git: 6b1a62491190 - main - security/crowdsec: update to 1.5.4
Date: Fri, 22 Sep 2023 05:07:58 UTC
The branch main has been updated by fuz:
URL: https://cgit.FreeBSD.org/ports/commit/?id=6b1a624911903f4cd19774381169d5ac3c92240d
commit 6b1a624911903f4cd19774381169d5ac3c92240d
Author: Marco Mariani <marco@crowdsec.net>
AuthorDate: 2023-09-19 13:42:58 +0000
Commit: Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-09-22 04:56:47 +0000
security/crowdsec: update to 1.5.4
new upstream version
use go:modules instead of gmake
link with re2 for faster log parsing
include sentinel plugin
force termination if process is not responsive
configurable local machine name
Changelog: https://github.com/crowdsecurity/crowdsec/releases/tag/v1.5.4
PR: 273944
MFH: 2023Q3
---
security/crowdsec/Makefile | 59 +++++++++++++++++-------------
security/crowdsec/distinfo | 8 +++--
security/crowdsec/files/crowdsec.in | 66 +++++++++++++++++++++++++++-------
security/crowdsec/files/pkg-message.in | 8 +++++
security/crowdsec/files/upgrade-hub.in | 8 ++---
security/crowdsec/pkg-plist | 2 ++
6 files changed, 107 insertions(+), 44 deletions(-)
diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index d6022fdd50f9..5f9d90135a3a 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,8 +1,6 @@
PORTNAME= crowdsec
DISTVERSIONPREFIX= v
-DISTVERSION= 1.5.1
-PORTREVISION= 2
-DISTVERSIONSUFFIX= -freebsd
+DISTVERSION= 1.5.4
CATEGORIES= security
MAINTAINER= marco@crowdsec.net
@@ -12,21 +10,26 @@ WWW= https://github.com/crowdsecurity/crowdsec
LICENSE= MIT
LICENSE_FILE= ${WRKSRC}/LICENSE
-USES= gmake go:no_targets
+LIB_DEPENDS= libre2.so:devel/re2
-USE_GITHUB= yes
-GH_ACCOUNT= crowdsecurity
-GH_PROJECT= crowdsec
-_BUILD_TAG= b76e95e3
+USES= go:modules pkgconfig
+_COMMIT= e4dcdd25
+_BUILD_DATE= $$(date -u "+%F_%T")
USE_RC_SUBR= crowdsec
-MAKE_ARGS= BUILD_VERSION="${DISTVERSIONFULL}" \
- BUILD_TAG="${_BUILD_TAG}" \
- BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw" \
- DEFAULT_CONFIGDIR="${PREFIX}/etc/crowdsec" \
- DEFAULT_DATADIR="/var/db/crowdsec/data"
+GO_MODULE= github.com/crowdsecurity/crowdsec
+GO_TARGET= ./cmd/crowdsec ./cmd/crowdsec-cli ./cmd/notification-email ./cmd/notification-http ./cmd/notification-sentinel ./cmd/notification-slack ./cmd/notification-splunk
-ALL_TARGET= build
+GO_BUILDFLAGS= -v -trimpath -tags netgo,osusergo,sqlite_omit_load_extension,re2_cgo \
+ -ldflags="\
+ -a -s -w \
+ -X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION}-freebsd \
+ -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \
+ -X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT} \
+ -X $(GO_MODULE)/pkg/cwversion.Codename=alphaga \
+ -X $(GO_MODULE)/pkg/csconfig.defaultConfigDir=${PREFIX}/etc/crowdsec \
+ -X $(GO_MODULE)/pkg/csconfig.defaultDataDir=/var/db/crowdsec/data \
+ -X $(GO_MODULE)/pkg/cwversion.Libre2=C++"
SUB_FILES= pkg-deinstall pkg-install pkg-message crowdsec.cron upgrade-hub
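Review bot: `_BUILD_DATE= $$(date -u "+%F_%T")` stamps the wall-clock time of each build into the binaries through `-X ...version.BuildDate`, so two builds of the same distfile differ and the package cannot be checked by rebuilding it, which works against the `-trimpath` in the same `GO_BUILDFLAGS`. Deriving the date from a fixed input keeps the version string and makes the build repeatable, for example `_BUILD_DATE= $$(date -u -r "$${SOURCE_DATE_EPOCH}" "+%F_%T")`, assuming the ports framework exports SOURCE_DATE_EPOCH to the build environment (to be confirmed). `_COMMIT= e4dcdd25` is maintained by hand and nothing visible ties it to `DISTVERSION`, so a comment such as `# short hash of the upstream release tag; update together with DISTVERSION` would help keep the reported tag honest on the next bump.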
@@ -52,15 +55,18 @@ do-install:
# Binaries
#
- ${INSTALL_PROGRAM} ${WRKSRC}/cmd/crowdsec/crowdsec ${STAGE_BIN}/
- ${INSTALL_PROGRAM} ${WRKSRC}/cmd/crowdsec-cli/cscli ${STAGE_BIN}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec ${STAGE_BIN}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec-cli ${STAGE_BIN}/cscli
+
+ # keep this around for compatibility
${LN} -s cscli ${STAGE_BIN}/crowdsec-cli
@${MKDIR} ${STAGE_PLUGINS}
- ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/email/notification-email ${STAGE_PLUGINS}/
- ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/http/notification-http ${STAGE_PLUGINS}/
- ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/slack/notification-slack ${STAGE_PLUGINS}/
- ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/splunk/notification-splunk ${STAGE_PLUGINS}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-email ${STAGE_PLUGINS}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-http ${STAGE_PLUGINS}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-sentinel ${STAGE_PLUGINS}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-slack ${STAGE_PLUGINS}/
+ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-splunk ${STAGE_PLUGINS}/
#
# Configuration
@@ -92,19 +98,23 @@ do-install:
@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications
@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/email
- @${MV} ${WRKSRC}/plugins/notifications/email/email.yaml \
+ @${MV} ${WRKSRC}/cmd/notification-email/email.yaml \
${STAGEDIR}${ETCDIR}/notifications/email.yaml.sample
@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/http
- @${MV} ${WRKSRC}/plugins/notifications/http/http.yaml \
+ @${MV} ${WRKSRC}/cmd/notification-http/http.yaml \
${STAGEDIR}${ETCDIR}/notifications/http.yaml.sample
+ @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/sentinel
+ @${MV} ${WRKSRC}/cmd/notification-sentinel/sentinel.yaml \
+ ${STAGEDIR}${ETCDIR}/notifications/sentinel.yaml.sample
+
@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/slack
- @${MV} ${WRKSRC}/plugins/notifications/slack/slack.yaml \
+ @${MV} ${WRKSRC}/cmd/notification-slack/slack.yaml \
${STAGEDIR}${ETCDIR}/notifications/slack.yaml.sample
@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/splunk
- @${MV} ${WRKSRC}/plugins/notifications/splunk/splunk.yaml \
+ @${MV} ${WRKSRC}/cmd/notification-splunk/splunk.yaml \
${STAGEDIR}${ETCDIR}/notifications/splunk.yaml.sample
# updated by "cscli machines" at first service start
@@ -145,6 +155,7 @@ do-install:
@${RM} ${STAGEDIR}${ETCDIR}/context.yaml
@${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/email
@${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/http
+ @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/sentinel
@${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/slack
@${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/splunk
diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo
index 5da1501580be..112a4b04660a 100644
--- a/security/crowdsec/distinfo
+++ b/security/crowdsec/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1684323254
-SHA256 (crowdsecurity-crowdsec-v1.5.1-freebsd_GH0.tar.gz) = b00ba881d4691ac122d03d1b23ebc2ef2513e42392d628f0c5381b00f07d0996
-SIZE (crowdsecurity-crowdsec-v1.5.1-freebsd_GH0.tar.gz) = 23803699
+TIMESTAMP = 1695208926
+SHA256 (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.mod) = b4d34c91a97d103a5fb6b4bac159a861af0d9851e43c824f33eefe66cd009a97
+SIZE (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.mod) = 9499
+SHA256 (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.zip) = d0419bc5de391784327e898e0f1dca215742c184f32b6de3a6dc87e839758191
+SIZE (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.zip) = 1340437
diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in
index a63e7ca47da9..e84eeacf57e4 100644
--- a/security/crowdsec/files/crowdsec.in
+++ b/security/crowdsec/files/crowdsec.in
@@ -12,7 +12,9 @@
# Default is "NO".
# crowdsec_config (str): Set the agent config path.
# Default is "%%PREFIX%%/etc/crowdsec/config.yaml".
-# crowdsec_flags (str): Set the extra flags to run agent.
+# crowdsec_machine_name (str): Name for the crowdsec instance when it's running its own lapi.
+# Default is "localhost".
+# crowdsec_flags (str): Set the extra flags to run the agent.
# Default is ""
. /etc/rc.subr
@@ -21,16 +23,18 @@ name=crowdsec
desc="Crowdsec Agent"
rcvar=crowdsec_enable
-load_rc_config $name
+load_rc_config "$name"
: "${crowdsec_enable:=NO}"
: "${crowdsec_config:=%%PREFIX%%/etc/crowdsec/config.yaml}"
+: "${crowdsec_machine_name:=localhost}"
: "${crowdsec_flags:=}"
pidfile=/var/run/${name}.pid
required_files="$crowdsec_config"
command="%%PREFIX%%/bin/${name}"
start_cmd="${name}_start"
+stop_cmd="${name}_stop"
start_precmd="${name}_precmd"
configtest_cmd="${name}_configtest"
extra_commands="configtest reload"
@@ -49,15 +53,23 @@ crowdsec_precmd() {
cs_cli hub update || :
fi
- if [ "$(cs_cli machines list -o json)" = "[]" ]; then
- echo "Registering LAPI"
- cs_cli machines add --auto || :
- fi
-
CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
- if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
- echo "Registering CAPI"
- cs_cli capi register || :
+
+ # Is the LAPI enabled on this node?
+ if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
+
+ # There are no machines, we create the main one
+ if [ "$(cs_cli machines list -o json)" = "[]" ]; then
+ echo "Registering LAPI"
+ cs_cli machines add "${crowdsec_machine_name}" --auto || :
+ fi
+
+ # Register to the central server to receive the community blocklist and more
+ if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
+ echo "Registering CAPI"
+ cs_cli capi register || :
+ fi
+
fi
# This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
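Review bot: The LAPI test `[ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]` treats any output other than the literal `false` as enabled, which presumably includes the empty string left when cscli fails or cannot read the configuration, so a broken config still falls through to `machines add` and `capi register`. Capturing the value together with its exit status makes the failure case explicit, e.g. `lapi_enabled=$(cs_cli config show --key Config.API.Server.Enable) || lapi_enabled=false` followed by `if [ "$lapi_enabled" != "false" ]; then`. Both registration calls end in `|| :`, so a failed registration leaves no trace at start-up; `|| echo "LAPI registration failed" >&2` (and the same for CAPI) would at least record it. crowdsec_precmd begins and ends outside this hunk.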
@@ -70,16 +82,44 @@ crowdsec_precmd() {
fi
}
+crowdsec_stop()
+{
+ if [ ! -f "$pidfile" ]; then
+ echo "${name} is not running."
+ return
+ fi
+ pid=$(cat "$pidfile")
+ if kill -0 "$pid" >/dev/null 2>&1; then
+ echo "Stopping ${name}."
+ kill -s TERM "$pid" >/dev/null 2>&1
+ # shellcheck disable=SC2034
+ for i in $(seq 1 20); do
+ sleep 1
+ if ! kill -0 "$pid" >/dev/null 2>&1; then
+ rm -f "$pidfile"
+ return
+ fi
+ done
+ echo "Timeout, terminating ${name} with SIGKILL."
+ kill -s KILL "$pid" >/dev/null 2>&1
+ rm -f "$pidfile"
+ else
+ echo "${name} is not running."
+ fi
+}
+
crowdsec_start()
{
- /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
- ${command} -c "${crowdsec_config}" ${crowdsec_flags}
+ /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
+ "$command" -c "$crowdsec_config" ${crowdsec_flags}
}
crowdsec_configtest()
{
echo "Performing sanity check on ${name} configuration."
- eval ${command} -c ${crowdsec_config} -t
+ if "$command" -c "$crowdsec_config" -t -error; then
+ echo "Configuration test OK"
+ fi
}
run_rc_command "$1"
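Review bot: crowdsec_stop signals whatever PID is stored in `$pidfile` without checking that the process is still crowdsec; if the file is stale and the number has been reused, the function sends TERM and, after the 20-second loop, KILL to an unrelated process. rc.subr, which this script sources, provides check_pidfile for this case: `pid=$(check_pidfile "$pidfile" "$command")` followed by a `[ -n "$pid" ]` test would replace the `cat` and the first `kill -0`. `pid` and `i` are also left in the rc environment and could be declared `local`. In crowdsec_configtest the new `if "$command" ... -t -error; then ... fi` returns 0 when the test fails, because an `if` with no branch taken has status 0; `"$command" -c "$crowdsec_config" -t -error || return 1` ahead of the echo keeps the failure status for callers of `service crowdsec configtest`.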
diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in
index 2fa6c08f4b30..b9812a0ed154 100644
--- a/security/crowdsec/files/pkg-message.in
+++ b/security/crowdsec/files/pkg-message.in
@@ -4,6 +4,11 @@
crowdsec is installed.
+Note: If you are using OPNsense or pfSense, ignore the following instructions and use the settings page of the
+CrowdSec plugin.
+
+-----
+
You need to check/edit the following files in %%ETCDIR%% as described in https://doc.crowdsec.net/docs/configuration/crowdsec_configuration
- config.yaml: main configuration
@@ -12,9 +17,12 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/
Then you can enable the daemon via sysrc and run it.
+----------
# sysrc crowdsec_enable="YES"
crowdsec_enable: NO -> YES
# service crowdsec start
+----------
+
EOM
}
]
diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in
index 450dc8af96cc..27faaf3f598b 100644
--- a/security/crowdsec/files/upgrade-hub.in
+++ b/security/crowdsec/files/upgrade-hub.in
@@ -5,13 +5,13 @@ test -x /usr/local/bin/cscli || exit 0
# favor the opnsense plugin's cron if it's there
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
-/usr/local/bin/cscli --error hub update
+/usr/local/bin/cscli --error -o human hub update
-upgraded=$(/usr/local/bin/cscli --error hub upgrade)
+upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
if [ -n "$upgraded" ]; then
# splay initial metrics push
- sleep $(jot -r 1 1 60)
- service crowdsec reload
+ sleep "$(jot -r 1 1 60)"
+ service crowdsec onestatus && service crowdsec reload
fi
exit 0
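Review bot: `service crowdsec onestatus` writes its status line to stdout each time an upgrade was applied, and if this script runs from cron that output is presumably mailed, while the cscli calls are kept at `--error` to stay quiet; `service crowdsec onestatus >/dev/null 2>&1 && service crowdsec reload` keeps the guard without the noise. The exit status of `hub update` is still ignored and the script always ends in `exit 0`, so a host whose hub can no longer be refreshed reports success; ending the update line with `|| exit 1` would surface that. The script starts outside this hunk.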
diff --git a/security/crowdsec/pkg-plist b/security/crowdsec/pkg-plist
index 3e3566388844..dd1afd08742f 100644
--- a/security/crowdsec/pkg-plist
+++ b/security/crowdsec/pkg-plist
@@ -9,6 +9,7 @@ libexec/crowdsec/upgrade-hub
@sample %%ETCDIR%%/online_api_credentials.yaml.sample
@sample %%ETCDIR%%/notifications/email.yaml.sample
@sample %%ETCDIR%%/notifications/http.yaml.sample
+@sample %%ETCDIR%%/notifications/sentinel.yaml.sample
@sample %%ETCDIR%%/notifications/slack.yaml.sample
@sample %%ETCDIR%%/notifications/splunk.yaml.sample
@mode 0644
@@ -44,6 +45,7 @@ etc/cron.d/crowdsec
@mode 0755
lib/crowdsec/plugins/notification-email
lib/crowdsec/plugins/notification-http
+lib/crowdsec/plugins/notification-sentinel
lib/crowdsec/plugins/notification-slack
lib/crowdsec/plugins/notification-splunk
@dir %%ETCDIR%%/hub