Date: Fri, 22 Sep 2023 05:07:58 GMT
Message-Id: <202309220507.38M57wH3066226@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Robert Clausecker
Subject: git: 6b1a62491190 - main - security/crowdsec: update to 1.5.4
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fuz
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6b1a624911903f4cd19774381169d5ac3c92240d
Auto-Submitted: auto-generated

The branch main has been updated by fuz:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6b1a624911903f4cd19774381169d5ac3c92240d

commit 6b1a624911903f4cd19774381169d5ac3c92240d
Author:     Marco Mariani
AuthorDate: 2023-09-19 13:42:58 +0000
Commit:     Robert Clausecker
CommitDate: 2023-09-22 04:56:47 +0000

    security/crowdsec: update to 1.5.4

    new upstream version
    use go:modules instead of gmake
    link with re2 for faster log parsing
    include sentinel plugin
    force termination if process is not responsive
    configurable local machine name

    Changelog: https://github.com/crowdsecurity/crowdsec/releases/tag/v1.5.4
    PR: 273944
    MFH: 2023Q3
---
 security/crowdsec/Makefile             | 59 +++++++++++++++++-------------
 security/crowdsec/distinfo             |  8 +++--
 security/crowdsec/files/crowdsec.in    | 66 +++++++++++++++++++++++++++-------
 security/crowdsec/files/pkg-message.in |  8 +++++
 security/crowdsec/files/upgrade-hub.in |  8 ++---
 security/crowdsec/pkg-plist            |  2 ++
 6 files changed, 107 insertions(+), 44 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile index d6022fdd50f9..5f9d90135a3a 100644 --- a/security/crowdsec/Makefile +++ b/security/crowdsec/Makefile 
@@ -1,8 +1,6 @@ PORTNAME= crowdsec DISTVERSIONPREFIX= v -DISTVERSION= 1.5.1 -PORTREVISION= 2 -DISTVERSIONSUFFIX= -freebsd +DISTVERSION= 1.5.4 CATEGORIES= security MAINTAINER= marco@crowdsec.net @@ -12,21 +10,26 @@ WWW= https://github.com/crowdsecurity/crowdsec LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE -USES= gmake go:no_targets +LIB_DEPENDS= libre2.so:devel/re2 -USE_GITHUB= yes -GH_ACCOUNT= crowdsecurity -GH_PROJECT= crowdsec -_BUILD_TAG= b76e95e3 +USES= go:modules pkgconfig +_COMMIT= e4dcdd25 +_BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec -MAKE_ARGS= BUILD_VERSION="${DISTVERSIONFULL}" \ - BUILD_TAG="${_BUILD_TAG}" \ - BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw" \ - DEFAULT_CONFIGDIR="${PREFIX}/etc/crowdsec" \ - DEFAULT_DATADIR="/var/db/crowdsec/data" +GO_MODULE= github.com/crowdsecurity/crowdsec +GO_TARGET= ./cmd/crowdsec ./cmd/crowdsec-cli ./cmd/notification-email ./cmd/notification-http ./cmd/notification-sentinel ./cmd/notification-slack ./cmd/notification-splunk -ALL_TARGET= build +GO_BUILDFLAGS= -v -trimpath -tags netgo,osusergo,sqlite_omit_load_extension,re2_cgo \ + -ldflags="\ + -a -s -w \ + -X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION}-freebsd \ + -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \ + -X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT} \ + -X $(GO_MODULE)/pkg/cwversion.Codename=alphaga \ + -X $(GO_MODULE)/pkg/csconfig.defaultConfigDir=${PREFIX}/etc/crowdsec \ + -X $(GO_MODULE)/pkg/csconfig.defaultDataDir=/var/db/crowdsec/data \ + -X $(GO_MODULE)/pkg/cwversion.Libre2=C++" SUB_FILES= pkg-deinstall pkg-install pkg-message crowdsec.cron upgrade-hub 
@@ -52,15 +55,18 @@ do-install: # Binaries # - ${INSTALL_PROGRAM} ${WRKSRC}/cmd/crowdsec/crowdsec ${STAGE_BIN}/ - ${INSTALL_PROGRAM} ${WRKSRC}/cmd/crowdsec-cli/cscli ${STAGE_BIN}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec ${STAGE_BIN}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec-cli ${STAGE_BIN}/cscli + + # keep this around for compatibility ${LN} -s cscli ${STAGE_BIN}/crowdsec-cli @${MKDIR} ${STAGE_PLUGINS} - ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/email/notification-email ${STAGE_PLUGINS}/ - ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/http/notification-http ${STAGE_PLUGINS}/ - ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/slack/notification-slack ${STAGE_PLUGINS}/ - ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/splunk/notification-splunk ${STAGE_PLUGINS}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-email ${STAGE_PLUGINS}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-http ${STAGE_PLUGINS}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-sentinel ${STAGE_PLUGINS}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-slack ${STAGE_PLUGINS}/ + ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-splunk ${STAGE_PLUGINS}/ # # Configuration 
@@ -92,19 +98,23 @@ do-install: @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/email - @${MV} ${WRKSRC}/plugins/notifications/email/email.yaml \ + @${MV} ${WRKSRC}/cmd/notification-email/email.yaml \ ${STAGEDIR}${ETCDIR}/notifications/email.yaml.sample @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/http - @${MV} ${WRKSRC}/plugins/notifications/http/http.yaml \ + @${MV} ${WRKSRC}/cmd/notification-http/http.yaml \ ${STAGEDIR}${ETCDIR}/notifications/http.yaml.sample + @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/sentinel + @${MV} ${WRKSRC}/cmd/notification-sentinel/sentinel.yaml \ + ${STAGEDIR}${ETCDIR}/notifications/sentinel.yaml.sample + @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/slack - @${MV} ${WRKSRC}/plugins/notifications/slack/slack.yaml \ + @${MV} ${WRKSRC}/cmd/notification-slack/slack.yaml \ ${STAGEDIR}${ETCDIR}/notifications/slack.yaml.sample @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/splunk - @${MV} ${WRKSRC}/plugins/notifications/splunk/splunk.yaml \ + @${MV} ${WRKSRC}/cmd/notification-splunk/splunk.yaml \ ${STAGEDIR}${ETCDIR}/notifications/splunk.yaml.sample # updated by "cscli machines" at first service start @@ -145,6 +155,7 @@ do-install: @${RM} ${STAGEDIR}${ETCDIR}/context.yaml @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/email @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/http + @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/sentinel @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/slack @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/splunk diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo index 5da1501580be..112a4b04660a 100644 --- a/security/crowdsec/distinfo +++ b/security/crowdsec/distinfo 
@@ -1,3 +1,5 @@ -TIMESTAMP = 1684323254 -SHA256 (crowdsecurity-crowdsec-v1.5.1-freebsd_GH0.tar.gz) = b00ba881d4691ac122d03d1b23ebc2ef2513e42392d628f0c5381b00f07d0996 -SIZE (crowdsecurity-crowdsec-v1.5.1-freebsd_GH0.tar.gz) = 23803699 +TIMESTAMP = 1695208926 +SHA256 (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.mod) = b4d34c91a97d103a5fb6b4bac159a861af0d9851e43c824f33eefe66cd009a97 +SIZE (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.mod) = 9499 +SHA256 (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.zip) = d0419bc5de391784327e898e0f1dca215742c184f32b6de3a6dc87e839758191 +SIZE (go/security_crowdsec/crowdsec-v1.5.4/v1.5.4.zip) = 1340437 diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in index a63e7ca47da9..e84eeacf57e4 100644 --- a/security/crowdsec/files/crowdsec.in +++ b/security/crowdsec/files/crowdsec.in @@ -12,7 +12,9 @@ # Default is "NO". # crowdsec_config (str): Set the agent config path. # Default is "%%PREFIX%%/etc/crowdsec/config.yaml". -# crowdsec_flags (str): Set the extra flags to run agent. +# crowdsec_machine_name (str): Name for the crowdsec instance when it's running its own lapi. +# Default is "localhost". +# crowdsec_flags (str): Set the extra flags to run the agent. # Default is "" . /etc/rc.subr @@ -21,16 +23,18 @@ name=crowdsec desc="Crowdsec Agent" rcvar=crowdsec_enable -load_rc_config $name +load_rc_config "$name" : "${crowdsec_enable:=NO}" : "${crowdsec_config:=%%PREFIX%%/etc/crowdsec/config.yaml}" +: "${crowdsec_machine_name:=localhost}" : "${crowdsec_flags:=}" pidfile=/var/run/${name}.pid required_files="$crowdsec_config" command="%%PREFIX%%/bin/${name}" start_cmd="${name}_start" +stop_cmd="${name}_stop" start_precmd="${name}_precmd" configtest_cmd="${name}_configtest" extra_commands="configtest reload" 
@@ -49,15 +53,23 @@ crowdsec_precmd() { cs_cli hub update || : fi - if [ "$(cs_cli machines list -o json)" = "[]" ]; then - echo "Registering LAPI" - cs_cli machines add --auto || : - fi - CONFIG_DIR=$(Config ConfigPaths.ConfigDir) - if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then - echo "Registering CAPI" - cs_cli capi register || : + + # Is the LAPI enabled on this node? + if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then + + # There are no machines, we create the main one + if [ "$(cs_cli machines list -o json)" = "[]" ]; then + echo "Registering LAPI" + cs_cli machines add "${crowdsec_machine_name}" --auto || : + fi + + # Register to the central server to receive the community blocklist and more + if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then + echo "Registering CAPI" + cs_cli capi register || : + fi + fi # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet. 
@@ -70,16 +82,44 @@ crowdsec_precmd() { fi } +crowdsec_stop() +{ + if [ ! -f "$pidfile" ]; then + echo "${name} is not running." + return + fi + pid=$(cat "$pidfile") + if kill -0 "$pid" >/dev/null 2>&1; then + echo "Stopping ${name}." + kill -s TERM "$pid" >/dev/null 2>&1 + # shellcheck disable=SC2034 + for i in $(seq 1 20); do + sleep 1 + if ! kill -0 "$pid" >/dev/null 2>&1; then + rm -f "$pidfile" + return + fi + done + echo "Timeout, terminating ${name} with SIGKILL." + kill -s KILL "$pid" >/dev/null 2>&1 + rm -f "$pidfile" + else + echo "${name} is not running." + fi +} + crowdsec_start() { - /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \ - ${command} -c "${crowdsec_config}" ${crowdsec_flags} + /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ + "$command" -c "$crowdsec_config" ${crowdsec_flags} } crowdsec_configtest() { echo "Performing sanity check on ${name} configuration." - eval ${command} -c ${crowdsec_config} -t + if "$command" -c "$crowdsec_config" -t -error; then + echo "Configuration test OK" + fi } run_rc_command "$1" diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in index 2fa6c08f4b30..b9812a0ed154 100644 --- a/security/crowdsec/files/pkg-message.in +++ b/security/crowdsec/files/pkg-message.in @@ -4,6 +4,11 @@ crowdsec is installed. +Note: If you are using OPNsense or pfSense, ignore the following instructions and use the settings page of the +CrowdSec plugin. + +----- + You need to check/edit the following files in %%ETCDIR%% as described in https://doc.crowdsec.net/docs/configuration/crowdsec_configuration - config.yaml: main configuration @@ -12,9 +17,12 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/ Then you can enable the daemon via sysrc and run it. +---------- # sysrc crowdsec_enable="YES" crowdsec_enable: NO -> YES # service crowdsec start +---------- + EOM } ] 
diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in index 450dc8af96cc..27faaf3f598b 100644 --- a/security/crowdsec/files/upgrade-hub.in +++ b/security/crowdsec/files/upgrade-hub.in @@ -5,13 +5,13 @@ test -x /usr/local/bin/cscli || exit 0 # favor the opnsense plugin's cron if it's there test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0 -/usr/local/bin/cscli --error hub update +/usr/local/bin/cscli --error -o human hub update -upgraded=$(/usr/local/bin/cscli --error hub upgrade) +upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade) if [ -n "$upgraded" ]; then # splay initial metrics push - sleep $(jot -r 1 1 60) - service crowdsec reload + sleep "$(jot -r 1 1 60)" + service crowdsec onestatus && service crowdsec reload fi exit 0 diff --git a/security/crowdsec/pkg-plist b/security/crowdsec/pkg-plist index 3e3566388844..dd1afd08742f 100644 --- a/security/crowdsec/pkg-plist +++ b/security/crowdsec/pkg-plist @@ -9,6 +9,7 @@ libexec/crowdsec/upgrade-hub @sample %%ETCDIR%%/online_api_credentials.yaml.sample @sample %%ETCDIR%%/notifications/email.yaml.sample @sample %%ETCDIR%%/notifications/http.yaml.sample +@sample %%ETCDIR%%/notifications/sentinel.yaml.sample @sample %%ETCDIR%%/notifications/slack.yaml.sample @sample %%ETCDIR%%/notifications/splunk.yaml.sample @mode 0644 @@ -44,6 +45,7 @@ etc/cron.d/crowdsec @mode 0755 lib/crowdsec/plugins/notification-email lib/crowdsec/plugins/notification-http +lib/crowdsec/plugins/notification-sentinel lib/crowdsec/plugins/notification-slack lib/crowdsec/plugins/notification-splunk @dir %%ETCDIR%%/hub
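Review bot: In the second Makefile hunk (@@ -12,21 +10,26 @@), `_BUILD_DATE= $$(date -u "+%F_%T")` is passed to `-X github.com/crowdsecurity/go-cs-lib/version.BuildDate`, so every build embeds a different timestamp and two builds of the same distfile are not byte-identical, which works against the `-trimpath` in the same GO_BUILDFLAGS. Consider deriving the date from a fixed value, for example the TIMESTAMP recorded in distinfo. `_COMMIT= e4dcdd25` is maintained by hand next to DISTVERSION; a comment saying it has to be bumped together with the version would help the next updater. The new ldflags also mix `$(GO_MODULE)` with the `${...}` form used in the rest of the file.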
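Review bot: In the distinfo hunk, the checksummed distfile shrinks from 23803699 bytes (the GitHub tarball that was built with `-mod=vendor`) to 1340437 bytes for `v1.5.4.zip`, so the third-party Go dependencies no longer appear to be covered by a SHA256 in this file. Please note in the Makefile or the commit message where the dependencies now come from and what verifies them, so a reviewer can confirm the dependency set is still pinned.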
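Review bot: In the `crowdsec_precmd` hunk of crowdsec.in (@@ -49,15 +53,23 @@), the test `[ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]` treats every output other than the literal `false` as "LAPI enabled", including empty output when `cs_cli` itself fails, and the two registrations that follow discard their errors with `|| :`. If enabled-by-default is the intent, a comment saying so would help; otherwise check the exit status of the `config show` call before comparing its output.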
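Review bot: In the `crowdsec_stop` hunk of crowdsec.in (@@ -70,16 +82,44 @@), the pid from `pid=$(cat "$pidfile")` is only checked with `kill -0`, which confirms that some process has that pid, not that it is crowdsec; with a stale pidfile the TERM and then the KILL go to an unrelated process. rc.subr's `check_pidfile "$pidfile" "$command"` could be used to get the pid only when the process name matches. In the same hunk, `crowdsec_configtest` has no else branch, so when the `-t -error` run fails the `if` statement still returns 0 and `service crowdsec configtest` reports success to its caller; return the command's exit status instead.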
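Review bot: In the upgrade-hub.in hunk, the two changed `cscli` lines keep the hard-coded `/usr/local/bin/cscli` although the file is a `.in` template listed in SUB_FILES and crowdsec.in already uses `%%PREFIX%%`; `%%PREFIX%%/bin/cscli` would keep the cron job working with a non-default PREFIX. The reload decision also still rests on `hub upgrade` printing anything at all to stdout, so a short comment on what output `-o human` is expected to produce when nothing was upgraded would make that check easier to trust.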