FreeBSD Bugzilla – Attachment 86248 Details for
Bug 122647
security/sguil-server, port upgrade, new version
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
pkg-install.in
pkg-install.in (text/plain), 13.42 KB, created by
pauls
on 2008-04-11 04:50:04 UTC
(
hide
)
Description:
pkg-install.in
Filename:
MIME Type:
Creator:
pauls
Created:
2008-04-11 04:50:04 UTC
Size:
13.42 KB
patch
obsolete
>#!/bin/sh ># ># $FreeBSD$ ># > >echo "This sguild install script creates a \"turnkey\" install " >echo "of sguild, including configuing the database and conf files" >echo "and user accounts so that sguild can be started immediately." >echo "" >echo "You may have already done all this (especially if this is an upgrade)" >echo "and may not be interested in iterating through cert creation and" >echo "everything else that the script does." >echo "" >echo "Would you like to opt out of the entire install script " >echo "and configure sguild manually yourself?" ; read ans >case "$ans" in > y*|Y*) > exit 0 > ;; > n*|N*) > ;; > *) > exit 64 > ;; >esac ># This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the ># maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up ># at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16 ># I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD ># developers from whose OS I stole a few tricks as well. > ># Set up some paths and variables for later use >PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin >pkgname=$1 >rootpwd='' >confdir="${PKG_PREFIX:-%%PREFIX%%}/etc" >portdir="${CURDIR:-%%CURDIR%%}" >scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts" >if [ -x /usr/sbin/nologin ]; then > nologin=/usr/sbin/nologin >else > nologin=/sbin/nologin >fi ># Source rc.conf for later >if [ -z "${source_rc_confs_defined}" ]; then > if [ -r /etc/defaults/rc.conf ]; then > . /etc/defaults/rc.conf > source_rc_confs > elif [ -r /etc/rc.conf ]; then > . /etc/rc.conf > fi >fi >sguil_user="sguil" >sguil_group="sguil" >case $2 in >PRE-INSTALL) > echo "==> Pre-installation configuration of ${pkgname}" > if ! pw groupshow ${sguil_group} -q >/dev/null ; then > if ! pw groupadd ${sguil_group} -q; then > echo "Failed to create group \"${sguil_group}\"!" >&2 > echo "Please create it manually." >&2 > exit 1 > else > echo "Group '%{sguil-group}' created successfully." > pw groupshow ${sguil_group} > fi > fi > if ! pw usershow ${sguil_user} -q >/dev/null ; then > if ! pw useradd -q -n ${sguil_user} \ > -g ${sguil_group} -s "${nologin}" \ > -h - ; then > echo "Failed to create user '%{sguil_user}'!" >&2 > echo "Please create it manually." >&2 > exit 1 > else > echo "User '${sguil_user}' create successfully." > pw usershow ${sguil_user} > fi > fi > for dir in %%SGUILDIR%% %%SGUILDIR%%/certs ; do > if [ ! -d ${confdir}/${dir} ]; then > echo "Creating ${confdir}/${dir} ...." > install -d -o ${sguil_user} -g ${sguil_group} \ > -m 0750 ${confdir}/${dir} > fi > done > for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do > if [ ! -d ${dir} ]; then > echo "Creating ${dir} ...." > install -d -o ${sguil_user} -g ${sguil_group} \ > -m 0750 ${dir} > fi > done > ;; >POST-INSTALL) > echo -e "\033[1mThere are a few things that need to be done to complete the install." > echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and " > echo "sensors will work, you need to create the database, the account to access it and " > echo "the tables for the database and you need to create the directories where all the " > echo "data will be stored. (You will also need to edit the conf files for your setup.)" > echo "" > echo "If you haven't already done this, I can do it for you now." > echo "Would you like to create certs now? (y for yes, n for no)"; read ans > case "$ans" in > y*|Y*) > echo -e "\033[1mFirst we need to create a password-protected CA cert." > echo "" > echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)" > openssl req -out CA.pem -new -x509 > echo "Now we need to create a server certificate/key pair." > openssl genrsa -out sguild.key 1024 > echo -e "\033[1mNow we need to create a certificate request to be signed by the CA." > echo "DO NOT password protect your server key. If you do, you will be required" > echo "to enter the password every time you start the server." > echo -e "\033[0m" > openssl req -key sguild.key -new -out sguild.req > echo "Now we need to create the actual certificate for your server." > echo 44 > file.sr1 > openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem > echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory " > echo "and clean up the port directory as well." > for files in sguild.key sguild.pem; do > mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/ > done > for files in CA.pem privkey.pem sguild.req file.sr1; do > rm ${portdir}/$files > done > ;; > n*|N*) > echo -e "\033[1mSSL is now required for all connections between server, sensors and clients." > echo "If you haven't already created certs, you will need to do that before sguil will work." > echo -e "\033[0m" > echo "" > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mIs the installation of mysql brand new and unaltered?" > echo -e "\033[0mBy default, when mysql is installed, it creates five accounts." > echo "None of those accounts are protected by passwords. That needs to be corrected." > echo "The five accounts are:" > echo " root@localhost" > echo " root@127.0.0.1" > echo " root@`hostname`" > echo " @localhost" > echo " @`hostname`" > echo "I can remove all of the accounts except root@localhost (highly recommended) " > echo "and I can set the password for the root@localhost account. (If you get an error " > echo "don't worry about it. The account may not have been created to begin with." > echo "Would you like me to do that now?" ; read ans > case "$ans" in > y*|Y*) > echo "Enabling mysql in /etc/rc.conf and starting the server....." > case ${mysql_enable} in > [Yy][Ee][Ss]) > echo -e "\033[1mIt appears that mysql is already enabled!" > echo -e "\033[0m" > ;; > *) > echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf > echo "mysql_enable=\"YES\"" >> /etc/rc.conf > ;; > esac > mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` > echo "The mysql pid is ${mysql_pid}...." > if [ -z ${mysql_pid} ]; then > %%PREFIX%%/etc/rc.d/mysql-server start > fi > sleep 1 > mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` > if [ -s ${mysql_pid} ]; then > echo "The mysql server did not start. Please fix the problem " > echo "and run this script again." > exit 64 > fi > echo "Deleting users from mysql......" > mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';" > mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';" > mysql -u root -e "USE mysql; DROP USER ''@'localhost';" > mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';" > echo "All done deleting......." > echo "What would you like root@localhost's password to be?" ; read rootpwd > mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');" > mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;" > ;; > n*|N*) > echo "Before you use the database, you should at least set passwords" > echo "for all the accounts. Otherwise anyone can login to your database." > echo "To remove an account, use \"drop user 'user'@'host'\"." > echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"." > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?" > echo -e "\033[0m" ; read ans > case "$ans" in > y*|Y*) > if [ ! -f /etc/my.cnf ]; then > echo "[mysqld]" >> /etc/my.cnf > echo "bind-address=127.0.0.1" >> /etc/my.cnf > echo "socket=/tmp/mysql.sock" >> /etc/my.cnf > echo "ft_min_word_len=3" >> /etc/my.cnf > mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` > echo "The mysql pid is ${mysql_pid}...." > if [ -z ${mysql_pid} ]; then > %%PREFIX%%/etc/rc.d/mysql-server start > else > %%PREFIX%%/etc/rc.d/mysql-server restart > fi > else > echo "/etc/my.cnf already exists!" > echo "add \"bind-address=127.0.0.1\" in the [mysqld] section " > echo "to force mysql to listen only on localhost." > echo "Then restart the server to accept the new settings." > fi > ;; > n*|N*) > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mWould you like to create the database to store all nsm data?" > echo -e "\033[0m" ; read ans > echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade." > case "$ans" in > y*|Y*) > if [ -z ${rootpwd} ]; then > echo "What is the password for the mysql root user?"; read rootpwd > fi > mysql -u root -p${rootpwd} -e "create database sguildb" > mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql > ;; > n*|N*) > echo -e "\033[1mPlease note: if you are upgrading from a previous version " > echo "of sguil, you need to run the upgrade_0.7.tcl script located in " > echo "'${scriptdir}'." > echo -e "\033[0mIf you've already cleaned the port directory, run " > echo "make extract to recover the files and access the script." > echo "" > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?" > echo -e "\033[0m" ; read ans > case "$ans" in > y*|Y*) > if [ -z ${rootpwd} ]; then > echo "Please enter the password for the mysql root account." ; read rootpwd > fi > echo -e "\033[1mPlease enter the password that you want to use for the sguild account." > echo -e "\033[0m"; read sguildpwd > echo "Creating account for sguild with access to sguildb....." > mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \ > to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'" > mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'" > mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES" > ;; > n*|N*) > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mWould you like to create the data directory and all its subdirectories?" > echo -e "\033[0m"; read ans > case "$ans" in > y*|Y*) > echo "What do you want the name of the main directory to be?" > echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir > echo "The main directory will be named '${maindir}'." > for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do > if [ ! -d ${dir} ]; then > echo "Creating ${dir} ...." > install -d -o ${sguil_user} -g ${sguil_group} \ > -m 0750 ${dir} > else > echo -e "\033[1mThe directory '${dir}' already exists!" > echo -e "\033[0m" > fi > done > ;; > n*|N*) > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?" > echo -e "\033[0m"; read ans > case "$ans" in > y*|Y*) > case ${sguild_enable} in > [Yy][Ee][Ss]) > echo -e "\033[1mIt appears that sguild is already enabled!" > echo -e "\033[0m" > ;; > *) > echo -e i"\033[1mWriting to /etc/rc.conf...." > echo -e "\033[0m" > echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf > echo "sguild_enable=\"YES\"" >> /etc/rc.conf > ;; > esac > ;; > n*|N*) > ;; > *) > exit 64 > ;; > esac > echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now." > echo -e "\033[0m" > if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then > echo "The sguild.conf file already exists!" > echo "Do you want me to edit it anyway?" ; read ans > case "$ans" in > y*|Y*) > echo -e "\033[1mPreparing to edit the sguild.conf file......" > if [ -z ${maindir} ]; then > echo "There's a couple of things I need to verify before continuing." > echo "What is the name of the main nsm directory that you are using?" > echo -e "\033[0m" ; read ans > maindir="$ans" > fi > if [ -z ${sguildpwd} ]; then > echo -e "\033[1mWhat is the password for the sguild database user?" > echo -e "\033[0m" ; read ans > sguildpwd="$ans" > fi > sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ > -e 's|sguild_data|'"${maindir}"'|' \ > < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf > ;; > n*|N*) > ;; > *) > exit 64 > ;; > esac > else > echo -e "\033[1mPreparing to edit the sguild.conf file......" > if [ -z ${maindir} ]; then > echo "There's a couple of things I need to verify before continuing." > echo "What is the name of the main nsm directory that you are using?" > echo -e "\033[0m" ; read ans > maindir="$ans" > fi > if [ -z ${sguildpwd} ]; then > echo -e "\033[1mWhat is the password for the sguild database user?" > echo -e "\033[0m" ; read ans > sguildpwd="$ans" > fi > sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ > -e 's|sguild_data|'"${maindir}"'|' \ > < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf > fi > if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then > cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users > fi > if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then > cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access > fi > echo -e "\033[1mYou still need to review all the conf files and configure sguil " > echo "per your desired setup before starting sguild. Refer to the port docs in " > echo "%%DOCSDIR%% before proceeding." > echo -e "\033[0m" > echo "Right now, all the conf files except sguild.conf are set to the defaults." > for files in archive_sguildb.tcl sguild incident_report.tcl ; do > if [ -f %%PREFIX%%/bin/${files} ]; then > chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files} > fi > done > if [ ! -f %%PREFIX%%/bin/sguild ]; then > echo "Sguild is missing! Please correct the problem before continuing!" > exit 1 > fi > ;; >*) > exit 64 > ;; >esac >exit 0
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=86248">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 122647
:
86245
|
86246
|
86247
| 86248 |
86249