FreeBSD Bugzilla – Attachment 87060 Details for
Bug 123613
security/sguil-server, files missing from recent upgrade
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
patch-sguil-server
patch-sguil-server (text/plain), 16.36 KB, created by
pauls
on 2008-05-12 17:30:00 UTC
(
hide
)
Description:
patch-sguil-server
Filename:
MIME Type:
Creator:
pauls
Created:
2008-05-12 17:30:00 UTC
Size:
16.36 KB
patch
obsolete
>diff -Naur /usr/ports/security/sguil-server/Makefile sguil-server/Makefile >--- /usr/ports/security/sguil-server/Makefile 2008-05-03 08:22:15.000000000 -0500 >+++ sguil-server/Makefile 2008-05-12 11:20:57.000000000 -0500 >@@ -7,6 +7,7 @@ > > PORTNAME= sguil-server > PORTVERSION= 0.7.0 >+PORTREVISION= 1 > CATEGORIES= security > MASTER_SITES= SF > MASTER_SITE_SUBDIR= sguil >diff -Naur /usr/ports/security/sguil-server/files/pkg-deinstall.in sguil-server/files/pkg-deinstall.in >--- /usr/ports/security/sguil-server/files/pkg-deinstall.in 1969-12-31 18:00:00.000000000 -0600 >+++ sguil-server/files/pkg-deinstall.in 2008-04-10 12:13:52.000000000 -0500 >@@ -0,0 +1,63 @@ >+#!/bin/sh >+# >+# $FreeBSD$ >+# >+ >+USER="sguil" >+ >+# Make sure we're in the right stage of the process >+if [ "$2" = "DEINSTALL" ]; then >+ echo "Stopping sguild......" >+ %%PREFIX%%/etc/rc.d/sguild stop >+ %%PREFIX%%/etc/rc.d/sguild poll >+ echo "Would you like to remove the sguild certs?" ; read ans >+ case "$ans" in >+ y*|Y*) >+ if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key ]; then >+ rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key >+ fi >+ if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem ]; then >+ rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem >+ fi >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ cd %%PREFIX%%/etc/%%SGUILDIR%% || exit 1 >+# Remove the conf files *if* they have not been altered >+ for f in autocat.conf sguild.access sguild.conf sguild.email \ >+ sguild.queries sguild.reports sguild.users; do >+ cmp -s -z ${f} ${f}-sample && rm ${f} >+ done >+# Remove the user and group if the installer chooses to >+ echo "Would you like to remove the sguil user and group?" ; read ans >+ case "$ans" in >+ y*|Y*) >+ if pw usershow "${USER}" 2>/dev/null 1>&2; then >+ pw userdel -n sguil >+ fi >+ if pw groupshow "${USER}" 2>/dev/null 1>&2; then >+ pw groupdel -n sguil >+ fi >+ ;; >+ n*|N*) >+ ;; >+ *) >+ ;; >+ esac >+fi >+if [ "$2" = "POST-DEINSTALL" ]; then >+ # If the user exists, then display a message >+ if pw usershow "${USER}" 2>/dev/null 1>&2; then >+ echo "To delete the '${USER}' user permanently, use 'pw userdel ${USER}'" >+ fi >+ # If the group exists, then display a message >+ if pw groupshow "${USER}" 2>/dev/null 1>&2; then >+ echo "To delete the '${USER}' group permanently, use 'pw groupdel ${USER}'" >+ fi >+fi >+ >+exit 0 >diff -Naur /usr/ports/security/sguil-server/files/pkg-install.in sguil-server/files/pkg-install.in >--- /usr/ports/security/sguil-server/files/pkg-install.in 1969-12-31 18:00:00.000000000 -0600 >+++ sguil-server/files/pkg-install.in 2008-04-11 09:37:31.000000000 -0500 >@@ -0,0 +1,388 @@ >+#!/bin/sh >+# >+# $FreeBSD$ >+# >+ >+echo "This sguild install script creates a \"turnkey\" install " >+echo "of sguild, including configuing the database and conf files" >+echo "and user accounts so that sguild can be started immediately." >+echo "" >+echo "You may have already done all this (especially if this is an upgrade)" >+echo "and may not be interested in iterating through cert creation and" >+echo "everything else that the script does." >+echo "" >+echo "Would you like to opt out of the entire install script " >+echo "and configure sguild manually yourself?" ; read ans >+case "$ans" in >+ y*|Y*) >+ exit 0 >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+esac >+# This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the >+# maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up >+# at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16 >+# I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD >+# developers from whose OS I stole a few tricks as well. >+ >+# Set up some paths and variables for later use >+PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin >+pkgname=$1 >+rootpwd='' >+confdir="${PKG_PREFIX:-%%PREFIX%%}/etc" >+portdir="${CURDIR:-%%CURDIR%%}" >+scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts" >+if [ -x /usr/sbin/nologin ]; then >+ nologin=/usr/sbin/nologin >+else >+ nologin=/sbin/nologin >+fi >+# Source rc.conf for later >+if [ -z "${source_rc_confs_defined}" ]; then >+ if [ -r /etc/defaults/rc.conf ]; then >+ . /etc/defaults/rc.conf >+ source_rc_confs >+ elif [ -r /etc/rc.conf ]; then >+ . /etc/rc.conf >+ fi >+fi >+sguil_user="sguil" >+sguil_group="sguil" >+case $2 in >+PRE-INSTALL) >+ echo "==> Pre-installation configuration of ${pkgname}" >+ if ! pw groupshow ${sguil_group} -q >/dev/null ; then >+ if ! pw groupadd ${sguil_group} -q; then >+ echo "Failed to create group \"${sguil_group}\"!" >&2 >+ echo "Please create it manually." >&2 >+ exit 1 >+ else >+ echo "Group '%{sguil-group}' created successfully." >+ pw groupshow ${sguil_group} >+ fi >+ fi >+ if ! pw usershow ${sguil_user} -q >/dev/null ; then >+ if ! pw useradd -q -n ${sguil_user} \ >+ -g ${sguil_group} -s "${nologin}" \ >+ -h - ; then >+ echo "Failed to create user '%{sguil_user}'!" >&2 >+ echo "Please create it manually." >&2 >+ exit 1 >+ else >+ echo "User '${sguil_user}' create successfully." >+ pw usershow ${sguil_user} >+ fi >+ fi >+ for dir in %%SGUILDIR%% %%SGUILDIR%%/certs ; do >+ if [ ! -d ${confdir}/${dir} ]; then >+ echo "Creating ${confdir}/${dir} ...." >+ install -d -o ${sguil_user} -g ${sguil_group} \ >+ -m 0750 ${confdir}/${dir} >+ fi >+ done >+ for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do >+ if [ ! -d ${dir} ]; then >+ echo "Creating ${dir} ...." >+ install -d -o ${sguil_user} -g ${sguil_group} \ >+ -m 0750 ${dir} >+ fi >+ done >+ ;; >+POST-INSTALL) >+ echo -e "\033[1mThere are a few things that need to be done to complete the install." >+ echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and " >+ echo "sensors will work, you need to create the database, the account to access it and " >+ echo "the tables for the database and you need to create the directories where all the " >+ echo "data will be stored. (You will also need to edit the conf files for your setup.)" >+ echo "" >+ echo "If you haven't already done this, I can do it for you now." >+ echo "Would you like to create certs now? (y for yes, n for no)"; read ans >+ case "$ans" in >+ y*|Y*) >+ echo -e "\033[1mFirst we need to create a password-protected CA cert." >+ echo "" >+ echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)" >+ openssl req -out CA.pem -new -x509 >+ echo "Now we need to create a server certificate/key pair." >+ openssl genrsa -out sguild.key 1024 >+ echo -e "\033[1mNow we need to create a certificate request to be signed by the CA." >+ echo "DO NOT password protect your server key. If you do, you will be required" >+ echo "to enter the password every time you start the server." >+ echo -e "\033[0m" >+ openssl req -key sguild.key -new -out sguild.req >+ echo "Now we need to create the actual certificate for your server." >+ echo 44 > file.sr1 >+ openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem >+ echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory " >+ echo "and clean up the port directory as well." >+ for files in sguild.key sguild.pem; do >+ mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/ >+ done >+ for files in CA.pem privkey.pem sguild.req file.sr1; do >+ rm ${portdir}/$files >+ done >+ ;; >+ n*|N*) >+ echo -e "\033[1mSSL is now required for all connections between server, sensors and clients." >+ echo "If you haven't already created certs, you will need to do that before sguil will work." >+ echo -e "\033[0m" >+ echo "" >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mIs the installation of mysql brand new and unaltered?" >+ echo -e "\033[0mBy default, when mysql is installed, it creates five accounts." >+ echo "None of those accounts are protected by passwords. That needs to be corrected." >+ echo "The five accounts are:" >+ echo " root@localhost" >+ echo " root@127.0.0.1" >+ echo " root@`hostname`" >+ echo " @localhost" >+ echo " @`hostname`" >+ echo "I can remove all of the accounts except root@localhost (highly recommended) " >+ echo "and I can set the password for the root@localhost account. (If you get an error " >+ echo "don't worry about it. The account may not have been created to begin with." >+ echo "Would you like me to do that now?" ; read ans >+ case "$ans" in >+ y*|Y*) >+ echo "Enabling mysql in /etc/rc.conf and starting the server....." >+ case ${mysql_enable} in >+ [Yy][Ee][Ss]) >+ echo -e "\033[1mIt appears that mysql is already enabled!" >+ echo -e "\033[0m" >+ ;; >+ *) >+ echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf >+ echo "mysql_enable=\"YES\"" >> /etc/rc.conf >+ ;; >+ esac >+ mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` >+ echo "The mysql pid is ${mysql_pid}...." >+ if [ -z ${mysql_pid} ]; then >+ %%PREFIX%%/etc/rc.d/mysql-server start >+ fi >+ sleep 1 >+ mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` >+ if [ -s ${mysql_pid} ]; then >+ echo "The mysql server did not start. Please fix the problem " >+ echo "and run this script again." >+ exit 64 >+ fi >+ echo "Deleting users from mysql......" >+ mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';" >+ mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';" >+ mysql -u root -e "USE mysql; DROP USER ''@'localhost';" >+ mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';" >+ echo "All done deleting......." >+ echo "What would you like root@localhost's password to be?" ; read rootpwd >+ mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');" >+ mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;" >+ ;; >+ n*|N*) >+ echo "Before you use the database, you should at least set passwords" >+ echo "for all the accounts. Otherwise anyone can login to your database." >+ echo "To remove an account, use \"drop user 'user'@'host'\"." >+ echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"." >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?" >+ echo -e "\033[0m" ; read ans >+ case "$ans" in >+ y*|Y*) >+ if [ ! -f /etc/my.cnf ]; then >+ echo "[mysqld]" >> /etc/my.cnf >+ echo "bind-address=127.0.0.1" >> /etc/my.cnf >+ echo "socket=/tmp/mysql.sock" >> /etc/my.cnf >+ echo "ft_min_word_len=3" >> /etc/my.cnf >+ mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` >+ echo "The mysql pid is ${mysql_pid}...." >+ if [ -z ${mysql_pid} ]; then >+ %%PREFIX%%/etc/rc.d/mysql-server start >+ else >+ %%PREFIX%%/etc/rc.d/mysql-server restart >+ fi >+ else >+ echo "/etc/my.cnf already exists!" >+ echo "add \"bind-address=127.0.0.1\" in the [mysqld] section " >+ echo "to force mysql to listen only on localhost." >+ echo "Then restart the server to accept the new settings." >+ fi >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mWould you like to create the database to store all nsm data?" >+ echo -e "\033[0m" ; read ans >+ echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade." >+ case "$ans" in >+ y*|Y*) >+ if [ -z ${rootpwd} ]; then >+ echo "What is the password for the mysql root user?"; read rootpwd >+ fi >+ mysql -u root -p${rootpwd} -e "create database sguildb" >+ mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql >+ ;; >+ n*|N*) >+ echo -e "\033[1mPlease note: if you are upgrading from a previous version " >+ echo "of sguil, you need to run the upgrade_0.7.tcl script located in " >+ echo "'${scriptdir}'." >+ echo -e "\033[0mIf you've already cleaned the port directory, run " >+ echo "make extract to recover the files and access the script." >+ echo "" >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?" >+ echo -e "\033[0m" ; read ans >+ case "$ans" in >+ y*|Y*) >+ if [ -z ${rootpwd} ]; then >+ echo "Please enter the password for the mysql root account." ; read rootpwd >+ fi >+ echo -e "\033[1mPlease enter the password that you want to use for the sguild account." >+ echo -e "\033[0m"; read sguildpwd >+ echo "Creating account for sguild with access to sguildb....." >+ mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \ >+ to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'" >+ mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'" >+ mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES" >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mWould you like to create the data directory and all its subdirectories?" >+ echo -e "\033[0m"; read ans >+ case "$ans" in >+ y*|Y*) >+ echo "What do you want the name of the main directory to be?" >+ echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir >+ echo "The main directory will be named '${maindir}'." >+ for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do >+ if [ ! -d ${dir} ]; then >+ echo "Creating ${dir} ...." >+ install -d -o ${sguil_user} -g ${sguil_group} \ >+ -m 0750 ${dir} >+ else >+ echo -e "\033[1mThe directory '${dir}' already exists!" >+ echo -e "\033[0m" >+ fi >+ done >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?" >+ echo -e "\033[0m"; read ans >+ case "$ans" in >+ y*|Y*) >+ case ${sguild_enable} in >+ [Yy][Ee][Ss]) >+ echo -e "\033[1mIt appears that sguild is already enabled!" >+ echo -e "\033[0m" >+ ;; >+ *) >+ echo -e i"\033[1mWriting to /etc/rc.conf...." >+ echo -e "\033[0m" >+ echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf >+ echo "sguild_enable=\"YES\"" >> /etc/rc.conf >+ ;; >+ esac >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now." >+ echo -e "\033[0m" >+ if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then >+ echo "The sguild.conf file already exists!" >+ echo "Do you want me to edit it anyway?" ; read ans >+ case "$ans" in >+ y*|Y*) >+ echo -e "\033[1mPreparing to edit the sguild.conf file......" >+ if [ -z ${maindir} ]; then >+ echo "There's a couple of things I need to verify before continuing." >+ echo "What is the name of the main nsm directory that you are using?" >+ echo -e "\033[0m" ; read ans >+ maindir="$ans" >+ fi >+ if [ -z ${sguildpwd} ]; then >+ echo -e "\033[1mWhat is the password for the sguild database user?" >+ echo -e "\033[0m" ; read ans >+ sguildpwd="$ans" >+ fi >+ sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ >+ -e 's|sguild_data|'"${maindir}"'|' \ >+ < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf >+ ;; >+ n*|N*) >+ ;; >+ *) >+ exit 64 >+ ;; >+ esac >+ else >+ echo -e "\033[1mPreparing to edit the sguild.conf file......" >+ if [ -z ${maindir} ]; then >+ echo "There's a couple of things I need to verify before continuing." >+ echo "What is the name of the main nsm directory that you are using?" >+ echo -e "\033[0m" ; read ans >+ maindir="$ans" >+ fi >+ if [ -z ${sguildpwd} ]; then >+ echo -e "\033[1mWhat is the password for the sguild database user?" >+ echo -e "\033[0m" ; read ans >+ sguildpwd="$ans" >+ fi >+ sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ >+ -e 's|sguild_data|'"${maindir}"'|' \ >+ < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf >+ fi >+ if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then >+ cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users >+ fi >+ if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then >+ cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access >+ fi >+ echo -e "\033[1mYou still need to review all the conf files and configure sguil " >+ echo "per your desired setup before starting sguild. Refer to the port docs in " >+ echo "%%DOCSDIR%% before proceeding." >+ echo -e "\033[0m" >+ echo "Right now, all the conf files except sguild.conf are set to the defaults." >+ for files in archive_sguildb.tcl sguild incident_report.tcl ; do >+ if [ -f %%PREFIX%%/bin/${files} ]; then >+ chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files} >+ fi >+ done >+ if [ ! -f %%PREFIX%%/bin/sguild ]; then >+ echo "Sguild is missing! Please correct the problem before continuing!" >+ exit 1 >+ fi >+ ;; >+*) >+ exit 64 >+ ;; >+esac >+exit 0
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=87060">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 123613
: 87060 |
87061