author | shannonjr <shannonjr@pkgsrc.org> | 2006-01-29 15:56:42 +0000 |
---|---|---|
committer | shannonjr <shannonjr@pkgsrc.org> | 2006-01-29 15:56:42 +0000 |
commit | ea1490c7aa96d235e4a7f50ec08ddfc9a924927d (patch) | |
tree | 39fc0d6b23f664ef52334ce488b39eceabd5c5b8 /security | |
parent | 8586b15a4eece63338e76e8de737f235d53e08df (diff) | |
download | pkgsrc-ea1490c7aa96d235e4a7f50ec08ddfc9a924927d.tar.gz |
Prelude is a hybrid IDS consisting of multiple
sensors, managers, and a display console.
Prelude-lml is the log file analyzer. It scans
system log files and generates IDMEF alerts to
the prelude-manager based on signature rulesets.
This is one of several new Prelude packages.
Diffstat (limited to 'security')
-rw-r--r-- | security/prelude-lml/DESCR | 5 | ||||
-rw-r--r-- | security/prelude-lml/Makefile | 53 | ||||
-rw-r--r-- | security/prelude-lml/PLIST | 9 | ||||
-rw-r--r-- | security/prelude-lml/distinfo | 7 | ||||
-rw-r--r-- | security/prelude-lml/files/preludelml.sh | 18 | ||||
-rw-r--r-- | security/prelude-lml/files/run-prelude-lml.c | 151 | ||||
-rw-r--r-- | security/prelude-lml/patches/patch-aa | 13 | ||||
-rw-r--r-- | security/prelude-lml/patches/patch-ab | 51 |
8 files changed, 307 insertions, 0 deletions
diff --git a/security/prelude-lml/DESCR b/security/prelude-lml/DESCR
new file mode 100644
index 00000000000..d0dbb033523
--- /dev/null
+++ b/security/prelude-lml/DESCR
@@ -0,0 +1,5 @@
+Prelude is a hybrid IDS consisting of multiple
+sensors, managers, and a display console.
+Prelude-lml is the log file analyzer. It scans
+system log files and generates IDMEF alerts to
+the prelude-manager based on signature rulesets.
diff --git a/security/prelude-lml/Makefile b/security/prelude-lml/Makefile
new file mode 100644
index 00000000000..2a9f5b17cbf
--- /dev/null
+++ b/security/prelude-lml/Makefile
@@ -0,0 +1,53 @@
+# $NetBSD: Makefile,v 1.1.1.1 2006/01/29 15:56:42 shannonjr Exp $
+#
+
+DISTNAME= prelude-lml-0.9.1
+CATEGORIES= security
+MASTER_SITES= http://www.prelude-ids.org/download/releases/
+
+MAINTAINER= shannonjr@NetBSD.org
+HOMEPAGE= http://www.prelude-ids.org/download/releases/
+COMMENT= Log analyzer monitoring your logfile and received syslog messages
+
+.include "../../mk/bsd.prefs.mk"
+
+PRELUDE_USER?= _prelude
+PRELUDE_GROUP?= _prelude
+
+USE_PKGLOCALEDIR= yes
+USE_LIBTOOL= yes
+GNU_CONFIGURE= yes
+USE_GNU_TOOLS+= make
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+= --with-html-dir=${PREFIX}/share/doc
+CONFIGURE_ARGS+= --disable-fam
+CONFIGURE_ARGS+= --localstatedir=${VARBASE:Q}
+RCD_SCRIPTS= preludelml
+PRELUDE_USER?= _prelude
+PRELUDE_GROUP?= _prelude
+PRELUDE_HOME= ${VARBASE:Q}/prelude-lml
+PKG_USERS= ${PRELUDE_USER}:${PRELUDE_GROUP}::Prelude\ IDS:${PRELUDE_HOME}:${NOLOGIN}
+PKG_GROUPS= ${PRELUDE_GROUP}
+FILES_SUBST+= PRELUDE_LML_PID_DIR=${PRELUDE_LML_PID_DIR:Q}
+FILES_SUBST+= PRELUDE_USER=${PRELUDE_USER:Q}
+
+SUBST_CLASSES+= code
+SUBST_STAGE.code= post-patch
+SUBST_FILES.code= run-prelude-lml.c
+SUBST_SED.code= -e 's,@PREFIX@,${PREFIX},g'
+SUBST_SED.code+= -e 's,@PRELUDE_USER@,${PRELUDE_USER},g'
+
+pre-patch:
+ ${CP} ${FILESDIR}/run-prelude-lml.c ${WRKSRC}
+
+post-build:
+ cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${CC} ${CFLAGS} -o run-prelude-lml run-prelude-lml.c
+
+post-install:
+ ${INSTALL_PROGRAM} ${WRKSRC}/run-prelude-lml ${PREFIX}/sbin/run-prelude-lml
+ ${CHMOD} 755 ${PKG_SYSCONFDIR}/prelude-lml
+ ${CHOWN} -R ${PRELUDE_USER}:${PRELUDE_GROUP} ${PRELUDE_HOME}
+
+.include "../../security/libprelude/buildlink3.mk"
+.include "../../devel/pcre/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/prelude-lml/PLIST b/security/prelude-lml/PLIST
new file mode 100644
index 00000000000..6f916f8cbd8
--- /dev/null
+++ b/security/prelude-lml/PLIST
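Review bot: `FILES_SUBST+= PRELUDE_LML_PID_DIR=${PRELUDE_LML_PID_DIR:Q}` substitutes a variable this Makefile never sets; unless bsd.prefs.mk or the libprelude buildlink defines it (not visible here), the rc script's pidfile expands to `/prelude-lml.pid` and `stop`/`status` look in the wrong place. Define it next to PRELUDE_HOME, e.g. `PRELUDE_LML_PID_DIR?= ${VARBASE}/run`, and confirm it matches where `prelude-lml -d` actually writes its pid. `PRELUDE_USER?=`/`PRELUDE_GROUP?=` are assigned twice, once before the USE_* block and again after RCD_SCRIPTS; drop the second pair. post-install also runs `${CHMOD} 755 ${PKG_SYSCONFDIR}/prelude-lml` while patch-ab installs prelude-lml.conf and plugins.rules there with mode 600 and no owner, and the wrapper execs prelude-lml as ${PRELUDE_USER}, so presumably the daemon cannot read its own configuration — the usual pkgsrc shape is `CONF_FILES_PERMS` with `${PRELUDE_USER} ${PRELUDE_GROUP} 0600` rather than chmod/chown in post-install.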
@@ -0,0 +1,9 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2006/01/29 15:56:42 shannonjr Exp $
+bin/prelude-lml
+include/prelude-lml/prelude-lml.h
+lib/prelude-lml/debug.la
+lib/prelude-lml/pcre.la
+sbin/run-prelude-lml
+share/examples/rc.d/preludelml
+@dirrm lib/prelude-lml
+@dirrm include/prelude-lml
diff --git a/security/prelude-lml/distinfo b/security/prelude-lml/distinfo
new file mode 100644
index 00000000000..a374dddd4b8
--- /dev/null
+++ b/security/prelude-lml/distinfo
@@ -0,0 +1,7 @@
+$NetBSD: distinfo,v 1.1.1.1 2006/01/29 15:56:42 shannonjr Exp $
+
+SHA1 (prelude-lml-0.9.1.tar.gz) = 2d3cb99256c84813e4fe4f17c5f5b6e8609d4bcd
+RMD160 (prelude-lml-0.9.1.tar.gz) = a48e849a3cfbaa32cd7e238e0b17a3dc5d6c9114
+Size (prelude-lml-0.9.1.tar.gz) = 515291 bytes
+SHA1 (patch-aa) = 6ed3c426d1b18ff748a3777527fbf0046caaf97f
+SHA1 (patch-ab) = df8bb7777d1938a167e4d27bf5a140e6d55e536b
diff --git a/security/prelude-lml/files/preludelml.sh b/security/prelude-lml/files/preludelml.sh
new file mode 100644
index 00000000000..6158c719093
--- /dev/null
+++ b/security/prelude-lml/files/preludelml.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# $NetBSD: preludelml.sh,v 1.1.1.1 2006/01/29 15:56:42 shannonjr Exp $
+#
+
+# PROVIDE: preludelml
+# REQUIRE: LOGIN
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="preludelml"
+rcvar=${name}
+required_files="@PKG_SYSCONFDIR@/prelude-lml/prelude-lml.conf"
+start_cmd="@PREFIX@/sbin/run-prelude-lml -d"
+pidfile="@PRELUDE_LML_PID_DIR@/prelude-lml.pid"
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/security/prelude-lml/files/run-prelude-lml.c b/security/prelude-lml/files/run-prelude-lml.c
new file mode 100644
index 00000000000..cd6dd165f05
--- /dev/null
+++ b/security/prelude-lml/files/run-prelude-lml.c
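Review bot: `start_cmd` replaces rc.subr's standard start without setting `command`, so `stop` and `status` depend entirely on `pidfile`, yet nothing on the start line tells prelude-lml where to write its pid; the path baked in via @PRELUDE_LML_PID_DIR@ has to coincide with the daemon's own default or `stop` may report the service as not running while the process lives on — either pass the pid-file option on `start_cmd` or add a comment stating that the path is the daemon's compiled-in default. Because run-prelude-lml drops to the unprivileged user before exec, the pid directory must also be writable by that user, which the package's post-install only arranges for ${PRELUDE_HOME}. Adding `required_dirs="@PRELUDE_LML_PID_DIR@"` would make a missing directory fail at start instead of silently yielding a daemon with no pidfile.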
@@ -0,0 +1,151 @@ +#define PRELUDE_LML_USER "@PRELUDE_USER@" +#define PRELUDE_LML_PATH "@PREFIX@/bin/prelude-lml" + +#include <unistd.h> +#include <string.h> +#include <stdio.h> +#include <errno.h> +#include <stdlib.h> +#include <sys/wait.h> +#include <pwd.h> +#include <syslog.h> + +#define MAX_ARGS 40 +#ifndef TRUE +#define TRUE 1 +#endif /* TRUE */ + +#ifndef FALSE +#define FALSE 0 +#endif /* FALSE */ + + +void error_sys(char *str) + +{ + /* Output error message to syslog */ + char msg[1024]; + snprintf(msg, sizeof(msg), "run-prelude-lml : %s : %s", str, strerror(errno)); + syslog(LOG_ALERT, msg); + +} + + +int obtainUIDandGID(const char *name, uid_t *pw_uid, gid_t *pw_gid) +{ + /* Obtain UID and GID from passwd entry identified by name */ + struct passwd *pw_entry; + char msg[100]; + + if ((pw_entry = getpwnam(name)) == NULL) + { + snprintf(msg, sizeof(msg), "failed to get password entry for %s", name); + error_sys(msg); + return FALSE; + } + else + { + *pw_uid = pw_entry->pw_uid; + *pw_gid = pw_entry->pw_gid; + return TRUE; + + } +} + + +int main (int argc, char **argv ) + +{ + + pid_t pid; + uid_t UID; + gid_t GID; + pid_t pidwait; + int waitstat; + + /* Sanity check */ + if (argc > MAX_ARGS) + { + error_sys("arg buffer too small"); + exit(-1); + } +/* + if (getpid() != 0) + { + error_sys("must be called by root"); + exit(-1); + } +*/ + + /* fork child that will become prelude-lml */ + if ((pid = fork()) < 0) + + error_sys("fork error"); + + else + + { + + if (pid == 0) + + { + + /* We're the child */ + char *args[MAX_ARGS]; + unsigned int i; + + /* Become session leader */ + setsid(); + + /* Clear out file creation mask */ + umask(0); + + if (!obtainUIDandGID(PRELUDE_LML_USER, &UID, &GID)) + exit(-1); + + /* Drop privileges immediately */ + if (setgid(GID) < 0) + { + /* It is VERY important to check return + value and not continue if setgid fails + */ + error_sys ("setgid failed"); + exit (-1); + } + + if (setuid(UID) < 0) + { + /* It is VERY important to 
check return + value and not continue if setuid fails + */ + error_sys ("setuid failed"); + exit (-1); + } + + /* Build calling argv */ + args[0] = PRELUDE_LML_PATH; + for (i=1;i<argc;i++) + { + args[i] = argv[i]; + } + args[i++] = NULL; + + /* Finally transform self into prelude-lml */ + if (execvp(PRELUDE_LML_PATH, args) < 0) + error_sys("execve error"); + else + ; /* avoid if-then ambiguity */ + } + + else + + { + /* We're the parent + Terminate + */ + exit(0); + } + + } + +} diff --git a/security/prelude-lml/patches/patch-aa b/security/prelude-lml/patches/patch-aa new file mode 100644 index 00000000000..1894abc1aea --- /dev/null +++ b/security/prelude-lml/patches/patch-aa @@ -0,0 +1,13 @@ +$NetBSD: patch-aa,v 1.1.1.1 2006/01/29 15:56:42 shannonjr Exp $ + +--- configure.orig 2005-11-24 04:46:20.000000000 -0700 ++++ configure +@@ -30610,7 +30610,7 @@ _ACEOF + configdir=$sysconfdir/prelude-lml + prelude_lml_conf=$configdir/prelude-lml.conf + regex_conf=$configdir/plugins.rules +-metadata_dir=$localstatedir/lib/prelude-lml ++metadata_dir=$localstatedir/prelude-lml + plugindir=$libdir/prelude-lml + log_plugin_dir=$plugindir + diff --git a/security/prelude-lml/patches/patch-ab b/security/prelude-lml/patches/patch-ab new file mode 100644 index 00000000000..6268f1c4b3b --- /dev/null +++ b/security/prelude-lml/patches/patch-ab 
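Review bot: The privilege drop in the child keeps root's supplementary groups: `setgid(GID)` and `setuid(UID)` change only the primary ids, so any group root was a member of (wheel, for instance) is still carried into prelude-lml; a `setgroups(1, &GID)` (declared in `<grp.h>` on some platforms) must run before `setgid`, with the same fail-hard handling. The sanity check `if (argc > MAX_ARGS)` is off by one — with argc == 40 the loop fills args[1..39] and the terminating `args[i++] = NULL` writes args[40], one past the end of the 40-element array — so it should read `if (argc >= MAX_ARGS)`. `umask(0)` before exec makes every file prelude-lml creates world-writable unless the daemon sets its own umask, which nothing here guarantees; a wrapper whose only job is to drop privileges should use `umask(022)` or tighter. Separately, `syslog(LOG_ALERT, msg)` in error_sys passes a non-literal format string and should be `syslog(LOG_ALERT, "%s", msg)`, and the child should `exit(-1)` after a failed `execvp` instead of falling off the end of main with status 0.
```c
/* … unchanged: fork, setsid … */
umask(022);

if (!obtainUIDandGID(PRELUDE_LML_USER, &UID, &GID))
    exit(-1);

/* Drop supplementary groups first: setgid()/setuid() leave them untouched */
if (setgroups(1, &GID) < 0)
{
    error_sys("setgroups failed");
    exit(-1);
}
/* … unchanged: setgid / setuid / argv build / execvp … */
```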
@@ -0,0 +1,51 @@ +$NetBSD: patch-ab,v 1.1.1.1 2006/01/29 15:56:42 shannonjr Exp $ + +--- Makefile.in.orig 2005-11-24 04:46:25.000000000 -0700 ++++ Makefile.in +@@ -600,33 +600,33 @@ uninstall-info: uninstall-info-recursive + + + install-data-local: +- $(INSTALL) -m 700 -d $(DESTDIR)$(metadata_dir) +- @if test -f $(DESTDIR)$(configdir)/prelude-lml.conf; then \ ++ $(INSTALL) -m 700 -d $(metadata_dir) ++ @if test -f $(configdir)/prelude-lml.conf; then \ + echo "********************************************************************************"; \ + echo; \ +- echo "$(DESTDIR)$(configdir)/prelude-lml.conf already exist..."; \ +- echo "Installing default configuration in $(DESTDIR)$(configdir)/prelude-lml.conf-dist"; \ ++ echo "$(configdir)/prelude-lml.conf already exist..."; \ ++ echo "Installing default configuration in $(configdir)/prelude-lml.conf-dist"; \ + echo; \ + echo "********************************************************************************"; \ +- $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/prelude-lml.conf-dist; \ ++ $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(configdir)/prelude-lml.conf-dist; \ + else \ +- $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/; \ ++ $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(configdir)/; \ + fi +- @if test -f $(DESTDIR)$(configdir)/plugins.rules; then \ ++ @if test -f $(configdir)/plugins.rules; then \ + echo "********************************************************************************"; \ + echo; \ +- echo "$(DESTDIR)$(configdir)/plugins.rules already exist..."; \ +- echo "Installing default configuration in $(DESTDIR)$(configdir)/plugins.rules-dist"; \ ++ echo "$(configdir)/plugins.rules already exist..."; \ ++ echo "Installing default configuration in $(configdir)/plugins.rules-dist"; \ + echo; \ + echo "********************************************************************************"; \ +- $(INSTALL) -m 600 $(top_srcdir)/plugins.rules 
$(DESTDIR)$(configdir)/plugins.rules-dist; \ ++ $(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(configdir)/plugins.rules-dist; \ + else \ +- $(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/; \ ++ $(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(configdir)/; \ + fi + + uninstall-local: +- rm -f $(DESTDIR)$(configdir)/prelude-lml.conf; \ +- rm -f $(DESTDIR)$(configdir)/plugin.rules; ++ rm -f $(configdir)/prelude-lml.conf; \ ++ rm -f $(configdir)/plugin.rules; + # Tell versions [3.59,3.63) of GNU make to not export all variables. + # Otherwise a system limit (for SysV at least) may be exceeded. + .NOEXPORT: |
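Review bot: Stripping `$(DESTDIR)` from install-data-local and uninstall-local gains nothing when DESTDIR is empty (both forms expand to the same path) and breaks any staged install when it is set, so the patch should say what it works around; the conventional pkgsrc approach is to leave the upstream rule alone, install the shipped configs under share/examples/prelude-lml and register them with CONF_FILES so the package manages the ${PKG_SYSCONFDIR} copies itself. The patched rule still installs prelude-lml.conf and plugins.rules with `-m 600` and no owner, which leaves them unreadable by the unprivileged ${PRELUDE_USER} the wrapper switches to — presumably why the Makefile later chmods the directory — and that is a strong hint the `CONF_FILES_PERMS` route is the one needed. The patch also carries forward upstream's `rm -f $(configdir)/plugin.rules` (singular), which does not match the installed `plugins.rules`, so uninstall leaves the rules file behind.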