git: 18a4c3574d8f - main - security/crowdsec*: update to their latest releases
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 15 Jan 2022 13:16:34 UTC
The branch main has been updated by rene: URL: https://cgit.FreeBSD.org/ports/commit/?id=18a4c3574d8faad5936830be46ca5c14faaa7cc3 commit 18a4c3574d8faad5936830be46ca5c14faaa7cc3 Author: Rene Ladan <rene@FreeBSD.org> AuthorDate: 2022-01-15 13:15:52 +0000 Commit: Rene Ladan <rene@FreeBSD.org> CommitDate: 2022-01-15 13:15:52 +0000 security/crowdsec*: update to their latest releases security/crowdsec: - update to version 1.2.3 security/crowdsec-firewall-bouncer: - update to version 0.0.20 - update pkg-message Add log rotation to both ports, and other small improvements. PR: 260262 --- security/crowdsec-firewall-bouncer/Makefile | 16 ++++++---- security/crowdsec-firewall-bouncer/distinfo | 6 ++-- .../files/crowdsec-firewall-bouncer.conf-newsyslog | 2 ++ .../files/crowdsec_firewall.in | 11 ++++++- .../crowdsec-firewall-bouncer/files/patch-Makefile | 12 ++++---- .../crowdsec-firewall-bouncer/files/pkg-message.in | 34 +++++++++++++--------- security/crowdsec-firewall-bouncer/pkg-plist | 3 ++ security/crowdsec/Makefile | 21 +++++++++---- security/crowdsec/distinfo | 6 ++-- security/crowdsec/files/crowdsec.conf-newsyslog | 3 ++ security/crowdsec/files/crowdsec.in | 15 +++++----- security/crowdsec/files/patch-Makefile | 29 +++++++++++++----- security/crowdsec/files/patch-config_acquis.yaml | 12 ++++++++ security/crowdsec/pkg-plist | 7 +++++ 14 files changed, 126 insertions(+), 51 deletions(-) diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile index 36a868801a50..6f9b4c3b9649 100644 --- a/security/crowdsec-firewall-bouncer/Makefile +++ b/security/crowdsec-firewall-bouncer/Makefile @@ -1,5 +1,5 @@ PORTNAME= crowdsec-firewall-bouncer -PORTVERSION= 0.0.17 # NOTE: change BUILD_VERSION and BUILD_TAG as well +PORTVERSION= 0.0.20 # NOTE: change BUILD_VERSION and BUILD_TAG as well DISTVERSIONPREFIX= v CATEGORIES= security @@ -19,6 +19,7 @@ RUN_DEPENDS= crowdsec>0:security/crowdsec USE_GITHUB= yes GH_ACCOUNT= crowdsecurity GH_PROJECT= cs-firewall-bouncer +GH_TAGNAME= v0.0.20-freebsd #GH_TAGNAME is automatically set from DISTVERSION USE_RC_SUBR= crowdsec_firewall @@ -28,14 +29,11 @@ SUB_FILES= pkg-message \ # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1)) # BUILD_TAG=$(git rev-parse HEAD) -MAKE_ENV= BUILD_VERSION="v0.0.17" \ - BUILD_TAG="b330209afcdefd0046fd6790999bbb342c02f1b3" +MAKE_ENV= BUILD_VERSION="v0.0.20" \ + BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310" ETCDIR= ${PREFIX}/etc/crowdsec/bouncers -do-patch: - cd ${WRKSRC} && go mod download github.com/mattn/go-sqlite3 - post-patch: ${REINPLACE_CMD} 's,$${BACKEND},pf,g' \ ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml @@ -56,4 +54,10 @@ do-install: ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \ ${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample + # + # Log rotation + # + + ${INSTALL_DATA} ${FILESDIR}/crowdsec-firewall-bouncer.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample + .include <bsd.port.mk> diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo index 001ca177529b..1548b93d6c60 100644 --- a/security/crowdsec-firewall-bouncer/distinfo +++ b/security/crowdsec-firewall-bouncer/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1637702397 -SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 53af239b86c6b554da3711e3686d7d3036d33b2e561bfb00e195b6c8a06918c8 -SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 143037 +TIMESTAMP = 1640213523 +SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171 +SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717 diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog new file mode 100644 index 000000000000..b26fae25b5ce --- /dev/null +++ b/security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog @@ -0,0 +1,2 @@ +# logfilename [owner:group] mode count size(kb) when flags [/pid_file] [sig_num] +/var/log/crowdsec-firewall-bouncer.log root:wheel 644 10 5120 * JC /var/run/crowdsec_firewall.pid diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in index ee3dcc9f7325..6a0f96f26f8f 100755 --- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in +++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in @@ -1,7 +1,7 @@ #!/bin/sh # # PROVIDE: crowdsec_firewall -# REQUIRE: LOGIN DAEMON NETWORKING +# REQUIRE: LOGIN DAEMON NETWORKING crowdsec # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf @@ -41,6 +41,15 @@ crowdsec_firewall_precmd() { fi fi fi + + # needs real tabs + cat <<-EOT | /sbin/pfctl -f /dev/fd/0 + table <crowdsec-blacklists> persist + table <crowdsec6-blacklists> persist + block drop in quick from <crowdsec-blacklists> to any + block drop in quick from <crowdsec6-blacklists> to any + EOT + } crowdsec_firewall_start() { diff --git a/security/crowdsec-firewall-bouncer/files/patch-Makefile b/security/crowdsec-firewall-bouncer/files/patch-Makefile index 6d9e9a2e2f42..df450e5e1b27 100644 --- a/security/crowdsec-firewall-bouncer/files/patch-Makefile +++ b/security/crowdsec-firewall-bouncer/files/patch-Makefile @@ -1,11 +1,11 @@ ---- Makefile.orig 2021-12-07 09:00:17 UTC +--- Makefile.orig 2021-12-22 22:57:23 UTC +++ Makefile -@@ -11,7 +11,7 @@ GOGET=$(GOCMD) get - BUILD_VERSION?="$(shell git describe --tags `git rev-list --tags --max-count=1`)" +@@ -11,7 +11,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')" BUILD_TIMESTAMP=$(shell date +%F"_"%T) --BUILD_TAG="$(shell git rev-parse HEAD)" -+BUILD_TAG?="$(shell git rev-parse HEAD)" - export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ + BUILD_TAG?="$(shell git rev-parse HEAD)" +-export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ ++export LD_OPTS=-mod vendor -modcacherw --ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \ -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \ -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \ + -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=$(BUILD_GOVERSION)" diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in index 3929d468efd0..8bcdc8d1d9d6 100644 --- a/security/crowdsec-firewall-bouncer/files/pkg-message.in +++ b/security/crowdsec-firewall-bouncer/files/pkg-message.in @@ -11,27 +11,35 @@ configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need to check if you made any changes there. -If it's the first time, you need to edit your Packet Filter configuration. -Add the following in /etc/pf.conf to create the tables: +This package depends on the Packet Filter service. +To make sure it's active: ---------- -# create crowdsec ipv4 table -table <crowdsec-blacklists> persist +# sysrc pf_enable=YES +pf_enable: NO -> YES +# service pf start +Enabling pf. +---------- -# create crowdsec ipv6 table -table <crowdsec6-blacklists> persist +Then activate the bouncer via sysrc: -block drop in quick from <crowdsec-blacklists> to any -block drop in quick from <crowdsec6-blacklists> to any +---------- +# sysrc crowdsec_firewall_enable="YES" +crowdsec_firewall_enable: NO -> YES +# service crowdsec_firewall start ---------- -To apply the file: - -# pfctl -f /etc/pf.conf +After a few seconds, the bouncer should have created the tables and rules: -Then activate the bouncer via sysrc: +---------- +# pfctl -s Tables +crowdsec-blacklists +crowdsec6-blacklists +# pfctl -s Tables -s rules +block drop in quick from <crowdsec-blacklists> to any +block drop in quick from <crowdsec6-blacklists> to any +---------- -# sysrc crowdsec_firewall_enable="YES" EOM } ] diff --git a/security/crowdsec-firewall-bouncer/pkg-plist b/security/crowdsec-firewall-bouncer/pkg-plist index 6a41287c1e57..ecbf8e901981 100644 --- a/security/crowdsec-firewall-bouncer/pkg-plist +++ b/security/crowdsec-firewall-bouncer/pkg-plist @@ -1,4 +1,7 @@ @mode 0755 bin/crowdsec-firewall-bouncer +@dir etc/newsyslog.conf.d @mode 0600 @sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample +@mode 0644 +@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile index f3683aee9c30..dbc74172642a 100644 --- a/security/crowdsec/Makefile +++ b/security/crowdsec/Makefile @@ -1,5 +1,5 @@ PORTNAME= crowdsec -PORTVERSION= 1.2.1 # NOTE: change BUILD_VERSION and BUILD_TAG as well +PORTVERSION= 1.2.3 # NOTE: change BUILD_VERSION and BUILD_TAG as well DISTVERSIONPREFIX= v CATEGORIES= security @@ -18,19 +18,18 @@ USES= gmake USE_GITHUB= yes GH_ACCOUNT= crowdsecurity GH_PROJECT= crowdsec +GH_TAGNAME= v1.2.3-freebsd #GH_TAGNAME is automatically set from DISTVERSION USE_RC_SUBR= crowdsec -USE_RC_SUBR= crowdsec - SUB_FILES= pkg-message \ pkg-deinstall # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1)) # BUILD_TAG=$(git rev-parse HEAD) -MAKE_ENV= BUILD_VERSION="v1.2.1" \ - BUILD_TAG="dd03d073558e380c283afe66942f537c3da647ff" +MAKE_ENV= BUILD_VERSION="v1.2.3" \ + BUILD_TAG="fc4be1e0ffc5888f2824358464cb2426cd4472e1" PLUGIN_DIR= ${PREFIX}/lib/crowdsec/plugins STAGE_PLUGINS= ${STAGEDIR}${PLUGIN_DIR} @@ -62,6 +61,7 @@ do-install: ${LN} -s cscli ${STAGE_BIN}/crowdsec-cli @${MKDIR} ${STAGE_PLUGINS} + ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/email/notification-email ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/http/notification-http ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/slack/notification-slack ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/splunk/notification-splunk ${STAGE_PLUGINS}/ @@ -92,6 +92,10 @@ do-install: @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications + @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/email + @${MV} ${WRKSRC}/plugins/notifications/email/email.yaml \ + ${STAGEDIR}${ETCDIR}/notifications/email/email.yaml.sample + @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/http @${MV} ${WRKSRC}/plugins/notifications/http/http.yaml \ ${STAGEDIR}${ETCDIR}/notifications/http/http.yaml.sample @@ -119,4 +123,11 @@ do-install: @${MKDIR} ${STAGEDIR}${ETCDIR}/hub @${MKDIR} ${STAGEDIR}/var/db/crowdsec/data + # + # Log rotation + # + + @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} + ${INSTALL_DATA} ${FILESDIR}/crowdsec.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec.conf.sample + .include <bsd.port.mk> diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo index 1eecdf198266..a87959633114 100644 --- a/security/crowdsec/distinfo +++ b/security/crowdsec/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1637702390 -SHA256 (crowdsecurity-crowdsec-v1.2.1_GH0.tar.gz) = e3a9bbb70b1995a83c5001d06dbbcb5f59d43e4d7c18b60548f305a62d2dd6a3 -SIZE (crowdsecurity-crowdsec-v1.2.1_GH0.tar.gz) = 659398 +TIMESTAMP = 1642022158 +SHA256 (crowdsecurity-crowdsec-v1.2.3-v1.2.3-freebsd_GH0.tar.gz) = 9b3dd5fcc7b67cf89a1a661009a215b9a7f7a0efeb598456480e57fbd6e9bb4b +SIZE (crowdsecurity-crowdsec-v1.2.3-v1.2.3-freebsd_GH0.tar.gz) = 19122216 diff --git a/security/crowdsec/files/crowdsec.conf-newsyslog b/security/crowdsec/files/crowdsec.conf-newsyslog new file mode 100644 index 000000000000..a32cf4d567d7 --- /dev/null +++ b/security/crowdsec/files/crowdsec.conf-newsyslog @@ -0,0 +1,3 @@ +# logfilename [owner:group] mode count size(kb) when flags [/pid_file] [sig_num] +/var/log/crowdsec.log root:wheel 644 10 5120 * JC /var/run/crowdsec.pid +/var/log/crowdsec_api.log root:wheel 644 10 5120 * JC /var/run/crowdsec.pid diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in index 04b7c02130f9..ac0f384a9572 100644 --- a/security/crowdsec/files/crowdsec.in +++ b/security/crowdsec/files/crowdsec.in @@ -43,12 +43,12 @@ crowdsec_precmd() { } HUB_DIR=$(Config ConfigPaths.HubDir) - if ! ls -1qA "$HUB_DIR/*" >/dev/null 2>&1; then + if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then echo "Fetching hub inventory" cs_cli hub update || : fi - if [ -z "$(cs_cli machines list -o raw)" ]; then + if [ "$(cs_cli machines list -o json)" = "[]" ]; then echo "Registering LAPI" cs_cli machines add --auto || : fi @@ -59,12 +59,13 @@ crowdsec_precmd() { cs_cli capi register || : fi - cs_cli collections inspect crowdsecurity/linux >/dev/null || cs_cli collections install crowdsecurity/linux || : + # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet. + # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \ + # cs_cli collections install crowdsecurity/freebsd || : - DATA_DIR=$(Config ConfigPaths.DataDir) - if [ ! -f "${DATA_DIR}/GeoLite2-City.mmdb" ]; then - echo "Installing GeoIP enricher" - cs_cli parsers install crowdsecurity/geoip-enrich || : + # So we just check for the file + if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then + cs_cli collections install crowdsecurity/freebsd || : fi } diff --git a/security/crowdsec/files/patch-Makefile b/security/crowdsec/files/patch-Makefile index 909dceada263..840e31a44477 100644 --- a/security/crowdsec/files/patch-Makefile +++ b/security/crowdsec/files/patch-Makefile @@ -1,11 +1,26 @@ ---- Makefile.orig 2021-11-17 09:15:38 UTC +--- Makefile.orig 2021-12-21 21:18:22 UTC +++ Makefile -@@ -42,7 +42,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l - BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -E 's/[go]+//g')" - BUILD_CODENAME=$(shell cat RELEASE.json | jq -r .CodeName) +@@ -44,14 +44,14 @@ BUILD_CODENAME=$(shell cat RELEASE.json | jq -r .CodeN BUILD_TIMESTAMP=$(shell date +%F"_"%T) --BUILD_TAG="$(shell git rev-parse HEAD)" -+BUILD_TAG?="$(shell git rev-parse HEAD)" + BUILD_TAG?="$(shell git rev-parse HEAD)" - export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \ +-export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \ ++export LD_OPTS=-mod vendor -modcacherw -ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.System=$(SYSTEM) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.BuildDate=$(BUILD_TIMESTAMP) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Codename=$(BUILD_CODENAME) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Tag=$(BUILD_TAG) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.GoVersion=$(BUILD_GOVERSION)" + +-export LD_OPTS_STATIC=-ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \ ++export LD_OPTS_STATIC=-mod vendor -modcacherw -ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.BuildDate=$(BUILD_TIMESTAMP) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Codename=$(BUILD_CODENAME) \ + -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Tag=$(BUILD_TAG) \ +@@ -176,4 +176,4 @@ check_release: + release: check_release build package + + .PHONY: +-release_static: check_release static package_static +\ No newline at end of file ++release_static: check_release static package_static diff --git a/security/crowdsec/files/patch-config_acquis.yaml b/security/crowdsec/files/patch-config_acquis.yaml new file mode 100644 index 000000000000..67b4ef3c693b --- /dev/null +++ b/security/crowdsec/files/patch-config_acquis.yaml @@ -0,0 +1,12 @@ +--- config/acquis.yaml.orig 2021-12-15 10:39:37 UTC ++++ config/acquis.yaml +@@ -11,6 +11,8 @@ filenames: + labels: + type: syslog + --- +-filename: /var/log/apache2/*.log ++filenames: ++ - /var/log/httpd-access.log ++ - /var/log/httpd-error.log + labels: + type: apache2 diff --git a/security/crowdsec/pkg-plist b/security/crowdsec/pkg-plist index 5a02566e9cf2..a8e54a73df13 100644 --- a/security/crowdsec/pkg-plist +++ b/security/crowdsec/pkg-plist @@ -10,9 +10,13 @@ bin/crowdsec-cli @sample %%ETCDIR%%/config.yaml.sample @sample %%ETCDIR%%/profiles.yaml.sample @sample %%ETCDIR%%/simulation.yaml.sample +@sample %%ETCDIR%%/notifications/email/email.yaml.sample @sample %%ETCDIR%%/notifications/http/http.yaml.sample @sample %%ETCDIR%%/notifications/slack/slack.yaml.sample @sample %%ETCDIR%%/notifications/splunk/splunk.yaml.sample +%%ETCDIR%%/dev.yaml +%%ETCDIR%%/user.yaml +%%ETCDIR%%/crowdsec.service %%ETCDIR%%/patterns/aws %%ETCDIR%%/patterns/bacula %%ETCDIR%%/patterns/bro @@ -37,10 +41,13 @@ bin/crowdsec-cli %%ETCDIR%%/patterns/smb %%ETCDIR%%/patterns/ssh %%ETCDIR%%/patterns/tcpdump +@sample etc/newsyslog.conf.d/crowdsec.conf.sample @mode 0755 +lib/crowdsec/plugins/notification-email lib/crowdsec/plugins/notification-http lib/crowdsec/plugins/notification-slack lib/crowdsec/plugins/notification-splunk @dir %%ETCDIR%%/hub @dir /var/db/crowdsec/data @dir /var/db/crowdsec +@dir etc/newsyslog.conf.d