root/honeywall/trunk/rpm-devel/roo-base/roo-base.spec @ 60

Revision 60, 31.3 KB (checked in by rmcmillen, 11 years ago)

Addresses Ticket #38. Added changes to ensure a new sid-msg.map file is created and loaded when rules are changed or added.

# $Id: $

#############################################
#
# Copyright (C) <2005> <The Honeynet Project>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#
#############################################
Name: roo-base
# Version follows CentOS version so yum $releasever works
Version: 5
Release: 28.hw
License: GPL
Source: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
Packager: Honeynet Project
Group: Applications/Internet
Summary: Honeywall functionality in a box
URL: http://www.honeynet.org/tools/cdrom/roo/
Vendor: Honeynet Project
#Obsoletes: fedora-logos
Provides: system-logos
# This is so yum "distroverpkg" works
Provides: redhat-release
Requires: coreutils sysklogd sudo mktemp sed grep initscripts grub crontabs
Requires: snort snortrules-snapshot kernel selinux-policy oinkmaster
Requires(post): /sbin/chkconfig
Requires(post): /usr/sbin/useradd
Requires(post): /bin/chmod
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service

%description
The roo package contains all the files that implement basic
honeywall functionality, all in a nice little package.

%prep
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

#######################################################################
# setup macro
# -a num  : Only unpack source number after changing to the directory
# -b num  : Only unpack source number before changing to the directory
# -c      : Create directory before unpacking.
# -D      : Do not delete the directory before unpacking
# -n name : Name the directory as name
# -q      : Run quietly with minimum output
# -T      : Disable the automatic unpacking of the archives.
#######################################################################
%setup -q -n src

#%build
#########################################################
# Common Red Hat RPM macros (rpm --showrc for more info)
# {_sourcedir} : /usr/src/redhat/SOURCES
# {_builddir}  : /usr/src/redhat/BUILD
# {_tmppath}   : /var/tmp
# {_libdir}    : /usr/lib
# {_bindir}    : /usr/bin
# {_datadir}   : /usr/share
# {_mandir}    : /usr/share/man
# {_docdir}    : /usr/share/doc
#########################################################

%install
%{__install} -d -m 755 %{buildroot}/hw/bin
%{__install} -d -m 755 %{buildroot}/hw/conf
%{__install} -d -m 755 %{buildroot}/hw/docs
%{__install} -d -m 755 %{buildroot}/hw/lib
%{__install} -d -m 755 %{buildroot}/hw/etc
# Use sticky bit set to prevent unauthorized deletions.
%{__install} -d -m 1777 %{buildroot}/hw/tmp
%{__install} -d -m 755 %{buildroot}/hw/var/log
%{__install} -d -m 755 %{buildroot}/hw/var/run
%{__install} -d -m 755 %{buildroot}/hw/var/spool
%{__install} -d -m 755 %{buildroot}/hw/etc/tripwire
%{__install} -d -m 755 %{buildroot}/hw/etc/logrotate.d
%{__install} -d -m 755 %{buildroot}/hw/sbin

%{__install} -D -m 0640 etc/whitelist.txt %{buildroot}/etc/whitelist.txt
%{__install} -D -m 0640 etc/blacklist.txt %{buildroot}/etc/blacklist.txt
%{__install} -D -m 0640 etc/fencelist.txt %{buildroot}/etc/fencelist.txt
%{__install} -D -m 0700 etc/monitrc %{buildroot}/etc/monitrc
%{__install} -D -m 0644 etc/redhat-release %{buildroot}/etc/redhat-release
%{__install} -D -m 0644 etc/argus_summary.conf %{buildroot}/etc/argus_summary.conf
%{__install} -D -m 0644 etc/swatchrc %{buildroot}/etc/swatchrc
%{__install} -D -m 0644 etc/dialogrc %{buildroot}/etc/dialogrc
%{__install} -D -m 0644 etc/honeywall.conf %{buildroot}/etc/honeywall.conf
%{__install} -D -m 0644 etc/honeywall.conf %{buildroot}/etc/honeywall.conf.orig
%{__install} -D -m 0750 etc/rc.d/init.d/bridge.sh %{buildroot}/etc/rc.d/init.d/bridge.sh
%{__install} -D -m 0750 etc/rc.d/init.d/hwdaemons %{buildroot}/etc/rc.d/init.d/hwdaemons
%{__install} -D -m 0750 etc/rc.d/init.d/hwdaemons_old %{buildroot}/etc/rc.d/init.d/hwdaemons_old
%{__install} -D -m 0755 etc/rc.d/init.d/hwfuncs.sub %{buildroot}/etc/rc.d/init.d/hwfuncs.sub
%{__install} -D -m 0750 etc/rc.d/init.d/hwnetwork %{buildroot}/etc/rc.d/init.d/hwnetwork
%{__install} -D -m 0750 etc/rc.d/init.d/monit.sh %{buildroot}/etc/rc.d/init.d/monit.sh
%{__install} -D -m 750 etc/rc.d/init.d/rc.firewall %{buildroot}/etc/rc.d/init.d/rc.firewall
%{__install} -D -m 0750 etc/rc.d/init.d/swatch.sh %{buildroot}/etc/rc.d/init.d/swatch.sh
%{__install} -D -m 0750 etc/rc.d/init.d/hwdont_run %{buildroot}/etc/rc.d/init.d/hwdont_run
%{__install} -D -m 0644 etc/yum.repos.d/honeynet.repo %{buildroot}/etc/yum.repos.d/honeynet.repo
%{__install} -D -m 0644 etc/yum.repos.d/honeynet-test.repo %{buildroot}/etc/yum.repos.d/honeynet-test.repo
%{__install} -D -m 0644 etc/yum.repos.d/os-base.repo %{buildroot}/etc/yum.repos.d/os-base.repo
%{__install} -D -m 0644 etc/yum.repos.d/os-updates.repo %{buildroot}/etc/yum.repos.d/os-updates.repo
%{__install} -D -m 0644 etc/yum.repos.d/os-extras.repo %{buildroot}/etc/yum.repos.d/os-extras.repo
%{__install} -D -m 0644 etc/yum.repos.d/rpmforge.repo %{buildroot}/etc/yum.repos.d/rpmforge.repo
%{__install} -D -m 0644 etc/yum.repos.d/epel.repo %{buildroot}/etc/yum.repos.d/epel.repo
%{__install} -D -m 0644 etc/yum.repos.d/media.repo %{buildroot}/etc/yum.repos.d/media.repo
%{__install} -D -m 0644 boot/grub/splash.xpm.gz %{buildroot}/boot/grub/splash.xpm.gz
%{__install} -D -m 0644 boot/grub/honeywall.xpm.gz %{buildroot}/boot/grub/honeywall.xpm.gz
%{__install} -D -m 0750 dlg/ShowDocs.sh %{buildroot}/dlg/ShowDocs.sh
%{__install} -D -m 0750 dlg/dowerundialog.sh %{buildroot}/dlg/dowerundialog.sh
%{__install} -D -m 0750 dlg/checkfiles %{buildroot}/dlg/checkfiles
%{__install} -D -m 0750 dlg/Status.sh %{buildroot}/dlg/Status.sh
%{__install} -D -m 0750 dlg/dialogmenu.sh %{buildroot}/dlg/dialogmenu.sh
%{__install} -D -m 0750 dlg/SetupHoneywall.sh %{buildroot}/dlg/SetupHoneywall.sh
%{__install} -D -m 0644 dlg/README %{buildroot}/dlg/README
%{__install} -D -m 0750 dlg/HoneyConfig.sh %{buildroot}/dlg/HoneyConfig.sh
%{__install} -D -m 0644 dlg/docs.tgz %{buildroot}/dlg/docs.tgz
%{__install} -D -m 0750 dlg/Administration-menu.sh %{buildroot}/dlg/Administration-menu.sh
%{__install} -D -m 0750 dlg/HoneyAdmin.sh %{buildroot}/dlg/HoneyAdmin.sh
%{__install} -D -m 0750 dlg/honeywall_init.sh %{buildroot}/dlg/honeywall_init.sh
%{__install} -D -m 0750 dlg/admin/DirectoryInitialization.sh %{buildroot}/dlg/admin/DirectoryInitialization.sh
%{__install} -D -m 0750 dlg/admin/AddUser.sh %{buildroot}/dlg/admin/AddUser.sh
%{__install} -D -m 0750 dlg/admin/SSHConfig.sh %{buildroot}/dlg/admin/SSHConfig.sh
%{__install} -D -m 0750 dlg/admin/MakeConfigs.sh %{buildroot}/dlg/admin/MakeConfigs.sh
%{__install} -D -m 0750 dlg/admin/DirectoryCleanup.sh %{buildroot}/dlg/admin/DirectoryCleanup.sh
%{__install} -D -m 0750 dlg/admin/Password.sh %{buildroot}/dlg/admin/Password.sh
%{__install} -D -m 0750 dlg/config/hw_build_ssh_config.sh %{buildroot}/dlg/config/hw_build_ssh_config.sh
%{__install} -D -m 0750 dlg/config/ModeConfig.sh %{buildroot}/dlg/config/ModeConfig.sh
%{__install} -D -m 0750 dlg/config/FenceList.sh %{buildroot}/dlg/config/FenceList.sh
%{__install} -D -m 0750 dlg/config/purgeDB.pl %{buildroot}/dlg/config/purgeDB.pl
%{__install} -D -m 0750 dlg/config/BlackWhite.sh %{buildroot}/dlg/config/BlackWhite.sh
%{__install} -D -m 0750 dlg/config/ChangeEmail.pl %{buildroot}/dlg/config/ChangeEmail.pl
%{__install} -D -m 0750 dlg/config/createWhiteRules.pl %{buildroot}/dlg/config/createWhiteRules.pl
%{__install} -D -m 0750 dlg/config/Summary.sh %{buildroot}/dlg/config/Summary.sh
%{__install} -D -m 0750 dlg/config/RoachMotel.sh %{buildroot}/dlg/config/RoachMotel.sh
%{__install} -D -m 0750 dlg/config/purgePcap.pl %{buildroot}/dlg/config/purgePcap.pl
%{__install} -D -m 0644 dlg/config/README %{buildroot}/dlg/config/README
%{__install} -D -m 0750 dlg/config/Email.pl %{buildroot}/dlg/config/Email.pl
%{__install} -D -m 0750 dlg/config/DNSConfig.sh %{buildroot}/dlg/config/DNSConfig.sh
%{__install} -D -m 0750 dlg/config/SebekConfig.sh %{buildroot}/dlg/config/SebekConfig.sh
%{__install} -D -m 0750 dlg/config/ConnectionLimit.sh %{buildroot}/dlg/config/ConnectionLimit.sh
%{__install} -D -m 0750 dlg/config/dns2resolv.sh %{buildroot}/dlg/config/dns2resolv.sh
%{__install} -D -m 0750 dlg/config/createBPFFilter.pl %{buildroot}/dlg/config/createBPFFilter.pl
%{__install} -D -m 0750 dlg/config/DataManage.sh %{buildroot}/dlg/config/DataManage.sh
%{__install} -D -m 0750 dlg/config/SnortinlineConfig.sh %{buildroot}/dlg/config/SnortinlineConfig.sh
%{__install} -D -m 0750 dlg/config/snortrules_cron.sh %{buildroot}/dlg/config/snortrules_cron.sh
%{__install} -D -m 0750 dlg/config/snortrules_config.sh %{buildroot}/dlg/config/snortrules_config.sh
%{__install} -D -m 0750 dlg/config/ManagementOpts.sh %{buildroot}/dlg/config/ManagementOpts.sh
%{__install} -D -m 0750 dlg/config/createBlackRules.pl %{buildroot}/dlg/config/createBlackRules.pl
%{__install} -D -m 0750 dlg/config/Upload.sh %{buildroot}/dlg/config/Upload.sh
%{__install} -D -m 0750 dlg/status/argus.sh %{buildroot}/dlg/status/argus.sh
%{__install} -D -m 0750 dlg/status/tcpdstat.sh %{buildroot}/dlg/status/tcpdstat.sh
%{__install} -D -m 0750 dlg/status/conntrack.sh %{buildroot}/dlg/status/conntrack.sh
%{__install} -D -m 0640 hw/Makefile.hwctl %{buildroot}/hw/Makefile.hwctl
%{__install} -D -m 0640 hw/etc/logrotate.d/rpm %{buildroot}/hw/etc/logrotate.d/rpm
%{__install} -D -m 0640 hw/etc/logrotate.d/syslog %{buildroot}/hw/etc/logrotate.d/syslog
%{__install} -D -m 0640 hw/etc/logrotate.d/yum %{buildroot}/hw/etc/logrotate.d/yum
%{__install} -D -m 0640 etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 %{buildroot}/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
%{__install} -D -m 0640 etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL %{buildroot}/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
%{__install} -D -m 0640 etc/pki/rpm-gpg/RPM-GPG-KEY-beta %{buildroot}/etc/pki/rpm-gpg/RPM-GPG-KEY-beta
%{__install} -D -m 0640 etc/pki/rpm-gpg/RPM-GPG-KEY.honeynet.txt %{buildroot}/etc/pki/rpm-gpg/RPM-GPG-KEY.honeynet.txt
%{__install} -D -m 0640 etc/pki/rpm-gpg/RPM-GPG-KEY.dag.txt %{buildroot}/etc/pki/rpm-gpg/RPM-GPG-KEY.dag.txt
%{__install} -D -m 0640 hw/etc/tripwire/twpol.txt %{buildroot}/hw/etc/tripwire/twpol.txt
%{__install} -D -m 0644 hw/docs/CREDITS %{buildroot}/hw/docs/CREDITS
%{__install} -D -m 0644 hw/docs/LICENSE %{buildroot}/hw/docs/LICENSE
%{__install} -D -m 0644 hw/docs/README %{buildroot}/hw/docs/README
%{__install} -D -m 0644 hw/docs/README.snortrules %{buildroot}/hw/docs/README.snortrules
%{__install} -D -m 0644 hw/docs/README.internals %{buildroot}/hw/docs/README.internals
%{__install} -D -m 0644 hw/docs/README.ssh_hwconf_import %{buildroot}/hw/docs/README.ssh_hwconf_import
%{__install} -D -m 0750 hw/sbin/hwruleupdate %{buildroot}/hw/sbin/hwruleupdate
%{__install} -D -m 0700 usr/sbin/menu %{buildroot}/usr/sbin/menu
%{__install} -D -m 0750 usr/sbin/bootcustom.sh %{buildroot}/usr/sbin/bootcustom.sh
%{__install} -D -m 0750 usr/local/bin/privmsg.pl %{buildroot}/usr/local/bin/privmsg.pl
%{__install} -D -m 0750 usr/local/bin/showvars %{buildroot}/usr/local/bin/showvars
%{__install} -D -m 0750 usr/local/bin/connect_count %{buildroot}/usr/local/bin/connect_count
%{__install} -D -m 0750 usr/local/bin/ircdump.py %{buildroot}/usr/local/bin/ircdump.py
%{__install} -D -m 0750 usr/local/bin/summary.sh %{buildroot}/usr/local/bin/summary.sh
%{__install} -D -m 0750 usr/local/bin/rpm-key-import %{buildroot}/usr/local/bin/rpm-key-import
%{__install} -D -m 0750 usr/local/bin/lockdown-hw.sh %{buildroot}/usr/local/bin/lockdown-hw.sh
%{__install} -D -m 0750 usr/local/bin/traffic_summary.py %{buildroot}/usr/local/bin/traffic_summary.py
%{__install} -D -m 0750 usr/local/bin/runtw.sh %{buildroot}/usr/local/bin/runtw.sh
%{__install} -D -m 0750 usr/local/bin/ipgrep %{buildroot}/usr/local/bin/ipgrep
%{__install} -D -m 0750 usr/local/bin/loadvars %{buildroot}/usr/local/bin/loadvars
%{__install} -D -m 0750 usr/local/bin/hwrepoconf %{buildroot}/usr/local/bin/hwrepoconf
%{__install} -D -m 0750 usr/local/bin/hwctl %{buildroot}/usr/local/bin/hwctl
%{__install} -D -m 0750 usr/local/bin/hwvarcheck %{buildroot}/usr/local/bin/hwvarcheck
%{__install} -D -m 0750 usr/local/bin/dumpvars %{buildroot}/usr/local/bin/dumpvars
%{__install} -D -m 0750 usr/local/bin/hwreset_tally.sh %{buildroot}/usr/local/bin/hwreset_tally.sh
%{__install} -D -m 0750 usr/local/bin/getstats %{buildroot}/usr/local/bin/getstats
%{__install} -D -m 0750 usr/local/bin/get-cached-updates.sh %{buildroot}/usr/local/bin/get-cached-updates.sh

##################################################
# Parameter     %pre    %post    %preun  %postun #
# 1st install     1       1        N/C     N/C   #
# Upgrade         2       2         1       1    #
# Removal        N/C     N/C        0       0    #
##################################################

# If upgrade, stop HW services (will make this smarter later)
#if [ $1 == 2 ]; then
#       /etc/init.d/hwdaemons stop || :
#       /etc/init.d/rc.firewall stop || :
#fi

################################################################################
%post
################################################################################
if [ $1 -eq 1 ]; then
# DO IF INSTALL
#######################################
# Create user 'roo' password "honey"
   /usr/sbin/useradd -p '$1$mdOgmbxC$ZtXFdACTRLlkom8fTUyaA0' roo

# Enable HW services
   for SERVICE_ADD in rc.firewall hwnetwork bridge.sh hwdont_run swatch.sh; do
        chkconfig --add ${SERVICE_ADD}
   done

# Disable stuff we dont need (by default)
   for SERVICE_OFF in mcstrans ip6tables restorecond; do
        chkconfig ${SERVICE_OFF} off
   done

# Disable IPV6
   sed -i 's,NETWORKING_IPV6=yes,NETWORKING_IPV6=no,' /etc/sysconfig/network
   if [ "$(grep -c 'alias net-pf-10 off' /etc/modprobe.conf)" -ne 1 ]; then
        echo "alias net-pf-10 off" >> /etc/modprobe.conf
   fi
   if [ "$(grep -c 'alias ipv6 off' /etc/modprobe.conf)" -ne 1 ]; then
        echo "alias ipv6 off" >> /etc/modprobe.conf
   fi

# Set up the system crontab
cat <<EOF>> /etc/crontab
5 0 * * * root /etc/init.d/hw-snort_inline restart
1 * * * * root /etc/init.d/hw-pcap restart
0 1 * * * root /usr/local/bin/summary.sh
*/10 * * * * root /usr/local/bin/hwreset_tally.sh
EOF

#######################################
# Fix the initial (after install) boot splash
   GRUBC="/boot/grub/grub.conf"
# Determine root device
   rootdev=$(grep -v "#" ${GRUBC} | grep "root.*(" | sed "s/^.*root.*(\(.*\))/\1/" | sort | uniq)
# Quote ${rootdev} so several devices stay on separate lines for wc -l
   if [ -n "${rootdev}" ] && [ $(echo "${rootdev}" | wc -l) -eq 1 ]; then
# Only one root device, this is good; Check for "splashimage" line
        if [ $(grep -v "#" ${GRUBC} | grep -c "splashimage=(${rootdev})\/boot\/grub\/splash\.xpm\.gz") -ne 1 ]; then
                sed -i "s/\(default.*$\)/splashimage=(${rootdev})\/boot\/grub\/splash\.xpm\.gz\n\1/" ${GRUBC}
        fi
   fi
# check for "hiddenmenu"
   if [ $(grep -v "#" ${GRUBC} | grep -c "hiddenmenu") -lt 1 ]; then
        sed -i "s/\(default.*$\)/hiddenmenu\n\1/" ${GRUBC}
   fi
#######################################
# Create IPS rules
   if [ -x /hw/sbin/hwruleupdate ]; then
        /hw/sbin/hwruleupdate --snortconfig || :
   fi
#######################################
# Disable SELinux :(
   sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

#######################################
# fix logrotate to look at /hw/etc/logrotate.d for confs
# This should last because logrotate has: "%config(noreplace) /etc/logrotate.conf"
   if [ -f /etc/logrotate.conf ]; then
        sed -i 's,include /etc/logrotate.d,include /hw/etc/logrotate.d,' /etc/logrotate.conf
   fi
# END DO IF INSTALL
fi
################################################################################
# DO ON INSTALL or UPGRADE

#######################################
# Fix /etc/sysconfig/syslog if necessary
syslog_restart="no"
sys_conf="/etc/sysconfig/syslog"
if [ -f "${sys_conf}" ]; then
# Is it ok?
        if [ $(sed '/#.*/d' ${sys_conf} | grep -c "KLOGD_OPTIONS=\"-x -c 4\"") -lt 1 ] ||
           [ $(sed '/#.*/d' ${sys_conf} | grep -c "SYSLOGD_OPTIONS=\"-m 0\"") -lt 1 ]; then
# Include the hour so backups made in different hours cannot collide
                now=$(date +"%Y%m%d-%H%M%S")
                echo "Backing up ${sys_conf} to ${sys_conf}.${now}"
                cp ${sys_conf} ${sys_conf}.${now}
# Put everything back except potential wrong setting(s)
                sed 's/^[ \t]*//' ${sys_conf}.${now} | egrep -v "^KLOGD_OPTIONS|^SYSLOGD_OPTIONS" > ${sys_conf}
# Hand jam back in what we want
                echo "KLOGD_OPTIONS=\"-x -c 4\"" >> ${sys_conf}
                echo "SYSLOGD_OPTIONS=\"-m 0\"" >> ${sys_conf}
                syslog_restart="yes"
        fi
else
# We shouldnt be here (Requires: sysklogd) but just in case...
        echo "SYSLOGD_OPTIONS=\"-m 0\"" > ${sys_conf}
        echo "KLOGD_OPTIONS=\"-x -c 4\"" >> ${sys_conf}
        /bin/chmod 0600 ${sys_conf}
        syslog_restart="yes"
fi

#######################################
# Fix /etc/syslog.conf (if necessary)
syslog_conf="/etc/syslog.conf"
if [ -f "${syslog_conf}" ]; then
# Dont look at anything after "#" look for "kern.=debug  /var/log/iptables" on a line
# Also look for "local0.*  /hw/var/log/honeywall" on another line
        if [ $(sed '/#.*/d' ${syslog_conf} | grep "kern\.=debug" | grep -c "\/var\/log\/iptables") -lt 1 ] ||
           [ $(sed '/#.*/d' ${syslog_conf} | grep "local0\.\*" | grep -c "\/hw\/var\/log\/honeywall") -lt 1 ]; then
# Strip leading whitespace, backup file to be edited
                now=$(date +"%Y-%m-%d-%H-%M-%S")
                echo "Backing up ${syslog_conf} to ${syslog_conf}.${now}"
                cp ${syslog_conf} ${syslog_conf}.${now}
                /bin/chmod 0600 ${syslog_conf}.${now}
# Put everything back except wrong settings
                sed 's/^[ \t]*//' ${syslog_conf}.${now} | egrep -v "^kern\.=debug|^\*\.emerg|^local0\.\*" > ${syslog_conf}
# Hand jam back in what we want
                echo "kern.=debug                      /var/log/iptables" >> ${syslog_conf}
#echo "#*.emerg                        *" >> ${syslog_conf}
                echo "local0.*                         /hw/var/log/honeywall" >> ${syslog_conf}
                /bin/chmod 0600 ${syslog_conf}
                syslog_restart="yes"
        fi
else
# We shouldnt be here (Requires: sysklogd) but if we are...
        echo "kern.=debug                      /var/log/iptables" > ${syslog_conf}
        echo "local0.*                         /hw/var/log/honeywall" >> ${syslog_conf}
        /bin/chmod 0600 ${syslog_conf}
        syslog_restart="yes"

fi
###########################################
# Restart syslog if we messed with it in either of the two fixes above
#[ "${syslog_restart}" == "yes" ] && [ -x /etc/init.d/syslog ] && . /etc/init.d/functions && /etc/init.d/syslog restart
if [ $1 -eq 2 ];then
        [ "${syslog_restart}" = "yes" -a -x /etc/init.d/syslog ] && /etc/init.d/syslog restart || :
fi

###########################################
# Fix /etc/sudoers
# The live file is edited in place and the result is not syntax-checked
# Remove ALL ROO stuff if its there
sed -i '/ROO__/d' /etc/sudoers

# Put the current ROO stuff back in
echo "User_Alias ROO__ADMIN = apache" >> /etc/sudoers
echo "Cmnd_Alias ROO__COMMANDS = /proc/net/ip_conntrack, /etc/rc.d/init.d/hwfuncs.sub, /etc/rc.d/init.d/sshd, /etc/init.d/flush_firewall.sh, /etc/init.d/bridge.sh, /etc/init.d/rc.firewall, /etc/init.d/hw-pcap, /etc/init.d/hw-snort_inline, /etc/init.d/hflow, /etc/init.d/swatch.sh, /dlg/config/createWhiteRules.pl, /dlg/config/createBlackRules.pl, /dlg/config/createBPFFilter.pl, /dlg/config/dns2resolv.sh, /dlg/config/hw_build_ssh_config.sh, /usr/bin/tcpdstat, /usr/bin/monit, /usr/sbin/argus, /sbin/shutdown, /sbin/ifconfig, /sbin/iptables, /bin/netstat, /bin/chown, /bin/chmod, /bin/ps, /bin/mv, /bin/cp, /bin/rm, /bin/touch, /bin/cat, /bin/hostname, /etc/rc.d/init.d/hwdaemons, /usr/local/bin/hwctl, /dlg/config/purgePcap.pl, /dlg/config/purgeDB.pl, /usr/bin/du, /bin/ls, /bin/df, /bin/mount, /tmp/unpack-iso.sh, /bin/tar, /hw/sbin/hwruleupdate, /dlg/config/ChangeSSHPort.sh" >> /etc/sudoers
echo "ROO__ADMIN ALL = NOPASSWD: ROO__COMMANDS" >> /etc/sudoers

# Be sure not to requiretty (So Walleye stuff works)
sed -i 's/^Defaults[ \t]*requiretty/#Defaults requiretty/' /etc/sudoers

###########################################
# Make Lance happy by adding roo-base version to /etc/issue
if [ -f /etc/issue ]; then
        sed -i '/^roo-base.*$/d' /etc/issue
fi
echo "roo-base-%{version}-%{release}" >> /etc/issue

###########################################
# If upgrade...
if [ $1 -eq 2 ]; then
# Set a default val for any potentially newly added vars
        /usr/local/bin/hwvarcheck || :
# Restart HW services
        /etc/init.d/hwdaemons restart || :
fi

################################################################################
%preun
################################################################################
if [ $1 -eq 0 ]; then
# DO ON REMOVAL (Cleanup)
###########################################
# Stop and remove HW services
   for SERVICE in rc.firewall hwnetwork bridge.sh hwdont_run swatch.sh; do
        service ${SERVICE} stop &> /dev/null || :
        chkconfig --del ${SERVICE}
   done
###########################################
# Remove the roo user
   userdel roo &> /dev/null || :

fi
################################################################################
%postun
################################################################################

################################################################################
%clean
################################################################################
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}

################################################################################
%files
################################################################################
%defattr(-,root,root,-)
%config(noreplace) /etc/whitelist.txt
%config(noreplace) /etc/blacklist.txt
%config(noreplace) /etc/fencelist.txt
%config(noreplace) /etc/monitrc
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
/etc/pki/rpm-gpg/RPM-GPG-KEY-beta
/etc/pki/rpm-gpg/RPM-GPG-KEY.honeynet.txt
/etc/pki/rpm-gpg/RPM-GPG-KEY.dag.txt
/etc/redhat-release
/etc/argus_summary.conf
/etc/swatchrc
/etc/dialogrc
%config(noreplace) /etc/honeywall.conf
/etc/honeywall.conf.orig
/etc/rc.d/init.d/bridge.sh
/etc/rc.d/init.d/hwdaemons
/etc/rc.d/init.d/hwdaemons_old
/etc/rc.d/init.d/hwfuncs.sub
/etc/rc.d/init.d/hwnetwork
/etc/rc.d/init.d/monit.sh
/etc/rc.d/init.d/rc.firewall
/etc/rc.d/init.d/swatch.sh
/etc/rc.d/init.d/hwdont_run
%config /etc/yum.repos.d/honeynet.repo
%config /etc/yum.repos.d/honeynet-test.repo
%config /etc/yum.repos.d/os-base.repo
%config /etc/yum.repos.d/os-updates.repo
%config /etc/yum.repos.d/os-extras.repo
%config /etc/yum.repos.d/epel.repo
%config /etc/yum.repos.d/rpmforge.repo
%config /etc/yum.repos.d/media.repo

/boot/grub/splash.xpm.gz
/boot/grub/honeywall.xpm.gz

/dlg/ShowDocs.sh
/dlg/dowerundialog.sh
/dlg/checkfiles
/dlg/Status.sh
/dlg/dialogmenu.sh
/dlg/SetupHoneywall.sh
/dlg/README
/dlg/HoneyConfig.sh
/dlg/docs.tgz
/dlg/Administration-menu.sh
/dlg/HoneyAdmin.sh
/dlg/honeywall_init.sh
/dlg/admin/DirectoryInitialization.sh
/dlg/admin/AddUser.sh
/dlg/admin/SSHConfig.sh
/dlg/admin/MakeConfigs.sh
/dlg/admin/DirectoryCleanup.sh
/dlg/admin/Password.sh
/dlg/config/hw_build_ssh_config.sh
/dlg/config/ModeConfig.sh
/dlg/config/FenceList.sh
/dlg/config/purgeDB.pl
/dlg/config/BlackWhite.sh
/dlg/config/ChangeEmail.pl
/dlg/config/createWhiteRules.pl
/dlg/config/Summary.sh
/dlg/config/RoachMotel.sh
/dlg/config/purgePcap.pl
/dlg/config/README
/dlg/config/Email.pl
/dlg/config/DNSConfig.sh
/dlg/config/SebekConfig.sh
/dlg/config/ConnectionLimit.sh
/dlg/config/dns2resolv.sh
/dlg/config/createBPFFilter.pl
/dlg/config/DataManage.sh
/dlg/config/SnortinlineConfig.sh
/dlg/config/snortrules_cron.sh
/dlg/config/snortrules_config.sh
/dlg/config/ManagementOpts.sh
/dlg/config/createBlackRules.pl
/dlg/config/Upload.sh
/dlg/status/argus.sh
/dlg/status/tcpdstat.sh
/dlg/status/conntrack.sh

/hw/Makefile.hwctl
%config /hw/etc/logrotate.d/rpm
%config /hw/etc/logrotate.d/syslog
%config /hw/etc/logrotate.d/yum
%config /hw/etc/tripwire/twpol.txt
/hw/docs/CREDITS
/hw/docs/LICENSE
/hw/docs/README
/hw/docs/README.snortrules
/hw/docs/README.internals
/hw/docs/README.ssh_hwconf_import
/hw/sbin/hwruleupdate

/usr/sbin/menu
/usr/sbin/bootcustom.sh

/usr/local/bin/privmsg.pl
/usr/local/bin/showvars
/usr/local/bin/connect_count
/usr/local/bin/ircdump.p*
/usr/local/bin/summary.sh
/usr/local/bin/rpm-key-import
/usr/local/bin/lockdown-hw.sh
/usr/local/bin/traffic_summary.p*
/usr/local/bin/runtw.sh
/usr/local/bin/ipgrep
/usr/local/bin/loadvars
/usr/local/bin/hwrepoconf
/usr/local/bin/hwctl
/usr/local/bin/hwvarcheck
/usr/local/bin/dumpvars
/usr/local/bin/hwreset_tally.sh
/usr/local/bin/getstats
/usr/local/bin/get-cached-updates.sh

%dir /hw/bin
%dir /hw/conf
%dir /hw/docs
%dir /hw/lib
%dir /hw/etc
%dir /hw/tmp
%dir /hw/var/log
%dir /hw/var/run
%dir /hw/var/spool
%dir /hw/etc/tripwire
%dir /hw/etc/logrotate.d
%dir /hw/sbin

################################################################################
%changelog
################################################################################
* Thu Dec 27 2007 Earl Sammons <[email protected]>
- Split repos so hwrepoconf works again and added includepkgs and exclude statements

* Thu Nov 29 2007 Earl Sammons <[email protected]>
- RPM-GPG-KEY cleanup and disabled non honeynet repos getting ready for CentOS 5

* Sun Apr 29 2007 Earl Sammons <[email protected]>
- Added hwvarcheck to create default var val files when new vars are added
- Added dialog foo for HwBPF_DISABLE

* Thu Apr 05 2007 Earl Sammons <[email protected]>
- Added commenting out of requiretty in sudoers to fix walleye admin stuff

* Mon Mar 26 2007 Earl Sammons <[email protected]>
- Fixed sudoers mods - user roo should have been user apache
- Hard wired yum repo confs to basearch=i386 and excluded tcpdstat-uw
- Removed unused honeynet-tools repo

* Fri Mar 23 2007 Earl Sammons <[email protected]>
- Disable IPV6
- hwdaemons restart instead of hw_startHoneywall in config to defaults (reliability)

* Wed Mar 21 2007 Earl Sammons <[email protected]>
- Disabling mcstrans ip6tables restorecond

* Mon Mar 19 2007 Scott Buchan <[email protected]>
- Upping release for new build
- Fixed typo in HoneyConfig.sh

* Sun Mar 18 2007 Earl Sammons <[email protected]>
- Sudoers fix is now updatable and wont just whack existing sudoers

* Mon Mar 05 2007 Earl Sammons <[email protected]>
- Changed version to 6 to fix yum resolving of releasever so update/install
  from upstream repos will work

* Sun Feb 25 2007 Earl Sammons <[email protected]>
- Added fedora repo config files
- Upped ver

* Sun Feb 11 2007 Earl Sammons <[email protected]>
- Almost a re-write of the SPEC and the build process
- Also updated repo files for new repo locations

* Wed Nov 29 2006 Earl Sammons <[email protected]>
- Added README.internals and README.ssh_hwconf_import
  to files section
- Removed base and updates repos from files section

* Mon Nov 06 2006 Earl Sammons <[email protected]>
- Fixed and re-enabled Black White lists
- Added black_white list deps on snort-plain to hwctl

* Fri Oct 20 2006 Earl Sammons <[email protected]>
- Removed HwRULE* temp hack touch foo

* Mon Oct 16 2006 Earl Sammons <[email protected]>
- Fixed SSHD config process so firewall is auto updated
- Removed UpdateFWSSHPort.sh (No longer needed)
- Re-ordered hwdaemons start stop same as init
- Created backup hwdaemons_old just to be sure
- Added hwdont_run, disable items that might be re-enabled on update

* Thu Oct 12 2006 Earl Sammons <[email protected]>
- Remove non-working DriveInitialization.sh and DriveReInit.sh

* Tue Oct 10 2006 Earl Sammons <[email protected]>
- Fixed oinkmaster config location in hwruleupdate
- Going back to restarting everything on update (the only reliable way)
- Implemented fixes for #508 and #509

* Fri Oct 06 2006 Earl Sammons <[email protected]>
- Changed ChangeSSHPort.sh to UpdateFWSSHPort.sh

* Thu Oct 05 2006 Earl Sammons <[email protected]>
- Added /dlg/config/ChangeSSHPort.sh (#473)
- Added above to sudoers file hack

* Fri Sep 01 2006 Earl Sammons <[email protected]>
- Set TMPDIR back to /tmp in /etc/init.d/hwfuncs.sub
- Added snortrule update calls to HoneyAdmin menu
- Completed snortrule_config.sh and snortrule_cron.sh
- Added temp hack to create HwRULE/OINKCODE Vars so nothing chokes
- No longer stopping ALL Hw services in %pre then starting in %post,
   testing restarting of only rc.firewall, bridge and swatch in %post

* Wed Aug 30 2006 Earl Sammons <[email protected]>
- Added snortrules_cron.sh to dialog
- Added HwRULE_HOUR, HwRULE_DAY, and HwRULE_ENABLE to Makefile.hwctl

* Wed Aug 30 2006 Earl Sammons <[email protected]>
- changed hwrun to hwruleupdate and added to sudoers

* Sun Aug 20 2006 Earl Sammons <[email protected]>
- Added hw_build_ssh_config.sh

* Sun Aug 20 2006 Earl Sammons <[email protected]>
- #462 Changed perms on hwfuncs.sub back to 0755
- #465, #466, #467 Updated sudoers addition and check logic
- #473 Had to add file hw_build_ssh_config.sh and to sudoers

* Wed Aug 16 2006 Earl Sammons <[email protected]>
- Add ALL files to %files along with explicit permissions
- Moved fence/white/blacklist files back to /etc
- Removed silly fence/white/blacklist if then copy script
- Commented out legacy updates that convert old NAT variables
- Misc cleanup

* Tue Jul 11 2006 Earl Sammons <[email protected]>
- Split legacy repos into individual files for easier auto enable

* Wed Jul 05 2006 Earl Sammons <[email protected]>
- Added hwrun to configure IPS rules

* Sun Apr 16 2006 Earl Sammons <[email protected]>
- Added RPM keys and import script

* Sat Apr 15 2006 Earl Sammons <[email protected]>
- Added legacy repo config, disabled all repos except honeynet
- Added /hw/etc/logrotate.d + confs and fix to make logrotate look there

* Mon Dec 19 2005 Earl Sammons <[email protected]>
- Changed reference from sendmail to postfix in hwfuncs.sub

* Tue Dec 13 2005 Earl Sammons <[email protected]>
- Excluding perl-GD in all repos except ours
- We now maintain perl-GD to ensure png support

* Fri Sep 30 2005 Earl Sammons <[email protected]>
- Attempt to fix host/domain name changing in dialog

* Tue Aug 30 2005 Earl Sammons <[email protected]> 1.0.hw-378
- Fixed snort log dirs perms in lockdown so DM can read snort logs
- Moved fence/white/blacklist files to /hw to avoid overwrite on update

* Wed Aug 24 2005 Earl Sammons <[email protected]> 1.0.hw-356
- Removed cfgtool

* Mon Aug 22 2005 Earl Sammons <[email protected]> 1.0.hw-347
- Added lines to /etc/sudoers for Camilo

* Sun Aug 21 2005 Earl Sammons <[email protected]> 1.0.hw-346
- Placed cfgtool in /usr/local/bin mode 0644 to get it in cvs

* Thu Aug 18 2005 Earl Sammons <[email protected]> 1.0.hw-345
- Made hwdaemons start/stop() work like hw_start/stopHoneywall
- Added complete path to hwctl (which was newly added to hwdaemons)

* Tue Aug 09 2005 Earl Sammons <[email protected]> 1.0.hw-329
- Updated docs in /hw/docs as per Lance.  Please refer to:
- http://www.honeynet.org/tools/cdrom/roo/manual/
- for manual until further notice

* Tue Jul 26 2005 Earl Sammons <[email protected]> 1.0.hw-307
- Added if upgrade; then 'hwdaemons stop/start'
- Added /usr/local/bin/hwreset_tally.sh + cron

* Fri Jul 15 2005 Earl Sammons <[email protected]> 1.0.hw-286
- Added blank white/black/fence list files from Kostas/Dave

* Thu Jul 14 2005 Earl Sammons <[email protected]> 1.0.hw-284
- Moved chmod/chown /etc/sudoers so it will run every time to fix bad perms issue

* Wed Jul 13 2005 Earl Sammons <[email protected]> 1.0.hw-277
- Added chkconfig --add swatch.sh to %post (Fix #266)

* Wed Jul 13 2005 Earl Sammons <[email protected]> 1.0.hw-278
- Added stop/start swatch.sh if this is an upgrade
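
The %post scriptlet above rewrites the live /etc/sudoers with `sed -i` and `echo >>`, so a malformed or unexpected line takes effect with no syntax check. An added example (not part of roo-base.spec or the Honeywall project) of the same ROO__ block update done on a temporary copy, validated, then moved into place; the function name, the SUDOERS_CHECK hook and the short command list in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: validated, atomic rewrite of the ROO__ sudoers block.
# The ROO__ marker, alias names and the "apache" user come from the spec;
# roo_sudoers_update and SUDOERS_CHECK are hypothetical names.

# Validator command; the candidate file path is appended as its last argument.
: "${SUDOERS_CHECK:=visudo -cf}"

# roo_sudoers_update FILE COMMANDS
#   FILE      sudoers file to update (normally /etc/sudoers)
#   COMMANDS  comma-separated absolute paths for Cmnd_Alias ROO__COMMANDS
# Returns 0 on success (changed or already current), 1 on rejected input,
# 2 when the validator refuses the candidate. FILE is untouched on failure.
# The body runs in a subshell, so variables and the trap stay local.
roo_sudoers_update() (
    file=$1
    cmds=$2
    [ -f "$file" ] || exit 1

    # Accept only path characters, commas, spaces and dashes, so the list
    # cannot carry a newline or extra sudoers syntax into the file.
    case $cmds in
        ''|*[!A-Za-z0-9_./,\ -]*) exit 1 ;;
    esac
    # Every comma-separated entry must be an absolute path.
    if printf '%s\n' "$cmds" | tr ',' '\n' | sed 's/^ //' | grep -qv '^/'; then
        exit 1
    fi

    # Work on a copy in the same directory so the final mv is a rename.
    tmp=$(mktemp "${file}.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT

    # Same removal rule as the spec: drop every line carrying the marker.
    sed '/ROO__/d' "$file" > "$tmp"
    {
        echo "User_Alias ROO__ADMIN = apache"
        echo "Cmnd_Alias ROO__COMMANDS = $cmds"
        echo "ROO__ADMIN ALL = NOPASSWD: ROO__COMMANDS"
    } >> "$tmp"

    # Nothing to do if the live file already has exactly this content.
    if cmp -s "$file" "$tmp"; then
        exit 0
    fi

    # Validate the candidate before it can affect sudo.
    $SUDOERS_CHECK "$tmp" >/dev/null 2>&1 || exit 2

    chmod 0440 "$tmp"
    mv -f "$tmp" "$file"
)

# Usage inside a scriptlet (abbreviated command list, for illustration only):
#   roo_sudoers_update /etc/sudoers \
#       "/etc/init.d/rc.firewall, /usr/local/bin/hwctl, /hw/sbin/hwruleupdate" || :
```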