410 lines
14 KiB
Bash
410 lines
14 KiB
Bash
#!/bin/sh
|
|
#
|
|
# $FreeBSD$
|
|
#
|
|
|
|
# This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the
|
|
# maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up
|
|
# at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16
|
|
# I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD
|
|
# developers from whose OS I stole a few tricks as well.
|
|
|
|
# Set up some paths and variables for later use
|
|
PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin
|
|
pkgname=$1
|
|
rootpwd=''
|
|
confdir="${PKG_PREFIX:-%%PREFIX%%}/etc"
|
|
portdir="${CURDIR:-%%CURDIR%%}"
|
|
scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts"
|
|
if [ -x /usr/sbin/nologin ]; then
|
|
nologin=/usr/sbin/nologin
|
|
else
|
|
nologin=/sbin/nologin
|
|
fi
|
|
# Source rc.conf for later
|
|
if [ -z "${source_rc_confs_defined}" ]; then
|
|
if [ -r /etc/defaults/rc.conf ]; then
|
|
. /etc/defaults/rc.conf
|
|
source_rc_confs
|
|
elif [ -r /etc/rc.conf ]; then
|
|
. /etc/rc.conf
|
|
fi
|
|
fi
|
|
sguil_user="sguil"
|
|
sguil_group="sguil"
|
|
case $2 in
|
|
PRE-INSTALL)
|
|
echo "This sguild install script creates a \"turnkey\" install "
|
|
echo "of sguild, including configuing the database and conf files"
|
|
echo "and user accounts so that sguild can be started immediately."
|
|
echo ""
|
|
echo "You may have already done all this (especially if this is an upgrade)"
|
|
echo "and may not be interested in iterating through cert creation and"
|
|
echo "everything else that the script does."
|
|
echo ""
|
|
echo "This portion of the script creates user and group accounts named \"sguil\"."
|
|
echo "Would you like to opt out of this portion of the install script " ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
exit 0
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo "==> Pre-installation configuration of ${pkgname}"
|
|
if ! pw groupshow ${sguil_group} -q >/dev/null ; then
|
|
if ! pw groupadd ${sguil_group} -q; then
|
|
echo "Failed to create group \"${sguil_group}\"!" >&2
|
|
echo "Please create it manually." >&2
|
|
exit 1
|
|
else
|
|
echo "Group '%{sguil-group}' created successfully."
|
|
pw groupshow ${sguil_group}
|
|
fi
|
|
fi
|
|
if ! pw usershow ${sguil_user} -q >/dev/null ; then
|
|
if ! pw useradd -q -n ${sguil_user} \
|
|
-g ${sguil_group} -s "${nologin}" \
|
|
-h - ; then
|
|
echo "Failed to create user '%{sguil_user}'!" >&2
|
|
echo "Please create it manually." >&2
|
|
exit 1
|
|
else
|
|
echo "User '${sguil_user}' create successfully."
|
|
pw usershow ${sguil_user}
|
|
fi
|
|
fi
|
|
for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do
|
|
if [ ! -d ${dir} ]; then
|
|
echo "Creating ${dir} ...."
|
|
install -d -o ${sguil_user} -g ${sguil_group} \
|
|
-m 0750 ${dir}
|
|
fi
|
|
done
|
|
;;
|
|
POST-INSTALL)
|
|
echo "This sguild install script creates a \"turnkey\" install "
|
|
echo "of sguild, including configuing the database and conf files"
|
|
echo "and user accounts so that sguild can be started immediately."
|
|
echo ""
|
|
echo "You may have already done all this (especially if this is an upgrade)"
|
|
echo "and may not be interested in iterating through cert creation and"
|
|
echo "everything else that the script does."
|
|
echo ""
|
|
echo "Would you like to opt out of the entire install script "
|
|
echo "and configure sguild manually yourself?" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
exit 0
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mThere are a few things that need to be done to complete the install."
|
|
echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and "
|
|
echo "sensors will work, you need to create the database, the account to access it and "
|
|
echo "the tables for the database and you need to create the directories where all the "
|
|
echo "data will be stored. (You will also need to edit the conf files for your setup.)"
|
|
echo ""
|
|
echo "If you haven't already done this, I can do it for you now."
|
|
echo "Would you like to create certs now? (y for yes, n for no)"; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
for dir in %%SGUILDIR%%/certs ; do
|
|
if [ ! -d ${confdir}/${dir} ]; then
|
|
echo "Creating ${confdir}/${dir} ...."
|
|
install -d -o ${sguil_user} -g ${sguil_group} \
|
|
-m 0750 ${confdir}/${dir}
|
|
fi
|
|
done
|
|
echo -e "\033[1mFirst we need to create a password-protected CA cert."
|
|
echo ""
|
|
echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)"
|
|
openssl req -out CA.pem -new -x509
|
|
echo "Now we need to create a server certificate/key pair."
|
|
openssl genrsa -out sguild.key 1024
|
|
echo -e "\033[1mNow we need to create a certificate request to be signed by the CA."
|
|
echo "DO NOT password protect your server key. If you do, you will be required"
|
|
echo "to enter the password every time you start the server."
|
|
echo -e "\033[0m"
|
|
openssl req -key sguild.key -new -out sguild.req
|
|
echo "Now we need to create the actual certificate for your server."
|
|
echo 44 > file.sr1
|
|
openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
|
|
echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory "
|
|
echo "and clean up the port directory as well."
|
|
for files in sguild.key sguild.pem; do
|
|
mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/
|
|
done
|
|
for files in CA.pem privkey.pem sguild.req file.sr1; do
|
|
rm ${portdir}/$files
|
|
done
|
|
;;
|
|
n*|N*)
|
|
echo -e "\033[1mSSL is now required for all connections between server, sensors and clients."
|
|
echo "If you haven't already created certs, you will need to do that before sguil will work."
|
|
echo -e "\033[0m"
|
|
echo ""
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mIs the installation of mysql brand new and unaltered?"
|
|
echo -e "\033[0mBy default, when mysql is installed, it creates five accounts."
|
|
echo "None of those accounts are protected by passwords. That needs to be corrected."
|
|
echo "The five accounts are:"
|
|
echo " root@localhost"
|
|
echo " root@127.0.0.1"
|
|
echo " root@`hostname`"
|
|
echo " @localhost"
|
|
echo " @`hostname`"
|
|
echo "I can remove all of the accounts except root@localhost (highly recommended) "
|
|
echo "and I can set the password for the root@localhost account. (If you get an error "
|
|
echo "don't worry about it. The account may not have been created to begin with."
|
|
echo "Would you like me to do that now?" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
echo "Enabling mysql in /etc/rc.conf and starting the server....."
|
|
case ${mysql_enable} in
|
|
[Yy][Ee][Ss])
|
|
echo -e "\033[1mIt appears that mysql is already enabled!"
|
|
echo -e "\033[0m"
|
|
;;
|
|
*)
|
|
echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
|
|
echo "mysql_enable=\"YES\"" >> /etc/rc.conf
|
|
;;
|
|
esac
|
|
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
|
|
echo "The mysql pid is ${mysql_pid}...."
|
|
if [ -z ${mysql_pid} ]; then
|
|
%%PREFIX%%/etc/rc.d/mysql-server start
|
|
fi
|
|
sleep 1
|
|
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
|
|
if [ -s ${mysql_pid} ]; then
|
|
echo "The mysql server did not start. Please fix the problem "
|
|
echo "and run this script again."
|
|
exit 64
|
|
fi
|
|
echo "Deleting users from mysql......"
|
|
mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';"
|
|
mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';"
|
|
mysql -u root -e "USE mysql; DROP USER ''@'localhost';"
|
|
mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';"
|
|
echo "All done deleting......."
|
|
echo "What would you like root@localhost's password to be?" ; read rootpwd
|
|
mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');"
|
|
mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;"
|
|
;;
|
|
n*|N*)
|
|
echo "Before you use the database, you should at least set passwords"
|
|
echo "for all the accounts. Otherwise anyone can login to your database."
|
|
echo "To remove an account, use \"drop user 'user'@'host'\"."
|
|
echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"."
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?"
|
|
echo -e "\033[0m" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
if [ ! -f /etc/my.cnf ]; then
|
|
echo "[mysqld]" >> /etc/my.cnf
|
|
echo "bind-address=127.0.0.1" >> /etc/my.cnf
|
|
echo "socket=/tmp/mysql.sock" >> /etc/my.cnf
|
|
echo "ft_min_word_len=3" >> /etc/my.cnf
|
|
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
|
|
echo "The mysql pid is ${mysql_pid}...."
|
|
if [ -z ${mysql_pid} ]; then
|
|
%%PREFIX%%/etc/rc.d/mysql-server start
|
|
else
|
|
%%PREFIX%%/etc/rc.d/mysql-server restart
|
|
fi
|
|
else
|
|
echo "/etc/my.cnf already exists!"
|
|
echo "add \"bind-address=127.0.0.1\" in the [mysqld] section "
|
|
echo "to force mysql to listen only on localhost."
|
|
echo "Then restart the server to accept the new settings."
|
|
fi
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to create the database to store all nsm data?"
|
|
echo -e "\033[0m" ; read ans
|
|
echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade."
|
|
case "$ans" in
|
|
y*|Y*)
|
|
if [ -z ${rootpwd} ]; then
|
|
echo "What is the password for the mysql root user?"; read rootpwd
|
|
fi
|
|
mysql -u root -p${rootpwd} -e "create database sguildb"
|
|
mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql
|
|
;;
|
|
n*|N*)
|
|
echo -e "\033[1mPlease note: if you are upgrading from a previous version "
|
|
echo "of sguil, you need to run the upgrade_0.7.tcl script located in "
|
|
echo "'${scriptdir}'."
|
|
echo -e "\033[0mIf you've already cleaned the port directory, run "
|
|
echo "make extract to recover the files and access the script."
|
|
echo ""
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?"
|
|
echo -e "\033[0m" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
if [ -z ${rootpwd} ]; then
|
|
echo "Please enter the password for the mysql root account." ; read rootpwd
|
|
fi
|
|
echo -e "\033[1mPlease enter the password that you want to use for the sguild account."
|
|
echo -e "\033[0m"; read sguildpwd
|
|
echo "Creating account for sguild with access to sguildb....."
|
|
mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \
|
|
to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'"
|
|
mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'"
|
|
mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES"
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to create the data directory and all its subdirectories?"
|
|
echo -e "\033[0m"; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
echo "What do you want the name of the main directory to be?"
|
|
echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir
|
|
echo "The main directory will be named '${maindir}'."
|
|
for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do
|
|
if [ ! -d ${dir} ]; then
|
|
echo "Creating ${dir} ...."
|
|
install -d -o ${sguil_user} -g ${sguil_group} \
|
|
-m 0750 ${dir}
|
|
else
|
|
echo -e "\033[1mThe directory '${dir}' already exists!"
|
|
echo -e "\033[0m"
|
|
fi
|
|
done
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?"
|
|
echo -e "\033[0m"; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
case ${sguild_enable} in
|
|
[Yy][Ee][Ss])
|
|
echo -e "\033[1mIt appears that sguild is already enabled!"
|
|
echo -e "\033[0m"
|
|
;;
|
|
*)
|
|
echo -e i"\033[1mWriting to /etc/rc.conf...."
|
|
echo -e "\033[0m"
|
|
echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
|
|
echo "sguild_enable=\"YES\"" >> /etc/rc.conf
|
|
;;
|
|
esac
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now."
|
|
echo -e "\033[0m"
|
|
if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then
|
|
echo "The sguild.conf file already exists!"
|
|
echo "Do you want me to edit it anyway?" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
echo -e "\033[1mPreparing to edit the sguild.conf file......"
|
|
if [ -z ${maindir} ]; then
|
|
echo "There's a couple of things I need to verify before continuing."
|
|
echo "What is the name of the main nsm directory that you are using?"
|
|
echo -e "\033[0m" ; read ans
|
|
maindir="$ans"
|
|
fi
|
|
if [ -z ${sguildpwd} ]; then
|
|
echo -e "\033[1mWhat is the password for the sguild database user?"
|
|
echo -e "\033[0m" ; read ans
|
|
sguildpwd="$ans"
|
|
fi
|
|
sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
|
|
-e 's|sguild_data|'"${maindir}"'|' \
|
|
< ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
else
|
|
echo -e "\033[1mPreparing to edit the sguild.conf file......"
|
|
if [ -z ${maindir} ]; then
|
|
echo "There's a couple of things I need to verify before continuing."
|
|
echo "What is the name of the main nsm directory that you are using?"
|
|
echo -e "\033[0m" ; read ans
|
|
maindir="$ans"
|
|
fi
|
|
if [ -z ${sguildpwd} ]; then
|
|
echo -e "\033[1mWhat is the password for the sguild database user?"
|
|
echo -e "\033[0m" ; read ans
|
|
sguildpwd="$ans"
|
|
fi
|
|
sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
|
|
-e 's|sguild_data|'"${maindir}"'|' \
|
|
< ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
|
|
fi
|
|
if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then
|
|
cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users
|
|
fi
|
|
if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then
|
|
cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access
|
|
fi
|
|
echo -e "\033[1mYou still need to review all the conf files and configure sguil "
|
|
echo "per your desired setup before starting sguild. Refer to the port docs in "
|
|
echo "%%DOCSDIR%% before proceeding."
|
|
echo -e "\033[0m"
|
|
echo "Right now, all the conf files except sguild.conf are set to the defaults."
|
|
for files in archive_sguildb.tcl sguild incident_report.tcl ; do
|
|
if [ -f %%PREFIX%%/bin/${files} ]; then
|
|
chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files}
|
|
fi
|
|
done
|
|
chown -R ${sguil_user}:${sguil_group} %%PREFIX%%/etc/%%SGUILDIR%%
|
|
chown -R ${sguil_user}:${sguil_group} %%PREFIX%%/lib/%%SGUILDIR%%
|
|
if [ ! -f %%PREFIX%%/bin/sguild ]; then
|
|
echo "Sguild is missing! Please correct the problem before continuing!"
|
|
exit 1
|
|
fi
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
exit 0
|