From 17b010001677e49464b7e0525532b05994a57f5f969fa27d8574cac7867caa98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 13 Jan 2025 12:29:56 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main arpwatch revision 450750ad69a798560f02c581780dc3c6
---
.gitattributes | 23 ++
0001-Ignore-802.1Q-frames.patch | 48 +++
arp2ethers.patch | 62 ++++
arpwatch-2.1a11-chrootbuild.diff | 20 ++
arpwatch-2.1a11-drop-privs-manpage.dif | 24 ++
arpwatch-2.1a11-drop-privs.dif | 206 +++++++++++++
arpwatch-3.4-include-time.patch | 14 +
arpwatch-3.6.tar.gz | 3 +
arpwatch-exit.patch | 13 +
arpwatch-gcc14.patch | 13 +
arpwatch-no-source-zero.dif | 19 ++
arpwatch.ETHERCODES.patch | 23 ++
arpwatch.changes | 409 +++++++++++++++++++++++++
arpwatch.service | 31 ++
arpwatch.spec | 135 ++++++++
arpwatch@.service | 32 ++
report-iface.patch | 55 ++++
sysconfig.arpwatch | 10 +
18 files changed, 1140 insertions(+)
create mode 100644 .gitattributes
create mode 100644 0001-Ignore-802.1Q-frames.patch
create mode 100644 arp2ethers.patch
create mode 100644 arpwatch-2.1a11-chrootbuild.diff
create mode 100644 arpwatch-2.1a11-drop-privs-manpage.dif
create mode 100644 arpwatch-2.1a11-drop-privs.dif
create mode 100644 arpwatch-3.4-include-time.patch
create mode 100644 arpwatch-3.6.tar.gz
create mode 100644 arpwatch-exit.patch
create mode 100644 arpwatch-gcc14.patch
create mode 100644 arpwatch-no-source-zero.dif
create mode 100644 arpwatch.ETHERCODES.patch
create mode 100644 arpwatch.changes
create mode 100644 arpwatch.service
create mode 100644 arpwatch.spec
create mode 100644 arpwatch@.service
create mode 100644 report-iface.patch
create mode 100644 sysconfig.arpwatch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-Ignore-802.1Q-frames.patch b/0001-Ignore-802.1Q-frames.patch
new file mode 100644
index 0000000..bba3649
--- /dev/null
+++ b/0001-Ignore-802.1Q-frames.patch
@@ -0,0 +1,48 @@
+From 5d852d6f81d4022d500ccfea3e9b84a1d3b07dd0 Mon Sep 17 00:00:00 2001
+From: Rob Leslie
+Date: Sun, 10 Jun 2012 12:35:02 -0700
+Subject: [PATCH] Ignore 802.1Q frames
+
+Due to the way Linux packet filtering works, the pcap library will
+return ARP/RARP packets belonging to other VLANs when listening on the
+corresponding physical interface. This confuses arpwatch as it is not
+expecting such packets; the symptom is many "... sent bad hardware
+format ..." syslog messages.
+
+Since VLAN packets can be accessed via another interface and a separate
+arpwatch instance could be run there (if desired), we simply ignore all
+802.1Q frames.
+---
+ arpwatch.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+Index: arpwatch-3.1/arpwatch.c
+===================================================================
+--- arpwatch-3.1.orig/arpwatch.c
++++ arpwatch-3.1/arpwatch.c
+@@ -109,6 +109,10 @@ struct rtentry;
+ #define ETHERTYPE_APOLLO 0x8019
+ #endif
+
++#ifndef ETHERTYPE_VLAN
++#define ETHERTYPE_VLAN 0x8100
++#endif
++
+ #ifndef IN_CLASSD_NET
+ #define IN_CLASSD_NET 0xf0000000
+ #endif
+@@ -619,6 +623,14 @@ sanity_ether(struct ether_header *eh, st
+ return(0);
+ }
+
++ /* ignore 802.1Q (VLAN) frames */
++ if (eh->ether_type == ETHERTYPE_VLAN) {
++ if (debug)
++ syslog(LOG_INFO, "ignoring 802.1Q frame from %s\n",
++ e2str(shost));
++ return(0);
++ }
++
+ /* XXX sysv r4 seems to use hardware format 6 */
+ if (ea->arp_hrd != ARPHRD_ETHER && ea->arp_hrd != 6) {
+ lg(LOG_ERR, "%s sent bad hardware format 0x%x\n",
diff --git a/arp2ethers.patch b/arp2ethers.patch
new file mode 100644
index 0000000..1dad264
--- /dev/null
+++ b/arp2ethers.patch
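Review bot: In the sanity_ether() hunk of 0001-Ignore-802.1Q-frames.patch, `eh->ether_type == ETHERTYPE_VLAN` compares the header field with a host-order constant, which is only correct if the field was already passed through `ntohs()` earlier in the function; that part of sanity_ether() is outside the hunk, so this should be confirmed. The frame is dropped without any trace unless `debug` is set, so ARP traffic in tagged VLANs seen on a trunk interface goes unmonitored; the comment should state that consequence, e.g. `/* ignore 802.1Q (VLAN) frames; each VLAN needs its own arpwatch instance on the VLAN interface */`. The neighbouring branch reports through `lg()` while the added one calls `syslog()` directly; `lg(LOG_INFO, "ignoring 802.1Q frame from %s\n", e2str(shost));` would keep the function consistent.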
@@ -0,0 +1,62 @@
+Index: arpwatch-3.1/arp2ethers
+===================================================================
+--- arpwatch-3.1.orig/arp2ethers
++++ arpwatch-3.1/arp2ethers
+@@ -13,11 +13,50 @@
+ # - sort
+ #
+
+-sort +2rn arp.dat |
++sort -k 2 -rn arp.dat | \
+ awk 'NF == 4 { print }' |
+- awk -f p.awk |
+- egrep -v '\.[0-9][0-9]*$' |
+- sed -e 's/ .* / /' |
+- awk -f d.awk |
+- awk -f e.awk |
+- sort
++ awk '
++{
++ e = $1
++ if (seen[e])
++ next
++ seen[e] = 1
++ print
++}' | egrep -v '\.[0-9][0-9]*$' | \
++ sed -e 's/ .* / /' | \
++ awk '
++BEGIN {
++ n = 0
++ sdecnet = "aa:0:4:"
++ ldecnet = length(sdecnet)
++}
++
++{
++ ++n
++ e[n] = $1
++ h[n] = $2
++ if (sdecnet == substr($1, 1, ldecnet))
++ decnet[$2] = 1
++}
++
++END {
++ for (i = 1; i <= n; ++i) {
++ if (decnet[h[i]] && sdecnet != substr(e[i], 1, ldecnet))
++ h[i] = h[i] "-ip"
++ print e[i] "\t" h[i]
++ }
++}' | awk '
++{
++ if (!seen[$2]) {
++ seen[$2] = 1
++ print
++ next
++ }
++ h = $2 "-old"
++ s = h
++ for (n = 1; seen[h]; ++n)
++ h = s n
++ seen[h] = 1
++ print $1 "\t" h
++ next
++}' | sort
diff --git a/arpwatch-2.1a11-chrootbuild.diff b/arpwatch-2.1a11-chrootbuild.diff
new file mode 100644
index 0000000..56f9b71
--- /dev/null
+++ b/arpwatch-2.1a11-chrootbuild.diff
@@ -0,0 +1,20 @@
+Index: arpwatch-3.1/Makefile.in
+===================================================================
+--- arpwatch-3.1.orig/Makefile.in
++++ arpwatch-3.1/Makefile.in
+@@ -127,11 +127,14 @@ version.c: $(srcdir)/VERSION
+ install: $(ALL)
+ $(INSTALL) -v -m 555 $(PROG) $(DESTDIR)$(BINDEST)
+ $(INSTALL) -v -m 555 arpsnmp $(DESTDIR)$(BINDEST)
++ $(INSTALL) -d -m 755 $(DESTDIR)/var/lib/arpwatch
++ $(INSTALL) -d -m 755 $(DESTDIR)/usr/share/arpwatch
++ #$(INSTALL) -m 444 ethercodes.dat $(DESTDIR)/usr/share/arpwatch
+ @diff $(srcdir)/$(PROG).8 $(DESTDIR)$(MANDEST)/man8 >/dev/null 2>&1 || \
+ $(INSTALL) -v -m 444 $(srcdir)/$(PROG).8 $(DESTDIR)$(MANDEST)/man8
+ @diff $(srcdir)/arpsnmp.8 $(DESTDIR)$(MANDEST)/man8 >/dev/null 2>&1 || \
+ $(INSTALL) -v -m 444 $(srcdir)/arpsnmp.8 $(DESTDIR)$(MANDEST)/man8
+-@HAVE_FREEBSD_TRUE@ @$(INSTALL) -v -m 555 arpwatch.sh $(DESTDIR)$(prefix)/etc/rc.d/arpwatch
++#@HAVE_FREEBSD_TRUE@ @$(INSTALL) -v -m 555 arpwatch.sh $(DESTDIR)$(prefix)/etc/rc.d/arpwatch
+
+ clean:
+ rm -f $(CLEANFILES)
diff --git a/arpwatch-2.1a11-drop-privs-manpage.dif b/arpwatch-2.1a11-drop-privs-manpage.dif
new file mode 100644
index 0000000..95c131b
--- /dev/null
+++ b/arpwatch-2.1a11-drop-privs-manpage.dif
@@ -0,0 +1,24 @@
+Index: arpwatch-3.1/arpwatch.8.in
+===================================================================
+--- arpwatch-3.1.orig/arpwatch.8.in
++++ arpwatch-3.1/arpwatch.8.in
+@@ -43,6 +43,7 @@
+ .Op Fl n Ar net[/width]
+ .Op Fl x Ar net[/width]
+ .Op Fl r Ar file
++.Op Fl u Ar username
+ .Sh DESCRIPTION
+ .Nm
+ keeps track of ethernet/ip address pairings. It syslogs activity
+@@ -161,6 +162,11 @@ flag@MANZFLAG@ uses zero padded ethernet
+ .Ar arp.dat ,
+ e.g. 00:08:e1:01:02:d6.
+ .Pp
++The
++.Fl u
++flag allows to drop root privileges and change to the user ID
++and group ID to that of the primary group of username.
++.Pp
+ .Sh "REPORT MESSAGES"
+ Here's a quick list of the report messages generated by
+ .Xr arpwatch 1
diff --git a/arpwatch-2.1a11-drop-privs.dif b/arpwatch-2.1a11-drop-privs.dif
new file mode 100644
index 0000000..56fb2f4
--- /dev/null
+++ b/arpwatch-2.1a11-drop-privs.dif
@@ -0,0 +1,206 @@
+Index: arpwatch-3.1/arpwatch.c
+===================================================================
+--- arpwatch-3.1.orig/arpwatch.c
++++ arpwatch-3.1/arpwatch.c
+@@ -71,6 +71,8 @@ struct rtentry;
+ #include
+ #include
+ #include
++#include
++#include
+
+ #include
+
+@@ -170,6 +172,66 @@ int sanity_fddi(struct fddi_header *, st
+ int toskip(u_int32_t);
+ void usage(void) __attribute__((noreturn));
+
++void dropprivileges(const char* user)
++{
++ struct passwd* pw;
++ pw = getpwnam( user );
++ if ( pw ) {
++ char *arpfiledir;
++ char *lastslash;
++
++ arpfiledir = malloc(strlen(arpfile)+1);
++ if(arpfiledir == NULL) {
++ syslog(LOG_ERR, "Fatal: malloc().");
++ exit(1);
++ }
++ strcpy(arpfiledir, arpfile);
++ lastslash = strrchr(arpfiledir, '/');
++ if(lastslash == NULL) {
++ syslog(LOG_ERR, "Fatal: cannot determine directory of %s", arpfile);
++ exit(1);
++ }
++ lastslash[0]='\0';
++
++ if (!safe_base_path(arpfiledir)) {
++ syslog(LOG_ERR, "Fatal: directory structure %s not safe, can't operate here. Please make root owner of underlying directories and remove write access for other", arpfiledir);
++ exit(1);
++ }
++
++ // ensure we have a safe place to operate
++ if (lchown( arpfiledir, 0, 0) != 0 ) {
++ syslog(LOG_ERR, "Fatal: could not chown %s to root).", arpfiledir);
++ exit(1);
++ }
++ // change permissions of the file if it exists
++ if (!access(arpfile, F_OK) && lchown ( arpfile, pw->pw_uid, -1) != 0) {
++ syslog(LOG_ERR, "Fatal: could not chown %s to %d).", arpfile, pw->pw_uid);
++ exit(1);
++ }
++ /* files arp.dat.eth0- and arp.dat.eth0.new that are created
++ as backup/lastversion and for temporary storage are
++ deleted before created again, therefor the users needs
++ to control this directory . */
++ if ( lchown ( arpfiledir, pw->pw_uid, -1) != 0 ) {
++ syslog(LOG_ERR, "Fatal: could not chown %s to %d).",
++ arpfiledir, pw->pw_uid);
++ exit(1);
++ }
++ free(arpfiledir);
++ if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
++ setuid(pw->pw_uid) != 0 ) {
++ syslog(LOG_ERR, "Fatal: Couldn't change to user/group '%.32s' uid=%d gid=%d", user,
++ pw->pw_uid, pw->pw_gid);
++ exit(1);
++ }
++ }
++ else {
++ syslog(LOG_ERR, "No such user: '%.32s'", user);
++ exit(1);
++ }
++ syslog(LOG_DEBUG, "arpwatch running as uid=%d gid=%d", getuid(), getgid());
++}
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -181,6 +243,7 @@ main(int argc, char **argv)
+ char *interface, *rfilename;
+ struct bpf_program code;
+ char errbuf[PCAP_ERRBUF_SIZE];
++ char *serveruser = NULL;
+
+ if (argv[0] == NULL)
+ prog = "arpwatch";
+@@ -198,7 +261,7 @@ main(int argc, char **argv)
+ interface = NULL;
+ rfilename = NULL;
+ pd = NULL;
+- while ((op = getopt(argc, argv, "CdD:Ff:i:n:NpP:qr:svw:W:x:zZ")) != EOF)
++ while ((op = getopt(argc, argv, "CdD:Ff:i:n:NpP:qr:svw:W:x:zZu:")) != EOF)
+ switch (op) {
+
+ case 'C':
+@@ -283,6 +346,16 @@ main(int argc, char **argv)
+ zeropad = 1;
+ break;
+
++ case 'u':
++ if ( optarg ) {
++ serveruser = strdup(optarg);
++ }
++ else {
++ fprintf(stderr, "%s: Need username after -u\n", prog);
++ usage();
++ }
++ break;
++
+ default:
+ usage();
+ }
+@@ -383,8 +456,9 @@ main(int argc, char **argv)
+ * Revert to non-privileged user after opening sockets
+ * (not needed on most systems).
+ */
+- setgid(getgid());
+- setuid(getuid());
++ if ( serveruser ) {
++ dropprivileges( serveruser );
++ }
+
+ /* Must be ethernet or fddi */
+ linktype = pcap_datalink(pd);
+@@ -933,6 +1007,6 @@ usage(void)
+ "usage: %s [-CdFNpqsvzZ] [-D arpdir] [-f datafile]"
+ " [-i interface]\n\t"
+ " [-P pidfile] [-w watcher@email] [-W watchee@email]\n\t"
+- " [-n net[/width]] [-x net[/width]] [-r file]\n", prog);
++ " [-n net[/width]] [-x net[/width]] [-r file] [-u username]\n", prog);
+ exit(1);
+ }
+Index: arpwatch-3.1/util.c
+===================================================================
+--- arpwatch-3.1.orig/util.c
++++ arpwatch-3.1/util.c
+@@ -36,6 +36,7 @@ static const char rcsid[] =
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -212,3 +213,47 @@ savestr(const char *str)
+ strsize -= i;
+ return (cp);
+ }
++
++int safe_base_path(char *arpfiledir) {
++ // check directories below arpfiledir for safe ownwership/permissions
++ char *path_component;
++ char *lastslash = NULL;
++ int safe_path = 1;
++
++ if (!arpfiledir) {
++ syslog(LOG_ERR, "Fatal: safe_base_path invalid invocation.");
++ exit(1);
++ }
++
++ path_component = malloc(strlen(arpfiledir)+1);
++ if(path_component == NULL) {
++ syslog(LOG_ERR, "Fatal: malloc().");
++ exit(1);
++ }
++ strcpy(path_component, arpfiledir);
++
++ while ((lastslash = strrchr(path_component, '/'))) {
++ struct stat stats;
++
++ lastslash[0]='\0';
++ if ( lstat(path_component, &stats) ) {
++ /* on the last iteration the string will be empty and this fails,
++ which is okay, if / is unsafe all is lost anyway and we can
++ skip the check. Otherwise fail safe if lstat doesn't work */
++ if (strlen(path_component))
++ safe_path = 0;
++ } else {
++ if ( stats.st_uid != 0 ||
++ stats.st_gid != 0 ||
++ stats.st_mode & S_IWOTH
++ ) {
++ /* this is not a safe path to operate on with privileges because
++ it isn't owned by root:root or others can write there */
++ safe_path = 0;
++ }
++ }
++ }
++
++ free(path_component);
++ return safe_path;
++}
+Index: arpwatch-3.1/util.h
+===================================================================
+--- arpwatch-3.1.orig/util.h
++++ arpwatch-3.1/util.h
+@@ -8,6 +8,7 @@ char *intoa(u_int32_t);
+ void lg(int, const char *, ...) __attribute__ ((format (printf, 2, 3)));
+ int readdata(void);
+ char *savestr(const char *);
++int safe_base_path(char *);
+
+ extern char *arpdir;
+ extern char *arpfile;
diff --git a/arpwatch-3.4-include-time.patch b/arpwatch-3.4-include-time.patch
new file mode 100644
index 0000000..890cf46
--- /dev/null
+++ b/arpwatch-3.4-include-time.patch
@@ -0,0 +1,14 @@
+Index: arpwatch-3.4/report.c
+===================================================================
+--- arpwatch-3.4.orig/report.c
++++ arpwatch-3.4/report.c
+@@ -59,9 +59,7 @@ struct rtentry;
+ #include
+ #include
+ #include
+-#ifdef TIME_WITH_SYS_TIME
+ #include
+-#endif
+ #include
+
+ #include "gnuc.h"
diff --git a/arpwatch-3.6.tar.gz b/arpwatch-3.6.tar.gz
new file mode 100644
index 0000000..997cfc2
--- /dev/null
+++ b/arpwatch-3.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f86529fe57fdb5a2ff5413bc13c245063f99b3bf742421fd3133272175be8156
+size 117254
diff --git a/arpwatch-exit.patch b/arpwatch-exit.patch
new file mode 100644
index 0000000..bac6aa0
--- /dev/null
+++ b/arpwatch-exit.patch
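Review bot: safe_base_path() in the util.c part of arpwatch-2.1a11-drop-privs.dif checks nothing when the directory string contains no '/' and, for any relative path, only the relative components, because the loop is driven solely by `strrchr(path_component, '/')`; a relative `arpfile` such as `data/arp.dat` (constructed example) therefore reaches the `lchown()` calls in dropprivileges() with its real ancestors unchecked. Rejecting non-absolute paths right after the NULL check, e.g. `if (arpfiledir[0] != '/') return 0;`, would make the function fail safe. The ownership changes are also path-based (`access()` followed by `lchown()` on `arpfile`), so the object that was checked and the object that is changed are not guaranteed to be the same; opening the file with `O_NOFOLLOW` and applying `fstat()`/`fchown()` to the descriptor would bind the two together. In main(), the unconditional `setgid(getgid()); setuid(getuid());` is replaced by a drop that happens only when `-u` is given, so a start without `-u` keeps the effective IDs the process started with, and the `strdup(optarg)` result is used without a NULL check.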
@@ -0,0 +1,13 @@
+Index: arpwatch-3.5/arpwatch.c
+===================================================================
+--- arpwatch-3.5.orig/arpwatch.c
++++ arpwatch-3.5/arpwatch.c
+@@ -1012,7 +1012,7 @@ die(int signo)
+ {
+ lg(LOG_DEBUG, "exiting");
+ checkpoint(0);
+- exit(1);
++ exit(0);
+ }
+
+ void
diff --git a/arpwatch-gcc14.patch b/arpwatch-gcc14.patch
new file mode 100644
index 0000000..96eb05b
--- /dev/null
+++ b/arpwatch-gcc14.patch
@@ -0,0 +1,13 @@
+Index: arpwatch-3.6/dns.c
+===================================================================
+--- arpwatch-3.6.orig/dns.c
++++ arpwatch-3.6/dns.c
+@@ -78,6 +78,8 @@ typedef union {
+ } querybuf;
+ #endif
+
++extern unsigned short _getshort(unsigned char*);
++
+ int
+ gethinfo(char *hostname, char *cpu, int cpulen, char *os, int oslen)
+ {
diff --git a/arpwatch-no-source-zero.dif b/arpwatch-no-source-zero.dif
new file mode 100644
index 0000000..4e2c46f
--- /dev/null
+++ b/arpwatch-no-source-zero.dif
@@ -0,0 +1,19 @@
+--- a/arpwatch.c
++++ b/arpwatch.c
+@@ -481,6 +481,16 @@ process_ether(u_char *u, const struct pc
+ if (toskip(sia))
+ return;
+
++ /* dhcp broadcasts source from 0.0.0.0 - ignore */
++ if (sia == 0) {
++ static u_char old_sea[6];
++ if (memcmp(old_sea, sea, 6)) {
++ dosyslog(LOG_INFO, "0-source", sia, sea, sha);
++ memcpy(old_sea, sea, 6);
++ }
++ return;
++ }
++
+ /* Watch for bogons */
+ if (isbogon(sia)) {
+ if (!quiet)
diff --git a/arpwatch.ETHERCODES.patch b/arpwatch.ETHERCODES.patch
new file mode 100644
index 0000000..3ea92e4
--- /dev/null
+++ b/arpwatch.ETHERCODES.patch
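Review bot: In arpwatch-no-source-zero.dif, `static u_char old_sea[6]` in process_ether() remembers only the most recent source MAC, so the "0-source" message is suppressed only for consecutive packets from the same host; two hosts whose packets interleave are logged every time, which does not match the changelog entry "Log useless 0-source only once for each MAC". Either keep a small table of addresses already reported or word the comment to match the behaviour, e.g. `/* sender IP 0.0.0.0: log when the source MAC differs from the previous one, then ignore */`. The literal `6` in `memcmp()`/`memcpy()` would be safer written as `sizeof(old_sea)`. process_ether() begins and ends outside the hunk.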
@@ -0,0 +1,23 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -55,7 +55,7 @@ ALL = $(PROG) arpsnmp
+ CC = @CC@
+ CCOPT = @V_CCOPT@
+ INCLS = -I. @V_INCLS@
+-DEFS = @DEFS@ -DARPDIR=\"$(ARPDIR)\" -DPATH_SENDMAIL=\"$(SENDMAIL)\"
++DEFS = @DEFS@ -DARPDIR=\"$(ARPDIR)\" -DPATH_SENDMAIL=\"$(SENDMAIL)\" -DETHERCODES=\"$(ETHERCODES)\"
+
+ # Standard CFLAGS
+ CFLAGS = @CFLAGS@ @CPPFLAGS@ $(CCOPT) $(DEFS) $(INCLS)
+--- a/arpwatch.h
++++ b/arpwatch.h
+@@ -1,7 +1,9 @@
+ /* @(#) $Id: arpwatch.h 1197 2012-11-03 00:35:36Z leres $ (LBL) */
+
+ #define ARPFILE "arp.dat"
++#ifndef ETHERCODES
+ #define ETHERCODES "ethercodes.dat"
++#endif
+ #define CHECKPOINT (15*60) /* Checkpoint time in seconds */
+
+ #ifdef ETHER_HEADER_HAS_EA
diff --git a/arpwatch.changes b/arpwatch.changes
new file mode 100644
index 0000000..2ac9eb7
--- /dev/null
+++ b/arpwatch.changes
@@ -0,0 +1,409 @@ +------------------------------------------------------------------- +Thu Jul 25 15:14:28 UTC 2024 - Marcus Meissner + +- arpwatch-gcc14.patch: fixed gcc14 issue + +------------------------------------------------------------------- +Mon Jan 22 16:25:51 UTC 2024 - Andreas Stieger + +- update to 3.6: + * Fix bug that prevented checkpoint() from being called until + after receiving a new arp/rarp packet + * Remove unconditional FreeBSD configure mandir hack + +------------------------------------------------------------------- +Sat Jan 6 11:38:48 UTC 2024 - Andreas Stieger + +- update to 3.5: + * Make SIGHUP checkpoint arp.dat + * Fix bug that prevented checkpoint() from being called until + after receiving a new arp/rarp packet + +------------------------------------------------------------------- +Sun Oct 15 18:42:22 UTC 2023 - Andreas Stieger + +- update to 3.4: + * build system maintenance (upgrade to autoconf 2.71) + * add arpwatch-3.4-include-time.patch to fix build broken by it + +------------------------------------------------------------------- +Tue Dec 6 12:34:56 UTC 2022 - olaf@aepfle.de + +- Enable loading of ethercodes.dat with arpwatch.ETHERCODES.patch +- Log useless 0-source only once for each MAC + +------------------------------------------------------------------- +Wed Apr 27 11:06:26 UTC 2022 - Dominique Leuenberger + +- Update to version 3.3: + + Fix direction of memmove() in sanity_fddi(). + +------------------------------------------------------------------- +Mon Mar 21 07:52:56 UTC 2022 - Dirk Müller + +- update to 3.2: + - Change update-ethercodes to not clobber ethercodes.dat on failure. 
+ - Add a configure option to specify the path to sendmail +- use https, its 2022 after all + +------------------------------------------------------------------- +Mon Jan 10 16:16:16 UTC 2022 - olaf@aepfle.de + +- remove instance units from post scripts, they can not be reloaded + +------------------------------------------------------------------- +Fri Sep 3 13:31:51 UTC 2021 - Johannes Segitz + +- Remove accidentially checked in manpage (arpwatch.8) + +------------------------------------------------------------------- +Fri Sep 3 07:37:27 UTC 2021 - Johannes Segitz + +- Update to version 3.1 (bsc#1185939) + * Dropped + + arpwatch-2.1a11-emailaddr.dif, this is now supported upstream. + Incompatible change: Flags change from -e and -s to -w and -W + + arpwatch-2.1a11-hname-overflow.dif: included upstream + + arpwatch-2.1a11-tokenring.diff: Dropped token ring support + + arpwatch-2.1a15-massagevendor.patch: new python version + is available + + arpwatch-MAC.patch: Fix is upstream + + getnameinfo.patch + * Refreshed + + 0001-Ignore-802.1Q-frames.patch + + arp2ethers.patch + * Notable upstream changes: + + Add python 2 compatibility to massagevendor (for pfsense <= 2.4.4). + + Add -Z (zero pad) and -C (compact) flags to arpwatch and arpsnmp to allow + run time selection of zero padded or compact ethernet addresses in arp.dat. + + arpsnmp errors now go to stderr instead of syslog. + + Add arpwatch directory flag (-D) + + Added the -x flag which is like -n but excludes cidrs + +------------------------------------------------------------------- +Wed Aug 11 13:47:36 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s). 
Modified: + * arpwatch.service + * arpwatch@.service + +------------------------------------------------------------------- +Tue Jun 29 07:10:40 UTC 2021 - Johannes Segitz + +- Fixed local privilege escalation from runtime user to root + (bsc#1186240, CVE-2021-25321) +- Added service_* calls for the @.service file + +------------------------------------------------------------------- +Tue Feb 9 08:36:27 UTC 2021 - Johannes Segitz + +- Fix arp2ethers script (bsc#1181936). Added arp2ethers.patch to + inline the awk fragments. I tried hard to do this in a script + but no matter if sed, awk or perl is used something always breaks + +------------------------------------------------------------------- +Mon Feb 1 15:15:15 UTC 2021 - olaf@aepfle.de + +- exit cleanly on SIGTERM with arpwatch-exit.patch +- refresh all patches for autosetup + +------------------------------------------------------------------- +Thu Jan 28 17:17:17 UTC 2021 - olaf@aepfle.de + +- report MAC as HH:HH:HH:HH:HH:HH with arpwatch-MAC.patch +- remove unused ARPWATCH_INTERFACE= from sysconfig template +- schedule arpwatch.service after exim/postfix/sendmail +- remove arpwatch@.service from postinstall scriptlets to avoid warning + in case no instance is configured +- move service_add_post to end of script because the macro exit + the script early + +------------------------------------------------------------------- +Thu Jan 28 10:22:41 UTC 2021 - Johannes Segitz + +- Include arp2ethers script (jsc#SLE-17224) + +------------------------------------------------------------------- +Sat Oct 17 10:52:57 UTC 2020 - Hans-Peter Jansen + +- add report-iface.patch to see, where the offending change happened + +------------------------------------------------------------------- +Tue May 7 08:51:31 UTC 2019 - Stefan Seyfried + +- add 0001-Ignore-802.1Q-frames.patch to fix log spam on networks + with configured VLANs. 
(deb#625796) + +------------------------------------------------------------------- +Sat Mar 16 08:57:03 UTC 2019 - Jan Engelhardt + +- Use noun phrase in summary. + +------------------------------------------------------------------- +Thu Feb 7 12:21:45 UTC 2019 - jsegitz@suse.com + +- One %service_* call for all service files + +------------------------------------------------------------------- +Tue Feb 5 12:25:15 UTC 2019 - jsegitz@suse.com + +- added getnameinfo.patch to prevent memory leak in gethname + (bsc#1119851) +- %service_* invocations for arpwatch@.service + +------------------------------------------------------------------- +Thu Nov 23 13:44:03 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Sat Aug 12 16:09:14 UTC 2017 - tchvatal@suse.com + +- Remove initscript support. Fix the service initialization to\ + either allow single full client or user has to symlink the instance + and make sure he can run only one of them. bsc#737527 +- Make sure rcarpwatch is working +- Use install commands for installation of files +- Format with spec-cleaner +- Generate temp files using systemd + +------------------------------------------------------------------- +Fri Jun 19 14:32:19 UTC 2015 - lmuelle@suse.com + +- Deal with added two whitespaces in more recent oui.txt versions. + + arpwatch-2.1a15-massagevendor.patch + +------------------------------------------------------------------- +Fri Dec 5 13:26:33 UTC 2014 - lmuelle@suse.com + +- Removed executable permission bits from arpwatch@.service file. 
+ +------------------------------------------------------------------- +Wed May 14 14:36:51 UTC 2014 - meissner@suse.com + +- added missing %pre/%service_add_pre section + +------------------------------------------------------------------- +Tue Jan 7 10:06:22 UTC 2014 - rmilasan@suse.com + +- Rework arpwatch.service file to properly support multiple network + interfaces and arpwatch sysconfig file. (bnc#853384). + +------------------------------------------------------------------- +Thu Mar 14 11:33:23 UTC 2013 - p.drouand@gmail.com + +- Drop sysvinit support and add systemd support for opensuse > 11.4 + +------------------------------------------------------------------- +Wed Jul 18 05:56:13 CEST 2012 - draht@suse.de + +- arpwatch-2.1a11-drop-privs.dif: call initgroups() with pw->pw_gid, + not NULL, to not have groupid 0 initialized. [bnc#764521] + +------------------------------------------------------------------- +Sat Sep 17 12:17:44 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile + +------------------------------------------------------------------- +Fri Nov 27 13:33:41 UTC 2009 - mseben@novell.com + +- added ARPDIR to build section in spec file, to fix error message + in logs + +------------------------------------------------------------------- +Wed Nov 12 14:33:57 CET 2008 - draht@suse.de + +- arpwatch-2.1a11-emailaddr.dif for flexibility in sender and + recipient addresses on commandline. +- arpwatch-2.1a11-drop-privs.dif to run arpwatch as different user +- arpwatch-2.1a11-drop-privs-manpage.dif for the manpage + +------------------------------------------------------------------- +Wed Nov 12 11:22:54 CET 2008 - draht@suse.de + +- start script tuned for multiple interface support and independent + databases. 
#149003 + +------------------------------------------------------------------- +Thu Jul 26 16:52:52 CEST 2007 - prusnak@suse.cz + +- changed libpcap to libpcap-devel in BuildRequires + +------------------------------------------------------------------- +Mon May 14 22:58:55 CEST 2007 - lrupp@suse.de + +- update to 2.1a15 + + let the database files belong to the package + + build parallel + + use rpm macros for configure and make + +------------------------------------------------------------------- +Wed Jan 25 21:34:23 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Apr 18 11:56:52 CEST 2005 - meissner@suse.de + +- Use RPM_OPT_FLAGS. + +------------------------------------------------------------------- +Fri Nov 12 00:22:36 CET 2004 - lmuelle@suse.de + +- Add %insserv_prereq %fillup_prereq to prereq. +- Add missing call to %stop_on_removal (%preun), %restart_on_update, and + %insserv_cleanup (%postun). + +------------------------------------------------------------------- +Sat Nov 6 20:11:32 CET 2004 - lmuelle@suse.de + +- Split off massagevendor script and required files as we only need them at + build time to create the ethercodes.dat file from the IEEE.org meta data. + +------------------------------------------------------------------- +Sat Nov 6 15:53:57 CET 2004 - lmuelle@suse.de + +- Add files needed by massagevendor script, [#48005]. + +------------------------------------------------------------------- +Fri Jun 25 23:07:25 CEST 2004 - lmuelle@suse.de + +- Update to version 2.1a13. +- Add sysconfig file to allow additional options in the init script. +- Compress source tar ball with bzip2. +- Move IEEE OUI and Company_id file to ethercodes sub package. 
+ +------------------------------------------------------------------- +Thu Mar 25 16:45:57 CET 2004 - mmj@suse.de + +- Add postfix to # neededforbuild + +------------------------------------------------------------------- +Mon Jan 12 13:43:11 CET 2004 - adrian@suse.de + +- fix build as user + +------------------------------------------------------------------- +Mon Jan 12 09:28:57 CET 2004 - adrian@suse.de + +- add %defattr + +------------------------------------------------------------------- +Tue Jul 29 15:10:25 CEST 2003 - aj@suse.de + +- Fix for chown changes. + +------------------------------------------------------------------- +Thu Jun 12 16:32:53 CEST 2003 - mmj@suse.de + +- Forgot to comment in a line + +------------------------------------------------------------------- +Thu Jun 12 14:50:36 CEST 2003 - mmj@suse.de + +- Use BuildRoot + +------------------------------------------------------------------- +Wed Feb 26 15:30:01 CET 2003 - draht@suse.de + +- added /usr/sbin/rcarpwatch symlink (#24163) + +------------------------------------------------------------------- +Wed Sep 18 09:15:17 MEST 2002 - draht@suse.de + +- added fileutils to PreReq (#19782) + +------------------------------------------------------------------- +Tue Sep 17 17:34:28 CEST 2002 - ro@suse.de + +- removed bogus self-provides + +------------------------------------------------------------------- +Thu Aug 22 14:12:22 CEST 2002 - draht@suse.de + +- minor buffer overflow with dns query results, fixed by + arpwatch-2.1a11-hname-overflow.dif (#18149) + +------------------------------------------------------------------- +Mon Jul 8 15:41:39 MEST 2002 - draht@suse.de + +- do not source /etc/rc.config any more. 
+ +------------------------------------------------------------------- +Mon Mar 18 14:01:45 MET 2002 - draht@suse.de + +- minor correction to ethercodes.dat + +------------------------------------------------------------------- +Thu Mar 14 19:17:50 MET 2002 - draht@suse.de + +- added init script (bugzilla #12548) +- fix support for token ring interfaces. Thanks to Bjoern Jacke, + fixes bugzilla #14504. +- update of vendor table (ethercodes.dat) + +------------------------------------------------------------------- +Mon Oct 15 17:26:40 MEST 2001 - draht@suse.de + +- upgrade to version 2.1a11 + syslog(3), but do not send mail for packets from IP 0.0.0.0 + +------------------------------------------------------------------- +Wed Aug 8 15:33:50 CEST 2001 - sgf@suse.de + +- removed libpcapn from neededforbuild and added libpcap + +------------------------------------------------------------------- +Thu Jan 11 02:29:47 MET 2001 - draht@suse.de + +- New version 2.1a10 fixes tmp file race (security). + +------------------------------------------------------------------- +Tue Aug 8 20:46:11 CEST 2000 - olh@suse.de + +- add /usr/share/arpwatch to file list, ethercodes.dat was missing + +------------------------------------------------------------------- +Thu Jun 1 09:47:41 CEST 2000 - kukuk@suse.de + +- Use doc macro + +------------------------------------------------------------------- +Fri Feb 18 14:09:29 CET 2000 - dipa@suse.de + +- Changed path for manuals to /usr/share/man and /usr/lib/arpwatch + to /var/lib/arpwatch for arp.dat and /usr/share/arpwatch for + ethercodes.dat + +------------------------------------------------------------------- +Fri Sep 17 11:28:09 MEST 1999 - kettner@suse.de + +- Reinserted old # Commandline: line. + +------------------------------------------------------------------- +Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de + +- ran old prepare_spec on spec file to switch to new prepare_spec. 
+
+-------------------------------------------------------------------
+Thu Jul 22 13:10:27 MEST 1999 - msrex@suse.de
+
+- Fixed postinstall
+
+
+-------------------------------------------------------------------
+Mon Jul 12 01:48:03 MEST 1999 - ro@suse.de
+
+- libpcap is an extra package now
+
+-------------------------------------------------------------------
+Fri Jun 11 23:17:27 CEST 1999 - msrex@suse.de
+
+ - Spec file created from arpwatch-2.1a4.tar.gz by autospec
+
+-------------------------------------------------------------------
+Fri Jun 11 22:37:49 CEST 1999 - msrex@suse.de
+
+ - Spec file created from arpwatch-2.1a4.tar.gz by autospec
diff --git a/arpwatch.service b/arpwatch.service
new file mode 100644
index 0000000..3263655
--- /dev/null
+++ b/arpwatch.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Arpwatch daemon which keeps track of ethernet/ip address pairings
+After=network.target
+After=exim.service
+After=postfix.service
+After=sendmail.service
+Conflicts=arpwatch.target
+
+[Service]
+Type=forking
+Environment=ARPWATCH_ARGS=
+EnvironmentFile=-/etc/sysconfig/arpwatch
+PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+ExecStartPre=/usr/bin/touch /var/lib/arpwatch/arp.dat
+ExecStart=/usr/sbin/arpwatch $ARPWATCH_ARGS -f /var/lib/arpwatch/arp.dat
+
+[Install]
+WantedBy=multi-user.target
diff --git a/arpwatch.spec b/arpwatch.spec
new file mode 100644
index 0000000..829d59f
--- /dev/null
+++ b/arpwatch.spec
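Review bot: `ExecStartPre=/usr/bin/touch /var/lib/arpwatch/arp.dat` in arpwatch.service runs as root on every start and follows symbolic links, while dropprivileges() in arpwatch-2.1a11-drop-privs.dif chowns the containing directory to the runtime user when `-u` is used, so on a restart this privileged step operates on a path that user controls. Creating the file through the tmpfiles.d entry the spec installs (its contents are cut off here), or leaving creation to the daemon after its own path checks, would remove the root-owned write through that directory. The unit also sets no `User=`, `NoNewPrivileges=` or `CapabilityBoundingSet=`, so the process stays root unless `-u` arrives through `ARPWATCH_ARGS` from /etc/sysconfig/arpwatch; a comment above `ExecStart` saying so, e.g. `# privileges are only dropped when ARPWATCH_ARGS contains -u <user>`, would make that dependency visible.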
@@ -0,0 +1,135 @@
+#
+# spec file for package arpwatch
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: arpwatch
+Version: 3.6
+Release: 0
+Summary: Tool to keep track of Ethernet<->IP address pairings
+License: BSD-3-Clause
+Group: Productivity/Networking/Diagnostic
+URL: https://ee.lbl.gov/nrg.html
+Source: https://ee.lbl.gov/downloads/arpwatch/%{name}-%{version}.tar.gz
+Source10: arpwatch@.service
+Source11: sysconfig.arpwatch
+Source12: arpwatch.service
+Patch0: arpwatch-2.1a11-chrootbuild.diff
+Patch1: arpwatch-no-source-zero.dif
+Patch2: arpwatch.ETHERCODES.patch
+Patch5: arpwatch-2.1a11-drop-privs-manpage.dif
+Patch6: arpwatch-2.1a11-drop-privs.dif
+# PATCH-Fix-Upstream -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625796#20 -- seife+obs@b1-systems.com
+Patch10: 0001-Ignore-802.1Q-frames.patch
+Patch11: report-iface.patch
+Patch13: arpwatch-exit.patch
+Patch14: arp2ethers.patch
+Patch15: arpwatch-3.4-include-time.patch
+Patch16: arpwatch-gcc14.patch
+BuildRequires: libpcap-devel
+BuildRequires: postfix
+BuildRequires: systemd-rpm-macros
+Requires: arpwatch-ethercodes
+Requires(post): %fillup_prereq
+Requires(post): coreutils
+
+%description
+Arpwatch keeps track of
Ethernet and IP address pairings. It logs
+activity to syslog and reports certain changes via e-mail.
+
+%package ethercodes-build
+Summary: Tool to create ethercodes.dat from IEEE.org meta data
+Group: Productivity/Networking/Diagnostic
+
+%description ethercodes-build
+Tool and required files to create the ethercodes.dat file from the OUI
+and company ID data as provided by IEEE.org. This package is only
+needed if you want to build the arpwatch-ethercodes package.
+
+%prep
+%autosetup -p1
+
+%build
+%configure
+%make_build \
+ ARPDIR=%{_localstatedir}/lib/arpwatch \
+ ETHERCODES=%{_datadir}/arpwatch/ethercodes.dat \
+ %{nil}
+
+%install
+mkdir -p \
+ %{buildroot}/%{_tmpfilesdir} \
+ %{buildroot}/%{_sbindir} \
+ %{buildroot}/%{_datadir}/arpwatch \
+ %{buildroot}/%{_mandir}/man8 \
+ %{buildroot}%{_fillupdir}
+%make_install
+# ethercodes.dat is in the arpwatch-ethercodes package
+rm -f %{buildroot}/%{_datadir}/arpwatch/ethercodes.dat
+for file in euppertolower.awk duplicates.awk p.awk; do
+ cp -p ${file} %{buildroot}/%{_datadir}/arpwatch
+done
+install -Dm 0644 %{SOURCE10} %{buildroot}/%{_unitdir}/arpwatch@.service
+install -Dm 0644 %{SOURCE12} %{buildroot}/%{_unitdir}/arpwatch.service
+ln -s service %{buildroot}%{_sbindir}/rcarpwatch
+install -Dm 0644 %{SOURCE11} \
+ %{buildroot}%{_fillupdir}/sysconfig.arpwatch
+# own the database files
+cat > %{buildroot}%{_tmpfilesdir}/arpwatch.conf <