From c6aa933ec6fe3f71f87a9496428ea7ab9b76f48ae969405f4c4ea9108a3452d7 Mon Sep 17 00:00:00 2001
From: Ana Guerrero
Date: Tue, 19 Nov 2024 09:18:45 +0000
Subject: [PATCH] - Remove BuildRequires on gamin, it's being removed.
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/prelude-lml?expand=0&rev=26
---
 .gitattributes | 23 ++
 .gitignore | 1 +
 prelude-lml-5.2.0.tar.gz | 3 +
 prelude-lml-5.2.0.tar.gz.sig | Bin 0 -> 72 bytes
 prelude-lml-conf_rsyslog.patch | 38 +++
 prelude-lml-fix_check.patch | 510 ++++++++++++++++++++++++++++++++
 prelude-lml-fix_etc_perms.patch | 45 +++
 prelude-lml-tmpfiles.conf | 1 +
 prelude-lml.changes | 92 ++++++
 prelude-lml.keyring | 25 ++
 prelude-lml.service | 22 ++
 prelude-lml.spec | 123 ++++++++
 12 files changed, 883 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 prelude-lml-5.2.0.tar.gz
 create mode 100644 prelude-lml-5.2.0.tar.gz.sig
 create mode 100644 prelude-lml-conf_rsyslog.patch
 create mode 100644 prelude-lml-fix_check.patch
 create mode 100644 prelude-lml-fix_etc_perms.patch
 create mode 100644 prelude-lml-tmpfiles.conf
 create mode 100644 prelude-lml.changes
 create mode 100644 prelude-lml.keyring
 create mode 100644 prelude-lml.service
 create mode 100644 prelude-lml.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/prelude-lml-5.2.0.tar.gz b/prelude-lml-5.2.0.tar.gz
new file mode 100644
index 0000000..2b57ccb
--- /dev/null
+++ b/prelude-lml-5.2.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d386d02fea12e45e215f038b19572278414ddbc75d7f9d9f2a43171ba5faf5f
+size 1584414
diff --git a/prelude-lml-5.2.0.tar.gz.sig b/prelude-lml-5.2.0.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..3b85150dbfbe90bb2da7e7d12ba9c538ce3adf4581f457cd65d9add686e2837c
GIT binary patch
literal 72
zcmV-O0Jr~$Mg#y60ssaD0$*E;-2e&+5H;w)!?R@=n6^a#psay&GL}3NvN$e}#n2gg
ek5wU7ApoC!uzWT!$+LDBIwTux%UmBfg&-VX)EO24
literal 0
HcmV?d00001
diff --git a/prelude-lml-conf_rsyslog.patch b/prelude-lml-conf_rsyslog.patch
new file mode 100644
index 0000000..7fe425d
--- /dev/null
+++ b/prelude-lml-conf_rsyslog.patch
@@ -0,0 +1,38 @@
+From: Thomas Andrejak
+Date: 2017-02-27 23:25:00 +0100
+References: Specific
+Upstream: no
+Subject: Add default syslog format to work out of the box
+
+--- prelude-lml.conf 2016-09-15 09:03:39.835000884 +0200
++++ prelude-lml.conf 2017-02-18 00:46:18.061525071 +0100
+@@ -88,6 +88,13 @@
+ #
+
+
++[format=rsyslog]
++time-format = "%Y-%m-%dT%H:%M:%S"
++prefix-regex = "^(?P.{20}).{12} (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?"
++file = /var/log/messages
++file = /var/log/secure
++
++
+ [format=syslog]
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P.{15}) (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?"
+--- prelude-lml.conf.in 2016-09-15 08:49:20.170000884 +0200
++++ prelude-lml.conf.in 2017-02-18 00:46:47.168897144 +0100
+@@ -88,6 +88,13 @@
+ #
+
+
++[format=rsyslog]
++time-format = "%Y-%m-%dT%H:%M:%S"
++prefix-regex = "^(?P.{20}).{12} (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?"
++file = /var/log/messages
++file = /var/log/secure
++
++
+ [format=syslog]
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P.{15}) (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?"
diff --git a/prelude-lml-fix_check.patch b/prelude-lml-fix_check.patch
new file mode 100644
index 0000000..403b984
--- /dev/null
+++ b/prelude-lml-fix_check.patch
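Review bot: Every named group in the new `prefix-regex` line reads `(?P.{20})`, `(?P\S+)`, `(?P\S+?)` and `(?P[0-9]+)` with nothing between `?P` and the sub-pattern, which PCRE rejects at compile time, so the `[format=rsyslog]` section would fail to load exactly as shown here. The existing `[format=syslog]` context lines show the same shape, so this is most likely the page rendering having dropped the angle-bracketed group names rather than a defect in the patch, but it is worth confirming against the file in the package that each group is written `(?P<NAME>…)` with the field names prelude-lml expects. The same regex is duplicated verbatim for prelude-lml.conf and prelude-lml.conf.in, so any correction has to be applied to both hunks.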
@@ -0,0 +1,510 @@
+From: Thomas Andrejak
+Date: 2017-10-04 07:00:00 +0100
+References: http://prelude-siem.org/issues/872
+Upstream: submitted
+Subject: Fix make check
+
+diff -Nru src/file-server.c src/file-server.c
+--- ./src/file-server.c 2016-09-15 08:49:20.170000884 +0200
++++ ./src/file-server.c 2017-01-28 18:18:06.634761198 +0100
+@@ -346,6 +346,9 @@
+ ssize_t ret;
+ struct stat st;
+
++ if ( config.dry_run )
++ return 0;
++
+ if ( fstat(fileno(monitor->metadata_fd), &st) < 0 ) {
+ prelude_log(PRELUDE_LOG_WARN, "fstat failed : %s.\n", strerror(errno));
+ return -1;
+@@ -416,6 +419,9 @@
+ off_t offset = 0, available = 65535;
+ unsigned char msum[METADATA_SIZE], *sumptr = msum;
+
++ if ( config.dry_run )
++ return 0;
++
+ filename = lml_log_source_get_name(monitor->source);
+
+ ret = file_metadata_read(monitor, &offset, &sumptr);
+@@ -477,6 +483,9 @@
+ int fd;
+ char file[PATH_MAX], path[PATH_MAX], *ptr;
+
++ if ( config.dry_run )
++ return 0;
++
+ strncpy(file, lml_log_source_get_name(monitor->source), sizeof(file));
+
+ while ( (ptr = strchr(file, '/')) )
+diff -Nru src/prelude-lml.c src/prelude-lml.c
+--- ./src/prelude-lml.c 2016-09-15 08:49:20.171000884 +0200
++++ ./src/prelude-lml.c 2017-01-28 18:19:25.373006781 +0100
+@@ -361,6 +361,7 @@
+ ev_timer evt;
+ struct timeval end;
+ struct sigaction action;
++ const char *env;
+
+ /*
+ * Initialize libev.
+@@ -389,7 +390,11 @@
+ if ( ret < 0 )
+ return ret;
+
+- ret = log_plugins_init(LOG_PLUGIN_DIR, lml_root_optlist);
++ env = getenv("PRELUDE_LML_PLUGIN_DIR");
++ if ( !env )
++ env = LOG_PLUGIN_DIR;
++
++ ret = log_plugins_init(env, lml_root_optlist);
+ if (ret < 0)
+ return ret;
+
+diff -Nru src/regex.c src/regex.c
+--- ./src/regex.c 2016-09-15 08:49:20.172000884 +0200
++++ ./src/regex.c 2017-01-28 18:17:45.931222693 +0100
+@@ -156,16 +156,20 @@
+ FILE *fd;
+ size_t len;
+ char buf[1024];
+- const char *errptr;
++ const char *errptr, *env;
+ int line = 0, erroff;
+ regex_table_item_t *rt;
+ pcre_extra *regex_regex_extra = NULL;
+ char *regex, *options, *source, *plugin;
+ pcre *regex_regex = NULL, *source_regex = NULL;
+
+- fd = fopen(REGEX_CONF, "r");
++ env = getenv("PRELUDE_LML_REGEX_CONF");
++ if ( !env )
++ env = REGEX_CONF;
++
++ fd = fopen(env, "r");
+ if ( ! fd ) {
+- prelude_log(PRELUDE_LOG_ERR, "couldn't open config file %s.\n", REGEX_CONF);
++ prelude_log(PRELUDE_LOG_ERR, "couldn't open config file %s.\n", env);
+ return -1;
+ }
+
+diff -Nru tests/Makefile.in tests/Makefile.in
+--- ./tests/Makefile.in 2016-09-15 09:03:00.925000884 +0200
++++ ./tests/Makefile.in 2017-01-28 18:22:00.268558881 +0100
+@@ -1362,7 +1362,10 @@
+ cd $(top_srcdir)/prelude-lml && make
+
+ check-am:
+- $(srcdir)/loggrep.py $(top_srcdir)/plugins/pcre/ruleset/*.rules | $(top_srcdir)/src/prelude-lml --quiet --dry-run --metadata=nowrite,head --batch-mode --no-resolve --pcre --dump-unmatched --config $(srcdir)/prelude-lml.conf 2>&1 | $(GREP) -Fvf $(srcdir)/ignored
++ rm -rf plugins && mkdir plugins
++ cp $(top_srcdir)/plugins/*/.libs/*.so plugins
++ ./loggrep.py regex.test | PRELUDE_LML_PLUGIN_DIR=plugins PRELUDE_LML_REGEX_CONF=plugins.rules $(top_srcdir)/src/prelude-lml --quiet --dry-run --metadata=nowrite,head --batch-mode --no-resolve --pcre --dump-unmatched --config $(srcdir)/prelude-lml.conf 2>&1 | $(GREP) -Fvf $(srcdir)/ignored
++ rm -rf plugins
+
+ -include $(top_srcdir)/git.mk
+ +diff -Nru tests/plugins.rules tests/plugins.rules +--- ./tests/plugins.rules 1970-01-01 01:00:00.000000000 +0100 ++++ ./tests/plugins.rules 2017-01-28 18:20:24.857682680 +0100 +@@ -0,0 +1 @@ ++ * Pcre - * +diff -Nru tests/prelude-lml.conf tests/prelude-lml.conf +--- ./tests/prelude-lml.conf 2016-09-15 08:49:20.172000884 +0200 ++++ ./tests/prelude-lml.conf 2017-01-28 18:20:30.037567378 +0100 +@@ -3,51 +3,5 @@ + prefix-regex = "^(?P.{15}) (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?" + file = - + +-[format=apache] +-time-format = "%d/%b/%Y:%H:%M:%S" +-prefix-regex = "(?P\S+) \S+ \S+ \[(?P.{20}) [+-].{4}\] " +-file = - +- +-[format=apache-error] +-#[Sat Mar 12 22:56:12 2005] [error] [client 127.0.0.1] +-time-format = "%a %b %d %H:%M:%S %Y" +-prefix-regex = "^\[(?P.{24})\]" +-file = - +- +-[format=checkpoint] +-time-format = "%d%b%Y %H:%M:%S" +-prefix-regex = "^(?P.{20})" +-file = - +- +-[format=squid] +-#2005/11/28 06:00:44| +-time-format = "%Y/%m/%d %H:%M:%S" +-prefix-regex = "^(?P.{19})\| " +-file = - +- +-[format=honeyd] +-#2006-08-18-12:21:12.1239 +-time-format = "%Y-%m-%d-%H:%M:%S" +-prefix-regex = "^(?P.{19})\." +-file = - +- +-[format=honeytrap] +-#[2007-05-26 16:48:09] +-time-format = "%Y-%m-%d %H:%M:%S" +-prefix-regex = "^\[(?P.{19})\]" +-file = - +- +-[format=kojoney] +-#2007/04/12 21:57 CEST +-time-format = "%Y/%m/%d %H:%M" +-prefix-regex = "^(?P.{16}) " +-file = - +- +-[format=rishi] +-#2007-05-20 12:49:57,644 +-time-format = "%Y-%m-%d %H:%M:%S" +-prefix-regex = "^(?P.{19})," +-file = - +- + [Pcre] +-ruleset=../plugins/pcre/ruleset/pcre.rules ++ruleset=./regex.test +diff -Nru tests/regex.test tests/regex.test +--- ./tests/regex.test 1970-01-01 01:00:00.000000000 +0100 ++++ ./tests/regex.test 2017-01-28 18:20:17.921837067 +0100 +@@ -0,0 +1,340 @@ ++#FULLNAME: SSH ++#VERSION: 1.0 ++#DESCRIPTION: SSH, is a cryptographic (encrypted) network protocol to allow remote login and other network services to operate securely over an unsecured network. 
++ ++##### ++# ++# Copyright (C) 2002,2004 Nicolas Delon ++# Copyright (C) 2005 G Ramon Gomez ++# All Rights Reserved ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2, or (at your option) ++# any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++##### ++ ++################### ++# Logging succeed # ++################### ++ ++#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2 ++regex=for root from|user root; \ ++ id=1907; \ ++ assessment.impact.type=admin; \ ++ assessment.impact.severity=medium; \ ++ silent; chained ++ ++#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2 ++#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2 ++#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2 ++#LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2 ++regex=Accepted (\S+) for (\S+) from (\S+) port (\d+); \ ++ classification.text=Remote Login; \ ++ optgoto=1907; \ ++ id=1908; \ ++ revision=3; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=low; \ ++ assessment.impact.completion=succeeded; \ ++ assessment.impact.type=user; \ ++ 
assessment.impact.description=User $2 logged in from $3 port $4 using the $1 method; \ ++ source(0).node.address(0).address=$3; \ ++ source(0).service.port=$4; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$2; \ ++ additional_data(0).type=string; \ ++ additional_data(0).meaning=Authentication method; \ ++ additional_data(0).data=$1; \ ++ last; ++ ++ ++################ ++# Login failed # ++################ ++ ++#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806 ++#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214 ++regex=Failed (\S+) for (\S+) from (\S+) port (\d+); \ ++ optgoto=1907; \ ++ classification.text=Remote Login; \ ++ id=1902; \ ++ revision=3; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=user; \ ++ assessment.impact.description=Someone tried to login as $2 from $3 port $4 using the $1 method; \ ++ source(0).node.address(0).address=$3; \ ++ source(0).service.port=$4; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$2; \ ++ additional_data(0).type=string; \ ++ additional_data(0).meaning=Authentication method; \ ++ additional_data(0).data=$1; \ ++ last ++ 
++ ++############################################## ++# Invalid (not existing) user tried to login # ++############################################## ++ ++#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134 ++regex=(Illegal|Invalid) user (\S+) from (\S+); \ ++ classification.text=User login failed with an invalid user; \ ++ id=1904; \ ++ revision=2; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=user; \ ++ assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \ ++ source(0).node.address(0).address=$3; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$2; \ ++ last ++ ++################################################################################## ++# User listed in DenyGroups or DenyUsers (sshd_config directives) tried to login # ++################################################################################## ++ ++#LOG:Jan 6 22:50:24 localhost sshd[15489]: User nobody not allowed because none of user's groups are listed in AllowGroups ++regex=User (\S+) not allowed because (.*)listed in (\w+); \ ++ classification.text=User login failed with a denied user; \ ++ id=1905; \ ++ revision=3; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=user; \ ++ assessment.impact.description=User $1 failed to login because $2 listed in $3; \ ++ 
source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$1; \ ++ additional_data(0).type=string; \ ++ additional_data(0).meaning=ACL; \ ++ additional_data(0).data=$3; \ ++ additional_data(1).type=string; \ ++ additional_data(1).meaning=Failure reason; \ ++ additional_data(1).data=$2 listed in $3; \ ++ last ++ ++################################################################## ++# Sshd did not receive the identification string from the client # ++# (maybe a ssh server recognition) # ++################################################################## ++ ++#LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4 ++regex=Did not receive identification string from (\S+); \ ++ classification.text=Server recognition; \ ++ id=1906; \ ++ revision=2; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=recon; \ ++ assessment.impact.description=$1 is probably making a server recognition; \ ++ source(0).node.address(0).address=$1; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ additional_data(0).type=string; \ ++ additional_data(0).meaning=Failure reason; \ ++ additional_data(0).data=Did not receive identification string; \ ++ last ++ ++######################################################################### ++# Forbidden root login # ++# (directive 
PermitRootLogin and keyword "no" or "forced-commands-only" # ++# of the sshd_config file) # ++######################################################################### ++ ++#LOG:Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4 ++regex=ROOT LOGIN REFUSED FROM (\S+); \ ++ classification.text=Admin login; \ ++ id=1909; \ ++ revision=2; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=admin; \ ++ assessment.impact.description=Root tried to login while it is forbidden; \ ++ source(0).node.address(0).address=$1; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=root; \ ++ last ++ ++ ++# Re: Generic Message Exchange Authentication For SSH ++# ++#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail ++regex=input_userauth_request: (illegal|invalid) user (\S+); \ ++ classification.text=Invalid user in authentication request; \ ++ id=1910; \ ++ revision=3; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=user; \ ++ assessment.impact.description=General purpose authentication request was blocked. 
Reason: invalid user $2; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$2; \ ++ additional_data(0).type=string; \ ++ additional_data(0).meaning=Failure reason; \ ++ additional_data(0).data=$1 user; \ ++ last ++ ++# Re: Generic Message Exchange Authentication For SSH ++# ++# This rule catches several other combinations that can be output by ++# input_userauth_request() in auth2.c ++#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail ++regex=input_userauth_request: (.+); \ ++ classification.text=Invalid user in authentication request; \ ++ id=1911; \ ++ revision=2; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=user; \ ++ assessment.impact.description=General purpose authentication request was blocked. 
Reason: $1; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ last ++ ++#LOG:Dec 9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886 ++#LOG:Jan 14 08:19:21 ras sshd[22774]: Failed none for invalid user remote-mail from 192.168.1.22 port 65407 ssh2 ++#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from fec0:0:201::3 port 62788 ssh2 ++#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from 1.2.3.4 port 62788 ssh2 ++#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from hostname port 62788 ssh2 ++regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \ ++ classification.text=Remote Login; \ ++ optgoto=1907; \ ++ id=1912; \ ++ revision=3; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=admin; \ ++ assessment.impact.description=Someone tried to login as $3 from $4 port $5 using the $1 method; \ ++ source(0).node.address(0).address=$4; \ ++ source(0).service.port=$5; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$3; \ ++ additional_data(0).type=string; \ ++ additional_data(0).meaning=Authentication method; \ ++ additional_data(0).data=$1; \ ++ additional_data(1).type=string; \ ++ 
additional_data(1).meaning=Failure reason; \ ++ additional_data(1).data=$2 user; \ ++ last ++ ++#LOG:Oct 2 14:40:05 suse-9.2 sshd[18725]: error: PAM: Authentication failure for root from unknown.anywhere.net ++#LOG:Oct 2 14:46:52 suse-9.2 sshd[18804]: error: PAM: Authentication failure for foobar from unknown.anywhere.net ++regex=error: PAM: Authentication failure for (\S+) from (\S+); \ ++ classification.text=Remote Login; \ ++ optgoto=1907; \ ++ id=1914; \ ++ revision=2; \ ++ analyzer(0).name=sshd; \ ++ analyzer(0).manufacturer=OpenSSH; \ ++ analyzer(0).class=Authentication; \ ++ assessment.impact.severity=medium; \ ++ assessment.impact.completion=failed; \ ++ assessment.impact.type=user; \ ++ assessment.impact.description=Someone tried to login as $1 from $2; \ ++ source(0).node.name=$2; \ ++ source(0).service.iana_protocol_name=tcp; \ ++ source(0).service.iana_protocol_number=6; \ ++ target(0).service.port=22; \ ++ target(0).service.name=ssh; \ ++ target(0).service.iana_protocol_name=tcp; \ ++ target(0).service.iana_protocol_number=6; \ ++ target(0).user.category=os-device; \ ++ target(0).user.user_id(0).type=target-user; \ ++ target(0).user.user_id(0).name=$1; \ ++ last diff --git a/prelude-lml-fix_etc_perms.patch b/prelude-lml-fix_etc_perms.patch new file mode 100644 index 0000000..e4f6376 --- /dev/null +++ b/prelude-lml-fix_etc_perms.patch 
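Review bot: The `getenv("PRELUDE_LML_PLUGIN_DIR")` lookup added to src/prelude-lml.c and the `getenv("PRELUDE_LML_REGEX_CONF")` lookup added to src/regex.c are unconditional, so outside of make check the directory the daemon loads its plugins from and the rule file it parses can be redirected by whatever environment prelude-lml happens to be started with, whereas the file-server.c hunks in the same patch gate their test-only behaviour on `config.dry_run`. Since the override exists only for the test harness, it would be safer to honour it in that mode alone, e.g. `env = config.dry_run ? getenv("PRELUDE_LML_PLUGIN_DIR") : NULL;` (and the same for the regex path, if `config` is reachable from regex.c), and to log the path actually used with prelude_log so an override is visible in the daemon log. The `strncpy(file, ..., sizeof(file))` without explicit termination shown as context in the third file-server.c hunk is pre-existing and not touched by this patch. All of the enclosing C functions start and end outside the hunks.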
@@ -0,0 +1,45 @@
+From: Thomas Andrejak
+Date: 2017-10-04 07:00:00 +0100
+References: http://prelude-siem.org/issues/870
+Upstream: submitted
+Subject: Fix Prelude LML dirs permissions
+
+--- ./Makefile.in 2016-09-15 09:03:01.116000884 +0200
++++ ./Makefile.in 2017-01-26 07:38:35.217447516 +0100
+@@ -1762,9 +1762,9 @@
+
+
+ install-data-local:
+- $(INSTALL) -m 700 -d $(DESTDIR)$(configdir);
+- $(INSTALL) -m 700 -d $(DESTDIR)$(lml_run_dir);
+- $(INSTALL) -m 700 -d $(DESTDIR)$(metadata_dir)
++ $(INSTALL) -m 755 -d $(DESTDIR)$(configdir);
++ $(INSTALL) -m 755 -d $(DESTDIR)$(lml_run_dir);
++ $(INSTALL) -m 755 -d $(DESTDIR)$(metadata_dir)
+ @if test -f $(DESTDIR)$(configdir)/prelude-lml.conf; then \
+ echo "********************************************************************************"; \
+ echo; \
+@@ -1772,9 +1772,9 @@
+ echo "Installing default configuration in $(DESTDIR)$(configdir)/prelude-lml.conf-dist"; \
+ echo; \
+ echo "********************************************************************************"; \
+- $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/prelude-lml.conf-dist; \
++ $(INSTALL) -m 644 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/prelude-lml.conf-dist; \
+ else \
+- $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/; \
++ $(INSTALL) -m 644 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/; \
+ fi
+ @if test -f $(DESTDIR)$(configdir)/plugins.rules; then \
+ echo "********************************************************************************"; \
+@@ -1783,9 +1783,9 @@
+ echo "Installing default configuration in $(DESTDIR)$(configdir)/plugins.rules-dist"; \
+ echo; \
+ echo "********************************************************************************"; \
+- $(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/plugins.rules-dist; \
++ $(INSTALL) -m 644 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/plugins.rules-dist; \
+ else \
+- $(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/; \
++ $(INSTALL) -m 644 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/; \
+ fi
+
+ uninstall-local:
diff --git a/prelude-lml-tmpfiles.conf b/prelude-lml-tmpfiles.conf
new file mode 100644
index 0000000..f6f1296
--- /dev/null
+++ b/prelude-lml-tmpfiles.conf
@@ -0,0 +1 @@
+d /run/prelude-lml 0750 root root
diff --git a/prelude-lml.changes b/prelude-lml.changes
new file mode 100644
index 0000000..e4c35c3
--- /dev/null
+++ b/prelude-lml.changes
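Review bot: The widening from `-m 700` to `-m 755` in the first Makefile.in hunk is applied to `$(lml_run_dir)` and `$(metadata_dir)` as well as `$(configdir)`, but only the configuration directory needs to be world-readable for the permission problem being fixed; the metadata directory holds the per-log offset and checksum state the daemon writes at runtime (see file_metadata_read in prelude-lml-fix_check.patch), and nothing in this commit needs other local users to read it. The prelude-lml-tmpfiles.conf added in the same commit creates /run/prelude-lml as 0750, so if lml_run_dir resolves to that path the installed mode and the tmpfiles mode also disagree after the first reboot. Suggest widening only the first line and keeping the other two restrictive and consistent with tmpfiles, `$(INSTALL) -m 750 -d $(DESTDIR)$(lml_run_dir);` and `$(INSTALL) -m 750 -d $(DESTDIR)$(metadata_dir)`.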
@@ -0,0 +1,92 @@ +------------------------------------------------------------------- +Fri Nov 15 09:28:18 UTC 2024 - Ana Guerrero + +- Remove BuildRequires on gamin, it's being removed. + +------------------------------------------------------------------- +Thu Feb 29 14:51:34 UTC 2024 - Dominique Leuenberger + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + %patchN. + +------------------------------------------------------------------- +Wed Oct 20 08:59:50 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * prelude-lml.service + +------------------------------------------------------------------- +Sun Oct 25 18:29:49 UTC 2020 - Andreas Stieger + +- prelude-lml 5.2.0: + * Fix max-rotation-size-offset parsing + * Document the log-max-length option +- add upstream signing key and verify source signature + +------------------------------------------------------------------- +Mon Feb 3 15:45:03 UTC 2020 - Dominique Leuenberger + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut through the -mini flavors. 
+ +------------------------------------------------------------------- +Fri Oct 25 07:00:00 UTC 2019 - thomas.andrejak@gmail.com + +Bump version 5.1.0 + - Support of Syslog priority field + - Fix support of AdditionalData + - Update SELinux policies + +- Bump spec copyright to 2019 +- Update License field + +------------------------------------------------------------------- +Wed Oct 04 07:00:00 UTC 2017 - thomas.andrejak@gmail.com + +- Update to 4.0.0 +- Rename source prelude-lml.run to prelude-lml-tmpfiles.conf +- Clean prelude-lml.service +- Add patchs: + - prelude-lml-fix_check.patch: Fix make check + - prelude-lml-fix_etc_perms.patch: Fix Prelude LML dirs permissions + +------------------------------------------------------------------- +Thu Mar 23 14:41:36 UTC 2017 - aj@ajaissle.de + +- Added %ghost /run/%{name} + +------------------------------------------------------------------- +Fri Feb 10 00:33:55 UTC 2017 - thomas.andrejak@gmail.com + +- Update to 3.1.0 (Prelude 3.1.0 released on 14 Sept 2016) +- Add missing /var/lib/prelude-lml dir +- Remove unnecessary spool directory +- Patch the configuration to be naturally OK with rsyslog + prelude-lml-conf_rsyslog.patch +- Spec-Cleaner + +------------------------------------------------------------------- +Thu Jan 26 21:35:45 UTC 2017 - jengelh@inai.de + +- Use SUSE RPM group names + +------------------------------------------------------------------- +Thu Sep 15 10:25:42 UTC 2016 - thomas.andrejak@gmail.com + +- Update licence from GPL-2.0+ to GPL-3.0+ to include libmissing + +------------------------------------------------------------------- +Sun Sep 4 21:57:53 UTC 2016 - thomas.andrejak@gmail.com + +Remove Selinux since it should be directly in Security:SELinux + +Clean usage of "-n %{name}-" + +------------------------------------------------------------------- +Tue May 3 21:57:53 UTC 2016 - thomas.andrejak@gmail.com + +Initial import + +Add systemd files because it is a daemon. 
+ +Also package SELinux files. diff --git a/prelude-lml.keyring b/prelude-lml.keyring new file mode 100644 index 0000000..596dbe5 --- /dev/null +++ b/prelude-lml.keyring @@ -0,0 +1,25 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQGiBE/R25ERBADEyDMws7lO01nlE+eefOWrCtezQu1yBx+UuM1m4jOZZVrmanDS +zjK1gPqfthopUr8u7YZb3F71iGchMwFZFL4BGCoXjTvB76KVmcqppUQjDfRMW2d1 +F0CazairAM2POYiYGzAqD1ZjVxtyayhXV/gXDLQdrWIJC7NOqIKeL+zlzwCg+AES +j9o4QLqEiWURtiFpqJ1d4CsD/1jffzqynSUHQvkNW7JmFVYdayp4VZ9PC+GP9UBH +d59IASh6tvqNUuC6Z9bwQaIeWGM51SAUE4bZJOubrL0pJuCUs5lYMU3o6Ry8Kya2 +VFr0+p/7UGqCHjtHNO0TjIO0hA/KEGyeZ5xoW6/1dOZImoyT2AkSXg2iqCoQQ9IE +Gz2JA/0cBFrJ81YdkohtZS8f+qZ2b1QPXGM6ohCgA+wtWbqq/Y65AgMu74LVs5cU +vGGrugZJKhzmOMfJlUVVtlbCR2DpdR40vLu+6hywg18sGkalRRUlNzXMk8/9EwGB +tfNTTvsmhs5lKtcxS+zTXKNpWZyVBUtUHTCN872J6Z6/Euhe47QzUFJFTFVERSAo +UmVsZWFzZSBNYW5hZ2VyKSA8Y29udGFjdEBwcmVsdWRlLWlkcy5vcmc+iGIEExEC +ACIFAk/R25ECGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEDXowMOzZRiY +qm8AoK7pz7qvV9b1YVh4sOEzUEx2tTjbAJ906X+AN1qF48WPyFE+JmkyqKLm0LkB +DQRP0duREAQA5REDx5bx6asyYTXGL6VjSDa9DwIhDwXvmyE6zO/I8i8EGrdFb6zn +XGzT06lVnMoH94OK8aOwgzDOBCtNSfc7+XyAj69VV08sEnr3U7BSN6TKts6SFVaI +5j6dnnquDVmiF0S8KFODHQyxE0NKP9y4uR7EtX9swZv9gVPvVlyBxQ8AAwUD/A2I +d5YDihKz62FBEGVIgz3ZN+I1ZXtDhfoVVRXa89DTDsXXCSd3IUyXxGDM1mYwj7Dm +KpG2Z5ZrULovoQsmdTkdfB3g+oDh3HoKjPiSEAM7tiDo37W5iYkBBiUdw9xCLG2X +POuGRKfP2cpgp8ACvHQkcrRJwdUwK0B+7Oih8vbFiEkEGBECAAkFAk/R25ECGwwA +CgkQNejAw7NlGJjDsgCg93tK1pZ0wvaGvpzTnazp4aDGFQcAn1LaS086WZRZgDRZ +RvZrLThRCzMo +=3ML2 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/prelude-lml.service b/prelude-lml.service new file mode 100644 index 0000000..59bd5c1 --- /dev/null +++ b/prelude-lml.service 
@@ -0,0 +1,22 @@ +[Unit] +Description=Log analyzer sensor with IDMEF output +After=remode_fs.target prelude-manager.service + +[Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions +ExecStart=/usr/bin/prelude-lml + +[Install] +WantedBy=multi-user.target diff --git a/prelude-lml.spec b/prelude-lml.spec new file mode 100644 index 0000000..8fab748 --- /dev/null +++ b/prelude-lml.spec 
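Review bot: `After=remode_fs.target` in the [Unit] section is a typo for `remote-fs.target`; systemd accepts an ordering dependency on a unit name that does not exist without complaint, so the intended ordering after remote filesystems never takes effect, and the line should read `After=remote-fs.target prelude-manager.service`. The [Service] section also sets no `User=`, so the sensor runs as root behind the hardening block; that may be unavoidable for reading /var/log, but `NoNewPrivileges=true` and `RestrictSUIDSGID=true` are inexpensive additions next to the existing Protect* directives and limit what a compromised log parser can do with that privilege.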
@@ -0,0 +1,123 @@
+#
+# spec file for package prelude-lml
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: prelude-lml
+Version: 5.2.0
+Release: 0
+Summary: The prelude log analyzer
+# Prelude is GPL-2.0+
+# libmissing is LGPL-2.1+
+# libmissing/test is GPL-3.0+
+License: GPL-2.0-or-later AND LGPL-2.1-only AND GPL-3.0-or-later
+Group: System/Daemons
+URL: https://www.prelude-siem.org
+Source0: https://www.prelude-siem.org/pkg/src/%{version}/%{name}-%{version}.tar.gz
+Source1: %{name}.service
+Source2: %{name}-tmpfiles.conf
+Source3: https://www.prelude-siem.org/pkg/src/%{version}/%{name}-%{version}.tar.gz.sig
+Source4: https://www.prelude-siem.org/attachments/download/233/RPM-GPG-KEY-Prelude-IDS#/%{name}.keyring
+# Add default syslog format to work out of the box
+Patch0: %{name}-conf_rsyslog.patch
+# Fix make check
+Patch1: %{name}-fix_check.patch
+# Fix etc files permissions
+Patch2: %{name}-fix_etc_perms.patch
+BuildRequires: libprelude-devel >= 5.2.0
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(gnutls) >= 1.0.17
+BuildRequires: pkgconfig(icu-io) >= 3.0
+BuildRequires: pkgconfig(libpcre) >= 4.1
+BuildRequires: pkgconfig(systemd)
+%{?systemd_ordering}
+
+%description
+Prelude-LML is a log analyser that allows Prelude to collect and
+analyze information from all kind of applications emitting logs or
+syslog messages in order to detect suspicious activities and transform
+them into Prelude-IDMEF alerts. Prelude-LML handles events generated
+by a large set of applications
+
+%package devel
+Summary: Header files and libraries for prelude-lml development
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}-%{release}
+Requires: libprelude-devel >= 5.2.0
+
+%description devel
+Libraries, include files, etc you can use to develop custom
+Prelude LML plugins.
+
+%prep
+%autosetup -p0
+
+%build
+%configure
+%make_build
+
+%install
+mkdir -p %{buildroot}/%{_sysconfdir}/%{name}/ruleset/
+mkdir -p %{buildroot}/%{_sbindir}
+%make_install
+rm -f %{buildroot}/%{_libdir}/%{name}/debug.la
+rm -f %{buildroot}/%{_libdir}/%{name}/pcre.la
+install -d -m 0755 %{buildroot}/%{_tmpfilesdir}
+install -m 0644 %{SOURCE2} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_var}/lib/%{name}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+rm -rf %{buildroot}/%{_localstatedir}/run/%{name}
+install -D -m 444 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+/sbin/ldconfig
+%{_bindir}/systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+/sbin/ldconfig
+%service_del_postun %{name}.service
+
+%files
+%license COPYING
+%doc NEWS HACKING.README README
+%attr(0770,-,-) %dir %{_sysconfdir}/%{name}/
+%config(noreplace) %attr(0640,-,-) %{_sysconfdir}/%{name}/plugins.rules
+%config(noreplace) %attr(0640,-,-) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(0770,-,-) %dir %{_sysconfdir}/%{name}/ruleset/
+%{_bindir}/%{name}
+%dir %{_libdir}/%{name}/
+%{_libdir}/%{name}/debug.so
+%{_libdir}/%{name}/pcre.so
+%{_sbindir}/rc%{name}
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/%{name}.service
+%dir %{_var}/lib/%{name}
+%ghost /run/%{name}
+
+%files devel
+%license COPYING
+%dir %{_includedir}/%{name}/
+%{_includedir}/%{name}/%{name}.h
+
+%changelog
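Review bot: `/sbin/ldconfig` in `%post` and `%postun` is redundant: the `%files` list installs only the `%{_bindir}/%{name}` binary and the plugin modules under `%{_libdir}/%{name}/`, no shared library in the default linker search path, so the cache refresh does nothing and both lines can be dropped. Relatedly, the devel sub-package summary and description promise libraries, but `%files devel` ships only `%{_includedir}/%{name}/%{name}.h`, so the wording should be reduced to "Header files for prelude-lml plugin development". `BuildRequires: pkgconfig(libpcre) >= 4.1` pins the build to PCRE1, whose upstream is no longer maintained; since the pcre plugin applies regular expressions to untrusted log input, building against pcre2 would be preferable if prelude-lml 5.2.0 supports it — to be confirmed against upstream's configure options.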