Summary: Port Scan Attack Detector (psad) watches for suspect traffic

Name: psad

Version: 2.4.3

Release: 2%{?dist}

License: GPLv2+

Group: System Environment/Daemons

URL: https://www.cipherdyne.org/psad/

Source0: https://www.cipherdyne.org/psad/download/psad-%{version}.tar.bz2

Source1: https://www.cipherdyne.org/psad/download/psad-%{version}.tar.bz2.asc

# curl -O https://www.cipherdyne.org/signing_key ; gpg --import ./signing_key

# gpg --export --export-options export-minimal 4D6644A9DA036904BDA2CB90E6C9E3350D3E7410 > 4D6644A9DA036904BDA2CB90E6C9E3350D3E7410.gpg

Source2: 4D6644A9DA036904BDA2CB90E6C9E3350D3E7410.gpg

Source3: psad.service

Source4: psad-tmpfiles.conf

# patch to:

# * allow specifying Fedora CFLAGS

# * use system whois

# * set some sensible defaults in /etc/psad/psad.conf

Patch0: psad-fedora.patch

BuildRequires: %{_bindir}/gpgv2

BuildRequires: perl-generators

BuildRequires: systemd

# works with system one, but doesn't crash or break without it

Recommends: %{_bindir}/whois

Requires: iptables

# The automatic dependency generator doesn't find these

Requires: perl(Bit::Vector)

Requires: perl(Carp::Clan)

Requires: perl(Date::Calc)

Requires: perl(IPTables::ChainMgr)

Requires: perl(IPTables::Parse)

Requires: perl(NetAddr::IP)

Requires: perl(Storable)

Requires: perl(Unix::Syslog)

Requires(post): %{_sbindir}/semodule

Requires(postun): %{_sbindir}/semodule

%description

Port Scan Attack Detector (psad) is a collection of three lightweight

system daemons written in Perl and in C that are designed to work with Linux

iptables firewalling code to detect port scans and other suspect traffic.  It

features a set of highly configurable danger thresholds (with sensible

defaults provided), verbose alert messages that include the source,

destination, scanned port range, begin and end times, tcp flags and

corresponding nmap options, reverse DNS info, email and syslog alerting,

automatic blocking of offending ip addresses via dynamic configuration of

iptables rulesets, and passive operating system fingerprinting.  In addition,

psad incorporates many of the tcp, udp, and icmp signatures included in the

snort intrusion detection system (https://www.snort.org) to detect highly

suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend,

SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin,

xmas) which are easily leveraged against a machine via nmap.  psad can also

alert on snort signatures that are logged via fwsnort

(https://www.cipherdyne.org/fwsnort/), which makes use of the

iptables string match module to detect application layer signatures.

%prep

gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}

%setup -q

%patch0 -p1 -b .f

# remove bundled stuff

rm -r deps/{Bit-Vector,Carp-Clan,Date-Calc,IPTables-ChainMgr,IPTables-Parse,NetAddr-IP,Storable,Unix-Syslog,whois}

%build

make OPTS="%{optflags}" %{?_smp_mflags}

%install

install -Dpm755 -t %{buildroot}%{_sbindir} kmsgsd psad{,watchd}

install  -pm755 fwcheck_psad.pl %{buildroot}%{_sbindir}/fwcheck_psad

install -Dpm755 -t %{buildroot}%{_bindir} nf2csv

install -Dpm644 logrotate.psad %{buildroot}%{_sysconfdir}/logrotate.d/psad

install -Dpm644 -t %{buildroot}%{_sysconfdir}/%{name} \

 auto_dl \

 icmp_types \

 icmp6_types \

 ip_options \

 pf.os \

 posf \

 protocols \

 psad.conf \

 signatures \

 snort_rule_dl \

install -Dpm644 -t %{buildroot}%{_mandir}/man8 {fwcheck_psad,kmsgsd,psad{,watchd}}.8

install -Dpm644 -t %{buildroot}%{_mandir}/man1 nf2csv.1

cp -pr deps/snort_rules %{buildroot}%{_sysconfdir}/%{name}

install -Dpm644 -t %{buildroot}%{_unitdir} %{S:3}

install -Dpm644 %{S:4} %{buildroot}%{_tmpfilesdir}/psad.conf

# upstream's installer creates those as root-accessible only

install  -dm700 %{buildroot}/var/{lib,log,run}/%{name}

touch %{buildroot}/var/lib/%{name}/psadfifo

touch %{buildroot}/var/run/%{name}/psad.cmd

%post

%systemd_post psad.service

# missing from current SELinux policy (rhbz#1174309)

TMPDIR=$(%{_bindir}/mktemp -d)

cat >> $TMPDIR/psad-rpm.cil << __EOF__

(allow psad_t psad_var_log_t(file (read rename unlink write)))

__EOF__

%{_sbindir}/semodule -i $TMPDIR/psad-rpm.cil

rm $TMPDIR/psad-rpm.cil && rmdir $TMPDIR

exit 0

%preun

%systemd_preun psad.service

%postun

%systemd_postun_with_restart psad.service

%{_sbindir}/semodule -r psad-rpm || :

%files

%license LICENSE

%doc BENCHMARK FW_HELP FW_EXAMPLE_RULES README README.SYSLOG SCAN_LOG

%{_bindir}/nf2csv

%{_sbindir}/fwcheck_psad

%{_sbindir}/kmsgsd

%{_sbindir}/psad

%{_sbindir}/psadwatchd

%{_mandir}/man1/nf2csv.1*

%{_mandir}/man8/fwcheck_psad.8*

%{_mandir}/man8/kmsgsd.8*

%{_mandir}/man8/psad.8*

%{_mandir}/man8/psadwatchd.8*

%{_tmpfilesdir}/psad.conf

%{_unitdir}/psad.service

%dir %{_sysconfdir}/%{name}

%dir %{_sysconfdir}/logrotate.d

%config(noreplace) %{_sysconfdir}/logrotate.d/psad

%config(noreplace) %{_sysconfdir}/%{name}/psad.conf

%config(noreplace) %{_sysconfdir}/%{name}/signatures

%config(noreplace) %{_sysconfdir}/%{name}/auto_dl

%config(noreplace) %{_sysconfdir}/%{name}/ip_options

%config(noreplace) %{_sysconfdir}/%{name}/snort_rule_dl

%config(noreplace) %{_sysconfdir}/%{name}/posf

%config(noreplace) %{_sysconfdir}/%{name}/pf.os

%config(noreplace) %{_sysconfdir}/%{name}/icmp_types

%config(noreplace) %{_sysconfdir}/%{name}/icmp6_types

%config(noreplace) %{_sysconfdir}/%{name}/protocols

%dir %{_sysconfdir}/%{name}/snort_rules

%config(noreplace) %{_sysconfdir}/%{name}/snort_rules/*

%dir /var/lib/%{name}

%ghost %attr(0700,root,root) /var/lib/%{name}/psadfifo

%dir /var/log/%{name}

%ghost %dir /var/run/%{name}

%ghost %attr(0700,root,root) /var/run/%{name}/psad.cmd

%changelog

* Sun Oct 09 2016 Dominik Mierzejewski <rpm@greysector.net> - 2.4.3-2

- fix SELinux policy temporarily (#1040425)

- document patch purpose and file/dir permissions

- depend on whois binary, not package

- verify tarball GPG signature in prep

* Fri Aug 12 2016 Dominik Mierzejewski <rpm@greysector.net> - 2.4.3-1

- update to 2.4.3

- use https in URLs

- supply native systemd unit

- drop obsolete patches

- merge Fedora-specific changes into one patch

- use system whois client instead of bundled one

- update (and sort) Requires list

- tighten file list

- remove bundled stuff in prep

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-7

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.2.1-2

- Perl 5.18 rebuild

* Tue Jan 22 2013 Viktor Hercinger <vhercing@redhat.com> - 2.2.1-1

- Update to psad-2.2.1

* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Tue Feb 07 2012 Peter Vrabec <pvrabec@redhat.com>  2.1.7-5

- don't write to /tmp (#782527)

* Thu Jan 19 2012 Peter Vrabec <pvrabec@redhat.com>  2.1.7-4

- adjust qw() use to new perl (#771779)

* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Thu Nov 25 2010 Peter Vrabec <pvrabec@redhat.com>  2.1.7-1

- upgrade

* Tue Aug 11 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.1.3-4

- Use bzipped upstream tarball.

* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com>  2.1.3-1

- some adjustments to meet fedora standartds

* Sun Apr 27 2008 Steve Grubb <sgrubb@redhat.com> 2.1.2-1

- Initial packaging