Summary: Port Scan Attack Detector (psad) watches for suspect traffic
Name: psad
Version: 2.4.3
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: https://www.cipherdyne.org/psad/
Source0: https://www.cipherdyne.org/psad/download/psad-%{version}.tar.bz2
Source1: https://www.cipherdyne.org/psad/download/psad-%{version}.tar.bz2.asc
# curl -O https://www.cipherdyne.org/signing_key ; gpg --import ./signing_key
# gpg --export --export-options export-minimal 4D6644A9DA036904BDA2CB90E6C9E3350D3E7410 > 4D6644A9DA036904BDA2CB90E6C9E3350D3E7410.gpg
Source2: 4D6644A9DA036904BDA2CB90E6C9E3350D3E7410.gpg
Source3: psad.service
Source4: psad-tmpfiles.conf
# patch to:
# * allow specifying Fedora CFLAGS
# * use system whois
# * set some sensible defaults in /etc/psad/psad.conf
Patch0: psad-fedora.patch
BuildRequires: %{_bindir}/gpgv2
BuildRequires: perl-generators
BuildRequires: systemd
# works with system one, but doesn't crash or break without it
Recommends: %{_bindir}/whois
Requires: iptables
# The automatic dependency generator doesn't find these
Requires: perl(Bit::Vector)
Requires: perl(Carp::Clan)
Requires: perl(Date::Calc)
Requires: perl(IPTables::ChainMgr)
Requires: perl(IPTables::Parse)
Requires: perl(NetAddr::IP)
Requires: perl(Storable)
Requires: perl(Unix::Syslog)
Requires(post): %{_sbindir}/semodule
Requires(postun): %{_sbindir}/semodule

%description
Port Scan Attack Detector (psad) is a collection of three lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic.  It
features a set of highly configurable danger thresholds (with sensible
defaults provided), verbose alert messages that include the source,
destination, scanned port range, begin and end times, tcp flags and
corresponding nmap options, reverse DNS info, email and syslog alerting,
automatic blocking of offending ip addresses via dynamic configuration of
iptables rulesets, and passive operating system fingerprinting.  In addition,
psad incorporates many of the tcp, udp, and icmp signatures included in the
snort intrusion detection system (https://www.snort.org) to detect highly
suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend,
SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin,
xmas) which are easily leveraged against a machine via nmap.  psad can also
alert on snort signatures that are logged via fwsnort
(https://www.cipherdyne.org/fwsnort/), which makes use of the
iptables string match module to detect application layer signatures.

%prep
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
%patch0 -p1 -b .f
# remove bundled stuff
rm -r deps/{Bit-Vector,Carp-Clan,Date-Calc,IPTables-ChainMgr,IPTables-Parse,NetAddr-IP,Storable,Unix-Syslog,whois}

%build
make OPTS="%{optflags}" %{?_smp_mflags}

%install
install -Dpm755 -t %{buildroot}%{_sbindir} kmsgsd psad{,watchd}
install  -pm755 fwcheck_psad.pl %{buildroot}%{_sbindir}/fwcheck_psad
install -Dpm755 -t %{buildroot}%{_bindir} nf2csv
install -Dpm644 logrotate.psad %{buildroot}%{_sysconfdir}/logrotate.d/psad
install -Dpm644 -t %{buildroot}%{_sysconfdir}/%{name} \
 auto_dl \
 icmp_types \
 icmp6_types \
 ip_options \
 pf.os \
 posf \
 protocols \
 psad.conf \
 signatures \
 snort_rule_dl \

install -Dpm644 -t %{buildroot}%{_mandir}/man8 {fwcheck_psad,kmsgsd,psad{,watchd}}.8
install -Dpm644 -t %{buildroot}%{_mandir}/man1 nf2csv.1

cp -pr deps/snort_rules %{buildroot}%{_sysconfdir}/%{name}

install -Dpm644 -t %{buildroot}%{_unitdir} %{S:3}
install -Dpm644 %{S:4} %{buildroot}%{_tmpfilesdir}/psad.conf

# upstream's installer creates those as root-accessible only
install  -dm700 %{buildroot}/var/{lib,log,run}/%{name}
touch %{buildroot}/var/lib/%{name}/psadfifo
touch %{buildroot}/var/run/%{name}/psad.cmd

%post
%systemd_post psad.service
# missing from current SELinux policy (rhbz#1174309)
TMPDIR=$(%{_bindir}/mktemp -d)
cat >> $TMPDIR/psad-rpm.cil << __EOF__
(allow psad_t psad_var_log_t(file (read rename unlink write)))
__EOF__
%{_sbindir}/semodule -i $TMPDIR/psad-rpm.cil
rm $TMPDIR/psad-rpm.cil && rmdir $TMPDIR
exit 0

%preun
%systemd_preun psad.service

%postun
%systemd_postun_with_restart psad.service
%{_sbindir}/semodule -r psad-rpm || :

%files
%license LICENSE
%doc BENCHMARK FW_HELP FW_EXAMPLE_RULES README README.SYSLOG SCAN_LOG
%{_bindir}/nf2csv
%{_sbindir}/fwcheck_psad
%{_sbindir}/kmsgsd
%{_sbindir}/psad
%{_sbindir}/psadwatchd
%{_mandir}/man1/nf2csv.1*
%{_mandir}/man8/fwcheck_psad.8*
%{_mandir}/man8/kmsgsd.8*
%{_mandir}/man8/psad.8*
%{_mandir}/man8/psadwatchd.8*
%{_tmpfilesdir}/psad.conf
%{_unitdir}/psad.service
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/psad
%config(noreplace) %{_sysconfdir}/%{name}/psad.conf
%config(noreplace) %{_sysconfdir}/%{name}/signatures
%config(noreplace) %{_sysconfdir}/%{name}/auto_dl
%config(noreplace) %{_sysconfdir}/%{name}/ip_options
%config(noreplace) %{_sysconfdir}/%{name}/snort_rule_dl
%config(noreplace) %{_sysconfdir}/%{name}/posf
%config(noreplace) %{_sysconfdir}/%{name}/pf.os
%config(noreplace) %{_sysconfdir}/%{name}/icmp_types
%config(noreplace) %{_sysconfdir}/%{name}/icmp6_types
%config(noreplace) %{_sysconfdir}/%{name}/protocols
%dir %{_sysconfdir}/%{name}/snort_rules
%config(noreplace) %{_sysconfdir}/%{name}/snort_rules/*
%dir /var/lib/%{name}
%ghost %attr(0700,root,root) /var/lib/%{name}/psadfifo
%dir /var/log/%{name}
%ghost %dir /var/run/%{name}
%ghost %attr(0700,root,root) /var/run/%{name}/psad.cmd

%changelog
* Sun Oct 09 2016 Dominik Mierzejewski <rpm@greysector.net> - 2.4.3-2
- fix SELinux policy temporarily (#1040425)
- document patch purpose and file/dir permissions
- depend on whois binary, not package
- verify tarball GPG signature in prep

* Fri Aug 12 2016 Dominik Mierzejewski <rpm@greysector.net> - 2.4.3-1
- update to 2.4.3
- use https in URLs
- supply native systemd unit
- drop obsolete patches
- merge Fedora-specific changes into one patch
- use system whois client instead of bundled one
- update (and sort) Requires list
- tighten file list
- remove bundled stuff in prep

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.2.1-2
- Perl 5.18 rebuild

* Tue Jan 22 2013 Viktor Hercinger <vhercing@redhat.com> - 2.2.1-1
- Update to psad-2.2.1

* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Tue Feb 07 2012 Peter Vrabec <pvrabec@redhat.com>  2.1.7-5
- don't write to /tmp (#782527)

* Thu Jan 19 2012 Peter Vrabec <pvrabec@redhat.com>  2.1.7-4
- adjust qw() use to new perl (#771779)

* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Thu Nov 25 2010 Peter Vrabec <pvrabec@redhat.com>  2.1.7-1
- upgrade

* Tue Aug 11 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.1.3-4
- Use bzipped upstream tarball.

* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com>  2.1.3-1
- some adjustments to meet fedora standartds

* Sun Apr 27 2008 Steve Grubb <sgrubb@redhat.com> 2.1.2-1
- Initial packaging