diff --git a/src/warden-server/doc/CHANGELOG b/src/warden-server/doc/CHANGELOG index 0ebe0b4b1b1d07a78ddcbf18bcc27dd95c2863ad..e2335308fecf464894ff8949eb80a1f75046af7c 100644 --- a/src/warden-server/doc/CHANGELOG +++ b/src/warden-server/doc/CHANGELOG @@ -1,5 +1,17 @@ 2014-??-?? v2.2 stable version ------------------------------ +- fixed bug in re-activation of invalid clients +- fixed bug in disabling of validation hash +- added user specified client ID +- added Warden Watchdog system +- added validity system of events and clients +- added logging of incoming events +- added API to send information about registered clients to Warden client +- deleted obsolete items of evens +- enhanced getClients and getStatus scripts +- enhanced client's managment system +- enhanced database schema +- other minor bugs 2012-11-16 v2.1 stable version diff --git a/src/warden-server/doc/INSTALL b/src/warden-server/doc/INSTALL index cb598623a7bd337da280518cdcd759ebb760a2da..6a7e507b57d57c6f3dde597b9b4eea3d668301d4 100644 --- a/src/warden-server/doc/INSTALL +++ b/src/warden-server/doc/INSTALL @@ -31,11 +31,11 @@ C. Installation step 1) Install Warden server package (examples) - $ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem + $ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem -e admin@domain.com or (if you want to create symlinks to Warden server control scripts during the installation process - optional) - $ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem -s /usr/local/bin + $ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem -e admin@domain.com -s /usr/local/bin D. Post-installation steps 
diff --git a/src/warden-server/doc/README b/src/warden-server/doc/README index fcc57650901ca837c04014b2dc9f2b8b45d37a99..1c24d6507c0450ed47e903665c874588ef790597 100644 --- a/src/warden-server/doc/README +++ b/src/warden-server/doc/README @@ -44,7 +44,6 @@ A. Overall Information LICENSE MANIFEST README - README.wardenWatchdog UNINSTALL UPDATE warden21to22.patch @@ -115,6 +114,7 @@ C. Installation -k <ssl_key_file> SSL certificate key file path -c <ssl_cert_file> SSL certificate file path -a <ssl_ca_file> CA certificate file path + -e <e-mail address> e-mail address to Warden server administrator -s <directory> directory for symlinks to Warden server control scripts (optional) -h print this help -V print script version number and exit @@ -124,6 +124,7 @@ C. Installation -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem + -e admin@domain.com -s /usr/local/bin 4. Configuration files diff --git a/src/warden-server/etc/warden-watchdog.conf b/src/warden-server/etc/warden-watchdog.conf index 0fbf76178bba3590d3f532e2f65cf47155799b57..6bfa3974a92e9c9ec5765af40e68abdd021cd161 100644 --- a/src/warden-server/etc/warden-watchdog.conf +++ b/src/warden-server/etc/warden-watchdog.conf @@ -1,7 +1,7 @@ # # warden-watchdog.conf - configuration file for Wachdog script # -# Copyright (C) 2011-2013 Cesnet z.s.p.o +# Copyright (C) 2011-2014 Cesnet z.s.p.o # # Use of this source is governed by a BSD-style license, see LICENSE file. 
@@ -10,6 +10,11 @@ #------------------------------------------------------------------------------- $domain_name = "warden-dev.cesnet.cz"; +#------------------------------------------------------------------------------- +# contact - contact to server administrator +#------------------------------------------------------------------------------- +$contact = "jakubcegan@cesnet.cz, ph@cesnet.cz"; + #------------------------------------------------------------------------------- # email_subject - ... #------------------------------------------------------------------------------- 
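Review bot: The new `$contact = "jakubcegan@cesnet.cz, ph@cesnet.cz";` places e-mail addresses inside a Perl double-quoted string, and this file is Perl syntax (`@sql_queries = (…)`, `=>` pairs), so each `@cesnet` is parsed as array interpolation: the value loads as `jakubcegan.cz, ph.cz` (with warnings enabled Perl reports "Possible unintended interpolation"), and is a compile error if the file is loaded under `use strict`. The removed lines kept these addresses in single quotes, which is what avoided this. Change the definition to `$contact = 'jakubcegan@cesnet.cz, ph@cesnet.cz';` and make the same change to `$contact = '_CONTACT_';` in the warden-watchdog.conf.tmpl and warden-watchdog.conf.tmpl.update hunks, where the address substituted from `-e` will otherwise break the same way. The `contact => "$contact"` uses further down are fine as written, since a scalar interpolates cleanly.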
@@ -59,10 +64,10 @@ END;'); # in a database table. #------------------------------------------------------------------------------- @sql_queries = ( - {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}); + {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. 
It is possible, that they are misconfigured or not running.", contact => "$contact"}, + {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"}, + {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"}, + {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"}); #------------------------------------------------------------------------------- # sql_postcondition - array of procedures which are executed "after" main action diff --git a/src/warden-server/etc/warden-watchdog.conf.tmpl b/src/warden-server/etc/warden-watchdog.conf.tmpl index c7d56e7643019af9d9ce25b58846fc8c08fd2fad..c9a1a6371ae24aaa95ea95c695af0b32020389dd 100644 --- a/src/warden-server/etc/warden-watchdog.conf.tmpl +++ b/src/warden-server/etc/warden-watchdog.conf.tmpl 
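Review bot: The second query in the new `@sql_queries` changes `'\$date'` to `'$date'`, so `$date` is now interpolated when this config is evaluated instead of being left as literal text; the backslash in the removed line suggests the watchdog script substituted `$date` into the query text later, at run time. If `$date` is not set when the file is loaded, this query and the third one (which already used `'$date'`) compare `detected`/`received` against an empty string and the checks silently stop meaning anything. Either keep `'\$date'` in both queries or confirm that the loader sets `$date` before reading the file, and record which in the comment above the array. The same change appears in the warden-watchdog.conf.tmpl and warden-watchdog.conf.tmpl.update hunks.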
@@ -1,16 +1,24 @@ # -# wardenWatchdog.conf - configuration file for Wachdog script +# warden-watchdog.conf - configuration file for Wachdog script # +# Copyright (C) 2011-2014 Cesnet z.s.p.o +# +# Use of this source is governed by a BSD-style license, see LICENSE file. #------------------------------------------------------------------------------- # domain_name - server full domain name #------------------------------------------------------------------------------- $domain_name = "_HOSTNAME_"; +#------------------------------------------------------------------------------- +# contact - contact to server administrator +#------------------------------------------------------------------------------- +$contact = "_CONTACT_"; + #------------------------------------------------------------------------------- # email_subject - ... #------------------------------------------------------------------------------- -$email_subject = "Kontrola stavu udalosti warden serveru na stroji $domain_name"; +$email_subject = "Database check of a Warden server ($domain_name)"; #------------------------------------------------------------------------------- # email_server_conf - path and params of an email server for reports sending 
@@ -56,10 +64,10 @@ END;'); # in a database table. #------------------------------------------------------------------------------- @sql_queries = ( - {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). 
kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}); + {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"}, + {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"}, + {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"}, + {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"}); #------------------------------------------------------------------------------- # sql_postcondition - array of procedures which are executed "after" main action diff --git a/src/warden-server/etc/warden-watchdog.conf.tmpl.update b/src/warden-server/etc/warden-watchdog.conf.tmpl.update index 8d75f84227ce223250377106491255243086d277..af88c3161c9cde389bca9eb9713134fddfacca3e 100644 --- a/src/warden-server/etc/warden-watchdog.conf.tmpl.update 
+++ b/src/warden-server/etc/warden-watchdog.conf.tmpl.update @@ -1,12 +1,20 @@ # -# wardenWatchdog.conf - configuration file for Wachdog script +# warden-watchdog.conf - configuration file for Wachdog script # +# Copyright (C) 2011-2014 Cesnet z.s.p.o +# +# Use of this source is governed by a BSD-style license, see LICENSE file. #------------------------------------------------------------------------------- # domain_name - server full domain name #------------------------------------------------------------------------------- $domain_name = "_HOSTNAME_"; +#------------------------------------------------------------------------------- +# contact - contact to server administrator +#------------------------------------------------------------------------------- +$contact = "_CONTACT_"; + #------------------------------------------------------------------------------- # email_subject - ... #------------------------------------------------------------------------------- 
@@ -56,10 +64,10 @@ END;'); # in a database table. #------------------------------------------------------------------------------- @sql_queries = ( - {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, - {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). 
kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}); + {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"}, + {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"}, + {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"}, + {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"}); #------------------------------------------------------------------------------- # sql_postcondition - array of procedures which are executed "after" main action diff --git a/src/warden-server/sh/install.sh b/src/warden-server/sh/install.sh index 866aca1d188183bc7377cf4915e005df8076edbb..5fbd6ada97575c3f2f1ca1f729ff372524e58a91 100755 --- a/src/warden-server/sh/install.sh +++ b/src/warden-server/sh/install.sh 
@@ -19,11 +19,12 @@ usage() echo "-k <ssl_key_file> path to SSL certificate key file" echo "-c <ssl_cert_file> path to SSL certificate file" echo "-a <ssl_ca_file> path to CA certificate file" + echo "-e <e-mail address> e-mail address to Warden server administrator" echo "-s <directory> directory for symlinks to Warden server control scripts (optional)" echo "-h print this help" echo "-V print script version number and exit" echo - echo "Example: $ ./${0##*/} -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/tcs-ca-bundle.pem -s /usr/local/bin" + echo "Example: $ ./${0##*/} -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/tcs-ca-bundle.pem -e admin@domain.com -s /usr/local/bin" echo echo "For more information about installation process, see README file (section Installation)." echo @@ -87,6 +88,10 @@ paramsChck() echo "Parameter -a <ssl_ca_file> is not set!" exit 1 fi + if [ -z "$contact" ]; then + echo "Parameter -e <e-mail address> is not set!" + exit 1 + fi } @@ -185,12 +190,13 @@ createSymlinks() # MAIN #------------------------------------------------------------------------------- # read input -while getopts "d:k:c:a:s:Vh" options; do +while getopts "d:k:c:a:e:s:Vh" options; do case "$options" in d ) basedir="$OPTARG";; k ) key_file="$OPTARG";; c ) cert_file="$OPTARG";; a ) ca_file="$OPTARG";; + e ) contact="$OPTARG";; s ) symbin="$OPTARG";; h ) usage;; V ) version;; @@ -263,6 +269,7 @@ doTemplate \ echo -n "Creating Warden Watchdog configuration file ... " doTemplate \ _HOSTNAME_ "$hostname" \ + _CONTACT_ "$contact" \ < $watchdog_conf_tmpl \ > $watchdog_conf && echo "OK" || errClean diff --git a/src/warden-server/sh/update.sh b/src/warden-server/sh/update.sh index fb7b61ac0ac7bd70c39e0cf236698bd2cc1e07eb..bf9f22ff4adc50b602686dcfd01ac36da22b93cd 100755 --- a/src/warden-server/sh/update.sh +++ b/src/warden-server/sh/update.sh 
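Review bot: The new `paramsChck` guard only tests that `-e` was given; the value is then written verbatim by `doTemplate` into `$contact = "_CONTACT_";` of the watchdog config (fourth hunk), so a value containing `"`, `\` or `$` yields a config that no longer parses or reads differently than intended. A small reject list next to the existing empty check, `case "$contact" in *[\"\\\$]*) echo "Parameter -e <e-mail address> contains characters that cannot be used in the Watchdog configuration!"; exit 1;; esac`, keeps the installer from writing a broken file. How `doTemplate` performs the substitution is outside this diff, so it may have reserved characters of its own (sed's `&` and `/`, for instance) that deserve the same treatment. The `@` present in every address is a separate problem with the template's double quotes, not something this check can fix.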
@@ -281,6 +281,7 @@ doTemplate \ # update Apache configuration file echo -n "Updating Apache configuration file ... " +<<<<<<< HEAD cert_file_tmp=`fgrep SSLCertificateFile $apache_conf` key_file_tmp=`fgrep SSLCertificateKeyFile $apache_conf` ca_file_tmp=`fgrep SSLCACertificateFile $apache_conf` @@ -289,6 +290,7 @@ cert_file=${cert_file_tmp##*" "} key_file=${key_file_tmp##*" "} ca_file=${ca_file_tmp##*" "} lib=${lib_tmp##*" "} +>>>>>>> ced3b6d0c942211d77a5763d722ec616009be87f doTemplate \ _CERT_FILE_ "$cert_file" \ _KEY_FILE_ "$key_file" \ @@ -299,11 +301,13 @@ doTemplate \ # update wardenWatchdog configuration file echo -n "Updating Warden Watchdog configuration file ... " -hostname=$(getConfValue "$watchdog_conf" HOSTNAME) -email_subject=$(getConfValue "$watchdog_conf" EMAIL_SUBJECT) -email_server_conf=$(getConfValue "$watchdog_conf" EMAIL_SERVER_CONF) +hostname=$(getConfValue "$watchdog_conf" hostname) +contact=$(getConfValue "$watchdog_conf" contact) +email_subject=$(getConfValue "$warden_conf" email_subject) +email_server_conf=$(getConfValue "$warden_conf" email_server_conf) doTemplate \ _HOSTNAME_ "$hostname" \ + _CONTACT_ "$contact" \ _EMAIL_SUBJECT_ "$email_subject" \ _EMAIL_SERVER_CONF_ "$email_server_conf" \ < $watchdog_conf_tmpl \
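Review bot: The first two hunks of update.sh add the conflict markers `<<<<<<< HEAD` and `>>>>>>> ced3b6d0c942211d77a5763d722ec616009be87f` as script lines; bash reports a syntax error on the first of them, and because the shell parses a script as it executes, every step before line 284 (the earlier template updates) has already run by then, leaving a half-updated installation. No `=======` line is among the added lines, so this looks like a partially cleaned-up merge rather than a full conflict block; both added lines should simply be deleted, keeping the `fgrep … $apache_conf` block they bracket. `git diff --check` flags leftover markers like these before commit. Both hunks sit in top-level script code whose start and end are outside the diff.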