zmena zjistovani promennych pomoci fgrep -> promenne totiz nejsou prirazene

53830333 · Tomáš Plesník · 0fe8834f · ced3b6d0 · 53830333 · 53830333
Commit 53830333 authored 10 years ago by Tomáš Plesník
--- a/src/warden-server/doc/CHANGELOG
+++ b/src/warden-server/doc/CHANGELOG
 2014-??-?? v2.2 stable version
 ------------------------------
+- fixed bug in re-activation of invalid clients
+- fixed bug in disabling of validation hash
+- added user specified client ID
+- added Warden Watchdog system
+- added validity system of events and clients
+- added logging of incoming events
+- added API to send information about registered clients to Warden client
+- deleted obsolete items of evens
+- enhanced getClients and getStatus scripts
+- enhanced client's managment system
+- enhanced database schema
+- other minor bugs


 2012-11-16 v2.1 stable version

--- a/src/warden-server/doc/INSTALL
+++ b/src/warden-server/doc/INSTALL
@@ -31,11 +31,11 @@ C. Installation step

 1) Install Warden server package (examples)

-	$ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem
+	$ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem -e admin@domain.com

 	or (if you want to create symlinks to Warden server control scripts during the installation process - optional)

-	$ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem -s /usr/local/bin
+	$ ./warden-server-2.2/install.sh -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/bundle.pem -e admin@domain.com -s /usr/local/bin


 D. Post-installation steps

--- a/src/warden-server/doc/README
+++ b/src/warden-server/doc/README
@@ -44,7 +44,6 @@ A. Overall Information
        LICENSE
 	MANIFEST
        README
-	README.wardenWatchdog
        UNINSTALL
        UPDATE
        warden21to22.patch
@@ -115,6 +114,7 @@ C. Installation
        -k <ssl_key_file>         SSL certificate key file path
        -c <ssl_cert_file>        SSL certificate file path
        -a <ssl_ca_file>          CA certificate file path
+        -e <e-mail address>       e-mail address to Warden server administrator
        -s <directory>            directory for symlinks to Warden server control scripts (optional)
        -h                        print this help
        -V                        print script version number and exit
@@ -124,6 +124,7 @@ C. Installation
                            -k /etc/ssl/private/server.key
                            -c /etc/ssl/certs/server.pem
                            -a /etc/ssl/certs/bundle.pem
+			    -e admin@domain.com
                            -s /usr/local/bin

 4. Configuration files

--- a/src/warden-server/etc/warden-watchdog.conf
+++ b/src/warden-server/etc/warden-watchdog.conf
 #
 # warden-watchdog.conf - configuration file for Wachdog script
 #
-# Copyright (C) 2011-2013 Cesnet z.s.p.o
+# Copyright (C) 2011-2014 Cesnet z.s.p.o
 #
 # Use of this source is governed by a BSD-style license, see LICENSE file.

@@ -10,6 +10,11 @@
 #-------------------------------------------------------------------------------
 $domain_name = "warden-dev.cesnet.cz";

+#-------------------------------------------------------------------------------
+# contact - contact to server administrator
+#-------------------------------------------------------------------------------
+$contact = "jakubcegan@cesnet.cz, ph@cesnet.cz";
+
 #-------------------------------------------------------------------------------
 # email_subject - ...
 #-------------------------------------------------------------------------------
@@ -59,10 +64,10 @@ END;');
 #                          in a database table.
 #-------------------------------------------------------------------------------
 @sql_queries = (
- {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
+ {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"},
+ {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"},
+ {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"},
+ {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"});

 #-------------------------------------------------------------------------------
 # sql_postcondition - array of procedures which are executed "after" main action

--- a/src/warden-server/etc/warden-watchdog.conf.tmpl
+++ b/src/warden-server/etc/warden-watchdog.conf.tmpl
 #
-# wardenWatchdog.conf - configuration file for Wachdog script
+# warden-watchdog.conf - configuration file for Wachdog script
 #
+# Copyright (C) 2011-2014 Cesnet z.s.p.o
+#
+# Use of this source is governed by a BSD-style license, see LICENSE file.

 #-------------------------------------------------------------------------------
 # domain_name - server full domain name
 #-------------------------------------------------------------------------------
 $domain_name = "_HOSTNAME_";

+#-------------------------------------------------------------------------------
+# contact - contact to server administrator
+#-------------------------------------------------------------------------------
+$contact = "_CONTACT_";
+
 #-------------------------------------------------------------------------------
 # email_subject - ...
 #-------------------------------------------------------------------------------
-$email_subject = "Kontrola stavu udalosti warden serveru na stroji $domain_name";
+$email_subject = "Database check of a Warden server ($domain_name)";

 #-------------------------------------------------------------------------------
 # email_server_conf - path and params of an email server for reports sending
@@ -56,10 +64,10 @@ END;');
 #                          in a database table.
 #-------------------------------------------------------------------------------
 @sql_queries = (
- {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
+ {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"},
+ {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"},
+ {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"},
+ {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"});

 #-------------------------------------------------------------------------------
 # sql_postcondition - array of procedures which are executed "after" main action

--- a/src/warden-server/etc/warden-watchdog.conf.tmpl.update
+++ b/src/warden-server/etc/warden-watchdog.conf.tmpl.update
 #
-# wardenWatchdog.conf - configuration file for Wachdog script
+# warden-watchdog.conf - configuration file for Wachdog script
 #
+# Copyright (C) 2011-2014 Cesnet z.s.p.o
+#
+# Use of this source is governed by a BSD-style license, see LICENSE file.

 #-------------------------------------------------------------------------------
 # domain_name - server full domain name
 #-------------------------------------------------------------------------------
 $domain_name = "_HOSTNAME_";

+#-------------------------------------------------------------------------------
+# contact - contact to server administrator
+#-------------------------------------------------------------------------------
+$contact = "_CONTACT_";
+
 #-------------------------------------------------------------------------------
 # email_subject - ...
 #-------------------------------------------------------------------------------
@@ -56,10 +64,10 @@ END;');
 #                          in a database table.
 #-------------------------------------------------------------------------------
 @sql_queries = (
- {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
+ {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"},
+ {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"},
+ {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"},
+ {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"});

 #-------------------------------------------------------------------------------
 # sql_postcondition - array of procedures which are executed "after" main action

--- a/src/warden-server/sh/install.sh
+++ b/src/warden-server/sh/install.sh
@@ -19,11 +19,12 @@ usage()
 	echo "-k <ssl_key_file>         path to SSL certificate key file"
 	echo "-c <ssl_cert_file>        path to SSL certificate file"
 	echo "-a <ssl_ca_file>          path to CA certificate file"
+	echo "-e <e-mail address>       e-mail address to Warden server administrator"
 	echo "-s <directory>            directory for symlinks to Warden server control scripts (optional)"
 	echo "-h                        print this help"
 	echo "-V                        print script version number and exit"
 	echo
-	echo "Example: $ ./${0##*/} -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/tcs-ca-bundle.pem -s /usr/local/bin"
+	echo "Example: $ ./${0##*/} -d /opt/warden-server -k /etc/ssl/private/server.key -c /etc/ssl/certs/server.pem -a /etc/ssl/certs/tcs-ca-bundle.pem -e admin@domain.com -s /usr/local/bin"
 	echo
 	echo "For more information about installation process, see README file (section Installation)."
 	echo
@@ -87,6 +88,10 @@ paramsChck()
 		echo "Parameter -a <ssl_ca_file> is not set!"
 		exit 1
 	fi
+	if [ -z "$contact" ]; then
+		echo "Parameter -e <e-mail address> is not set!"
+		exit 1
+	fi
 }


@@ -185,12 +190,13 @@ createSymlinks()
 #				MAIN
 #-------------------------------------------------------------------------------
 # read input
-while getopts "d:k:c:a:s:Vh" options; do
+while getopts "d:k:c:a:e:s:Vh" options; do
 	case "$options" in
 		d ) basedir="$OPTARG";;
 		k ) key_file="$OPTARG";;
 		c ) cert_file="$OPTARG";;
 		a ) ca_file="$OPTARG";;
+		e ) contact="$OPTARG";;
 		s ) symbin="$OPTARG";;
 		h ) usage;;
 		V ) version;;
@@ -263,6 +269,7 @@ doTemplate \
 echo -n "Creating Warden Watchdog configuration file ... "
 doTemplate \
        _HOSTNAME_	"$hostname" \
+        _CONTACT_	"$contact" \
        < $watchdog_conf_tmpl \
        > $watchdog_conf && echo "OK" || errClean


--- a/src/warden-server/sh/update.sh
+++ b/src/warden-server/sh/update.sh
@@ -281,6 +281,7 @@ doTemplate \

 # update Apache configuration file
 echo -n "Updating Apache configuration file ... "
+<<<<<<< HEAD
 cert_file_tmp=`fgrep SSLCertificateFile $apache_conf`
 key_file_tmp=`fgrep SSLCertificateKeyFile $apache_conf`
 ca_file_tmp=`fgrep SSLCACertificateFile $apache_conf`
@@ -289,6 +290,7 @@ cert_file=${cert_file_tmp##*" "}
 key_file=${key_file_tmp##*" "}
 ca_file=${ca_file_tmp##*" "}
 lib=${lib_tmp##*" "}
+>>>>>>> ced3b6d0c942211d77a5763d722ec616009be87f
 doTemplate \
        _CERT_FILE_     "$cert_file" \
        _KEY_FILE_      "$key_file" \
@@ -299,11 +301,13 @@ doTemplate \

 # update wardenWatchdog configuration file
 echo -n "Updating Warden Watchdog configuration file ... "
-hostname=$(getConfValue "$watchdog_conf" HOSTNAME)
-email_subject=$(getConfValue "$watchdog_conf" EMAIL_SUBJECT)
-email_server_conf=$(getConfValue "$watchdog_conf" EMAIL_SERVER_CONF)
+hostname=$(getConfValue "$watchdog_conf" hostname)
+contact=$(getConfValue "$watchdog_conf" contact)
+email_subject=$(getConfValue "$warden_conf" email_subject)
+email_server_conf=$(getConfValue "$warden_conf" email_server_conf)
 doTemplate \
        _HOSTNAME_		"$hostname" \
+        _CONTACT_		"$contact" \
        _EMAIL_SUBJECT_		"$email_subject" \
        _EMAIL_SERVER_CONF_	"$email_server_conf" \
        < $watchdog_conf_tmpl \