Commit 8632cad4 authored by Michal Kostenec's avatar Michal Kostenec

Upraveno warden-apache.readme

parent b5c5a431
* sjednotit warden-client.conf a warden-server.conf * sjednotit warden-client.conf a warden-server.conf
* ipv6 * ipv6
* zrusit vsude licence a nahradit jedinym radkem s odkazem * zrusit vsude licence a nahradit jedinym radkem s odkazem
* generovani konfigutracnich souboru z template z balicku a ne primo ze shell skriptu * generovani konfiguracnich souboru z template z balicku a ne primo ze shell skriptu
* verze klienta a serveru jsou mimo sync coz je osklive, proc mam pouzivat c1.1.1 a s0.1.1 ? to nedava smysl ... * verze klienta a serveru jsou mimo sync coz je osklive, proc mam pouzivat c1.1.1 a s0.1.1 ? to nedava smysl ...
...@@ -49,7 +49,7 @@ err() ...@@ -49,7 +49,7 @@ err()
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# edit when you build new package # edit when you build new package
version="1.1.0" version="1.1.1"
package_name="warden-client" package_name="warden-client"
package="$package_name-$version" package="$package_name-$version"
......
...@@ -36,10 +36,11 @@ package WardenClientReceive; ...@@ -36,10 +36,11 @@ package WardenClientReceive;
use strict; use strict;
use SOAP::Lite; use SOAP::Lite;
use IO::Socket::SSL qw(debug1); use IO::Socket::SSL qw(debug1);
use SOAP::Transport::TCP; #use SOAP::Transport::TCP;
use SOAP::Transport::HTTP;
use FindBin; use FindBin;
our $VERSION = "1.2"; our $VERSION = "1.1";
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# errMsg - print error message and die # errMsg - print error message and die
...@@ -54,6 +55,52 @@ sub errMsg ...@@ -54,6 +55,52 @@ sub errMsg
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# c2s - connect to server, send request and receive response # c2s - connect to server, send request and receive response
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
#sub c2s
#{
# my $uri = shift;
# my $ssl_key_file = shift;
# my $ssl_cert_file = shift;
# my $ssl_ca_file = shift;
# my $method = shift;
# my $data = shift;
#
# my $client;
# my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/;
# if (!($client = SOAP::Transport::TCP::Client->new(
# PeerAddr => $server,
# PeerPort => $port,
# Proto => 'tcp',
# SSL_use_cert => 1,
# SSL_verify_mode => 0x02,
# SSL_key_file => $ssl_key_file,
# SSL_cert_file => $ssl_cert_file,
# SSL_ca_file => $ssl_ca_file,
# ))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::TCP::Client::errstr)}
#
# # setting of URI and serialize SOAP envelope and data object
# my $soap = SOAP::Lite->uri($uri);
# my $envelope;
# if (!defined $data) {
# $envelope = $soap->serializer->envelope(method => $method);
# } else {
# $envelope = $soap->serializer->envelope(method => $method, $data);
# }
#
# # setting of TCP URI and send serialized SOAP envelope and data
# my $tcp_uri = "tcp://$server:$port/$service";
# my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri);
#
# # check server response
# if (!defined $result) {
# errMsg("Error: server returned empty response." . "\n" . "Problem with used SSL ceritificates or Warden server at $server:$port is down.");
# } else {
# # deserialized response from server -> create SOAP envelope and data object
# my $response = $soap->deserializer->deserialize($result);
# # check SOAP fault status
# $response->fault ? errMsg("Server sent error message:: " . $response->faultstring) : return $response;
# }
#}
sub c2s sub c2s
{ {
my $uri = shift; my $uri = shift;
...@@ -65,19 +112,17 @@ sub c2s ...@@ -65,19 +112,17 @@ sub c2s
my $client; my $client;
my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/; my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/;
if (!($client = SOAP::Transport::TCP::Client->new( if (!($client = SOAP::Transport::HTTP::Client->new(
PeerAddr => $server, ))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::HTTP::Client::errstr)}
PeerPort => $port, $client->ssl_opts( verify_hostname => 1,
Proto => 'tcp', SSL_use_cert => 1,
SSL_use_cert => 1, SSL_verify_mode => 0x02,
SSL_verify_mode => 0x02, SSL_key_file => $ssl_key_file,
SSL_key_file => $ssl_key_file, SSL_cert_file => $ssl_cert_file,
SSL_cert_file => $ssl_cert_file, SSL_ca_file => $ssl_ca_file);
SSL_ca_file => $ssl_ca_file,
))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::TCP::Client::errstr)}
# setting of URI and serialize SOAP envelope and data object # setting of URI and serialize SOAP envelope and data object
my $soap = SOAP::Lite->uri($uri); my $soap = SOAP::Lite->uri($service)->proxy($uri);
my $envelope; my $envelope;
if (!defined $data) { if (!defined $data) {
$envelope = $soap->serializer->envelope(method => $method); $envelope = $soap->serializer->envelope(method => $method);
...@@ -86,7 +131,7 @@ sub c2s ...@@ -86,7 +131,7 @@ sub c2s
} }
# setting of TCP URI and send serialized SOAP envelope and data # setting of TCP URI and send serialized SOAP envelope and data
my $tcp_uri = "tcp://$server:$port/$service"; my $tcp_uri = "https://$server:$port/$service";
my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri); my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri);
# check server response # check server response
...@@ -101,6 +146,8 @@ sub c2s ...@@ -101,6 +146,8 @@ sub c2s
} }
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# getNewEvents - get new events from warden server greater than last received ID # getNewEvents - get new events from warden server greater than last received ID
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
...@@ -145,19 +192,20 @@ sub getNewEvents ...@@ -145,19 +192,20 @@ sub getNewEvents
# create SOAP data obejct # create SOAP data obejct
my $request_data = SOAP::Data->name(request => \SOAP::Data->value( my $request_data = SOAP::Data->name(request => \SOAP::Data->value(
SOAP::Data->name(REQUESTED_TYPE => $requested_type), SOAP::Data->name(REQUESTED_TYPE => $requested_type),
SOAP::Data->name(LAST_ID => $last_id) SOAP::Data->name(LAST_ID => $last_id)
)); ));
# call server method getNewEvents
my $response = c2s($uri, $ssl_key_file, $ssl_cert_file, $ssl_ca_file, "getNewEvents", $request_data); my $response = c2s($uri, $ssl_key_file, $ssl_cert_file, $ssl_ca_file, "getNewEvents", $request_data);
# match getNewEvents functions response
$response->match('/Envelope/Body/getNewEventsResponse/');
my ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout); my ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout);
my @events; my @events;
# parse returned SOAP data object # parse returned SOAP data object
my @response_list = $response->valueof('/Envelope/Body/getNewEventsResponse/event/'); my $i = 1;
while (scalar @response_list) { my $response_data = $response->valueof("[$i]");
my $response_data = shift(@response_list); while (defined $response_data) {
my @event; my @event;
# parse items of one event # parse items of one event
...@@ -181,8 +229,12 @@ sub getNewEvents ...@@ -181,8 +229,12 @@ sub getNewEvents
# set maximum received ID from current batch # set maximum received ID from current batch
if ($id > $last_id) { if ($id > $last_id) {
$last_id = $id; $last_id = $id;
} }
# go to the next received event
$i++;
$response_data = $response->valueof("[$i]");
} }
# write last return ID # write last return ID
...@@ -192,6 +244,7 @@ sub getNewEvents ...@@ -192,6 +244,7 @@ sub getNewEvents
close ID; close ID;
} }
# return event array of arrays
return @events; return @events;
} # End of getNewEvents } # End of getNewEvents
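Review bot: In c2s, the new `ssl_opts` call still passes `SSL_verify_mode => 0x02`, a bare number that in OpenSSL's numbering is SSL_VERIFY_FAIL_IF_NO_PEER_CERT rather than SSL_VERIFY_PEER (0x01). OpenSSL documents that flag as a server-side option to be combined with SSL_VERIFY_PEER, so whether the Warden server's certificate is actually validated here rests on library behaviour rather than on what the code states. I would write `SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),` and keep `verify_hostname => 1`. The same call appears in c2s of WardenClientSend. Separately, the commented-out TCP version of c2s kept above the new one is dead code that version control already preserves.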
......
...@@ -35,12 +35,12 @@ package WardenClientSend; ...@@ -35,12 +35,12 @@ package WardenClientSend;
use strict; use strict;
use SOAP::Lite; use SOAP::Lite;
#use SOAP::Lite 'trace', 'debug';
use IO::Socket::SSL qw(debug1); use IO::Socket::SSL qw(debug1);
use SOAP::Transport::TCP; #use SOAP::Transport::TCP;
use SOAP::Transport::HTTP;
our $VERSION = "1.1"; our $VERSION = "1.1";
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# errMsg - print error message and die # errMsg - print error message and die
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
...@@ -65,23 +65,21 @@ sub c2s ...@@ -65,23 +65,21 @@ sub c2s
my $client; my $client;
my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/; my ($server, $port, $service) = $uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/;
if (!($client = SOAP::Transport::TCP::Client->new( if (!($client = SOAP::Transport::HTTP::Client->new(
PeerAddr => $server, ))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::HTTP::Client::errstr)}
PeerPort => $port, $client->ssl_opts( verify_hostname => 1,
Proto => 'tcp', SSL_use_cert => 1,
SSL_use_cert => 1, SSL_verify_mode => 0x02,
SSL_verify_mode => 0x02, SSL_key_file => $ssl_key_file,
SSL_key_file => $ssl_key_file, SSL_cert_file => $ssl_cert_file,
SSL_cert_file => $ssl_cert_file, SSL_ca_file => $ssl_ca_file);
SSL_ca_file => $ssl_ca_file,
))) {errMsg("Sorry, unable to create socket: " . &SOAP::Transport::TCP::Client::errstr)}
# setting of URI and serialize SOAP envelope and data object # setting of URI and serialize SOAP envelope and data object
my $soap = SOAP::Lite->uri($uri); my $soap = SOAP::Lite->uri($service)->proxy($uri);
my $envelope = $soap->serializer->envelope(method => $method, $data); my $envelope = $soap->serializer->envelope(method => $method, $data);
# setting of TCP URI and send serialized SOAP envelope and data # setting of TCP URI and send serialized SOAP envelope and data
my $tcp_uri = "tcp://$server:$port/$service"; my $tcp_uri = "https://$server:$port/$service";
my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri); my $result = $client->send_receive(envelope => $envelope, endpoint => $tcp_uri);
# check server response # check server response
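Review bot: The result of the `$uri =~ /https:\/\/(.+)\:(\d+)\/(.+)/` match at the top of this c2s hunk is never checked, yet the new code passes `$service` to `SOAP::Lite->uri(...)` and rebuilds the endpoint from `$server`, `$port` and `$service`. A URI without an explicit port would leave all three undefined, so the endpoint would be built as `https://:/`; the pattern is also unanchored, so it accepts any string that merely contains an https URL. I would anchor the pattern and fail early by appending `or errMsg("Invalid Warden server URI: $uri");` to the match statement. The variable `$tcp_uri` and its comment still say TCP although the endpoint is now HTTPS. c2s in WardenClientReceive has the same lines, and the function starts and ends outside this hunk.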
......
...@@ -156,7 +156,8 @@ old_client_chck() ...@@ -156,7 +156,8 @@ old_client_chck()
perl_chck() perl_chck()
{ {
echo -n "Checking Perl interpreter ... " echo -n "Checking Perl interpreter ... "
if which perl 1> /dev/null; then which perl 1>/dev/null; ret_val=`echo $?`
if [ $ret_val -eq 0 ]; then
echo "OK" echo "OK"
else else
echo "FAILED!" echo "FAILED!"
...@@ -171,7 +172,8 @@ modules_chck() ...@@ -171,7 +172,8 @@ modules_chck()
for module in ${modules[@]}; for module in ${modules[@]};
do do
echo -n "Checking $module module ... " echo -n "Checking $module module ... "
if perl -e "use $module" 2> $err; then perl -e "use $module" 2> $err; ret_val=`echo $?`
if [ $ret_val -eq 0 ]; then
echo "OK" echo "OK"
else else
err err
...@@ -183,7 +185,8 @@ modules_chck() ...@@ -183,7 +185,8 @@ modules_chck()
make_warden_dir() make_warden_dir()
{ {
echo -n "Creating warden client directory ... " echo -n "Creating warden client directory ... "
if cp -R ${dirname}/warden-client $prefix 2> $err; then cp -R $dirname/warden-client $prefix 2> $err; ret_val=`echo $?`
if [ $ret_val -eq 0 ]; then
echo "OK" echo "OK"
else else
err_clean err_clean
...@@ -192,16 +195,17 @@ make_warden_dir() ...@@ -192,16 +195,17 @@ make_warden_dir()
files=(CHANGELOG INSTALL LICENSE README README.cesnet) files=(CHANGELOG INSTALL LICENSE README README.cesnet)
for file in ${files[@]}; for file in ${files[@]};
do do
cp ${dirname}/$file "${client_path}/doc" cp $dirname/$file "$client_path/doc"
done done
cp ${dirname}/uninstall.sh "$client_path" cp $dirname/uninstall.sh "$client_path"
} }
copy_key() copy_key()
{ {
echo -n "Copying certificate key file ... " echo -n "Copying certificate key file ... "
if cp $key $etc 2> $err; then cp $key $etc 2> $err; ret_val=`echo $?`
if [ $ret_val -eq 0 ]; then
echo "OK" echo "OK"
else else
err_clean err_clean
...@@ -212,7 +216,8 @@ copy_key() ...@@ -212,7 +216,8 @@ copy_key()
copy_cert() copy_cert()
{ {
echo -n "Copying certificate file ... " echo -n "Copying certificate file ... "
if cp $cert $etc 2> $err; then cp $cert $etc 2> $err; ret_val=`echo $?`
if [ $ret_val -eq 0 ]; then
echo "OK" echo "OK"
else else
err_clean err_clean
...@@ -235,17 +240,17 @@ make_conf_file() ...@@ -235,17 +240,17 @@ make_conf_file()
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# SSL_KEY_FILE - path to client SSL certificate key file # SSL_KEY_FILE - path to client SSL certificate key file
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
\$SSL_KEY_FILE = \"${etc}/${key_file}\"; \$SSL_KEY_FILE = \"$etc/$key_file\";
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# SSL_CERT_FILE - path to client SSL certificate file # SSL_CERT_FILE - path to client SSL certificate file
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
\$SSL_CERT_FILE = \"${etc}/${cert_file}\"; \$SSL_CERT_FILE = \"$etc/$cert_file\";
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# SSL_CA_FILE - path to CA certificate file # SSL_CA_FILE - path to CA certificate file
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
\$SSL_CA_FILE = \"${ca_file}\"; \$SSL_CA_FILE = \"$ca_file\";
" > $conf_file 2> $err; ret_val=`echo $?` " > $conf_file 2> $err; ret_val=`echo $?`
if [ $ret_val -eq 0 ]; then if [ $ret_val -eq 0 ]; then
...@@ -259,10 +264,8 @@ make_conf_file() ...@@ -259,10 +264,8 @@ make_conf_file()
change_permissions() change_permissions()
{ {
echo -n "Changing permissions to installed package ... " echo -n "Changing permissions to installed package ... "
chown -R $user: $client_path 2> $err || err_clean chown -R $user: $client_path 2>$err; ret_val=`echo $?`
chmod 400 ${etc}/$key_file ${etc}/$cert_file || err_clean if [ $ret_val -eq 0 ]; then
chmod 644 ${etc}/package_version || err_clean
if chmod 600 $conf_file; then
echo "OK" echo "OK"
else else
err_clean err_clean
...@@ -306,13 +309,13 @@ params_chck ...@@ -306,13 +309,13 @@ params_chck
# create variables # create variables
dirname=`dirname $0` dirname=`dirname $0`
package_version=`cat ${dirname}/warden-client/etc/package_version` package_version=`cat $dirname/warden-client/etc/package_version`
key_file=`basename $key` key_file=`basename $key`
cert_file=`basename $cert` cert_file=`basename $cert`
[[ $prefix == */ ]] && prefix="${prefix%?}" # remove last char (slash) from prefix [[ $prefix == */ ]] && prefix="${prefix%?}" # remove last char (slash) from prefix
client_path="${prefix}/warden-client" client_path="$prefix/warden-client"
etc="${client_path}/etc" etc="$client_path/etc"
conf_file="${etc}/warden-client.conf" conf_file="$etc/warden-client.conf"
err="/tmp/warden-err" err="/tmp/warden-err"
# check if warden-client is installed # check if warden-client is installed
...@@ -349,8 +352,6 @@ change_permissions ...@@ -349,8 +352,6 @@ change_permissions
echo echo
echo "Please check configuration file in $conf_file!" echo "Please check configuration file in $conf_file!"
echo echo
echo "Warden client directory: $client_path"
echo
echo "Installation of $package_version package was SUCCESSFUL!!!" echo "Installation of $package_version package was SUCCESSFUL!!!"
# cleanup section # cleanup section
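Review bot: change_permissions on the new side no longer restricts the modes of the installed secrets: the `chmod 400` on the key and certificate and the `chmod 600` on `$conf_file` are gone, and only the `chown -R` result is checked. copy_key installs the private key with a plain `cp $key $etc`, so its mode now depends on the source file and the installer's umask, and the key could end up readable by other local users. I would keep the tightening after the chown, e.g. `chmod 400 "$etc/$key_file" "$etc/$cert_file" || err_clean` and `chmod 600 "$conf_file" || err_clean`. Quoting the expansions also matters, because `$prefix`, `$key` and `$cert` appear to come from the installer's parameters.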
......
apache2 Strucny technicky navod pro preklopeni Warden serveru pod Apache a mod_perl
mysql-server ===========================================================================
a2enmod ssl
libapache2-mod-perl2
mysql -u root -p < warden.sql
libcrypt-x509-perl
libmime-base64-perl
apache2-mpm-prefork
<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 4
MaxSpareServers 8
ServerLimit 700
MaxClients 700
MaxRequestsPerChild 0
</IfModule>
Timeout 10
KeepAlive Off
Instalace Apache
Povoleni SSL
Instalace mod_perl
Apache - Virtual Host <*:443> - pro jine jeste povolit port
Include cesty do Apache
Nastaveni spravnych Adres - klient, server
Nastaveni db na serveru
Pouziti jineho cert server/client
Instalace 2 balicku
Instalace prefork
nastavni apache2.conf
================
Instalace DB
restore db z adr. etc/warden.sql
====
Instalace serveru do jine cesty nez /opt -> nevytvari adresar, nemaze pri odinstalaci
INSTALACE
=========
1) Instalace Apache a MySQL DB
aptitude install apache2 mysql-server
2) Povoleni mod_ssl
an2enmod ssl
3) Instalace knihovny mod_perl
libapache2-mod-perl2
4) Instalace podpory metody prefork pro Apache
apache2-mpm-prefork
5) Instalace nove pridanych modulu
aptitude install libcrypt-x509-perl libmime-base64-perl
Konfigurace
===========
1) Nastaveni APACHE
a) /etc/apache2/sites-enables/default
- konfigurace sekce <VirtualHost *:443>
- includovani potrebnych parametru ze souboru {warden-server}/etc/warden-apache.conf
Include /opt/warden-server/etc/warden-apache.conf
b) Nastaveni vykonovych parametru Apache (/etc/apache2/apache2.conf)
- modul prefork (nastavujte dle vykonu vaseho serveru)
= pro 12C, 16GB RAM funguje dobre
<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 4
MaxSpareServers 8
ServerLimit 700
MaxClients 700
MaxRequestsPerChild 0
</IfModule>
- parametry spojeni
Timeout 10
KeepAlive Off
c) restartovani Apache po kazde zmene Warden.pm (serverova cast)
2) Nastaveni DB
a) (volitelne) Vytvoreni noveho uzivatele
b) Vytvoreni databazove struktury
mysql -u uzivatel -p heslo < {warden-server}/doc/warden.mysql
3) Nastaveni warden-server.conf, warden-client.conf, {warden-server}/etc/warden-apache.conf
a) Zkontrolovat spravnost IP adres, portu a hlavne cest k certifikatum + nove udaje pro pripojeni do DB
b) Pro klienta a server na jednom stroji jsou zrejme treba 2 ruzne certifikaty (me to jinak nejde, zkuste;))