# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-admin/osiris/osiris-1.5.2.ebuild,v 1.7 2004/06/24 21:33:10 agriffis Exp $

DESCRIPTION="File integrity verification system"
HOMEPAGE="http://osiris.shmoo.com/"
SRC_URI="http://osiris.shmoo.com/data/${P}.tar.gz"

LICENSE="OSIRIS"
SLOT="0"
KEYWORDS="x86 -ppc"
IUSE="mysql"

DEPEND="mysql? ( >=dev-db/mysql-3.23.54a )"

src_compile() {
	# Osiris provides the necessary gdbm source so that gdbm does not
	# need to be installed to use Osiris. If mysql is set as a USE
	# variable, Osiris will use mysql instead of gdbm.
	einfo "Osiris uses gdbm by default, and will use MySQL if \"mysql\""
	einfo "is set as a USE variable; it cannot be configured to use both."

	local myconf
	use mysql && myconf="${myconf} --enable-module=mysql"

	# The mysql module searches for the mysql.h file in the wrong place
	# sed line replaces it with the proper path (mysql/mysql.h)
	use mysql && sed -i -e "s:mysql.h:mysql/mysql.h:" \
		${S}/src/modules/module_mysql.c

	./configure \
		--host=${CHOST} \
		--prefix=/usr \
		--infodir=/usr/share/info \
		--mandir=/usr/share/man \
		${myconf} || die "./configure failed"

	emake || die "emake failed"
}

src_install() {
	DESTDIR=${D} einstall
}
It is basically just renamed...
Old ebuilds I've seen use the ssl flag, does this one need to be concerned with support for SSL? How about init scripts for osirisd and optional support for osirismd and the osiris CLI?
The only one I have here is 1.5.2 and this 4.1.5 and nothing else.... Basically this is a renamed 1.5.2. I think even more can be done because there are separate modules available now. I intend to look into that later. This one I sent in because of the difference between 1.5.2 and 4.1.5.
Yeah, the 1.5 branch appears to be so old you can no longer find mention of it on the shmoo site. I'm submitting an ebuild and some init scripts I've put together. The ebuild builds and installs fine for me, but there is an issue with the init scripts I'm hoping someone can work out. When you try to stop the services you get something about PID not found, I think because of the privilege separation spawning another process? Or else I'm just handling it wrong.
Created attachment 55621 [details] Osiris 4.1.5 ebuild Based on osiris-4.0.3 ebuild from latexer.
Created attachment 55622 [details] osirisd init script Please check for correctness
Created attachment 55623 [details] osirismd init script Please check for correctness
Should both init scripts need some section like:

---8<---
depend() {
	use logger dns
	need net
}

checkconfig() {
	if [ ! -d /usr/osiris ] ; then
		eerror "You need an osiris root directory to run osirism?d"
		return 1
	fi
}

and in start:
{
	checkconfig || return 1
---8<---

This is in my current ones. It does depend on the network, it uses the syslog.
Created attachment 55823 [details] New ebuild with extra modules.
Created attachment 55824 [details] new osirisd start script The directories are made by the package, so an extra check is not needed here.
Created attachment 55825 [details] new osirismd start/stop script
I modified/updated to new versions of the scripts; the start/stop scripts do have a depend() routine now. The ebuild also adds two optional modules. BTW, there is a scheduled update for 4.1.7 on April 15th.
Created attachment 56019 [details] New update with ${OSIRISMD_OPTS} added.
Created attachment 56020 [details] modified the postinstall... moved postinstall actions to install. Except for the message.
Testing build results: Successful build and installation on amd64 (tested with '~amd64' added to KEYWORDS).

Osiris (c) 2000-2005 The Shmoo Group (TSG)
-----------------------------------------------------
==> Configuration Complete.
==> Osiris has been configured with the following options:

Host: x86_64-pc-linux-gnu
Compiler: x86_64-pc-linux-gnu-gcc
Compiler flags: -Wall -march=athlon64 -O2 -pipe
Preprocessor flags: -I/usr/kerberos/include/ -I/var/lib
Linker flags: -L/var/lib
Libraries: -lpthread -lssl -lcrypto -lresolv
Privlege Separation: yes
SSL Location: /var/lib
Osiris Root Directory: /var/lib/osiris
Osiris user: osiris
Osiris MD Directory: /var/lib/osiris
Osiris MD user: osiris
Osiris MD config dir: /var/lib/osiris
======================================
Found Scan Agent Modules:
==> mod_dns
==> mod_groups
==> mod_kmods
==> mod_ports
==> mod_uptime
==> mod_users
======================================

$ qpkg -l osiris
app-admin/osiris-4.1.5 *
CONTENTS:
/usr
/usr/sbin
/usr/sbin/osirisd
/var
/var/lib
/var/lib/osiris
/etc
/etc/init.d
/etc/init.d/osirisd

$ ldd /usr/sbin/osirisd
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x0000002a9566c000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x0000002a95781000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x0000002a958b8000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0000002a95af2000)
libc.so.6 => /lib/tls/libc.so.6 (0x0000002a95c06000)
/lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)
libdl.so.2 => /lib/libdl.so.2 (0x0000002a95e2d000)

Linux deathstar 2.6.9-gentoo-r12 #11 Sun Mar 20 18:24:16 MST 2005 x86_64 AMD Athlon(tm) 64 Processor 3500+ AuthenticAMD GNU/Linux
Still an issue with errors from the init script when killing osirisd:

$ sudo /etc/init.d/osirisd stop
 * Stop osirisd...
start-stop-daemon: warning: failed to kill 28791: No such process
1 pids were not killed

...even after this error, the daemon exits successfully:

Apr 11 21:51:31 deathstar osirisd[28792]: [info] SIGTERM
Apr 11 21:51:31 deathstar osirisd[28792]: [warning] daemon process was killed.
Apr 11 21:51:31 deathstar osirisd[28792]: [info] server is shut down, daemon exiting.
The ebuild needs to set the ownership on /var/lib/osiris correctly or else the manager is unable to initialize the host:

>>> new host (deathstar) has been created. Initialize this host? (yes/no): yes
!! unable to contact host: deathstar
initialization halted.

...osirisd is unable to write the certificate to /var/lib/osiris/. When ownership is fixed this operation works.
*** Bug 49401 has been marked as a duplicate of this bug. ***
Created attachment 56141 [details] osirisd init script that properly stops processes Replaced the binary name (--exec arg) with --pidfile and path to osirisd's PID file. This fixes the error during init script 'stop' operation.
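
The fix described in this comment stops the daemon by the PID it recorded instead of matching every process by binary name, which is where the "No such process" warning earlier in the thread came from. As an added example (not one of the attachments and not the project's code), this shell function shows that stop logic, including the stale-PID case; the PID file path is passed in by the caller and is hypothetical.

```shell
#!/bin/sh
# Added illustration: stop a daemon through its PID file, the approach the
# init script takes when it uses --pidfile rather than --exec.
# Usage: stop_by_pidfile PIDFILE [TIMEOUT_SECONDS]   (PIDFILE is hypothetical)
# Returns 0 if the process is gone afterwards, 1 if the PID file cannot be
# trusted, 2 if the process is still alive after the timeout.
stop_by_pidfile() {
    pidfile=$1
    timeout=${2:-5}

    # An init script runs as root: refuse symlinks and unreadable files.
    [ ! -L "$pidfile" ] || return 1
    [ -r "$pidfile" ] || return 1

    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')

    # Accept only a plain decimal PID greater than 1.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1

    # Stale PID file: the recorded process already exited, so there is
    # nothing to signal and no error to report.
    if ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pidfile"
        return 0
    fi

    kill -TERM "$pid" 2>/dev/null || true

    # Poll once per second until the process is gone or the timeout expires.
    while [ "$timeout" -gt 0 ]; do
        kill -0 "$pid" 2>/dev/null || { rm -f "$pidfile"; return 0; }
        sleep 1
        timeout=$((timeout - 1))
    done
    kill -0 "$pid" 2>/dev/null || { rm -f "$pidfile"; return 0; }
    return 2
}
```

A PID file that an unprivileged daemon user can write lets that user choose which process root signals, so the file should live in a directory only the init system or a dedicated service directory controls.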
After renaming the scripts (latest above) to <whatever>-4.1.7 and renaming the ebuild to version 4.1.7 the following errors are given:

i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../../src -I../../src/libosirisctl -I../../src/libfileapi -I../../src/libosirism -I../../src/libosiris -I../../src/libosirisdb -I../../src/db-4.2.52/build_unix -I/usr/kerberos/include/ -I/var/lib -Wall -O2 -march=pentium4 -fomit-frame-pointer -c `test -f 'get_user_input.c' || echo './'`get_user_input.c
get_user_input.c: In function `save_command':
get_user_input.c:492: error: `cq' undeclared (first use in this function)
get_user_input.c:492: error: (Each undeclared identifier is reported only once
get_user_input.c:492: error: for each function it appears in.)
get_user_input.c:493: error: `last_command' undeclared (first use in this function)
get_user_input.c: In function `get_next_command':
get_user_input.c:500: error: `last_command' undeclared (first use in this function)
get_user_input.c:507: error: `CMD_PREVIOUS' undeclared (first use in this function)
get_user_input.c:511: error: `cq' undeclared (first use in this function)
get_user_input.c:520: error: `CMD_NEXT' undeclared (first use in this function)
make[3]: *** [get_user_input.o] Error 1
make[3]: *** Waiting for unfinished jobs....
osiris.c: In function `initialize_signals':
osiris.c:384: warning: implicit declaration of function `sigset'
osiris.c: In function `prompt_for_scheduling_information':
osiris.c:4373: warning: implicit declaration of function `strptime'

The following was reported after config:

Osiris (c) 2000-2005 The Shmoo Group (TSG)
-----------------------------------------------------
==> Configuration Complete.
==> Osiris has been configured with the following options:

Host: i686-pc-linux-gnu
Compiler: i686-pc-linux-gnu-gcc
Compiler flags: -Wall -O2 -march=pentium4 -fomit-frame-pointer
Preprocessor flags: -I/usr/kerberos/include/ -I/var/lib
Linker flags: -L/var/lib
Libraries: -lpthread -lssl -lcrypto -lresolv
Privlege Separation: yes
SSL Location: /var/lib
Osiris Root Directory: /var/lib/osiris
Osiris user: osiris
Osiris MD Directory: /var/lib/osiris
Osiris MD user: osiris
Osiris MD config dir: /var/lib/osiris
======================================
Found Scan Agent Modules:
==> mod_dns
==> mod_groups
==> mod_kmods
==> mod_ports
==> mod_uptime
==> mod_users
======================================
==> use one of the following targets:
all: make everything, agent, CLI and management console.
agent: create scan agent installer package.
console: create management console installer package.
install: run installation script.
clean: remove object files.

and if was building all-recursive.
This may be related to the difficulties that have been seen building the sources on OpenBSD when using "--enable-fancy-cli". A maintenance release for 4.1.7 may provide fixes for this... My suggestion is to postpone work on this ebuild until the 4.1.8 release, at which point brian@shmoo.com will be providing an option to osirisd and osirismd that will allow PID files to be written out to a configurable directory. At that point I will submit an updated ebuild that I have ready that should work with this setup. Until then, the osirismd daemon will not be able to stop or restart on Gentoo (that I've been able to see) because it runs as a user that can't write a PID file to /var/run/. Or, continue work without the osiris-console option so that osirismd is not supported.
*** Bug 57854 has been marked as a duplicate of this bug. ***
*** Bug 90099 has been marked as a duplicate of this bug. ***
Created attachment 57025 [details] osiris-4.1.8 ebuild
Created attachment 57026 [details] osirisd 4.1.8 init script
Created attachment 57027 [details] osirismd 4.1.8 init script
Created attachment 57028 [details] osirisd conf.d file for 4.1.8
Created attachment 57029 [details] osirismd conf.d file for 4.1.8
4.1.8 compiles & installs as expected, they work. (gentoo on x86) starting & stopping also works. works for me.
Darren, Ok I've started looking at this: I've changed the SRC_URI to http://www.mirrors.wiretapped.net/security/host-security/ http://osiris.shmoo.com/ seems broken. any reason you didn't add mod_nvram/mod_ports? I changed pkg_preinst -> pkg_setup because osiris user is used in src_install (not sure why though) I'd also rather it compile with sys-libs/db rather than the included source. If you've got time can you fix that please.
Created attachment 61899 [details] osiris-4.1.8.ebuild Darren's version with small modifications.
*** Bug 49403 has been marked as a duplicate of this bug. ***
*** Bug 126764 has been marked as a duplicate of this bug. ***
Created attachment 82523 [details] Osiris 4.2.0 ebuild
Comment on attachment 82523 [details] Osiris 4.2.0 ebuild I attached the latest version's ebuild of Osiris.
Created attachment 87213 [details] ebuild for osiris 4.2.0 a la 4.1.8 This ebuild has ideas of the previous 4.2.0 ebuild merged into the 4.1.8 ebuild (build agent only [default], or both, or console without agent; ppc flag). All files & directories are now set up with the right owner & protections. The ssl is a required dependency instead of optional. There is no mysql code inside osiris, so that flag has been buried. enewuser complaints about the /bin/false as login script on a new system have been fixed. The enewuser is in pkg_setup now. All modules known are inserted. If nvram fails on ppc then it needs to be made conditional. Maybe it can be tested on other architectures too?
This software version is vulnerable, see CVE-2006-3120¹ and DSA 1129-1².

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3120
[2] http://www.debian.org/security/2006/dsa-1129
*** Bug 142618 has been marked as a duplicate of this bug. ***
Created attachment 97405 [details] start stop script osirisd 4.2.2
Created attachment 97406 [details] config file for osirisd 4.2.2
Created attachment 97407 [details] osirismd start stop script for 4.2.2
Created attachment 97409 [details] osirismd config file for 4.2.2
Created attachment 97410 [details] ebuild for osiris 4.2.2
The new osiris ebuild has no flags anymore, and installs both client and server.
Would be really cool to see it in portage as we use it on every server at work.
(In reply to comment #44)
> The new osiris ebuild has no flags anymore, and installs both client and
> server.
>

Nice work Nico. Thanks for the ebuild.

Changes I made were:
fowners root:0 so it is BSD compatible (bsd doesn't have a root group)
Patched to use the system db-4.2 libraries because it's easier that way.

Sorry for keeping everyone waiting.