Created attachment 437318 [details, diff]
patch for sguil-sensor-0.9.0.ebuild
Attached are systemd units to start the various agents as systemd services as well as a patch for the current ebuild.
The agent service units are quite simple and mirror what the init scripts from bug #585766 do.
The MAX_DISK_USE functionality implemented in the log_rotate init.d script has been split into three units and a helper shell script:
log_packets@.service - starts snort in logging mode. The device to be logged can be given as the instance name (previously the IFACE variable in /etc/conf.d/log_packets). The hostname is queried from systemd, hence the HOSTNAME variable in the conf.d file is ignored. As options, sane defaults are hardcoded into the unit (to get similar customizability, one just has to create a file /etc/systemd/system/log_packet@IFACE.service.d/my_vars.conf and override the ExecStart= value).
log_packets_rotate.timer - is started whenever a log_packet@.service is started. Once a day this timer starts the log_packets_rotate.service.
log_packet_rotate.service - takes care of deleting old logs when the disk gets full. This unit starts the log_packet_rotate shell script, which is basically a copy of the real_cleandisk() function from the init.d script. Additionally it restarts all running log_packets@ services, to ensure that snort is logging in a new directory each day.
I have tested all service units on a machine; all agents run well.
The snort started by log_rotate@.service in logging mode appears to be doing its job; however, it spams the journal with complaints about missing preprocessors. It may be necessary to add a -c flag to a separate config file containing preprocessor config (see Step #5 in the default snort.conf). However, just using the default /etc/snort/snort.conf would not work, as it starts snort in IDS mode. It seems that with the init.d script the same would be happening, as it starts with the same parameters. A further fix should therefore be applied to both the systemd unit and the init.d script.
Created attachment 437320 [details]
Created attachment 437322 [details]
Created attachment 437324 [details]
Created attachment 437326 [details]
Created attachment 437328 [details]
Created attachment 437330 [details]
Created attachment 437332 [details]
Created attachment 437334 [details]
Created attachment 437336 [details]
I just noticed that upstream has its own shell script for the log_packets service. I will rewrite the log_packet*.service / .timer units to use the upstream script instead of a custom one and post updated unit files soon.
Created attachment 437590 [details, diff]
updated patch for sguil-sensor-0.9.0.ebuild v2
Updated patch for the ebuild. This will only apply on top of the patch from bug #585766. I will attach the resulting ebuild below to make this more convenient.
Changes since the first patch:
* removed the pcap_agent-sancp.service again, in favor of using the pcap_agent.service for both cases. If the sancp USE flag is set, the sancp version of the agent will be installed as /usr/bin/pcap_agent.tcl now.
* added PIDFile to each agent unit
* added Restart=always to each agent, to keep them running in case of a crash. That appears to be what upstream is doing in the current git tree as well, where the first couple of systemd units have been committed.
* re-implemented the log_packets* units to use the upstream log_packets.sh and log_packets-sancp.sh script to start snort in logging mode.
This is now also backwards compatible with how the init scripts worked: configuration happens in /etc/conf.d/log_packets, unit names are the same. (note: the conf.d file is not used in the systemd units, but sourced in the patched log_packets.sh script).
The log_packets_rotate.service/.timer units manage the restarting of the packet logger and the removal of old files, as a cron job would for the init script version.
For this to work, a small patch needs to be applied to the log_packets(-sancp).sh scripts. This patch removes the hard-coded config values and replaces them with the included ones from the conf.d file. It also removes the piping of snort log output to a log file. Instead, it will be logged in the journal now.
Created attachment 437592 [details]
Created attachment 437594 [details]
Created attachment 437596 [details]
Created attachment 437598 [details, diff]
for the files/ dir, not to be applied to the ebuild!
Created attachment 437600 [details]
Created attachment 437602 [details]
Created attachment 437604 [details]
Created attachment 437606 [details]
Created attachment 437608 [details]
Will be installed as /usr/lib/tmpfiles.d/sguil-sensor.conf.
It auto-creates the /run/sguil directory with write permissions for user sguil, so that the agents can run without root privileges.
Created attachment 437610 [details]
Finally, the ebuild with the v2 patch applied, on top of the patch from bug #585766. I included the proposed changes from #585770 (~amd64 keyword) and #585772 (dev-tcltk/tls dependency) as well.
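For readers who do not want to open the attachments, the following is an added illustration (not the unit files attached to this bug, and not upstream sguil's own units) of how the v2 layout described in the comments above fits together: a `log_packets@.service` template keyed on the interface, a daily `.timer` pulled in by every instance, a oneshot rotate service that restarts the running instances, a per-instance drop-in overriding `ExecStart=`, an agent unit with `PIDFile=` and `Restart=always` running as the `sguil` user, and the `tmpfiles.d` line for `/run/sguil`. Every path, PID file name, the `log_packets.sh start <iface>` calling convention, the `/usr/libexec/sguil/log_packets_rotate` helper, the `pcap_agent.tcl -D -c` command line and the `sguil` user/group are assumptions made for the example.

```ini
# Added example, not from this bug's attachments. All paths and names below are assumptions.

# /etc/systemd/system/log_packets@.service
# Template unit; the instance name is the capture interface, e.g. log_packets@eth0.service
[Unit]
Description=Sguil full packet logger (snort) on %i
After=network.target
# Whenever any logger instance starts, make sure the daily rotation timer is active
Wants=log_packets_rotate.timer

[Service]
Type=forking
# The patched upstream script reads its settings from /etc/conf.d/log_packets (assumed)
EnvironmentFile=-/etc/conf.d/log_packets
# Assumed convention: the script takes the interface as its second argument
ExecStart=/usr/bin/log_packets.sh start %i
PIDFile=/run/sguil/snort_%i.pid
# Keep the logger alive across crashes, as upstream's units do
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/log_packets@eth0.service.d/override.conf
# Per-instance drop-in. The empty ExecStart= line is required: it clears the
# template's value, otherwise systemd rejects a second ExecStart= for a non-oneshot unit.
[Service]
ExecStart=
ExecStart=/usr/bin/log_packets.sh start eth0

# /etc/systemd/system/log_packets_rotate.timer
[Unit]
Description=Daily cleanup and restart of the packet loggers

[Timer]
OnCalendar=daily
# Run a missed cleanup at boot if the sensor was down at the scheduled time
Persistent=true
Unit=log_packets_rotate.service

# /etc/systemd/system/log_packets_rotate.service
[Unit]
Description=Remove old packet logs and restart running loggers

[Service]
Type=oneshot
EnvironmentFile=-/etc/conf.d/log_packets
# Assumed helper: deletes the oldest log directories until usage is below MAX_DISK_USE
ExecStart=/usr/libexec/sguil/log_packets_rotate
# Restart every running instance so snort opens a fresh dated directory;
# try-restart only touches instances that are currently active
ExecStartPost=/bin/sh -c 'systemctl try-restart "log_packets@*.service"'

# /etc/systemd/system/pcap_agent.service
# Agent unit; the sancp variant is installed under the same name when USE=sancp is set
[Unit]
Description=Sguil pcap agent
After=network.target

[Service]
Type=forking
# Assumed agent flags: -D daemonize, -c config file
ExecStart=/usr/bin/pcap_agent.tcl -D -c /etc/sguil/pcap_agent.conf
PIDFile=/run/sguil/pcap_agent.pid
Restart=always
RestartSec=5
# Unprivileged; the PID file lives in /run/sguil, created by tmpfiles.d below
User=sguil
Group=sguil

[Install]
WantedBy=multi-user.target

# /usr/lib/tmpfiles.d/sguil-sensor.conf
# type  path        mode  uid    gid    age
d       /run/sguil  0750  sguil  sguil  -
```

Two checks worth running after installing units like these: `systemd-analyze verify /etc/systemd/system/log_packets@.service` catches malformed unit files before a reboot hides the error, and `systemctl cat log_packets@eth0.service` shows the template together with any drop-in so you can confirm which `ExecStart=` actually wins. Note that the snort instance itself is not started as `sguil` here, since capturing requires raw-socket privileges; whether snort drops privileges via its own `-u`/`-g` options is up to the `log_packets.sh` script and is not something this example decides.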