diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index e9a2217fd982..538e98c54a04 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,178 +1,175 @@ PORTNAME= crowdsec DISTVERSIONPREFIX= v -DISTVERSION= 1.6.2 -# the remote tag was moved for 1.6.2, so we force another tag to avoid the version on proxy.golang.org -DISTVERSIONSUFFIX= -final -PORTREVISION= 4 +DISTVERSION= 1.6.3 CATEGORIES= security MAINTAINER= marco@crowdsec.net COMMENT= CrowdSec lightweight and collaborative security engine WWW= https://github.com/crowdsecurity/crowdsec LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE LIB_DEPENDS= libabsl_base.so:devel/abseil \ libre2.so:devel/re2 USES= go:1.22,modules pkgconfig -_COMMIT= 16bfab86 +_COMMIT= 4851945a _BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec GO_MODULE= github.com/crowdsecurity/crowdsec GO_TARGET= ./cmd/crowdsec \ ./cmd/crowdsec-cli \ ./cmd/notification-email \ ./cmd/notification-http \ ./cmd/notification-sentinel \ ./cmd/notification-slack \ ./cmd/notification-splunk GO_BUILDFLAGS= -v -trimpath -tags netgo,osusergo,sqlite_omit_load_extension,re2_cgo \ -ldflags="\ -a -s -w \ -X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION} \ -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \ -X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT} \ -X ${GO_MODULE}/pkg/cwversion.Codename=alphaga \ -X ${GO_MODULE}/pkg/csconfig.defaultConfigDir=${PREFIX}/etc/crowdsec \ -X ${GO_MODULE}/pkg/csconfig.defaultDataDir=/var/db/crowdsec/data \ -X ${GO_MODULE}/pkg/cwversion.Libre2=C++" SUB_FILES= pkg-deinstall pkg-install pkg-message crowdsec.cron upgrade-hub OPTIONS_DEFINE= FIREWALL_BOUNCER OPTIONS_DEFAULT= FIREWALL_BOUNCER_DESC= Depend on security/crowdsec-firewall-bouncer FIREWALL_BOUNCER_RUN_DEPENDS= crowdsec-firewall-bouncer>=0.0.27:security/crowdsec-firewall-bouncer PLUGIN_DIR= ${PREFIX}/lib/crowdsec/plugins STAGE_PLUGINS= ${STAGEDIR}${PLUGIN_DIR} STAGE_BIN= ${STAGEDIR}${PREFIX}/bin post-patch: @${REINPLACE_CMD} 's,/etc/crowdsec/,${ETCDIR}/,g' \ ${WRKSRC}/config/config.yaml @${REINPLACE_CMD} 's,/var/lib/,/var/db/,g' \ 
${WRKSRC}/config/config.yaml do-install: # # Binaries # ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec ${STAGE_BIN}/ ${INSTALL_PROGRAM} ${WRKDIR}/bin/crowdsec-cli ${STAGE_BIN}/cscli # keep this around for compatibility ${LN} -s cscli ${STAGE_BIN}/crowdsec-cli @${MKDIR} ${STAGE_PLUGINS} ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-email ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-http ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-sentinel ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-slack ${STAGE_PLUGINS}/ ${INSTALL_PROGRAM} ${WRKDIR}/bin/notification-splunk ${STAGE_PLUGINS}/ # # Configuration # @${MKDIR} ${STAGEDIR}${ETCDIR} @(cd ${WRKSRC}/config && ${COPYTREE_SHARE} . ${STAGEDIR}${ETCDIR}) @${MV} ${STAGEDIR}${ETCDIR}/acquis.yaml \ ${STAGEDIR}${ETCDIR}/acquis.yaml.sample @${MV} ${STAGEDIR}${ETCDIR}/config.yaml \ ${STAGEDIR}${ETCDIR}/config.yaml.sample @${MV} ${STAGEDIR}${ETCDIR}/console.yaml \ ${STAGEDIR}${ETCDIR}/console.yaml.sample @${MV} ${STAGEDIR}${ETCDIR}/profiles.yaml \ ${STAGEDIR}${ETCDIR}/profiles.yaml.sample # managed by "cscli simulation" @${MV} ${STAGEDIR}${ETCDIR}/simulation.yaml \ ${STAGEDIR}${ETCDIR}/simulation.yaml.sample # # Plugin configuration # @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/email @${MV} ${WRKSRC}/cmd/notification-email/email.yaml \ ${STAGEDIR}${ETCDIR}/notifications/email.yaml.sample @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/http @${MV} ${WRKSRC}/cmd/notification-http/http.yaml \ ${STAGEDIR}${ETCDIR}/notifications/http.yaml.sample @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/sentinel @${MV} ${WRKSRC}/cmd/notification-sentinel/sentinel.yaml \ ${STAGEDIR}${ETCDIR}/notifications/sentinel.yaml.sample @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/slack @${MV} ${WRKSRC}/cmd/notification-slack/slack.yaml \ ${STAGEDIR}${ETCDIR}/notifications/slack.yaml.sample @${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/splunk @${MV} 
${WRKSRC}/cmd/notification-splunk/splunk.yaml \ ${STAGEDIR}${ETCDIR}/notifications/splunk.yaml.sample # updated by "cscli machines" at first service start @${MV} ${STAGEDIR}${ETCDIR}/local_api_credentials.yaml \ ${STAGEDIR}${ETCDIR}/local_api_credentials.yaml.sample # updated by "cscli capi" at first service start @${MV} ${STAGEDIR}${ETCDIR}/online_api_credentials.yaml \ ${STAGEDIR}${ETCDIR}/online_api_credentials.yaml.sample # # Data # @${MKDIR} ${STAGEDIR}${ETCDIR}/hub @${MKDIR} ${STAGEDIR}${ETCDIR}/acquis.d @${MKDIR} ${STAGEDIR}/var/db/crowdsec/data @${MKDIR} ${STAGEDIR}/var/db/crowdsec/data/trace # # Cron # @${MKDIR} ${STAGEDIR}${PREFIX}/libexec/crowdsec ${INSTALL_DATA} ${WRKDIR}/upgrade-hub \ ${STAGEDIR}${PREFIX}/libexec/crowdsec/upgrade-hub # # Cleanup # @${RM} ${STAGEDIR}${ETCDIR}/acquis_win.yaml @${RM} ${STAGEDIR}${ETCDIR}/config_win_no_lapi.yaml @${RM} ${STAGEDIR}${ETCDIR}/config_win.yaml @${RM} ${STAGEDIR}${ETCDIR}/crowdsec.cron.daily @${RM} ${STAGEDIR}${ETCDIR}/crowdsec.service @${RM} ${STAGEDIR}${ETCDIR}/context.yaml @${RM} ${STAGEDIR}${ETCDIR}/detect.yaml @${RM} ${STAGEDIR}${ETCDIR}/dev.yaml @${RM} ${STAGEDIR}${ETCDIR}/user.yaml @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/email @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/http @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/sentinel @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/slack @${RMDIR} ${STAGEDIR}${ETCDIR}/notifications/splunk post-install: @${MKDIR} ${STAGEDIR}${PREFIX}/etc/cron.d ${INSTALL_DATA} ${WRKDIR}/crowdsec.cron ${STAGEDIR}${PREFIX}/etc/cron.d/crowdsec .include diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo index fc31557d4e7f..4477491deabe 100644 --- a/security/crowdsec/distinfo +++ b/security/crowdsec/distinfo 
@@ -1,5 +1,5 @@
-TIMESTAMP = 1717420493
-SHA256 (go/security_crowdsec/crowdsec-v1.6.2-final/v1.6.2-final.mod) = 0cd8f4a237f0901164c8d80fa76c6bc7354054e867c7719c9691f4e5ae4b4a31
-SIZE (go/security_crowdsec/crowdsec-v1.6.2-final/v1.6.2-final.mod) = 10156
-SHA256 (go/security_crowdsec/crowdsec-v1.6.2-final/v1.6.2-final.zip) = e07898b78bd6ff09a1913b7cb8f69b6c3dd3c2add5b4554cc5b8084c91eb96ff
-SIZE (go/security_crowdsec/crowdsec-v1.6.2-final/v1.6.2-final.zip) = 1505724
+TIMESTAMP = 1725967354
+SHA256 (go/security_crowdsec/crowdsec-v1.6.3/v1.6.3.mod) = d47b370bc889d0484778cfbfc610b4254d6724455fb57f1fc6b3cb080d2343cd
+SIZE (go/security_crowdsec/crowdsec-v1.6.3/v1.6.3.mod) = 10157
+SHA256 (go/security_crowdsec/crowdsec-v1.6.3/v1.6.3.zip) = 9be326fa2feb5efc612a23c7309e4b6e3ca697876dbde1555c7e578f099c3eac
+SIZE (go/security_crowdsec/crowdsec-v1.6.3/v1.6.3.zip) = 1581062
diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in
index ba0a40a19250..42abf1d829eb 100644
--- a/security/crowdsec/files/crowdsec.in
+++ b/security/crowdsec/files/crowdsec.in
@@ -1,107 +1,115 @@ #!/bin/sh # PROVIDE: crowdsec # BEFORE: crowdsec_firewall # REQUIRE: LOGIN DAEMON NETWORKING # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf # to enable this service: # # crowdsec_enable (bool): Set it to YES to enable crowdsec agent. # Default is "NO". # crowdsec_config (str): Set the agent config path. # Default is "%%PREFIX%%/etc/crowdsec/config.yaml". # crowdsec_machine_name (str): Name for the crowdsec instance when it's running its own lapi. # Default is "localhost". . /etc/rc.subr name=crowdsec rcvar=crowdsec_enable load_rc_config "$name" : "${crowdsec_enable:=NO}" : "${crowdsec_config:=%%PREFIX%%/etc/crowdsec/config.yaml}" : "${crowdsec_machine_name:=localhost}" pidfile=/var/run/${name}_daemon.pid pidfile_crowdsec=/var/run/${name}.pid required_files="$crowdsec_config" command="/usr/sbin/daemon" command_crowdsec="%%PREFIX%%/bin/crowdsec" command_cscli="%%PREFIX%%/bin/cscli" command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config}" reload_cmd="${name}_reload" start_precmd="${name}_precmd" configtest_cmd="${name}_configtest" reload_precmd="${name}_configtest" restart_precmd="${name}_configtest" stop_precmd="${name}_stop_precmd" stop_postcmd="${name}_stop_postcmd" extra_commands="configtest reload" +# If the crowdsec process was not started or is in a fail loop due to misconfiguration, +# the TERM signal is not enough to terminate /usr/sbin/daemon. 
+sig_stop="INT" + crowdsec_stop_precmd() { # take note of the pid, because sbin/daemon will remove the file # without waiting for crowdsec to exit if [ -r "$pidfile_crowdsec" ]; then _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")" export _CROWDSECPID fi } crowdsec_stop_postcmd() { # wait for process to exit before restarting, or it will find the http port in use if [ -n "$_CROWDSECPID" ]; then wait_for_pids "$_CROWDSECPID" fi } crowdsec_precmd() { cs_cli() { "$command_cscli" -c "$crowdsec_config" "$@" } Config() { cs_cli config show --key "Config.$1" } # Is the LAPI enabled on this node? if [ "$(Config API.Server.Enable)" != "false" ]; then # There are no machines, we create one for cscli & log processor if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then echo "Registering LAPI" cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || : fi CONFIG_DIR=$(Config ConfigPaths.ConfigDir) # Register to the central server to receive the community blocklist and more if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then echo "Registering CAPI" cs_cli capi register || : fi fi - # install the collection for the first time, or if it has been removed - cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \ - cs_cli collections install crowdsecurity/freebsd || : + # If the hub is empty, install the freebsd collection and the private ip whitelist. + # We don't ship the whitelist in the collection because + # there are legitimate use cases for banning private ip ranges. + if [ "$(cscli hub list -o raw | wc -l)" -le 1 ]; then + cs_cli parsers install crowdsecurity/whitelists --error || : + cs_cli collections install crowdsecurity/freebsd --error || : + fi } crowdsec_configtest() { echo "Performing sanity check on ${name} configuration." if ! 
"$command_crowdsec" -c "$crowdsec_config" -t -error; then exit 1 fi echo "Configuration test OK" } crowdsec_reload() { echo "Reloading configuration" if [ -r "$pidfile_crowdsec" ]; then kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")" fi } run_rc_command "$1"