

%define name psad
%define version 1.4.2
%define release %mkrel 1

Summary: Psad analyzes iptables log messages for suspect traffic
Name: %name
Version: %version
Release: %release
License: GPL
Group: System/Servers
BuildRoot: %_tmppath/%{name}-buildroot
BuildRequires: perl-devel
Requires: perl-Unix-Syslog, perl-Date-Calc, sendmail-command
Requires: perl-Net-IPv4Addr perl-IPTables-Parse
Requires: userspace-ipfilter perl-Bit-Vector
Requires(pre): rpm-helper

%description
Port Scan Attack Detector (psad) is a collection of three lightweight
system daemons (psad, kmsgsd and psadwatchd) written in Perl and C
that are designed to work with Linux firewalling code (iptables in
the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port
scans. It features a set of highly
configurable danger thresholds (with sensible defaults provided),
verbose alert messages that include the source, destination, scanned
port range, begin and end times, TCP flags and corresponding nmap
options (Linux 2.4.x kernels only), email alerting, and automatic
blocking of offending IP addresses via dynamic configuration of
ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels
psad incorporates many of the TCP, UDP, and ICMP signatures included in
Snort to detect highly suspect scans for various backdoor programs
(e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and
advanced port scans (syn, fin, Xmas) which are easily leveraged against
a machine via nmap. Psad also uses packet TTL, IP id, TOS, and TCP
window sizes to passively fingerprint the remote operating system from
which scans originate.
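The detection described above, reduced to a runnable sketch. This is an added example written for this page, not psad's own code: it parses iptables LOG lines as they arrive via syslog (the sample lines are constructed), tallies TCP packets per source address, maps each TCP flag set to the nmap option that produces it, assigns a danger level from packet-count thresholds, and makes a crude TTL-only operating-system guess. The thresholds, the "stealth scan raises the level to at least 2" policy, the OS table and all addresses are assumptions; psad's real thresholds are the DANGER_LEVEL settings in psad.conf and its fingerprints live in the posf file.

```python
"""Sketch of psad-style port-scan detection over iptables LOG lines.

Added example for this page, not psad's code.  Sample log lines are
constructed; thresholds and the OS table are assumptions.
"""
import re
from collections import defaultdict

# KEY=value fields written by the iptables LOG target.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flags appear as bare tokens after the PROTO=TCP fields.
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Packet-count thresholds per danger level.  Assumed for this example;
# the real values are DANGER_LEVEL1..5 in /etc/psad/psad.conf.
DANGER_THRESHOLDS = ((5, 1), (15, 2), (150, 3), (1500, 4), (10000, 5))
STEALTH_SCANS = {"-sF", "-sN", "-sX"}


def parse_log_line(line):
    """Return the LOG fields of one syslog line, or None if it is not one."""
    if "PROTO=" not in line:
        return None
    pkt = dict(FIELD_RE.findall(line))
    tail = line.split("PROTO=", 1)[1]
    pkt["flags"] = frozenset(f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, tail))
    return pkt


def nmap_scan_type(flags):
    """Map a TCP flag set to the nmap option that produces it (nmap's
    documented scan modes; the mapping is not copied from psad)."""
    table = {
        frozenset({"SYN"}): "-sS",
        frozenset({"ACK"}): "-sA",
        frozenset({"FIN"}): "-sF",
        frozenset(): "-sN",
        frozenset({"FIN", "PSH", "URG"}): "-sX",
    }
    return table.get(frozenset(flags))


def guess_os(ttl):
    """Crude passive fingerprint from the IP TTL alone (assumed initial
    TTL values; psad's posf file also uses window size, TOS and IP id)."""
    try:
        ttl = int(ttl)
    except (TypeError, ValueError):
        return "unknown"
    if ttl <= 64:
        return "Linux/Unix-like (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "Cisco/other (initial TTL 255)"


def detect_scans(lines):
    """Group TCP packets by source and assign each source a danger level."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "flags": set(), "ttl": None})
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None or pkt.get("PROTO") != "TCP":
            continue
        st = per_src[pkt["SRC"]]
        st["packets"] += 1
        st["ports"].add(int(pkt["DPT"]))
        st["flags"].add(pkt["flags"])
        st["ttl"] = pkt.get("TTL")

    alerts = {}
    for src, st in per_src.items():
        level = max((dl for count, dl in DANGER_THRESHOLDS if st["packets"] >= count), default=0)
        scan_types = sorted(t for t in map(nmap_scan_type, st["flags"]) if t)
        # A FIN/NULL/Xmas probe is suspicious at any packet count:
        # treat it as at least danger level 2 (assumed policy).
        if STEALTH_SCANS & set(scan_types):
            level = max(level, 2)
        if level:
            alerts[src] = {
                "danger_level": level,
                "port_range": (min(st["ports"]), max(st["ports"])),
                "scan_types": scan_types,
                "os_guess": guess_os(st["ttl"]),
            }
    return alerts


def _log_line(src, dpt, flags, ttl=64):
    """Constructed iptables LOG line in the layout kmsgsd reads from syslog."""
    return ("Jul 26 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=%s DST=192.168.1.1 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=%d ID=0 PROTO=TCP SPT=40000 DPT=%d "
            "WINDOW=1024 RES=0x00 %s URGP=0" % (src, ttl, dpt, flags))


SAMPLE_LOG = (
    [_log_line("10.0.0.5", p, "SYN") for p in range(20, 40)]                    # 20-port SYN sweep
    + [_log_line("10.0.0.9", p, "FIN PSH URG", ttl=128) for p in (22, 80, 443)]  # Xmas probes
    + [_log_line("10.0.0.7", 80, "ACK")]                                        # a lone ACK, no alert
    + ["Jul 26 12:00:02 fw sshd[123]: Accepted publickey for root"]            # not a LOG line
)

if __name__ == "__main__":
    for src, alert in sorted(detect_scans(SAMPLE_LOG).items()):
        print(src, alert)
```

The sweep from 10.0.0.5 reaches danger level 2 on packet count alone, while the three Xmas probes from 10.0.0.9 would score nothing on count and are raised to level 2 only because of the flag signature; the single ACK from 10.0.0.7 produces no alert. That split between volume thresholds and signature matches is the shape of what psad does with its danger levels and Snort-derived signatures.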

%package -n perl-IPTables-Parse
Summary: Parse iptables rules
Group: System/Configuration/Networking

%description -n perl-IPTables-Parse
The psad package provides the IPTables::Parse Perl module, which parses iptables rulesets.

%package -n perl-IPTables-ChainMgr
Summary: ChainMgr iptables perl module
Group: System/Configuration/Networking

%description -n perl-IPTables-ChainMgr
The psad package provides the IPTables::ChainMgr Perl module for managing iptables chains.

%prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
%setup -q

%build
cd Psad && %{__perl} Makefile.PL PREFIX=/usr/lib/psad LIB=/usr/lib/psad
cd ..

cd IPTables-Parse 
%{__perl} Makefile.PL INSTALLDIRS=vendor PREFIX=%{_prefix}

cd ../IPTables-ChainMgr
%{__perl} Makefile.PL INSTALLDIRS=vendor PREFIX=%{_prefix}
cd ..

### build psad binaries (kmsgsd and psadwatchd)
%make OPTS="$RPM_OPT_FLAGS"
### build the whois client
%make OPTS="$RPM_OPT_FLAGS" -C whois
### build perl modules used by psad
%make OPTS="$RPM_OPT_FLAGS" -C Psad

%install
### log directory
mkdir -p $RPM_BUILD_ROOT/var/log/psad
### dir for psadfifo
mkdir -p $RPM_BUILD_ROOT/var/lib/psad
### dir for pidfiles
mkdir -p $RPM_BUILD_ROOT/var/run/psad

### psad module dirs
mkdir -p $RPM_BUILD_ROOT%_libdir/psad/i386-linux/auto/Psad
#mkdir -p $RPM_BUILD_ROOT/usr/lib/psad/i386-linux/auto/IPTables/Parse
mkdir -p $RPM_BUILD_ROOT%_libdir/psad/share/man/man3
mkdir -p $RPM_BUILD_ROOT%_libdir/psad/share/man/man1
mkdir -p $RPM_BUILD_ROOT%_libdir/psad/bin
mkdir -p $RPM_BUILD_ROOT%_libdir/psad/Net

mkdir -p $RPM_BUILD_ROOT%_libdir/psad/IPTables

### whois_psad binary
mkdir -p $RPM_BUILD_ROOT%_bindir
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT%_sbindir
### psad config
mkdir -p $RPM_BUILD_ROOT%_sysconfdir/%name
### psad init script
mkdir -p $RPM_BUILD_ROOT%_initrddir

install -m 500 {psad,kmsgsd,psadwatchd} $RPM_BUILD_ROOT%_sbindir/
install -m 500 fwcheck_psad $RPM_BUILD_ROOT%_sbindir/fwcheck_psad
install -m 755 whois/whois $RPM_BUILD_ROOT%_bindir/whois_psad
install -m 755 init-scripts/psad-init.redhat $RPM_BUILD_ROOT%_initrddir/psad
install -m 644 {psad.conf,kmsgsd.conf,psadwatchd.conf,fw_search.conf} $RPM_BUILD_ROOT%_sysconfdir/%name/
install -m 644 {signatures,icmp_types,auto_dl,posf} $RPM_BUILD_ROOT%_sysconfdir/%name/
install -m 644 *.8 $RPM_BUILD_ROOT%{_mandir}/man8/

mkdir -p $RPM_BUILD_ROOT%{perl_vendorlib}/IPTables
install -m 444 IPTables-Parse/lib/IPTables/ $RPM_BUILD_ROOT%{perl_vendorlib}/IPTables
install -m 444 Psad/lib/ $RPM_BUILD_ROOT%_libdir/psad/

mkdir -p $RPM_BUILD_ROOT%{perl_vendorlib}/IPTables-ChainMgr
install -m 444 IPTables-ChainMgr/lib/IPTables/ $RPM_BUILD_ROOT%{perl_vendorlib}/IPTables-ChainMgr/

### install snort rules files
cp -r snort_rules $RPM_BUILD_ROOT%_sysconfdir/%name

%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

%post
### put the current hostname into the psad config files
### (psad.conf and psadwatchd.conf), replacing the HOSTNAME placeholder
perl -p -i -e 'use Sys::Hostname; my $hostname = hostname(); s/HOSTNAME(\s+)CHANGE.?ME/HOSTNAME${1}$hostname/' /etc/psad/psad.conf
perl -p -i -e 'use Sys::Hostname; my $hostname = hostname(); s/HOSTNAME(\s+)CHANGE.?ME/HOSTNAME${1}$hostname/' /etc/psad/psadwatchd.conf

/bin/touch /var/log/psad/fwdata
chown root.root /var/log/psad/fwdata
chmod 0600 /var/log/psad/fwdata
if [ ! -p /var/lib/psad/psadfifo ]; then
    [ -e /var/lib/psad/psadfifo ] && /bin/rm -f /var/lib/psad/psadfifo
    /bin/mknod -m 600 /var/lib/psad/psadfifo p
fi
chown root.root /var/lib/psad/psadfifo
chmod 0600 /var/lib/psad/psadfifo
### make psad start at boot
/sbin/chkconfig --add psad
[ -f /etc/syslog.conf ] || exit 0
### make a backup of /etc/syslog.conf
[ -f /etc/syslog.conf.orig ] || cp -p /etc/syslog.conf /etc/syslog.conf.orig
### add the psadfifo line to /etc/syslog.conf if necessary
if ! grep -v '^[[:space:]]*#' /etc/syslog.conf | grep -q psadfifo; then
    echo " .. Adding psadfifo line to /etc/syslog.conf"
    echo " |/var/lib/psad/psadfifo" >> /etc/syslog.conf
fi
if [ -e /var/run/ ]; then
    echo " .. Restarting syslogd "
    kill -HUP `cat /var/run/`
fi
if grep -q "EMAIL.*root.*localhost" /etc/psad/psad.conf; then
    echo " .. You can edit the EMAIL_ADDRESSES variable in"
    echo "    /etc/psad/psad.conf, /etc/psad/psadwatchd.conf, and"
    echo "    to have email alerts sent to"
    echo "    an address other than root@localhost"
fi

%preun
%_preun_service psad


%files
%dir %_sysconfdir/%name
%config(noreplace) %_sysconfdir/%name/*.conf
%config(noreplace) %_sysconfdir/%name/auto_dl
%config(noreplace) %_sysconfdir/%name/icmp_types
%config(noreplace) %_sysconfdir/%name/posf
%config(noreplace) %_sysconfdir/%name/signatures

%dir %_sysconfdir/%name/snort_rules
%config(noreplace) %_sysconfdir/%name/snort_rules/*

%files -n perl-IPTables-Parse

%files -n perl-IPTables-ChainMgr

%changelog
* Tue Jul 26 2005 Nicolas Lécureuil <> 1.4.2-1mdk
- Fix BuildRequires
- %%mkrel

* Tue Mar 15 2005 Lenny Cartier <> 1.4.1-2mdk
- requires perl-Bit-Vector
- add a perl-IPTables-ChainMgr package

* Mon Mar 14 2005 Lenny Cartier <> 1.4.1-1mdk
- 1.4.1

* Mon Oct 25 2004 Lenny Cartier <> 1.3.4-1mdk
- 1.3.4

* Mon Sep 27 2004 Lenny Cartier <> 1.3.3-2mdk
- requires smtpdaemon rather than sendmail

* Sun Sep 12 2004 Lenny Cartier <> 1.3.3-1mdk
- 1.3.3

* Mon Jun 28 2004 Lenny Cartier <> 1.3.2-1mdk
- 1.3.2

* Tue Jun 15 2004 Lenny Cartier <> 1.3.1-1mdk
- 1.3.1

* Thu Dec 18 2003 Lenny Cartier <> 1.3-2mdk
- Bug #6568 : depends on userspace-ipfilter

* Wed Dec 03 2003 Lenny Cartier <> 1.3-1mdk
- 1.3

* Mon Oct 20 2003 Lenny Cartier <> 1.2.4-1mdk
- 1.2.4
- like Michael Rash's specfile, remove diskmond since psad handles it automatically

* Mon Oct 13 2003 Lenny Cartier <> 1.2.3-2mdk
- remove some perl modules
- add a sub package for perl-IPTables-Parse

* Tue Sep 23 2003 Lenny Cartier <> 1.2.3-1mdk
- mandrakized specfile

* Fri Sep 12 2003 Michael Rash <>
- Added interface tracking for scans.
- Bugfix for not opening /etc/hosts.deny the right way in
- Bugfix for psadfifo path in syslog-ng config.
- Better format for summary stats section in email alerts.
- Bugfix for INIT_DIR path on non-RedHat systems.
- Bugfix for gzip path.
- Make installed last of all perl modules installed
  by psad.
- Added additional call to incr_syscall_ctr() in psadwatchd.c

* Mon Jul 28 2003 Michael Rash <>
- Initial version.