Package integalert-source: Specfile
%define _unpackaged_files_terminate_build 1

%define pname integalert

# Using ifarch instead of ExclusiveArch tag in order to make
# the other packages available on non-PVE arches.
%ifarch x86_64 aarch64
%def_with pve
%else
%def_without pve
%endif

Name: %pname-source
Version: 0.4.3
Release: alt5

Summary: Osec-based integrity checking script and settings
License: GPLv2
Group: Monitoring
Url: http://git.altlinux.org/people/manowar/packages/integalert.git

Packager: Paul Wolneykien <manowar@altlinux.org>

Source: %name-%version.tar

%description
Osec-based integrity checking script and settings.

%package -n %pname
Summary: Osec-based integrity checking script and settings
Group: Monitoring
BuildArch: noarch

Requires: systemd
Requires: osec-cronjob >= 1.3.1-alt2

Obsoletes: integ < 0.4.2-alt2

%description -n %pname
Osec-based integrity checking script and settings.

%package -n installer-feature-integalert-stage2
Summary: Run integrity check after install (installer files)
Group: System/Configuration/Other
BuildArch: noarch

%description -n installer-feature-integalert-stage2
Run integrity check after install (installer files).

%package -n installer-feature-integalert-stage3
Summary: Run integrity check after install (chroot files)
Group: System/Configuration/Other
Requires: integalert = %version-%release
BuildArch: noarch

%description -n installer-feature-integalert-stage3
Run integrity check after install (chroot files).

%package -n %pname-vm-check
Summary: Run VM integrity check before vm.target and every 5 mins
Group: Monitoring
BuildArch: noarch

%description -n %pname-vm-check
Includes service that 'integalert vm' is configured to run before
'vm.target' and every 5 mins (using a timer).

%package -n %pname-trigger-pve
Summary: Lock down PVE cluster VMs on integrity failure
Group: Monitoring

%description -n %pname-trigger-pve
Lock down PVE cluster VMs on integalert_vm.service failure.

%prep
%setup

%build
%make_build

%install
%makeinstall_std sbindir=/sbin sysconfdir=%_sysconfdir datadir=%_datadir unitdir=%_unitdir presetdir=/lib/systemd/system-preset WITH_PVE=%{with pve}

%post -n %pname
# On package update (don't check the $1 value due to package
# rename):
if systemctl -q is-enabled integalert.service; then
    systemctl daemon-reload
    systemctl -q preset integalert.service
fi

# On first installation, try to migrate from existing
# configuration not maintained by RPM:
if [ $1 -eq 1 ]; then
    for d in integalert integalert_vm integalert_container; do
        for f in pipe.conf; do
            if [ -e "%_sysconfdir/osec/$d/$f.rpmnew" ]; then
                if [ -e "%_sysconfdir/osec/$d/$f.rpmold" ]; then
                    mv -vf "%_sysconfdir/osec/$d/$f.rpmold" \
                       "$(mktemp %_sysconfdir/osec/$d/$f.rpmold.XXX)"
                fi
                mv -vf "%_sysconfdir/osec/$d/$f" \
                   "%_sysconfdir/osec/$d/$f.rpmold"
                mv -vf "%_sysconfdir/osec/$d/$f.rpmnew" \
                   "%_sysconfdir/osec/$d/$f"
                echo "Warning! %_sysconfdir/osec/$d/$f.rpmnew was automatically re-installed as %_sysconfdir/osec/$d/$f. Existing file has been saved as %_sysconfdir/osec/$d/$f.rpmold." >&2
            fi
        done
        if [ -d %_sysconfdir/osec/${d}_fix ]; then
            ls %_sysconfdir/osec/${d}_fix | while read f; do
                if [ -e "%_sysconfdir/osec/$d/$f.fix.rpmold" ]; then
                    mv -vf "%_sysconfdir/osec/$d/$f.fix.rpmold" \
                       "$(mktemp %_sysconfdir/osec/$d/$f.fix.rpmold.XXX)"
                fi
                mv -vf "%_sysconfdir/osec/${d}_fix/$f" \
                   "%_sysconfdir/osec/${d}/$f.fix.rpmold"
            done
            rmdir -v %_sysconfdir/osec/${d}_fix
            echo "Warning! Files in %_sysconfdir/osec/${d}_fix were automatically saved as *.fix.rpmold files in %_sysconfdir/osec/$d." >&2
        fi
    done
fi

%files -n installer-feature-integalert-stage2
%_datadir/install2/postinstall.d/90-integrity-init.sh

%files -n installer-feature-integalert-stage3

%files -n %pname
%_unitdir/integalert.service
/lib/systemd/system-preset/65-integrity.preset
/sbin/integalert
%dir %_sysconfdir/osec/integalert*
%config(noreplace) %_sysconfdir/osec/integalert*/*.conf
%_sysconfdir/osec/integalert*/sender
%dir %_sysconfdir/osec/integalert*/trigger.d

%files -n %pname-vm-check
%_unitdir/integalert_vm.service
%_unitdir/integalert_vm.timer

%if_with pve
%files -n %pname-trigger-pve
%config(noreplace) %_sysconfdir/osec/integalert_vm/trigger.d/*-pve-*
%endif

%changelog
* Fri Jan 26 2024 Paul Wolneykien <manowar@altlinux.org> 0.4.3-alt5
- Cosmetic improvement in the sender script.
- Fixed possible errors in the packaged default configuration files
  (there was a race condition).

* Wed Jan 24 2024 Paul Wolneykien <manowar@altlinux.org> 0.4.3-alt4
- Added migration %%post script which makes backup copies of old
  integalert profiles.
- Generate and package the default configuration files for the
  default ('main'), 'vm' and 'container' profiles.
- Added 'configure' action which writes down the configuration files
  for the specified integalert profile.
- Run 'integalert container' from integalert_vm.service.

* Wed Jan 17 2024 Paul Wolneykien <manowar@altlinux.org> 0.4.3-alt3
- Fix: Use %%ifarch instead of ExclusiveArch tag in order to make
  the other packages available on non-PVE arches.

* Tue Dec 26 2023 Paul Wolneykien <manowar@altlinux.org> 0.4.3-alt2
- Make *-trigger-pve package exclusive arch: x86_64 aarch64.

* Tue Dec 19 2023 Paul Wolneykien <manowar@altlinux.org> 0.4.3-alt1
- Check that the selected osec profile exists before running osec.
- Add two more packages for VM checking and locking (PVE).
- Added 3 VM lock down scripts for PVE.
- Run triggers in /etc/osec/*/trigger.d after a failed check.
- Added VM check service and timer.
- Clarify the unit's description.
- Isolate the emergency.target on failure, set to required by
  sysinit.target.
- Don't directly write to TTY: rely on StandardError=tty.
- Use /etc/osec/*/sender script to write down the report and to send
  a summary message to the system log.
- Allow to explicitly specify the 'check' mode ('integalert check').
- Use the same /etc/osec/*/ config both for 'check' and 'fix' modes.
- Write logs to /var/log/integalert* and /var/log/integalert*_logs.

* Fri Nov 03 2023 Paul Wolneykien <manowar@altlinux.org> 0.4.2-alt4
- Rename installer packages to installer-feature-integalert-*.

* Thu Nov 02 2023 Paul Wolneykien <manowar@altlinux.org> 0.4.2-alt3
- Obsolete integ < 0.4.2-alt2.

* Wed Nov 01 2023 Paul Wolneykien <manowar@altlinux.org> 0.4.2-alt2
- Remove 65-settings.sh and the corresponding package.
- Rename package to "integalert".
- Don't require 'checker' package.
- Add dirs.conf for "vm" and "container" profiles.

* Tue Apr 25 2023 Paul Wolneykien <manowar@altlinux.org> 0.4.2-alt1
- Provide the default dirs.conf for 'integalert' profile as a part
  of the 'integ' package.
- Output a warning and exit if dirs.conf is empty.
- Support for 'container' and 'vm' profiles.

* Fri Oct 02 2020 Paul Wolneykien <manowar@altlinux.org> 0.4.1-alt1
- Set integalert service state from its preset after system
  installation.

* Thu Oct 01 2020 Paul Wolneykien <manowar@altlinux.org> 0.4-alt1
- Setup OSEC for full journal output after integrity database
  initialization after install.
- Update: Make integ itself require osec-controls.
- Moved postinstall.d/90-integrity-init.sh to the new stage2 package.
- Use "IMMUTABLE_DATABASE" configuration option for read-only osec
  runs. This requires osec-cronjob >= 1.3.1-alt2.
- Don't modify the main pipe.conf file after 'integ' package
  installation.
- Always create /var/log/lastosec_logs.
- Don't display a warning in "fix" mode.
- Run osec using 'integalert' and 'integalert_fix' sub-configs.
- Initialize OSEC after install, don't initialize it at first boot.
- Setup osec.cron for read-only use and full journal output after
  install.

* Mon Sep 07 2020 Denis Medvedev <nbr@altlinux.org> 0.3-alt3
- added missing requires, set control of osec to journal (essential).

* Mon Sep 07 2020 Denis Medvedev <nbr@altlinux.org> 0.3-alt2
- revert direct execution of osec from integalert, lastosec data is
  needed too.

* Sat Sep 05 2020 Alexey Shabalin <shaba@altlinux.org> 0.3-alt1
- update systemd unit
- not requires plymouth
- improve failure output
- direct execute osec for check integrity in integalert

* Mon Oct 28 2019 Denis Medvedev <nbr@altlinux.org> 0.2-alt5
- reenable service (to switch from required to wanted from sysinit)
  only when it is an upgrade, not on initial install.

* Fri Oct 11 2019 Denis Medvedev <nbr@altlinux.org> 0.2-alt4
- force systemd reconfigure dependencies, fix archiving of osec
  messages

* Wed Oct 09 2019 Denis Medvedev <nbr@altlinux.org> 0.2-alt3
- force plymouth quit on integrity error

* Wed Oct 09 2019 Denis Medvedev <nbr@altlinux.org> 0.2-alt2
- integalert wanted, not required for sysinit by default

* Wed Oct 09 2019 Denis Medvedev <nbr@altlinux.org> 0.2-alt1
- fix integalert behaviour, see nagwad package for modified osec.pipe.
  Also disabled interruption of boot by default

* Mon Oct 07 2019 Denis Medvedev <nbr@altlinux.org> 0.1-alt4
- Fixed wrong separator in Conflicts line. Also fixed permissions
  on a unit.

* Wed Sep 25 2019 Denis Medvedev <nbr@altlinux.org> 0.1-alt3
- latest update to sisyphus

* Thu Aug 22 2019 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.18
- fixed dependencies for integalert service, avoiding loops.

* Wed Mar 20 2019 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.17
- do not start service, it is needed only on boot.

* Mon Mar 18 2019 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.16
- fixes on integ integalert service

* Wed Mar 28 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.15
- grub is modified adding option in some other place.
  Removed addition of duplicated entry

* Mon Mar 26 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.14
- fixed delimiters

* Mon Mar 26 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.13
- removed perl parts of settings

* Thu Mar 22 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.12
- fixed place of postinstall.d

* Wed Mar 21 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.11
- moved to postinstall.d, added features from branding

* Thu Mar 01 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.10
- separated to two packets: general settings and integrity service
  Removed rhosts from skel: it harms selinux settings.

* Thu Jan 18 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.9
- integrity check strictly before user login now

* Wed Jan 17 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.8
- added "Before" to unit to make it start before DM

* Wed Jan 17 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.7
- changed wanted to required in unit

* Wed Jan 17 2018 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.6
- added alerting on integrity checks on boot

* Wed Dec 13 2017 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.5
- added fixed rhosts, added dependency to custom settings checker

* Mon Dec 11 2017 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.3
- Updated settings

* Fri Dec 01 2017 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.2
- fixed permissions

* Wed Nov 29 2017 Denis Medvedev <nbr@altlinux.org> 0.1-alt0.M80C.1
- backport to c8

* Wed Nov 29 2017 Denis Medvedev <nbr@altlinux.org> 0.1-alt1
Initial release