Add compatibility with 'upstart' init daemons

- Added compatibility with 'upstart' init daemons with assistance from Tim
Kramer.  This change adds a new config variable 'ENABLE_PSADWATCHD' that
can be used to disable psadwatchd when deployed with upstart since it
has built-in process monitoring and restarting capabilities.  In addition,
a new init script located at init-scripts/upstart/psad has been added that
is compatible with upstart - this script is meant to be copied to the
/etc/init.d/ directory.
1 parent f8cb23e commit 9d15ebda1bdb59e327d267b5c80c77938ec8dd4f @mrash committed Feb 7, 2014
Showing with 53 additions and 2 deletions.
  1. +4 −0 CREDITS
  2. +9 −0 ChangeLog
  3. +26 −0 init-scripts/upstart/psad.conf
  4. +2 −1 psad
  5. +12 −1 psad.conf
CREDITS
@@ -503,3 +503,7 @@ Gusta-BH
- Reported a bug in the auto-blocking mode where the danger level for IP
block renewals was not being initialized properly for FLUSH_IPT_AT_INIT
set to N.
+
+Tim Kramer
+ - Provided guidance on getting psad to be compatible with the upstart init
+ daemon on RHEL systems. This effort was tracked via issue #12 on github.
ChangeLog
@@ -1,3 +1,12 @@
+psad-2.2.3 (//2014):
+ - Added compatibility with 'upstart' init daemons with assistance from Tim
+ Kramer. This change adds a new config variable 'ENABLE_PSADWATCHD' that
+ can be used to disable psadwatchd when deployed with upstart since it
+ has built-in process monitoring and restarting capabilities. In
+ addition, a new init script located at init-scripts/upstart/psad has
+ been added that is compatible with upstart - this script is meant to be
+ copied to the /etc/init.d/ directory.
+
psad-2.2.2 (01/13/2014):
- Added detection for Errata Security's "Masscan" port scanner that was
used in an Internet-wide scan for port 22 on Sept. 12, 2013 (see:
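Review bot: the new psad-2.2.3 entry has a placeholder release date ("//2014") and points at the wrong install location: the file this commit adds is init-scripts/upstart/psad.conf, an upstart job definition (description / start on / exec stanzas), and upstart reads job files from /etc/init/, not /etc/init.d/, which holds SysV-style scripts. Suggest naming the file as psad.conf, saying it is copied to /etc/init/psad.conf, and filling in the date before tagging; the same wording is in the commit message.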
@@ -0,0 +1,26 @@
+# psad - the Port Scan Attack Detector daemon
+#
+# The psad daemon parses iptables log messages for many different classes
+# of malicious behavior such as port scans, sweeps, connections to back door
+# ports, worm traffic, full malicious payload matches from fwsnort, and more.
+
+description "psad daemon"
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+stop on runlevel [!2345]
+
+respawn
+respawn limit 10 5
+umask 022
+
+### uncomment the post-start lines below if you want email notifications
+### whenever psad is (re)started - be sure to edit the EMAIL_ADDR variable
+# post-start script
+# HOST=`hostname`
+# EMAIL_ADDR=you@domain.com
+# mail -s "Starting psad on $HOST" $EMAIL_ADDR < /dev/null > /dev/null 2>&1
+# end script
+
+expect fork
+
+exec /usr/sbin/psad
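Review bot: `expect fork` in init-scripts/upstart/psad.conf is only correct if psad forks exactly once when it daemonizes; if it double-forks (the usual setsid daemonization pattern) the job needs `expect daemon`, otherwise upstart tracks a PID that has already exited and `stop`, `status` and `respawn` misbehave. Worth verifying against psad's daemonization code and stating the result in the header comment. Also, since this job supplies `respawn`, the header comment should tell the admin to set `ENABLE_PSADWATCHD N;` in psad.conf; with the shipped default of `Y` both psadwatchd and upstart will try to restart psad.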
psad
@@ -700,7 +700,7 @@ unless ($kmsgsd_started) {
unlink $pidfiles{'kmsgsd'} if -e $pidfiles{'kmsgsd'};
}
-unless ($debug or $no_daemon) {
+unless ($debug or $no_daemon or $config{'ENABLE_PSADWATCHD'} eq 'N') {
$cmd = $cmds{'psadwatchd'};
$cmd .= " -c $config_file";
$cmd .= " -O $override_config_str"
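Review bot: the test `$config{'ENABLE_PSADWATCHD'} eq 'N'` is case-sensitive, so a lowercase `n` in psad.conf silently leaves psadwatchd enabled unless the config parser already normalizes values; consider `=~ /^n$/i` here. It would also help to log that psadwatchd was intentionally skipped, so an admin who notices the watchdog is absent does not mistake it for a failed start.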
@@ -11017,6 +11017,7 @@ sub required_vars() {
AUTO_BLOCK_DL1_TIMEOUT AUTO_BLOCK_DL2_TIMEOUT
AUTO_BLOCK_DL3_TIMEOUT AUTO_BLOCK_DL4_TIMEOUT
AUTO_BLOCK_DL5_TIMEOUT EMAIL_THROTTLE EXPECT_TCP_OPTIONS
+ ENABLE_PSADWATCHD
));
&defined_vars(\@required_vars);
return;
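Review bot: adding ENABLE_PSADWATCHD to @required_vars means `&defined_vars(\@required_vars)` will reject every existing /etc/psad/psad.conf that predates this change, so an upgrade without a config merge stops psad from starting. Consider treating a missing variable as 'Y' (the default shipped in psad.conf) rather than requiring it, or at least call out the new required variable in the ChangeLog entry.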
psad.conf
@@ -5,7 +5,12 @@
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. All three psad daemons (psad,
-# kmsgsd, and psadwatchd) reference this config file.
+# kmsgsd, and psadwatchd) reference this config file. Note that kmsgsd is
+# generally deprecated since by default psad parses iptables log messages
+# directly from the file where syslog writes them. Further, psadwatchd is
+# not required if running on a Linux system that already has a process
+# monitoring and restarting capability built-in such as provided by the
+# upstart daemon.
#
# Each line has the form "<variable name> <value>;". Note the semi-
# colon after the <value>. All characters after the semicolon will be
@@ -89,6 +94,12 @@ CHECK_INTERVAL 5;
### or snort2iptables
SNORT_SID_STR SID;
+### For systems with an init daemon like 'upstart' that offer built-in process
+### monitoring, it is not necessary to run the psadwatchd daemon. For such
+### systems, the following variable can be set to 'N' to disable psadwatched
+### altogether.
+ENABLE_PSADWATCHD Y;
+
### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two port must be scanned (p2-p1 >= 1). This can be set
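Review bot: typo in the new comment block: "psadwatched" should be "psadwatchd". The comment could also state explicitly that `N` is the setting to use when psad is started from the init-scripts/upstart/psad.conf job added in this commit, since that job already restarts psad via upstart's `respawn`.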

0 comments on commit 9d15ebd