diff mbox series

[5/7] suricata: Load *.config files from default location

Message ID	20211119174458.789486-5-michael.tremer@ipfire.org
State	Rejected
Headers	From: Michael Tremer <michael.tremer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 5/7] suricata: Load *.config files from default location Date: Fri, 19 Nov 2021 17:44:56 +0000 Message-Id: <20211119174458.789486-5-michael.tremer@ipfire.org> In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org> References: <20211119174458.789486-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Cc: Michael Tremer <michael.tremer@ipfire.org> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	[1/7] suricata: Include all default rules \| [1/7] suricata: Include all default rules [2/7] rust: Drop Cargo home directory after build [3/7] suricata: Drop extra rootfiles [4/7] suricata: This package is supported on all architectures [5/7] suricata: Load *.config files from default location [6/7] IPS: Do not try to show rules when stat on rules tarball fails [7/7] suricata: Handle retransmitted SYN with TSval

Commit Message

Michael Tremer Nov. 19, 2021, 5:44 p.m. UTC

  Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/rootfiles/common/suricata | 3 ---
 config/suricata/suricata.yaml    | 7 +++----
 lfs/suricata                     | 5 +----
 3 files changed, 4 insertions(+), 11 deletions(-)

Comments

Stefan Schantl Nov. 22, 2021, 4:21 a.m. UTC | #1

Hello Michael,

thanks for working on suricata and cleaning / adjusting things.

This commit is very problematic, because it may breaks current
installations.

Currently after downloading a ruleset tarball of a certain provider,
oinkmaster is going to extract the tarball content(rules files and
*.config files) into the rules directory ("/var/lib/suricata") by
deleting the old rules files and overwriting the *.config files - so
they perfectly fits together.

When moving the config files to a new location, we have to take care
about that by moving these files after oinkmaster has launched to the
new location and we also have to take care about file permissions on
the new location.

So I would recommend to hold off this patch until we have a nice
solution for this.

Best regards,

-Stefan
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  config/rootfiles/common/suricata | 3 ---
>  config/suricata/suricata.yaml    | 7 +++----
>  lfs/suricata                     | 5 +----
>  3 files changed, 4 insertions(+), 11 deletions(-)
> 
> diff --git a/config/rootfiles/common/suricata
> b/config/rootfiles/common/suricata
> index 7c512b033..091245023 100644
> --- a/config/rootfiles/common/suricata
> +++ b/config/rootfiles/common/suricata
> @@ -40,9 +40,6 @@ usr/share/suricata/
>  #usr/share/suricata/rules/stream-events.rules
>  #usr/share/suricata/rules/tls-events.rules
>  var/lib/suricata
> -var/lib/suricata/classification.config
> -var/lib/suricata/reference.config
> -var/lib/suricata/threshold.config
>  var/log/suricata
>  #var/log/suricata/certs
>  #var/log/suricata/files
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 0ad36e705..ba56c6a75 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -69,10 +69,9 @@ rule-files:
>      # Include enabled ruleset files from external file
>      - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
>  
> -classification-file: /var/lib/suricata/classification.config
> -reference-config-file: /var/lib/suricata/reference.config
> -threshold-file: /var/lib/suricata/threshold.config
> -
> +classification-file: /usr/share/suricata/classification.config
> +reference-config-file: /usr/share/suricata/reference.config
> +threshold-file: /usr/share/suricata/threshold.config
>  
>  ##
>  ## Logging options.
> diff --git a/lfs/suricata b/lfs/suricata
> index 0a1dcf2b8..38289962f 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
> @@ -100,10 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  
>         # Move config files for references, threshold and
> classification
>         # to the rules directory.
> -       mv /etc/suricata/*.config /var/lib/suricata
> -
> -       # Set correct permissions for the files.
> -       chmod 644 /var/lib/suricata/*.config
> +       rm -rfv /etc/suricata/*.config
>  
>         # Set correct ownership for /var/lib/suricata and the
>         # contained files

Michael Tremer Nov. 22, 2021, 9:52 a.m. UTC | #2

Hello Stefan,

Thank you for your feedback.

> On 22 Nov 2021, at 04:21, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for working on suricata and cleaning / adjusting things.
> 
> This commit is very problematic, because it may breaks current
> installations.
> 
> Currently after downloading a ruleset tarball of a certain provider,
> oinkmaster is going to extract the tarball content(rules files and
> *.config files) into the rules directory ("/var/lib/suricata") by
> deleting the old rules files and overwriting the *.config files - so
> they perfectly fits together.
> 
> When moving the config files to a new location, we have to take care
> about that by moving these files after oinkmaster has launched to the
> new location and we also have to take care about file permissions on
> the new location.
> 
> So I would recommend to hold off this patch until we have a nice
> solution for this.

Okay. I marked this patch as rejected on PW.

-Michael

> 
> Best regards,
> 
> -Stefan
>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>> ---
>>  config/rootfiles/common/suricata | 3 ---
>>  config/suricata/suricata.yaml    | 7 +++----
>>  lfs/suricata                     | 5 +----
>>  3 files changed, 4 insertions(+), 11 deletions(-)
>> 
>> diff --git a/config/rootfiles/common/suricata
>> b/config/rootfiles/common/suricata
>> index 7c512b033..091245023 100644
>> --- a/config/rootfiles/common/suricata
>> +++ b/config/rootfiles/common/suricata
>> @@ -40,9 +40,6 @@ usr/share/suricata/
>>  #usr/share/suricata/rules/stream-events.rules
>>  #usr/share/suricata/rules/tls-events.rules
>>  var/lib/suricata
>> -var/lib/suricata/classification.config
>> -var/lib/suricata/reference.config
>> -var/lib/suricata/threshold.config
>>  var/log/suricata
>>  #var/log/suricata/certs
>>  #var/log/suricata/files
>> diff --git a/config/suricata/suricata.yaml
>> b/config/suricata/suricata.yaml
>> index 0ad36e705..ba56c6a75 100644
>> --- a/config/suricata/suricata.yaml
>> +++ b/config/suricata/suricata.yaml
>> @@ -69,10 +69,9 @@ rule-files:
>>      # Include enabled ruleset files from external file
>>      - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
>>  
>> -classification-file: /var/lib/suricata/classification.config
>> -reference-config-file: /var/lib/suricata/reference.config
>> -threshold-file: /var/lib/suricata/threshold.config
>> -
>> +classification-file: /usr/share/suricata/classification.config
>> +reference-config-file: /usr/share/suricata/reference.config
>> +threshold-file: /usr/share/suricata/threshold.config
>>  
>>  ##
>>  ## Logging options.
>> diff --git a/lfs/suricata b/lfs/suricata
>> index 0a1dcf2b8..38289962f 100644
>> --- a/lfs/suricata
>> +++ b/lfs/suricata
>> @@ -100,10 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  
>>         # Move config files for references, threshold and
>> classification
>>         # to the rules directory.
>> -       mv /etc/suricata/*.config /var/lib/suricata
>> -
>> -       # Set correct permissions for the files.
>> -       chmod 644 /var/lib/suricata/*.config
>> +       rm -rfv /etc/suricata/*.config
>>  
>>         # Set correct ownership for /var/lib/suricata and the
>>         # contained files
> 
>

diff mbox series

Patch

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 7c512b033..091245023 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -40,9 +40,6 @@  usr/share/suricata/
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
-var/lib/suricata/classification.config
-var/lib/suricata/reference.config
-var/lib/suricata/threshold.config
 var/log/suricata
 #var/log/suricata/certs
 #var/log/suricata/files
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 0ad36e705..ba56c6a75 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -69,10 +69,9 @@  rule-files:
     # Include enabled ruleset files from external file
     - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
 
-classification-file: /var/lib/suricata/classification.config
-reference-config-file: /var/lib/suricata/reference.config
-threshold-file: /var/lib/suricata/threshold.config
-
+classification-file: /usr/share/suricata/classification.config
+reference-config-file: /usr/share/suricata/reference.config
+threshold-file: /usr/share/suricata/threshold.config
 
 ##
 ## Logging options.
diff --git a/lfs/suricata b/lfs/suricata
index 0a1dcf2b8..38289962f 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -100,10 +100,7 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Move config files for references, threshold and classification
 	# to the rules directory.
-	mv /etc/suricata/*.config /var/lib/suricata
-
-	# Set correct permissions for the files.
-	chmod 644 /var/lib/suricata/*.config
+	rm -rfv /etc/suricata/*.config
 
 	# Set correct ownership for /var/lib/suricata and the
 	# contained files