[Buildroot] [PATCH 2/2] package/suricata: new package
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sat Apr 13 20:53:18 UTC 2019
Hello Fabrice,
On Thu, 14 Mar 2019 22:26:00 +0100
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> Suricata is a free and open source, mature, fast and robust
> network threat detection engine.
>
> The Suricata engine is capable of real time intrusion
> detection (IDS), inline intrusion prevention (IPS), network
> security monitoring (NSM) and offline pcap processing.
>
> https://suricata-ids.org
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Overall looks good. I was about to commit, but I have some doubts about
the systemd unit, and therefore will take advantage of those doubts to
also make a few comments about other aspects.
> diff --git a/package/suricata/S99suricata b/package/suricata/S99suricata
> new file mode 100644
> index 0000000000..35a034b179
> --- /dev/null
> +++ b/package/suricata/S99suricata
In terms of init scripts, package/busybox/S02klogd is now the
"reference". I recommend following this example.
> @@ -0,0 +1,39 @@
> +#!/bin/sh
> +
> +NAME=suricata
> +PIDFILE=/var/run/$NAME.pid
> +DAEMON=/usr/bin/$NAME
> +DAEMON_ARGS="-c /etc/suricata/suricata.yaml -i eth0"
You clearly want to include a /etc/default/${DAEMON} file. DAEMON
should be just the name of the program, see S02klogd.
> +case "$1" in
> + start)
> + start
> + ;;
> + stop)
> + stop
> + ;;
> + restart|reload)
> + restart
> + ;;
> + *)
> + echo "Usage: $0 {start|stop|restart}"
> + exit 1
Please follow the indentation style of S02klogd.
> +ifeq ($(BR2_PACKAGE_PYTHON),y)
> +SURICATA_CONF_OPTS += --enable-python
> +SURICATA_DEPENDENCIES += python
> +else
> +SURICATA_CONF_OPTS += --disable-python
> +endif
So only Python 2.x is supported ?
> +ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)
> +SURICATA_CONF_OPTS += --enable-gccprotect
> +else
> +SURICATA_CONF_OPTS += --disable-gccprotect
> +endif
We should unconditionally use --disable-gccprotect and let our
gcc/wrapper pass the appropriate SSP/hardening options.
> diff --git a/package/suricata/suricata.service b/package/suricata/suricata.service
> new file mode 100644
> index 0000000000..ca0be02dae
> --- /dev/null
> +++ b/package/suricata/suricata.service
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Suricata Intrusion Detection Service
> +After=network.target
> +
> +[Service]
> +ExecStartPre=/bin/rm -f /var/run/suricata.pid
> +ExecStartPre=/usr/bin/mkdir -p /var/log/suricata
> +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
> +ExecReload=/bin/kill -USR2 $MAINPID
I am a bit skeptical about the PID file handling. How is systemd going
to know that the PID file is /var/run/suricata.pid ? Is this useful in
the context of systemd ?
I'm by no means not a systemd expert, but this seems weird to me. If a
systemd-person could give more details about this, it would be nice.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list