security/crowdsec*: update to their latest releases

security/crowdsec:
- update to version 1.2.3

security/crowdsec-firewall-bouncer:
- update to version 0.0.20
- update pkg-message

Add log rotation to both ports, and other small improvements.

PR:             260262

security/crowdsec-firewall-bouncer/Makefile

@@ -1,5 +1,5 @@
 PORTNAME=	crowdsec-firewall-bouncer
-PORTVERSION=	0.0.17	# NOTE: change BUILD_VERSION and BUILD_TAG as well
+PORTVERSION=	0.0.20  # NOTE: change BUILD_VERSION and BUILD_TAG as well
 DISTVERSIONPREFIX=	v
 CATEGORIES=	security
 
@@ -19,6 +19,7 @@ RUN_DEPENDS=	crowdsec>0:security/crowdsec
 USE_GITHUB=	yes
 GH_ACCOUNT=	crowdsecurity
 GH_PROJECT=	cs-firewall-bouncer
+GH_TAGNAME=	v0.0.20-freebsd
 #GH_TAGNAME is automatically set from DISTVERSION
 
 USE_RC_SUBR=	crowdsec_firewall
@@ -28,14 +29,11 @@ SUB_FILES=	pkg-message \
 
 # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
 # BUILD_TAG=$(git rev-parse HEAD)
-MAKE_ENV=	BUILD_VERSION="v0.0.17" \
-		BUILD_TAG="b330209afcdefd0046fd6790999bbb342c02f1b3"
+MAKE_ENV=	BUILD_VERSION="v0.0.20" \
+		BUILD_TAG="a456a4debdf3d3551c89b8490bb942f626027310"
 
 ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
 
-do-patch:
-	cd ${WRKSRC} && go mod download github.com/mattn/go-sqlite3
-
 post-patch:
 	${REINPLACE_CMD} 's,$${BACKEND},pf,g' \
 		${WRKSRC}/config/crowdsec-firewall-bouncer.yaml
@@ -56,4 +54,10 @@ do-install:
 	${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \
 		${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample
 
+	#
+	# Log rotation
+	#
+
+	${INSTALL_DATA} ${FILESDIR}/crowdsec-firewall-bouncer.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample
+
 .include <bsd.port.mk>

security/crowdsec-firewall-bouncer/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1637702397
-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 53af239b86c6b554da3711e3686d7d3036d33b2e561bfb00e195b6c8a06918c8
-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.17_GH0.tar.gz) = 143037
+TIMESTAMP = 1640213523
+SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 95f8abf5f44e700e7f0a41edf5367715ce06918cb0de7a5d084bdca277563171
+SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.20-v0.0.20-freebsd_GH0.tar.gz) = 3018717

security/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.conf-newsyslog

@@ -0,0 +1,2 @@
+# logfilename				[owner:group]	mode	count	size(kb)	when	flags	[/pid_file]			[sig_num]
+/var/log/crowdsec-firewall-bouncer.log	root:wheel	644  	10	5120		*	JC	/var/run/crowdsec_firewall.pid

security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in

@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # PROVIDE: crowdsec_firewall
-# REQUIRE: LOGIN DAEMON NETWORKING
+# REQUIRE: LOGIN DAEMON NETWORKING crowdsec
 # KEYWORD: shutdown
 #
 # Add the following lines to /etc/rc.conf.local or /etc/rc.conf
@@ -41,6 +41,15 @@ crowdsec_firewall_precmd() {
             fi
         fi
     fi
+
+    # needs real tabs
+    cat <<-EOT | /sbin/pfctl -f /dev/fd/0
+	table <crowdsec-blacklists> persist
+	table <crowdsec6-blacklists> persist
+	block drop in quick from <crowdsec-blacklists> to any
+	block drop in quick from <crowdsec6-blacklists> to any
+	EOT
+
 }
 
 crowdsec_firewall_start() {

security/crowdsec-firewall-bouncer/files/patch-Makefile

@@ -1,11 +1,11 @@
---- Makefile.orig	2021-12-07 09:00:17 UTC
+--- Makefile.orig	2021-12-22 22:57:23 UTC
 +++ Makefile
-@@ -11,7 +11,7 @@ GOGET=$(GOCMD) get
- BUILD_VERSION?="$(shell git describe --tags `git rev-list --tags --max-count=1`)"
+@@ -11,7 +11,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l
  BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -r 's/[go]+//g')"
  BUILD_TIMESTAMP=$(shell date +%F"_"%T)
--BUILD_TAG="$(shell git rev-parse HEAD)"
-+BUILD_TAG?="$(shell git rev-parse HEAD)"
- export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
+ BUILD_TAG?="$(shell git rev-parse HEAD)"
+-export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
++export LD_OPTS=-mod vendor -modcacherw --ldflags "-s -w -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=$(BUILD_VERSION) \
  -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=$(BUILD_TIMESTAMP) \
  -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=$(BUILD_TAG) \
+ -X github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=$(BUILD_GOVERSION)"

security/crowdsec-firewall-bouncer/files/pkg-message.in

@@ -11,27 +11,35 @@ configuration file, which is now in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml
 In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need
 to check if you made any changes there.
 
-If it's the first time, you need to edit your Packet Filter configuration.
-Add the following in /etc/pf.conf to create the tables:
+This package depends on the Packet Filter service.
+To make sure it's active:
 
 ----------
-# create crowdsec ipv4 table
-table <crowdsec-blacklists> persist
+# sysrc pf_enable=YES
+pf_enable: NO -> YES
+# service pf start
+Enabling pf.
+----------
 
-# create crowdsec ipv6 table
-table <crowdsec6-blacklists> persist
+Then activate the bouncer via sysrc:
 
+----------
+# sysrc crowdsec_firewall_enable="YES"
+crowdsec_firewall_enable: NO -> YES
+# service crowdsec_firewall start
+----------
+
+After a few seconds, the bouncer should have created the tables and rules:
+
+----------
+# pfctl -s Tables
+crowdsec-blacklists
+crowdsec6-blacklists
+# pfctl -s Tables -s rules
 block drop in quick from <crowdsec-blacklists> to any
 block drop in quick from <crowdsec6-blacklists> to any
 ----------
 
-To apply the file:
-
-# pfctl -f /etc/pf.conf
-
-Then activate the bouncer via sysrc:
-
-# sysrc crowdsec_firewall_enable="YES"
 EOM
 }
 ]

security/crowdsec-firewall-bouncer/pkg-plist

@@ -1,4 +1,7 @@
 @mode 0755
 bin/crowdsec-firewall-bouncer
+@dir etc/newsyslog.conf.d
 @mode 0600
 @sample %%ETCDIR%%/crowdsec-firewall-bouncer.yaml.sample
+@mode 0644
+@sample etc/newsyslog.conf.d/crowdsec-firewall-bouncer.conf.sample

security/crowdsec/Makefile

@@ -1,5 +1,5 @@
 PORTNAME=	crowdsec
-PORTVERSION=	1.2.1	# NOTE: change BUILD_VERSION and BUILD_TAG as well
+PORTVERSION=	1.2.3	# NOTE: change BUILD_VERSION and BUILD_TAG as well
 DISTVERSIONPREFIX=	v
 CATEGORIES=	security
 
@@ -18,19 +18,18 @@ USES=		gmake
 USE_GITHUB=	yes
 GH_ACCOUNT=	crowdsecurity
 GH_PROJECT=	crowdsec
+GH_TAGNAME=	v1.2.3-freebsd
 #GH_TAGNAME is automatically set from DISTVERSION
 
 USE_RC_SUBR=	crowdsec
 
-USE_RC_SUBR=	crowdsec
-
 SUB_FILES=	pkg-message \
 		pkg-deinstall
 
 # BUILD_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))
 # BUILD_TAG=$(git rev-parse HEAD)
-MAKE_ENV=	BUILD_VERSION="v1.2.1" \
-		BUILD_TAG="dd03d073558e380c283afe66942f537c3da647ff"
+MAKE_ENV=	BUILD_VERSION="v1.2.3" \
+		BUILD_TAG="fc4be1e0ffc5888f2824358464cb2426cd4472e1"
 
 PLUGIN_DIR=	${PREFIX}/lib/crowdsec/plugins
 STAGE_PLUGINS=	${STAGEDIR}${PLUGIN_DIR}
@@ -62,6 +61,7 @@ do-install:
 	${LN} -s cscli ${STAGE_BIN}/crowdsec-cli
 
 	@${MKDIR} ${STAGE_PLUGINS}
+	${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/email/notification-email ${STAGE_PLUGINS}/
 	${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/http/notification-http ${STAGE_PLUGINS}/
 	${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/slack/notification-slack ${STAGE_PLUGINS}/
 	${INSTALL_PROGRAM} ${WRKSRC}/plugins/notifications/splunk/notification-splunk ${STAGE_PLUGINS}/
@@ -92,6 +92,10 @@ do-install:
 
 	@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications
 
+	@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/email
+	@${MV} ${WRKSRC}/plugins/notifications/email/email.yaml \
+		${STAGEDIR}${ETCDIR}/notifications/email/email.yaml.sample
+
 	@${MKDIR} ${STAGEDIR}${ETCDIR}/notifications/http
 	@${MV} ${WRKSRC}/plugins/notifications/http/http.yaml \
 		${STAGEDIR}${ETCDIR}/notifications/http/http.yaml.sample
@@ -119,4 +123,11 @@ do-install:
 	@${MKDIR} ${STAGEDIR}${ETCDIR}/hub
 	@${MKDIR} ${STAGEDIR}/var/db/crowdsec/data
 
+	#
+	# Log rotation
+	#
+
+	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	${INSTALL_DATA} ${FILESDIR}/crowdsec.conf-newsyslog ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/crowdsec.conf.sample
+
 .include <bsd.port.mk>

security/crowdsec/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1637702390
-SHA256 (crowdsecurity-crowdsec-v1.2.1_GH0.tar.gz) = e3a9bbb70b1995a83c5001d06dbbcb5f59d43e4d7c18b60548f305a62d2dd6a3
-SIZE (crowdsecurity-crowdsec-v1.2.1_GH0.tar.gz) = 659398
+TIMESTAMP = 1642022158
+SHA256 (crowdsecurity-crowdsec-v1.2.3-v1.2.3-freebsd_GH0.tar.gz) = 9b3dd5fcc7b67cf89a1a661009a215b9a7f7a0efeb598456480e57fbd6e9bb4b
+SIZE (crowdsecurity-crowdsec-v1.2.3-v1.2.3-freebsd_GH0.tar.gz) = 19122216

security/crowdsec/files/crowdsec.conf-newsyslog

@@ -0,0 +1,3 @@
+# logfilename			[owner:group]	mode	count	size(kb)	when	flags	[/pid_file]				[sig_num]
+/var/log/crowdsec.log		root:wheel	644  	10	5120		*	JC	/var/run/crowdsec.pid
+/var/log/crowdsec_api.log	root:wheel	644  	10	5120		*	JC	/var/run/crowdsec.pid

security/crowdsec/files/crowdsec.in

@@ -43,12 +43,12 @@ crowdsec_precmd() {
     }
 
     HUB_DIR=$(Config ConfigPaths.HubDir)
-    if ! ls -1qA "$HUB_DIR/*" >/dev/null 2>&1; then
+    if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
         echo "Fetching hub inventory"
         cs_cli hub update || :
     fi
 
-    if [ -z "$(cs_cli machines list -o raw)" ]; then
+    if [ "$(cs_cli machines list -o json)" = "[]" ]; then
         echo "Registering LAPI"
         cs_cli machines add --auto || :
     fi
@@ -59,12 +59,13 @@ crowdsec_precmd() {
         cs_cli capi register || :
     fi
 
-    cs_cli collections inspect crowdsecurity/linux >/dev/null || cs_cli collections install crowdsecurity/linux || :
+    # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
+    #    cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
+    #        cs_cli collections install crowdsecurity/freebsd || :
 
-    DATA_DIR=$(Config ConfigPaths.DataDir)
-    if [ ! -f "${DATA_DIR}/GeoLite2-City.mmdb" ]; then
-        echo "Installing GeoIP enricher"
-        cs_cli parsers install crowdsecurity/geoip-enrich || :
+    # So we just check for the file
+    if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
+        cs_cli collections install crowdsecurity/freebsd || :
     fi
 }
 

security/crowdsec/files/patch-Makefile

@@ -1,11 +1,26 @@
---- Makefile.orig	2021-11-17 09:15:38 UTC
+--- Makefile.orig	2021-12-21 21:18:22 UTC
 +++ Makefile
-@@ -42,7 +42,7 @@ BUILD_VERSION?="$(shell git describe --tags `git rev-l
- BUILD_GOVERSION="$(shell go version | cut -d " " -f3 | sed -E 's/[go]+//g')"
- BUILD_CODENAME=$(shell cat RELEASE.json | jq -r .CodeName)
+@@ -44,14 +44,14 @@ BUILD_CODENAME=$(shell cat RELEASE.json | jq -r .CodeN
  BUILD_TIMESTAMP=$(shell date +%F"_"%T)
--BUILD_TAG="$(shell git rev-parse HEAD)"
-+BUILD_TAG?="$(shell git rev-parse HEAD)"
+ BUILD_TAG?="$(shell git rev-parse HEAD)"
  
- export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \
+-export LD_OPTS=-ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \
++export LD_OPTS=-mod vendor -modcacherw -ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \
  -X github.com/crowdsecurity/crowdsec/pkg/cwversion.System=$(SYSTEM) \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.BuildDate=$(BUILD_TIMESTAMP) \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Codename=$(BUILD_CODENAME)  \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Tag=$(BUILD_TAG) \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.GoVersion=$(BUILD_GOVERSION)"
+ 
+-export LD_OPTS_STATIC=-ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \
++export LD_OPTS_STATIC=-mod vendor -modcacherw -ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=$(BUILD_VERSION) \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.BuildDate=$(BUILD_TIMESTAMP) \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Codename=$(BUILD_CODENAME)  \
+ -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Tag=$(BUILD_TAG) \
+@@ -176,4 +176,4 @@ check_release:
+ release: check_release build package
+ 
+ .PHONY:
+-release_static: check_release static package_static
+\ No newline at end of file
++release_static: check_release static package_static

security/crowdsec/files/patch-config_acquis.yaml

@@ -0,0 +1,12 @@
+--- config/acquis.yaml.orig	2021-12-15 10:39:37 UTC
++++ config/acquis.yaml
+@@ -11,6 +11,8 @@ filenames:
+ labels:
+   type: syslog
+ ---
+-filename: /var/log/apache2/*.log
++filenames:
++ - /var/log/httpd-access.log
++ - /var/log/httpd-error.log
+ labels:
+   type: apache2

security/crowdsec/pkg-plist

@@ -10,9 +10,13 @@ bin/crowdsec-cli
 @sample %%ETCDIR%%/config.yaml.sample
 @sample %%ETCDIR%%/profiles.yaml.sample
 @sample %%ETCDIR%%/simulation.yaml.sample
+@sample %%ETCDIR%%/notifications/email/email.yaml.sample
 @sample %%ETCDIR%%/notifications/http/http.yaml.sample
 @sample %%ETCDIR%%/notifications/slack/slack.yaml.sample
 @sample %%ETCDIR%%/notifications/splunk/splunk.yaml.sample
+%%ETCDIR%%/dev.yaml
+%%ETCDIR%%/user.yaml
+%%ETCDIR%%/crowdsec.service
 %%ETCDIR%%/patterns/aws
 %%ETCDIR%%/patterns/bacula
 %%ETCDIR%%/patterns/bro
@@ -37,10 +41,13 @@ bin/crowdsec-cli
 %%ETCDIR%%/patterns/smb
 %%ETCDIR%%/patterns/ssh
 %%ETCDIR%%/patterns/tcpdump
+@sample etc/newsyslog.conf.d/crowdsec.conf.sample
 @mode 0755
+lib/crowdsec/plugins/notification-email
 lib/crowdsec/plugins/notification-http
 lib/crowdsec/plugins/notification-slack
 lib/crowdsec/plugins/notification-splunk
 @dir %%ETCDIR%%/hub
 @dir /var/db/crowdsec/data
 @dir /var/db/crowdsec
+@dir etc/newsyslog.conf.d