diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml index 6099b5218714..3d7819803697 100644 --- a/nixos/doc/manual/release-notes/rl-unstable.xml +++ b/nixos/doc/manual/release-notes/rl-unstable.xml @@ -42,6 +42,7 @@ nixos.path = ./nixpkgs-unstable-2015-12-06/nixos; services/monitoring/longview.nix services/web-apps/pump.io.nix + services/security/haka.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 0780c1f4e423..f0b90d3d8c80 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -395,6 +395,7 @@ ./services/security/fprintd.nix ./services/security/fprot.nix ./services/security/frandom.nix + ./services/security/haka.nix ./services/security/haveged.nix ./services/security/hologram.nix ./services/security/munge.nix diff --git a/nixos/modules/services/security/haka.nix b/nixos/modules/services/security/haka.nix new file mode 100644 index 000000000000..4f2bdd29cc49 --- /dev/null +++ b/nixos/modules/services/security/haka.nix 
@@ -0,0 +1,156 @@
+# This module defines global configuration for Haka.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.haka;
+
+ haka = cfg.package;
+
+ hakaConf = pkgs.writeText "haka.conf"
+ ''
+ [general]
+ configuration = ${if lib.strings.hasPrefix "/" cfg.configFile
+ then "${cfg.configFile}"
+ else "${haka}/share/haka/sample/${cfg.configFile}"}
+ ${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}
+
+ [packet]
+ ${optionalString cfg.pcap ''module = "packet/pcap"''}
+ ${optionalString cfg.nfqueue ''module = "packet/nqueue"''}
+ ${optionalString cfg.dump.enable ''dump = "yes"''}
+ ${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
+ ${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}
+
+ interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"
+
+ [log]
+ # Select the log module
+ module = "log/syslog"
+
+ # Set the default logging level
+ #level = "info,packet=debug"
+
+ [alert]
+ # Select the alert module
+ module = "alert/syslog"
+
+ # Disable alert on standard output
+ #alert_on_stdout = no
+
+ # alert/file module option
+ #file = "/dev/null"
+ '';
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.haka = {
+
+ enable = mkEnableOption "Haka";
+
+ package = mkOption {
+ default = pkgs.haka;
+ type = types.package;
+ description = "
+ Which Haka derivation to use.
+ ";
+ };
+
+ configFile = mkOption {
+ default = "empty.lua";
+ example = "/srv/haka/myfilter.lua";
+ type = types.string;
+ description = ''
+ Specify which configuration file Haka uses.
+ It can be absolute path or a path relative to the sample directory of
+ the haka git repo.
+ '';
+ };
+
+ interfaces = mkOption {
+ default = [ "eth0" ];
+ example = [ "any" ];
+ type = with types; listOf string;
+ description = ''
+ Specify which interface(s) Haka listens to.
+ Use 'any' to listen to all interfaces.
+ '';
+ };
+
+ threads = mkOption {
+ default = 0;
+ example = 4;
+ type = types.int;
+ description = ''
+ The number of threads that will be used.
+ All system threads are used by default.
+ '';
+ };
+
+ pcap = mkOption {
+ default = true;
+ example = false;
+ type = types.bool;
+ description = "Whether to enable pcap";
+ };
+
+ nfqueue = mkEnableOption "nfqueue";
+
+ dump.enable = mkEnableOption "dump";
+ dump.input = mkOption {
+ default = "/tmp/input.pcap";
+ example = "/path/to/file.pcap";
+ type = types.path;
+ description = "Path to file where incoming packets are dumped";
+ };
+
+ dump.output = mkOption {
+ default = "/tmp/output.pcap";
+ example = "/path/to/file.pcap";
+ type = types.path;
+ description = "Path to file where outgoing packets are dumped";
+ };
+ };
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ assertions = [
+ { assertion = cfg.pcap != cfg.nfqueue;
+ message = "either pcap or nfqueue can be enabled, not both.";
+ }
+ { assertion = cfg.nfqueue -> !dump.enable;
+ message = "dump can only be used with nfqueue.";
+ }
+ { assertion = cfg.interfaces != [];
+ message = "at least one interface must be specified.";
+ }];
+
+
+ environment.systemPackages = [ haka ];
+
+ systemd.services.haka = {
+ description = "Haka";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ ExecStart = "${haka}/bin/haka -c ${hakaConf}";
+ ExecStop = "${haka}/bin/hakactl stop";
+ User = "root";
+ Type = "forking";
+ };
+ };
+ };
+}
diff --git a/nixos/tests/haka.nix b/nixos/tests/haka.nix
new file mode 100644
index 000000000000..40548f34690f
--- /dev/null
+++ b/nixos/tests/haka.nix
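Review bot: The nfqueue branch of the generated `[packet]` section writes `module = "packet/nqueue"`, which disagrees with the `nfqueue` option name used everywhere else in this module and looks like a typo for `packet/nfqueue`; it would only show up at runtime for a user who turns nfqueue on. `"thread = ${cfg.threads}"` interpolates an integer into a string, which Nix refuses to coerce, so any `threads` value above 0 fails evaluation — it needs `"thread = ${toString cfg.threads}"`. The second assertion references `dump.enable` instead of `cfg.dump.enable`, an undefined name that is only reached once `nfqueue = true`, and its predicate `cfg.nfqueue -> !dump.enable` states the opposite of its message; if the message is the intended rule, the predicate should be `cfg.dump.enable -> cfg.nfqueue`. On the hardening side, the unit runs with `User = "root"` and the `dump.input`/`dump.output` defaults place root-written capture files at predictable names in world-writable `/tmp`, so a dedicated directory such as `/var/lib/haka` would avoid symlink races and keep captured traffic out of a shared tmp.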
@@ -0,0 +1,24 @@
+# This test runs haka and probes it with hakactl
+
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "haka";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ tvestelind ];
+ };
+
+ nodes = {
+ haka =
+ { config, pkgs, ... }:
+ {
+ services.haka.enable = true;
+ };
+ };
+
+ testScript = ''
+ startAll;
+
+ $haka->waitForUnit("haka.service");
+ $haka->succeed("hakactl status");
+ $haka->succeed("hakactl stop");
+ '';
+})
diff --git a/pkgs/tools/security/haka/default.nix b/pkgs/tools/security/haka/default.nix
new file mode 100644
index 000000000000..d040aaa6aea8
--- /dev/null
+++ b/pkgs/tools/security/haka/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, fetchurl, cmake, swig, wireshark, check, rsync, libpcap, gawk, libedit, pcre }:
+
+let version = "0.3.0"; in
+
+stdenv.mkDerivation rec {
+ name = "haka-${version}";
+
+ src = fetchurl {
+ name = "haka_${version}_source.tar.gz";
+ url = "https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz";
+
+ # https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
+ sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";
+ };
+
+ preConfigure = ''
+ sed -i 's,/etc,'$out'/etc,' src/haka/haka.c
+ sed -i 's,/etc,'$out'/etc,' src/haka/CMakeLists.txt
+ sed -i 's,/opt/haka/etc,$out/opt/haka/etc,' src/haka/haka.1
+ sed -i 's,/etc,'$out'/etc,' doc/user/tool_suite_haka.rst
+ '';
+
+ buildInputs = [ cmake swig wireshark check rsync libpcap gawk libedit pcre ];
+
+ enableParallelBuilding = true;
+
+ meta = {
+ dscription = "A collection of tools that allows capturing TCP/IP packets and filtering them based on Lua policy files";
+ homepage = http://www.haka-security.org/;
+ license = stdenv.lib.licenses.mpl20;
+ maintaineres = [ stdenv.lib.maintainers.tvestelind ];
+ platforms = stdenv.lib.platforms.linux;
+ };
+}
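Review bot: Only the module defaults are exercised here (pcap on `eth0`), so the nfqueue/dump branch of the module — where the extra assertions and the generated `dump_*` lines live — is never evaluated, and an evaluation error in that branch would not be caught by this test. A second node such as `services.haka = { enable = true; pcap = false; nfqueue = true; };` probed with the same `hakactl status` call would at least force that branch through the evaluator, assuming the nfqueue packet module can start inside the test VM. Note also that `hakactl status` succeeding only shows the control channel is up; nothing here checks that a packet on the interface is actually seen by Haka.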
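Review bot: The tarball is pinned with `sha1`, while fetchurl in nixpkgs otherwise uses sha256, and the referenced `.sha1.txt` is served from the same release location as the tarball, so it adds no independent check; a `sha256 = "..."` computed from the download should replace it. The third sed line keeps `$out` inside single quotes — `'s,/opt/haka/etc,$out/opt/haka/etc,'` — unlike the other three, so the literal text `$out` ends up in `haka.1` instead of the store path; it should read `sed -i 's,/opt/haka/etc,'$out'/opt/haka/etc,' src/haka/haka.1`. In `meta`, `dscription` and `maintaineres` are misspelled, and because Nix silently accepts unknown attributes the package would surface with no description and no maintainers.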
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 16a90aab7c7b..da89ca73a5f5 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -9365,6 +9365,8 @@ let groovebasin = callPackage ../applications/audio/groovebasin { }; + haka = callPackage ../tools/security/haka { }; + heapster = (callPackage ../servers/monitoring/heapster { }).bin // { outputs = ["bin"]; }; hbase = callPackage ../servers/hbase {};