
Merge pull request #12560 from tvestelind/haka

Haka: new package

+218
+1
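--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -42,6 +42,7 @@
 <itemizedlist>
 <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem>
 <listitem><para><literal>services/web-apps/pump.io.nix</literal></para></listitem>
+<listitem><para><literal>services/security/haka.nix</literal></para></listitem>
 </itemizedlist>
 </para>
 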
+1
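--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -395,6 +395,7 @@
 ./services/security/fprintd.nix
 ./services/security/fprot.nix
 ./services/security/frandom.nix
+./services/security/haka.nix
 ./services/security/haveged.nix
 ./services/security/hologram.nix
 ./services/security/munge.nix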
+156
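--- /dev/null
+++ b/nixos/modules/services/security/haka.nix
@@ -0,0 +1,156 @@
+# This module defines global configuration for Haka.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.haka;
+
+haka = cfg.package;
+
+hakaConf = pkgs.writeText "haka.conf"
+''
+[general]
+configuration = ${if lib.strings.hasPrefix "/" cfg.configFile
+then "${cfg.configFile}"
+else "${haka}/share/haka/sample/${cfg.configFile}"}
+${optionalString (builtins.lessThan 0 cfg.threads) "thread = ${cfg.threads}"}
+
+[packet]
+${optionalString cfg.pcap ''module = "packet/pcap"''}
+${optionalString cfg.nfqueue ''module = "packet/nqueue"''}
+${optionalString cfg.dump.enable ''dump = "yes"''}
+${optionalString cfg.dump.enable ''dump_input = "${cfg.dump.input}"''}
+${optionalString cfg.dump.enable ''dump_output = "${cfg.dump.output}"''}
+
+interfaces = "${lib.strings.concatStringsSep "," cfg.interfaces}"
+
+[log]
+# Select the log module
+module = "log/syslog"
+
+# Set the default logging level
+#level = "info,packet=debug"
+
+[alert]
+# Select the alert module
+module = "alert/syslog"
+
+# Disable alert on standard output
+#alert_on_stdout = no
+
+# alert/file module option
+#file = "/dev/null"
+'';
+
+in
+
+{
+
+###### interface
+
+options = {
+
+services.haka = {
+
+enable = mkEnableOption "Haka";
+
+package = mkOption {
+default = pkgs.haka;
+type = types.package;
+description = "
+Which Haka derivation to use.
+";
+};
+
+configFile = mkOption {
+default = "empty.lua";
+example = "/srv/haka/myfilter.lua";
+type = types.string;
+description = ''
+Specify which configuration file Haka uses.
+It can be absolute path or a path relative to the sample directory of
+the haka git repo.
+'';
+};
+
+interfaces = mkOption {
+default = [ "eth0" ];
+example = [ "any" ];
+type = with types; listOf string;
+description = ''
+Specify which interface(s) Haka listens to.
+Use 'any' to listen to all interfaces.
+'';
+};
+
+threads = mkOption {
+default = 0;
+example = 4;
+type = types.int;
+description = ''
+The number of threads that will be used.
+All system threads are used by default.
+'';
+};
+
+pcap = mkOption {
+default = true;
+example = false;
+type = types.bool;
+description = "Whether to enable pcap";
+};
+
+nfqueue = mkEnableOption "nfqueue";
+
+dump.enable = mkEnableOption "dump";
+dump.input = mkOption {
+default = "/tmp/input.pcap";
+example = "/path/to/file.pcap";
+type = types.path;
+description = "Path to file where incoming packets are dumped";
+};
+
+dump.output = mkOption {
+default = "/tmp/output.pcap";
+example = "/path/to/file.pcap";
+type = types.path;
+description = "Path to file where outgoing packets are dumped";
+};
+};
+};
+
+
+###### implementation
+
+config = mkIf cfg.enable {
+
+assertions = [
+{ assertion = cfg.pcap != cfg.nfqueue;
+message = "either pcap or nfqueue can be enabled, not both.";
+}
+{ assertion = cfg.nfqueue -> !dump.enable;
+message = "dump can only be used with nfqueue.";
+}
+{ assertion = cfg.interfaces != [];
+message = "at least one interface must be specified.";
+}];
+
+
+environment.systemPackages = [ haka ];
+
+systemd.services.haka = {
+description = "Haka";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${haka}/bin/haka -c ${hakaConf}";
+ExecStop = "${haka}/bin/hakactl stop";
+User = "root";
+Type = "forking";
+};
+};
+};
+}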
+24
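--- /dev/null
+++ b/nixos/tests/haka.nix
@@ -0,0 +1,24 @@
+# This test runs haka and probes it with hakactl
+
+import ./make-test.nix ({ pkgs, ...} : {
+name = "haka";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ tvestelind ];
+};
+
+nodes = {
+haka =
+{ config, pkgs, ... }:
+{
+services.haka.enable = true;
+};
+};
+
+testScript = ''
+startAll;
+
+$haka->waitForUnit("haka.service");
+$haka->succeed("hakactl status");
+$haka->succeed("hakactl stop");
+'';
+})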
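Review bot: The test exercises only the default configuration (pcap on `eth0`), so the `nfqueue` and `dump` code paths of the module, including the assertions that guard them, are never evaluated and a regression there would pass CI. A second node with `services.haka.pcap = false; services.haka.nfqueue = true; services.haka.dump.enable = true;` would cover those branches and should also assert that the dump files are created with the expected ownership and mode, since the daemon runs as root.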
+34
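--- /dev/null
+++ b/pkgs/tools/security/haka/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, fetchurl, cmake, swig, wireshark, check, rsync, libpcap, gawk, libedit, pcre }:
+
+let version = "0.3.0"; in
+
+stdenv.mkDerivation rec {
+name = "haka-${version}";
+
+src = fetchurl {
+name = "haka_${version}_source.tar.gz";
+url = "https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz";
+
+# https://github.com/haka-security/haka/releases/download/v${version}/haka_${version}_source.tar.gz.sha1.txt
+sha1 = "87625ed32841cc0b3aa92aa49397ce71ce434bc2";
+};
+
+preConfigure = ''
+sed -i 's,/etc,'$out'/etc,' src/haka/haka.c
+sed -i 's,/etc,'$out'/etc,' src/haka/CMakeLists.txt
+sed -i 's,/opt/haka/etc,$out/opt/haka/etc,' src/haka/haka.1
+sed -i 's,/etc,'$out'/etc,' doc/user/tool_suite_haka.rst
+'';
+
+buildInputs = [ cmake swig wireshark check rsync libpcap gawk libedit pcre ];
+
+enableParallelBuilding = true;
+
+meta = {
+dscription = "A collection of tools that allows capturing TCP/IP packets and filtering them based on Lua policy files";
+homepage = http://www.haka-security.org/;
+license = stdenv.lib.licenses.mpl20;
+maintaineres = [ stdenv.lib.maintainers.tvestelind ];
+platforms = stdenv.lib.platforms.linux;
+};
+}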
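Review bot: The source is pinned with `sha1` only (line 13), copied from the checksum file published next to the tarball; a SHA-1 fixed-output hash is weaker than the `sha256` nixpkgs normally uses, and taking the hash from the same origin as the archive verifies nothing beyond transport — compute the hash locally with `nix-prefetch-url` and pin `sha256 = "…";` instead. In `preConfigure`, line 19 keeps `$out` inside the single quotes (`'s,/opt/haka/etc,$out/opt/haka/etc,'`), so unlike lines 17, 18 and 20 it writes the literal text `$out` into the man page; it should be `sed -i 's,/opt/haka/etc,'$out'/opt/haka/etc,' src/haka/haka.1`. `meta` spells `dscription` and `maintaineres` (lines 28 and 31), which Nix accepts silently, so the package is published with no description and no maintainer; rename them to `description` and `maintainers`.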
+2
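--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9365,6 +9365,8 @@
 
 groovebasin = callPackage ../applications/audio/groovebasin { };
 
+haka = callPackage ../tools/security/haka { };
+
 heapster = (callPackage ../servers/monitoring/heapster { }).bin // { outputs = ["bin"]; };
 
 hbase = callPackage ../servers/hbase {};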