Merge remote-tracking branch 'origin/topic/robin/maintenaince'

* origin/topic/robin/maintenaince:
  Add pre-commit config.
  Reformat Zeek scripts with `zeek-script`.
  Update license.
  Hardcode Ubuntu version for CI.

.github/workflows/main.yml

@@ -2,13 +2,17 @@ name: CI pipeline
 
 on: push
 
-env:
-  ZEEK_LTS: -lts
-  ZEEK_VERSION: 4.0.4-0
-
 jobs:
-  test_ubuntu_latest:
-    runs-on: ubuntu-latest
+  test_ubuntu_22:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        zeek: [{version: 6.0.2-0, tag: -lts}]
+
+    env:
+      ZEEK_VERSION: ${{ matrix.zeek.version }}
+      ZEEK_TAG: ${{ matrix.zeek.tag }}
 
     steps:
       - name: Prepare
@@ -19,8 +23,8 @@ jobs:
 
       - name: Install Zeek
         run: |
-          (cd /tmp && curl -L -O https://download.zeek.org/binary-packages/xUbuntu_20.04/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb)
-          sudo apt install -y /tmp/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb
+          (cd /tmp && curl -L -O https://download.zeek.org/binary-packages/xUbuntu_22.04/amd64/zeek${ZEEK_TAG}-core_${ZEEK_VERSION}_amd64.deb)
+          sudo apt install -y /tmp/zeek${ZEEK_TAG}-core_${ZEEK_VERSION}_amd64.deb
           echo "/opt/zeek/bin:$PATH" >> $GITHUB_PATH
 
       - name: Checkout repository
@@ -45,9 +49,9 @@ jobs:
             zeek-agent/tests/.tmp
 
   publish_release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: startsWith(github.ref, 'refs/tags/v')
-    needs: [test_ubuntu_latest]
+    needs: [test_ubuntu_22]
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

.pre-commit-config.yaml

@@ -15,11 +15,12 @@ repos:
   hooks:
   - id: trailing-whitespace
   - id: end-of-file-fixer
+  - id: check-yaml
   - id: check-added-large-files
 
 - repo: https://github.com/jorisroovers/gitlint
   rev:  v0.17.0
   hooks:
   - id: gitlint
 
-exclude: /Baseline/
+exclude: 3rdparty/|/Baseline/

CHANGES

@@ -1,3 +1,12 @@
+2.3.0-dev.10 | 2024-01-15 10:56:14 +0100
+
+  * Various maintenance:
+
+      - Add pre-commit config.
+      - Reformat Zeek scripts with `zeek-script`.
+      - Update license.
+      - Hardcode Ubuntu version for CI.
+
 2.3.0-dev.5 | 2024-01-09 08:54:27 +0100
 
   * `authorized_keys`: Split file globs by platform. Scanning

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2022 by the Zeek Project through the International
+Copyright (c) 2022-2024 by the Zeek Project through the International
 Computer Science Institute. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

VERSION

@@ -1 +1 @@
-2.3.0-dev.5
+2.3.0-dev.10

auxil/format-zeek-script

@@ -1,7 +1,12 @@
-#! /bin/sh
+#! /usr/bin/env bash
 
-type -P zeek-script >/dev/null 2>&1 || exit 0
+type zeek-script >/dev/null 2>&1 || exit 0
 
-for i in $@; do
-    zeek-script format ${i} >${i}.tmp && mv -f ${i}.tmp ${i}
+rc=0
+
+for i in "$@"; do
+    zeek-script format -ir "${i}" 2>&1 | grep -v '0 errors'
+    test "${PIPESTATUS[0]}" -ne 0 && rc=1
 done
+
+exit ${rc}

scripts/framework/main.zeek

@@ -86,10 +86,10 @@ export {
 
 	## Expiration interval for an agent's state after not hearing from it
 	## anymore. (Note that this should be longer than the agent's hello interval.)
-	option agent_timeout = 10 mins;
+	option agent_timeout = 10mins;
 
 	## Interval to broadcast ``hello`` events to all connected agents.
-	option hello_interval = 60 secs;
+	option hello_interval = 60secs;
 
 @if ( Version::number < 50000 )
 	## If non-zero and we are on Zeek < 5.0, listen on this port for
@@ -155,7 +155,7 @@ function log_update(agent_id: string, type_: string)
 	# Callers guarantee that the ID is in the table.
 	local agent = agents[agent_id];
 
-	local log: Info = [$ts=network_time(), $type_=type_, $hid=agent_id];
+	local log: Info = [ $ts=network_time(), $type_=type_, $hid=agent_id ];
 
 	local hello = agent$hello;
 
@@ -183,7 +183,7 @@ function log_update(agent_id: string, type_: string)
 function agent_expired(t: table[string] of Agent, agent_id: string): interval
 	{
 	log_update(agent_id, "offline");
-	return 0 secs;
+	return 0secs;
 	}
 
 function make_topic(qstate: QueryState, agent_id: string): string
@@ -225,17 +225,17 @@ function send_query_to_all_agents(query_id: string)
 
 function send_hello_to_agent(agent_id: string)
 	{
-	local hello: ZeekAgentAPI::ZeekHelloV1 = [$version_string=zeek_version(),
-	    $version_number=Version::number, $package_version=package_version];
+	local hello: ZeekAgentAPI::ZeekHelloV1 = [ $version_string=zeek_version(),
+	    $version_number=Version::number, $package_version=package_version ];
 	local ev = Broker::make_event(ZeekAgentAPI::zeek_hello_v1, zeek_instance,
 	    hello);
 	Broker::publish(fmt("/zeek-agent/query/host/%s", agent_id), ev);
 	}
 
 function send_hello_to_all_agents()
 	{
-	local hello: ZeekAgentAPI::ZeekHelloV1 = [$version_string=zeek_version(),
-	    $version_number=Version::number, $package_version=package_version];
+	local hello: ZeekAgentAPI::ZeekHelloV1 = [ $version_string=zeek_version(),
+	    $version_number=Version::number, $package_version=package_version ];
 	local ev = Broker::make_event(ZeekAgentAPI::zeek_hello_v1, zeek_instance,
 	    hello);
 	Broker::publish("/zeek-agent/query/group/all", ev);
@@ -265,8 +265,8 @@ function cancel(query_id: string)
 function query(query: Query, scope: Scope, target: string): string
 	{
 	local query_id = unique_id("za_");
-	queries[query_id] = [$query_id=query_id, $scope=scope, $target=target,
-	    $query=query];
+	queries[query_id] = [ $query_id=query_id, $scope=scope, $target=target,
+	    $query=query ];
 
 	send_query_to_all_agents(query_id);
 	return query_id;
@@ -347,14 +347,13 @@ event send_zeek_hello()
 event zeek_init() &priority=100
 	{
 	zeek_instance = unique_id("zeek_");
-	Log::create_stream(LOG, [$columns=Info, $path="zeek-agent",
-	    $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $path="zeek-agent", $policy=log_policy ]);
 
 	if ( file_size(package_version_file) > 0 )
-		Input::add_event([$source=package_version_file, $reader=Input::READER_RAW,
+		Input::add_event([ $source=package_version_file, $reader=Input::READER_RAW,
 		    $mode=Input::MANUAL, $name="package_version",
 		    $fields=PackageVersionLine, $ev=package_version_line,
-		    $want_record=F]);
+		    $want_record=F ]);
 	}
 
 event zeek_init() &priority=-10
@@ -415,8 +414,8 @@ event ZeekAgentAPI::agent_hello_v1(ctx: ZeekAgent::Context,
 		}
 	else
 		{
-		agents[agent_id] = [$last_seen=network_time(), $hello_id=ctx$query_id,
-		    $hello=columns];
+		agents[agent_id] = [ $last_seen=network_time(), $hello_id=ctx$query_id,
+		    $hello=columns ];
 		log_update(agent_id, "join");
 		send_hello_to_agent(agent_id);
 		send_all_queries_to_agent(agent_id);

scripts/table/files.zeek

@@ -5,7 +5,7 @@ export {
 	const paths_to_watch = set("/etc/*", "/etc/*/*") &redef;
 
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -53,15 +53,15 @@ event zeek_init()
 		return;
 
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-files",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-files",
+	    $field_name_map=field_name_map ]);
 
 	for ( p in paths_to_watch )
 		{
 		local stmt = fmt("SELECT * FROM files_list(\"%s\")", p);
-		ZeekAgent::query([$sql_stmt=stmt, $event_=query_result,
-		    $schedule_=query_interval, $subscription=subscription]);
+		ZeekAgent::query([ $sql_stmt=stmt, $event_=query_result,
+		    $schedule_=query_interval, $subscription=subscription ]);
 		}
 	}

scripts/table/processes.zeek

@@ -2,7 +2,7 @@ module ZeekAgent_Processes;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -47,12 +47,12 @@ event ZeekAgent_Processes::query_result(ctx: ZeekAgent::Context,
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-processes",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-processes",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes",
+	ZeekAgent::query([ $sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes",
 	    $event_=query_result, $schedule_=query_interval,
-	    $subscription=subscription]);
+	    $subscription=subscription ]);
 	}

scripts/table/sockets.zeek

@@ -2,7 +2,7 @@ module ZeekAgent_Sockets;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -49,11 +49,11 @@ event ZeekAgent_Sockets::query_result(ctx: ZeekAgent::Context, columns: Columns)
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-sockets",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-sockets",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT * FROM sockets", $event_=query_result,
-	    $schedule_=query_interval, $subscription=subscription]);
+	ZeekAgent::query([ $sql_stmt="SELECT * FROM sockets", $event_=query_result,
+	    $schedule_=query_interval, $subscription=subscription ]);
 	}

scripts/table/ssh.zeek

@@ -6,13 +6,12 @@ export {
 	    "/etc/ssh/sshd_config.d/*");
 
 	## Paths to find `authorized_keys` files in.
-	option key_paths_to_watch: table[string] of set[string] = {
-		["linux"] = set("/home/*/.ssh/authorized_keys"),
-		["darwin"] = set("/Users/*/.ssh/authorized_keys")
-	};
+	option key_paths_to_watch: table[string] of set[string] = { [ "linux" ] = set(
+	    "/home/*/.ssh/authorized_keys"), [ "darwin" ] = set(
+	    "/Users/*/.ssh/authorized_keys") };
 
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -95,41 +94,42 @@ event zeek_init()
 		{
 		local field_name_map_configs = ZeekAgent::log_column_map(ColumnsConfigs,
 		    "columns.");
-		Log::create_stream(LOG_CONFIGS, [$columns=InfoConfigs,
-		    $policy=log_policy_configs]);
+		Log::create_stream(LOG_CONFIGS, [ $columns=InfoConfigs,
+		    $policy=log_policy_configs ]);
 		Log::remove_default_filter(LOG_CONFIGS);
-		Log::add_filter(LOG_CONFIGS, [$name="default", $path="zeek-agent-ssh-configs",
-		    $field_name_map=field_name_map_configs]);
+		Log::add_filter(LOG_CONFIGS, [ $name="default",
+		    $path="zeek-agent-ssh-configs",
+		    $field_name_map=field_name_map_configs ]);
 
 		for ( p in config_paths_to_watch )
 			{
 			local stmt_configs = fmt("SELECT * FROM files_columns(\"%s\", \"$1:text,$2:text\")",
 			    p);
-			ZeekAgent::query([$sql_stmt=stmt_configs, $event_=query_result_configs,
+			ZeekAgent::query([ $sql_stmt=stmt_configs, $event_=query_result_configs,
 			    $schedule_=query_interval,
-			    $subscription=subscription]);
+			    $subscription=subscription ]);
 			}
 		}
 
 	if ( |key_paths_to_watch| != 0 )
 		{
 		local field_name_map_keys = ZeekAgent::log_column_map(ColumnsKeys,
 		    "columns.");
-		Log::create_stream(LOG_KEYS, [$columns=InfoKeys, $policy=log_policy_keys]);
+		Log::create_stream(LOG_KEYS, [ $columns=InfoKeys, $policy=log_policy_keys ]);
 		Log::remove_default_filter(LOG_KEYS);
-		Log::add_filter(LOG_KEYS, [$name="default",
+		Log::add_filter(LOG_KEYS, [ $name="default",
 		    $path="zeek-agent-ssh-authorized-keys",
-		    $field_name_map=field_name_map_keys]);
-
+		    $field_name_map=field_name_map_keys ]);
 
 		for ( platform in key_paths_to_watch )
 			{
 			for ( path in key_paths_to_watch[platform] )
 				{
 				local stmt_keys = fmt("SELECT * FROM files_lines(\"%s\")", path);
-				ZeekAgent::query([$sql_stmt=stmt_keys, $event_=query_result_keys,
+				ZeekAgent::query([ $sql_stmt=stmt_keys, $event_=query_result_keys,
 				    $schedule_=query_interval,
-				    $subscription=subscription], ZeekAgent::Group, platform);
+				    $subscription=subscription ],
+				    ZeekAgent::Group, platform);
 				}
 			}
 		}

scripts/table/system-logs.zeek

@@ -2,7 +2,7 @@ module ZeekAgent_SystemLogs;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -40,13 +40,13 @@ event ZeekAgent_SystemLogs::query_result(ctx: ZeekAgent::Context,
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-system-logs",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-system-logs",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT * FROM system_logs_events",
+	ZeekAgent::query([ $sql_stmt="SELECT * FROM system_logs_events",
 	    $event_=query_result, $schedule_=query_interval,
 	    $subscription=ZeekAgent::Events, $requires_tables=set(
-	    "system_logs_events")]);
+	    "system_logs_events") ]);
 	}