Recipe for building rpm standalone, but managed installer packages for CentOS 5.4 i386
1. find the kernel version and gcc version used to compile the kernel
# cat /proc/version
2. install the kernel-headers, kernel-devel and gcc packages "with" version numbers to override installing the latest version (the normal yum behavior is to install latest available versions, which usually isn't what is desired)
# yum install kernel-headers-2.6.18-164.el5 kernel-devel-2.6.18-164.el5 gcc-4.1.2-46.el5
3. download a zipped archive of your distribution CID and unpack it
# unzip savlinux.zip
4. run the installer script
# cd savlinux; chmod 744 install.sh; ./install.sh
5. stop the currently running sophos services
# service sav-protect stop; service sav-rms stop; service sav-web stop
6. install the rpm-build package
# yum install rpm-build
7. run the package build script specifying the rpm option
# cd savlinux; chmod 744 mkinstpkg.sh; ./mkinstpkg.sh -r
8. provide the update source from which to update
RPM package is '/savlinux/savinstpkg-0.0-1.i386.rpm'
if using Windows 2008 IIS to distribute the linux updates, be aware of the ++ not served problem
9. enable double escaping request feature in the IIS server configuration (consider the security implications)
C:\>%windir%\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
10. copy the rpm to new end point and install
# rpm -i savinstpkg-0.0-1.i386.rpm
note: if serving updates from IIS and double escaping is not enabled, rpm will fail with a %post scriptlet failure
Steps 1, 2, 4 & 5 shouldn't be required to create the RPM package.
Steps 1 & 2 are required on all the machines you are installing the RPM on. (Unless you set-up custom Talpa Binary Pack distribution).
Step 5 shouldn't be required in general - stopping sav-web is required to work-around a bug in the current SAV6 code.
You should probably use 700 permissions, rather than 744, although it won't make a real difference.
On a patched system with access to remote repositories, a default yum command does pull the most recent available kernel and gcc versions. It's still happening, so I'm puzzled why it's not necessary.
Perhaps it's assumed a yum.conf file is configured to be "Secure" and not trust other repositories?
Agreed 700 would be preferred.. but didn't know what would be required by the build process.. so changed as little as possible.
You don't need kernel headers or compiler to create an RPM package.
You do need matching kernel headers and compiler (to the running kernel) in order to compile Talpa, to get on-access scanning.
You don't need to install Sophos Anti-Virus before you create a RPM package.
Issues configuring Windows IIS6.1 (Windows 2008r2) to serve Sophos Linux client updates:
Using the [ Internet Information Services (IIS) Manager ] - there may be CLI methods, but they drift so much between releases they are a moving target.. most of the time Windows standardizes and supports the GUI more often than not, so it's advisable not to fight their decisions.
1. double escape
Default Web Site (at appropriate level) - Features View - Request Filtering - Actions: Edit Feature Settings... - Checkbox - Allow double escaping
2. [bin] path blockage
This affects path:
Which if it's not available, updates will not occur.
IIS error message page will say
404 - File or directory not found.
rpm package install will say
warning: %post(savinstpkg-0.0-1.x86_64) scriptlet failed, exit status 1
Default Web Site (at appropriate level) - Features View - Request Filtering - Hidden Segments (tab) - Select [bin] - Actions: Remove
3. Handler mappings (or Mime)
Default Web Site (at appropriate level) - Features View - Request Filtering - Handler Mappings - Actions: Add Managed Handler. - Request path: .* - Type: application/octet-stream - Name: Sophos
4. Repository needs to be addressed with a particular managed CID when creating RPM packages
NOT this ->
5. Restart the [entire] Web service to make sure changes go into effect.
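An added example, not part of the thread or of any Sophos tooling: a small audit that lists which files in a local copy of the update share would get a 404 from IIS request filtering in its stock configuration, so you can see whether the double-escaping and [bin] changes above are actually needed before relaxing them. The sample file names are constructed, not the real CID layout, and the double-escape test is an approximation of what IIS does (a literal "+" or a path that changes when URL-decoded a second time).

```python
import os
from urllib.parse import quote, unquote

# Segments hidden by IIS 7.x request filtering in its stock configuration.
DEFAULT_HIDDEN_SEGMENTS = {
    "web.config", "bin", "app_code", "app_globalresources",
    "app_localresources", "app_webreferences", "app_data", "app_browsers",
}

def findings_for(rel_path):
    """Reasons a default IIS request filter would answer 404 for rel_path."""
    segments = [s for s in rel_path.replace("\\", "/").split("/") if s]
    # Hidden segments match whole path segments, case-insensitively.
    reasons = [f"hidden segment [{s}]" for s in segments
               if s.lower() in DEFAULT_HIDDEN_SEGMENTS]
    # Approximation (assumption): the client sends '+' unencoded and
    # percent-encodes everything else that needs it.
    requested = quote("/".join(segments), safe="/+")
    once = unquote(requested)
    if "+" in requested or unquote(once) != once:
        reasons.append("double escaping")
    return reasons

def audit(paths):
    """Map each blocked path to its reasons; paths that pass are omitted."""
    report = {p: findings_for(p) for p in paths}
    return {p: r for p, r in report.items() if r}

def audit_tree(root):
    """Audit every file under a local copy of the update share."""
    rels = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rels.append(os.path.relpath(os.path.join(dirpath, name), root))
    return audit(rels)

# Constructed sample names, not the real CID layout.
SAMPLE = [
    "cid/bin/agent.tgz",
    "cid/lib/libstdc++.so.6",
    "cid/doc/readme.txt",
    "cid/data/100%25.dat",
]

if __name__ == "__main__":
    for path, reasons in sorted(audit(SAMPLE).items()):
        print(f"{path}: {', '.join(reasons)}")
```

An empty result from `audit_tree()` on the share means neither request filtering change is needed for that content.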