diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..8006b5f --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,15 @@ +## 0.1.3 - 2023-08-07 + +### Added +- Integrated OpenSearch support to enable powerful search capabilities. +- Implemented OpenSearch template with specific mappings to align with new data structure. +- Added nested field support in OpenSearch for enhanced querying within the `misp` field. +- RPM install capabilities. +- Gem packaging of the code. + +### Changed +- Modified Fluentd configuration to forward logs to OpenSearch. +- Adjusted log format to match the new OpenSearch template (if applicable). + +### Fixed +- diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..28c33c5 --- /dev/null +++ b/Gemfile @@ -0,0 +1,5 @@ +source 'https://rubygems.org' + +# Specify your gem's dependencies in fluent-plugin-out_filter_list.gemspec +gemspec + diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..70236e4 --- /dev/null +++ b/Gemfile.lock 
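Review bot: The Gemfile comment points at `fluent-plugin-out_filter_list.gemspec`, which is not a file in this repository — it looks copied from another gem's template, while the `gemspec` directive actually resolves to `pdnssoc.gemspec`. Change it to `# Specify your gem's dependencies in pdnssoc.gemspec` so the next maintainer does not go looking for a spec that does not exist.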
@@ -0,0 +1,55 @@ +PATH + remote: . + specs: + pdnssoc (0.1.0) + fluent-plugin-filter-list + misp + parseconfig + +GEM + remote: https://rubygems.org/ + specs: + concurrent-ruby (1.2.2) + cool.io (1.7.1) + fluent-plugin-filter-list (0.7.5) + fluentd (>= 0.14.0, < 2.0.0) + fluentd (1.16.2) + bundler + cool.io (>= 1.4.5, < 2.0.0) + http_parser.rb (>= 0.5.1, < 0.9.0) + msgpack (>= 1.3.1, < 2.0.0) + serverengine (>= 2.3.2, < 3.0.0) + sigdump (~> 0.2.5) + strptime (>= 0.2.4, < 1.0.0) + tzinfo (>= 1.0, < 3.0) + tzinfo-data (~> 1.0) + webrick (~> 1.4) + yajl-ruby (~> 1.0) + http_parser.rb (0.8.0) + misp (0.1.4) + msgpack (1.7.2) + parseconfig (1.1.2) + rake (13.0.6) + serverengine (2.3.2) + sigdump (~> 0.2.2) + sigdump (0.2.5) + strptime (0.2.5) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + tzinfo-data (1.2023.3) + tzinfo (>= 1.0.0) + webrick (1.8.1) + yajl-ruby (1.4.3) + +PLATFORMS + x86_64-linux + +DEPENDENCIES + fluent-plugin-filter-list + misp + parseconfig + pdnssoc! + rake + +BUNDLED WITH + 2.4.17 diff --git a/README.md b/README.md index 6c9d332..68d8d40 100644 --- a/README.md +++ b/README.md 
@@ -70,103 +70,72 @@ pDNSSOC operators are typically security teams at NREN CERTs, e-infratructure se ### VM deployment 1. Get a fresh CENTOS 9 or AlmaLinux 9 (or any binary-compatible system with Red Hat Enterprise Linux 9) VM -2. Execute the install script, for example: +2. Install the needed libraries: ``` - curl -L https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/install.sh | sh +yum install gem jq rubygems-devel ``` -3. Populate the configuration in `/etc/pdnssoc/pdnssoc.conf` with the MISP server(s) details and the alert emails details -4. Do an initial load of malicious domains from MISP: +3. Download and install td-agent (fluentd): ``` -/etc/pdnssoc/pdnssoc.cron -systemctl restart td-agent +curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent4.sh | sh ``` -5. That's it! - -Directory structure: +4. Download the gem file: ``` -/etc/pdnssoc/pdnssoc.conf -/etc/pdnssoc/notification_email.html -/etc/td-agent/misp_domains.txt -/etc/td-agent/td-agent.conf -/var/log/td-agent/alerts.log -/var/log/td-agent/pdnssoc_sys.log -/var/log/td-agent/alerts.log -/var/log/td-agent/buffer -/var/log/td-agent/pdnssoc-alerts -/var/log/td-agent/pdnssoc-alerts/pdnssoc-buffer -/var/log/td-agent/pdnssoc-alerts/results -/var/log/td-agent/pdnssoc_sys.log -/var/log/td-agent/queries +curl -o /path/to/download/pdnssoc-VERSION.gem https://rubygems.org/downloads/pdnssoc-VERSION.gem ``` - - -### Container deployment - -1. You need to have `docker`, `docker-compose` and `git` installed. An example for AlmaLinux 9 / Centos 9: +5. Install the rpm: ``` -sudo yum update -y -sudo yum install -y yum-utils -sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo -sudo yum update -y -sudo yum install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -sudo systemctl start docker -sudo yum install -y git +rpm -i pdnssoc-VERSION-RELEASE.noarch.rpm ``` - -2. Clone the repo: - +6. 
Populate the configuration in `/etc/pdnssoc/pdnssoc.conf` with the MISP server(s) details and the alert emails details +7. Use the fluentd config template in `/etc/pdnssoc/td-agent.conf.template` to overwrite or adapt `/etc/td-agent/td-agent.conf` +8. Include the appropriate firewall rules in order to accept incoming traffic: ``` -git clone https://github.com/CERN-CERT/pDNSSOC.git +firewall-cmd --zone=public --add-port=5140-5143/tcp --permanent +firewall-cmd --zone=public --add-port=5555/tcp --permanent +firewall-cmd --reload ``` - -3. Go to the `files` directory inside the repo. -4. Populate the configuration `pdnssoc.conf` with the MISP server(s) details and the alert emails details. -5. Make any changes (if needed) on the fluentd configuration `td-agent.conf`. -6. Build the docker container: - +9. Do an initial load of malicious domains from MISP: ``` -docker build -t pdnssoc . +/bin/bash /usr/local/bin/pdnssoc/misp_refresh.sh +systemctl restart td-agent ``` - -7. Start the docker container: - +10. That's it! You can do the following to check that the system is well configured: ``` -docker compose up +systemctl list-timers +netstat -putan | grep -E ':(514[0-3]|5555) ' ``` -8. That's it! +Directory structure: +``` +/etc/pdnssoc/ +├── notification_email.html +├── pdnssoc.conf +└── td-agent.conf.template +/etc/td-agent/ +├── misp_domains.txt +├── misp_ips.txt +├── plugin +└── td-agent.conf -> /etc/pdnssoc/td-agent.conf -Directory structure: +/var/log/td-agent/ +... +├── queries/ +├── pdnssoc-alerts +│   └──pdnssoc-buffer/ +├── alerts.log +├── pdnssoc_sys.log +└── td-agent.log + +/usr/lib/systemd/system/ +... 
+├── lookingback.service +├── lookingback.timer +├── misp_refresh.service +├── misp_refresh.timer +├── pdnssoc.service +└── pdnssoc.timer -``` -./pDNSSOC -├── docs -├── files -│ ├── code -│ │ ├── alerts.rb -│ │ ├── configalerts.rb -│ │ ├── constants.rb -│ │ ├── email.rb -│ │ ├── pdnssoc.rb -│ │ └── trigger.rb -│ ├── crontab -│ ├── docker-compose.yml -│ ├── Dockerfile -│ ├── install.sh -│ ├── logs -│ │ ├── alerts.log -│ │ ├── buffer -│ │ ├── pdnssoc-alerts -│ │ │ ├── pdnssoc-buffer -│ │ ├── pdnssoc_sys.log -│ │ ├── queries -│ ├── notification_email.html -│ ├── pdnssoc.conf -│ ├── pdnssoc.cron -│ └── td-agent.conf -├── images -└── README.md ``` ### Configuration file diff --git a/files/notification_email.html b/config/notification_email.html similarity index 100% rename from files/notification_email.html rename to config/notification_email.html diff --git a/files/pdnssoc.conf b/config/pdnssoc.conf similarity index 100% rename from files/pdnssoc.conf rename to config/pdnssoc.conf diff --git a/files/td-agent.conf b/config/td-agent.conf.template similarity index 83% rename from files/td-agent.conf rename to config/td-agent.conf.template index 9c674c4..4f01b25 100644 --- a/files/td-agent.conf +++ b/config/td-agent.conf.template @@ -66,12 +66,26 @@ @type forward port 5555 tag pdnssocdata + # tls true + # tls_cert_path /path/to/fluentd.crt + # tls_private_key_path /path/to/fluentd.key @type regexp expression /{"date":"(?.*)","client":"(?.*)","query":"(?.*)"}/ +## OpenSearch +# Getting logs from pdnssoc to send to OpenSearch +# +# @type tail +# path /var/log/td-agent/alerts.log +# tag pdnssoc_alerts +# read_from_head true +# +# @type json +# +# ## DATA ROUTING # Copying our pdnssocdata into multiple streams @@ -101,6 +115,8 @@ # # host upstream-pdnssoc.domain.edu # port 5555 + # tls true + # tls_cert_path /path/to/fluentd.pem # # ####################### 
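Review bot: The `@type forward` listener on port 5555 still accepts records from any client: TLS is added only as commented-out lines and there is no `<security>` section with a `shared_key` or `client_cert_auth`, while the README in this same commit opens 5140-5143 and 5555 in the public firewall zone, so anyone who can reach the host can inject fabricated DNS query records that are then correlated against MISP and alerted on. As far as I can tell `tls true` / `tls_cert_path` are out_forward-style keys that in_forward does not accept; in_forward takes TLS settings in a `<transport tls>` sub-section, so the commented lines would not work even if uncommented — please verify against the fluentd shipped with td-agent 4. I would make the template carry a working, non-optional example of mutual TLS plus a shared key and say in a comment that plaintext is only acceptable on a loopback/VPN-only bind. The `<source>` block starts before this hunk, so I cannot see whether a `bind` is set.
```conf
  @type forward
  port 5555
  tag pdnssocdata
  <transport tls>
    cert_path /path/to/fluentd.crt
    private_key_path /path/to/fluentd.key
    ca_path /path/to/ca.crt
    client_cert_auth true
  </transport>
  <security>
    self_hostname pdnssoc.domain.org
    shared_key CHANGE_ME
  </security>
  # … unchanged: regexp parser for {"date","client","query"} …
```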
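Review bot: In the commented upstream-forwarding example, `tls true` is not an out_forward parameter as far as I can tell — the switch is `transport tls` — and `tls_cert_path` there names the CA certificate used to verify the upstream server, not a client certificate, so the example as written would either be rejected or leave the forwarded pDNS data in plaintext. Suggest `# transport tls`, `# tls_cert_path /path/to/upstream-ca.pem` and `# tls_verify_hostname true`, and a one-line pointer to `<security>`/`shared_key` for when the upstream enables it. The enclosing commented block starts before this hunk.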
@@ -130,7 +146,7 @@ @type filter_list filter AC key_to_filter query - pattern_file_paths ["/etc/td-agent/misp_domains.txt"] + pattern_file_paths ["/etc/pdnssoc/misp_domains.txt"] filter_empty true action whitelist @@ -146,7 +162,7 @@ @type filter_list filter AC key_to_filter answer - pattern_file_paths ["/etc/td-agent/misp_domains.txt", "/etc/td-agent/misp_ips.txt"] + pattern_file_paths ["/etc/pdnssoc/misp_domains.txt", "/etc/pdnssoc/misp_ips.txt"] filter_empty true action whitelist @@ -171,3 +187,13 @@ + +# Forward logs to OpenSearch +# +# @type opensearch +# hosts https://opensearch.domain.org +# logstash_format true +# logstash_prefix pdnssoc +# user %{USER} +# password %{PASSWORD} +# diff --git a/files/Dockerfile b/files/Dockerfile deleted file mode 100644 index 48e8d96..0000000 --- a/files/Dockerfile +++ /dev/null @@ -1,20 +0,0 @@ -FROM almalinux:9 - -RUN yum -y update && yum -y install ruby git jq ruby-devel make gcc redhat-rpm-config sudo go && yum -y clean all && rm -rf /var/cache - -RUN curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent4.sh | bash -RUN td-agent-gem install fluent-plugin-filter-list --force - -RUN gem install parseconfig -RUN gem install misp - - -RUN mkdir -p /etc/pdnssoc/ -RUN touch /etc/td-agent/misp_domains.txt - -RUN mkdir /var/run/td-agent - -# Setup cron job -RUN go install github.com/aptible/supercronic@latest - -CMD td-agent -d /var/run/td-agent/td-agent.pid && /root/go/bin/supercronic /etc/crontab diff --git a/files/crontab b/files/crontab deleted file mode 100644 index 1f8b96a..0000000 --- a/files/crontab +++ /dev/null 
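Review bot: `pattern_file_paths` now reads `/etc/pdnssoc/misp_domains.txt` and `/etc/pdnssoc/misp_ips.txt`, but `lib/constants.rb` in this same commit still defaults `PATH_MISP_D`/`PATH_MISP_IP` to `/etc/td-agent/`, and the README's directory listing likewise shows the lists under `/etc/td-agent/`. If `misp_refresh.sh` or `pdnssoc.rb` write through those constants, fluentd keeps matching against the empty files the RPM `touch`es in `/etc/pdnssoc/` and no indicator ever fires — a silent detection gap, not an error. Pick one location (the RPM ships `/etc/pdnssoc/`, so `PATH_TDAGENT = "/etc/pdnssoc/"` seems the smaller change) and make the README agree; since these files drive the allow-list, it is also worth a comment that the directory must not be writable by the `td-agent` user unless the refresh job runs as that user.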
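Review bot: `user %{USER}` / `password %{PASSWORD}` is not a substitution fluentd performs; unless some external templating step expands `%{...}`, the literal strings are sent as credentials and the operator gets an authentication failure with no hint why. Fluentd does expand Ruby inside double-quoted values, so `#   user "#{ENV['OPENSEARCH_USER']}"` and `#   password "#{ENV['OPENSEARCH_PASSWORD']}"` work and keep the secret out of a world-readable config file. The `hosts https://...` line should be paired with `#   ssl_verify true` and `#   ca_file /path/to/ca.pem` so that the TLS endpoint is actually verified rather than just spoken to.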
@@ -1,17 +0,0 @@ -SHELL=/bin/bash -BASH_ENV=/etc/environment - -# Example of job definition: -# .---------------- minute (0 - 59) -# | .------------- hour (0 - 23) -# | | .---------- day of month (1 - 31) -# | | | .------- month (1 - 12) OR jan,feb,mar,apr ... -# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat -# | | | | | -# * * * * * user-name command to be executed - -*/1 * * * * date >/proc/1/fd/1 2>/proc/1/fd/2 -*/10 * * * * /usr/bin/ruby /usr/local/bin/pdnssoc.rb -*/1 * * * * bash /etc/pdnssoc/pdnssoc.cron >/proc/1/fd/1 2>/proc/1/fd/2 - -# An empty line is required at the end of this file for a valid cron file. diff --git a/files/docker-compose.yml b/files/docker-compose.yml deleted file mode 100644 index af99026..0000000 --- a/files/docker-compose.yml +++ /dev/null @@ -1,16 +0,0 @@ -version: "3.9" -services: - pdnssoc: - image: ghcr.io/cern-cert/pdnssoc:latest - ports: - - "5141:5141" - - "5555:5555" - volumes: - - ./td-agent.conf:/etc/td-agent/td-agent.conf - - ./notification_email.html:/etc/pdnssoc/notification_email.html - - ./code/:/usr/local/bin/ - - ./pdnssoc.conf:/etc/pdnssoc/pdnssoc.conf - - ./crontab:/etc/crontab - - ./pdnssoc.cron:/etc/pdnssoc/pdnssoc.cron - - ./logs:/var/log/td-agent/ - restart: on-failure diff --git a/files/install.sh b/files/install.sh deleted file mode 100644 index d873afb..0000000 --- a/files/install.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/bin/bash - -echo "Cleaning the room." - -rm -f /etc/pdnssoc/pdnssoc.cron 2> /dev/null -rm -f /etc/pdnssoc/pdnssoc.conf 2> /dev/null -rm -f /usr/local/bin/pdnssoc/ 2> /dev/null -rm -f /etc/pdnssoc/notification_email.html 2> /dev/null -rm -f /etc/cron.hourly/pdnssoc_misp 2> /dev/null -rm -f /etc/td-agent/td-agent.conf 2> /dev/null -rm -f /usr/local/bin/pdnssoc/lookingback.sh 2> /dev/null -sed '/pdnssoc\.rb/d' -i /etc/crontab -sed '/lookingback/d' -i /etc/crontab - -echo "Installing system packages." -# Packages installation -yum -y install ruby git jq ruby-devel -cd /tmp/ -git clone https://github.com/CERN-CERT/pDNSSOC/ -cd pDNSSOC/files - -echo "Installing Fluentd." -curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent4.sh | sh -td-agent-gem install fluent-plugin-filter-list --force - -echo "Installing Ruby dependencies." -td-agent-gem install parseconfig -td-agent-gem install misp - -echo "Moving pDNSSOC files around." -# Fluentd -cp td-agent.conf /etc/td-agent/td-agent.conf - -# pDNSSOC -mkdir -p /etc/pdnssoc/ -cp notification_email.html /etc/pdnssoc/ -mkdir -p /usr/local/bin/pdnssoc/ -cp code/*.rb /usr/local/bin/pdnssoc/ -cp pdnssoc.conf /etc/pdnssoc/pdnssoc.conf -cp pdnssoc.cron /etc/pdnssoc/pdnssoc.cron -cp lookingback.sh /usr/local/bin/pdnssoc/ -echo "Installing pDNSSOC files." - -chmod +x /etc/pdnssoc/pdnssoc.cron -chmod +x /usr/local/bin/pdnssoc/pdnssoc.rb -chmod +x /usr/local/bin/pdnssoc/lookingback.sh - -touch /etc/td-agent/misp_domains.txt -ln -s /etc/pdnssoc/pdnssoc.cron /etc/cron.hourly/pdnssoc_misp - -echo "*/15 * * * * root /opt/td-agent/bin/ruby /usr/local/bin/pdnssoc/pdnssoc.rb" >> /etc/crontab -echo "0 12 * * * * root /usr/local/bin/pdnssoc/lookingback.sh >> /etc/crontab" >> /etc/crontab - - -# An empty line is required at the end of this file for a valid cron file. - -# Disabling the local firewall, which obviously nobody should ever do - -echo "Disabling the local firewall." 
-systemctl disable firewalld -systemctl stop firewalld - -echo "Starting Fluentd." - -# Start -systemctl restart td-agent.service - -echo "Clearing install files." - -cd -rm -rf /tmp/pDNSSOC diff --git a/files/code/alerts.rb b/lib/alerts.rb similarity index 100% rename from files/code/alerts.rb rename to lib/alerts.rb diff --git a/files/code/configalerts.rb b/lib/configalerts.rb similarity index 99% rename from files/code/configalerts.rb rename to lib/configalerts.rb index 2e04825..8ee1b21 100644 --- a/files/code/configalerts.rb +++ b/lib/configalerts.rb @@ -1,6 +1,7 @@ require "json" require 'logger' require "time" +puts $LOAD_PATH require 'parseconfig' require_relative 'constants' diff --git a/files/code/constants.rb b/lib/constants.rb similarity index 78% rename from files/code/constants.rb rename to lib/constants.rb index 2d49a96..fa24e44 100644 --- a/files/code/constants.rb +++ b/lib/constants.rb @@ -1,9 +1,15 @@ + module ConstantsConfig + file_path = File.expand_path(__FILE__) + lib_path = File.dirname(file_path) + common_path = File.dirname(lib_path) # If the env variables are not defined, use the default values PATH_LOG = ENV['PATH_LOG'] || "/var/log/td-agent/" + PATH_ALERTS = PATH_LOG + 'pdnssoc-alerts/' + PATH_TDAGENT = "/etc/td-agent/" PATH_PDNS_CONF = ENV['PATH_PDNS_CONF'] || "/etc/pdnssoc/pdnssoc.conf" - PATH_MISP_D = ENV['PATH_MISP_D'] || "/etc/td-agent/misp_domains.txt" - PATH_MISP_IP = ENV['PATH_MISP_D'] || "/etc/td-agent/misp_ips.txt" + PATH_MISP_D = ENV['PATH_MISP_D'] || File.join(PATH_TDAGENT, "misp_domains.txt") + PATH_MISP_IP = ENV['PATH_MISP_D'] || File.join(PATH_TDAGENT, "misp_ips.txt") PATH_HTML = ENV['PATH_HTML'] || "/etc/pdnssoc/notification_email.html" FILENAME_LOG_ALERT = ENV['FILENAME_LOG_ALERT'] || "alerts.log" FILENAME_LOG_SYS = ENV['FILENAME_LOG_SYS'] || "pdnssoc_sys.log" 
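Review bot: `puts $LOAD_PATH` is a leftover debug statement: it prints the whole Ruby load path every time `configalerts.rb` is required, which for the systemd-run `pdnssoc.rb` lands in the journal every 15 minutes and pollutes stdout for anything that consumes it. Remove the line, or if it is still needed for the gem/RPM path debugging gate it as `warn $LOAD_PATH if ENV['PDNSSOC_DEBUG']` so it goes to stderr and only on request.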
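Review bot: `PATH_MISP_IP` is still read from `ENV['PATH_MISP_D']`, so setting that variable points both the domain list and the IP list at the same file and whichever writer runs last overwrites the other's indicators; the rewrite kept the typo — it should be `PATH_MISP_IP = ENV['PATH_MISP_IP'] || File.join(PATH_TDAGENT, "misp_ips.txt")`. The new `PATH_TDAGENT = "/etc/td-agent/"` default also disagrees with `config/td-agent.conf.template` in this commit, which reads the lists from `/etc/pdnssoc/`, and with the RPM spec that creates them there. The three new locals `file_path`/`lib_path`/`common_path` are not used in the visible part of the module; `ConstantsConfig` continues past this hunk.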
@@ -31,7 +37,6 @@ module ConstantsAlerts module ConstantsData RGX_FILE_TIME = "/\d{8}-\d{4}/" - PATH_ALERTS = '/var/log/td-agent/pdnssoc-alerts/' RGX_FILE_REF = 'pdnssoc-buffer.*.log' GROUP_SIZE = 5 * 1024 * 1024 end diff --git a/files/code/email.rb b/lib/email.rb similarity index 100% rename from files/code/email.rb rename to lib/email.rb diff --git a/files/code/inputdata.rb b/lib/inputdata.rb similarity index 97% rename from files/code/inputdata.rb rename to lib/inputdata.rb index 3fe2cd8..9dccadf 100644 --- a/files/code/inputdata.rb +++ b/lib/inputdata.rb @@ -3,6 +3,7 @@ module InputData include ConstantsData + include ConstantsConfig def get_groups() # Get a list of all files in the directory diff --git a/files/lookingback.sh b/lib/lookingback.sh old mode 100644 new mode 100755 similarity index 100% rename from files/lookingback.sh rename to lib/lookingback.sh diff --git a/files/pdnssoc.cron b/lib/misp_refresh.sh similarity index 100% rename from files/pdnssoc.cron rename to lib/misp_refresh.sh diff --git a/files/code/pdnssoc.rb b/lib/pdnssoc.rb similarity index 100% rename from files/code/pdnssoc.rb rename to lib/pdnssoc.rb diff --git a/lib/post_install.rb b/lib/post_install.rb new file mode 100644 index 0000000..2823af8 --- /dev/null +++ b/lib/post_install.rb @@ -0,0 +1,16 @@ +puts "PostInstallScript loaded successfully." + +class PostInstallScript + def self.run + puts "PostInstallScript.run method executed." + # Your post-installation script logic here + # Will read and execute the tasks defined in tasks/tasks_install.rake + if ENV['SKIP_POST_INSTALL_HOOK'].nil? + puts "Running post-installation setup..." + Rake::Task["rake_install:install"].invoke + puts "Post-installation setup completed." + end + end +end + +load File.join(File.dirname(__FILE__), 'tasks', 'tasks_install.rake') diff --git a/files/code/trigger.rb b/lib/trigger.rb similarity index 100% rename from files/code/trigger.rb rename to lib/trigger.rb 
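Review bot: `lib/post_install.rb` calls `Rake::Task[...]` and `load`s a `.rake` file without `require 'rake'`, so unless the caller has already loaded rake the `load` at the bottom — which runs on `require`, not only on `PostInstallScript.run` — fails with a NameError. Beyond that, executing an install task as a side effect of loading a library file, skipped only when `SKIP_POST_INSTALL_HOOK` happens to be set, is exactly the kind of hidden install-time execution that supply-chain reviews flag; make it opt-in (e.g. `return unless ENV['PDNSSOC_RUN_INSTALL'] == '1'`), drop the `puts` tracing, and document in the README what `tasks/tasks_install.rake` does and with which privileges. I cannot see `tasks/tasks_install.rake`, so the filesystem impact of `rake_install:install` is unknown from here.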
diff --git a/pdnssoc.gemspec b/pdnssoc.gemspec
new file mode 100644
index 0000000..8392965
--- /dev/null
+++ b/pdnssoc.gemspec
@@ -0,0 +1,25 @@
+
+Gem::Specification.new do |spec|
+ spec.name = 'pdnssoc'
+ spec.version = '0.1.4'
+ spec.authors = ['Pau Cutrina', 'Romain Wartel', 'Christos Arvanitis']
+ spec.email = ['admin@safer-trust.org']
+ spec.required_ruby_version = '>= 2.5.0'
+ spec.metadata = { 'rubygems_mfa_required' => 'true' }
+
+ spec.summary = 'pDNS correlation with MISP'
+ spec.description = 'pDNS correlation with MISP'
+ spec.homepage = 'https://github.com/CERN-CERT/pDNSSOC/'
+ spec.license = 'MIT'
+
+ spec.files = Dir["lib/**/*", "config/**/*", "timers/**/*"]
+
+ spec.metadata['source_code_uri'] = 'https://github.com/CERN-CERT/pDNSSOC'
+ spec.metadata['changelog_uri'] = 'https://github.com/CERN-CERT/pDNSSOC/blob/master/CHANGELOG.md'
+ spec.metadata['homepage_uri'] = 'https://github.com/CERN-CERT/pDNSSOC'
+ spec.metadata['github_repo'] = 'ssh://github.com/CERN-CERT/pDNSSOC'
+
+ spec.requirements << 'Ruby (>= 2.5.0)'
+
+ spec.post_install_message = "pDNSSOC has been installed successfuly!"
+end
diff --git a/pdnssoc.spec b/pdnssoc.spec
new file mode 100644
index 0000000..88e0fd7
--- /dev/null
+++ b/pdnssoc.spec
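Review bot: The gemspec declares no runtime dependencies, although `Gemfile.lock` in this commit lists `fluent-plugin-filter-list`, `misp` and `parseconfig` as dependencies of the `pdnssoc` gem and the RPM spec has to install them by hand with `td-agent-gem install`; a plain `gem install pdnssoc` therefore produces a non-working install and the lockfile is stale relative to this spec. Add pinned runtime deps, e.g. `spec.add_runtime_dependency 'misp', '~> 0.1.4'`, `spec.add_runtime_dependency 'parseconfig', '~> 1.1'`, `spec.add_runtime_dependency 'fluent-plugin-filter-list', '~> 0.7'`. The version also disagrees with the rest of the commit (`0.1.4` here, `0.1.3` in CHANGELOG.md, `0.1.0` in Gemfile.lock), and `changelog_uri` points at a `master` branch while the README fetches from `main`; worth aligning before publishing, since `rubygems_mfa_required` signals a public release.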
@@ -0,0 +1,121 @@ +%global gem_name pdnssoc + +Name: rubygem-%{gem_name} +Version: 0.1.4 +Release: 1%{?dist} +Summary: pDNS correlation with MISP +License: MIT +URL: https://github.com/CERN-CERT/pDNSSOC/ +Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem +BuildRequires: ruby(release) +BuildRequires: rubygems-devel +BuildRequires: ruby >= 2.5.0 +BuildRequires: td-agent +BuildRequires: systemd-rpm-macros +BuildArch: noarch + +%description +pDNS correlation with MISP. + + +%package doc +Summary: Documentation for %{name} +Requires: %{name} = %{version}-%{release} +BuildArch: noarch + +%description doc +Documentation for %{name}. + +%prep +%setup -q -n %{gem_name}-%{version} + +%build +# Create the gem as gem install only works on a gem file +gem build ../%{gem_name}-%{version}.gemspec + +# %%gem_install compiles any C extensions and installs the gem into ./%%gem_dir +# by default, so that we can move it into the buildroot in %%install +%gem_install + +%install +mkdir -p %{buildroot}%{gem_dir} +cp -a .%{gem_dir}/* \ + %{buildroot}%{gem_dir}/ + +# Install fluentd gems +td-agent-gem install parseconfig +td-agent-gem install misp +td-agent-gem install fluent-plugin-filter-list --force + +# Installing files in /etc/pdnssoc +install -d %{buildroot}%{_sysconfdir} +install -d %{buildroot}%{_sysconfdir}/pdnssoc +touch %{buildroot}%{_sysconfdir}/pdnssoc/misp_ips.txt +touch %{buildroot}%{_sysconfdir}/pdnssoc/misp_domains.txt +install -p -m0644 config/pdnssoc.conf %{buildroot}%{_sysconfdir}/pdnssoc/pdnssoc.conf +install -p -m0644 config/td-agent.conf.template %{buildroot}%{_sysconfdir}/pdnssoc/td-agent.conf.template +install -p -m0644 config/notification_email.html %{buildroot}%{_sysconfdir}/pdnssoc/notification_email.html + +# Install pdnssoc code +mkdir -p %{buildroot}/usr/local/bin/pdnssoc +cp -a lib/* %{buildroot}/usr/local/bin/pdnssoc + +# Installing timers +install -d %{buildroot}%{_unitdir} +install -p -m0644 timers/* %{buildroot}%{_unitdir}/ + +%check +pushd 
.%{gem_instdir} +# Run the test suite. +popd + +%files +%dir %{gem_instdir} +%{gem_libdir} +%{gem_instdir}/config +%{gem_instdir}/timers +%exclude %{gem_cache} +%{gem_spec} +# Timers +%{_unitdir}/pdnssoc.timer +%{_unitdir}/pdnssoc.service +%{_unitdir}/lookingback.timer +%{_unitdir}/lookingback.service +%{_unitdir}/misp_refresh.service +%{_unitdir}/misp_refresh.timer +# Main pdnssoc directory +%dir %{_sysconfdir}/pdnssoc +%config(noreplace) %{_sysconfdir}/pdnssoc/misp_ips.txt +%config(noreplace) %{_sysconfdir}/pdnssoc/misp_domains.txt +%config(noreplace) %{_sysconfdir}/pdnssoc/pdnssoc.conf +%config(noreplace) %{_sysconfdir}/pdnssoc/td-agent.conf.template +%{_sysconfdir}/pdnssoc/notification_email.html + +# Code of pdnssoc +%dir /usr/local/bin/pdnssoc +/usr/local/bin/pdnssoc/* + +%files doc +%doc %{gem_docdir} + +%post +# Enable Timers +%systemd_post pdnssoc.service +%systemd_post lookingback.service +%systemd_post misp_refresh.service + +%preun +%systemd_preun pdnssoc.service +%systemd_preun lookingback.service +%systemd_preun misp_refresh.service + +%postun +%systemd_postun_with_restart pdnssoc.service +%systemd_postun_with_restart lookingback.service +%systemd_postun_with_restart misp_refresh.service + +%changelog +* Mon Aug 10 2023 Pau Cutrina, Romain Wartel, Christos Arvanitis - 1.0-1 +- Changes to make it more GEM standard +* Mon Aug 07 2023 Pau Cutrina, Romain Wartel, Christos Arvanitis - 1.0-1 +- Initial RPM package diff --git a/timers/lookingback.service b/timers/lookingback.service new file mode 100644 index 0000000..9c6fb2c --- /dev/null +++ b/timers/lookingback.service @@ -0,0 +1,6 @@ +[Unit] +Description=Run lookingback.sh every day at 12:00 + +[Service] +ExecStart=/bin/bash /usr/local/bin/pdnssoc/lookingback.sh +User=root diff --git a/timers/lookingback.timer b/timers/lookingback.timer new file mode 100644 index 0000000..c4712ba --- /dev/null +++ b/timers/lookingback.timer 
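Review bot: `%install` runs `td-agent-gem install parseconfig`, `td-agent-gem install misp` and `td-agent-gem install fluent-plugin-filter-list --force` on the build host: that mutates `/opt/td-agent` outside `%{buildroot}`, fetches unpinned and unverified gems from rubygems.org at build time, and none of it ends up in the package or in a `Requires:`, so on a clean target the timers' `/opt/td-agent/bin/ruby pdnssoc.rb` will be missing `misp`/`parseconfig`. Package them as `rubygem-*` and list them under `Requires:` (or at least move the installs to `%post` with pinned versions and document the network access). Separately, `%post`/`%preun`/`%postun` act on the `.service` units, which have no `[Install]` section; the `.timer` units carry `WantedBy=timers.target`, so `%systemd_post pdnssoc.timer lookingback.timer misp_refresh.timer` is what actually enables the schedule. `config/pdnssoc.conf` is installed `-m0644`, yet per the README it holds the MISP server details and e-mail settings — if that includes the MISP API key it is world-readable; `install -p -m0640` with the group that runs the jobs is the usual choice. Installing code under `/usr/local/bin/pdnssoc` from an RPM also violates FHS (`/usr/local` is reserved for the local administrator); `%{_libexecdir}/pdnssoc` is the guideline location.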
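Review bot: `lookingback.service` runs `lookingback.sh` as root with no `Type=oneshot` and no sandboxing; as a timer-driven job it should be `Type=oneshot` so a failing run is reported as failed instead of the unit flapping between active and inactive, and the standard hardening directives cost nothing for a shell script. I cannot see `lib/lookingback.sh`, so the `ReadWritePaths` below is a guess to confirm against what the script actually writes — if it only reads `/var/log/td-agent` and sends mail it may not need root at all and could run as `td-agent`.
```ini
[Service]
Type=oneshot
User=root
ExecStart=/bin/bash /usr/local/bin/pdnssoc/lookingback.sh
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/log/td-agent /etc/pdnssoc
```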
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run lookingback.sh every day at 12:00
+
+[Timer]
+OnCalendar=*-*-* 12:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/timers/misp_refresh.service b/timers/misp_refresh.service
new file mode 100644
index 0000000..1b6ba86
--- /dev/null
+++ b/timers/misp_refresh.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run misp_refresh.sh every 15 minutes
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/pdnssoc/misp_refresh.sh
+User=root
diff --git a/timers/misp_refresh.timer b/timers/misp_refresh.timer
new file mode 100644
index 0000000..7d6e466
--- /dev/null
+++ b/timers/misp_refresh.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run misp_refresh.sh every hour
+
+[Timer]
+OnCalendar=hourly
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/timers/pdnssoc.service b/timers/pdnssoc.service
new file mode 100644
index 0000000..8b9efa9
--- /dev/null
+++ b/timers/pdnssoc.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run pdnssoc.rb every 15 minutes
+
+[Service]
+ExecStart=/opt/td-agent/bin/ruby /usr/local/bin/pdnssoc/pdnssoc.rb
+User=root
diff --git a/timers/pdnssoc.timer b/timers/pdnssoc.timer
new file mode 100644
index 0000000..2746e69
--- /dev/null
+++ b/timers/pdnssoc.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run pdnssoc.rb every 15 minutes
+
+[Timer]
+OnCalendar=*:0/15
+Persistent=true
+
+[Install]
+WantedBy=timers.target
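Review bot: `misp_refresh.service` describes itself as running `every 15 minutes`, but `misp_refresh.timer` in the same commit schedules it `hourly` and says `every hour`; `systemctl list-timers`, which the README tells operators to use for verification, will display the contradiction. Change it to `Description=Refresh MISP domain/IP lists (hourly via misp_refresh.timer)` and add `Type=oneshot`. This job fetches indicators from the configured MISP servers over the network and rewrites the files fluentd matches on, so running it as root with no `ProtectSystem`/`ReadWritePaths` means any handling flaw in the fetched data executes as root; `User=td-agent` with write access limited to the list directory would be the safer default, assuming the script only writes those files (not visible in this diff).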
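Review bot: `pdnssoc.service` runs `pdnssoc.rb` as root every 15 minutes, yet everything `lib/constants.rb` points it at lives under `/var/log/td-agent/` and `/etc/pdnssoc/`; this is the code that parses attacker-influenced DNS query names out of the alert buffers and builds e-mail, so `User=td-agent` plus `Type=oneshot`, `NoNewPrivileges=true` and `PrivateTmp=true` would keep that parsing out of a root context. Whether it needs root at all depends on the mode of `/etc/pdnssoc/pdnssoc.conf` set in the RPM spec rather than here, so please confirm the service user can read that file before changing `User=`.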