Diffstat (limited to 'security')
-rw-r--r--security/Makefile1
-rw-r--r--security/imds-filterd/Makefile44
-rw-r--r--security/imds-filterd/distinfo3
-rw-r--r--security/imds-filterd/pkg-descr12
-rw-r--r--security/imds-filterd/pkg-message14
5 files changed, 74 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 2caa964693f3..ba7dc3883e5d 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -226,6 +226,7 @@
SUBDIR += idea
SUBDIR += identify
SUBDIR += ike
+ SUBDIR += imds-filter
SUBDIR += integrit
SUBDIR += ipfcount
SUBDIR += ipfilter2dshield
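Review bot: The added SUBDIR entry names `imds-filter`, but every other file in this commit lives under `security/imds-filterd/` (see the diffstat and the `+++ b/security/imds-filterd/Makefile` header), so the category Makefile would point at a directory that does not exist and the new port would be skipped by category-wide builds and index generation. The line should read `SUBDIR += imds-filterd`, which also keeps the alphabetical position between `ike` and `integrit` unchanged. The surrounding SUBDIR list continues outside the hunk.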
diff --git a/security/imds-filterd/Makefile b/security/imds-filterd/Makefile
new file mode 100644
index 000000000000..d43ebdd232ec
--- /dev/null
+++ b/security/imds-filterd/Makefile
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+PORTNAME= imds-filterd
+DISTVERSION= 0.1
+CATEGORIES= security
+
+MAINTAINER= cperciva@FreeBSD.org
+COMMENT= Provides per user/group access controls to the EC2 IMDS
+
+LICENSE= BSD2CLAUSE
+LICENSE_FILE= ${WRKSRC}/COPYRIGHT
+
+USE_GITHUB= YES
+GH_ACCOUNT= cperciva
+
+# Install binaries into ${STAGEDIR}${PREFIX}/sbin
+MAKE_ARGS+= BINDIR=${STAGEDIR}${PREFIX}/sbin
+
+PORTDOCS= README.md USAGE
+PLIST_FILES= etc/rc.d/imds-filterd \
+ etc/rc.d/imds-proxy \
+ sbin/imds-filterd \
+ sbin/imds-proxy \
+ "@sample etc/newsyslog.conf.d/imds.conf.sample" \
+ "@sample etc/syslog.d/imds.conf.sample" \
+ "@sample etc/imds.conf.sample"
+
+OPTIONS_DEFINE= DOCS
+
+USERS= imds
+GROUPS= imds
+
+post-install:
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/syslog.d
+ ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/syslog-imds.conf ${STAGEDIR}${PREFIX}/etc/syslog.d/imds.conf.sample
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d
+ ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/newsyslog-imds.conf ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/imds.conf.sample
+ ${INSTALL_DATA} ${WRKSRC}/imds.conf ${STAGEDIR}${PREFIX}/etc/imds.conf.sample
+ ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-filterd ${STAGEDIR}${PREFIX}/etc/rc.d/imds-filterd
+ ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-proxy ${STAGEDIR}${PREFIX}/etc/rc.d/imds-proxy
+
+.include <bsd.port.mk>
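Review bot: The two documentation lines in `post-install` (the `${MKDIR} ${STAGEDIR}${DOCSDIR}` and the `${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}` lines) run unconditionally even though the port declares `OPTIONS_DEFINE= DOCS`, so a build with DOCS disabled stages README.md and USAGE that are not in the generated plist and the stage QA/plist check will report them as orphans. Move those two lines under a separate `post-install-DOCS-on:` target and leave the configuration and rc.d installs in `post-install:`; the recipe text itself does not change. Two smaller points: the conventional spelling is `USE_GITHUB= yes`, and since this diffstat is limited to security/ it is not visible whether matching `imds` entries were added to the ports tree's UIDs/GIDs files, which `USERS=`/`GROUPS=` require — worth confirming in the same change.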
diff --git a/security/imds-filterd/distinfo b/security/imds-filterd/distinfo
new file mode 100644
index 000000000000..f73b37bf1732
--- /dev/null
+++ b/security/imds-filterd/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1580074291
+SHA256 (cperciva-imds-filterd-0.1_GH0.tar.gz) = e0e8b28046b2a917e110d1313242947aa6901635e81552107ab2f6a2fba83441
+SIZE (cperciva-imds-filterd-0.1_GH0.tar.gz) = 64011
diff --git a/security/imds-filterd/pkg-descr b/security/imds-filterd/pkg-descr
new file mode 100644
index 000000000000..af8b6b6a54ee
--- /dev/null
+++ b/security/imds-filterd/pkg-descr
@@ -0,0 +1,12 @@
+imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which
+work together to intercept and filter requests to the EC2 Instance Metadata
+Service -- or theoretically any other service at 169.254.169.254:80.
+
+It validates requests against a configured ruleset which specifies whether
+given users and groups should be allowed or denied access to certain prefixes
+in the Instance Metadata Service. For example, "root" could be granted
+access to everything; most unprivileged users granted access to everything
+except IAM role credentials; but the www user denied access to the entire
+Instance Metadata Service in order to guard against SSRF and similar attacks.
+
+WWW: http://github.com/cperciva/imds-filterd
diff --git a/security/imds-filterd/pkg-message b/security/imds-filterd/pkg-message
new file mode 100644
index 000000000000..7b680f611530
--- /dev/null
+++ b/security/imds-filterd/pkg-message
@@ -0,0 +1,14 @@
+[
+{ type: install
+ message: <<EOM
+To enable imds-filterd, add imds_filterd_enable=YES to /etc/rc.conf.
+
+To configure imds-filterd, edit $PREFIX/etc/imds.conf.
+
+imds-filterd ships with configurations for syslogd and newsyslog which log
+accesses to the Instance Metadata Service to /var/log/imds.log and rotate
+this file upon reaching 1 MB; these settings can be modified via
+$PREFIX/etc/{syslog.d, newsyslog.conf.d}/imds.conf.
+EOM
+}
+]