author | Dominik Lisiak <dominik.lisiak@bemsoft.pl> | 2018-10-26 18:45:19 +0200 |
committer | Dominik Lisiak <dominik.lisiak@bemsoft.pl> | 2018-10-26 18:45:19 +0200 |
commit | 5cde0e0520c72804b6eac8f08d976db777d7ba04 (patch) | |
tree | 9a7288c8b9d7b69790929a0121b264b8883f2f39 | |
parent | Upgrade to 3.1.0. (diff) | |
download | ossec-5cde0e0520c72804b6eac8f08d976db777d7ba04.tar.xz |
Added CIS benchmarks. Improved profiles.
16 files changed, 184 insertions, 80 deletions
diff --git a/security/ossec-hids-local-config/Makefile b/security/ossec-hids-local-config/Makefile index 9ca25d4..c8e795c 100644 --- a/security/ossec-hids-local-config/Makefile +++ b/security/ossec-hids-local-config/Makefile @@ -157,9 +157,15 @@ ${conf_group}_PUSHED_OPTIONS= . for option in ${${conf_group}_OPTIONS} . if ${${option}_DEFINE:M${OSSEC_TYPE}} ${conf_group}_INSTANCE_OPTIONS+= ${option} +${conf_group}_ALL_OPTIONS+= ${option} . endif -. if ${OSSEC_TYPE} == server && ${${option}_DEFINE:Mpushed} +. if ${${option}_DEFINE:Mpushed} +. if ${OSSEC_TYPE} == server ${conf_group}_PUSHED_OPTIONS+= ${option} +. endif +. if !${${conf_group}_ALL_OPTIONS:M${option}} +${conf_group}_ALL_OPTIONS+= ${option} +. endif . endif . endfor .endfor @@ -177,7 +183,7 @@ CLIENT_PROFILES:= ${CLIENT_PROFILES}, ${${conf_group}_PROFILE} . endif SUB_LIST+= ${conf_group}_PROFILE=${${conf_group}_PROFILE} . endif -. for option in ${${conf_group}_INSTANCE_OPTIONS} +. for option in ${${conf_group}_ALL_OPTIONS} . if !empty(${option}_PROFILE) . if ${OSSEC_TYPE} == agent . if empty(CLIENT_PROFILES) @@ -196,11 +202,11 @@ SUB_LIST+= CLIENT_PROFILES="${CLIENT_PROFILES}" ############################################################ .for conf_group in ${CONF_GROUPS} -. for option in ${${conf_group}_INSTANCE_OPTIONS} +. for option in ${${conf_group}_ALL_OPTIONS} . if !defined(${option}_TEMPLATE) ${option}_TEMPLATE= template-${option:tl:S/_/-/g}.xml . endif -. if !empty(${option}_TEMPLATE) +. if !empty(${option}_TEMPLATE) && !${SUB_FILES:M${${option}_TEMPLATE}} SUB_FILES+= ${${option}_TEMPLATE} . endif . endfor diff --git a/security/ossec-hids-local-config/files/template-logs-default.xml.in b/security/ossec-hids-local-config/files/template-logs-system.xml.in index 47b9a77..eee09aa 100644 --- a/security/ossec-hids-local-config/files/template-logs-default.xml.in +++ b/security/ossec-hids-local-config/files/template-logs-system.xml.in 
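Review bot: No `${conf_group}_ALL_OPTIONS=` reset is visible next to the `${conf_group}_PUSHED_OPTIONS=` reset shown in the first hunk's header context, so unless one exists outside the hunk the new test `.if !${${conf_group}_ALL_OPTIONS:M${option}}` is evaluated against an undefined variable whenever a group's first option is not defined for the current OSSEC_TYPE, which bmake rejects as a malformed conditional; the same applies to `!${SUB_FILES:M${${option}_TEMPLATE}}` in the third hunk if SUB_FILES has not been assigned earlier in the Makefile. Adding `${conf_group}_ALL_OPTIONS=` beside the existing reset (or spelling the tests with `:U:M`) closes that gap. The new variable also deserves a comment, since its meaning has to be reconstructed from three `:M` tests; above the loop I would put `# _ALL_OPTIONS: options defined for ${OSSEC_TYPE} plus every pushed option, without duplicates; drives the profile and SUB_FILES loops below`. The enclosing `.for conf_group` loop starts before the first hunk.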
@@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%LOGS_DEFAULT_PROFILE%%"> +<template_config os="FreeBSD" profile="%%LOGS_SYSTEM_PROFILE%%"> <localfile> <log_format>syslog</log_format> @@ -33,7 +33,7 @@ </template_config> -<template_config os="Linux" profile="%%LOGS_DEFAULT_PROFILE%%"> +<template_config os="Linux" profile="%%LOGS_SYSTEM_PROFILE%%"> <localfile> <log_format>syslog</log_format> diff --git a/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in index 63e5f1e..37c2166 100644 --- a/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in +++ b/security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%ROOTCHECK_PROFILE%%"> +<template_config os="FreeBSD" profile="%%ROOTCHECK_BASIC_PROFILE%%"> <rootcheck> <rootkit_files>%%OSSEC_HOME%%/etc/shared/rootkit_files.txt</rootkit_files> @@ -10,14 +10,13 @@ </template_config> -<template_config os="Linux" profile="%%ROOTCHECK_PROFILE%%"> +<template_config os="Linux" profile="%%ROOTCHECK_BASIC_PROFILE%%"> <rootcheck> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit> - <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> </rootcheck> </template_config> diff --git a/security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in new file mode 100644 index 0000000..1b2f20c --- /dev/null +++ b/security/ossec-hids-local-config/files/template-rootcheck-cis-l1.xml.in 
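@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<template_config os="Linux" profile="%%ROOTCHECK_CIS_L1_PROFILE%%">
+
+ <rootcheck>
+ <system_audit>/var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt</system_audit>
+ </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in
new file mode 100644
index 0000000..d156887
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-cis-l2.xml.in
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<template_config os="Linux" profile="%%ROOTCHECK_CIS_L2_PROFILE%%">
+
+ <rootcheck>
+ <system_audit>/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt</system_audit>
+ </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in
new file mode 100644
index 0000000..0640be7
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-cis.xml.in
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<template_config os="Linux" profile="%%ROOTCHECK_CIS_PROFILE%%">
+
+ <rootcheck>
+ <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
+ </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-default.xml.in b/security/ossec-hids-local-config/files/template-syscheck-basic.xml.in
index 78ae8f8..516b921 100644
--- a/security/ossec-hids-local-config/files/template-syscheck-default.xml.in
+++ b/security/ossec-hids-local-config/files/template-syscheck-basic.xml.in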
@@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="FreeBSD" profile="%%SYSCHECK_BASIC_PROFILE%%"> <syscheck> <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories> @@ -8,7 +8,7 @@ </template_config> -<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="Linux" profile="%%SYSCHECK_BASIC_PROFILE%%"> <syscheck> <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories> diff --git a/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in index f35f4d5..07f278d 100644 --- a/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in +++ b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="FreeBSD"> <syscheck> <ignore>/etc/hosts.allow</ignore> @@ -7,7 +7,7 @@ </template_config> -<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="Linux"> <syscheck> <ignore>/etc/hosts.deny</ignore> diff --git a/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in index 7a303e5..eee5915 100644 --- a/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in +++ b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="FreeBSD"> <syscheck> <alert_new_files>yes</alert_new_files> 
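Review bot: Both `template_config` elements in template-syscheck-hostdeny.xml.in lose their `profile` attribute, and template-syscheck-newfiles and template-syscheck-noauto (this line and the next) are changed the same way, while the basic and ossec syscheck templates are re-pointed at new per-option profiles instead. Nothing in the change records why these three become unconditional; if the generated agent.conf keeps the template's attributes, an OS-only block presumably applies to every agent of that OS that receives the pushed configuration, not just those that selected a profile, which widens what gets pushed. A one-line comment at the top of each of these templates would make the intent explicit, e.g. `<!-- No profile attribute: applies to every agent of this OS that receives the shared configuration -->`.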
@@ -7,7 +7,7 @@ </template_config> -<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="Linux"> <syscheck> <alert_new_files>yes</alert_new_files> diff --git a/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in index 03f5943..b71e1ae 100644 --- a/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in +++ b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="FreeBSD"> <syscheck> <auto_ignore>no</auto_ignore> @@ -7,7 +7,7 @@ </template_config> -<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="Linux"> <syscheck> <auto_ignore>no</auto_ignore> diff --git a/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in index 8342f63..42911ef 100644 --- a/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in +++ b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="FreeBSD" profile="%%SYSCHECK_OSSEC_PROFILE%%"> <syscheck> <directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_BIN_DIRS%%</directories> @@ -8,7 +8,7 @@ </template_config> -<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%"> +<template_config os="Linux" profile="%%SYSCHECK_OSSEC_PROFILE%%"> <syscheck> <directories realtime="yes" check_all="yes">/var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless</directories> diff --git a/security/ossec-hids-local-config/opt-logs.mk b/security/ossec-hids-local-config/opt-logs.mk index 8352b0b..cec8bd4 100644 --- a/security/ossec-hids-local-config/opt-logs.mk 
+++ b/security/ossec-hids-local-config/opt-logs.mk @@ -4,24 +4,24 @@ LOGS_LOCAL_CONF= 550.logs.local.conf LOGS_DESC= Log Monitoring # Default logs support -LOGS_DEFAULT_OPTION= DEFAULT -LOGS_DEFAULT_PROFILE= system-log -LOGS_DEFAULT_DESC= Default system logs -LOGS_DEFAULT_DEFINE= server local agent pushed -LOGS_DEFAULT_DEFAULT= server local pushed -LOGS_OPTIONS+= LOGS_DEFAULT +LOGS_SYSTEM_OPTION= SYSTEM +LOGS_SYSTEM_PROFILE= system-logs +LOGS_SYSTEM_DESC= Default system logs +LOGS_SYSTEM_DEFINE= server local agent pushed +LOGS_SYSTEM_DEFAULT= server local pushed +LOGS_OPTIONS+= LOGS_SYSTEM # Active response log support LOGS_RESPONSE_OPTION= RESPONSE -LOGS_RESPONSE_PROFILE= active-response-log -LOGS_RESPONSE_DESC= Active response log +LOGS_RESPONSE_PROFILE= active-response-logs +LOGS_RESPONSE_DESC= Active response logs LOGS_RESPONSE_DEFINE= server local agent pushed LOGS_RESPONSE_DEFAULT= server local pushed LOGS_OPTIONS+= LOGS_RESPONSE # Apache logs support LOGS_APACHE_OPTION= APACHE -LOGS_APACHE_PROFILE= apache-log +LOGS_APACHE_PROFILE= apache-logs LOGS_APACHE_DESC= Apache logs LOGS_APACHE_DEFINE= server local agent pushed LOGS_APACHE_DEFAULT= pushed @@ -29,7 +29,7 @@ LOGS_OPTIONS+= LOGS_APACHE # Nginx logs support LOGS_NGINX_OPTION= NGINX -LOGS_NGINX_PROFILE= nginx-log +LOGS_NGINX_PROFILE= nginx-logs LOGS_NGINX_DESC= Nginx logs LOGS_NGINX_DEFINE= server local agent pushed LOGS_NGINX_DEFAULT= pushed @@ -37,7 +37,7 @@ LOGS_OPTIONS+= LOGS_NGINX # Radius logs support LOGS_RADIUS_OPTION= RADIUS -LOGS_RADIUS_PROFILE= radius-log +LOGS_RADIUS_PROFILE= radius-logs LOGS_RADIUS_DESC= FreeRADIUS logs LOGS_RADIUS_DEFINE= server local agent pushed LOGS_RADIUS_DEFAULT= pushed @@ -45,7 +45,7 @@ LOGS_OPTIONS+= LOGS_RADIUS # Vsftpd logs support LOGS_VSFTPD_OPTION= VSFTPD -LOGS_VSFTPD_PROFILE= vsftpd-log +LOGS_VSFTPD_PROFILE= vsftpd-logs LOGS_VSFTPD_DESC= Vsftpd logs LOGS_VSFTPD_DEFINE= server local agent pushed LOGS_VSFTPD_DEFAULT= pushed 
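Review bot: The profile strings are renamed here (`system-log` to `system-logs`, `apache-log` to `apache-logs`, and so on), and opt-rootcheck.mk and opt-syscheck.mk on the following lines drop the shared `rootcheck` and `syscheck` profiles in favour of `basic-rootcheck`, `basic-syscheck` and `ossec-syscheck`. These names presumably end up in the pushed agent.conf and in each agent's config-profile setting, so agents installed from the previous version would silently stop matching the pushed sections until their profile list is updated; this hunk does not say whether that is expected. A short comment at the top of the option file, such as `# Profile names are part of the agent-side configuration; renaming one requires updating deployed agents`, plus a mention in the port's update notes, would warn the next person who renames one.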
diff --git a/security/ossec-hids-local-config/opt-rootcheck.mk b/security/ossec-hids-local-config/opt-rootcheck.mk index 3da90af..1b41f20 100644 --- a/security/ossec-hids-local-config/opt-rootcheck.mk +++ b/security/ossec-hids-local-config/opt-rootcheck.mk @@ -1,12 +1,36 @@ ROOTCHECK_MANAGED_CONF= 120.rootcheck.conf ROOTCHECK_LOCAL_CONF= 520.rootcheck.local.conf -ROOTCHECK_PROFILE= rootcheck ROOTCHECK_DESC= System Audit and Rootkit Detection -# Default -ROOTCHECK_DEFAULT_OPTION= DEFAULT_RC -ROOTCHECK_DEFAULT_DESC= System audit and rootkit detection provided by OSSEC -ROOTCHECK_DEFAULT_DEFINE= server local agent pushed -ROOTCHECK_DEFAULT_DEFAULT= server local pushed -ROOTCHECK_OPTIONS+= ROOTCHECK_DEFAULT +# Basic +ROOTCHECK_BASIC_OPTION= BASIC_RC +ROOTCHECK_BASIC_PROFILE= basic-rootcheck +ROOTCHECK_BASIC_DESC= Basic audit and rootkits +ROOTCHECK_BASIC_DEFINE= server local agent pushed +ROOTCHECK_BASIC_DEFAULT= server local pushed +ROOTCHECK_OPTIONS+= ROOTCHECK_BASIC + +# CIS default +ROOTCHECK_CIS_OPTION= CIS_RC +ROOTCHECK_CIS_PROFILE= cis-rootcheck +ROOTCHECK_CIS_DESC= CIS benchmark - Legacy +ROOTCHECK_CIS_DEFINE= pushed +ROOTCHECK_CIS_DEFAULT= pushed +ROOTCHECK_OPTIONS+= ROOTCHECK_CIS + +# CIS level 1 +ROOTCHECK_CIS_L1_OPTION= CIS_L1_RC +ROOTCHECK_CIS_L1_PROFILE= cis-level1-rootcheck +ROOTCHECK_CIS_L1_DESC= CIS benchmark - Level 1 +ROOTCHECK_CIS_L1_DEFINE= pushed +ROOTCHECK_CIS_L1_DEFAULT= pushed +ROOTCHECK_OPTIONS+= ROOTCHECK_CIS_L1 + +# CIS level 2 +ROOTCHECK_CIS_L2_OPTION= CIS_L2_RC +ROOTCHECK_CIS_L2_PROFILE= cis-level2-rootcheck +ROOTCHECK_CIS_L2_DESC= CIS benchmark - Level 2 +ROOTCHECK_CIS_L2_DEFINE= pushed +ROOTCHECK_CIS_L2_DEFAULT= pushed +ROOTCHECK_OPTIONS+= ROOTCHECK_CIS_L2 diff --git a/security/ossec-hids-local-config/opt-rules.mk b/security/ossec-hids-local-config/opt-rules.mk index c8db7a2..f3f7413 100644 --- a/security/ossec-hids-local-config/opt-rules.mk +++ b/security/ossec-hids-local-config/opt-rules.mk 
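Review bot: The three new CIS options say only "CIS benchmark - Legacy/Level 1/Level 2" in their DESC, while their templates (added earlier in this commit) point at Debian-specific audit files under /var/ossec/etc/shared and contain a Linux section only, so a user enabling them on a mixed fleet has no hint of what they cover. I would extend each section comment, e.g. `# CIS Debian Linux 7/8 benchmark, Level 1 - Linux agents only; expects cis_debianlinux7-8_L1_rcl.txt in the agent's shared directory`, and similarly for the legacy and Level 2 options. All three are also defaulted to `pushed`, which combined with profile gating seems intended, but a comment stating that an agent opts in through its profile would avoid the reading that every agent now runs three audits.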
@@ -7,7 +7,7 @@ RULES_FILES= config cmdout # Default rules RULES_DEFAULT_OPTION= DEFAULT_R -RULES_DEFAULT_DESC= Default rules provided by OSSEC +RULES_DEFAULT_DESC= Rules provided by OSSEC RULES_DEFAULT_DEFINE= server local RULES_DEFAULT_DEFAULT= server local RULES_OPTIONS+= RULES_DEFAULT diff --git a/security/ossec-hids-local-config/opt-syscheck.mk b/security/ossec-hids-local-config/opt-syscheck.mk index 2c1210d..2023839 100644 --- a/security/ossec-hids-local-config/opt-syscheck.mk +++ b/security/ossec-hids-local-config/opt-syscheck.mk @@ -1,19 +1,20 @@ SYSCHECK_MANAGED_CONF= 130.syscheck.conf SYSCHECK_LOCAL_CONF= 530.syscheck.local.conf -SYSCHECK_PROFILE= syscheck SYSCHECK_DESC= File Integrity Checking # Default direcotries -SYSCHECK_DEFAULT_OPTION= DEFAULT_SC -SYSCHECK_DEFAULT_DESC= Check "bin", "sbin" and "etc" directories -SYSCHECK_DEFAULT_DEFINE= server local agent pushed -SYSCHECK_DEFAULT_DEFAULT= server local pushed -SYSCHECK_OPTIONS+= SYSCHECK_DEFAULT +SYSCHECK_BASIC_OPTION= BASIC_SC +SYSCHECK_BASIC_PROFILE= basic-syscheck +SYSCHECK_BASIC_DESC= "bin", "sbin" and "etc" +SYSCHECK_BASIC_DEFINE= server local agent pushed +SYSCHECK_BASIC_DEFAULT= server local pushed +SYSCHECK_OPTIONS+= SYSCHECK_BASIC # OSSEC directories SYSCHECK_OSSEC_OPTION= OSSEC_SC -SYSCHECK_OSSEC_DESC= Check OSSEC directories +SYSCHECK_OSSEC_PROFILE= ossec-syscheck +SYSCHECK_OSSEC_DESC= OSSEC directories SYSCHECK_OSSEC_DEFINE= server local agent pushed SYSCHECK_OSSEC_DEFAULT= server local pushed SYSCHECK_OPTIONS+= SYSCHECK_OSSEC diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in index d49f01d..aaafb8c 100644 --- a/security/ossec-hids-local/files/ossec-hids.in +++ b/security/ossec-hids-local/files/ossec-hids.in 
@@ -13,10 +13,10 @@ # Default: NO # ossec_hids_fetch_connect_time (int): Time in seconds to wait for the download of the shared configuration to start. # Used only by agent installation. -# Default: 20 +# Default: 30 # ossec_hids_fetch_read_time (int): Time in seconds to wait for subsequent download chunks of the shared configuration. # Used only by agent installation. -# Default: 5 +# Default: 10 . /etc/rc.subr @@ -28,8 +28,8 @@ load_rc_config $name : ${ossec_hids_enable="NO"} : ${ossec_hids_clear_log="NO"} : ${ossec_hids_clear_ar_log="NO"} -: ${ossec_hids_fetch_connect_time=20} -: ${ossec_hids_fetch_read_time=5} +: ${ossec_hids_fetch_connect_time=30} +: ${ossec_hids_fetch_read_time=10} ossec_type="%%OSSEC_TYPE%%" ossec_home="%%OSSEC_HOME%%" @@ -50,7 +50,7 @@ ossec_merged="${ossec_home}/etc/shared/merged.mg" ossec_local_time="/etc/localtime" -extra_commands="reload ossec_conf" +extra_commands="status reload ossec_conf" case ${ossec_type} in server) extra_commands="${extra_commands} agent_conf reset_counter" @@ -68,7 +68,7 @@ stop_cmd="ossec_hids_command stop" restart_cmd="ossec_hids_command restart" status_cmd="ossec_hids_command status" reload_cmd="ossec_hids_command reload" -reset_counter_cmd="ossec_hids_command start" +reset_counter_cmd="ossec_hids_reset_counter $2" fetch_config_cmd="ossec_hids_command restart" merge_config_cmd="ossec_hids_create_config force" ossec_conf_cmd="ossec_hids_ossec_conf" @@ -77,9 +77,10 @@ agent_conf_cmd="ossec_hids_agent_conf" start_precmd="ossec_hids_prepare" restart_precmd="ossec_hids_prepare" reload_precmd="ossec_hids_prepare" -reset_counter_precmd="ossec_hids_prepare" fetch_config_precmd="ossec_hids_prepare" +agent_ids_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'" + ossec_hids_create_file() { local path=$1 local owner=$2 
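Review bot: `agent_ids_cmd` stores a command line as a string that is later run with `$(eval ${agent_ids_cmd})` (in the reset_counter and fetch_config hunks below), which means `${ossec_home}` is expanded into the string at definition time and re-parsed by the shell on every use; a function avoids the eval and keeps the quoting intact: `ossec_hids_agent_ids() { "${ossec_home}/bin/manage_agents" -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'; }` with call sites changed to `$(ossec_hids_agent_ids)`. The new `reset_counter_cmd="ossec_hids_reset_counter $2"` also reads the script's second positional argument at top level, which is only obvious if you know how rc.subr dispatches; a comment such as `# $2 is the agent ID (or "all") passed after the reset_counter command` would help. The removal of `reset_counter_precmd` in the last hunk means reset_counter no longer runs ossec_hids_prepare, which looks deliberate given the matching deletion in ossec_hids_prepare later in the diff.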
@@ -110,13 +111,17 @@ ossec_hids_check() { } ossec_hids_config_is_outdated() { - dst_file="$1" - src_dir="$2" + local dst_file="$1" + local src_dir="$2" if [ ! -e "${dst_file}" ]; then return 0 fi + if [ "${src_dir}" -nt "${dst_file}" ]; then + return 0 + fi + for src_file in $(find "${src_dir}" -maxdepth 1 -type f -name "*.conf"); do if [ "${src_file}" -nt "${dst_file}" ]; then return 0 
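Review bot: The new `[ "${src_dir}" -nt "${dst_file}" ]` test in ossec_hids_config_is_outdated is correct but its purpose is not stated, and a later reader may be tempted to drop it as redundant with the per-file loop that follows; I would add above it `# The directory mtime changes when a .conf file is added or removed, which the per-file loop below cannot detect`. The loop variable `src_file` is still not declared `local` although `dst_file` and `src_dir` now are, so it leaks into the caller's scope. The rest of the function continues past the end of the hunk.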
@@ -179,22 +184,58 @@ ossec_hids_clean() { } ossec_hids_reset_counter() { + local reset_agent_id="$1" + case ${ossec_type} in - local) - echo "ERROR: Counters are only available for agent and server installations." + server) + if [ -z "${reset_agent_id}" ]; then + echo "ERROR: Please specify agent ID to reset counter for this agent or \"all\" to reset counters for all agents." + echo + return 1 + fi + local agent_counter=0 + if [ "${reset_agent_id}" == "all" ]; then + ossec_hids_command stop + sleep 1 + echo + for agent_id in $(eval ${agent_ids_cmd}); do + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + fi + done + else + for agent_id in $(eval ${agent_ids_cmd}); do + if [ "${reset_agent_id}" == "${agent_id}" ]; then + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + ossec_hids_command stop + sleep 1 + echo + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + fi + fi + done + fi + echo "Removed ${agent_counter} counter(s)." echo - return 1 ;; - *) - ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo - agent_ids=`${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'` - agent_counter=0 - for agent_id in ${agent_ids}; do - rm -f "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + agent) + local agent_counter=0 + for agent_id in $(eval ${agent_ids_cmd}); do + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + ossec_hids_command stop + sleep 1 + echo + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + fi done echo "Removed ${agent_counter} counter(s)." echo ;; + *) + echo "ERROR: Counters are only available for agent and server installations." + echo + return 1 + ;; esac return 0 
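Review bot: In the `server` branch of ossec_hids_reset_counter an agent ID that is not in the `manage_agents -l` output (a typo, or an agent that was removed) falls through the loop, prints "Removed 0 counter(s)." and returns 0, so the caller cannot tell a bad ID from an agent that simply had no counter file; tracking whether the ID matched and failing otherwise fixes that. Separately, `[ "${reset_agent_id}" == "all" ]` and the `==` comparison in the loop are not POSIX test syntax; FreeBSD's sh accepts them, but `=` is the portable spelling and the script is otherwise POSIX. Only the `else` branch is rewritten below; the `all` and `agent` branches are unchanged.
```shell
			else
				local agent_found=0
				for agent_id in $(eval ${agent_ids_cmd}); do
					if [ "${reset_agent_id}" = "${agent_id}" ]; then
						agent_found=1
						# … unchanged: stop the service and remove the rids file if present …
					fi
				done
				if [ ${agent_found} -eq 0 ]; then
					echo "ERROR: Unknown agent ID \"${reset_agent_id}\"."
					echo
					return 1
				fi
			fi
```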
@@ -203,7 +244,9 @@ ossec_hids_reset_counter() { ossec_hids_fetch_config() { case ${ossec_type} in agent) - ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo + ossec_hids_command stop + sleep 1 + echo rm -f "${ossec_merged}" ossec_hids_command start || return 1 echo @@ -212,7 +255,7 @@ ossec_hids_fetch_config() { if [ ! -s "${ossec_merged}" ]; then echo "ERROR: Failed to download shared configuration from the OSSEC server." echo - ossec_log_tail=$(tail "${ossec_log}") + local ossec_log_tail=$(tail "${ossec_log}") echo "Portion of the \"${ossec_log}\":" echo "${ossec_log_tail}" echo @@ -221,25 +264,35 @@ ossec_hids_fetch_config() { echo fi if echo "${ossec_log_tail}" | grep -q "ERROR: Incorrectly formatted message from"; then - echo "If you are certain the imported agent key is correct then execute command:" - echo "$(realpath $0) reset_counter" - echo "and fetch config again:" - echo "$(realpath $0) fetch_config" + local ossec_rc_path="$(realpath $0)" + echo "If you are certain the imported agent key is correct then run:" + echo "${ossec_rc_path} reset_counter" + echo "${ossec_rc_path} fetch_config" + echo + echo "If this does't help you need to reset counter on the server." + echo "If the server runs FreeBSD port of OSSEC run:" + echo "On the agent:" + echo "${ossec_rc_path} reset_counter" + echo "On the server:" + echo "${ossec_rc_path} reset_counter $(eval ${agent_ids_cmd})" + echo "${ossec_rc_path} start" + echo "On the agent:" + echo "${ossec_rc_path} fetch_config" echo fi return 1 else # The download has started while true; do - current_time=$(date +%s) - modification_time=$(stat -f %m "${ossec_merged}") + local current_time=$(date +%s) + local modification_time=$(stat -f %m "${ossec_merged}") if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then echo "Download finished." echo break; else echo "Download in progress..." - sleep 10 + sleep ${ossec_hids_fetch_read_time} fi done fi 
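Review bot: The new user-facing hint in ossec_hids_fetch_config contains a typo, `echo "If this does't help you need to reset counter on the server."` should read `echo "If this doesn't help you need to reset counter on the server."`. The path captured on the line above it is built with an unquoted `$0`; `local ossec_rc_path="$(realpath "$0")"` keeps it intact if the script path ever contains whitespace. The same hint also embeds `$(eval ${agent_ids_cmd})` to print the server-side command; if that list is empty or holds more than one ID on an agent the printed command is wrong, so the text should say "replace with this agent's ID" rather than rely on the expansion.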
@@ -262,13 +315,6 @@ ossec_hids_prepare() { ossec_hids_clean && \ ossec_hids_check || return 1 ;; - reset_counter) - ossec_hids_create_env && \ - ossec_hids_create_config && \ - ossec_hids_clean && \ - ossec_hids_reset_counter && \ - ossec_hids_check || return 1 - ;; fetch_config) ossec_hids_create_env && \ ossec_hids_create_config && \ @@ -303,6 +349,7 @@ ossec_hids_agent_conf() { ossec_hids_command() { "${ossec_home}/bin/ossec-control" "$1" + return $? } run_rc_command "$1" |
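Review bot: `return $?` added at the end of ossec_hids_command changes nothing: a shell function already exits with the status of its last command, so the line only suggests the status was previously lost. Either drop it or, if the intent is to make the contract visible, replace it with a comment, `# exit status is that of ossec-control`. The deletion of the reset_counter case in ossec_hids_prepare matches the removed reset_counter_precmd earlier in the diff; ossec_hids_prepare itself starts before this hunk.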