| author | Dominik Lisiak <dominik.lisiak@bemsoft.pl> | 2018-10-28 07:43:57 +0100 | 
|---|---|---|
| committer | Dominik Lisiak <dominik.lisiak@bemsoft.pl> | 2018-10-28 07:43:57 +0100 | 
| commit | d5aba60f9d156b9532549555b3293958ca4de18f (patch) | |
| tree | aacbcd28877ad35db5aefead15c8724c53343106 | |
| parent | Added config_profile and manage_agent commands. (diff) | |
| download | ossec-d5aba60f9d156b9532549555b3293958ca4de18f.tar.xz | |
Added help command.
| -rw-r--r-- | security/ossec-hids-local/files/ossec-hids.in | 222 | 
1 files changed, 151 insertions, 71 deletions
diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in index 4af1d93..c044f24 100644 --- a/security/ossec-hids-local/files/ossec-hids.in +++ b/security/ossec-hids-local/files/ossec-hids.in @@ -50,13 +50,13 @@ ossec_merged="${ossec_home}/etc/shared/merged.mg"  ossec_local_time="/etc/localtime" -extra_commands="status reload ossec_conf" +extra_commands="help status reload ossec_conf"  case ${ossec_type} in      server) -        extra_commands="${extra_commands} manage_agent reset_counter agent_conf" +        extra_commands="${extra_commands} agent_conf manage_agent reset_counter"          ;;      agent) -        extra_commands="${extra_commands} manage_agent reset_counter config_profile fetch_config" +        extra_commands="${extra_commands} agent_conf manage_agent reset_counter config_profile fetch_config"          ;;  esac  if [ -x "${ossec_conf_bin}" ]; then @@ -66,6 +66,7 @@ fi  ossec_rc_command=$1  shift 1 +help_cmd="ossec_hids_help $@"  start_cmd="ossec_hids_command start $@"  stop_cmd="ossec_hids_command stop $@"  restart_cmd="ossec_hids_command restart $@" 
@@ -88,6 +89,98 @@ fetch_config_precmd="${start_precmd}"  agent_ids_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'"  agent_names_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*Name:[[:space:]]*([^,]+).*|\1|p'" +ossec_hids_help() { +    local indent="    " +    for command in ${extra_commands}; do +        case ${command} in +            ossec_conf) +                echo "${command}" +                if [ -x "${ossec_conf_bin}" ]; then +                    echo "${indent}Displays the \"ossec.conf\" as it would have been produced" +                    echo "${indent}by merging files from \"ossec.conf.d\" directory." +                    echo "${indent}Does not overwrite the actual \"ossec.conf\"." +                else +                    echo "${indent}Displays the current \"ossec.conf\"." +                fi +                echo +            ;; +            agent_conf) +                echo "${command}" +                if [ -x "${agent_conf_bin}" ]; then +                    echo "${indent}Displays the \"agent.conf\" as it would have been produced" +                    echo "${indent}by merging files from \"agent.conf.d\" directory." +                    echo "${indent}Does not overwrite the actual \"agent.conf\"." +                else +                    echo "${indent}Displays the current \"agent.conf\"." +                fi +                echo +            ;; +            manage_agent) +                echo "${command} [...]" +                echo "${indent}Executes OSSEC Agent Manager." +                echo "${indent}Any additional arguments will be passed along (-h for help)." +                echo "${indent}Use this command to export and import agent keys." 
+                echo +            ;; +            reset_counter) +                case ${ossec_type} in +                    server) +                        echo "${command} <agent_name>" +                        echo "${indent}Stops the OSSEC and resets (removes) the replay attack prevention counter(s)." +                        echo "${indent}Only the counter for the given <agent_name> is reset." +                        echo "${indent}If the <agent_name> is \"-\", then counters for all agents are reset." +                    ;; +                    agent) +                        echo "${command}" +                        echo "${indent}Stops the OSSEC and resets (removes) the replay attack prevention counter." +                    ;; +                esac +                echo "${indent}Use this command on both the server and the agent to bring back connectivity." +                echo "${indent}The typical scenario for desynchronization of counters is one of the OSSEC" +                echo "${indent}instances has been restored from backup." +                echo "${indent}Use the following procedure:" +                echo "${indent}1. Reset counter on the agent." +                echo "${indent}2. Reset counter on the server for that specific agent." +                echo "${indent}3. Start the server." +                echo "${indent}4. Start the agent." +                echo +            ;; +            config_profile) +                echo "${command}" +                echo "${indent}Displays a list (i.e. union of sets) of applicable (to this agent) configuration" +                echo "${indent}profiles sent by the server (current \"agent.conf\") merged with configuration" +                echo "${indent}profiles enabled on this agent (current \"ossec.conf\"). 
Each entry on the list" +                echo "${indent}is marked with one of the following markers:" +                echo "${indent}(+) - The profile is sent by the server and is enabled on this agent." +                echo "${indent}(-) - The profile is sent by the server and is applicable for this agent, but is" +                echo "${indent}      not enabled in the \"ossec.conf\"." +                echo "${indent}(?) - The profile is enabled on this agent, but is not sent by the server or is" +                echo "${indent}      not applicable to this agent." +                echo +            ;; +            fetch_config) +                echo "${command}" +                echo "${indent}(Re)starts the agent with a fresh copy of server shared configuration (including" +                echo "${indent}\"agent.conf\"). Command can also be used to ensure server connectivity." +                echo +            ;; +            merge_config) +                echo "${command}" +                echo "${indent}Creates \"ossec.conf\" by merging files from \"ossec.conf.d\" directory." +                case ${ossec_type} in +                    server) +                        echo "${indent}Creates \"agent.conf\" by merging files from \"agent.conf.d\" directory." +                    ;; +                esac +                echo "${indent}Usually you do not need to run this command, because configuration files will" +                echo "${indent}be merged before OSSEC startup if any of them has been modified/created/deleted" +                echo "${indent}since the last merging. This command, however, does merging unconditionally." +                echo +            ;; +        esac +    done +} +  ossec_hids_create_file() {      local path=$1      local owner=$2 
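Review bot: The `case ${command}` in ossec_hids_help has no arm for `help`, `status` or `reload`, although the hunk at -50 puts all three at the head of `extra_commands`, so the `help` output silently skips them; add arms for them, or at least a fallback `*) echo "${command}"; echo ;;` so every advertised command is listed. The `merge_config` arm only prints if that word is present in `extra_commands`, and nothing in this hunk or the hunk at -50 adds it — presumably the `if [ -x "${ossec_conf_bin}" ]` block just after that hunk appends it, which is worth confirming. A short header comment such as `# Prints usage for every command in ${extra_commands}, in rc.subr order` would also help the next reader. The whole function lies inside the hunk.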
@@ -281,6 +374,10 @@ ossec_hids_clean() {  ossec_hids_reset_counter() {      local agent_name="$1" +    ossec_hids_command stop +    sleep 1 +    echo +      case ${ossec_type} in          server)              if [ -z "${agent_name}" ]; then @@ -290,9 +387,6 @@ ossec_hids_reset_counter() {              fi              local agent_counter=0              if [ "${agent_name}" == "-" ]; then -                ossec_hids_command stop -                sleep 1 -                echo                  for agent_id in $(eval ${agent_ids_cmd}); do                      if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then                          rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) @@ -302,9 +396,6 @@ ossec_hids_reset_counter() {                  local agent_id=`${ossec_home}/bin/manage_agents -l | sed -En -e "s|.*ID:[[:space:]]*([[:digit:]]+),[[:space:]]*Name:[[:space:]]${agent_name},.*|\1|p"`                  if [ -n "${agent_id}" ]; then                      if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then -                        ossec_hids_command stop -                        sleep 1 -                        echo                          rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1))                      fi                  fi @@ -317,9 +408,6 @@ ossec_hids_reset_counter() {              for agent_id in $(eval ${agent_ids_cmd}); do                  # Should be executed only once                  if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then -                    ossec_hids_command stop -                    sleep 1 -                    echo                      rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1))                  fi              done 
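Review bot: ossec_hids_reset_counter now stops OSSEC unconditionally at its top (`ossec_hids_command stop; sleep 1; echo`), before the server-side `-z "${agent_name}"` argument check and before any test that a counter file under `${ossec_home}/queue/rids` exists, whereas the removed copies only stopped the service once a counter was actually about to be removed. A call with a missing or unknown agent name therefore leaves the service stopped while resetting nothing; the body of the `-z` branch and the tail of the function are outside the hunk, so whether either path restarts it is not visible here. Consider moving the three lines below the argument validation, or stopping only once a counter file has been found. The same relocation appears in the hunks at -290, -302 and -317.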
@@ -332,70 +420,62 @@ ossec_hids_reset_counter() {  }  ossec_hids_fetch_config() { -    case ${ossec_type} in -        agent) -            ossec_hids_command stop -            sleep 1 +    ossec_hids_command stop +    sleep 1 +    echo +    rm -f "${ossec_merged}" +    ossec_hids_command start || return 1 +    echo +    echo "Waiting ${ossec_hids_fetch_connect_time} seconds for the shared configuration download to start." +    sleep ${ossec_hids_fetch_connect_time} +    if [ ! -s "${ossec_merged}" ]; then +        echo "ERROR: Failed to download shared configuration from the OSSEC server." +        echo +        local ossec_log_tail=$(tail "${ossec_log}") +        echo "Portion of the \"${ossec_log}\":" +        echo "${ossec_log_tail}" +        echo +        if echo "${ossec_log_tail}" | grep -q "ERROR: Unable to send message to"; then +            echo "Check if your configuration contains the correct server address in \"server-ip\" option."              echo -            rm -f "${ossec_merged}" -            ossec_hids_command start || return 1 +        else +            local ossec_rc_path="$(realpath $0)" +            echo "Is the imported agent key correct? To import it run:" +            echo "${ossec_rc_path} manage_agent"              echo -            echo "Waiting ${ossec_hids_fetch_connect_time} seconds for the shared configuration download to start." -            sleep ${ossec_hids_fetch_connect_time} -            if [ ! -s "${ossec_merged}" ]; then -                echo "ERROR: Failed to download shared configuration from the OSSEC server." 
-                echo -                local ossec_log_tail=$(tail "${ossec_log}") -                echo "Portion of the \"${ossec_log}\":" -                echo "${ossec_log_tail}" +            echo "If you are certain the imported agent key is correct, then run:" +            echo "${ossec_rc_path} reset_counter" +            echo "${ossec_rc_path} fetch_config" +            echo +            echo "If this does't help, you need to reset counter on the server." +            echo "If the server runs FreeBSD port of OSSEC, run:" +            echo "On the agent:" +            echo "${ossec_rc_path} reset_counter" +            echo "On the server:" +            echo "${ossec_rc_path} reset_counter $(eval ${agent_names_cmd})" +            echo "${ossec_rc_path} start" +            echo "On the agent:" +            echo "${ossec_rc_path} fetch_config" +            echo +        fi +        ossec_hids_command stop +        return 1 +    else +        # The download has started +        while true; do +            local current_time=$(date +%s) +            local modification_time=$(stat -f %m "${ossec_merged}") +            if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then +                echo "Download finished."                  echo -                if echo "${ossec_log_tail}" | grep -q "ERROR: Unable to send message to"; then -                    echo "Check if your configuration contains the correct server address in \"server-ip\" option." -                    echo -                else -                    local ossec_rc_path="$(realpath $0)" -                    echo "Is the imported agent key correct? 
To import it run:" -                    echo "${ossec_rc_path} manage_agent" -                    echo -                    echo "If you are certain the imported agent key is correct then run:" -                    echo "${ossec_rc_path} reset_counter" -                    echo "${ossec_rc_path} fetch_config" -                    echo -                    echo "If this does't help you need to reset counter on the server." -                    echo "If the server runs FreeBSD port of OSSEC run:" -                    echo "On the agent:" -                    echo "${ossec_rc_path} reset_counter" -                    echo "On the server:" -                    echo "${ossec_rc_path} reset_counter $(eval ${agent_names_cmd})" -                    echo "${ossec_rc_path} start" -                    echo "On the agent:" -                    echo "${ossec_rc_path} fetch_config" -                    echo -                fi -                return 1 +                ossec_hids_command restart || return 1 +                break;              else -                # The download has started -                while true; do -                    local current_time=$(date +%s) -                    local modification_time=$(stat -f %m "${ossec_merged}") -                    if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then -                        echo "Download finished." -                        echo -                        ossec_hids_command restart || return 1 -                        break; -                    else -                        echo "Download in progress..." -                        sleep ${ossec_hids_fetch_read_time} -                    fi -                done +                echo "Download in progress..." +                sleep ${ossec_hids_fetch_read_time}              fi -            ;; -        *) -            echo "ERROR: Shared configuration is only available for agent installations." 
-            echo -            return 1 -            ;; -    esac +        done +    fi      return 0  }  | 
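Review bot: The agent-only guard is gone from ossec_hids_fetch_config: the `*)` arm that printed `ERROR: Shared configuration is only available for agent installations.` and returned 1 is removed, and the body now runs for any `${ossec_type}`. The only remaining protection is that the hunk at -50 leaves `fetch_config` out of the server's `extra_commands`, so a direct call path or a later edit to that list would stop a server, delete `${ossec_merged}` and wait for a download that never comes. Keeping a one-line guard at the top, `[ "${ossec_type}" = "agent" ] || { echo "ERROR: Shared configuration is only available for agent installations."; return 1; }`, preserves the check at no cost. Separately, the reworded message still reads `does't`; `doesn't` is intended. The whole function lies inside the hunk.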
