Diffstat (limited to 'security/ossec-hids-local-config/files')
44 files changed, 954 insertions, 0 deletions
diff --git a/security/ossec-hids-local-config/files/agent-conf.in b/security/ossec-hids-local-config/files/agent-conf.in
new file mode 100644
index 0000000..673d0f6
--- /dev/null
+++ b/security/ossec-hids-local-config/files/agent-conf.in
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+
+agent_conf_dir="${ossec_home}/etc/agent.conf.d"
+agent_conf_files="${agent_conf_dir}/*.conf"
+
+select_elements() {
+ local element="$1"
+ sed -n "/<${element}.*>/,/<\/${element}>/p"
+}
+
+remove_comments() {
+ # Comments must be on separate lines i.e. not next to uncommented code
+ awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
+}
+
+remove_empty_lines() {
+ sed '/^\s*$/d'
+}
+
+agent_conf() {
+
+ echo "<!-- OSSEC HIDS %%VERSION%% -->"
+ echo
+ echo "<!-- DO NOT EDIT - file generated automatically - edit \"agent.conf.d/900.local.conf\" instead -->"
+ echo
+
+ cat $@ | remove_comments | select_elements "agent_config" | remove_empty_lines
+}
+
+agent_conf "${agent_conf_files}"
diff --git a/security/ossec-hids-local-config/files/command-last-logins.sh.in b/security/ossec-hids-local-config/files/command-last-logins.sh.in
new file mode 100644
index 0000000..7bd8242
--- /dev/null
+++ b/security/ossec-hids-local-config/files/command-last-logins.sh.in
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+ossec_home="%%OSSEC_HOME%%"
+. "${ossec_home}/etc/command.conf"
+
+last -n ${last_logins}
diff --git a/security/ossec-hids-local-config/files/command-open-ports.sh.in b/security/ossec-hids-local-config/files/command-open-ports.sh.in
new file mode 100644
index 0000000..d5ba047
--- /dev/null
+++ b/security/ossec-hids-local-config/files/command-open-ports.sh.in
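Review bot: `remove_empty_lines` uses `sed '/^\s*$/d'`, and `\s` is a GNU regex extension; under FreeBSD's own sed it may not match whitespace at all, so whitespace-only lines can survive into the generated agent.conf. The portable spelling is `sed '/^[[:space:]]*$/d'`, and the awk catch-all pattern `/([\s\S]*)/` in `remove_comments` is clearer as an unconditional action, `{if (off==0) print; if (off==2) off=0}`. Both helpers are duplicated verbatim in ossec-conf.in with the same issue. The unquoted `$@` in `cat $@` is load-bearing (it is what expands the `*.conf` glob passed in `"${agent_conf_files}"`) and deserves a comment, including that an empty directory makes cat fail on the literal pattern after the DO NOT EDIT header has already been printed.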
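Review bot: `. "${ossec_home}/etc/command.conf"` executes that file as shell code rather than reading settings from it, so whoever can write command.conf runs code with the privileges of whatever executes this script. That contract is not stated anywhere on this page; a comment such as `# command.conf is sourced (executed as shell) - it must stay root-owned and not group/world-writable` above the dot line would make it explicit. The same applies to the identical line in command-open-ports.sh.in.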
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+family=$1
+protocol=$2
+ports=$3
+
+if [ -z "${ports}" ]; then
+ privileged_ports="1-$((`sysctl -n net.inet.ip.portrange.first` - 1))"
+
+ ossec_home="%%OSSEC_HOME%%"
+ . "${ossec_home}/etc/command.conf"
+
+ ports="privileged_${protocol}_ports"
+ eval ports=\$${ports}
+fi
+
+sockstat -l -${family} -P ${protocol} -p ${ports} | grep -Eo '[^[:space:]]+:[0-9]+' | sort -u
diff --git a/security/ossec-hids-local-config/files/command.conf.in b/security/ossec-hids-local-config/files/command.conf.in
new file mode 100644
index 0000000..b6ef2ad
--- /dev/null
+++ b/security/ossec-hids-local-config/files/command.conf.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+last_logins=5
+
+privileged_tcp_ports=${privileged_ports},10050-10051
+privileged_udp_ports=${privileged_ports}
diff --git a/security/ossec-hids-local-config/files/merge-config.sh.in b/security/ossec-hids-local-config/files/merge-config.sh.in
new file mode 100644
index 0000000..a7939f7
--- /dev/null
+++ b/security/ossec-hids-local-config/files/merge-config.sh.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+ossec_rc="%%OSSEC_RC%%"
+
+ACTION=$1
+USER=$2
+IP=$3
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../../tmp
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
+
+case ${ACTION} in
+ add)
+ "${ossec_rc}" merge_config
+ exit 0
+ ;;
+ delete)
+ exit 0
+ ;;
+ *)
+ echo "$0: invalid action: ${ACTION}"
+ exit 1
+ ;;
+esac
diff --git a/security/ossec-hids-local-config/files/message-agent-conf.in b/security/ossec-hids-local-config/files/message-agent-conf.in
new file mode 100644
index 0000000..8d61c0d
--- /dev/null
+++ b/security/ossec-hids-local-config/files/message-agent-conf.in
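Review bot: `eval ports=\$${ports}` builds shell code from `${protocol}`, which is taken straight from `$2`, so any caller-supplied value other than tcp or udp is evaluated as shell rather than rejected. The only callers on this page are the fixed `<command>` lines in the cmdout templates, but the script should still validate its input instead of trusting it; a `case` on the protocol selects the right variable without eval and fails loudly on anything else, as below (the fence also replaces the backticks with `$(...)`). A comment should also say that `privileged_ports` is 1 through `net.inet.ip.portrange.first - 1`, the range below FreeBSD's default ephemeral ports, not ports below 1024 as the name suggests.
```shell
if [ -z "${ports}" ]; then
  # Everything below the first ephemeral port, not just ports < 1024.
  privileged_ports="1-$(($(sysctl -n net.inet.ip.portrange.first) - 1))"
  # … unchanged: ossec_home assignment and sourcing of command.conf …
  case "${protocol}" in
    tcp) ports=${privileged_tcp_ports} ;;
    udp) ports=${privileged_udp_ports} ;;
    *) echo "$0: invalid protocol: ${protocol}" >&2; exit 1 ;;
  esac
fi
```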
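Review bot: command.conf.in is sourced by the bin/command scripts and never executed on its own, so the `#!/bin/sh` line is misleading and the file has no comment describing its contract. A header such as `# Sourced (executed as shell) by bin/command/*.sh - keep root-owned and not writable by others` followed by `# privileged_ports is set by open-ports.sh before this file is read` would explain why `${privileged_ports}` on the `privileged_tcp_ports` line is not an undefined variable and why anything written here runs with the privileges of the caller.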
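Review bot: `cd $LOCAL` and `cd ../../tmp` are neither quoted nor checked, so a failed cd silently leaves the script in an unexpected working directory before it runs `"${ossec_rc}" merge_config`; `cd "$(dirname -- "$0")/../../tmp" || exit 1` does both in one line and drops the stray `;` after the `LOCAL=` assignment. `USER=$2` also overwrites the standard USER environment variable for everything the script subsequently executes, which a lower-case local name avoids. The log line writes the raw alert arguments into active-responses.log, which template-logs-response.xml.in feeds back into OSSEC as syslog; a comment saying that this feedback loop is deliberate would stop a reader from treating it as accidental.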
@@ -0,0 +1,3 @@
+The "agent.conf" must no longer be used for configuration. It will be
+overwritten by merged "*.conf" files from the configuration directory:
+%%OSSEC_HOME%%/etc/agent.conf.d
diff --git a/security/ossec-hids-local-config/files/message-ossec-conf.in b/security/ossec-hids-local-config/files/message-ossec-conf.in
new file mode 100644
index 0000000..d6170ca
--- /dev/null
+++ b/security/ossec-hids-local-config/files/message-ossec-conf.in
@@ -0,0 +1,3 @@
+The "ossec.conf" must no longer be used for configuration. It will be
+overwritten by merged "*.conf" files from the configuration directory:
+%%OSSEC_HOME%%/etc/ossec.conf.d
diff --git a/security/ossec-hids-local-config/files/message-pf.in b/security/ossec-hids-local-config/files/message-pf.in
new file mode 100644
index 0000000..707e44b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/message-pf.in
@@ -0,0 +1,4 @@
+Add the ossec_fwtable to /etc/pf.conf if using "firewall-drop" active response:
+ table <ossec_fwtable> persist
+ block in quick from <ossec_fwtable> to any
+ block out quick from any to <ossec_fwtable>
diff --git a/security/ossec-hids-local-config/files/ossec-conf.in b/security/ossec-hids-local-config/files/ossec-conf.in
new file mode 100644
index 0000000..d28d238
--- /dev/null
+++ b/security/ossec-hids-local-config/files/ossec-conf.in
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+
+ossec_conf_dir="${ossec_home}/etc/ossec.conf.d"
+ossec_conf_files="${ossec_conf_dir}/*.conf"
+
+select_elements_content() {
+ local element="$1"
+ sed -n "/<${element}>/,/<\/${element}>/{ /<${element}>/d; /<\/${element}>/d; p; }"
+}
+
+remove_elements() {
+ local element="$1"
+ sed -e "/<${element}>/,/<\/${element}>/d"
+}
+
+remove_comments() {
+ # Comments must be on separate lines i.e. not next to uncommented code
+ awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
+}
+
+remove_empty_lines() {
+ sed '/^\s*$/d'
+}
+
+ossec_conf() {
+ echo "<!-- OSSEC HIDS %%VERSION%% -->"
+ echo
+ echo "<!-- DO NOT EDIT - file generated automatically - edit \"ossec.conf.d/900.local.conf\" instead -->"
+ echo
+ echo "<ossec_config>"
+
+ if [ "${ossec_type}" != "agent" ]; then
+ if cat $@ | remove_comments | grep -q "<rules>"; then
+ echo " <rules>"
+ cat $@ | remove_comments | select_elements_content "rules" | remove_empty_lines
+ echo " </rules>"
+ fi
+ fi
+
+ if cat $@ | remove_comments | grep -q "<rootcheck>"; then
+ echo " <rootcheck>"
+ cat $@ | remove_comments | select_elements_content "rootcheck" | remove_empty_lines
+ echo " </rootcheck>"
+ fi
+
+ if cat $@ | remove_comments | grep -q "<syscheck>"; then
+ echo " <syscheck>"
+ cat $@ | remove_comments | select_elements_content "syscheck" | remove_empty_lines
+ echo " </syscheck>"
+ fi
+
+ cat $@ | remove_comments | select_elements_content "ossec_config" | remove_elements "rules" | remove_elements "rootcheck" | remove_elements "syscheck" | remove_empty_lines
+
+ echo "</ossec_config>"
+}
+
+ossec_conf "${ossec_conf_files}"
diff --git a/security/ossec-hids-local-config/files/pkg-deinstall.in b/security/ossec-hids-local-config/files/pkg-deinstall.in
new file mode 100644
index 0000000..0de19bf
--- /dev/null
+++ b/security/ossec-hids-local-config/files/pkg-deinstall.in
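Review bot: `cat $@ | remove_comments` is re-run eight times over the whole ossec.conf.d directory inside `ossec_conf`, once per `grep -q` and once per extraction, and the `remove_comments`/`remove_empty_lines` helpers (including the non-portable `\s` pattern) are copied verbatim from agent-conf.in. Stripping comments once into a variable and feeding every later stage from it keeps the generated file identical while making the script read as one pass, as sketched below. The silent drop of any `<rules>` section when `ossec_type` is agent also deserves a one-line comment, e.g. `# only server/local installs get a <rules> block`, if that is the intent.
```shell
ossec_conf() {
  # Strip comments once; every later stage reads from this copy.
  merged=$(cat $@ | remove_comments)
  # … unchanged: header echo lines and "<ossec_config>" …
  if [ "${ossec_type}" != "agent" ]; then
    if printf '%s\n' "${merged}" | grep -q "<rules>"; then
      echo " <rules>"
      printf '%s\n' "${merged}" | select_elements_content "rules" | remove_empty_lines
      echo " </rules>"
    fi
  fi
  # … unchanged: rootcheck, syscheck and ossec_config stages, each reading "${merged}" the same way …
```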
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+ossec_home="%%OSSEC_HOME%%"
+ossec_conf="${ossec_home}/etc/ossec.conf"
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+
+if [ "$2" == "DEINSTALL" ]; then
+ rm -f "${ossec_conf}"
+ rm -f "${agent_conf}"
+fi
diff --git a/security/ossec-hids-local-config/files/pkg-install.in b/security/ossec-hids-local-config/files/pkg-install.in
new file mode 100644
index 0000000..f164b9c
--- /dev/null
+++ b/security/ossec-hids-local-config/files/pkg-install.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+ossec_home="%%OSSEC_HOME%%"
+ar_bin_dir="${ossec_home}/active-response/bin"
+ossec_conf="${ossec_home}/etc/ossec.conf"
+ossec_conf_bak="${ossec_conf}.bak"
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+agent_conf_bak="${ossec_home}/etc/agent.conf.bak"
+
+if [ "$2" == "POST-INSTALL" ]; then
+ ln -f "${ar_bin_dir}/%%FW_DROP%%" "${ar_bin_dir}/firewall-drop.sh"
+
+ if [ -e "${ossec_conf}" ]; then
+ mv -f "${ossec_conf}" "${ossec_conf_bak}"
+ echo
+ echo "WARNING:"
+ echo " Existing \"${ossec_conf}\" has been saved to \"${ossec_conf_bak}\"."
+ echo
+ fi
+
+ case "$1" in
+ ossec-hids-server*)
+ if [ -e "${agent_conf}" ]; then
+ mv -f "${agent_conf}" "${agent_conf_bak}"
+ echo
+ echo "WARNING:"
+ echo " Existing \"${agent_conf}\" has been saved to \"${agent_conf_bak}\"."
+ echo
+ fi
+ ;;
+ esac
+fi
diff --git a/security/ossec-hids-local-config/files/rules-cmdout.xml.in b/security/ossec-hids-local-config/files/rules-cmdout.xml.in
new file mode 100644
index 0000000..59e3f4b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/rules-cmdout.xml.in
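Review bot: `rm -f "${agent_conf}"` runs for every package flavour, but pkg-install.in only backs up `etc/shared/agent.conf` for `ossec-hids-server*`; on an agent install that file is typically pushed from the server rather than generated here, so deinstall would delete it without any backup. Guarding it the same way, `case "$1" in ossec-hids-server*) rm -f "${agent_conf}" ;; esac`, keeps the two scripts symmetric. Neither script restores the `.bak` copies made by pkg-install, which leaves the installation without an ossec.conf after removal; that should at least be stated in the message-ossec-conf text. Both scripts also use `[ ... == ... ]`, which is not POSIX test; `=` is the portable form under `#!/bin/sh`.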
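Review bot: `mv -f "${ossec_conf}" "${ossec_conf_bak}"` silently replaces any `.bak` left by an earlier run, so a reinstall after the user has restored or hand-edited ossec.conf overwrites the only copy of the original; a guard such as `[ -e "${ossec_conf_bak}" ] && echo "WARNING: existing ${ossec_conf_bak} will be overwritten"` or a timestamped backup name preserves it. The `ln -f` hard link to `%%FW_DROP%%` also freezes the script's current content: if the base package later replaces that file on upgrade, `firewall-drop.sh` keeps the old inode and stops receiving fixes, whereas `ln -sf` would follow it, unless a symlink was deliberately avoided here, in which case a comment should say why.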
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<group name="ossec,">
+
+ <rule id="56041" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-last-logins'</match>
+ <check_diff />
+ <description>List of the last logged in users.</description>
+ </rule>
+
+ <rule id="56042" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-tcp4-all'</match>
+ <check_diff />
+ <description>Listening IPv4 TCP port opened or closed.</description>
+ </rule>
+
+ <rule id="56043" level="7">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-tcp4'</match>
+ <check_diff />
+ <description>Listening IPv4 TCP port opened or closed.</description>
+ </rule>
+
+ <rule id="56044" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-tcp6-all'</match>
+ <check_diff />
+ <description>Listening IPv6 TCP port opened or closed.</description>
+ </rule>
+
+ <rule id="56045" level="7">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-tcp6'</match>
+ <check_diff />
+ <description>Listening IPv6 TCP port opened or closed.</description>
+ </rule>
+
+ <rule id="56046" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-udp4-all'</match>
+ <check_diff />
+ <description>Listening IPv4 UDP port opened or closed.</description>
+ </rule>
+
+ <rule id="56047" level="7">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-udp4'</match>
+ <check_diff />
+ <description>Listening IPv4 UDP port opened or closed.</description>
+ </rule>
+
+ <rule id="56048" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-udp6-all'</match>
+ <check_diff />
+ <description>Listening IPv6 UDP port opened or closed.</description>
+ </rule>
+
+ <rule id="56049" level="7">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'freebsd-open-ports-udp6'</match>
+ <check_diff />
+ <description>Listening IPv6 UDP port opened or closed.</description>
+ </rule>
+
+</group>
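Review bot: The level-7 rules (56043, 56045, 56047, 56049) carry exactly the same description as their level-1 `-all` siblings, so an alert about a new listener in the non-ephemeral range reads the same as the routine full-list diff; naming the difference, e.g. `<description>Listening IPv4 TCP port in the non-ephemeral range opened or closed.</description>`, makes triage easier. The `<match>` patterns are only kept apart by the closing quote of the alias (`'freebsd-open-ports-tcp4'` does not match the `-all` output because of it), and a short comment saying that the quote is load-bearing would stop someone from trimming it.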
diff --git a/security/ossec-hids-local-config/files/rules-config.xml.in b/security/ossec-hids-local-config/files/rules-config.xml.in
new file mode 100644
index 0000000..2853c4a
--- /dev/null
+++ b/security/ossec-hids-local-config/files/rules-config.xml.in
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<group name="ossec,">
+
+ <rule id="56001" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>%%OSSEC_HOME%%/etc/ossec.conf.d</match>
+ <description>ossec.conf.d has been modified</description>
+ </rule>
+
+ <rule id="56002" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>%%OSSEC_HOME%%/etc/ossec.conf</match>
+ <description>ossec.conf has been modified</description>
+ </rule>
+
+ <rule id="56003" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>/var/ossec/etc/ossec.conf.d</match>
+ <description>ossec.conf.d has been modified</description>
+ </rule>
+
+ <rule id="56004" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>/var/ossec/etc/ossec.conf</match>
+ <description>ossec.conf has been modified</description>
+ </rule>
+
+ <rule id="56021" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>%%OSSEC_HOME%%/etc/agent.conf.d</match>
+ <description>agent.conf.d has been modified</description>
+ </rule>
+
+ <rule id="56022" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>%%OSSEC_HOME%%/etc/shared/agent.conf</match>
+ <description>agent.conf has been modified</description>
+ </rule>
+
+ <rule id="56023" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>/var/ossec/etc/agent.conf.d</match>
+ <description>agent.conf.d has been modified</description>
+ </rule>
+
+ <rule id="56024" level="10" ignore="10">
+ <if_group>syscheck</if_group>
+ <match>/var/ossec/etc/shared/agent.conf</match>
+ <description>agent.conf has been modified</description>
+ </rule>
+
+</group>
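Review bot: `<match>` is a substring test, and `%%OSSEC_HOME%%/etc/ossec.conf` (rule 56002) is a prefix of `%%OSSEC_HOME%%/etc/ossec.conf.d` (rule 56001), so a change inside the conf.d directory is distinguishable from a change to the generated file only as long as OSSEC keeps trying same-level rules in file order and 56001 stays first; the same holds for 56003/56004 and the agent.conf pairs. Because template-ar-merge.xml.in and template-ar-restart.xml.in hang different responses off these two ids, a reordering would turn a conf.d edit into a restart without a merge. Anchoring the generated-file rules to the end of the path, e.g. `<regex>%%OSSEC_HOME%%/etc/ossec.conf'$</regex>` if the syscheck alert quotes the path (verify against a real alert), or a comment above 56001 stating that its position before 56002 is required, removes the dependency on ordering.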
diff --git a/security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in b/security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in
new file mode 100644
index 0000000..1e2dfaa
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <command>
+ <name>host-deny</name>
+ <executable>host-deny.sh</executable>
+ <expect>srcip</expect>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+ <command>
+ <name>firewall-drop</name>
+ <executable>firewall-drop.sh</executable>
+ <expect>srcip</expect>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+ <command>
+ <name>disable-account</name>
+ <executable>disable-account.sh</executable>
+ <expect>user</expect>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+ <command>
+ <name>restart-ossec</name>
+ <executable>restart-ossec.sh</executable>
+ <expect></expect>
+ </command>
+
+ <command>
+ <name>route-null</name>
+ <executable>route-null.sh</executable>
+ <expect>srcip</expect>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in b/security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in
new file mode 100644
index 0000000..ec2ec7e
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <command>
+ <name>merge-config</name>
+ <executable>merge-config.sh</executable>
+ <expect></expect>
+ </command>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in b/security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in
new file mode 100644
index 0000000..415de6c
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <active-response>
+ <!-- Block the IP on the firewall. -->
+ <!-- See: http://www.ossec.net/docs/syntax/head_ossec_config.active-response.html#active-response-options -->
+ <command>firewall-drop</command>
+ <location>local</location>
+ <level>6</level>
+ <timeout>600</timeout>
+ </active-response>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in b/security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in
new file mode 100644
index 0000000..59b3488
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <active-response>
+ <!-- Deny the IP in "/etc/hosts.allow" or "/etc/hosts.deny". -->
+ <command>host-deny</command>
+ <location>local</location>
+ <level>6</level>
+ <timeout>600</timeout>
+ </active-response>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-ar-merge.xml.in b/security/ossec-hids-local-config/files/template-ar-merge.xml.in
new file mode 100644
index 0000000..f38d226
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-ar-merge.xml.in
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <active-response>
+ <!-- Create "ossec.conf" and "agent.conf" if "ossec.conf.d/*" or "agent.conf.d/*" files change. -->
+ <command>merge-config</command>
+ <location>local</location>
+ <rules_id>56001,56003,56021,56023</rules_id>
+ </active-response>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-ar-restart.xml.in b/security/ossec-hids-local-config/files/template-ar-restart.xml.in
new file mode 100644
index 0000000..064167e
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-ar-restart.xml.in
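Review bot: `<level>6</level>` with no `<rules_id>` blocks the source address of every alert at level 6 or above, which includes many noisy signatures from the rule sets listed in template-rules-default.xml.in, and the only address excluded anywhere on this page is the `127.0.0.1` in the sample `<white_list>` entries. A comment here recommending that the OSSEC server, management and monitoring hosts be added to `<white_list>` before this response is enabled, e.g. `<!-- Add your own management hosts to <white_list> first, or a level-6 alert from them will lock you out for the timeout period. -->`, would prevent the usual self-lockout. template-ar-hostdeny.xml.in has the same threshold and the same gap.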
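Review bot: Rules 56001/56003/56021/56023 sit in the syscheck group, so this response only fires if `%%OSSEC_HOME%%/etc` is a monitored directory, and none of the syscheck templates on this page adds it: template-syscheck-default.xml.in lists /bin, /sbin, /usr/bin, /usr/sbin, /etc and `%%PREFIX%%`/{bin,sbin,etc}, which only covers OSSEC_HOME if it happens to live under one of those paths. A comment stating the dependency, `<!-- Requires %%OSSEC_HOME%%/etc to be covered by a <syscheck> <directories> entry. -->`, or an explicit directories entry in the syscheck template, would make the mechanism reliable. The same comment should note that once this response is on, write access to the conf.d directories is what gates the effective configuration, because every change there is merged and then, via rules 56002/56004/56022/56024 in template-ar-restart.xml.in, restarts OSSEC automatically.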
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <active-response>
+ <!-- Restart OSSEC if "ossec.conf" or "agent.conf" changes. -->
+ <command>restart-ossec</command>
+ <location>local</location>
+ <rules_id>56002,56004,56022,56024</rules_id>
+ </active-response>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in b/security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in
new file mode 100644
index 0000000..88975ca
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/last-logins.sh</command>
+ <alias>freebsd-last-logins</alias>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in b/security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in
new file mode 100644
index 0000000..c602821
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 tcp 1-65535</command>
+ <alias>freebsd-open-ports-tcp4-all</alias>
+ </localfile>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 tcp</command>
+ <alias>freebsd-open-ports-tcp4</alias>
+ </localfile>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 tcp 1-65535</command>
+ <alias>freebsd-open-ports-tcp6-all</alias>
+ </localfile>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 tcp</command>
+ <alias>freebsd-open-ports-tcp6</alias>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in b/security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in
new file mode 100644
index 0000000..d5c3fc8
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 udp 1-65535</command>
+ <alias>freebsd-open-ports-udp4-all</alias>
+ </localfile>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 udp</command>
+ <alias>freebsd-open-ports-udp4</alias>
+ </localfile>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 udp 1-65535</command>
+ <alias>freebsd-open-ports-udp6-all</alias>
+ </localfile>
+
+ <localfile>
+ <log_format>full_command</log_format>
+ <command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 udp</command>
+ <alias>freebsd-open-ports-udp6</alias>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-header-disabled.xml.in b/security/ossec-hids-local-config/files/template-header-disabled.xml.in
new file mode 100644
index 0000000..627fa27
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-header-disabled.xml.in
@@ -0,0 +1,10 @@
+<!-- OSSEC HIDS %%VERSION%% -->
+
+<!-- DO NOT EDIT - file generated automatically using disabled port options -->
+
+<!--
+ You can indirectly edit this file by copying it to the parent directory.
+ The copied file will not be deleted or modified during port removal or
+ upgrades.
+-->
+
diff --git a/security/ossec-hids-local-config/files/template-header-enabled.xml.in b/security/ossec-hids-local-config/files/template-header-enabled.xml.in
new file mode 100644
index 0000000..224916b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-header-enabled.xml.in
@@ -0,0 +1,4 @@
+<!-- OSSEC HIDS %%VERSION%% -->
+
+<!-- DO NOT EDIT - file generated automatically using enabled port options -->
+
diff --git a/security/ossec-hids-local-config/files/template-header-sample.xml.in b/security/ossec-hids-local-config/files/template-header-sample.xml.in
new file mode 100644
index 0000000..e0772c3
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-header-sample.xml.in
@@ -0,0 +1 @@
+<!-- Place customized configuration here - it will not be overwritten during upgrades. -->
diff --git a/security/ossec-hids-local-config/files/template-logs-apache.xml.in b/security/ossec-hids-local-config/files/template-logs-apache.xml.in
new file mode 100644
index 0000000..b88ed1a
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-apache.xml.in
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_APACHE_PROFILE%%">
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/httpd-error.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/httpd-access.log</location>
+ </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_APACHE_PROFILE%%">
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/apache2/error.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/apache2/access.log</location>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-logs-default.xml.in b/security/ossec-hids-local-config/files/template-logs-default.xml.in
new file mode 100644
index 0000000..47b9a77
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-default.xml.in
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_DEFAULT_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/maillog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/messages</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/security</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/userlog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/xferlog</location>
+ </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_DEFAULT_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/kern.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/mail.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/messages</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-logs-nginx.xml.in b/security/ossec-hids-local-config/files/template-logs-nginx.xml.in
new file mode 100644
index 0000000..7d25cf8
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-nginx.xml.in
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_NGINX_PROFILE%%">
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/nginx/error.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/nginx/access.log</location>
+ </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_NGINX_PROFILE%%">
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/nginx/error.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/nginx/access.log</location>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-logs-radius.xml.in b/security/ossec-hids-local-config/files/template-logs-radius.xml.in
new file mode 100644
index 0000000..0b10c4b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-radius.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_RADIUS_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/radius.log</location>
+ </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_RADIUS_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/freeradius/radius.log</location>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-logs-response.xml.in b/security/ossec-hids-local-config/files/template-logs-response.xml.in
new file mode 100644
index 0000000..17828ea
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-response.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_RESPONSE_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>%%OSSEC_HOME%%/logs/active-responses.log</location>
+ </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_RESPONSE_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/ossec/logs/active-responses.log</location>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in b/security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in
new file mode 100644
index 0000000..9f63a21
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%LOGS_VSFTPD_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/vsftpd.log</location>
+ </localfile>
+
+</template_config>
+
+<template_config os="Linux" profile="%%LOGS_VSFTPD_PROFILE%%">
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/vsftpd.log</location>
+ </localfile>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in
new file mode 100644
index 0000000..63e5f1e
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%ROOTCHECK_PROFILE%%">
+
+ <rootcheck>
+ <rootkit_files>%%OSSEC_HOME%%/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>%%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+ <system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt</system_audit>
+ <system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt</system_audit>
+ </rootcheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%ROOTCHECK_PROFILE%%">
+
+ <rootcheck>
+ <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+ <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
+ </rootcheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rules-cmdout.xml.in b/security/ossec-hids-local-config/files/template-rules-cmdout.xml.in
new file mode 100644
index 0000000..482efd6
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rules-cmdout.xml.in
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <rules>
+ <include>freebsd_cmdout_rules.xml</include>
+ </rules>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rules-config.xml.in b/security/ossec-hids-local-config/files/template-rules-config.xml.in
new file mode 100644
index 0000000..2e9102f
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rules-config.xml.in
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <rules>
+ <include>freebsd_config_rules.xml</include>
+ </rules>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-rules-default.xml.in b/security/ossec-hids-local-config/files/template-rules-default.xml.in
new file mode 100644
index 0000000..e7c18be
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-rules-default.xml.in
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <rules>
+ <include>rules_config.xml</include>
+ <include>ossec_rules.xml</include>
+ <include>syslog_rules.xml</include>
+ <include>sendmail_rules.xml</include>
+ <include>postfix_rules.xml</include>
+ <include>spamd_rules.xml</include>
+ <include>imapd_rules.xml</include>
+ <include>mailscanner_rules.xml</include>
+ <include>ms-exchange_rules.xml</include>
+ <include>courier_rules.xml</include>
+ <include>firewall_rules.xml</include>
+ <include>pix_rules.xml</include>
+ <include>netscreenfw_rules.xml</include>
+ <include>cisco-ios_rules.xml</include>
+ <include>sonicwall_rules.xml</include>
+ <include>pam_rules.xml</include>
+ <include>telnetd_rules.xml</include>
+ <include>sshd_rules.xml</include>
+ <include>solaris_bsm_rules.xml</include>
+ <include>asterisk_rules.xml</include>
+ <include>ms_dhcp_rules.xml</include>
+ <include>arpwatch_rules.xml</include>
+ <include>symantec-av_rules.xml</include>
+ <include>symantec-ws_rules.xml</include>
+ <include>trend-osce_rules.xml</include>
+ <include>hordeimp_rules.xml</include>
+ <include>roundcube_rules.xml</include>
+ <include>wordpress_rules.xml</include>
+ <include>cimserver_rules.xml</include>
+ <include>dovecot_rules.xml</include>
+ <include>vmpop3d_rules.xml</include>
+ <include>vpopmail_rules.xml</include>
+ <include>ftpd_rules.xml</include>
+ <include>proftpd_rules.xml</include>
+ <include>pure-ftpd_rules.xml</include>
+ <include>vsftpd_rules.xml</include>
+ <include>ms_ftpd_rules.xml</include>
+ <include>named_rules.xml</include>
+ <include>exim_rules.xml</include>
+ <include>smbd_rules.xml</include>
+ <include>racoon_rules.xml</include>
+ <include>vpn_concentrator_rules.xml</include>
+ <include>msauth_rules.xml</include>
+ <include>mcafee_av_rules.xml</include>
+ <include>ms-se_rules.xml</include>
+ <include>vmware_rules.xml</include>
+ <include>ids_rules.xml</include>
+ <include>apache_rules.xml</include>
+ <include>web_rules.xml</include>
+ <include>zeus_rules.xml</include>
+ <include>nginx_rules.xml</include>
+ <include>php_rules.xml</include>
+ <include>web_appsec_rules.xml</include>
+ <include>squid_rules.xml</include>
+ <include>attack_rules.xml</include>
+ <include>systemd_rules.xml</include>
+ <include>firewalld_rules.xml</include>
+ <include>mysql_rules.xml</include>
+ <include>postgresql_rules.xml</include>
+ <include>dropbear_rules.xml</include>
+ <include>openbsd_rules.xml</include>
+ <include>apparmor_rules.xml</include>
+ <include>clam_av_rules.xml</include>
+ <include>openbsd-dhcpd_rules.xml</include>
+ <include>nsd_rules.xml</include>
+ <include>owncloud_rules.xml</include>
+ <include>proxmox-ve_rules.xml</include>
+ <include>opensmtpd_rules.xml</include>
+ <include>psad_rules.xml</include>
+ <include>sysmon_rules.xml</include>
+ <include>unbound_rules.xml</include>
+ <include>local_rules.xml</include>
+
+ <!-- Files not included by default -->
+ <!--<include>policy_rules.xml</include>-->
+ </rules>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-sample-agent.xml.in b/security/ossec-hids-local-config/files/template-sample-agent.xml.in
new file mode 100644
index 0000000..8a2fa7b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-sample-agent.xml.in
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <client>
+ <!-- Specify the IP address of the %%PORTNAME%% server. -->
+ <server-ip>1.2.3.4</server-ip>
+ <!-- Alternatively, specify the hostname of the %%PORTNAME%% server. -->
+ <!-- <server-hostname>example.com</server-hostname> -->
+
+ <!-- Specifies the agent.conf profiles to be used by the agent. Multiple profiles can be included, separated by a comma and a space. -->
+ <!-- <config-profile>%%CLIENT_PROFILES%%</config-profile> -->
+ </client>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-sample-database.xml.in b/security/ossec-hids-local-config/files/template-sample-database.xml.in
new file mode 100644
index 0000000..80f156f
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-sample-database.xml.in
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+ <!-- Run "%%OSSEC_HOME%%/bin/ossec-control enable database" to enable ossec-dbd. -->
+ <database_output>
+ <hostname>localhost</hostname>
+ <username>ossec</username>
+ <password>secret</password>
+ <database>ossec</database>
+ <type>%%DB_TYPE%%</type>
+ </database_output>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-sample-local.xml.in b/security/ossec-hids-local-config/files/template-sample-local.xml.in
new file mode 100644
index 0000000..bf1ec5c
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-sample-local.xml.in
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <global>
+ <!-- Uncomment to enable email notifications. -->
+ <!--
+ <email_notification>yes</email_notification>
+ <email_to>example@example.com</email_to>
+ <smtp_server>smtp.example.com</smtp_server>
+ <email_from>ossecm@example.com</email_from>
+ -->
+
+ <!-- List of IP addresses that should never be blocked by the active response (one per element). -->
+ <white_list>127.0.0.1</white_list>
+ </global>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-sample-server.xml.in b/security/ossec-hids-local-config/files/template-sample-server.xml.in
new file mode 100644
index 0000000..d4efd19
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-sample-server.xml.in
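Review bot: The sample ships a working-looking credential, `<password>secret</password>`, in a file the header comments on this page invite users to copy into the live configuration directory; a value that cannot be mistaken for a real setting, e.g. `<password>CHANGE_ME</password>`, plus a comment that the copied file must not be group- or world-readable because the password is stored in clear text, would be safer. The `1.2.3.4` addresses in template-sample-agent.xml.in and template-sample-server.xml.in are the same kind of placeholder and could be marked the same way.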
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+
+ <remote>
+ <connection>secure</connection>
+ <!-- Because of a bug, setting the address is mandatory for IPv4. -->
+ <local_ip>1.2.3.4</local_ip>
+ </remote>
+
+ <global>
+ <!-- Uncomment to enable email notifications. -->
+ <!--
+ <email_notification>yes</email_notification>
+ <email_to>example@example.com</email_to>
+ <smtp_server>smtp.example.com</smtp_server>
+ <email_from>ossecm@example.com</email_from>
+ -->
+
+ <!-- List of IP addresses that should never be blocked by the active response (one per element). -->
+ <white_list>127.0.0.1</white_list>
+ </global>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-default.xml.in b/security/ossec-hids-local-config/files/template-syscheck-default.xml.in
new file mode 100644
index 0000000..78ae8f8
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-syscheck-default.xml.in
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories>
+ <directories realtime="yes" check_all="yes">/etc,%%PREFIX%%/etc</directories>
+ </syscheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
+ <directories realtime="yes" check_all="yes">/etc,/usr/local/etc</directories>
+ </syscheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in
new file mode 100644
index 0000000..f35f4d5
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in
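Review bot: The comment `<!-- Because of a bug, setting the address is mandatory for IPv4. -->` above `<local_ip>` does not identify the bug, so a later maintainer cannot tell when the workaround can be dropped or whether it still applies to the packaged version. Reference the upstream report in the comment, e.g. `<!-- Workaround for upstream issue <UPSTREAM-ISSUE-ID>: the remote daemon requires local_ip for IPv4. -->`, with the real identifier filled in.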
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <ignore>/etc/hosts.allow</ignore>
+ </syscheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <ignore>/etc/hosts.deny</ignore>
+ </syscheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in
new file mode 100644
index 0000000..7a303e5
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <alert_new_files>yes</alert_new_files>
+ </syscheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <alert_new_files>yes</alert_new_files>
+ </syscheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in
new file mode 100644
index 0000000..03f5943
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <auto_ignore>no</auto_ignore>
+ </syscheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <auto_ignore>no</auto_ignore>
+ </syscheck>
+
+</template_config>
diff --git a/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in
new file mode 100644
index 0000000..8342f63
--- /dev/null
+++ b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in
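Review bot: The `<ignore>/etc/hosts.allow</ignore>` and `<ignore>/etc/hosts.deny</ignore>` entries carry no comment explaining why these files are excluded from integrity checking, and the exclusion means a manual edit of either file is never alerted on. If, as the file name suggests, the reason is that the host-deny active response rewrites them, say so above each element, e.g. `<!-- Rewritten by the host-deny active response; excluded so its own edits do not raise alerts. Do not use this profile if that response is disabled. -->`. The reason is inferred from the file name only; confirm it before adding the comment.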
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_BIN_DIRS%%</directories>
+ <directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_ETC_DIRS%%</directories>
+ </syscheck>
+
+</template_config>
+
+<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
+
+ <syscheck>
+ <directories realtime="yes" check_all="yes">/var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless</directories>
+ <directories realtime="yes" check_all="yes">/var/ossec/etc,/var/ossec/rules</directories>
+ </syscheck>
+
+</template_config>
|