Diffstat (limited to 'security/ossec-hids-local/files/ossec-hids.in')
-rw-r--r-- | security/ossec-hids-local/files/ossec-hids.in | 115 |
1 files changed, 81 insertions, 34 deletions
diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in index d49f01d..aaafb8c 100644 --- a/security/ossec-hids-local/files/ossec-hids.in +++ b/security/ossec-hids-local/files/ossec-hids.in @@ -13,10 +13,10 @@ # Default: NO # ossec_hids_fetch_connect_time (int): Time in seconds to wait for the download of the shared configuration to start. # Used only by agent installation. -# Default: 20 +# Default: 30 # ossec_hids_fetch_read_time (int): Time in seconds to wait for subsequent download chunks of the shared configuration. # Used only by agent installation. -# Default: 5 +# Default: 10 . /etc/rc.subr @@ -28,8 +28,8 @@ load_rc_config $name : ${ossec_hids_enable="NO"} : ${ossec_hids_clear_log="NO"} : ${ossec_hids_clear_ar_log="NO"} -: ${ossec_hids_fetch_connect_time=20} -: ${ossec_hids_fetch_read_time=5} +: ${ossec_hids_fetch_connect_time=30} +: ${ossec_hids_fetch_read_time=10} ossec_type="%%OSSEC_TYPE%%" ossec_home="%%OSSEC_HOME%%" @@ -50,7 +50,7 @@ ossec_merged="${ossec_home}/etc/shared/merged.mg" ossec_local_time="/etc/localtime" -extra_commands="reload ossec_conf" +extra_commands="status reload ossec_conf" case ${ossec_type} in server) extra_commands="${extra_commands} agent_conf reset_counter" @@ -68,7 +68,7 @@ stop_cmd="ossec_hids_command stop" restart_cmd="ossec_hids_command restart" status_cmd="ossec_hids_command status" reload_cmd="ossec_hids_command reload" -reset_counter_cmd="ossec_hids_command start" +reset_counter_cmd="ossec_hids_reset_counter $2" fetch_config_cmd="ossec_hids_command restart" merge_config_cmd="ossec_hids_create_config force" ossec_conf_cmd="ossec_hids_ossec_conf" 
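Review bot: In the @@ -68 hunk, `reset_counter_cmd="ossec_hids_reset_counter $2"` bakes the script's second argument into the command string unquoted at assignment time, so an argument containing whitespace is word-split when rc.subr evaluates the command and an empty one is silently dropped. If this rc.subr appends the remaining arguments of `run_rc_command` to the command (FreeBSD's does, via rc_extra_args), the cleaner form is `reset_counter_cmd="ossec_hids_reset_counter"` together with `run_rc_command "$@"` at the bottom of the script; otherwise at least quote it as `reset_counter_cmd="ossec_hids_reset_counter \"$2\""`. The other hunks on this line (default values, the `status` extra command) raise nothing.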
@@ -77,9 +77,10 @@ agent_conf_cmd="ossec_hids_agent_conf" start_precmd="ossec_hids_prepare" restart_precmd="ossec_hids_prepare" reload_precmd="ossec_hids_prepare" -reset_counter_precmd="ossec_hids_prepare" fetch_config_precmd="ossec_hids_prepare" +agent_ids_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'" + ossec_hids_create_file() { local path=$1 local owner=$2 @@ -110,13 +111,17 @@ ossec_hids_check() { } ossec_hids_config_is_outdated() { - dst_file="$1" - src_dir="$2" + local dst_file="$1" + local src_dir="$2" if [ ! -e "${dst_file}" ]; then return 0 fi + if [ "${src_dir}" -nt "${dst_file}" ]; then + return 0 + fi + for src_file in $(find "${src_dir}" -maxdepth 1 -type f -name "*.conf"); do if [ "${src_file}" -nt "${dst_file}" ]; then return 0 
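Review bot: `agent_ids_cmd` in the @@ -77 hunk stores a whole pipeline in a string that is later run through `eval` (in the reset_counter and fetch_config hunks below), so `${ossec_home}` is expanded into the string now and re-parsed by the shell at every `eval` — a path with whitespace or shell metacharacters breaks or is reinterpreted, and the sed program's quoting has to survive two rounds of parsing. A function keeps the quoting in one place and needs no `eval`: `ossec_hids_agent_ids() { "${ossec_home}/bin/manage_agents" -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'; }`, with the call sites changed to `$(ossec_hids_agent_ids)`. The digits-only sed filter is what keeps the later `rm "${ossec_home}/queue/rids/${agent_id}"` confined to the rids directory, so it deserves a comment, e.g. `# Only digit-only IDs pass this filter; the value is later used as a path component.`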
@@ -179,22 +184,58 @@ ossec_hids_clean() { } ossec_hids_reset_counter() { + local reset_agent_id="$1" + case ${ossec_type} in - local) - echo "ERROR: Counters are only available for agent and server installations." + server) + if [ -z "${reset_agent_id}" ]; then + echo "ERROR: Please specify agent ID to reset counter for this agent or \"all\" to reset counters for all agents." + echo + return 1 + fi + local agent_counter=0 + if [ "${reset_agent_id}" == "all" ]; then + ossec_hids_command stop + sleep 1 + echo + for agent_id in $(eval ${agent_ids_cmd}); do + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + fi + done + else + for agent_id in $(eval ${agent_ids_cmd}); do + if [ "${reset_agent_id}" == "${agent_id}" ]; then + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + ossec_hids_command stop + sleep 1 + echo + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + fi + fi + done + fi + echo "Removed ${agent_counter} counter(s)." echo - return 1 ;; - *) - ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo - agent_ids=`${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'` - agent_counter=0 - for agent_id in ${agent_ids}; do - rm -f "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + agent) + local agent_counter=0 + for agent_id in $(eval ${agent_ids_cmd}); do + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + ossec_hids_command stop + sleep 1 + echo + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + fi done echo "Removed ${agent_counter} counter(s)." echo ;; + *) + echo "ERROR: Counters are only available for agent and server installations." + echo + return 1 + ;; esac return 0 
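Review bot: In the server branch of ossec_hids_reset_counter, an agent ID that does not appear in the `manage_agents -l` output is never reported: the loop simply finds no match, the function prints "Removed 0 counter(s)." and returns 0, so a mistyped ID looks like success. Track a match, e.g. `local agent_found=0` before the loop, `agent_found=1` inside the `if [ "${reset_agent_id}" = "${agent_id}" ]` branch, and after the loop `[ "${agent_found}" -eq 1 ] || { echo "ERROR: Unknown agent ID \"${reset_agent_id}\"."; echo; return 1; }`. The two `[ ... == ... ]` tests use the non-POSIX `==`; under `#!/bin/sh` the portable operator is `=`. The stop/sleep/rm sequence is repeated three times across the `all`, single-ID and agent cases and could be one small helper. The function's closing brace is outside the hunk.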
@@ -203,7 +244,9 @@ ossec_hids_reset_counter() { ossec_hids_fetch_config() { case ${ossec_type} in agent) - ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo + ossec_hids_command stop + sleep 1 + echo rm -f "${ossec_merged}" ossec_hids_command start || return 1 echo @@ -212,7 +255,7 @@ ossec_hids_fetch_config() { if [ ! -s "${ossec_merged}" ]; then echo "ERROR: Failed to download shared configuration from the OSSEC server." echo - ossec_log_tail=$(tail "${ossec_log}") + local ossec_log_tail=$(tail "${ossec_log}") echo "Portion of the \"${ossec_log}\":" echo "${ossec_log_tail}" echo @@ -221,25 +264,35 @@ ossec_hids_fetch_config() { echo fi if echo "${ossec_log_tail}" | grep -q "ERROR: Incorrectly formatted message from"; then - echo "If you are certain the imported agent key is correct then execute command:" - echo "$(realpath $0) reset_counter" - echo "and fetch config again:" - echo "$(realpath $0) fetch_config" + local ossec_rc_path="$(realpath $0)" + echo "If you are certain the imported agent key is correct then run:" + echo "${ossec_rc_path} reset_counter" + echo "${ossec_rc_path} fetch_config" + echo + echo "If this does't help you need to reset counter on the server." + echo "If the server runs FreeBSD port of OSSEC run:" + echo "On the agent:" + echo "${ossec_rc_path} reset_counter" + echo "On the server:" + echo "${ossec_rc_path} reset_counter $(eval ${agent_ids_cmd})" + echo "${ossec_rc_path} start" + echo "On the agent:" + echo "${ossec_rc_path} fetch_config" echo fi return 1 else # The download has started while true; do - current_time=$(date +%s) - modification_time=$(stat -f %m "${ossec_merged}") + local current_time=$(date +%s) + local modification_time=$(stat -f %m "${ossec_merged}") if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then echo "Download finished." echo break; else echo "Download in progress..." - sleep 10 + sleep ${ossec_hids_fetch_read_time} fi done fi 
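Review bot: The message added in the @@ -221 hunk, `echo "If this does't help you need to reset counter on the server."`, has a typo (`does't` should be `doesn't`). In the same hunk `local current_time=$(date +%s)` and `local modification_time=$(stat -f %m "${ossec_merged}")` (and `local ossec_log_tail=$(tail "${ossec_log}")` in the @@ -212 hunk) combine `local` with a command substitution, so a failing `stat` — for instance the merged file disappearing mid-download — leaves an empty value that the arithmetic on the next line cannot handle instead of a caught failure; declare first and assign separately, `local modification_time` then `modification_time=$(stat -f %m "${ossec_merged}") || return 1`. `$(realpath $0)` should quote the script path, `$(realpath "$0")`. ossec_hids_fetch_config starts in the @@ -203 hunk and its end is outside this view.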
@@ -262,13 +315,6 @@ ossec_hids_prepare() { ossec_hids_clean && \ ossec_hids_check || return 1 ;; - reset_counter) - ossec_hids_create_env && \ - ossec_hids_create_config && \ - ossec_hids_clean && \ - ossec_hids_reset_counter && \ - ossec_hids_check || return 1 - ;; fetch_config) ossec_hids_create_env && \ ossec_hids_create_config && \ @@ -303,6 +349,7 @@ ossec_hids_agent_conf() { ossec_hids_command() { "${ossec_home}/bin/ossec-control" "$1" + return $? } run_rc_command "$1" |
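Review bot: The `return $?` added to ossec_hids_command in the @@ -303 hunk is redundant: a shell function already returns the status of its last command, so the line changes nothing. Drop it, or if the intent was to document that the status of ossec-control is what callers see, replace it with a comment such as `# the exit status of ossec-control is this function's return value`.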