Diffstat (limited to 'security/ossec-hids-local/files')
6 files changed, 102 insertions, 128 deletions
diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in index 08efa1d..d49f01d 100644 --- a/security/ossec-hids-local/files/ossec-hids.in +++ b/security/ossec-hids-local/files/ossec-hids.in @@ -5,15 +5,18 @@ # BEFORE: LOGIN # KEYWORD: shutdown -# ossec_hids_enable (bool): Set it to YES to enable %%PORTNAME%%. -# Default: NO -# ossec_hids_clear_log (bool): Set it to YES to clear ossec.log before %%PORTNAME%% startup. -# Default: NO -# ossec_hids_clear_ar_log (bool): Set it to YES to clear active-responses.log before %%PORTNAME%% startup. -# Default: NO -# ossec_hids_fetch_time (int): Time in seconds to wait for the shared configuration to be downloaded from the server. -# Used only by agent installation. -# Default: 60 +# ossec_hids_enable (bool): Set it to YES to enable %%PORTNAME%%. +# Default: NO +# ossec_hids_clear_log (bool): Set it to YES to clear ossec.log before %%PORTNAME%% startup. +# Default: NO +# ossec_hids_clear_ar_log (bool): Set it to YES to clear active-responses.log before %%PORTNAME%% startup. +# Default: NO +# ossec_hids_fetch_connect_time (int): Time in seconds to wait for the download of the shared configuration to start. +# Used only by agent installation. +# Default: 20 +# ossec_hids_fetch_read_time (int): Time in seconds to wait for subsequent download chunks of the shared configuration. +# Used only by agent installation. +# Default: 5 . /etc/rc.subr @@ -25,7 +28,8 @@ load_rc_config $name : ${ossec_hids_enable="NO"} : ${ossec_hids_clear_log="NO"} : ${ossec_hids_clear_ar_log="NO"} -: ${ossec_hids_fetch_time=60} +: ${ossec_hids_fetch_connect_time=20} +: ${ossec_hids_fetch_read_time=5} ossec_type="%%OSSEC_TYPE%%" ossec_home="%%OSSEC_HOME%%" 
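Review bot: The new defaults `: ${ossec_hids_fetch_connect_time=20}` and `: ${ossec_hids_fetch_read_time=5}` are later passed unquoted to `sleep` and used inside `$(( ... ))` in ossec_hids_fetch_config, so a non-numeric value in rc.conf surfaces as a shell arithmetic error half-way through the fetch instead of a clear message. A guard right after these defaults, e.g. `case "${ossec_hids_fetch_connect_time}${ossec_hids_fetch_read_time}" in *[!0-9]*) err 1 "ossec_hids_fetch_*_time must be a non-negative integer" ;; esac`, rejects bad values before any daemon is stopped. rc.conf is root-owned, so this is a robustness point rather than a trust-boundary issue.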
@@ -46,16 +50,13 @@ ossec_merged="${ossec_home}/etc/shared/merged.mg" ossec_local_time="/etc/localtime" -ossec_fts_queue="${ossec_home}/queue/fts/fts-queue" -ossec_ig_queue="${ossec_home}/queue/fts/ig-queue" - extra_commands="reload ossec_conf" case ${ossec_type} in server) - extra_commands="${extra_commands} agent_conf" + extra_commands="${extra_commands} agent_conf reset_counter" ;; agent) - extra_commands="${extra_commands} fetch_config" + extra_commands="${extra_commands} fetch_config reset_counter" ;; esac if [ -x "${ossec_conf_bin}" ]; then @@ -67,14 +68,16 @@ stop_cmd="ossec_hids_command stop" restart_cmd="ossec_hids_command restart" status_cmd="ossec_hids_command status" reload_cmd="ossec_hids_command reload" +reset_counter_cmd="ossec_hids_command start" fetch_config_cmd="ossec_hids_command restart" -merge_config_cmd="ossec_hids_create_configs force" +merge_config_cmd="ossec_hids_create_config force" ossec_conf_cmd="ossec_hids_ossec_conf" agent_conf_cmd="ossec_hids_agent_conf" start_precmd="ossec_hids_prepare" restart_precmd="ossec_hids_prepare" reload_precmd="ossec_hids_prepare" +reset_counter_precmd="ossec_hids_prepare" fetch_config_precmd="ossec_hids_prepare" ossec_hids_create_file() { @@ -91,12 +94,14 @@ ossec_hids_check() { case ${ossec_type} in server) if [ ! -s "${ossec_client_keys}" ]; then - echo "WARNING: There are no client keys created - remote connections will be disabled" + echo "WARNING: There are no client keys created - remote connections will be disabled." + echo fi ;; agent) if [ ! -s "${ossec_client_keys}" ]; then - echo "WARNING: There are is no client key imported - connection to server not possible" + echo "WARNING: There are is no client key imported - connection to server not possible." + echo fi ;; esac @@ -121,7 +126,7 @@ ossec_hids_config_is_outdated() { return 1 } -ossec_hids_create_configs() { +ossec_hids_create_config() { case ${ossec_type} in server) if [ -x "${agent_conf_bin}" ]; then 
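Review bot: The agent-side warning in ossec_hids_check keeps a grammar slip while the line is being rewritten anyway: `echo "WARNING: There are is no client key imported - connection to server not possible."` should read `echo "WARNING: There is no client key imported - connection to server not possible."`. As far as this hunk shows, neither the server nor the agent branch returns non-zero, so an installation with no key still starts; a comment above the case such as `# Advisory only: a missing key disables remote communication but is not a startup error` would tell the next reader that the absence of a `return 1` is intentional. The end of ossec_hids_check lies outside the hunk.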
@@ -132,10 +137,6 @@ ossec_hids_create_configs() { fi fi ;; - agent) - # Touch agent.conf so the agent daemons won't complain if it doesn't exist - ossec_hids_create_file "${agent_conf}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0644 - ;; esac if [ -x "${ossec_conf_bin}" ]; then @@ -149,30 +150,15 @@ ossec_hids_create_configs() { return 0 } -ossec_hids_create_logs() { - # Create required log files if they don't exist - ossec_hids_create_file "${ossec_log}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0660 - ossec_hids_create_file "${ossec_ar_log}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0660 - - return 0 -} - ossec_hids_create_env() { # Copy required files from outside of home directory if [ ! -e "${ossec_local_time}" ]; then - echo "Missing \"${ossec_local_time}\". Run command \"tzsetup\"." + echo "ERROR: Missing \"${ossec_local_time}\". Run command \"tzsetup\"." + echo return 1 fi install -o %%USER%% -g %%OSSEC_GROUP%% -m 0440 "${ossec_local_time}" "${ossec_home}${ossec_local_time}" - # Install missing files - case ${ossec_type} in - server) - ossec_hids_create_file "${ossec_fts_queue}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0640 - ossec_hids_create_file "${ossec_ig_queue}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0640 - ;; - esac - return 0 } 
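Review bot: In ossec_hids_create_env the copy of /etc/localtime is still followed by an unconditional `return 0`, so a failed `install` (target directory missing, not writable, or a bad owner substitution) is silently ignored and startup proceeds, while the missing-file case just above it now returns 1 with an ERROR line. Make the two failure paths consistent with `install -o %%USER%% -g %%OSSEC_GROUP%% -m 0440 "${ossec_local_time}" "${ossec_home}${ossec_local_time}" || return 1`. That unchanged line also uses the `%%USER%%` placeholder where every other ownership in this file uses `%%OSSEC_USER%%`; I cannot tell from the diff whether the two expand differently, so please confirm the intended owner of the copied zoneinfo. With ossec_hids_create_logs and the fts-queue/ig-queue creation gone, a one-line comment near the top of ossec_hids_create_env such as `# Log and queue files are now expected to be created by the port install or the daemons themselves` would record where that responsibility moved.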
@@ -181,33 +167,86 @@ ossec_hids_clean() { rm -f "${ossec_merged}" fi - if checkyesno ossec_hids_clear_log; then + if checkyesno ossec_hids_clear_log && [ -e "${ossec_log}" ]; then echo -n > "${ossec_log}" fi - if checkyesno ossec_hids_clear_ar_log; then + if checkyesno ossec_hids_clear_ar_log && [ -e "${ossec_ar_log}" ]; then echo -n > "${ossec_ar_log}" fi return 0 } -ossec_hids_fetch_configs() { +ossec_hids_reset_counter() { + case ${ossec_type} in + local) + echo "ERROR: Counters are only available for agent and server installations." + echo + return 1 + ;; + *) + ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo + agent_ids=`${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'` + agent_counter=0 + for agent_id in ${agent_ids}; do + rm -f "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) + done + echo "Removed ${agent_counter} counter(s)." + echo + ;; + esac + + return 0 +} + +ossec_hids_fetch_config() { case ${ossec_type} in agent) + ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo rm -f "${ossec_merged}" - ossec_hids_command stop - sleep 1 - ossec_hids_command start - echo "Waiting ${ossec_hids_fetch_time} seconds for the shared configuration to be downloaded from the OSSEC server" - sleep ${ossec_hids_fetch_time} + ossec_hids_command start || return 1 + echo + echo "Waiting ${ossec_hids_fetch_connect_time} seconds for the shared configuration download to start." + sleep ${ossec_hids_fetch_connect_time} if [ ! -s "${ossec_merged}" ]; then - echo "Failed to download shared configuration from the OSSEC server" + echo "ERROR: Failed to download shared configuration from the OSSEC server." 
+ echo + ossec_log_tail=$(tail "${ossec_log}") + echo "Portion of the \"${ossec_log}\":" + echo "${ossec_log_tail}" + echo + if echo "${ossec_log_tail}" | grep -q "ERROR: Unable to send message to"; then + echo "Check if your configuration contains the correct server address in \"server-ip\" option." + echo + fi + if echo "${ossec_log_tail}" | grep -q "ERROR: Incorrectly formatted message from"; then + echo "If you are certain the imported agent key is correct then execute command:" + echo "$(realpath $0) reset_counter" + echo "and fetch config again:" + echo "$(realpath $0) fetch_config" + echo + fi return 1 + else + # The download has started + while true; do + current_time=$(date +%s) + modification_time=$(stat -f %m "${ossec_merged}") + if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then + echo "Download finished." + echo + break; + else + echo "Download in progress..." + sleep 10 + fi + done fi ;; *) - echo "Shared configuration is only available for agent installations" + echo "ERROR: Shared configuration is only available for agent installations." + echo return 1 ;; esac @@ -218,23 +257,28 @@ ossec_hids_fetch_configs() { ossec_hids_prepare() { case ${rc_arg} in start|restart) - ossec_hids_create_logs && \ ossec_hids_create_env && \ - ossec_hids_create_configs && \ + ossec_hids_create_config && \ + ossec_hids_clean && \ + ossec_hids_check || return 1 + ;; + reset_counter) + ossec_hids_create_env && \ + ossec_hids_create_config && \ ossec_hids_clean && \ + ossec_hids_reset_counter && \ ossec_hids_check || return 1 ;; fetch_config) - ossec_hids_create_logs && \ ossec_hids_create_env && \ - ossec_hids_create_configs && \ + ossec_hids_create_config && \ ossec_hids_clean && \ - ossec_hids_fetch_configs && \ + ossec_hids_fetch_config && \ ossec_hids_check || return 1 ;; reload) ossec_hids_create_env && \ - ossec_hids_create_configs || return 1 + ossec_hids_create_config || return 1 ;; esac 
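Review bot: In ossec_hids_reset_counter, and in the same pattern in ossec_hids_fetch_config, the guard `ossec_hids_command status > /dev/null && ossec_hids_command stop && sleep 2 && echo` does not abort when stop fails: the chain just short-circuits and the function goes on to delete every file under `${ossec_home}/queue/rids/` while ossec-remoted or ossec-agentd may still be running, then returns 0 so rc proceeds to `start`. Replace the chain in both functions with `if ossec_hids_command status > /dev/null; then ossec_hids_command stop || return 1; sleep 2; echo; fi`. Those rids files are, as far as I can tell, OSSEC's per-agent message counters used to reject replayed or out-of-sequence messages, and the loop wipes them for every agent that manage_agents lists rather than for the one that is out of sync; a comment above the loop such as `# Resets the anti-replay counters for all agents; they are rebuilt on the next successful exchange, so run this only when the agent key is known to be correct` would make the trade-off explicit, and an optional agent-id argument would narrow the blast radius. The `sed -En ... [[:digit:]]+` extraction restricts agent_id to digits, so the rm path cannot escape the rids directory, which is worth keeping exactly as written. Finally, the progress loop sleeps a hard-coded 10 seconds between checks, so any ossec_hids_fetch_read_time below 10 never changes behaviour; either `sleep ${ossec_hids_fetch_read_time}` there or document the floor in the header comment.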
diff --git a/security/ossec-hids-local/files/patch-active-response_host-deny.sh b/security/ossec-hids-local/files/patch-active-response_host-deny.sh deleted file mode 100644 index aff6243..0000000 --- a/security/ossec-hids-local/files/patch-active-response_host-deny.sh +++ /dev/null @@ -1,15 +0,0 @@ ---- active-response/host-deny.sh.orig 2018-06-26 12:15:38 UTC -+++ active-response/host-deny.sh -@@ -126,10 +126,10 @@ if [ "x${ACTION}" = "xadd" ]; then - # Deleting from hosts.deny - elif [ "x${ACTION}" = "xdelete" ]; then - lock; -- TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX` -+ TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX` - if [ "X${TMP_FILE}" = "X" ]; then - # Cheap fake tmpfile, but should be harder then no random data -- TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `" -+ TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `" - fi - echo "${IP}" | grep "\:" > /dev/null 2>&1 - if [ $? = 0 ]; then diff --git a/security/ossec-hids-local/files/patch-src_Makefile b/security/ossec-hids-local/files/patch-src_Makefile index 06cd53c..18a9290 100644 --- a/security/ossec-hids-local/files/patch-src_Makefile +++ b/security/ossec-hids-local/files/patch-src_Makefile @@ -1,6 +1,6 @@ ---- src/Makefile.orig 2018-06-26 12:15:38 UTC +--- src/Makefile.orig 2018-10-11 22:25:16 UTC +++ src/Makefile -@@ -397,7 +397,6 @@ endif +@@ -406,7 +406,6 @@ endif install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/diff install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc 
@@ -8,12 +8,3 @@ install -d -m 1550 -o root -g ${OSSEC_GROUP} ${PREFIX}/tmp -@@ -425,7 +424,7 @@ endif - endif - - install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc/shared -- install -m 0640 -o ossec -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/ -+ install -m 0640 -o ${OSSEC_USER} -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/ - - install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response - install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response/bin diff --git a/security/ossec-hids-local/files/patch-src_init_adduser.sh b/security/ossec-hids-local/files/patch-src_init_adduser.sh deleted file mode 100644 index 21c0d0b..0000000 --- a/security/ossec-hids-local/files/patch-src_init_adduser.sh +++ /dev/null @@ -1,11 +0,0 @@ ---- src/init/adduser.sh.orig 2018-06-26 12:15:38 UTC -+++ src/init/adduser.sh -@@ -69,7 +69,7 @@ else - fi - - if [ -x /usr/bin/getent ]; then -- if [ `getent group ossec | wc -l` -lt 1 ]; then -+ if [ `getent group "${GROUP}" | wc -l` -lt 1 ]; then - ${GROUPADD} "${GROUP}" - fi - elif ! grep "^${GROUP}" /etc/group > /dev/null 2>&1; then diff --git a/security/ossec-hids-local/files/patch-src_os__net_os__net.c b/security/ossec-hids-local/files/patch-src_os__net_os__net.c deleted file mode 100644 index fe99e5c..0000000 --- a/security/ossec-hids-local/files/patch-src_os__net_os__net.c +++ /dev/null 
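Review bot: The hunk that changed `install -m 0640 -o ossec -g ${OSSEC_GROUP} rootcheck/db/*.txt` to `-o ${OSSEC_USER}` is dropped from patch-src_Makefile, so the port now relies on the re-based upstream src/Makefile (2018-10-11 revision) already using `${OSSEC_USER}` on that line; if upstream still hard-codes `ossec`, the rootcheck database files end up owned by a user that may not exist when OSSEC_USER differs, and install either fails or leaves files the daemon cannot read. I cannot verify the upstream line from this diff, so please confirm it before committing and consider a short note in the port (for example in the Makefile next to the patch list) recording why the hunk was removed.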
@@ -1,24 +0,0 @@ ---- src/os_net/os_net.c.orig 2017-12-19 21:30:31 UTC -+++ src/os_net/os_net.c -@@ -48,16 +48,16 @@ int OS_Bindport(char *_port, unsigned in - - - memset(&hints, 0, sizeof(struct addrinfo)); --#ifdef AI_V4MAPPED -- hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */ -- hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED; --#else -+//#ifdef AI_V4MAPPED -+// hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */ -+// hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED; -+//#else - /* Certain *BSD OS (eg. OpenBSD) do not allow binding to a - single-socket for both IPv4 and IPv6 per RFC 3493. This will - allow one or the other based on _ip. */ - hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ - hints.ai_flags = AI_PASSIVE; --#endif -+//#endif - hints.ai_protocol = _proto; - if (_proto == IPPROTO_UDP) { - hints.ai_socktype = SOCK_DGRAM; diff --git a/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt b/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt deleted file mode 100644 index 424c10e..0000000 --- a/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt +++ /dev/null @@ -1,11 +0,0 @@ ---- src/rootcheck/db/system_audit_rcl.txt.orig 2017-12-19 21:30:31 UTC -+++ src/rootcheck/db/system_audit_rcl.txt -@@ -25,7 +25,7 @@ - # Multiple patterns can be specified by using " && " between them. - # (All of them must match for it to return true). - --$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini; -+$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini; - $web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www; - - # PHP checks |