diff options
Diffstat (limited to 'security/ossec-hids-local/files')
13 files changed, 449 insertions, 0 deletions
diff --git a/security/ossec-hids-local/files/message-config.in b/security/ossec-hids-local/files/message-config.in new file mode 100644 index 0000000..f3a13b3 --- /dev/null +++ b/security/ossec-hids-local/files/message-config.in @@ -0,0 +1,2 @@ +Consider installing "%%CATEGORY%%/%%PORTNAME%%-%%OSSEC_TYPE%%-config" to ease +OSSEC configuration. diff --git a/security/ossec-hids-local/files/message-database.in b/security/ossec-hids-local/files/message-database.in new file mode 100644 index 0000000..6115a16 --- /dev/null +++ b/security/ossec-hids-local/files/message-database.in @@ -0,0 +1,8 @@ +The database schema file: +%%DB_SCHEMA%% + +To enable database output execute: +# %%OSSEC_HOME%%/bin/ossec-control enable database + +For further steps see the documentation: +https://www.ossec.net/docs/syntax/head_ossec_config.database_output.html diff --git a/security/ossec-hids-local/files/message-firewall.in b/security/ossec-hids-local/files/message-firewall.in new file mode 100644 index 0000000..9e066e6 --- /dev/null +++ b/security/ossec-hids-local/files/message-firewall.in @@ -0,0 +1,12 @@ +If you intend to use "firewall-drop" active response on this OSSEC instance +create the script: +%%OSSEC_HOME%%/active-response/bin/firewall-drop.sh + +You can copy or hard link (symbolic link is not supported) one of the scripts +already provided by OSSEC: +%%OSSEC_HOME%%/active-response/bin/ipfilter.sh +%%OSSEC_HOME%%/active-response/bin/ipfw.sh +%%OSSEC_HOME%%/active-response/bin/pf.sh + +For further steps see the documentation: +https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html diff --git a/security/ossec-hids-local/files/message-header.in b/security/ossec-hids-local/files/message-header.in new file mode 100644 index 0000000..d05e6d8 --- /dev/null +++ b/security/ossec-hids-local/files/message-header.in @@ -0,0 +1,10 @@ +All the files related to OSSEC have been installed in: +%%OSSEC_HOME%% + +You need to create main configuration file: +%%OSSEC_HOME%%/etc/ossec.conf + +For information on proper configuration see: +https://www.ossec.net/docs/syntax/ossec_config.html + +To enable the startup script add ossec_hids_enable="YES" to /etc/rc.conf. diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in new file mode 100644 index 0000000..08efa1d --- /dev/null +++ b/security/ossec-hids-local/files/ossec-hids.in @@ -0,0 +1,264 @@ +#!/bin/sh +# +# PROVIDE: ossec_hids +# REQUIRE: DAEMON +# BEFORE: LOGIN +# KEYWORD: shutdown + +# ossec_hids_enable (bool): Set it to YES to enable %%PORTNAME%%. +# Default: NO +# ossec_hids_clear_log (bool): Set it to YES to clear ossec.log before %%PORTNAME%% startup. +# Default: NO +# ossec_hids_clear_ar_log (bool): Set it to YES to clear active-responses.log before %%PORTNAME%% startup. +# Default: NO +# ossec_hids_fetch_time (int): Time in seconds to wait for the shared configuration to be downloaded from the server. +# Used only by agent installation. +# Default: 60 + +. /etc/rc.subr + +name="ossec_hids" +rcvar=ossec_hids_enable + +load_rc_config $name + +: ${ossec_hids_enable="NO"} +: ${ossec_hids_clear_log="NO"} +: ${ossec_hids_clear_ar_log="NO"} +: ${ossec_hids_fetch_time=60} + +ossec_type="%%OSSEC_TYPE%%" +ossec_home="%%OSSEC_HOME%%" + +ossec_conf="${ossec_home}/etc/ossec.conf" +ossec_conf_dir="${ossec_home}/etc/ossec.conf.d" +ossec_conf_bin="${ossec_home}/bin/config/ossec-conf" + +agent_conf="${ossec_home}/etc/shared/agent.conf" +agent_conf_dir="${ossec_home}/etc/agent.conf.d" +agent_conf_bin="${ossec_home}/bin/config/agent-conf" + +ossec_client_keys="${ossec_home}/etc/client.keys" +ossec_ar_tmp="${ossec_home}/active-response" +ossec_log="${ossec_home}/logs/ossec.log" +ossec_ar_log="${ossec_home}/logs/active-responses.log" +ossec_merged="${ossec_home}/etc/shared/merged.mg" + +ossec_local_time="/etc/localtime" + +ossec_fts_queue="${ossec_home}/queue/fts/fts-queue" +ossec_ig_queue="${ossec_home}/queue/fts/ig-queue" + +extra_commands="reload ossec_conf" +case ${ossec_type} in + server) + extra_commands="${extra_commands} agent_conf" + ;; + agent) + extra_commands="${extra_commands} fetch_config" + ;; +esac +if [ -x "${ossec_conf_bin}" ]; then + extra_commands="${extra_commands} merge_config" +fi + +start_cmd="ossec_hids_command start" +stop_cmd="ossec_hids_command stop" +restart_cmd="ossec_hids_command restart" +status_cmd="ossec_hids_command status" +reload_cmd="ossec_hids_command reload" +fetch_config_cmd="ossec_hids_command restart" +merge_config_cmd="ossec_hids_create_configs force" +ossec_conf_cmd="ossec_hids_ossec_conf" +agent_conf_cmd="ossec_hids_agent_conf" + +start_precmd="ossec_hids_prepare" +restart_precmd="ossec_hids_prepare" +reload_precmd="ossec_hids_prepare" +fetch_config_precmd="ossec_hids_prepare" + +ossec_hids_create_file() { + local path=$1 + local owner=$2 + local mode=$3 + + if [ ! -e "${path}" ]; then + touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}" + fi +} + +ossec_hids_check() { + case ${ossec_type} in + server) + if [ ! -s "${ossec_client_keys}" ]; then + echo "WARNING: There are no client keys created - remote connections will be disabled" + fi + ;; + agent) + if [ ! -s "${ossec_client_keys}" ]; then + echo "WARNING: There are is no client key imported - connection to server not possible" + fi + ;; + esac + + return 0 +} + +ossec_hids_config_is_outdated() { + dst_file="$1" + src_dir="$2" + + if [ ! -e "${dst_file}" ]; then + return 0 + fi + + for src_file in $(find "${src_dir}" -maxdepth 1 -type f -name "*.conf"); do + if [ "${src_file}" -nt "${dst_file}" ]; then + return 0 + fi + done + + return 1 +} + +ossec_hids_create_configs() { + case ${ossec_type} in + server) + if [ -x "${agent_conf_bin}" ]; then + # Merge agent.conf.d files into agent.conf + if [ "$1" == "force" ] || ossec_hids_config_is_outdated "${agent_conf}" "${agent_conf_dir}"; then + ossec_hids_create_file "${agent_conf}" %%USER%%:%%OSSEC_GROUP%% 0640 + "${agent_conf_bin}" > "${agent_conf}" + fi + fi + ;; + agent) + # Touch agent.conf so the agent daemons won't complain if it doesn't exist + ossec_hids_create_file "${agent_conf}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0644 + ;; + esac + + if [ -x "${ossec_conf_bin}" ]; then + # Merge ossec.conf.d files into ossec.conf + if [ "$1" == "force" ] || ossec_hids_config_is_outdated "${ossec_conf}" "${ossec_conf_dir}"; then + ossec_hids_create_file "${ossec_conf}" %%USER%%:%%OSSEC_GROUP%% 0640 + "${ossec_conf_bin}" > "${ossec_conf}" + fi + fi + + return 0 +} + +ossec_hids_create_logs() { + # Create required log files if they don't exist + ossec_hids_create_file "${ossec_log}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0660 + ossec_hids_create_file "${ossec_ar_log}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0660 + + return 0 +} + +ossec_hids_create_env() { + # Copy required files from outside of home directory + if [ ! -e "${ossec_local_time}" ]; then + echo "Missing \"${ossec_local_time}\". Run command \"tzsetup\"." + return 1 + fi + install -o %%USER%% -g %%OSSEC_GROUP%% -m 0440 "${ossec_local_time}" "${ossec_home}${ossec_local_time}" + + # Install missing files + case ${ossec_type} in + server) + ossec_hids_create_file "${ossec_fts_queue}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0640 + ossec_hids_create_file "${ossec_ig_queue}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0640 + ;; + esac + + return 0 +} + +ossec_hids_clean() { + if [ "${ossec_type}" == "server" ]; then + rm -f "${ossec_merged}" + fi + + if checkyesno ossec_hids_clear_log; then + echo -n > "${ossec_log}" + fi + + if checkyesno ossec_hids_clear_ar_log; then + echo -n > "${ossec_ar_log}" + fi + + return 0 +} + +ossec_hids_fetch_configs() { + case ${ossec_type} in + agent) + rm -f "${ossec_merged}" + ossec_hids_command stop + sleep 1 + ossec_hids_command start + echo "Waiting ${ossec_hids_fetch_time} seconds for the shared configuration to be downloaded from the OSSEC server" + sleep ${ossec_hids_fetch_time} + if [ ! -s "${ossec_merged}" ]; then + echo "Failed to download shared configuration from the OSSEC server" + return 1 + fi + ;; + *) + echo "Shared configuration is only available for agent installations" + return 1 + ;; + esac + + return 0 +} + +ossec_hids_prepare() { + case ${rc_arg} in + start|restart) + ossec_hids_create_logs && \ + ossec_hids_create_env && \ + ossec_hids_create_configs && \ + ossec_hids_clean && \ + ossec_hids_check || return 1 + ;; + fetch_config) + ossec_hids_create_logs && \ + ossec_hids_create_env && \ + ossec_hids_create_configs && \ + ossec_hids_clean && \ + ossec_hids_fetch_configs && \ + ossec_hids_check || return 1 + ;; + reload) + ossec_hids_create_env && \ + ossec_hids_create_configs || return 1 + ;; + esac + + return 0 +} + +ossec_hids_ossec_conf() { + if [ -x "${ossec_conf_bin}" ]; then + "${ossec_conf_bin}" + elif [ -f "${ossec_conf}" ]; then + cat "${ossec_conf}" + fi +} + +ossec_hids_agent_conf() { + if [ -x "${agent_conf_bin}" ]; then + "${agent_conf_bin}" + elif [ -f "${agent_conf}" ]; then + cat "${agent_conf}" + fi +} + +ossec_hids_command() { + "${ossec_home}/bin/ossec-control" "$1" +} + +run_rc_command "$1" diff --git a/security/ossec-hids-local/files/patch-active-response_host-deny.sh b/security/ossec-hids-local/files/patch-active-response_host-deny.sh new file mode 100644 index 0000000..aff6243 --- /dev/null +++ b/security/ossec-hids-local/files/patch-active-response_host-deny.sh @@ -0,0 +1,15 @@ +--- active-response/host-deny.sh.orig 2018-06-26 12:15:38 UTC ++++ active-response/host-deny.sh +@@ -126,10 +126,10 @@ if [ "x${ACTION}" = "xadd" ]; then + # Deleting from hosts.deny + elif [ "x${ACTION}" = "xdelete" ]; then + lock; +- TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX` ++ TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX` + if [ "X${TMP_FILE}" = "X" ]; then + # Cheap fake tmpfile, but should be harder then no random data +- TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `" ++ TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `" + fi + echo "${IP}" | grep "\:" > /dev/null 2>&1 + if [ $? = 0 ]; then diff --git a/security/ossec-hids-local/files/patch-src_Makefile b/security/ossec-hids-local/files/patch-src_Makefile new file mode 100644 index 0000000..06cd53c --- /dev/null +++ b/security/ossec-hids-local/files/patch-src_Makefile @@ -0,0 +1,19 @@ +--- src/Makefile.orig 2018-06-26 12:15:38 UTC ++++ src/Makefile +@@ -397,7 +397,6 @@ endif + install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/diff + + install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc +- install -m 0440 -o root -g ${OSSEC_GROUP} /etc/localtime ${PREFIX}/etc + + install -d -m 1550 -o root -g ${OSSEC_GROUP} ${PREFIX}/tmp + +@@ -425,7 +424,7 @@ endif + endif + + install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc/shared +- install -m 0640 -o ossec -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/ ++ install -m 0640 -o ${OSSEC_USER} -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/ + + install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response + install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response/bin diff --git a/security/ossec-hids-local/files/patch-src_init_adduser.sh b/security/ossec-hids-local/files/patch-src_init_adduser.sh new file mode 100644 index 0000000..21c0d0b --- /dev/null +++ b/security/ossec-hids-local/files/patch-src_init_adduser.sh @@ -0,0 +1,11 @@ +--- src/init/adduser.sh.orig 2018-06-26 12:15:38 UTC ++++ src/init/adduser.sh +@@ -69,7 +69,7 @@ else + fi + + if [ -x /usr/bin/getent ]; then +- if [ `getent group ossec | wc -l` -lt 1 ]; then ++ if [ `getent group "${GROUP}" | wc -l` -lt 1 ]; then + ${GROUPADD} "${GROUP}" + fi + elif ! grep "^${GROUP}" /etc/group > /dev/null 2>&1; then diff --git a/security/ossec-hids-local/files/patch-src_os__net_os__net.c b/security/ossec-hids-local/files/patch-src_os__net_os__net.c new file mode 100644 index 0000000..fe99e5c --- /dev/null +++ b/security/ossec-hids-local/files/patch-src_os__net_os__net.c @@ -0,0 +1,24 @@ +--- src/os_net/os_net.c.orig 2017-12-19 21:30:31 UTC ++++ src/os_net/os_net.c +@@ -48,16 +48,16 @@ int OS_Bindport(char *_port, unsigned in + + + memset(&hints, 0, sizeof(struct addrinfo)); +-#ifdef AI_V4MAPPED +- hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */ +- hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED; +-#else ++//#ifdef AI_V4MAPPED ++// hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */ ++// hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED; ++//#else + /* Certain *BSD OS (eg. OpenBSD) do not allow binding to a + single-socket for both IPv4 and IPv6 per RFC 3493. This will + allow one or the other based on _ip. */ + hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ + hints.ai_flags = AI_PASSIVE; +-#endif ++//#endif + hints.ai_protocol = _proto; + if (_proto == IPPROTO_UDP) { + hints.ai_socktype = SOCK_DGRAM; diff --git a/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt b/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt new file mode 100644 index 0000000..424c10e --- /dev/null +++ b/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt @@ -0,0 +1,11 @@ +--- src/rootcheck/db/system_audit_rcl.txt.orig 2017-12-19 21:30:31 UTC ++++ src/rootcheck/db/system_audit_rcl.txt +@@ -25,7 +25,7 @@ + # Multiple patterns can be specified by using " && " between them. + # (All of them must match for it to return true). + +-$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini; ++$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini; + $web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www; + + # PHP checks diff --git a/security/ossec-hids-local/files/pkg-deinstall.in b/security/ossec-hids-local/files/pkg-deinstall.in new file mode 100644 index 0000000..d081d40 --- /dev/null +++ b/security/ossec-hids-local/files/pkg-deinstall.in @@ -0,0 +1,18 @@ +#!/bin/sh + +ossec_home="%%OSSEC_HOME%%" +ar_conf="${ossec_home}/etc/shared/ar.conf" +merged_mg="${ossec_home}/etc/shared/merged.mg" +client_keys="${ossec_home}/etc/client.keys" +firewall_drop="${ossec_home}/active-response/bin/firewall-drop.sh" +local_time="${ossec_home}/etc/localtime" + +if [ "$2" == "DEINSTALL" ]; then + rm -f "${ar_conf}" + rm -f "${merged_mg}" + if [ ! -s "${client_keys}" ]; then + rm -f "${client_keys}" + fi + rm -f "${firewall_drop}" + rm -f "${local_time}" +fi diff --git a/security/ossec-hids-local/files/pkg-install.in b/security/ossec-hids-local/files/pkg-install.in new file mode 100644 index 0000000..d819e70 --- /dev/null +++ b/security/ossec-hids-local/files/pkg-install.in @@ -0,0 +1,23 @@ +#!/bin/sh + +ossec_home="%%OSSEC_HOME%%" +client_keys="${ossec_home}/etc/client.keys" + +create_file() { + local path=$1 + local owner=$2 + local mode=$3 + + if [ ! -e "${path}" ]; then + touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}" + fi +} + +if [ "$2" == "POST-INSTALL" ]; then + pw usermod %%OSSEC_USER%% -d "${ossec_home}" + pw usermod ossecm -d "${ossec_home}" + pw usermod ossecr -d "${ossec_home}" + chown %%USER%%:%%OSSEC_GROUP%% "${ossec_home}" + + create_file "${client_keys}" root:ossec 0640 +fi diff --git a/security/ossec-hids-local/files/restart-ossec.sh.in b/security/ossec-hids-local/files/restart-ossec.sh.in new file mode 100644 index 0000000..9b8a649 --- /dev/null +++ b/security/ossec-hids-local/files/restart-ossec.sh.in @@ -0,0 +1,32 @@ +#!/bin/sh + +# This script is part of FreeBSD port - report any issues to the port MAINTAINER + +ossec_type="%%OSSEC_TYPE%%" +ossec_home="%%OSSEC_HOME%%" +ossec_rc="%%OSSEC_RC%%" + +ACTION=$1 +USER=$2 +IP=$3 + +LOCAL=`dirname $0`; +cd $LOCAL +cd ../../tmp + +# Logging the call +echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log" + +case ${ACTION} in + add) + "${ossec_rc}" restart + exit 0 + ;; + delete) + exit 0 + ;; + *) + echo "$0: invalid action: ${ACTION}" + exit 1 + ;; +esac |