Diffstat (limited to 'security/ossec-hids-local')
20 files changed, 1264 insertions, 0 deletions
diff --git a/security/ossec-hids-local/Makefile b/security/ossec-hids-local/Makefile
new file mode 100644
index 0000000..2cc888e
--- /dev/null
+++ b/security/ossec-hids-local/Makefile
@@ -0,0 +1,247 @@
+# $FreeBSD$
+
+PORTNAME= ossec-hids
+PORTVERSION= 3.0.0
+PORTREVISION=
+CATEGORIES= security
+PKGNAMESUFFIX= -${OSSEC_TYPE}
+
+MAINTAINER= dominik.lisiak@bemsoft.pl
+COMMENT= Security tool to monitor and check logs and intrusions
+
+LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+OSSEC_TYPE?= local
+
+.if ${OSSEC_TYPE} == local
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ ossec-hids-agent-* \
+ ossec-hids-server-*
+.elif ${OSSEC_TYPE} == agent
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ ossec-hids-local-* \
+ ossec-hids-server-*
+.elif ${OSSEC_TYPE} == server
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ ossec-hids-agent-* \
+ ossec-hids-local-*
+.endif
+
+.if ${OSSEC_TYPE} != agent
+RUN_DEPENDS= expect:lang/expect
+.endif
+
+GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP
+INOTIFY_LIB_DEPENDS= libinotify.so:devel/libinotify
+PRELUDE_LIB_DEPENDS= libprelude.so:security/libprelude
+ZEROMQ_LIB_DEPENDS= libczmq.so:net/czmq
+
+USES= gmake readline ssl
+MYSQL_USE= mysql
+PGSQL_USES= pgsql
+
+USE_GITHUB= yes
+GH_ACCOUNT= ossec
+USE_RC_SUBR= ossec-hids
+
+.if ${OSSEC_TYPE} != agent
+USES+= shebangfix
+SHEBANG_LANG= expect
+expect_OLD_CMD= "/usr/bin/env expect"
+expect_CMD= ${LOCALBASE}/bin/expect
+SHEBANG_FILES= src/agentlessd/scripts/main.exp \
+ src/agentlessd/scripts/ssh.exp \
+ src/agentlessd/scripts/ssh_asa-fwsmconfig_diff \
+ src/agentlessd/scripts/ssh_foundry_diff \
+ src/agentlessd/scripts/ssh_generic_diff \
+ src/agentlessd/scripts/ssh_integrity_check_bsd \
+ src/agentlessd/scripts/ssh_integrity_check_linux \
+ src/agentlessd/scripts/ssh_nopass.exp \
+ src/agentlessd/scripts/ssh_pixconfig_diff \
+ src/agentlessd/scripts/sshlogin.exp \
+ src/agentlessd/scripts/su.exp
+.endif
+
+OPTIONS_SUB= yes
+OPTIONS_DEFINE= DOCS INOTIFY
+
+.if ${OSSEC_TYPE} != agent
+OPTIONS_DEFINE+= GEOIP PRELUDE ZEROMQ
+
+OPTIONS_RADIO= DATABASE
+OPTIONS_RADIO_DATABASE= MYSQL PGSQL
+.endif
+
+OPTIONS_DEFAULT= INOTIFY
+
+INOTIFY_DESC= Kevent based real time monitoring
+PRELUDE_DESC= Sensor support from Prelude SIEM
+ZEROMQ_DESC= ZeroMQ support (experimental)
+DATABASE_DESC= Database output
+
+GEOIP_VARS= OSSEC_ARGS+=USE_GEOIP=yes
+INOTIFY_VARS= OSSEC_ARGS+=USE_INOTIFY=yes
+PRELUDE_VARS= OSSEC_ARGS+=USE_PRELUDE=yes
+ZEROMQ_VARS= OSSEC_ARGS+=USE_ZEROMQ=yes
+MYSQL_VARS= OSSEC_ARGS+=DATABASE=mysql PKGMSG_FILES+=message-database DB_TYPE=mysql DB_SCHEMA=mysql.schema
+PGSQL_VARS= OSSEC_ARGS+=DATABASE=pgsql PKGMSG_FILES+=message-database DB_TYPE=postgresql DB_SCHEMA=postgresql.schema
+
+OSSEC_ARGS+= TARGET=${OSSEC_TYPE}
+.if ${OSSEC_TYPE} == agent
+STRIP_FILES= agent-auth \
+ manage_agents \
+ ossec-agentd \
+ ossec-execd \
+ ossec-logcollector \
+ ossec-lua \
+ ossec-luac \
+ ossec-syscheckd
+.else
+STRIP_FILES= agent_control \
+ clear_stats \
+ list_agents \
+ manage_agents \
+ ossec-agentlessd \
+ ossec-analysisd \
+ ossec-authd \
+ ossec-csyslogd \
+ ossec-dbd \
+ ossec-execd \
+ ossec-logcollector \
+ ossec-logtest \
+ ossec-lua \
+ ossec-luac \
+ ossec-maild \
+ ossec-makelists \
+ ossec-monitord \
+ ossec-regex \
+ ossec-remoted \
+ ossec-reportd \
+ ossec-syscheckd \
+ rootcheck_control \
+ syscheck_control \
+ syscheck_update \
+ verify-agent-conf
+.endif
+.if defined(MAINTAINER_MODE)
+OSSEC_HOME= ${PREFIX}/${PORTNAME}
+.else
+OSSEC_HOME?= ${PREFIX}/${PORTNAME}
+.endif
+OSSEC_RC= ${PREFIX}/etc/rc.d/ossec-hids
+FIREWALL_DROP_BIN= ${OSSEC_HOME}/active-response/bin/firewall-drop.sh
+IPFILTER_BIN= ${OSSEC_HOME}/active-response/bin/ipfilter.sh
+RESTART_OSSEC_BIN= ${OSSEC_HOME}/active-response/bin/restart-ossec.sh
+SHARED_DIR= ${OSSEC_HOME}/etc/shared
+INTERNAL_OPTS_CONF= ${OSSEC_HOME}/etc/local_internal_options.conf
+
+.if empty(USER)
+USER=$$(${ID} -un)
+.endif
+.if empty(GROUP)
+GROUP=$$(${ID} -gn)
+.endif
+
+.if !defined(MAINTAINER_MODE)
+USER_ARGS+= OSSEC_GROUP=${GROUP} \
+ OSSEC_USER=${USER} \
+ OSSEC_USER_MAIL=${USER} \
+ OSSEC_USER_REM=${USER}
+.endif
+OSSEC_USER= ossec
+OSSEC_GROUP= ossec
+USERS= ${OSSEC_USER} ossecm ossecr
+GROUPS= ${OSSEC_GROUP}
+
+SUB_LIST+= PORTNAME=${PORTNAME} \
+ CATEGORY=${CATEGORIES:[1]} \
+ OSSEC_TYPE=${OSSEC_TYPE} \
+ OSSEC_HOME=${OSSEC_HOME} \
+ VERSION=${PORTVERSION} \
+ DB_TYPE=${DB_TYPE} \
+ DB_SCHEMA=${DOCSDIR}/${DB_SCHEMA} \
+ USER=${USER} \
+ OSSEC_USER=${OSSEC_USER} \
+ OSSEC_GROUP=${OSSEC_GROUP} \
+ OSSEC_RC=${OSSEC_RC}
+SUB_FILES= pkg-install \
+ pkg-deinstall \
+ ${PKGMSG_FILES} \
+ restart-ossec.sh
+
+.if defined(MAINTAINER_MODE)
+PLIST_SUB= OSSEC_HOME=${PORTNAME}
+.else
+PLIST_SUB= OSSEC_HOME=${OSSEC_HOME}
+.endif
+PLIST= ${PKGDIR}/pkg-plist-${OSSEC_TYPE}
+DOCSFILES= BUGS CHANGELOG CONTRIBUTORS LICENSE README.md SUPPORT.md
+PKGHELP= ${PKGDIR}/pkg-help-${OSSEC_TYPE}
+PKGMESSAGE= ${WRKDIR}/pkg-message
+PKGMSG_FILES= message-header
+
+CFLAGS+= -I${LOCALBASE}/include
+
+BUILD_ARGS+= ${MAKE_ARGS} ${OSSEC_ARGS} PREFIX=${OSSEC_HOME}
+INSTALL_ARGS+= ${USER_ARGS} ${OSSEC_ARGS} PREFIX=${STAGEDIR}${OSSEC_HOME}
+
+.include <bsd.port.pre.mk>
+
+PKGMSG_FILES+= message-firewall message-config
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|-DLUA_USE_LINUX|& ${CPPFLAGS}|' \
+ -e 's|-lreadline|& ${LDFLAGS}|' \
+ ${WRKSRC}/src/external/lua/src/Makefile
+
+do-build:
+ @cd ${WRKSRC}/src; ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${BUILD_ARGS} build
+
+do-install:
+ @cd ${WRKSRC}/src; ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${INSTALL_ARGS} install
+
+post-install:
+ @${MV} -f ${STAGEDIR}${INTERNAL_OPTS_CONF} ${STAGEDIR}${INTERNAL_OPTS_CONF}.sample
+ @${MV} -f ${STAGEDIR}${FIREWALL_DROP_BIN} ${STAGEDIR}${IPFILTER_BIN}
+ @${CP} -f ${WRKDIR}/restart-ossec.sh ${STAGEDIR}${RESTART_OSSEC_BIN}
+ @${CHMOD} 550 ${STAGEDIR}${RESTART_OSSEC_BIN}
+.if defined(MAINTAINER_MODE)
+ @${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${RESTART_OSSEC_BIN}
+.endif
+
+.if ${OSSEC_TYPE} == agent
+.if defined(MAINTAINER_MODE)
+ @for file_name in $$(find "${STAGEDIR}${SHARED_DIR}" -type f); do ${CHMOD} 0644 $${file_name}; ${CHOWN} ${OSSEC_USER}:${OSSEC_GROUP} $${file_name}; done
+.else
+ @for file_name in $$(find "${STAGEDIR}${SHARED_DIR}" -type f); do ${CHMOD} 0644 $${file_name}; done
+.endif
+.endif
+ @${ECHO_CMD} -n > ${PKGMESSAGE}
+.for file_name in ${PKGMSG_FILES}
+ @${CAT} ${WRKDIR}/${file_name} >> ${PKGMESSAGE}
+ @${ECHO_CMD} >> ${PKGMESSAGE}
+.endfor
+.for file_name in ${STRIP_FILES}
+ @${STRIP_CMD} ${STAGEDIR}${OSSEC_HOME}/bin/${file_name}
+.endfor
+
+.if defined(MAINTAINER_MODE)
+plist: makeplist
+ @${SCRIPTDIR}/plist.sh ${OSSEC_TYPE} ${OSSEC_HOME} ${PLIST} ${WRKDIR} ${STAGEDIR}
+.endif
+
+post-install-DOCS-on:
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ @cd ${WRKSRC} && ${INSTALL_DATA} ${DOCSFILES} ${STAGEDIR}${DOCSDIR}
+ @cd ${WRKSRC} && ${INSTALL_DATA} etc/ossec-${OSSEC_TYPE}.conf ${STAGEDIR}${DOCSDIR}/ossec.conf.sample
+
+post-install-MYSQL-on:
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ @cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/${DB_SCHEMA} ${STAGEDIR}${DOCSDIR}
+
+post-install-PGSQL-on:
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ @cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/${DB_SCHEMA} ${STAGEDIR}${DOCSDIR}
+
+.include <bsd.port.post.mk>
diff --git a/security/ossec-hids-local/distinfo b/security/ossec-hids-local/distinfo
new file mode 100644
index 0000000..bd846f2
--- /dev/null
+++ b/security/ossec-hids-local/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1532285963
+SHA256 (ossec-ossec-hids-3.0.0_GH0.tar.gz) = a271d665ed502b3df4ff055a177159dfc0bc8a69dd44eab1f7c57fe8fff42a98
+SIZE (ossec-ossec-hids-3.0.0_GH0.tar.gz) = 1817324
diff --git a/security/ossec-hids-local/files/message-config.in b/security/ossec-hids-local/files/message-config.in
new file mode 100644
index 0000000..f3a13b3
--- /dev/null
+++ b/security/ossec-hids-local/files/message-config.in
@@ -0,0 +1,2 @@
+Consider installing "%%CATEGORY%%/%%PORTNAME%%-%%OSSEC_TYPE%%-config" to ease
+OSSEC configuration.
diff --git a/security/ossec-hids-local/files/message-database.in b/security/ossec-hids-local/files/message-database.in
new file mode 100644
index 0000000..6115a16
--- /dev/null
+++ b/security/ossec-hids-local/files/message-database.in
@@ -0,0 +1,8 @@
+The database schema file:
+%%DB_SCHEMA%%
+
+To enable database output execute:
+# %%OSSEC_HOME%%/bin/ossec-control enable database
+
+For further steps see the documentation:
+https://www.ossec.net/docs/syntax/head_ossec_config.database_output.html
diff --git a/security/ossec-hids-local/files/message-firewall.in b/security/ossec-hids-local/files/message-firewall.in
new file mode 100644
index 0000000..9e066e6
--- /dev/null
+++ b/security/ossec-hids-local/files/message-firewall.in
@@ -0,0 +1,12 @@
+If you intend to use "firewall-drop" active response on this OSSEC instance
+create the script:
+%%OSSEC_HOME%%/active-response/bin/firewall-drop.sh
+
+You can copy or hard link (symbolic link is not supported) one of the scripts
+already provided by OSSEC:
+%%OSSEC_HOME%%/active-response/bin/ipfilter.sh
+%%OSSEC_HOME%%/active-response/bin/ipfw.sh
+%%OSSEC_HOME%%/active-response/bin/pf.sh
+
+For further steps see the documentation:
+https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html
diff --git a/security/ossec-hids-local/files/message-header.in b/security/ossec-hids-local/files/message-header.in
new file mode 100644
index 0000000..d05e6d8
--- /dev/null
+++ b/security/ossec-hids-local/files/message-header.in
@@ -0,0 +1,10 @@
+All the files related to OSSEC have been installed in:
+%%OSSEC_HOME%%
+
+You need to create main configuration file:
+%%OSSEC_HOME%%/etc/ossec.conf
+
+For information on proper configuration see:
+https://www.ossec.net/docs/syntax/ossec_config.html
+
+To enable the startup script add ossec_hids_enable="YES" to /etc/rc.conf.
diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in
new file mode 100644
index 0000000..08efa1d
--- /dev/null
+++ b/security/ossec-hids-local/files/ossec-hids.in
@@ -0,0 +1,264 @@
+#!/bin/sh
+#
+# PROVIDE: ossec_hids
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# ossec_hids_enable (bool): Set it to YES to enable %%PORTNAME%%.
+# Default: NO
+# ossec_hids_clear_log (bool): Set it to YES to clear ossec.log before %%PORTNAME%% startup.
+# Default: NO
+# ossec_hids_clear_ar_log (bool): Set it to YES to clear active-responses.log before %%PORTNAME%% startup.
+# Default: NO
+# ossec_hids_fetch_time (int): Time in seconds to wait for the shared configuration to be downloaded from the server.
+# Used only by agent installation.
+# Default: 60
+
+. /etc/rc.subr
+
+name="ossec_hids"
+rcvar=ossec_hids_enable
+
+load_rc_config $name
+
+: ${ossec_hids_enable="NO"}
+: ${ossec_hids_clear_log="NO"}
+: ${ossec_hids_clear_ar_log="NO"}
+: ${ossec_hids_fetch_time=60}
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+
+ossec_conf="${ossec_home}/etc/ossec.conf"
+ossec_conf_dir="${ossec_home}/etc/ossec.conf.d"
+ossec_conf_bin="${ossec_home}/bin/config/ossec-conf"
+
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+agent_conf_dir="${ossec_home}/etc/agent.conf.d"
+agent_conf_bin="${ossec_home}/bin/config/agent-conf"
+
+ossec_client_keys="${ossec_home}/etc/client.keys"
+ossec_ar_tmp="${ossec_home}/active-response"
+ossec_log="${ossec_home}/logs/ossec.log"
+ossec_ar_log="${ossec_home}/logs/active-responses.log"
+ossec_merged="${ossec_home}/etc/shared/merged.mg"
+
+ossec_local_time="/etc/localtime"
+
+ossec_fts_queue="${ossec_home}/queue/fts/fts-queue"
+ossec_ig_queue="${ossec_home}/queue/fts/ig-queue"
+
+extra_commands="reload ossec_conf"
+case ${ossec_type} in
+ server)
+ extra_commands="${extra_commands} agent_conf"
+ ;;
+ agent)
+ extra_commands="${extra_commands} fetch_config"
+ ;;
+esac
+if [ -x "${ossec_conf_bin}" ]; then
+ extra_commands="${extra_commands} merge_config"
+fi
+
+start_cmd="ossec_hids_command start"
+stop_cmd="ossec_hids_command stop"
+restart_cmd="ossec_hids_command restart"
+status_cmd="ossec_hids_command status"
+reload_cmd="ossec_hids_command reload"
+fetch_config_cmd="ossec_hids_command restart"
+merge_config_cmd="ossec_hids_create_configs force"
+ossec_conf_cmd="ossec_hids_ossec_conf"
+agent_conf_cmd="ossec_hids_agent_conf"
+
+start_precmd="ossec_hids_prepare"
+restart_precmd="ossec_hids_prepare"
+reload_precmd="ossec_hids_prepare"
+fetch_config_precmd="ossec_hids_prepare"
+
+ossec_hids_create_file() {
+ local path=$1
+ local owner=$2
+ local mode=$3
+
+ if [ ! -e "${path}" ]; then
+ touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}"
+ fi
+}
+
+ossec_hids_check() {
+ case ${ossec_type} in
+ server)
+ if [ ! -s "${ossec_client_keys}" ]; then
+ echo "WARNING: There are no client keys created - remote connections will be disabled"
+ fi
+ ;;
+ agent)
+ if [ ! -s "${ossec_client_keys}" ]; then
+ echo "WARNING: There are is no client key imported - connection to server not possible"
+ fi
+ ;;
+ esac
+
+ return 0
+}
+
+ossec_hids_config_is_outdated() {
+ dst_file="$1"
+ src_dir="$2"
+
+ if [ ! -e "${dst_file}" ]; then
+ return 0
+ fi
+
+ for src_file in $(find "${src_dir}" -maxdepth 1 -type f -name "*.conf"); do
+ if [ "${src_file}" -nt "${dst_file}" ]; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+ossec_hids_create_configs() {
+ case ${ossec_type} in
+ server)
+ if [ -x "${agent_conf_bin}" ]; then
+ # Merge agent.conf.d files into agent.conf
+ if [ "$1" == "force" ] || ossec_hids_config_is_outdated "${agent_conf}" "${agent_conf_dir}"; then
+ ossec_hids_create_file "${agent_conf}" %%USER%%:%%OSSEC_GROUP%% 0640
+ "${agent_conf_bin}" > "${agent_conf}"
+ fi
+ fi
+ ;;
+ agent)
+ # Touch agent.conf so the agent daemons won't complain if it doesn't exist
+ ossec_hids_create_file "${agent_conf}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0644
+ ;;
+ esac
+
+ if [ -x "${ossec_conf_bin}" ]; then
+ # Merge ossec.conf.d files into ossec.conf
+ if [ "$1" == "force" ] || ossec_hids_config_is_outdated "${ossec_conf}" "${ossec_conf_dir}"; then
+ ossec_hids_create_file "${ossec_conf}" %%USER%%:%%OSSEC_GROUP%% 0640
+ "${ossec_conf_bin}" > "${ossec_conf}"
+ fi
+ fi
+
+ return 0
+}
+
+ossec_hids_create_logs() {
+ # Create required log files if they don't exist
+ ossec_hids_create_file "${ossec_log}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0660
+ ossec_hids_create_file "${ossec_ar_log}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0660
+
+ return 0
+}
+
+ossec_hids_create_env() {
+ # Copy required files from outside of home directory
+ if [ ! -e "${ossec_local_time}" ]; then
+ echo "Missing \"${ossec_local_time}\". Run command \"tzsetup\"."
+ return 1
+ fi
+ install -o %%USER%% -g %%OSSEC_GROUP%% -m 0440 "${ossec_local_time}" "${ossec_home}${ossec_local_time}"
+
+ # Install missing files
+ case ${ossec_type} in
+ server)
+ ossec_hids_create_file "${ossec_fts_queue}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0640
+ ossec_hids_create_file "${ossec_ig_queue}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0640
+ ;;
+ esac
+
+ return 0
+}
+
+ossec_hids_clean() {
+ if [ "${ossec_type}" == "server" ]; then
+ rm -f "${ossec_merged}"
+ fi
+
+ if checkyesno ossec_hids_clear_log; then
+ echo -n > "${ossec_log}"
+ fi
+
+ if checkyesno ossec_hids_clear_ar_log; then
+ echo -n > "${ossec_ar_log}"
+ fi
+
+ return 0
+}
+
+ossec_hids_fetch_configs() {
+ case ${ossec_type} in
+ agent)
+ rm -f "${ossec_merged}"
+ ossec_hids_command stop
+ sleep 1
+ ossec_hids_command start
+ echo "Waiting ${ossec_hids_fetch_time} seconds for the shared configuration to be downloaded from the OSSEC server"
+ sleep ${ossec_hids_fetch_time}
+ if [ ! -s "${ossec_merged}" ]; then
+ echo "Failed to download shared configuration from the OSSEC server"
+ return 1
+ fi
+ ;;
+ *)
+ echo "Shared configuration is only available for agent installations"
+ return 1
+ ;;
+ esac
+
+ return 0
+}
+
+ossec_hids_prepare() {
+ case ${rc_arg} in
+ start|restart)
+ ossec_hids_create_logs && \
+ ossec_hids_create_env && \
+ ossec_hids_create_configs && \
+ ossec_hids_clean && \
+ ossec_hids_check || return 1
+ ;;
+ fetch_config)
+ ossec_hids_create_logs && \
+ ossec_hids_create_env && \
+ ossec_hids_create_configs && \
+ ossec_hids_clean && \
+ ossec_hids_fetch_configs && \
+ ossec_hids_check || return 1
+ ;;
+ reload)
+ ossec_hids_create_env && \
+ ossec_hids_create_configs || return 1
+ ;;
+ esac
+
+ return 0
+}
+
+ossec_hids_ossec_conf() {
+ if [ -x "${ossec_conf_bin}" ]; then
+ "${ossec_conf_bin}"
+ elif [ -f "${ossec_conf}" ]; then
+ cat "${ossec_conf}"
+ fi
+}
+
+ossec_hids_agent_conf() {
+ if [ -x "${agent_conf_bin}" ]; then
+ "${agent_conf_bin}"
+ elif [ -f "${agent_conf}" ]; then
+ cat "${agent_conf}"
+ fi
+}
+
+ossec_hids_command() {
+ "${ossec_home}/bin/ossec-control" "$1"
+}
+
+run_rc_command "$1"
diff --git a/security/ossec-hids-local/files/patch-active-response_host-deny.sh b/security/ossec-hids-local/files/patch-active-response_host-deny.sh
new file mode 100644
index 0000000..aff6243
--- /dev/null
+++ b/security/ossec-hids-local/files/patch-active-response_host-deny.sh
@@ -0,0 +1,15 @@
+--- active-response/host-deny.sh.orig 2018-06-26 12:15:38 UTC
++++ active-response/host-deny.sh
+@@ -126,10 +126,10 @@ if [ "x${ACTION}" = "xadd" ]; then
+ # Deleting from hosts.deny
+ elif [ "x${ACTION}" = "xdelete" ]; then
+ lock;
+- TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
++ TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX`
+ if [ "X${TMP_FILE}" = "X" ]; then
+ # Cheap fake tmpfile, but should be harder then no random data
+- TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
++ TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
+ fi
+ echo "${IP}" | grep "\:" > /dev/null 2>&1
+ if [ $? = 0 ]; then
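Review bot: In `ossec_hids_create_configs` the merged configuration is written with `"${ossec_conf_bin}" > "${ossec_conf}"` (and the same for `agent_conf`) without checking the generator's exit status, so a generator that fails part-way leaves a truncated ossec.conf that is now newer than every file in `ossec.conf.d` and is treated as current by `ossec_hids_config_is_outdated` on the next start; the function then ends with an unconditional `return 0`, so `ossec_hids_prepare` goes on to start the daemons on the broken file. Writing to a temporary file, checking the status and renaming into place, with the status propagated in place of that trailing `return 0`, closes the window; a helper along the lines below can replace both redirections. `ossec_hids_config_is_outdated` also assigns `dst_file` and `src_dir` without `local`, unlike every other function in the script. Minor: the agent-side warning text reads `There are is no client key imported`.
```shell
ossec_hids_merge_config() {
	# Regenerate ${dst_file} from ${merge_bin}; never leave a partial file behind on failure.
	local merge_bin=$1
	local dst_file=$2
	local owner=$3
	local tmp_file="${dst_file}.tmp.$$"

	if ! "${merge_bin}" > "${tmp_file}"; then
		rm -f "${tmp_file}"
		echo "Failed to generate ${dst_file}"
		return 1
	fi
	chown "${owner}" "${tmp_file}" && chmod 0640 "${tmp_file}" && mv -f "${tmp_file}" "${dst_file}"
}

ossec_hids_create_configs() {
	# … unchanged: case on ${ossec_type}, -x and outdated checks …
	ossec_hids_merge_config "${agent_conf_bin}" "${agent_conf}" %%USER%%:%%OSSEC_GROUP%% || return 1
	# … unchanged: agent branch …
	ossec_hids_merge_config "${ossec_conf_bin}" "${ossec_conf}" %%USER%%:%%OSSEC_GROUP%% || return 1
	return 0
}
```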
@@ -0,0 +1,19 @@
+--- src/Makefile.orig 2018-06-26 12:15:38 UTC
++++ src/Makefile
+@@ -397,7 +397,6 @@ endif
+ install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/diff
+ 
+ install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc
+- install -m 0440 -o root -g ${OSSEC_GROUP} /etc/localtime ${PREFIX}/etc
+ 
+ install -d -m 1550 -o root -g ${OSSEC_GROUP} ${PREFIX}/tmp
+ 
+@@ -425,7 +424,7 @@ endif
+ endif
+ 
+ install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc/shared
+- install -m 0640 -o ossec -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/
++ install -m 0640 -o ${OSSEC_USER} -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/
+ 
+ install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response
+ install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response/bin
diff --git a/security/ossec-hids-local/files/patch-src_init_adduser.sh b/security/ossec-hids-local/files/patch-src_init_adduser.sh
new file mode 100644
index 0000000..21c0d0b
--- /dev/null
+++ b/security/ossec-hids-local/files/patch-src_init_adduser.sh
@@ -0,0 +1,11 @@
+--- src/init/adduser.sh.orig 2018-06-26 12:15:38 UTC
++++ src/init/adduser.sh
+@@ -69,7 +69,7 @@ else
+ fi
+ 
+ if [ -x /usr/bin/getent ]; then
+- if [ `getent group ossec | wc -l` -lt 1 ]; then
++ if [ `getent group "${GROUP}" | wc -l` -lt 1 ]; then
+ ${GROUPADD} "${GROUP}"
+ fi
+ elif ! grep "^${GROUP}" /etc/group > /dev/null 2>&1; then
diff --git a/security/ossec-hids-local/files/patch-src_os__net_os__net.c b/security/ossec-hids-local/files/patch-src_os__net_os__net.c
new file mode 100644
index 0000000..fe99e5c
--- /dev/null
+++ b/security/ossec-hids-local/files/patch-src_os__net_os__net.c
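Review bot: The `elif ! grep "^${GROUP}" /etc/group` fallback, carried as a context line by patch-src_init_adduser.sh, matches any group whose name merely begins with `${GROUP}`, so on a system without getent the `${GROUPADD} "${GROUP}"` call can be skipped even though the exact group does not exist. Since the patch already rewrites the group lookup two lines above to use `"${GROUP}"`, anchoring the fallback on the full field, `elif ! grep "^${GROUP}:" /etc/group > /dev/null 2>&1; then`, would make it as exact as the `getent group "${GROUP}"` path. The enclosing `if` in src/init/adduser.sh continues outside the hunk.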
@@ -0,0 +1,24 @@
+--- src/os_net/os_net.c.orig 2017-12-19 21:30:31 UTC
++++ src/os_net/os_net.c
+@@ -48,16 +48,16 @@ int OS_Bindport(char *_port, unsigned in
+ 
+ 
+ memset(&hints, 0, sizeof(struct addrinfo));
+-#ifdef AI_V4MAPPED
+- hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */
+- hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED;
+-#else
++//#ifdef AI_V4MAPPED
++// hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */
++// hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED;
++//#else
+ /* Certain *BSD OS (eg. OpenBSD) do not allow binding to a
+ single-socket for both IPv4 and IPv6 per RFC 3493. This will
+ allow one or the other based on _ip. */
+ hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
+ hints.ai_flags = AI_PASSIVE;
+-#endif
++//#endif
+ hints.ai_protocol = _proto;
+ if (_proto == IPPROTO_UDP) {
+ hints.ai_socktype = SOCK_DGRAM;
diff --git a/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt b/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt
new file mode 100644
index 0000000..424c10e
--- /dev/null
+++ b/security/ossec-hids-local/files/patch-src_rootcheck_db_system__audit__rcl.txt
@@ -0,0 +1,11 @@
+--- src/rootcheck/db/system_audit_rcl.txt.orig 2017-12-19 21:30:31 UTC
++++ src/rootcheck/db/system_audit_rcl.txt
+@@ -25,7 +25,7 @@
+ # Multiple patterns can be specified by using " && " between them.
+ # (All of them must match for it to return true).
+ 
+-$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
++$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini;
+ $web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
+ 
+ # PHP checks
diff --git a/security/ossec-hids-local/files/pkg-deinstall.in b/security/ossec-hids-local/files/pkg-deinstall.in
new file mode 100644
index 0000000..d081d40
--- /dev/null
+++ b/security/ossec-hids-local/files/pkg-deinstall.in
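Review bot: The `#ifdef AI_V4MAPPED` branch in `OS_Bindport` is disabled by prefixing the four directive and assignment lines plus the `#endif` with `//`, which leaves commented-out preprocessor directives in the patched source and records nothing about why the dual-stack listener is unwanted here. A guard such as `#if defined(AI_V4MAPPED) && !defined(__FreeBSD__)` keeps upstream's branch intact for other platforms and states the intent in one line; a short comment next to it noting the reason (presumably that an `AF_INET6` socket with `AI_V4MAPPED` does not accept IPv4 connections under FreeBSD's default `net.inet6.ip6.v6only=1`, which is worth confirming against the port's actual motivation) would complete it. `OS_Bindport` continues on both sides of the hunk.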
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+ossec_home="%%OSSEC_HOME%%"
+ar_conf="${ossec_home}/etc/shared/ar.conf"
+merged_mg="${ossec_home}/etc/shared/merged.mg"
+client_keys="${ossec_home}/etc/client.keys"
+firewall_drop="${ossec_home}/active-response/bin/firewall-drop.sh"
+local_time="${ossec_home}/etc/localtime"
+
+if [ "$2" == "DEINSTALL" ]; then
+ rm -f "${ar_conf}"
+ rm -f "${merged_mg}"
+ if [ ! -s "${client_keys}" ]; then
+ rm -f "${client_keys}"
+ fi
+ rm -f "${firewall_drop}"
+ rm -f "${local_time}"
+fi
diff --git a/security/ossec-hids-local/files/pkg-install.in b/security/ossec-hids-local/files/pkg-install.in
new file mode 100644
index 0000000..d819e70
--- /dev/null
+++ b/security/ossec-hids-local/files/pkg-install.in
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+ossec_home="%%OSSEC_HOME%%"
+client_keys="${ossec_home}/etc/client.keys"
+
+create_file() {
+ local path=$1
+ local owner=$2
+ local mode=$3
+
+ if [ ! -e "${path}" ]; then
+ touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}"
+ fi
+}
+
+if [ "$2" == "POST-INSTALL" ]; then
+ pw usermod %%OSSEC_USER%% -d "${ossec_home}"
+ pw usermod ossecm -d "${ossec_home}"
+ pw usermod ossecr -d "${ossec_home}"
+ chown %%USER%%:%%OSSEC_GROUP%% "${ossec_home}"
+
+ create_file "${client_keys}" root:ossec 0640
+fi
diff --git a/security/ossec-hids-local/files/restart-ossec.sh.in b/security/ossec-hids-local/files/restart-ossec.sh.in
new file mode 100644
index 0000000..9b8a649
--- /dev/null
+++ b/security/ossec-hids-local/files/restart-ossec.sh.in
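Review bot: In pkg-install.in, `create_file "${client_keys}" root:ossec 0640` hard-codes the group name while the `chown` two lines above it uses `%%OSSEC_GROUP%%`, and patch-src_init_adduser.sh in this same commit exists precisely to remove a hard-coded `ossec` group; `create_file "${client_keys}" root:%%OSSEC_GROUP%% 0640` keeps the two in step. The three `pw usermod` calls and the `chown` also run without any status check, so a failed home-directory change during `pkg install` goes unnoticed; chaining them with `&&` (or ending the script with the status of the last one) would surface it. The `ossecm` and `ossecr` names are likewise spelled out here and in the Makefile's `USERS=`, so a single substitution variable would avoid the two drifting apart.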
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+ossec_rc="%%OSSEC_RC%%"
+
+ACTION=$1
+USER=$2
+IP=$3
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../../tmp
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
+
+case ${ACTION} in
+ add)
+ "${ossec_rc}" restart
+ exit 0
+ ;;
+ delete)
+ exit 0
+ ;;
+ *)
+ echo "$0: invalid action: ${ACTION}"
+ exit 1
+ ;;
+esac
diff --git a/security/ossec-hids-local/pkg-descr b/security/ossec-hids-local/pkg-descr
new file mode 100644
index 0000000..3156a70
--- /dev/null
+++ b/security/ossec-hids-local/pkg-descr
@@ -0,0 +1,6 @@
+OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection
+System (HIDS). It has a powerful correlation and analysis engine, integrating
+log analysis, file integrity checking, Windows registry monitoring, centralized
+policy enforcement, rootkit detection, real-time alerting and active response.
+
+WWW: https://ossec.github.io
diff --git a/security/ossec-hids-local/pkg-plist-agent b/security/ossec-hids-local/pkg-plist-agent
new file mode 100644
index 0000000..01ddca8
--- /dev/null
+++ b/security/ossec-hids-local/pkg-plist-agent
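Review bot: In the `add)` branch of restart-ossec.sh.in the result of `"${ossec_rc}" restart` is thrown away by the unconditional `exit 0`, so a restart that fails is reported to the invoking daemon as success and the only record is whatever the rc script printed; `"${ossec_rc}" restart` followed by `exit $?` (or simply `exec "${ossec_rc}" restart`) returns the real status. The `cd $LOCAL` / `cd ../../tmp` pair is unquoted and unchecked, and nothing that follows depends on the working directory (the log path and `${ossec_rc}` are both absolute), so it can be dropped or written as `cd "${LOCAL}/../../tmp" || exit 1`. `ossec_type` is assigned but never read, and the `;` after `LOCAL=\`dirname $0\`` is stray.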
@@ -0,0 +1,70 @@ +@dir(,ossec,550) %%OSSEC_HOME%% +@dir(,ossec,550) %%OSSEC_HOME%%/active-response +@dir(,ossec,550) %%OSSEC_HOME%%/active-response/bin +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/disable-account.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/firewalld-drop.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/host-deny.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ip-customblock.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfilter.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfw.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfw_mac.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/npf.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-pagerduty.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-slack.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-tweeter.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/pf.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/restart-ossec.sh +@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/route-null.sh +@dir(,,550) %%OSSEC_HOME%%/bin +@(,,550) %%OSSEC_HOME%%/bin/agent-auth +@(,,550) %%OSSEC_HOME%%/bin/manage_agents +@(,,550) %%OSSEC_HOME%%/bin/ossec-agentd +@(,,550) %%OSSEC_HOME%%/bin/ossec-control +@(,,550) %%OSSEC_HOME%%/bin/ossec-execd +@(,,550) %%OSSEC_HOME%%/bin/ossec-logcollector +@(,,550) %%OSSEC_HOME%%/bin/ossec-lua +@(,,550) %%OSSEC_HOME%%/bin/ossec-luac +@(,,550) %%OSSEC_HOME%%/bin/ossec-syscheckd +@(,,550) %%OSSEC_HOME%%/bin/util.sh +@dir(,ossec,550) %%OSSEC_HOME%%/etc +@(,ossec,640) %%OSSEC_HOME%%/etc/internal_options.conf +@sample(,ossec,640) %%OSSEC_HOME%%/etc/local_internal_options.conf.sample +@dir(,ossec,770) %%OSSEC_HOME%%/etc/shared +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_apache2224_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_debian_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_community_rcl.txt +@(ossec,ossec,644) 
%%OSSEC_HOME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_rhel5_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_rhel6_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_rhel7_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_rhel_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_sles11_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_sles12_linux_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL1_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL2_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL1_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL2_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/rootkit_files.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/win_applications_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/win_audit_rcl.txt +@(ossec,ossec,644) %%OSSEC_HOME%%/etc/shared/win_malware_rcl.txt +@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs +@dir(,ossec,550) %%OSSEC_HOME%%/queue +@dir(ossec,ossec,770) %%OSSEC_HOME%%/queue/alerts +@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/diff +@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/ossec +@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/rids +@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/syscheck +@dir(,ossec,550) %%OSSEC_HOME%%/tmp +@dir(,ossec,550) %%OSSEC_HOME%%/var +@dir(,ossec,770) %%OSSEC_HOME%%/var/run +%%PORTDOCS%%%%DOCSDIR%%/BUGS +%%PORTDOCS%%%%DOCSDIR%%/CHANGELOG +%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS +%%PORTDOCS%%%%DOCSDIR%%/LICENSE +%%PORTDOCS%%%%DOCSDIR%%/README.md +%%PORTDOCS%%%%DOCSDIR%%/SUPPORT.md +%%PORTDOCS%%%%DOCSDIR%%/ossec.conf.sample 
diff --git a/security/ossec-hids-local/pkg-plist-local b/security/ossec-hids-local/pkg-plist-local new file mode 100644 index 0000000..21e358e --- /dev/null +++ b/security/ossec-hids-local/pkg-plist-local 
@@ -0,0 +1,185 @@
+@dir(,ossec,550) %%OSSEC_HOME%%
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response/bin
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/disable-account.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/firewalld-drop.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/host-deny.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ip-customblock.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfilter.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfw.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfw_mac.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/npf.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-pagerduty.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-slack.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-tweeter.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/pf.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/restart-ossec.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/route-null.sh
+@dir(,ossec,550) %%OSSEC_HOME%%/agentless
+@(,ossec,550) %%OSSEC_HOME%%/agentless/main.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/register_host.sh
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_asa-fwsmconfig_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_foundry_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_generic_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_bsd
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_linux
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_nopass.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_pixconfig_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/sshlogin.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/su.exp
+@dir(,,550) %%OSSEC_HOME%%/bin
+@(,,550) %%OSSEC_HOME%%/bin/agent_control
+@(,,550) %%OSSEC_HOME%%/bin/clear_stats
+@(,,550) %%OSSEC_HOME%%/bin/list_agents
+@(,,550) %%OSSEC_HOME%%/bin/manage_agents
+@(,,550) 
%%OSSEC_HOME%%/bin/ossec-agentlessd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-analysisd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-authd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-control
+@(,,550) %%OSSEC_HOME%%/bin/ossec-csyslogd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-dbd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-execd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-logcollector
+@(,,550) %%OSSEC_HOME%%/bin/ossec-logtest
+@(,,550) %%OSSEC_HOME%%/bin/ossec-lua
+@(,,550) %%OSSEC_HOME%%/bin/ossec-luac
+@(,,550) %%OSSEC_HOME%%/bin/ossec-maild
+@(,,550) %%OSSEC_HOME%%/bin/ossec-makelists
+@(,,550) %%OSSEC_HOME%%/bin/ossec-monitord
+@(,,550) %%OSSEC_HOME%%/bin/ossec-regex
+@(,,550) %%OSSEC_HOME%%/bin/ossec-remoted
+@(,,550) %%OSSEC_HOME%%/bin/ossec-reportd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-syscheckd
+@(,,550) %%OSSEC_HOME%%/bin/rootcheck_control
+@(,,550) %%OSSEC_HOME%%/bin/syscheck_control
+@(,,550) %%OSSEC_HOME%%/bin/syscheck_update
+@(,,550) %%OSSEC_HOME%%/bin/util.sh
+@(,,550) %%OSSEC_HOME%%/bin/verify-agent-conf
+@dir(,ossec,550) %%OSSEC_HOME%%/etc
+@(,ossec,640) %%OSSEC_HOME%%/etc/decoder.xml
+@(,ossec,640) %%OSSEC_HOME%%/etc/internal_options.conf
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/local_internal_options.conf.sample
+@dir(,ossec,770) %%OSSEC_HOME%%/etc/shared
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_apache2224_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_debian_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_community_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel5_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel6_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel7_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_sles11_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_sles12_linux_rcl.txt
+@(ossec,ossec,640) 
%%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL1_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL2_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL1_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL2_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/rootkit_files.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/win_applications_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/win_audit_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/win_malware_rcl.txt
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs
+@dir(,ossec,550) %%OSSEC_HOME%%/rules
+@(,ossec,640) %%OSSEC_HOME%%/rules/apache_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/apparmor_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/arpwatch_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/asterisk_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/attack_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/cimserver_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/cisco-ios_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/clam_av_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/courier_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/dovecot_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/dropbear_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/exim_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/firewall_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/firewalld_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/hordeimp_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ids_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/imapd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/local_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/mailscanner_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/mcafee_av_rules.xml
+@(,ossec,640) 
%%OSSEC_HOME%%/rules/ms-exchange_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ms-se_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ms_dhcp_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ms_ftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/msauth_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/mysql_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/named_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/netscreenfw_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/nginx_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/nsd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/openbsd-dhcpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/openbsd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/opensmtpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ossec_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/owncloud_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/pam_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/php_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/pix_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/policy_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/postfix_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/postgresql_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/proftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/proxmox-ve_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/psad_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/pure-ftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/racoon_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/roundcube_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/rules_config.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sendmail_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/smbd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/solaris_bsm_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sonicwall_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/spamd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/squid_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sshd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/symantec-av_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/symantec-ws_rules.xml
+@(,ossec,640) 
%%OSSEC_HOME%%/rules/syslog_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sysmon_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/systemd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/telnetd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/trend-osce_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/unbound_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vmpop3d_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vmware_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vpn_concentrator_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vpopmail_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vsftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/web_appsec_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/web_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/wordpress_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/zeus_rules.xml
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs/alerts
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs/archives
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs/firewall
+@dir(,ossec,550) %%OSSEC_HOME%%/queue
+@dir(ossecr,ossec,750) %%OSSEC_HOME%%/queue/agent-info
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/agentless
+@dir(ossec,ossec,770) %%OSSEC_HOME%%/queue/alerts
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/diff
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/fts
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/ossec
+@dir(ossecr,ossec,750) %%OSSEC_HOME%%/queue/rids
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/rootcheck
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/syscheck
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/stats
+@dir(,ossec,550) %%OSSEC_HOME%%/tmp
+@dir(,ossec,550) %%OSSEC_HOME%%/var
+@dir(,ossec,770) %%OSSEC_HOME%%/var/run
+%%PORTDOCS%%%%DOCSDIR%%/BUGS
+%%PORTDOCS%%%%DOCSDIR%%/CHANGELOG
+%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
+%%PORTDOCS%%%%DOCSDIR%%/LICENSE
+%%PORTDOCS%%%%DOCSDIR%%/README.md
+%%PORTDOCS%%%%DOCSDIR%%/SUPPORT.md
+%%PORTDOCS%%%%DOCSDIR%%/ossec.conf.sample
+%%MYSQL%%%%DOCSDIR%%/mysql.schema
+%%PGSQL%%%%DOCSDIR%%/postgresql.schema
diff --git a/security/ossec-hids-local/pkg-plist-server b/security/ossec-hids-local/pkg-plist-server
new file mode 100644
index 0000000..21e358e
--- /dev/null
+++ b/security/ossec-hids-local/pkg-plist-server
@@ -0,0 +1,185 @@
+@dir(,ossec,550) %%OSSEC_HOME%%
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response/bin
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/disable-account.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/firewalld-drop.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/host-deny.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ip-customblock.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfilter.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfw.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ipfw_mac.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/npf.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-pagerduty.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-slack.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/ossec-tweeter.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/pf.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/restart-ossec.sh
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/route-null.sh
+@dir(,ossec,550) %%OSSEC_HOME%%/agentless
+@(,ossec,550) %%OSSEC_HOME%%/agentless/main.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/register_host.sh
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_asa-fwsmconfig_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_foundry_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_generic_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_bsd
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_linux
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_nopass.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/ssh_pixconfig_diff
+@(,ossec,550) %%OSSEC_HOME%%/agentless/sshlogin.exp
+@(,ossec,550) %%OSSEC_HOME%%/agentless/su.exp
+@dir(,,550) %%OSSEC_HOME%%/bin
+@(,,550) %%OSSEC_HOME%%/bin/agent_control
+@(,,550) %%OSSEC_HOME%%/bin/clear_stats
+@(,,550) %%OSSEC_HOME%%/bin/list_agents
+@(,,550) %%OSSEC_HOME%%/bin/manage_agents
+@(,,550) 
%%OSSEC_HOME%%/bin/ossec-agentlessd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-analysisd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-authd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-control
+@(,,550) %%OSSEC_HOME%%/bin/ossec-csyslogd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-dbd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-execd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-logcollector
+@(,,550) %%OSSEC_HOME%%/bin/ossec-logtest
+@(,,550) %%OSSEC_HOME%%/bin/ossec-lua
+@(,,550) %%OSSEC_HOME%%/bin/ossec-luac
+@(,,550) %%OSSEC_HOME%%/bin/ossec-maild
+@(,,550) %%OSSEC_HOME%%/bin/ossec-makelists
+@(,,550) %%OSSEC_HOME%%/bin/ossec-monitord
+@(,,550) %%OSSEC_HOME%%/bin/ossec-regex
+@(,,550) %%OSSEC_HOME%%/bin/ossec-remoted
+@(,,550) %%OSSEC_HOME%%/bin/ossec-reportd
+@(,,550) %%OSSEC_HOME%%/bin/ossec-syscheckd
+@(,,550) %%OSSEC_HOME%%/bin/rootcheck_control
+@(,,550) %%OSSEC_HOME%%/bin/syscheck_control
+@(,,550) %%OSSEC_HOME%%/bin/syscheck_update
+@(,,550) %%OSSEC_HOME%%/bin/util.sh
+@(,,550) %%OSSEC_HOME%%/bin/verify-agent-conf
+@dir(,ossec,550) %%OSSEC_HOME%%/etc
+@(,ossec,640) %%OSSEC_HOME%%/etc/decoder.xml
+@(,ossec,640) %%OSSEC_HOME%%/etc/internal_options.conf
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/local_internal_options.conf.sample
+@dir(,ossec,770) %%OSSEC_HOME%%/etc/shared
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_apache2224_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_debian_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_community_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel5_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel6_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel7_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_rhel_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_sles11_linux_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_sles12_linux_rcl.txt
+@(ossec,ossec,640) 
%%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL1_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL2_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL1_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL2_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/rootkit_files.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/win_applications_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/win_audit_rcl.txt
+@(ossec,ossec,640) %%OSSEC_HOME%%/etc/shared/win_malware_rcl.txt
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs
+@dir(,ossec,550) %%OSSEC_HOME%%/rules
+@(,ossec,640) %%OSSEC_HOME%%/rules/apache_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/apparmor_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/arpwatch_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/asterisk_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/attack_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/cimserver_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/cisco-ios_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/clam_av_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/courier_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/dovecot_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/dropbear_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/exim_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/firewall_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/firewalld_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/hordeimp_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ids_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/imapd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/local_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/mailscanner_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/mcafee_av_rules.xml
+@(,ossec,640) 
%%OSSEC_HOME%%/rules/ms-exchange_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ms-se_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ms_dhcp_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ms_ftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/msauth_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/mysql_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/named_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/netscreenfw_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/nginx_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/nsd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/openbsd-dhcpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/openbsd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/opensmtpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/ossec_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/owncloud_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/pam_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/php_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/pix_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/policy_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/postfix_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/postgresql_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/proftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/proxmox-ve_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/psad_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/pure-ftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/racoon_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/roundcube_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/rules_config.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sendmail_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/smbd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/solaris_bsm_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sonicwall_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/spamd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/squid_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sshd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/symantec-av_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/symantec-ws_rules.xml
+@(,ossec,640) 
%%OSSEC_HOME%%/rules/syslog_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/sysmon_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/systemd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/telnetd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/trend-osce_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/unbound_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vmpop3d_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vmware_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vpn_concentrator_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vpopmail_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/vsftpd_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/web_appsec_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/web_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/wordpress_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/zeus_rules.xml
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs/alerts
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs/archives
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/logs/firewall
+@dir(,ossec,550) %%OSSEC_HOME%%/queue
+@dir(ossecr,ossec,750) %%OSSEC_HOME%%/queue/agent-info
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/agentless
+@dir(ossec,ossec,770) %%OSSEC_HOME%%/queue/alerts
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/diff
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/fts
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/ossec
+@dir(ossecr,ossec,750) %%OSSEC_HOME%%/queue/rids
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/rootcheck
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/queue/syscheck
+@dir(ossec,ossec,750) %%OSSEC_HOME%%/stats
+@dir(,ossec,550) %%OSSEC_HOME%%/tmp
+@dir(,ossec,550) %%OSSEC_HOME%%/var
+@dir(,ossec,770) %%OSSEC_HOME%%/var/run
+%%PORTDOCS%%%%DOCSDIR%%/BUGS
+%%PORTDOCS%%%%DOCSDIR%%/CHANGELOG
+%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
+%%PORTDOCS%%%%DOCSDIR%%/LICENSE
+%%PORTDOCS%%%%DOCSDIR%%/README.md
+%%PORTDOCS%%%%DOCSDIR%%/SUPPORT.md
+%%PORTDOCS%%%%DOCSDIR%%/ossec.conf.sample
+%%MYSQL%%%%DOCSDIR%%/mysql.schema
+%%PGSQL%%%%DOCSDIR%%/postgresql.schema
diff --git a/security/ossec-hids-local/scripts/plist.sh b/security/ossec-hids-local/scripts/plist.sh
new file mode 100755
index 0000000..8a3dfcd
--- /dev/null
+++ b/security/ossec-hids-local/scripts/plist.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+# Script generates entries for pkg-plist.
+# Do not use it directly. Use the following command instead:
+#
+# make MAINTAINER_MODE=yes clean plist
+
+OSSEC_TYPE=$1
+OSSEC_HOME=$2
+PLIST=$3
+WORKDIR=$4
+STAGEDIR=$5
+
+staged_plist="${WORKDIR}/.staged-plist"
+fixed_lines=""
+if [ "${OSSEC_TYPE}" != "agent" ]; then
+ fixed_lines="${fixed_lines} %%MYSQL%%%%DOCSDIR%%/mysql.schema %%PGSQL%%%%DOCSDIR%%/postgresql.schema"
+fi
+skip_lines="%%PORTDOCS%%%%DOCSDIR%%/mysql.schema %%PORTDOCS%%%%DOCSDIR%%/postgresql.schema"
+skip_paths="/etc/ossec.conf /etc/client.keys /logs/active-responses.log /logs/ossec.log /lua /.ssh"
+sample_paths="/etc/local_internal_options.conf.sample"
+if [ "${OSSEC_TYPE}" == "agent" ]; then
+ skip_paths="${skip_paths} /rules /agentless"
+fi
+
+print_path() {
+ local path="$1"
+ local command="$2"
+ local full_path="${STAGEDIR}${OSSEC_HOME}${path}"
+ if [ -z "${command}" ]; then
+ command="@"
+ if [ -d "${full_path}" ]; then
+ command="@dir"
+ fi
+ fi
+ local user=`stat -f "%Su" "${full_path}"`
+ if [ "${user}" == "${USER}" ]; then
+ user=""
+ fi
+ local group=`stat -f "%Sg" "${full_path}"`
+ if [ "${group}" == "${GROUP}" ]; then
+ group=""
+ fi
+ local mode=`stat -f "%p" "${full_path}" | tail -c 4`
+ echo -e "${command}(${user},${group},${mode}) %%OSSEC_HOME%%${path}" >> "${PLIST}"
+}
+
+echo -n > "${PLIST}"
+
+print_path
+
+done_paths=""
+while read line; do
+ skip_line=""
+ for e in ${skip_lines}; do
+ if [ "${e}" == "${line}" ]; then
+ skip_line="${e}"
+ break
+ fi
+ done
+ if [ -z "${skip_line}" ]; then
+ path=""
+ case $line in
+ "@dir %%OSSEC_HOME%%"*)
+ path=`echo "${line}" | sed -e "s|@dir %%OSSEC_HOME%%||g"`
+ ;;
+ "%%OSSEC_HOME%%"*)
+ path=`echo "${line}" | sed -e "s|%%OSSEC_HOME%%||g"`
+ ;;
+ "%%"*)
+ unchanged_lines="${unchanged_lines} ${line}"
+ ;;
+ esac
+ if [ -n "${path}" ]; then
+ segments=`echo "${path}" | tr "/" "\n"`
+ path=""
+ for segment in ${segments}; do
+ path="${path}/${segment}"
+ skip_path=""
+ for e in ${skip_paths}; do
+ if [ "${e}" == "${path}" ]; then
+ skip_path="${e}"
+ break
+ fi
+ done
+ if [ -n "${skip_path}" ]; then
+ break
+ fi
+ done_path=""
+ for e in ${done_paths}; do
+ if [ "${e}" == "${path}" ]; then
+ done_path="${e}"
+ break
+ fi
+ done
+ if [ -z "${done_path}" ]; then
+ done_paths="${done_paths} ${path}"
+ sample_path=""
+ for e in ${sample_paths}; do
+ if [ "${e}" == "${path}" ]; then
+ sample_path="${e}"
+ break
+ fi
+ done
+ if [ -n "${sample_path}" ]; then
+ print_path "${path}" @sample
+ else
+ print_path "${path}"
+ fi
+ fi
+ done
+ fi
+ fi
+done < "${staged_plist}"
+
+unchanged_lines="${unchanged_lines} ${fixed_lines}"
+for line in ${unchanged_lines}; do
+ echo "${line}" >> "${PLIST}"
+done
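Review bot: `print_path` blanks the owner and group of an entry only when they equal `${USER}` and `${GROUP}`, but `GROUP` is not a variable the shell provides, so unless the Makefile that invokes this script exports it the comparison never matches and every entry is written with an explicit group (an unset `USER`, e.g. under sudo or cron, has the same effect on the owner). The five positional parameters are likewise consumed unchecked: an empty `WORKDIR` turns `staged_plist` into `/.staged-plist` and an empty `PLIST` fails only at `echo -n > "${PLIST}"`; a guard right after the assignments, `[ $# -eq 5 ] || { echo "usage: $0 type home plist workdir stagedir" >&2; exit 1; }`, makes that explicit, and an `unchanged_lines=""` next to `done_paths=""` keeps an inherited environment value from leaking into the generated plist. The script also relies on `==`, `local` and `echo -e` under `#!/bin/sh`; these work with FreeBSD's sh but are not POSIX, which is worth stating next to the maintainer-only note in the header.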