From 495280d9dc4ff5efd555f50e65a120df1b780003 Mon Sep 17 00:00:00 2001 
From: Dominik Lisiak Date: Sat, 13 Oct 2018 20:51:51 +0200 Subject: Initial commit for version 3.0.0 --- security/ossec-hids-local-config/Makefile | 446 +++++++++++++++++++++ security/ossec-hids-local-config/distinfo | 3 + .../ossec-hids-local-config/files/agent-conf.in | 33 ++ .../files/command-last-logins.sh.in | 8 + .../files/command-open-ports.sh.in | 19 + .../ossec-hids-local-config/files/command.conf.in | 6 + .../files/merge-config.sh.in | 32 ++ .../files/message-agent-conf.in | 3 + .../files/message-ossec-conf.in | 3 + .../ossec-hids-local-config/files/message-pf.in | 4 + .../ossec-hids-local-config/files/ossec-conf.in | 60 +++ .../ossec-hids-local-config/files/pkg-deinstall.in | 10 + .../ossec-hids-local-config/files/pkg-install.in | 32 ++ .../files/rules-cmdout.xml.in | 67 ++++ .../files/rules-config.xml.in | 52 +++ .../files/template-ar-cmds-default.xml.in | 38 ++ .../files/template-ar-cmds-merge.xml.in | 10 + .../files/template-ar-fwdrop.xml.in | 13 + .../files/template-ar-hostdeny.xml.in | 12 + .../files/template-ar-merge.xml.in | 11 + .../files/template-ar-restart.xml.in | 11 + .../files/template-cmdout-last-logins.xml.in | 10 + .../files/template-cmdout-open-ports-tcp.xml.in | 28 ++ .../files/template-cmdout-open-ports-udp.xml.in | 28 ++ .../files/template-header-disabled.xml.in | 10 + .../files/template-header-enabled.xml.in | 4 + .../files/template-header-sample.xml.in | 1 + .../files/template-logs-apache.xml.in | 28 ++ .../files/template-logs-default.xml.in | 68 ++++ .../files/template-logs-nginx.xml.in | 28 ++ .../files/template-logs-radius.xml.in | 18 + .../files/template-logs-response.xml.in | 18 + .../files/template-logs-vsftpd.xml.in | 18 + .../files/template-rootcheck-default.xml.in | 23 ++ .../files/template-rules-cmdout.xml.in | 8 + .../files/template-rules-config.xml.in | 8 + .../files/template-rules-default.xml.in | 82 ++++ .../files/template-sample-agent.xml.in | 14 + .../files/template-sample-database.xml.in | 12 + 
.../files/template-sample-local.xml.in | 17 + .../files/template-sample-server.xml.in | 23 ++ .../files/template-syscheck-default.xml.in | 18 + .../files/template-syscheck-hostdeny.xml.in | 16 + .../files/template-syscheck-newfiles.xml.in | 16 + .../files/template-syscheck-noauto.xml.in | 16 + .../files/template-syscheck-ossec.xml.in | 18 + security/ossec-hids-local-config/opt-ar.mk | 46 +++ security/ossec-hids-local-config/opt-cmdout.mk | 27 ++ security/ossec-hids-local-config/opt-logs.mk | 52 +++ security/ossec-hids-local-config/opt-rootcheck.mk | 12 + security/ossec-hids-local-config/opt-rules.mk | 27 ++ security/ossec-hids-local-config/opt-syscheck.mk | 41 ++ security/ossec-hids-local-config/pkg-descr | 9 + security/ossec-hids-local-config/pkg-plist-agent | 23 ++ security/ossec-hids-local-config/pkg-plist-local | 30 ++ security/ossec-hids-local-config/pkg-plist-server | 39 ++ security/ossec-hids-local-config/scripts/plist.sh | 113 ++++++ security/ossec-hids-local-config/scripts/rules.sh | 89 ++++ .../scripts/template-to-agent.sh | 33 ++ .../scripts/template-to-ossec.sh | 45 +++ 60 files changed, 1989 insertions(+) create mode 100644 security/ossec-hids-local-config/Makefile create mode 100644 security/ossec-hids-local-config/distinfo create mode 100644 security/ossec-hids-local-config/files/agent-conf.in create mode 100644 security/ossec-hids-local-config/files/command-last-logins.sh.in create mode 100644 security/ossec-hids-local-config/files/command-open-ports.sh.in create mode 100644 security/ossec-hids-local-config/files/command.conf.in create mode 100644 security/ossec-hids-local-config/files/merge-config.sh.in create mode 100644 security/ossec-hids-local-config/files/message-agent-conf.in create mode 100644 security/ossec-hids-local-config/files/message-ossec-conf.in create mode 100644 security/ossec-hids-local-config/files/message-pf.in create mode 100644 security/ossec-hids-local-config/files/ossec-conf.in create mode 100644 
security/ossec-hids-local-config/files/pkg-deinstall.in create mode 100644 security/ossec-hids-local-config/files/pkg-install.in create mode 100644 security/ossec-hids-local-config/files/rules-cmdout.xml.in create mode 100644 security/ossec-hids-local-config/files/rules-config.xml.in create mode 100644 security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in create mode 100644 security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in create mode 100644 security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in create mode 100644 security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in create mode 100644 security/ossec-hids-local-config/files/template-ar-merge.xml.in create mode 100644 security/ossec-hids-local-config/files/template-ar-restart.xml.in create mode 100644 security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in create mode 100644 security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in create mode 100644 security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in create mode 100644 security/ossec-hids-local-config/files/template-header-disabled.xml.in create mode 100644 security/ossec-hids-local-config/files/template-header-enabled.xml.in create mode 100644 security/ossec-hids-local-config/files/template-header-sample.xml.in create mode 100644 security/ossec-hids-local-config/files/template-logs-apache.xml.in create mode 100644 security/ossec-hids-local-config/files/template-logs-default.xml.in create mode 100644 security/ossec-hids-local-config/files/template-logs-nginx.xml.in create mode 100644 security/ossec-hids-local-config/files/template-logs-radius.xml.in create mode 100644 security/ossec-hids-local-config/files/template-logs-response.xml.in create mode 100644 security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in create mode 100644 security/ossec-hids-local-config/files/template-rootcheck-default.xml.in create mode 100644 
security/ossec-hids-local-config/files/template-rules-cmdout.xml.in create mode 100644 security/ossec-hids-local-config/files/template-rules-config.xml.in create mode 100644 security/ossec-hids-local-config/files/template-rules-default.xml.in create mode 100644 security/ossec-hids-local-config/files/template-sample-agent.xml.in create mode 100644 security/ossec-hids-local-config/files/template-sample-database.xml.in create mode 100644 security/ossec-hids-local-config/files/template-sample-local.xml.in create mode 100644 security/ossec-hids-local-config/files/template-sample-server.xml.in create mode 100644 security/ossec-hids-local-config/files/template-syscheck-default.xml.in create mode 100644 security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in create mode 100644 security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in create mode 100644 security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in create mode 100644 security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in create mode 100644 security/ossec-hids-local-config/opt-ar.mk create mode 100644 security/ossec-hids-local-config/opt-cmdout.mk create mode 100644 security/ossec-hids-local-config/opt-logs.mk create mode 100644 security/ossec-hids-local-config/opt-rootcheck.mk create mode 100644 security/ossec-hids-local-config/opt-rules.mk create mode 100644 security/ossec-hids-local-config/opt-syscheck.mk create mode 100644 security/ossec-hids-local-config/pkg-descr create mode 100644 security/ossec-hids-local-config/pkg-plist-agent create mode 100644 security/ossec-hids-local-config/pkg-plist-local create mode 100644 security/ossec-hids-local-config/pkg-plist-server create mode 100755 security/ossec-hids-local-config/scripts/plist.sh create mode 100755 security/ossec-hids-local-config/scripts/rules.sh create mode 100755 security/ossec-hids-local-config/scripts/template-to-agent.sh create mode 100755 
security/ossec-hids-local-config/scripts/template-to-ossec.sh (limited to 'security/ossec-hids-local-config')
diff --git a/security/ossec-hids-local-config/Makefile b/security/ossec-hids-local-config/Makefile
new file mode 100644
index 0000000..15f3ffc
--- /dev/null
+++ b/security/ossec-hids-local-config/Makefile
@@ -0,0 +1,446 @@
+# $FreeBSD$
+
+PORTNAME= ossec-hids
+PORTVERSION= 3.0.0
+PORTREVISION=
+CATEGORIES= security
+PKGNAMESUFFIX= -${OSSEC_TYPE}-config
+
+MAINTAINER= dominik.lisiak@bemsoft.pl
+COMMENT= Configuration manager for ossec-hids
+
+LICENSE= GPLv2
+
+OSSEC_TYPE?= local
+
+MASTERDIR?= ${.CURDIR}
+
+.if ${OSSEC_TYPE} == local
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ ossec-hids-agent-* \
+ ossec-hids-server-*
+.elif ${OSSEC_TYPE} == agent
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ ossec-hids-local-* \
+ ossec-hids-server-*
+.elif ${OSSEC_TYPE} == server
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ ossec-hids-agent-* \
+ ossec-hids-local-*
+.endif
+
+.if !defined(MAINTAINER_MODE)
+RUN_DEPENDS= ossec-hids-${OSSEC_TYPE}>=${PORTVERSION}:security/ossec-hids-${OSSEC_TYPE}
+.endif
+
+.if defined(MAINTAINER_MODE)
+USE_GITHUB= yes
+GH_ACCOUNT= ossec
+.else
+MASTER_SITES= #
+DISTFILES= #
+EXTRACT_ONLY= #
+.endif
+NO_BUILD= yes
+NO_ARCH= yes
+
+OPTIONS_SUB= yes
+
+OPTIONS_SINGLE= FIREWALL
+OPTIONS_SINGLE_FIREWALL= IPF IPFW PF
+
+OPTIONS_DEFAULT+= IPF
+
+FIREWALL_DESC= Active response firewall
+PF_DESC= Packet Filter
+IPFW_DESC= ipfirewall
+IPF_DESC= ipfilter
+
+TEMPL_ENABLED_HEADER= template-header-enabled.xml
+TEMPL_DISABLED_HEADER= template-header-disabled.xml
+TEMPL_SAMPLE_HEADER= template-header-sample.xml
+TEMPL_PUSHED_ENABLED_HEADER= ${TEMPL_ENABLED_HEADER}
+TEMPL_PUSHED_DISABLED_HEADER= ${TEMPL_DISABLED_HEADER}
+
+TEMPL_SAMPLE= template-sample-${OSSEC_TYPE}.xml
+TEMPL_SAMPLE_DB= template-sample-database.xml
+
+PF_VARS= FW_DROP=pf.sh PKGMSG_FILES+=message-pf
+IPFW_VARS= FW_DROP=ipfw.sh
+IPF_VARS= FW_DROP=ipfilter.sh
+
+.if defined(MAINTAINER_MODE)
+OSSEC_HOME= ${PREFIX}/${PORTNAME}
+.else
+OSSEC_HOME?= ${PREFIX}/${PORTNAME}
+.endif
+OSSEC_RC= ${PREFIX}/etc/rc.d/ossec-hids
+TEMPL_TO_OSSEC= ${SCRIPTDIR}/template-to-ossec.sh ${OSSEC_TYPE} ${OSSEC_HOME}
+TEMPL_TO_AGENT= ${SCRIPTDIR}/template-to-agent.sh ${OSSEC_TYPE} ${OSSEC_HOME}
+
+OSSEC_DIR= 
${STAGEDIR}${OSSEC_HOME}
+BIN_DIR= ${OSSEC_DIR}/bin
+CONF_BIN_DIR= ${BIN_DIR}/config
+OSSEC_CONF_BIN= ${CONF_BIN_DIR}/ossec-conf
+AGENT_CONF_BIN= ${CONF_BIN_DIR}/agent-conf
+COMMAND_BIN_DIR= ${BIN_DIR}/command
+
+AR_BIN_DIR= ${OSSEC_DIR}/active-response/bin
+MERGE_CONFIG_BIN= ${AR_BIN_DIR}/merge-config.sh
+
+ETC_DIR= ${OSSEC_DIR}/etc
+OSSEC_CONF_DIR= ${ETC_DIR}/ossec.conf.d
+AGENT_CONF_DIR= ${ETC_DIR}/agent.conf.d
+OSSEC_LOCAL_CONF_DIR= ${OSSEC_CONF_DIR}/disabled
+AGENT_LOCAL_CONF_DIR= ${AGENT_CONF_DIR}/disabled
+OSSEC_SAMPLE_CONF= ${OSSEC_CONF_DIR}/900.local.conf.sample
+COMMAND_CONF_DIR= ${ETC_DIR}
+COMMAND_CONF= ${COMMAND_CONF_DIR}/command.conf.sample
+RULES_DIR= ${OSSEC_DIR}/rules
+
+.if empty(USER)
+USER=$$(${ID} -un)
+.endif
+.if empty(GROUP)
+GROUP=$$(${ID} -gn)
+.endif
+
+OSSEC_USER= ossec
+OSSEC_GROUP= ossec
+
+SUB_LIST+= PORTNAME=${PORTNAME} \
+ OSSEC_TYPE=${OSSEC_TYPE} \
+ OSSEC_HOME=${OSSEC_HOME} \
+ VERSION=${PORTVERSION} \
+ USER=${USER} \
+ OSSEC_USER=${OSSEC_USER} \
+ OSSEC_GROUP=${OSSEC_GROUP} \
+ OSSEC_RC=${OSSEC_RC} \
+ FW_DROP=${FW_DROP}
+SUB_FILES= pkg-install \
+ pkg-deinstall \
+ ${PKGMSG_FILES} \
+ ${TEMPL_ENABLED_HEADER} \
+ ${TEMPL_DISABLED_HEADER} \
+ ${TEMPL_SAMPLE_HEADER} \
+ ${TEMPL_PUSHED_ENABLED_HEADER} \
+ ${TEMPL_PUSHED_DISABLED_HEADER} \
+ ${TEMPL_SAMPLE} \
+ merge-config.sh \
+ ossec-conf \
+ command.conf
+.if ${OSSEC_TYPE} == server
+SUB_FILES+= agent-conf
+.endif
+
+.if defined(MAINTAINER_MODE)
+PLIST_SUB= OSSEC_HOME=${PORTNAME}
+.else
+PLIST_SUB= OSSEC_HOME=${OSSEC_HOME}
+.endif
+PLIST= ${PKGDIR}/pkg-plist-${OSSEC_TYPE}
+PKGHELP= ${PKGDIR}/pkg-help-${OSSEC_TYPE}
+PKGMESSAGE= ${WRKDIR}/pkg-message
+PKGMSG_FILES= message-ossec-conf
+.if ${OSSEC_TYPE} == server
+PKGMSG_FILES+= message-agent-conf
+.endif
+
+CONF_GROUPS= RULES AR ROOTCHECK SYSCHECK CMDOUT LOGS
+
+############################################################
+
+.for conf_group in ${CONF_GROUPS}
+. 
include "${MASTERDIR}/opt-${conf_group:tl}.mk"
+${conf_group}_INSTANCE_OPTIONS=
+${conf_group}_PUSHED_OPTIONS=
+. for option in ${${conf_group}_OPTIONS}
+. if ${${option}_DEFINE:M${OSSEC_TYPE}}
+${conf_group}_INSTANCE_OPTIONS+= ${option}
+. endif
+. if ${OSSEC_TYPE} == server && ${${option}_DEFINE:Mpushed}
+${conf_group}_PUSHED_OPTIONS+= ${option}
+. endif
+. endfor
+.endfor
+
+############################################################
+
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_PROFILE)
+. if ${OSSEC_TYPE} == agent
+. if empty(CLIENT_PROFILES)
+CLIENT_PROFILES:= ${${conf_group}_PROFILE}
+. else
+CLIENT_PROFILES:= ${CLIENT_PROFILES}, ${${conf_group}_PROFILE}
+. endif
+. endif
+SUB_LIST+= ${conf_group}_PROFILE=${${conf_group}_PROFILE}
+. endif
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if !empty(${option}_PROFILE)
+. if ${OSSEC_TYPE} == agent
+. if empty(CLIENT_PROFILES)
+CLIENT_PROFILES:= ${${option}_PROFILE}
+. else
+CLIENT_PROFILES:= ${CLIENT_PROFILES}, ${${option}_PROFILE}
+. endif
+. endif
+SUB_LIST+= ${option}_PROFILE=${${option}_PROFILE}
+. endif
+. endfor
+.endfor
+
+SUB_LIST+= CLIENT_PROFILES="${CLIENT_PROFILES}"
+
+############################################################
+
+.for conf_group in ${CONF_GROUPS}
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if !defined(${option}_TEMPLATE)
+${option}_TEMPLATE= template-${option:tl:S/_/-/g}.xml
+. endif
+. if !empty(${option}_TEMPLATE)
+SUB_FILES+= ${${option}_TEMPLATE}
+. endif
+. endfor
+.endfor
+
+.for file_name in ${RULES_FILES}
+SUB_FILES+= rules-${file_name}.xml
+.endfor
+
+.for file_name in ${CMDOUT_SCRIPTS}
+SUB_FILES+= command-${file_name}.sh
+.endfor
+
+############################################################
+
+.for conf_group in ${CONF_GROUPS}
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. 
if !empty(${option}_DEPENDS) && !empty(${${option}_DEPENDS}_OPTION) && ${${${option}_DEPENDS:S/_/ /:[1]}_INSTANCE_OPTIONS:M${${option}_DEPENDS}}
+${${${option}_DEPENDS}_OPTION}_VARS+= ${conf_group}_INSTANCE_OPTIONS_ENABLED+=${option}
+${${${option}_DEPENDS}_OPTION}_VARS_OFF+= ${conf_group}_INSTANCE_OPTIONS_DISABLED+=${option}
+. elif !empty(${option}_OPTION)
+OPTIONS_GROUP_G_${conf_group}+= ${${option}_OPTION}
+${${option}_OPTION}_DESC= ${${option}_DESC}
+. if ${${option}_DEFAULT:M${OSSEC_TYPE}}
+OPTIONS_DEFAULT+= ${${option}_OPTION}
+. endif
+${${option}_OPTION}_VARS+= ${conf_group}_INSTANCE_OPTIONS_ENABLED+=${option}
+${${option}_OPTION}_VARS_OFF+= ${conf_group}_INSTANCE_OPTIONS_DISABLED+=${option}
+. endif
+. endfor
+. if !empty(OPTIONS_GROUP_G_${conf_group})
+OPTIONS_GROUP+= G_${conf_group}
+G_${conf_group}_DESC= ${${conf_group}_DESC}
+. endif
+.endfor
+
+############################################################
+
+.for conf_group in ${CONF_GROUPS}
+. for option in ${${conf_group}_PUSHED_OPTIONS}
+. if !empty(${option}_DEPENDS) && !empty(${${option}_DEPENDS}_OPTION) && ${${${option}_DEPENDS:S/_/ /:[1]}_PUSHED_OPTIONS:M${${option}_DEPENDS}}
+${${${option}_DEPENDS}_OPTION}_P_VARS+= ${conf_group}_PUSHED_OPTIONS_ENABLED+=${option}
+${${${option}_DEPENDS}_OPTION}_P_VARS_OFF+= ${conf_group}_PUSHED_OPTIONS_DISABLED+=${option}
+. elif !empty(${option}_DEPENDS) && !empty(${${option}_DEPENDS}_OPTION) && ${${${option}_DEPENDS:S/_/ /:[1]}_INSTANCE_OPTIONS:M${${option}_DEPENDS}}
+${${${option}_DEPENDS}_OPTION}_VARS+= ${conf_group}_PUSHED_OPTIONS_ENABLED+=${option}
+${${${option}_DEPENDS}_OPTION}_VARS_OFF+= ${conf_group}_PUSHED_OPTIONS_DISABLED+=${option}
+. elif !empty(${option}_OPTION)
+OPTIONS_GROUP_G_${conf_group}_P+= ${${option}_OPTION}_P
+${${option}_OPTION}_P_DESC= ${${option}_DESC}
+. if !empty(${option}_PROFILE)
+${${option}_OPTION}_P_DESC+= (profile: ${${option}_PROFILE})
+. endif
+. if ${${option}_DEFAULT:Mpushed}
+OPTIONS_DEFAULT+= ${${option}_OPTION}_P
+. 
endif
+${${option}_OPTION}_P_VARS+= ${conf_group}_PUSHED_OPTIONS_ENABLED+=${option}
+${${option}_OPTION}_P_VARS_OFF+= ${conf_group}_PUSHED_OPTIONS_DISABLED+=${option}
+. endif
+. endfor
+. if !empty(OPTIONS_GROUP_G_${conf_group}_P)
+OPTIONS_GROUP+= G_${conf_group}_P
+G_${conf_group}_P_DESC= Pushed ${${conf_group}_DESC}
+. if !empty(${conf_group}_PROFILE)
+G_${conf_group}_P_DESC+= (profile: ${${conf_group}_PROFILE})
+. endif
+. endif
+.endfor
+
+############################################################
+
+.include
+
+show-opts:
+.for conf_group in ${CONF_GROUPS}
+ @${ECHO_CMD} "${conf_group}: ${${conf_group}_DESC}"
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+ @${ECHO_CMD} " ${option}: ${${option}_DESC}"
+. if empty(${option}_TEMPLATE)
+ @${ECHO_CMD} " Template: -"
+. else
+ @${ECHO_CMD} " Template: ${${option}_TEMPLATE}"
+. endif
+. if !empty(${conf_group}_INSTANCE_OPTIONS_ENABLED) && ${${conf_group}_INSTANCE_OPTIONS_ENABLED:M${option}}
+ @${ECHO_CMD} " Enabled: true"
+. endif
+. if !empty(${conf_group}_INSTANCE_OPTIONS_DISABLED) && ${${conf_group}_INSTANCE_OPTIONS_DISABLED:M${option}}
+ @${ECHO_CMD} " Enabled: false"
+. endif
+. if !empty(${conf_group}_PUSHED_OPTIONS_ENABLED) && ${${conf_group}_PUSHED_OPTIONS_ENABLED:M${option}}
+ @${ECHO_CMD} " Pushed: true"
+. endif
+. if !empty(${conf_group}_PUSHED_OPTIONS_DISABLED) && ${${conf_group}_PUSHED_OPTIONS_DISABLED:M${option}}
+ @${ECHO_CMD} " Pushed: false"
+. endif
+. 
endfor
+.endfor
+
+pre-install:
+ @-${OSSEC_HOME}/bin/ossec-dbd -h 2>&1 | ${GREP} -q 'PostgreSQL' && \
+ ${SED} -e 's|%%OSSEC_HOME%%|${OSSEC_HOME}|g' -e 's|%%DB_TYPE%%|postgresql|g' \
+ ${FILESDIR}/${TEMPL_SAMPLE_DB}.in > ${WRKDIR}/${TEMPL_SAMPLE_DB}
+ @-${OSSEC_HOME}/bin/ossec-dbd -h 2>&1 | ${GREP} -q 'MySQL' && \
+ ${SED} -e 's|%%OSSEC_HOME%%|${OSSEC_HOME}|g' -e 's|%%DB_TYPE%%|mysql|g' \
+ ${FILESDIR}/${TEMPL_SAMPLE_DB}.in > ${WRKDIR}/${TEMPL_SAMPLE_DB}
+
+ossec-dirs:
+ @${MKDIR} -p ${CONF_BIN_DIR} ${COMMAND_BIN_DIR} ${AR_BIN_DIR} ${OSSEC_CONF_DIR} ${OSSEC_LOCAL_CONF_DIR} ${COMMAND_CONF_DIR}
+.if ${OSSEC_TYPE} != agent
+ @${MKDIR} -p ${RULES_DIR}
+.endif
+.if ${OSSEC_TYPE} == server
+ @${MKDIR} -p ${AGENT_CONF_DIR} ${AGENT_LOCAL_CONF_DIR}
+.endif
+
+ossec-scripts:
+ @${CP} -f ${WRKDIR}/ossec-conf ${OSSEC_CONF_BIN}
+.if ${OSSEC_TYPE} == server
+ @${CP} -f ${WRKDIR}/agent-conf ${AGENT_CONF_BIN}
+.endif
+.for file_name in ${CMDOUT_SCRIPTS}
+ @${CP} -f ${WRKDIR}/command-${file_name}.sh ${COMMAND_BIN_DIR}/${file_name}.sh
+.endfor
+ @${CP} -f ${WRKDIR}/command.conf ${COMMAND_CONF}
+ @${CP} -f ${WRKDIR}/merge-config.sh ${MERGE_CONFIG_BIN}
+
+ossec-rules:
+.if ${OSSEC_TYPE} != agent
+. for file_name in ${RULES_FILES}
+ @${SED} -e 's|||' ${WRKDIR}/rules-${file_name}.xml > ${RULES_DIR}/freebsd_${file_name}_rules.xml
+. endfor
+.endif
+
+ossec-conf-managed:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_INSTANCE_OPTIONS)
+ @${CAT} ${WRKDIR}/${TEMPL_ENABLED_HEADER} > ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. if !empty(${conf_group}_INSTANCE_OPTIONS_ENABLED)
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if ${${conf_group}_INSTANCE_OPTIONS_ENABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+ @${TEMPL_TO_OSSEC} ${WRKDIR}/${${option}_TEMPLATE} >> ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+ @${ECHO_CMD} >> ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. endif
+. endif
+. endfor
+. endif
+. 
endif
+.endfor
+
+ossec-conf-local:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_INSTANCE_OPTIONS)
+ @${CAT} ${WRKDIR}/${TEMPL_DISABLED_HEADER} > ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. if !empty(${conf_group}_INSTANCE_OPTIONS_DISABLED)
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if ${${conf_group}_INSTANCE_OPTIONS_DISABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+ @${TEMPL_TO_OSSEC} ${WRKDIR}/${${option}_TEMPLATE} >> ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+ @${ECHO_CMD} >> ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+
+ossec-conf-sample:
+ @${CAT} ${WRKDIR}/${TEMPL_SAMPLE_HEADER} > ${OSSEC_SAMPLE_CONF}
+ @${ECHO_CMD} >> ${OSSEC_SAMPLE_CONF}
+ @${TEMPL_TO_OSSEC} ${WRKDIR}/${TEMPL_SAMPLE} >> ${OSSEC_SAMPLE_CONF}
+ @${ECHO_CMD} >> ${OSSEC_SAMPLE_CONF}
+ @-${TEST} -f ${WRKDIR}/${TEMPL_SAMPLE_DB} && \
+ ${TEMPL_TO_OSSEC} ${WRKDIR}/${TEMPL_SAMPLE_DB} >> ${OSSEC_SAMPLE_CONF} && \
+ ${ECHO_CMD} >> ${OSSEC_SAMPLE_CONF}
+
+agent-conf-managed:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_PUSHED_OPTIONS)
+ @${CAT} ${WRKDIR}/${TEMPL_PUSHED_ENABLED_HEADER} > ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. if !empty(${conf_group}_PUSHED_OPTIONS_ENABLED)
+. for option in ${${conf_group}_PUSHED_OPTIONS}
+. if ${${conf_group}_PUSHED_OPTIONS_ENABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+ @${TEMPL_TO_AGENT} ${WRKDIR}/${${option}_TEMPLATE} >> ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+ @${ECHO_CMD} >> ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+
+agent-conf-local:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_PUSHED_OPTIONS)
+ @${CAT} ${WRKDIR}/${TEMPL_PUSHED_DISABLED_HEADER} > ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. if !empty(${conf_group}_PUSHED_OPTIONS_DISABLED)
+. for option in ${${conf_group}_PUSHED_OPTIONS}
+. 
if ${${conf_group}_PUSHED_OPTIONS_DISABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+ @${TEMPL_TO_AGENT} ${WRKDIR}/${${option}_TEMPLATE} >> ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+ @${ECHO_CMD} >> ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+
+do-install: ossec-dirs ossec-scripts ossec-rules ossec-conf-managed ossec-conf-local ossec-conf-sample agent-conf-managed agent-conf-local
+
+ossec-permissions:
+ @${CHMOD} -R 550 ${OSSEC_DIR}
+ @${CHMOD} 640 ${COMMAND_CONF} ${OSSEC_CONF_DIR}/* ${OSSEC_LOCAL_CONF_DIR}/*
+ @${CHMOD} 550 ${OSSEC_CONF_DIR} ${OSSEC_LOCAL_CONF_DIR}
+.if ${OSSEC_TYPE} != agent
+ @${CHMOD} 640 ${RULES_DIR}/*
+.endif
+.if ${OSSEC_TYPE} == server
+ @${CHMOD} 640 ${AGENT_CONF_DIR}/* ${AGENT_LOCAL_CONF_DIR}/*
+ @${CHMOD} 550 ${AGENT_CONF_DIR} ${AGENT_LOCAL_CONF_DIR}
+.endif
+.if defined(MAINTAINER_MODE)
+ @${CHOWN} -R ${USER}:${OSSEC_GROUP} ${OSSEC_DIR}
+ @${CHOWN} -R ${USER}:${GROUP} ${BIN_DIR}
+.endif
+
+post-install: ossec-permissions
+ @${ECHO_CMD} -n > ${PKGMESSAGE}
+.for file_name in ${PKGMSG_FILES}
+ @${CAT} ${WRKDIR}/${file_name} >> ${PKGMESSAGE}
+ @${ECHO_CMD} >> ${PKGMESSAGE}
+.endfor
+
+.if defined(MAINTAINER_MODE)
+plist: makeplist
+ @${SCRIPTDIR}/plist.sh ${OSSEC_TYPE} ${OSSEC_HOME} ${PLIST} ${WRKDIR} ${STAGEDIR}
+
+rules: extract
+ @${SCRIPTDIR}/rules.sh ${FILESDIR}/${RULES_DEFAULT_TEMPLATE}.in ${WRKSRC}
+.endif
+
+.include
diff --git a/security/ossec-hids-local-config/distinfo b/security/ossec-hids-local-config/distinfo
new file mode 100644
index 0000000..22bce30
--- /dev/null
+++ b/security/ossec-hids-local-config/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1535297705
+SHA256 (ossec-ossec-hids-3.0.0_GH0.tar.gz) = a271d665ed502b3df4ff055a177159dfc0bc8a69dd44eab1f7c57fe8fff42a98
+SIZE (ossec-ossec-hids-3.0.0_GH0.tar.gz) = 1817324
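Review bot: The `pre-install` target decides whether to generate the database sample by running `${OSSEC_HOME}/bin/ossec-dbd -h` on the build host and grepping its output, so what ends up in the staged package depends on what happens to be installed on the builder rather than on the port's options, and the `@-` prefix hides any failure of that probe. Selecting the database flavour through a port OPTION (or a knob the user sets at configure time) would make the package reproducible and let the plist describe it; if the probe is kept, a comment above the target such as `# Database sample is emitted only when the installed ossec-dbd reports DB support (build-host dependent)` should say so. The `ossec-permissions` target sets 550/640 modes but runs `${CHOWN}` only under MAINTAINER_MODE, so in a normal build the ownership that makes those modes readable by the ossec daemons presumably comes from @owner/@group entries in the pkg-plist files, which are not in this hunk; worth confirming, since a 640 file with the wrong owner is silently unreadable by the service.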
diff --git a/security/ossec-hids-local-config/files/agent-conf.in b/security/ossec-hids-local-config/files/agent-conf.in
new file mode 100644
index 0000000..673d0f6
--- /dev/null
+++ b/security/ossec-hids-local-config/files/agent-conf.in
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+
+agent_conf_dir="${ossec_home}/etc/agent.conf.d"
+agent_conf_files="${agent_conf_dir}/*.conf"
+
+select_elements() {
+ local element="$1"
+ sed -n "/<${element}.*>/,/<\/${element}>/p"
+}
+
+remove_comments() {
+ # Comments must be on separate lines i.e. not next to uncommented code
+ awk '// {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
+}
+
+remove_empty_lines() {
+ sed '/^\s*$/d'
+}
+
+agent_conf() {
+
+ echo ""
+ echo
+ echo ""
+ echo
+
+ cat $@ | remove_comments | select_elements "agent_config" | remove_empty_lines
+}
+
+agent_conf "${agent_conf_files}"
diff --git a/security/ossec-hids-local-config/files/command-last-logins.sh.in b/security/ossec-hids-local-config/files/command-last-logins.sh.in
new file mode 100644
index 0000000..7bd8242
--- /dev/null
+++ b/security/ossec-hids-local-config/files/command-last-logins.sh.in
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+ossec_home="%%OSSEC_HOME%%"
+. "${ossec_home}/etc/command.conf"
+
+last -n ${last_logins}
diff --git a/security/ossec-hids-local-config/files/command-open-ports.sh.in b/security/ossec-hids-local-config/files/command-open-ports.sh.in
new file mode 100644
index 0000000..d5ba047
--- /dev/null
+++ b/security/ossec-hids-local-config/files/command-open-ports.sh.in
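Review bot: `agent_conf` exits with the status of the last pipeline stage, so when `${agent_conf_dir}` contains no `*.conf` the `cat` error on the unexpanded glob is lost and the script still succeeds after printing only the header; since the pkg-message says this output replaces `shared/agent.conf`, a missing or empty directory would push an empty `agent_config` to every agent without any failure being reported. Check for input before generating, e.g. `set -- ${agent_conf_files}; [ -e "$1" ] || { echo "$0: no *.conf in ${agent_conf_dir}" >&2; exit 1; }`, and pass `"$@"` to `cat` instead of relying on the unquoted `$@` to expand the glob. The same applies to `ossec_conf` in files/ossec-conf.in. Separately, `sed '/^\s*$/d'` in `remove_empty_lines` relies on the GNU `\s` escape, which FreeBSD's sed does not document as a whitespace class; `[[:space:]]` is the portable spelling, again in both files.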
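Review bot: The script sources `${ossec_home}/etc/command.conf`, but the Makefile's `ossec-scripts` target installs that file as `command.conf.sample` (`COMMAND_CONF`), and nothing in the scripts shown copies it into place, so unless the pkg-plist (not in this hunk) uses `@sample` to create it, the `.` of a missing file aborts the script and the command produces no output; either guarantee the real file or tolerate its absence, e.g. `[ -r "${ossec_home}/etc/command.conf" ] && . "${ossec_home}/etc/command.conf"` followed by `last -n "${last_logins:-5}"`. The same sourcing appears in files/command-open-ports.sh.in. Because `command.conf` is executed as shell code rather than parsed, the 640 mode set by `ossec-permissions` is what keeps it from becoming a code-execution path for anyone who can write it; a comment in command.conf.in such as `# sourced as shell by bin/command/*.sh — keep writable by root only` records that requirement for administrators.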
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+family=$1
+protocol=$2
+ports=$3
+
+if [ -z "${ports}" ]; then
+ privileged_ports="1-$((`sysctl -n net.inet.ip.portrange.first` - 1))"
+
+ ossec_home="%%OSSEC_HOME%%"
+ . "${ossec_home}/etc/command.conf"
+
+ ports="privileged_${protocol}_ports"
+ eval ports=\$${ports}
+fi
+
+sockstat -l -${family} -P ${protocol} -p ${ports} | grep -Eo '[^[:space:]]+:[0-9]+' | sort -u
diff --git a/security/ossec-hids-local-config/files/command.conf.in b/security/ossec-hids-local-config/files/command.conf.in
new file mode 100644
index 0000000..b6ef2ad
--- /dev/null
+++ b/security/ossec-hids-local-config/files/command.conf.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+last_logins=5
+
+privileged_tcp_ports=${privileged_ports},10050-10051
+privileged_udp_ports=${privileged_ports}
diff --git a/security/ossec-hids-local-config/files/merge-config.sh.in b/security/ossec-hids-local-config/files/merge-config.sh.in
new file mode 100644
index 0000000..a7939f7
--- /dev/null
+++ b/security/ossec-hids-local-config/files/merge-config.sh.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+ossec_rc="%%OSSEC_RC%%"
+
+ACTION=$1
+USER=$2
+IP=$3
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../../tmp
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
+
+case ${ACTION} in
+ add)
+ "${ossec_rc}" merge_config
+ exit 0
+ ;;
+ delete)
+ exit 0
+ ;;
+ *)
+ echo "$0: invalid action: ${ACTION}"
+ exit 1
+ ;;
+esac
diff --git a/security/ossec-hids-local-config/files/message-agent-conf.in b/security/ossec-hids-local-config/files/message-agent-conf.in
new file mode 100644
index 0000000..8d61c0d
--- /dev/null
+++ b/security/ossec-hids-local-config/files/message-agent-conf.in
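Review bot: `eval ports=\$${ports}` builds a variable name from `$2` and hands it to the shell, so any `protocol` value other than `tcp`/`udp` is interpolated into shell code instead of being rejected; the arguments only arrive from the `<command>` definitions in the port's own templates, but an `eval` indirection is still the wrong tool for a two-way choice and makes the script unsafe to reuse. A `case` on the protocol picks the variable without `eval` and fails on anything else, and validating `family` the same way keeps `sockstat -l -${family}` from receiving an arbitrary option; quoting the expansions in the final command is then free.
```sh
# … unchanged: family/protocol/ports assignment …
case "${family}" in
  4|6) ;;
  *) echo "$0: unsupported address family: ${family}" >&2; exit 1 ;;
esac

if [ -z "${ports}" ]; then
  # … unchanged: privileged_ports computation and command.conf sourcing …
  case "${protocol}" in
    tcp) ports="${privileged_tcp_ports}" ;;
    udp) ports="${privileged_udp_ports}" ;;
    *) echo "$0: unsupported protocol: ${protocol}" >&2; exit 1 ;;
  esac
fi

sockstat -l "-${family}" -P "${protocol}" -p "${ports}" | grep -Eo '[^[:space:]]+:[0-9]+' | sort -u
```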
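Review bot: The `add)` arm discards the result of `"${ossec_rc}" merge_config` and always runs `exit 0`, so a failed merge (rejected fragment, permission problem, restart failure) is reported to the active-response framework as success and leaves nothing but the generic call line in active-responses.log; `"${ossec_rc}" merge_config` followed by `exit $?` (or `exec "${ossec_rc}" merge_config`) lets the rc script's status propagate. The two unchecked `cd` calls are inherited from the stock OSSEC response scripts, but nothing here depends on the working directory, so either drop them or use `cd "$(dirname -- "$0")/../../tmp" || exit 1`. This response appears to be wired (template-ar-merge.xml.in) to the syscheck rules for the configuration directories, which means any write to ossec.conf.d becomes running configuration on the next syscheck pass; a header comment stating that would help whoever reviews the directory permissions, and the unused `USER` and `IP` assignments deserve a note saying they are kept for parity with the other response scripts.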
@@ -0,0 +1,3 @@
+The "agent.conf" must no longer be used for configuration. It will be
+overwritten by merged "*.conf" files from the configuration directory:
+%%OSSEC_HOME%%/etc/agent.conf.d
diff --git a/security/ossec-hids-local-config/files/message-ossec-conf.in b/security/ossec-hids-local-config/files/message-ossec-conf.in
new file mode 100644
index 0000000..d6170ca
--- /dev/null
+++ b/security/ossec-hids-local-config/files/message-ossec-conf.in
@@ -0,0 +1,3 @@
+The "ossec.conf" must no longer be used for configuration. It will be
+overwritten by merged "*.conf" files from the configuration directory:
+%%OSSEC_HOME%%/etc/ossec.conf.d
diff --git a/security/ossec-hids-local-config/files/message-pf.in b/security/ossec-hids-local-config/files/message-pf.in
new file mode 100644
index 0000000..707e44b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/message-pf.in
@@ -0,0 +1,4 @@
+Add the ossec_fwtable to /etc/pf.conf if using "firewall-drop" active response:
+ table persist
+ block in quick from to any
+ block out quick from any to
diff --git a/security/ossec-hids-local-config/files/ossec-conf.in b/security/ossec-hids-local-config/files/ossec-conf.in
new file mode 100644
index 0000000..d28d238
--- /dev/null
+++ b/security/ossec-hids-local-config/files/ossec-conf.in
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+
+ossec_conf_dir="${ossec_home}/etc/ossec.conf.d"
+ossec_conf_files="${ossec_conf_dir}/*.conf"
+
+select_elements_content() {
+ local element="$1"
+ sed -n "/<${element}>/,/<\/${element}>/{ /<${element}>/d; /<\/${element}>/d; p; }"
+}
+
+remove_elements() {
+ local element="$1"
+ sed -e "/<${element}>/,/<\/${element}>/d"
+}
+
+remove_comments() {
+ # Comments must be on separate lines i.e. not next to uncommented code
+ awk '// {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
+}
+
+remove_empty_lines() {
+ sed '/^\s*$/d'
+}
+
+ossec_conf() {
+ echo ""
+ echo
+ echo ""
+ echo
+ echo ""
+
+ if [ "${ossec_type}" != "agent" ]; then
+ if cat $@ | remove_comments | grep -q ""; then
+ echo " "
+ cat $@ | remove_comments | select_elements_content "rules" | remove_empty_lines
+ echo " "
+ fi
+ fi
+
+ if cat $@ | remove_comments | grep -q ""; then
+ echo " "
+ cat $@ | remove_comments | select_elements_content "rootcheck" | remove_empty_lines
+ echo " "
+ fi
+
+ if cat $@ | remove_comments | grep -q ""; then
+ echo " "
+ cat $@ | remove_comments | select_elements_content "syscheck" | remove_empty_lines
+ echo " "
+ fi
+
+ cat $@ | remove_comments | select_elements_content "ossec_config" | remove_elements "rules" | remove_elements "rootcheck" | remove_elements "syscheck" | remove_empty_lines
+
+ echo ""
+}
+
+ossec_conf "${ossec_conf_files}"
diff --git a/security/ossec-hids-local-config/files/pkg-deinstall.in b/security/ossec-hids-local-config/files/pkg-deinstall.in
new file mode 100644
index 0000000..0de19bf
--- /dev/null
+++ b/security/ossec-hids-local-config/files/pkg-deinstall.in
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+ossec_home="%%OSSEC_HOME%%"
+ossec_conf="${ossec_home}/etc/ossec.conf"
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+
+if [ "$2" == "DEINSTALL" ]; then
+ rm -f "${ossec_conf}"
+ rm -f "${agent_conf}"
+fi
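Review bot: `ossec_conf` re-reads and re-strips every fragment for each of its seven pipelines (`cat $@ | remove_comments` precedes every `grep -q` and every extraction), so the configuration directory is parsed up to seven times per merge and a fragment written between the presence check and the extraction is seen inconsistently, producing an opening tag with no matching body. Strip once at the top with `stripped=$(cat $@ | remove_comments)` and feed each stage from it with `printf '%s\n' "${stripped}" |`; output is byte-identical and the input is read exactly once. The three `if … grep -q` blocks then differ only in the element name and could share a small helper, which would also make the presence-check pattern and the `select_elements_content` argument impossible to get out of step.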
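Review bot: `[ "$2" == "DEINSTALL" ]` uses `==`, which is not a POSIX `test` operator; `=` is the portable form, and the same comparison appears in files/pkg-install.in as `[ "$2" == "POST-INSTALL" ]`. On DEINSTALL the script removes the generated `ossec.conf` and `shared/agent.conf` but does not put back the `.bak` copies that pkg-install moved aside, so after removal ossec-hids is left with no configuration at all. If restoring is intended, `[ -e "${ossec_conf}.bak" ] && mv -f "${ossec_conf}.bak" "${ossec_conf}"` (and the same for the agent backup kept at `${ossec_home}/etc/agent.conf.bak`) does it; if the backups are deliberately left for the administrator, a comment saying so avoids the surprise.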
diff --git a/security/ossec-hids-local-config/files/pkg-install.in b/security/ossec-hids-local-config/files/pkg-install.in
new file mode 100644
index 0000000..f164b9c
--- /dev/null
+++ b/security/ossec-hids-local-config/files/pkg-install.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+ossec_home="%%OSSEC_HOME%%"
+ar_bin_dir="${ossec_home}/active-response/bin"
+ossec_conf="${ossec_home}/etc/ossec.conf"
+ossec_conf_bak="${ossec_conf}.bak"
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+agent_conf_bak="${ossec_home}/etc/agent.conf.bak"
+
+if [ "$2" == "POST-INSTALL" ]; then
+ ln -f "${ar_bin_dir}/%%FW_DROP%%" "${ar_bin_dir}/firewall-drop.sh"
+
+ if [ -e "${ossec_conf}" ]; then
+ mv -f "${ossec_conf}" "${ossec_conf_bak}"
+ echo
+ echo "WARNING:"
+ echo " Existing \"${ossec_conf}\" has been saved to \"${ossec_conf_bak}\"."
+ echo
+ fi
+
+ case "$1" in
+ ossec-hids-server*)
+ if [ -e "${agent_conf}" ]; then
+ mv -f "${agent_conf}" "${agent_conf_bak}"
+ echo
+ echo "WARNING:"
+ echo " Existing \"${agent_conf}\" has been saved to \"${agent_conf_bak}\"."
+ echo
+ fi
+ ;;
+ esac
+fi
diff --git a/security/ossec-hids-local-config/files/rules-cmdout.xml.in b/security/ossec-hids-local-config/files/rules-cmdout.xml.in
new file mode 100644
index 0000000..59e3f4b
--- /dev/null
+++ b/security/ossec-hids-local-config/files/rules-cmdout.xml.in
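Review bot: `mv -f "${ossec_conf}" "${ossec_conf_bak}"` runs on every POST-INSTALL, so on a reinstall or upgrade the generated `ossec.conf` left by the previous install is moved over the `.bak` that held the administrator's original hand-written configuration, and the warning text then claims a backup that no longer exists; back up only when no backup is present (`[ -e "${ossec_conf_bak}" ] || mv -f "${ossec_conf}" "${ossec_conf_bak}"`) or use a timestamped name, and apply the same to the `agent_conf` branch. `ln -f "${ar_bin_dir}/%%FW_DROP%%" "${ar_bin_dir}/firewall-drop.sh"` is unchecked and creates a hard link: if the selected firewall script is absent the active response silently has no `firewall-drop.sh`, and once the base ossec-hids package later replaces `%%FW_DROP%%` with a new file the link keeps executing the old content. Checking the result (`… || exit 1`) addresses the first, and a symbolic link would track upgrades if the response executor accepts one.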
@@ -0,0 +1,67 @@ + + + + + 530 + ossec: output: 'freebsd-last-logins' + + List of the last logged in users. + + + + 530 + ossec: output: 'freebsd-open-ports-tcp4-all' + + Listening IPv4 TCP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-tcp4' + + Listening IPv4 TCP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-tcp6-all' + + Listening IPv6 TCP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-tcp6' + + Listening IPv6 TCP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-udp4-all' + + Listening IPv4 UDP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-udp4' + + Listening IPv4 UDP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-udp6-all' + + Listening IPv6 UDP port opened or closed. + + + + 530 + ossec: output: 'freebsd-open-ports-udp6' + + Listening IPv6 UDP port opened or closed. + + + diff --git a/security/ossec-hids-local-config/files/rules-config.xml.in b/security/ossec-hids-local-config/files/rules-config.xml.in new file mode 100644 index 0000000..2853c4a --- /dev/null +++ b/security/ossec-hids-local-config/files/rules-config.xml.in @@ -0,0 +1,52 @@ + + + + + syscheck + %%OSSEC_HOME%%/etc/ossec.conf.d + ossec.conf.d has been modified + + + + syscheck + %%OSSEC_HOME%%/etc/ossec.conf + ossec.conf has been modified + + + + syscheck + /var/ossec/etc/ossec.conf.d + ossec.conf.d has been modified + + + + syscheck + /var/ossec/etc/ossec.conf + ossec.conf has been modified + + + + syscheck + %%OSSEC_HOME%%/etc/agent.conf.d + agent.conf.d has been modified + + + + syscheck + %%OSSEC_HOME%%/etc/shared/agent.conf + agent.conf has been modified + + + + syscheck + /var/ossec/etc/agent.conf.d + agent.conf.d has been modified + + + + syscheck + /var/ossec/etc/shared/agent.conf + agent.conf has been modified + + + 
diff --git a/security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in b/security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in new file mode 100644 index 0000000..1e2dfaa --- /dev/null +++ b/security/ossec-hids-local-config/files/template-ar-cmds-default.xml.in @@ -0,0 +1,38 @@ + + + + + host-deny + host-deny.sh + srcip + yes + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + route-null + route-null.sh + srcip + yes + + + diff --git a/security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in b/security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in new file mode 100644 index 0000000..ec2ec7e --- /dev/null +++ b/security/ossec-hids-local-config/files/template-ar-cmds-merge.xml.in @@ -0,0 +1,10 @@ + + + + + merge-config + merge-config.sh + + + + diff --git a/security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in b/security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in new file mode 100644 index 0000000..415de6c --- /dev/null +++ b/security/ossec-hids-local-config/files/template-ar-fwdrop.xml.in @@ -0,0 +1,13 @@ + + + + + + + firewall-drop + local + 6 + 600 + + + diff --git a/security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in b/security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in new file mode 100644 index 0000000..59b3488 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-ar-hostdeny.xml.in @@ -0,0 +1,12 @@ + + + + + + host-deny + local + 6 + 600 + + + diff --git a/security/ossec-hids-local-config/files/template-ar-merge.xml.in b/security/ossec-hids-local-config/files/template-ar-merge.xml.in new file mode 100644 index 0000000..f38d226 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-ar-merge.xml.in @@ -0,0 +1,11 @@ + + + + + + merge-config + local + 56001,56003,56021,56023 + + + 
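Review bot: template-ar-fwdrop and template-ar-hostdeny both block on `srcip` at level 6 with a 600 s timeout, and no white_list address is visible in either fragment, so any event whose source address can be forged or misattributed (a log line an unauthenticated client influences, a NAT or proxy address, the gateway or resolver) locks out legitimate hosts ten minutes at a time — the classic active-response self-DoS. Unless a white_list is supplied in another fragment, the active-response block should carry one listing the gateway, DNS servers and management hosts, and the blocking responses are better narrowed to specific `rules_id` values or a higher level than a blanket level 6. opt-ar.mk defaults both responses off, which protects fresh installs, but this template is what an admin gets when enabling them. Element names have been stripped in this rendering, so I cannot tell whether a white_list or `repeated_offenders` setting was already present.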
diff --git a/security/ossec-hids-local-config/files/template-ar-restart.xml.in b/security/ossec-hids-local-config/files/template-ar-restart.xml.in new file mode 100644 index 0000000..064167e --- /dev/null +++ b/security/ossec-hids-local-config/files/template-ar-restart.xml.in @@ -0,0 +1,11 @@ + + + + + + restart-ossec + local + 56002,56004,56022,56024 + + + diff --git a/security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in b/security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in new file mode 100644 index 0000000..88975ca --- /dev/null +++ b/security/ossec-hids-local-config/files/template-cmdout-last-logins.xml.in @@ -0,0 +1,10 @@ + + + + + full_command + %%OSSEC_HOME%%/bin/command/last-logins.sh + freebsd-last-logins + + + diff --git a/security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in b/security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in new file mode 100644 index 0000000..c602821 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-cmdout-open-ports-tcp.xml.in @@ -0,0 +1,28 @@ + + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 4 tcp 1-65535 + freebsd-open-ports-tcp4-all + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 4 tcp + freebsd-open-ports-tcp4 + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 6 tcp 1-65535 + freebsd-open-ports-tcp6-all + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 6 tcp + freebsd-open-ports-tcp6 + + + diff --git a/security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in b/security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in new file mode 100644 index 0000000..d5c3fc8 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-cmdout-open-ports-udp.xml.in 
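Review bot: template-ar-restart restarts OSSEC whenever rules 56002,56004,56022,56024 fire, with nothing checking that the freshly written ossec.conf actually loads, so a fragment with a typo that merge-config merges in takes the HIDS down and the same automation will not bring it back; because merge-config also runs from a syscheck alert, a bad fragment is applied and restarted on without anyone in the loop. If merge-config.sh (outside this hunk) does not already validate, have it write to a temporary file and only `mv` it over ossec.conf when a configuration test passes — recent OSSEC daemons accept `-t` for this, worth confirming for the packaged version — so the restart response only ever sees a file that parses. The `full_command` entries for open-ports.sh are run as root by logcollector; the root-owned 550 mode the plist gives those scripts is the right control and should stay.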
@@ -0,0 +1,28 @@ + + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 4 udp 1-65535 + freebsd-open-ports-udp4-all + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 4 udp + freebsd-open-ports-udp4 + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 6 udp 1-65535 + freebsd-open-ports-udp6-all + + + + full_command + %%OSSEC_HOME%%/bin/command/open-ports.sh 6 udp + freebsd-open-ports-udp6 + + + diff --git a/security/ossec-hids-local-config/files/template-header-disabled.xml.in b/security/ossec-hids-local-config/files/template-header-disabled.xml.in new file mode 100644 index 0000000..627fa27 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-header-disabled.xml.in @@ -0,0 +1,10 @@ + + + + + + diff --git a/security/ossec-hids-local-config/files/template-header-enabled.xml.in b/security/ossec-hids-local-config/files/template-header-enabled.xml.in new file mode 100644 index 0000000..224916b --- /dev/null +++ b/security/ossec-hids-local-config/files/template-header-enabled.xml.in @@ -0,0 +1,4 @@ + + + + diff --git a/security/ossec-hids-local-config/files/template-header-sample.xml.in b/security/ossec-hids-local-config/files/template-header-sample.xml.in new file mode 100644 index 0000000..e0772c3 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-header-sample.xml.in @@ -0,0 +1 @@ + diff --git a/security/ossec-hids-local-config/files/template-logs-apache.xml.in b/security/ossec-hids-local-config/files/template-logs-apache.xml.in new file mode 100644 index 0000000..b88ed1a --- /dev/null +++ b/security/ossec-hids-local-config/files/template-logs-apache.xml.in @@ -0,0 +1,28 @@ + + + + + apache + /var/log/httpd-error.log + + + + apache + /var/log/httpd-access.log + + + + + + + + apache + /var/log/apache2/error.log + + + + apache + /var/log/apache2/access.log + + + 
diff --git a/security/ossec-hids-local-config/files/template-logs-default.xml.in b/security/ossec-hids-local-config/files/template-logs-default.xml.in new file mode 100644 index 0000000..47b9a77 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-logs-default.xml.in @@ -0,0 +1,68 @@ + + + + + syslog + /var/log/auth.log + + + + syslog + /var/log/maillog + + + + syslog + /var/log/messages + + + + syslog + /var/log/security + + + + syslog + /var/log/userlog + + + + syslog + /var/log/xferlog + + + + + + + + syslog + /var/log/auth.log + + + + syslog + /var/log/dpkg.log + + + + syslog + /var/log/kern.log + + + + syslog + /var/log/mail.log + + + + syslog + /var/log/messages + + + + syslog + /var/log/syslog + + + diff --git a/security/ossec-hids-local-config/files/template-logs-nginx.xml.in b/security/ossec-hids-local-config/files/template-logs-nginx.xml.in new file mode 100644 index 0000000..7d25cf8 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-logs-nginx.xml.in @@ -0,0 +1,28 @@ + + + + + apache + /var/log/nginx/error.log + + + + apache + /var/log/nginx/access.log + + + + + + + + apache + /var/log/nginx/error.log + + + + apache + /var/log/nginx/access.log + + + diff --git a/security/ossec-hids-local-config/files/template-logs-radius.xml.in b/security/ossec-hids-local-config/files/template-logs-radius.xml.in new file mode 100644 index 0000000..0b10c4b --- /dev/null +++ b/security/ossec-hids-local-config/files/template-logs-radius.xml.in @@ -0,0 +1,18 @@ + + + + + syslog + /var/log/radius.log + + + + + + + + syslog + /var/log/freeradius/radius.log + + + diff --git a/security/ossec-hids-local-config/files/template-logs-response.xml.in b/security/ossec-hids-local-config/files/template-logs-response.xml.in new file mode 100644 index 0000000..17828ea --- /dev/null +++ b/security/ossec-hids-local-config/files/template-logs-response.xml.in 
@@ -0,0 +1,18 @@ + + + + + syslog + %%OSSEC_HOME%%/logs/active-responses.log + + + + + + + + syslog + /var/ossec/logs/active-responses.log + + + diff --git a/security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in b/security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in new file mode 100644 index 0000000..9f63a21 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-logs-vsftpd.xml.in @@ -0,0 +1,18 @@ + + + + + syslog + /var/log/vsftpd.log + + + + + + + + syslog + /var/log/vsftpd.log + + + diff --git a/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in b/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in new file mode 100644 index 0000000..63e5f1e --- /dev/null +++ b/security/ossec-hids-local-config/files/template-rootcheck-default.xml.in @@ -0,0 +1,23 @@ + + + + + %%OSSEC_HOME%%/etc/shared/rootkit_files.txt + %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt + %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt + %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt + + + + + + + + /var/ossec/etc/shared/rootkit_files.txt + /var/ossec/etc/shared/rootkit_trojans.txt + /var/ossec/etc/shared/system_audit_rcl.txt + /var/ossec/etc/shared/system_audit_ssh.txt + /var/ossec/etc/shared/cis_debian_linux_rcl.txt + + + diff --git a/security/ossec-hids-local-config/files/template-rules-cmdout.xml.in b/security/ossec-hids-local-config/files/template-rules-cmdout.xml.in new file mode 100644 index 0000000..482efd6 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-rules-cmdout.xml.in @@ -0,0 +1,8 @@ + + + + + freebsd_cmdout_rules.xml + + + diff --git a/security/ossec-hids-local-config/files/template-rules-config.xml.in b/security/ossec-hids-local-config/files/template-rules-config.xml.in new file mode 100644 index 0000000..2e9102f --- /dev/null +++ b/security/ossec-hids-local-config/files/template-rules-config.xml.in @@ -0,0 +1,8 @@ + + + + + freebsd_config_rules.xml + + + 
diff --git a/security/ossec-hids-local-config/files/template-rules-default.xml.in b/security/ossec-hids-local-config/files/template-rules-default.xml.in new file mode 100644 index 0000000..e7c18be --- /dev/null +++ b/security/ossec-hids-local-config/files/template-rules-default.xml.in @@ -0,0 +1,82 @@ + + + + + rules_config.xml + ossec_rules.xml + syslog_rules.xml + sendmail_rules.xml + postfix_rules.xml + spamd_rules.xml + imapd_rules.xml + mailscanner_rules.xml + ms-exchange_rules.xml + courier_rules.xml + firewall_rules.xml + pix_rules.xml + netscreenfw_rules.xml + cisco-ios_rules.xml + sonicwall_rules.xml + pam_rules.xml + telnetd_rules.xml + sshd_rules.xml + solaris_bsm_rules.xml + asterisk_rules.xml + ms_dhcp_rules.xml + arpwatch_rules.xml + symantec-av_rules.xml + symantec-ws_rules.xml + trend-osce_rules.xml + hordeimp_rules.xml + roundcube_rules.xml + wordpress_rules.xml + cimserver_rules.xml + dovecot_rules.xml + vmpop3d_rules.xml + vpopmail_rules.xml + ftpd_rules.xml + proftpd_rules.xml + pure-ftpd_rules.xml + vsftpd_rules.xml + ms_ftpd_rules.xml + named_rules.xml + exim_rules.xml + smbd_rules.xml + racoon_rules.xml + vpn_concentrator_rules.xml + msauth_rules.xml + mcafee_av_rules.xml + ms-se_rules.xml + vmware_rules.xml + ids_rules.xml + apache_rules.xml + web_rules.xml + zeus_rules.xml + nginx_rules.xml + php_rules.xml + web_appsec_rules.xml + squid_rules.xml + attack_rules.xml + systemd_rules.xml + firewalld_rules.xml + mysql_rules.xml + postgresql_rules.xml + dropbear_rules.xml + openbsd_rules.xml + apparmor_rules.xml + clam_av_rules.xml + openbsd-dhcpd_rules.xml + nsd_rules.xml + owncloud_rules.xml + proxmox-ve_rules.xml + opensmtpd_rules.xml + psad_rules.xml + sysmon_rules.xml + unbound_rules.xml + local_rules.xml + + + + + + diff --git a/security/ossec-hids-local-config/files/template-sample-agent.xml.in b/security/ossec-hids-local-config/files/template-sample-agent.xml.in new file mode 100644 index 0000000..8a2fa7b --- /dev/null 
+++ b/security/ossec-hids-local-config/files/template-sample-agent.xml.in @@ -0,0 +1,14 @@ + + + + + + 1.2.3.4 + + + + + + + + diff --git a/security/ossec-hids-local-config/files/template-sample-database.xml.in b/security/ossec-hids-local-config/files/template-sample-database.xml.in new file mode 100644 index 0000000..80f156f --- /dev/null +++ b/security/ossec-hids-local-config/files/template-sample-database.xml.in @@ -0,0 +1,12 @@ + + + + + localhost + ossec + secret + ossec + %%DB_TYPE%% + + + diff --git a/security/ossec-hids-local-config/files/template-sample-local.xml.in b/security/ossec-hids-local-config/files/template-sample-local.xml.in new file mode 100644 index 0000000..bf1ec5c --- /dev/null +++ b/security/ossec-hids-local-config/files/template-sample-local.xml.in @@ -0,0 +1,17 @@ + + + + + + + + + 127.0.0.1 + + + diff --git a/security/ossec-hids-local-config/files/template-sample-server.xml.in b/security/ossec-hids-local-config/files/template-sample-server.xml.in new file mode 100644 index 0000000..d4efd19 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-sample-server.xml.in @@ -0,0 +1,23 @@ + + + + + secure + + 1.2.3.4 + + + + + + + + 127.0.0.1 + + + diff --git a/security/ossec-hids-local-config/files/template-syscheck-default.xml.in b/security/ossec-hids-local-config/files/template-syscheck-default.xml.in new file mode 100644 index 0000000..78ae8f8 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-syscheck-default.xml.in @@ -0,0 +1,18 @@ + + + + + /bin,/sbin,/usr/bin,/usr/sbin,%%PREFIX%%/bin,%%PREFIX%%/sbin + /etc,%%PREFIX%%/etc + + + + + + + + /bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin + /etc,/usr/local/etc + + + diff --git a/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in new file mode 100644 index 0000000..f35f4d5 --- /dev/null 
+++ b/security/ossec-hids-local-config/files/template-syscheck-hostdeny.xml.in @@ -0,0 +1,16 @@ + + + + + /etc/hosts.allow + + + + + + + + /etc/hosts.deny + + + diff --git a/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in new file mode 100644 index 0000000..7a303e5 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-syscheck-newfiles.xml.in @@ -0,0 +1,16 @@ + + + + + yes + + + + + + + + yes + + + diff --git a/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in new file mode 100644 index 0000000..03f5943 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-syscheck-noauto.xml.in @@ -0,0 +1,16 @@ + + + + + no + + + + + + + + no + + + diff --git a/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in new file mode 100644 index 0000000..8342f63 --- /dev/null +++ b/security/ossec-hids-local-config/files/template-syscheck-ossec.xml.in @@ -0,0 +1,18 @@ + + + + + %%OSSEC_SYSCHECK_BIN_DIRS%% + %%OSSEC_SYSCHECK_ETC_DIRS%% + + + + + + + + /var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless + /var/ossec/etc,/var/ossec/rules + + + diff --git a/security/ossec-hids-local-config/opt-ar.mk b/security/ossec-hids-local-config/opt-ar.mk new file mode 100644 index 0000000..bfe9f19 --- /dev/null +++ b/security/ossec-hids-local-config/opt-ar.mk 
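Review bot: template-syscheck-hostdeny removes /etc/hosts.allow (FreeBSD) and /etc/hosts.deny (Linux) from integrity monitoring to silence the churn the host-deny response creates, but those are exactly the files an intruder edits to re-admit themselves after being blocked, and with this fragment enabled that edit raises no syscheck alert at all. A narrower fix keeps the files monitored and instead lowers the level of the syscheck rule for those paths in local_rules.xml, or correlates the change with the entry the host-deny script writes to active-responses.log, so only the expected modifications are suppressed. At minimum the option description in opt-syscheck.mk ("Ignore access control files") should state that FIM coverage of the TCP-wrappers files is lost while it is enabled.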
@@ -0,0 +1,46 @@
+AR_MANAGED_CONF= 110.active-response.conf
+AR_LOCAL_CONF= 510.active-response.local.conf
+
+AR_DESC= Active Response
+
+# Default commands
+AR_CMDS_DEFAULT_OPTION= DEFAULT_C
+AR_CMDS_DEFAULT_DESC= Commands provided by OSSEC
+AR_CMDS_DEFAULT_DEFINE= server local
+AR_CMDS_DEFAULT_DEFAULT=server local
+AR_OPTIONS+= AR_CMDS_DEFAULT
+
+# Config merge commands
+AR_CMDS_MERGE_OPTION= MERGE_C
+AR_CMDS_MERGE_DESC= Command to merge configuration files
+AR_CMDS_MERGE_DEFINE= server local
+AR_CMDS_MERGE_DEFAULT= server local
+AR_OPTIONS+= AR_CMDS_MERGE
+
+# Config merge active response
+AR_MERGE_OPTION= MERGE_AR
+AR_MERGE_DESC= Merge configuration files when they change
+AR_MERGE_DEFINE= server local
+AR_MERGE_DEFAULT= server local
+AR_OPTIONS+= AR_MERGE
+
+# OSSEC restart active response
+AR_RESTART_OPTION= RESTART_AR
+AR_RESTART_DESC= Restart OSSEC when main configuration files change
+AR_RESTART_DEFINE= server local
+AR_RESTART_DEFAULT= server local
+AR_OPTIONS+= AR_RESTART
+
+# Host deny active response
+AR_HOSTDENY_OPTION= HOSTDENY_AR
+AR_HOSTDENY_DESC= Block the attacker's IP using access control files
+AR_HOSTDENY_DEFINE= server local
+AR_HOSTDENY_DEFAULT=
+AR_OPTIONS+= AR_HOSTDENY
+
+# Firewall drop active response
+AR_FWDROP_OPTION= FWDROP_AR
+AR_FWDROP_DESC= Block the attacker's IP on the firewall
+AR_FWDROP_DEFINE= server local
+AR_FWDROP_DEFAULT=
+AR_OPTIONS+= AR_FWDROP
diff --git a/security/ossec-hids-local-config/opt-cmdout.mk b/security/ossec-hids-local-config/opt-cmdout.mk
new file mode 100644
index 0000000..98da6dd
--- /dev/null
+++ b/security/ossec-hids-local-config/opt-cmdout.mk
@@ -0,0 +1,27 @@
+CMDOUT_MANAGED_CONF= 140.command-output.conf
+CMDOUT_LOCAL_CONF= 540.command-output.local.conf
+
+CMDOUT_DESC= Command Output Monitoring
+
+CMDOUT_SCRIPTS= last-logins open-ports
+
+# Last logins
+CMDOUT_LAST_LOGINS_OPTION= LOGINS
+CMDOUT_LAST_LOGINS_DESC= Last logins
+CMDOUT_LAST_LOGINS_DEFINE= server local agent
+CMDOUT_LAST_LOGINS_DEFAULT= server local agent
+CMDOUT_OPTIONS+= CMDOUT_LAST_LOGINS
+
+# Open TCP ports
+CMDOUT_OPEN_PORTS_TCP_OPTION= PORTS_TCP
+CMDOUT_OPEN_PORTS_TCP_DESC= Open TCP ports
+CMDOUT_OPEN_PORTS_TCP_DEFINE= server local agent
+CMDOUT_OPEN_PORTS_TCP_DEFAULT= server local agent
+CMDOUT_OPTIONS+= CMDOUT_OPEN_PORTS_TCP
+
+# Open UDP ports
+CMDOUT_OPEN_PORTS_UDP_OPTION= PORTS_UDP
+CMDOUT_OPEN_PORTS_UDP_DESC= Open UDP ports
+CMDOUT_OPEN_PORTS_UDP_DEFINE= server local agent
+CMDOUT_OPEN_PORTS_UDP_DEFAULT= server local agent
+CMDOUT_OPTIONS+= CMDOUT_OPEN_PORTS_UDP
diff --git a/security/ossec-hids-local-config/opt-logs.mk b/security/ossec-hids-local-config/opt-logs.mk
new file mode 100644
index 0000000..8352b0b
--- /dev/null
+++ b/security/ossec-hids-local-config/opt-logs.mk
@@ -0,0 +1,52 @@
+LOGS_MANAGED_CONF= 150.logs.conf
+LOGS_LOCAL_CONF= 550.logs.local.conf
+
+LOGS_DESC= Log Monitoring
+
+# Default logs support
+LOGS_DEFAULT_OPTION= DEFAULT
+LOGS_DEFAULT_PROFILE= system-log
+LOGS_DEFAULT_DESC= Default system logs
+LOGS_DEFAULT_DEFINE= server local agent pushed
+LOGS_DEFAULT_DEFAULT= server local pushed
+LOGS_OPTIONS+= LOGS_DEFAULT
+
+# Active response log support
+LOGS_RESPONSE_OPTION= RESPONSE
+LOGS_RESPONSE_PROFILE= active-response-log
+LOGS_RESPONSE_DESC= Active response log
+LOGS_RESPONSE_DEFINE= server local agent pushed
+LOGS_RESPONSE_DEFAULT= server local pushed
+LOGS_OPTIONS+= LOGS_RESPONSE
+
+# Apache logs support
+LOGS_APACHE_OPTION= APACHE
+LOGS_APACHE_PROFILE= apache-log
+LOGS_APACHE_DESC= Apache logs
+LOGS_APACHE_DEFINE= server local agent pushed
+LOGS_APACHE_DEFAULT= pushed
+LOGS_OPTIONS+= LOGS_APACHE
+
+# Nginx logs support
+LOGS_NGINX_OPTION= NGINX
+LOGS_NGINX_PROFILE= nginx-log
+LOGS_NGINX_DESC= Nginx logs
+LOGS_NGINX_DEFINE= server local agent pushed
+LOGS_NGINX_DEFAULT= pushed
+LOGS_OPTIONS+= LOGS_NGINX
+
+# Radius logs support
+LOGS_RADIUS_OPTION= RADIUS
+LOGS_RADIUS_PROFILE= radius-log
+LOGS_RADIUS_DESC= FreeRADIUS logs
+LOGS_RADIUS_DEFINE= server local agent pushed
+LOGS_RADIUS_DEFAULT= pushed
+LOGS_OPTIONS+= LOGS_RADIUS
+
+# Vsftpd logs support
+LOGS_VSFTPD_OPTION= VSFTPD
+LOGS_VSFTPD_PROFILE= vsftpd-log
+LOGS_VSFTPD_DESC= Vsftpd logs
+LOGS_VSFTPD_DEFINE= server local agent pushed
+LOGS_VSFTPD_DEFAULT= pushed
+LOGS_OPTIONS+= LOGS_VSFTPD
diff --git a/security/ossec-hids-local-config/opt-rootcheck.mk b/security/ossec-hids-local-config/opt-rootcheck.mk
new file mode 100644
index 0000000..3da90af
--- /dev/null
+++ b/security/ossec-hids-local-config/opt-rootcheck.mk
@@ -0,0 +1,12 @@
+ROOTCHECK_MANAGED_CONF= 120.rootcheck.conf
+ROOTCHECK_LOCAL_CONF= 520.rootcheck.local.conf
+
+ROOTCHECK_PROFILE= rootcheck
+ROOTCHECK_DESC= System Audit and Rootkit Detection
+
+# Default
+ROOTCHECK_DEFAULT_OPTION= DEFAULT_RC
+ROOTCHECK_DEFAULT_DESC= System audit and rootkit detection provided by OSSEC
+ROOTCHECK_DEFAULT_DEFINE= server local agent pushed
+ROOTCHECK_DEFAULT_DEFAULT= server local pushed
+ROOTCHECK_OPTIONS+= ROOTCHECK_DEFAULT
diff --git a/security/ossec-hids-local-config/opt-rules.mk b/security/ossec-hids-local-config/opt-rules.mk
new file mode 100644
index 0000000..c8db7a2
--- /dev/null
+++ b/security/ossec-hids-local-config/opt-rules.mk
@@ -0,0 +1,27 @@
+RULES_MANAGED_CONF= 100.rules.conf
+RULES_LOCAL_CONF= 500.rules.local.conf
+
+RULES_DESC= Alerting Rules
+
+RULES_FILES= config cmdout
+
+# Default rules
+RULES_DEFAULT_OPTION= DEFAULT_R
+RULES_DEFAULT_DESC= Default rules provided by OSSEC
+RULES_DEFAULT_DEFINE= server local
+RULES_DEFAULT_DEFAULT= server local
+RULES_OPTIONS+= RULES_DEFAULT
+
+# Config rules
+RULES_CONFIG_OPTION= CONFIG_R
+RULES_CONFIG_DESC= Alert changes of the OSSEC main configuration files
+RULES_CONFIG_DEFINE= server local
+RULES_CONFIG_DEFAULT= server local
+RULES_OPTIONS+= RULES_CONFIG
+
+# Command output rules
+RULES_CMDOUT_OPTION= CMDOUT_R
+RULES_CMDOUT_DESC= Alert changes of output of the monitored commands
+RULES_CMDOUT_DEFINE= server local
+RULES_CMDOUT_DEFAULT= server local
+RULES_OPTIONS+= RULES_CMDOUT
diff --git a/security/ossec-hids-local-config/opt-syscheck.mk b/security/ossec-hids-local-config/opt-syscheck.mk
new file mode 100644
index 0000000..2c1210d
--- /dev/null
+++ b/security/ossec-hids-local-config/opt-syscheck.mk
@@ -0,0 +1,41 @@
+SYSCHECK_MANAGED_CONF= 130.syscheck.conf
+SYSCHECK_LOCAL_CONF= 530.syscheck.local.conf
+
+SYSCHECK_PROFILE= syscheck
+SYSCHECK_DESC= File Integrity Checking
+
+# Default direcotries
+SYSCHECK_DEFAULT_OPTION= DEFAULT_SC
+SYSCHECK_DEFAULT_DESC= Check "bin", "sbin" and "etc" directories
+SYSCHECK_DEFAULT_DEFINE= server local agent pushed
+SYSCHECK_DEFAULT_DEFAULT= server local pushed
+SYSCHECK_OPTIONS+= SYSCHECK_DEFAULT
+
+# OSSEC directories
+SYSCHECK_OSSEC_OPTION= OSSEC_SC
+SYSCHECK_OSSEC_DESC= Check OSSEC directories
+SYSCHECK_OSSEC_DEFINE= server local agent pushed
+SYSCHECK_OSSEC_DEFAULT= server local pushed
+SYSCHECK_OPTIONS+= SYSCHECK_OSSEC
+
+# Alert new files
+SYSCHECK_NEWFILES_OPTION= NEWFILES_SC
+SYSCHECK_NEWFILES_DESC= Alert on new files created
+SYSCHECK_NEWFILES_DEFINE= server local
+SYSCHECK_NEWFILES_DEFAULT= server local
+SYSCHECK_OPTIONS+= SYSCHECK_NEWFILES
+
+# Disable auto_ignore
+SYSCHECK_NOAUTO_OPTION= NOAUTO_SC
+SYSCHECK_NOAUTO_DESC= Disable auto_ignore feature
+SYSCHECK_NOAUTO_DEFINE= server local
+SYSCHECK_NOAUTO_DEFAULT= server local
+SYSCHECK_OPTIONS+= SYSCHECK_NOAUTO
+
+# Ignore /etc/hosts.allow
+SYSCHECK_HOSTDENY_DEPENDS= AR_HOSTDENY
+SYSCHECK_HOSTDENY_OPTION= HOSTDENY_SC
+SYSCHECK_HOSTDENY_DESC= Ignore access control files
+SYSCHECK_HOSTDENY_DEFINE= server local agent pushed
+SYSCHECK_HOSTDENY_DEFAULT= server local pushed
+SYSCHECK_OPTIONS+= SYSCHECK_HOSTDENY
diff --git a/security/ossec-hids-local-config/pkg-descr b/security/ossec-hids-local-config/pkg-descr
new file mode 100644
index 0000000..0b039e5
--- /dev/null
+++ b/security/ossec-hids-local-config/pkg-descr
@@ -0,0 +1,9 @@
+OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection
+System (HIDS). It has a powerful correlation and analysis engine, integrating
+log analysis, file integrity checking, Windows registry monitoring, centralized
+policy enforcement, rootkit detection, real-time alerting and active response.
+
+This package adds the configuration overlay with samples, additional rules,
+commands, scripts and support for multiple configuration files.
+
+WWW: https://ossec.github.io
diff --git a/security/ossec-hids-local-config/pkg-plist-agent b/security/ossec-hids-local-config/pkg-plist-agent
new file mode 100644
index 0000000..b999785
--- /dev/null
+++ b/security/ossec-hids-local-config/pkg-plist-agent
@@ -0,0 +1,23 @@
+@dir(,ossec,550) %%OSSEC_HOME%%
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response/bin
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/merge-config.sh
+@dir(,,550) %%OSSEC_HOME%%/bin
+@dir(,,550) %%OSSEC_HOME%%/bin/command
+@(,,550) %%OSSEC_HOME%%/bin/command/last-logins.sh
+@(,,550) %%OSSEC_HOME%%/bin/command/open-ports.sh
+@dir(,,550) %%OSSEC_HOME%%/bin/config
+@(,,550) %%OSSEC_HOME%%/bin/config/ossec-conf
+@dir(,ossec,550) %%OSSEC_HOME%%/etc
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/command.conf.sample
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/ossec.conf.d
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/120.rootcheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/130.syscheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/140.command-output.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/150.logs.conf
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/900.local.conf.sample
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/520.rootcheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/530.syscheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/540.command-output.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/550.logs.local.conf
diff --git a/security/ossec-hids-local-config/pkg-plist-local b/security/ossec-hids-local-config/pkg-plist-local
new file mode 100644
index 0000000..cf90641
--- /dev/null
+++ b/security/ossec-hids-local-config/pkg-plist-local
@@ -0,0 +1,30 @@
+@dir(,ossec,550) %%OSSEC_HOME%%
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response/bin
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/merge-config.sh
+@dir(,,550) %%OSSEC_HOME%%/bin
+@dir(,,550) %%OSSEC_HOME%%/bin/command
+@(,,550) %%OSSEC_HOME%%/bin/command/last-logins.sh
+@(,,550) %%OSSEC_HOME%%/bin/command/open-ports.sh
+@dir(,,550) %%OSSEC_HOME%%/bin/config
+@(,,550) %%OSSEC_HOME%%/bin/config/ossec-conf
+@dir(,ossec,550) %%OSSEC_HOME%%/etc
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/command.conf.sample
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/ossec.conf.d
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/100.rules.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/110.active-response.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/120.rootcheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/130.syscheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/140.command-output.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/150.logs.conf
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/900.local.conf.sample
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/500.rules.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/510.active-response.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/520.rootcheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/530.syscheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/540.command-output.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/550.logs.local.conf
+@dir(,ossec,550) %%OSSEC_HOME%%/rules
+@(,ossec,640) %%OSSEC_HOME%%/rules/freebsd_cmdout_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/freebsd_config_rules.xml
diff --git a/security/ossec-hids-local-config/pkg-plist-server b/security/ossec-hids-local-config/pkg-plist-server
new file mode 100644
index 0000000..a398f4f
--- /dev/null
+++ b/security/ossec-hids-local-config/pkg-plist-server 
@@ -0,0 +1,39 @@
+@dir(,ossec,550) %%OSSEC_HOME%%
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response
+@dir(,ossec,550) %%OSSEC_HOME%%/active-response/bin
+@(,ossec,550) %%OSSEC_HOME%%/active-response/bin/merge-config.sh
+@dir(,,550) %%OSSEC_HOME%%/bin
+@dir(,,550) %%OSSEC_HOME%%/bin/command
+@(,,550) %%OSSEC_HOME%%/bin/command/last-logins.sh
+@(,,550) %%OSSEC_HOME%%/bin/command/open-ports.sh
+@dir(,,550) %%OSSEC_HOME%%/bin/config
+@(,,550) %%OSSEC_HOME%%/bin/config/agent-conf
+@(,,550) %%OSSEC_HOME%%/bin/config/ossec-conf
+@dir(,ossec,550) %%OSSEC_HOME%%/etc
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/agent.conf.d
+@(,ossec,640) %%OSSEC_HOME%%/etc/agent.conf.d/120.rootcheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/agent.conf.d/130.syscheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/agent.conf.d/150.logs.conf
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/agent.conf.d/disabled
+@(,ossec,640) %%OSSEC_HOME%%/etc/agent.conf.d/disabled/520.rootcheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/agent.conf.d/disabled/530.syscheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/agent.conf.d/disabled/550.logs.local.conf
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/command.conf.sample
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/ossec.conf.d
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/100.rules.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/110.active-response.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/120.rootcheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/130.syscheck.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/140.command-output.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/150.logs.conf
+@sample(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/900.local.conf.sample
+@dir(,ossec,550) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/500.rules.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/510.active-response.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/520.rootcheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/530.syscheck.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/540.command-output.local.conf
+@(,ossec,640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/550.logs.local.conf
+@dir(,ossec,550) %%OSSEC_HOME%%/rules
+@(,ossec,640) %%OSSEC_HOME%%/rules/freebsd_cmdout_rules.xml
+@(,ossec,640) %%OSSEC_HOME%%/rules/freebsd_config_rules.xml
diff --git a/security/ossec-hids-local-config/scripts/plist.sh b/security/ossec-hids-local-config/scripts/plist.sh
new file mode 100755
index 0000000..8c7df63
--- /dev/null
+++ b/security/ossec-hids-local-config/scripts/plist.sh
@@ -0,0 +1,113 @@ +#!/bin/sh + +# Script generates entries for pkg-plist. +# Do not use it directly. Use the following command instead: +# +# make MAINTAINER_MODE=yes clean plist + +OSSEC_TYPE=$1 +OSSEC_HOME=$2 +PLIST=$3 +WORKDIR=$4 +STAGEDIR=$5 + +staged_plist="${WORKDIR}/.staged-plist" +fixed_lines="" +skip_lines="" +skip_paths="" +sample_paths="/etc/command.conf.sample /etc/ossec.conf.d/900.local.conf.sample /etc/agent.conf.d/900.local.conf.sample" + +print_path() { + local path="$1" + local command="$2" + local full_path="${STAGEDIR}${OSSEC_HOME}${path}" + if [ -z "${command}" ]; then + command="@" + if [ -d "${full_path}" ]; then + command="@dir" + fi + fi + local user=`stat -f "%Su" "${full_path}"` + if [ "${user}" == "${USER}" ]; then + user="" + fi + local group=`stat -f "%Sg" "${full_path}"` + if [ "${group}" == "${GROUP}" ]; then + group="" + fi + local mode=`stat -f "%p" "${full_path}" | tail -c 4` + echo -e "${command}(${user},${group},${mode}) %%OSSEC_HOME%%${path}" >> "${PLIST}" +} + +echo -n > "${PLIST}" + +print_path + +done_paths="" +while read line; do + skip_line="" + for e in ${skip_lines}; do + if [ "${e}" == "${line}" ]; then + skip_line="${e}" + break + fi + done + if [ -z "${skip_line}" ]; then + path="" + case $line in + "@dir %%OSSEC_HOME%%"*) + path=`echo "${line}" | sed -e "s|@dir %%OSSEC_HOME%%||g"` + ;; + "%%OSSEC_HOME%%"*) + path=`echo "${line}" | sed -e "s|%%OSSEC_HOME%%||g"` + ;; + "%%"*) + unchanged_lines="${unchanged_lines} ${line}" + ;; + esac + if [ -n "${path}" ]; then + segments=`echo "${path}" | tr "/" "\n"` + path="" + for segment in ${segments}; do + path="${path}/${segment}" + skip_path="" + for e in ${skip_paths}; do + if [ "${e}" == "${path}" ]; then + skip_path="${e}" + break + fi + done + if [ -n "${skip_path}" ]; then + break + fi + done_path="" + for e in ${done_paths}; do + if [ "${e}" == "${path}" ]; then + done_path="${e}" + break + fi + done + if [ -z "${done_path}" ]; then + done_paths="${done_paths} ${path}" + 
sample_path="" + for e in ${sample_paths}; do + if [ "${e}" == "${path}" ]; then + sample_path="${e}" + break + fi + done + if [ -n "${sample_path}" ]; then + print_path "${path}" @sample + else + print_path "${path}" + fi + fi + done + fi + fi +done < "${staged_plist}" + +unchanged_lines="${unchanged_lines} ${fixed_lines}" +for line in ${unchanged_lines}; do + echo "${line}" >> "${PLIST}" +done diff --git a/security/ossec-hids-local-config/scripts/rules.sh b/security/ossec-hids-local-config/scripts/rules.sh new file mode 100755 index 0000000..65e28e2 --- /dev/null +++ b/security/ossec-hids-local-config/scripts/rules.sh 
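Review bot: The mode that `print_path` records with `stat -f "%p" "${full_path}" | tail -c 4` keeps only the last three permission digits, so a staged file that carried a setuid, setgid or sticky bit would be written into pkg-plist without it and the package would then install the file with a different mode than the one staged; if I read FreeBSD stat(1) correctly, `stat -f "%Mp%Lp" "${full_path}"` yields the special and permission bits without the file-type prefix and without the pipe. The main loop `while read line; do` should be `while IFS= read -r line; do` so that backslashes and leading whitespace in staged paths survive, and the `for segment in ${segments}` split would break a path that contains whitespace, which deserves at least a comment such as `# paths are assumed to contain no whitespace`. The script is `#!/bin/sh` but relies on `local`, `==` inside `[ ]` and `echo -e`; these work in FreeBSD's sh, which `stat -f` already presumes, so a header comment `# FreeBSD /bin/sh only (stat -f, echo -e, == in test)` would make the assumption explicit.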
@@ -0,0 +1,89 @@ +#!/bin/sh + +# Script generates entries for template-rules-default.xml.in. +# Do not use it directly. Use the following command instead: +# +# make MAINTAINER_MODE=yes rules + +rules_template=$1 +src_dir=$2 + +skip_files="policy_rules.xml local_rules.xml" +append_files="local_rules.xml" + +rules="" +for file in `find "${src_dir}/etc/rules" -depth 1 -name "*.xml"`; do + file_name="${file##*/}" + skip_file="" + for e in ${skip_files}; do + if [ "${e}" == "${file_name}" ]; then + skip_file="${e}" + break + fi + done + if [ -z "${skip_file}" ]; then + rule_ids=`sed -Ene 's|^.*([0-9,]+).*$|\1|p' "${file}" | tr ',' '\n'` + for ref_rule_id in ${ref_rule_ids}; do + found_rule_id="" + for rule_id in ${rule_ids}; do + if [ "${ref_rule_id}" = "${rule_id}" ]; then + found_rule_id="${rule_id}" + break + fi + done + if [ -z "${found_rule_id}" ]; then + # The referenced rule id is not present in this file so it must come from another + if [ ${ref_rule_id} -gt ${min_rule_id} ]; then + # Ordering by referenced rule id doesn't need to give proper results, but let's hope it does + min_rule_id=$((ref_rule_id + 1)) + fi + fi + done + + rules="${rules}${min_rule_id} ${file_name} +" + fi + fi +done + +echo -n "${rules}" | sort -n + +if [ -n "${rules_template}" ]; then + rules=`echo -n "${rules}" | sort -n | cut -d' ' -f2` + for file_name in ${append_files}; do + rules="${rules} +${file_name}" + done + + echo ' + + + ' > "${rules_template}" + + for rule in ${rules}; do + echo " ${rule}" >> "${rules_template}" + done + + echo ' + ' >> "${rules_template}" + + for skip_file in ${skip_files}; do + append_file="" + for e in ${append_files}; do + if [ "${e}" == "${skip_file}" ]; then + append_file="${e}" + break + fi + done + if [ -z "${append_file}" ]; then + echo " " >> "${rules_template}" + fi + done + + echo ' + +' >> "${rules_template}" +fi 
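Review bot: The loop `for file in \`find "${src_dir}/etc/rules" -depth 1 -name "*.xml"\`` word-splits find's output, so a rules file whose name contains whitespace would be looked up as several nonexistent files and silently dropped by the later `sed`; since `-depth 1` (FreeBSD's exact-depth primary) only lists direct children anyway, the glob `for file in "${src_dir}"/etc/rules/*.xml; do` is simpler and does not split. `[ ${ref_rule_id} -gt ${min_rule_id} ]` leaves both operands unquoted, so an empty `min_rule_id` turns into a `test` syntax error rather than a clear failure; `[ "${ref_rule_id}" -gt "${min_rule_id}" ]` at least makes the error deterministic. The XML tag text inside the `sed -Ene` patterns and the echoed template skeleton appears to have been stripped in this rendering of the page, so those expressions could not be checked here. The `==` operator inside `[ ]`, used in this script and in plist.sh, is not POSIX; FreeBSD's sh accepts it, but `=` is the portable spelling and costs nothing.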
diff --git a/security/ossec-hids-local-config/scripts/template-to-agent.sh b/security/ossec-hids-local-config/scripts/template-to-agent.sh new file mode 100755 index 0000000..3034b1f --- /dev/null +++ b/security/ossec-hids-local-config/scripts/template-to-agent.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +if [ $# -lt 3 ]; then + echo "Too few arguments" + echo "Usage: `basename $0` " + exit 1 +fi + +ossec_type="$1" +ossec_prefix="$2" +ossec_file="$3" + +if [ ! -f "${ossec_file}" ]; then + echo "File \"${ossec_file}\" does not exist" + exit 1 +fi + +ossec_syscheck_bin_dirs="${ossec_prefix}/bin,${ossec_prefix}/active-response" +ossec_syscheck_etc_dirs="${ossec_prefix}/etc" + +replace() { + sed -e 's|||' \ + -e 's|||' \ + -e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|${ossec_syscheck_bin_dirs}|" \ + -e "s|%%OSSEC_SYSCHECK_ETC_DIRS%%|${ossec_syscheck_etc_dirs}|" \ + "${ossec_file}" +} + +extract() { + sed -n '/^$/,/^<\/agent_config>$/p' +} + +replace | extract diff --git a/security/ossec-hids-local-config/scripts/template-to-ossec.sh b/security/ossec-hids-local-config/scripts/template-to-ossec.sh new file mode 100755 index 0000000..3933446 --- /dev/null +++ b/security/ossec-hids-local-config/scripts/template-to-ossec.sh 
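Review bot: `replace()` interpolates `ossec_prefix`, taken verbatim from `$2`, into the sed replacement text, so a prefix containing `|`, `&` or `\` either breaks the expression or splices matched text into the generated syscheck directory list; the script is only invoked from the port's Makefile, so the exposure is small, but a guard before the substitution such as `case "${ossec_prefix}" in *'|'*|*'&'*|*'\'*) echo "unsupported character in prefix" >&2; exit 1;; esac` keeps the emitted configuration honest. The diagnostics `echo "Too few arguments"` and `echo "File \"${ossec_file}\" does not exist"` go to stdout, the same stream the generated configuration is written to, so a caller that captures the output could receive an error message where it expects config; redirect them with `>&2`. `ossec_type` is assigned from `$1` but not referenced in any visible line of this script (template-to-ossec.sh does use it), which is worth a comment or removal if the rendering did not hide a use. The same stdout-diagnostics and `ossec_prefix` interpolation points apply to template-to-ossec.sh below.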
@@ -0,0 +1,45 @@ +#!/bin/sh + +if [ $# -lt 3 ]; then + echo "Too few arguments" + echo "Usage: `basename $0` " + exit 1 +fi + +ossec_type="$1" +ossec_prefix="$2" +ossec_file="$3" + +if [ ! -f "${ossec_file}" ]; then + echo "File \"${ossec_file}\" does not exist" + exit 1 +fi + +ossec_syscheck_bin_dirs="${ossec_prefix}/bin,${ossec_prefix}/active-response" +ossec_syscheck_etc_dirs="${ossec_prefix}/etc" +if [ "${ossec_type}" != "agent" ]; then + ossec_syscheck_bin_dirs="${ossec_syscheck_bin_dirs},${ossec_prefix}/agentless" + ossec_syscheck_etc_dirs="${ossec_syscheck_etc_dirs},${ossec_prefix}/rules" +fi + +replace() { + if grep -q "" "${ossec_file}"; then + sed -e 's|||' \ + -e 's|||' \ + -e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|${ossec_syscheck_bin_dirs}|" \ + -e "s|%%OSSEC_SYSCHECK_ETC_DIRS%%|${ossec_syscheck_etc_dirs}|" \ + "${ossec_file}" + else + sed -e 's|||' \ + -e 's|||' \ + -e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|${ossec_syscheck_bin_dirs}|" \ + -e "s|%%OSSEC_SYSCHECK_ETC_DIRS%%|${ossec_syscheck_etc_dirs}|" \ + "${ossec_file}" + fi +} + +extract() { + sed -n '/^$/,/^<\/ossec_config>$/p' +} + +replace | extract -- cgit v1.2.3
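Review bot: The two branches of `replace()` repeat the `%%OSSEC_SYSCHECK_BIN_DIRS%%` and `%%OSSEC_SYSCHECK_ETC_DIRS%%` substitutions and the `"${ossec_file}"` argument verbatim, and as rendered here they differ only inside the first two `s|…|…|` expressions, whose tag text was stripped from this page; choosing those two expressions in the `if` (say `tag_expr1=… tag_expr2=…`) and then running a single `sed -e "${tag_expr1}" -e "${tag_expr2}" -e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|…|" …` afterwards would halve the duplicated code and keep the two paths from drifting apart. The test `grep -q "" "${ossec_file}"` as shown has an empty pattern, which matches any non-empty file and would always select the first branch; if the pattern lost its `<…>` content in rendering this is a page artifact, otherwise it is a real defect worth a comment stating which marker the branch keys on.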