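#!/bin/sh
#
# PROVIDE: ossec_hids
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown
#
# rc.d script for %%PORTNAME%% (OSSEC HIDS). Besides start/stop/restart/status
# it offers: reload, ossec_conf, and per-installation-type extras (agent_conf,
# reset_counter, fetch_config, merge_config); see extra_commands below.
#
# ossec_hids_enable (bool): Set it to YES to enable %%PORTNAME%%.
#   Default: NO
# ossec_hids_clear_log (bool): Set it to YES to clear ossec.log before
#   %%PORTNAME%% startup.
#   Default: NO
# ossec_hids_clear_ar_log (bool): Set it to YES to clear active-responses.log
#   before %%PORTNAME%% startup.
#   Default: NO
# ossec_hids_fetch_connect_time (int): Time in seconds to wait for the
#   download of the shared configuration to start.
#   Used only by agent installation.
#   Default: 20
# ossec_hids_fetch_read_time (int): Time in seconds to wait for subsequent
#   download chunks of the shared configuration.
#   Used only by agent installation.
#   Default: 5

. /etc/rc.subr

name="ossec_hids"
rcvar=ossec_hids_enable

load_rc_config "$name"

: ${ossec_hids_enable="NO"}
: ${ossec_hids_clear_log="NO"}
: ${ossec_hids_clear_ar_log="NO"}
: ${ossec_hids_fetch_connect_time=20}
: ${ossec_hids_fetch_read_time=5}

# Installation type and paths; %%...%% tokens are substituted by the port.
ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%OSSEC_HOME%%"
ossec_conf="${ossec_home}/etc/ossec.conf"
ossec_conf_dir="${ossec_home}/etc/ossec.conf.d"
ossec_conf_bin="${ossec_home}/bin/config/ossec-conf"
agent_conf="${ossec_home}/etc/shared/agent.conf"
agent_conf_dir="${ossec_home}/etc/agent.conf.d"
agent_conf_bin="${ossec_home}/bin/config/agent-conf"
ossec_client_keys="${ossec_home}/etc/client.keys"
ossec_ar_tmp="${ossec_home}/active-response"
ossec_log="${ossec_home}/logs/ossec.log"
ossec_ar_log="${ossec_home}/logs/active-responses.log"
ossec_merged="${ossec_home}/etc/shared/merged.mg"
ossec_local_time="/etc/localtime"

# Extra rc verbs depend on the installation type and on whether the
# config-merging helper is installed.
extra_commands="reload ossec_conf"
case "${ossec_type}" in
  server)
    extra_commands="${extra_commands} agent_conf reset_counter"
    ;;
  agent)
    extra_commands="${extra_commands} fetch_config reset_counter"
    ;;
esac
if [ -x "${ossec_conf_bin}" ]; then
  extra_commands="${extra_commands} merge_config"
fi

start_cmd="ossec_hids_command start"
stop_cmd="ossec_hids_command stop"
restart_cmd="ossec_hids_command restart"
status_cmd="ossec_hids_command status"
reload_cmd="ossec_hids_command reload"
reset_counter_cmd="ossec_hids_command start"
fetch_config_cmd="ossec_hids_command restart"
merge_config_cmd="ossec_hids_create_config force"
ossec_conf_cmd="ossec_hids_ossec_conf"
agent_conf_cmd="ossec_hids_agent_conf"

# Every verb that (re)starts the daemon first runs the preparation steps
# (see ossec_hids_prepare, which dispatches on ${rc_arg}).
start_precmd="ossec_hids_prepare"
restart_precmd="ossec_hids_prepare"
reload_precmd="ossec_hids_prepare"
reset_counter_precmd="ossec_hids_prepare"
fetch_config_precmd="ossec_hids_prepare"

#######################################
# Create an empty file with the given owner and mode if it does not exist.
# Arguments: $1 - path, $2 - owner (user:group), $3 - mode
# Returns:   non-zero if creating, chowning or chmodding the file fails
#######################################
ossec_hids_create_file() {
  local path="$1"
  local owner="$2"
  local mode="$3"

  if [ ! -e "${path}" ]; then
    # Create the file closed to everyone else before handing it over; a plain
    # touch would leave it briefly readable under the process' default umask.
    ( umask 077 && : > "${path}" ) \
      && chown "${owner}" "${path}" \
      && chmod "${mode}" "${path}"
  fi
}

#######################################
# Warn when client.keys is missing or empty; never fails.
# Globals:   ossec_type, ossec_client_keys (read)
# Returns:   0
#######################################
ossec_hids_check() {
  case "${ossec_type}" in
    server)
      if [ ! -s "${ossec_client_keys}" ]; then
        echo "WARNING: There are no client keys created - remote connections will be disabled."
        echo
      fi
      ;;
    agent)
      if [ ! -s "${ossec_client_keys}" ]; then
        echo "WARNING: There is no client key imported - connection to server not possible."
        echo
      fi
      ;;
  esac
  return 0
}

#######################################
# Decide whether a merged config must be regenerated.
# Arguments: $1 - merged destination file, $2 - directory of *.conf fragments
# Returns:   0 if the destination is missing or any fragment in the top level
#            of the directory is newer than it, 1 otherwise
#######################################
ossec_hids_config_is_outdated() {
  local dst_file="$1"
  local src_dir="$2"

  [ -e "${dst_file}" ] || return 0
  [ -d "${src_dir}" ] || return 1

  # Let find do the mtime comparison so fragment names are never word-split.
  if [ -n "$(find "${src_dir}" -maxdepth 1 -type f -name '*.conf' \
      -newer "${dst_file}" 2>/dev/null)" ]; then
    return 0
  fi
  return 1
}

#######################################
# Run a config generator and replace the destination with its output.
# The output goes to a temporary file next to the destination and is moved
# into place only on success, so a failing generator never leaves a
# truncated configuration behind.
# Arguments: $1 - generator executable, $2 - destination file
# Returns:   0 on success, 1 if the generator or the install step fails
#######################################
ossec_hids_write_config() {
  local generator="$1"
  local dst="$2"
  local tmp

  tmp=$(mktemp "${dst}.XXXXXX") || return 1
  if "${generator}" > "${tmp}" \
      && chown %%USER%%:%%OSSEC_GROUP%% "${tmp}" \
      && chmod 0640 "${tmp}" \
      && mv -f "${tmp}" "${dst}"; then
    return 0
  fi
  rm -f "${tmp}"
  echo "ERROR: Failed to generate \"${dst}\" with \"${generator}\"."
  echo
  return 1
}

#######################################
# Merge the *.conf.d fragments into agent.conf (server only) and ossec.conf
# when the merge helpers are installed and the merged file is outdated.
# Arguments: $1 - "force" to regenerate regardless of timestamps
# Returns:   0 on success, 1 if a generator fails (existing files are kept)
#######################################
ossec_hids_create_config() {
  local force="${1:-}"

  case "${ossec_type}" in
    server)
      if [ -x "${agent_conf_bin}" ]; then
        # Merge agent.conf.d files into agent.conf
        if [ "${force}" = "force" ] \
            || ossec_hids_config_is_outdated "${agent_conf}" "${agent_conf_dir}"; then
          ossec_hids_write_config "${agent_conf_bin}" "${agent_conf}" || return 1
        fi
      fi
      ;;
  esac

  if [ -x "${ossec_conf_bin}" ]; then
    # Merge ossec.conf.d files into ossec.conf
    if [ "${force}" = "force" ] \
        || ossec_hids_config_is_outdated "${ossec_conf}" "${ossec_conf_dir}"; then
      ossec_hids_write_config "${ossec_conf_bin}" "${ossec_conf}" || return 1
    fi
  fi
  return 0
}

#######################################
# Copy files the daemon needs inside its home directory (localtime).
# Globals:   ossec_local_time, ossec_home (read)
# Returns:   1 if /etc/localtime is missing, else the install status
#######################################
ossec_hids_create_env() {
  # Copy required files from outside of home directory
  if [ ! -e "${ossec_local_time}" ]; then
    echo "ERROR: Missing \"${ossec_local_time}\". Run command \"tzsetup\"."
    echo
    return 1
  fi
  install -o %%USER%% -g %%OSSEC_GROUP%% -m 0440 \
    "${ossec_local_time}" "${ossec_home}${ossec_local_time}"
}

#######################################
# Remove the stale merged shared config (server) and truncate logs when
# the corresponding rc variables are set to YES.
# Globals:   ossec_type, ossec_merged, ossec_log, ossec_ar_log (read)
# Returns:   0
#######################################
ossec_hids_clean() {
  if [ "${ossec_type}" = "server" ]; then
    rm -f "${ossec_merged}"
  fi
  if checkyesno ossec_hids_clear_log && [ -e "${ossec_log}" ]; then
    : > "${ossec_log}"
  fi
  if checkyesno ossec_hids_clear_ar_log && [ -e "${ossec_ar_log}" ]; then
    : > "${ossec_ar_log}"
  fi
  return 0
}

#######################################
# Stop the daemon and delete the per-agent message counters under
# queue/rids for every agent id listed by manage_agents.
# Globals:   ossec_type, ossec_home (read)
# Returns:   1 for local installations, 0 otherwise
#######################################
ossec_hids_reset_counter() {
  local agent_ids agent_id agent_counter

  case "${ossec_type}" in
    local)
      echo "ERROR: Counters are only available for agent and server installations."
      echo
      return 1
      ;;
    *)
      # Only stop when it is actually running; give it a moment to shut down.
      ossec_hids_command status > /dev/null \
        && ossec_hids_command stop && sleep 2 && echo
      # Keep only the numeric ids, so the removed paths are always rids/<digits>.
      agent_ids=$("${ossec_home}/bin/manage_agents" -l \
        | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p')
      agent_counter=0
      for agent_id in ${agent_ids}; do
        rm -f "${ossec_home}/queue/rids/${agent_id}" \
          && agent_counter=$((agent_counter + 1))
      done
      echo "Removed ${agent_counter} counter(s)."
      echo
      ;;
  esac
  return 0
}

#######################################
# Restart the agent so it re-downloads the shared configuration, then wait
# until merged.mg appears and stops growing.
# Globals:   ossec_type, ossec_merged, ossec_log,
#            ossec_hids_fetch_connect_time, ossec_hids_fetch_read_time (read)
# Returns:   1 for non-agent installations, on start failure or when no
#            download starts within the connect time; 0 otherwise
#######################################
ossec_hids_fetch_config() {
  local ossec_log_tail current_time modification_time

  case "${ossec_type}" in
    agent)
      ossec_hids_command status > /dev/null \
        && ossec_hids_command stop && sleep 2 && echo
      rm -f "${ossec_merged}"
      ossec_hids_command start || return 1
      echo
      echo "Waiting ${ossec_hids_fetch_connect_time} seconds for the shared configuration download to start."
      sleep "${ossec_hids_fetch_connect_time}"

      if [ ! -s "${ossec_merged}" ]; then
        echo "ERROR: Failed to download shared configuration from the OSSEC server."
        echo
        ossec_log_tail=$(tail "${ossec_log}")
        echo "Portion of the \"${ossec_log}\":"
        echo "${ossec_log_tail}"
        echo
        if printf '%s\n' "${ossec_log_tail}" | grep -qF "ERROR: Unable to send message to"; then
          echo "Check if your configuration contains the correct server address in \"server-ip\" option."
          echo
        fi
        if printf '%s\n' "${ossec_log_tail}" | grep -qF "ERROR: Incorrectly formatted message from"; then
          echo "If you are certain the imported agent key is correct then execute command:"
          echo "$(realpath "$0") reset_counter"
          echo "and fetch config again:"
          echo "$(realpath "$0") fetch_config"
          echo
        fi
        return 1
      fi

      # The download has started: poll until the file has not been modified
      # for longer than the read timeout.
      while true; do
        current_time=$(date +%s)
        if ! modification_time=$(stat -f %m "${ossec_merged}"); then
          echo "ERROR: \"${ossec_merged}\" disappeared during the download."
          echo
          return 1
        fi
        if [ $((current_time - modification_time)) -gt "${ossec_hids_fetch_read_time}" ]; then
          echo "Download finished."
          echo
          break
        fi
        echo "Download in progress..."
        sleep 10
      done
      ;;
    *)
      echo "ERROR: Shared configuration is only available for agent installations."
      echo
      return 1
      ;;
  esac
  return 0
}

#######################################
# Pre-command hook shared by all daemon-(re)starting verbs.
# Globals:   rc_arg (read; set by rc.subr to the verb being run)
# Returns:   1 if any preparation step fails, 0 otherwise
#######################################
ossec_hids_prepare() {
  case "${rc_arg}" in
    start|restart)
      ossec_hids_create_env \
        && ossec_hids_create_config \
        && ossec_hids_clean \
        && ossec_hids_check || return 1
      ;;
    reset_counter)
      ossec_hids_create_env \
        && ossec_hids_create_config \
        && ossec_hids_clean \
        && ossec_hids_reset_counter \
        && ossec_hids_check || return 1
      ;;
    fetch_config)
      ossec_hids_create_env \
        && ossec_hids_create_config \
        && ossec_hids_clean \
        && ossec_hids_fetch_config \
        && ossec_hids_check || return 1
      ;;
    reload)
      ossec_hids_create_env \
        && ossec_hids_create_config || return 1
      ;;
  esac
  return 0
}

#######################################
# Print the effective ossec.conf: the merged output when the helper is
# installed, otherwise the file on disk.
#######################################
ossec_hids_ossec_conf() {
  if [ -x "${ossec_conf_bin}" ]; then
    "${ossec_conf_bin}"
  elif [ -f "${ossec_conf}" ]; then
    cat "${ossec_conf}"
  fi
}

#######################################
# Print the effective agent.conf: the merged output when the helper is
# installed, otherwise the file on disk.
#######################################
ossec_hids_agent_conf() {
  if [ -x "${agent_conf_bin}" ]; then
    "${agent_conf_bin}"
  elif [ -f "${agent_conf}" ]; then
    cat "${agent_conf}"
  fi
}

#######################################
# Forward an rc verb to ossec-control.
# Arguments: $1 - verb (start, stop, restart, status, reload)
#######################################
ossec_hids_command() {
  "${ossec_home}/bin/ossec-control" "$1"
}

run_rc_command "$1"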