
security/ossec-hids-server: update from 2.8.3 to 3.1.0

PR:		232794
Submitted by:	Dominik Lisiak <dominik.lisiak@bemsoft.pl> (maintainer)
Steve Wills 2018-11-09 18:52:21 +00:00
parent 33c5a7f300
commit 868061ef79
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=484537
105 changed files with 3776 additions and 867 deletions

MOVED

@ -10623,3 +10623,4 @@ science/fvm|science/code_saturne|2018-11-04|Code_Saturne merged bft, ecs, fvm, m
science/mei|science/code_saturne|2018-11-04|Code_Saturne merged bft, ecs, fvm, mei and ncs
x11-wm/cde|x11/cde|2018-11-03|Recategorise
misc/rumprun||2018-11-06|Has expired: "fails with current compilers"
security/ossec-hids-client|security/ossec-hids-agent|2018-10-29|Agent is the name used in documentation

UIDs

@ -912,9 +912,9 @@ zookeeper:*:962:962::0:0:zookeeper user:/nonexistent:/usr/sbin/nologin
fluentd:*:963:963::0:0:fluentd user:/nonexistent:/usr/sbin/nologin
git_daemon:*:964:964::0:0:git daemon:/nonexistent:/usr/sbin/nologin
elasticsearch:*:965:965::0:0:elasticsearch user:/nonexistent:/usr/sbin/nologin
ossec:*:966:966::0:0:OSSEC user:/usr/local/ossec-hids:/usr/sbin/nologin
ossecm:*:967:966::0:0:OSSEC mail user:/usr/local/ossec-hids:/usr/sbin/nologin
ossecr:*:968:966::0:0:OSSEC rem user:/usr/local/ossec-hids:/usr/sbin/nologin
ossec:*:966:966::0:0:OSSEC user:/nonexistent:/usr/sbin/nologin
ossecm:*:967:966::0:0:OSSEC mail user:/nonexistent:/usr/sbin/nologin
ossecr:*:968:966::0:0:OSSEC rem user:/nonexistent:/usr/sbin/nologin
kippo:*:969:969::0:0:kippo user:/nonexistent:/usr/sbin/nologin
colord:*:970:970::0:0:colord color management daemon:/nonexistent:/usr/sbin/nologin
shibd:*:971:971::0:0:Shibboleth SAML daemon:/nonexistent:/usr/sbin/nologin


@ -5,6 +5,38 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
20181109
AFFECTS: users of security/ossec-hids-server
AUTHOR: dominik.lisiak@bemsoft.pl
The "ossechids_enable" rc variable has been renamed to "ossec_hids_enable".
If using database output, you need to recreate database using new schema
provided in /usr/local/share/doc/ossec-hids.
20181109
AFFECTS: users of security/ossec-hids-local
AUTHOR: dominik.lisiak@bemsoft.pl
The "ossechids_enable" rc variable has been renamed to "ossec_hids_enable".
If using database output, you need to recreate database using new schema
provided in /usr/local/share/doc/ossec-hids.
20181109
AFFECTS: users of security/ossec-hids-client
AUTHOR: dominik.lisiak@bemsoft.pl
The ossec-hids-client port has been renamed to ossec-hids-agent.
Portmaster users will need to run this command:
portmaster -o security/ossec-hids-agent security/ossec-hids-client
If the switch doesn't happen automatically for you, just delete the
ossec-hids-client package and install ossec-hids-agent.
The "ossechids_enable" rc variable has been renamed to "ossec_hids_enable".
20181104:
AFFECTS: users of sysutils/ansible*
AUTHOR: lifanov@FreeBSD.org


@ -490,9 +490,13 @@
SUBDIR += ophcrack
SUBDIR += orthrus
SUBDIR += osiris
SUBDIR += ossec-hids-client
SUBDIR += ossec-hids
SUBDIR += ossec-hids-agent
SUBDIR += ossec-hids-agent-config
SUBDIR += ossec-hids-local
SUBDIR += ossec-hids-local-config
SUBDIR += ossec-hids-server
SUBDIR += ossec-hids-server-config
SUBDIR += osslsigncode
SUBDIR += otpw
SUBDIR += outguess

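--- /dev/null
+++ b/[path not shown; likely security/ossec-hids-agent-config/Makefile]
@@ -0,0 +1,7 @@
+# $FreeBSD$
+OSSEC_TYPE= agent
+MASTERDIR= ${.CURDIR}/../ossec-hids-local-config
+.include "${MASTERDIR}/Makefile"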

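--- /dev/null
+++ b/[path not shown; likely security/ossec-hids-agent/Makefile]
@@ -0,0 +1,7 @@
+# $FreeBSD$
+OSSEC_TYPE= agent
+MASTERDIR= ${.CURDIR}/../ossec-hids-local
+.include "${MASTERDIR}/Makefile"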

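--- a/[path not shown; likely security/ossec-hids-client/Makefile]
+++ /dev/null
@@ -1,13 +0,0 @@
-# Created by: Valerio Daelli <valerio.daelli@gmail.com>
-# $FreeBSD$
-PORTREVISION= 0
-COMMENT= Client port of ossec-hids
-CLIENT_ONLY= yes
-MASTERDIR= ${.CURDIR}/../ossec-hids-server
-PLIST= ${.CURDIR}/pkg-plist.client
-.include "${MASTERDIR}/Makefile"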

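--- a/[path not shown; likely security/ossec-hids-client/pkg-plist.client]
+++ /dev/null
@@ -1,69 +0,0 @@
-%%PORTNAME%%/active-response/bin/disable-account.sh
-%%PORTNAME%%/active-response/bin/firewall-drop.sh
-%%PORTNAME%%/active-response/bin/host-deny.sh
-%%PORTNAME%%/active-response/bin/ip-customblock.sh
-%%PORTNAME%%/active-response/bin/ipfw.sh
-%%PORTNAME%%/active-response/bin/ipfw_mac.sh
-%%PORTNAME%%/active-response/bin/ossec-tweeter.sh
-%%PORTNAME%%/active-response/bin/pf.sh
-%%PORTNAME%%/active-response/bin/restart-ossec.sh
-%%PORTNAME%%/active-response/bin/route-null.sh
-%%PORTNAME%%/bin/agent-auth
-%%PORTNAME%%/bin/manage_agents
-%%PORTNAME%%/bin/ossec-agentd
-%%PORTNAME%%/bin/ossec-control
-%%PORTNAME%%/bin/ossec-execd
-%%PORTNAME%%/bin/ossec-logcollector
-%%PORTNAME%%/bin/ossec-lua
-%%PORTNAME%%/bin/ossec-luac
-%%PORTNAME%%/bin/ossec-syscheckd
-%%PORTNAME%%/bin/util.sh
-@group ossec
-%%PORTNAME%%/etc/shared/cis_debian_linux_rcl.txt
-%%PORTNAME%%/etc/shared/cis_rhel_linux_rcl.txt
-%%PORTNAME%%/etc/shared/cis_rhel5_linux_rcl.txt
-%%PORTNAME%%/etc/shared/rootkit_trojans.txt
-%%PORTNAME%%/etc/shared/rootkit_files.txt
-%%PORTNAME%%/etc/shared/system_audit_rcl.txt
-%%PORTNAME%%/etc/shared/win_malware_rcl.txt
-%%PORTNAME%%/etc/shared/win_audit_rcl.txt
-%%PORTNAME%%/etc/shared/win_applications_rcl.txt
-@sample %%PORTNAME%%/etc/ossec.conf.sample
-%%PORTNAME%%/etc/internal_options.conf
-@owner ossec
-%%PORTNAME%%/logs/ossec.log
-@owner
-%%PORTNAME%%/agentless/main.exp
-%%PORTNAME%%/agentless/sshlogin.exp
-%%PORTNAME%%/agentless/ssh_asa-fwsmconfig_diff
-%%PORTNAME%%/agentless/ssh_foundry_diff
-%%PORTNAME%%/agentless/ssh_pixconfig_diff
-%%PORTNAME%%/agentless/ssh_nopass.exp
-%%PORTNAME%%/agentless/ssh_integrity_check_linux
-%%PORTNAME%%/agentless/ssh_integrity_check_bsd
-%%PORTNAME%%/agentless/ssh_generic_diff
-%%PORTNAME%%/agentless/ssh.exp
-%%PORTNAME%%/agentless/register_host.sh
-%%PORTNAME%%/agentless/su.exp
-@dir %%PORTNAME%%/agentless
-@dir %%PORTNAME%%/active-response/bin
-@dir %%PORTNAME%%/active-response
-@dir %%PORTNAME%%/etc/shared
-@dir %%PORTNAME%%/etc
-@dir %%PORTNAME%%/tmp
-@dir %%PORTNAME%%/var/run
-@dir %%PORTNAME%%/var
-@dir %%PORTNAME%%/queue/syscheck
-@dir %%PORTNAME%%/queue/rids
-@owner ossec
-@dir %%PORTNAME%%/queue/ossec
-@dir %%PORTNAME%%/queue/diff
-@owner
-@dir %%PORTNAME%%/queue/alerts
-@dir %%PORTNAME%%/queue
-@dir %%PORTNAME%%/logs
-@dir %%PORTNAME%%/bin
-@owner ossec
-@dir %%PORTNAME%%/.ssh
-@owner
-@dir %%PORTNAME%%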

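--- /dev/null
+++ b/[path not shown; likely security/ossec-hids-local-config/Makefile]
@@ -0,0 +1,460 @@
+# $FreeBSD$
+PORTNAME= ossec-hids
+PORTVERSION= 3.1.0
+PORTREVISION=
+CATEGORIES= security
+PKGNAMESUFFIX= -${OSSEC_TYPE}-config
+MAINTAINER= dominik.lisiak@bemsoft.pl
+COMMENT= Configuration manager for ossec-hids
+LICENSE= GPLv2
+OSSEC_TYPE?= local
+MASTERDIR?= ${.CURDIR}
+.if ${OSSEC_TYPE} == local
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ossec-hids-agent-* \
+ossec-hids-server-*
+.elif ${OSSEC_TYPE} == agent
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ossec-hids-local-* \
+ossec-hids-server-*
+.elif ${OSSEC_TYPE} == server
+CONFLICTS_INSTALL= ossec-hids-client-* \
+ossec-hids-agent-* \
+ossec-hids-local-*
+.endif
+.if !defined(MAINTAINER_MODE)
+RUN_DEPENDS= ossec-hids-${OSSEC_TYPE}>=${PORTVERSION}:security/ossec-hids-${OSSEC_TYPE}
+.endif
+.if defined(MAINTAINER_MODE)
+USE_GITHUB= yes
+GH_ACCOUNT= ossec
+.else
+MASTER_SITES= #
+DISTFILES= #
+EXTRACT_ONLY= #
+.endif
+NO_BUILD= yes
+NO_ARCH= yes
+OPTIONS_SUB= yes
+OPTIONS_SINGLE= FIREWALL
+OPTIONS_SINGLE_FIREWALL= IPF IPFW PF
+OPTIONS_DEFAULT+= IPF
+FIREWALL_DESC= Active Response Firewall
+PF_DESC= Packet Filter
+IPFW_DESC= ipfirewall
+IPF_DESC= ipfilter
+TEMPL_ENABLED_HEADER= template-header-enabled.xml
+TEMPL_DISABLED_HEADER= template-header-disabled.xml
+TEMPL_SAMPLE_HEADER= template-header-sample.xml
+TEMPL_PUSHED_ENABLED_HEADER= ${TEMPL_ENABLED_HEADER}
+TEMPL_PUSHED_DISABLED_HEADER= ${TEMPL_DISABLED_HEADER}
+TEMPL_SAMPLE= template-sample-${OSSEC_TYPE}.xml
+TEMPL_SAMPLE_DB= template-sample-database.xml
+PF_VARS= FW_DROP=pf.sh PKGMSG_FILES+=message-pf
+IPFW_VARS= FW_DROP=ipfw.sh
+IPF_VARS= FW_DROP=ipfilter.sh
+.if defined(MAINTAINER_MODE)
+OSSEC_HOME= ${PREFIX}/${PORTNAME}
+.else
+OSSEC_HOME?= ${PREFIX}/${PORTNAME}
+.endif
+OSSEC_RC= ${PREFIX}/etc/rc.d/ossec-hids
+TEMPL_TO_OSSEC= ${SCRIPTDIR}/template-to-ossec.sh ${OSSEC_TYPE} ${OSSEC_HOME}
+TEMPL_TO_AGENT= ${SCRIPTDIR}/template-to-agent.sh ${OSSEC_TYPE} ${OSSEC_HOME}
+OSSEC_DIR= ${STAGEDIR}${OSSEC_HOME}
+BIN_DIR= ${OSSEC_DIR}/bin
+CONF_BIN_DIR= ${BIN_DIR}/config
+OSSEC_CONF_BIN= ${CONF_BIN_DIR}/ossec-conf
+AGENT_CONF_BIN= ${CONF_BIN_DIR}/agent-conf
+COMMAND_BIN_DIR= ${BIN_DIR}/command
+AR_BIN_DIR= ${OSSEC_DIR}/active-response/bin
+MERGE_CONFIG_BIN= ${AR_BIN_DIR}/merge-config.sh
+ETC_DIR= ${OSSEC_DIR}/etc
+OSSEC_CONF_DIR= ${ETC_DIR}/ossec.conf.d
+AGENT_CONF_DIR= ${ETC_DIR}/agent.conf.d
+OSSEC_LOCAL_CONF_DIR= ${OSSEC_CONF_DIR}/disabled
+AGENT_LOCAL_CONF_DIR= ${AGENT_CONF_DIR}/disabled
+OSSEC_SAMPLE_CONF= ${OSSEC_CONF_DIR}/900.local.conf.sample
+COMMAND_CONF_DIR= ${ETC_DIR}
+COMMAND_CONF= ${COMMAND_CONF_DIR}/command.conf.sample
+RULES_DIR= ${OSSEC_DIR}/rules
+.if empty(USER)
+USER=$$(${ID} -un)
+.endif
+.if empty(GROUP)
+GROUP=$$(${ID} -gn)
+.endif
+OSSEC_USER= ossec
+OSSEC_GROUP= ossec
+SUB_LIST+= PORTNAME=${PORTNAME} \
+OSSEC_TYPE=${OSSEC_TYPE} \
+OSSEC_HOME=${OSSEC_HOME} \
+VERSION=${PORTVERSION} \
+USER=${USER} \
+OSSEC_USER=${OSSEC_USER} \
+OSSEC_GROUP=${OSSEC_GROUP} \
+OSSEC_RC=${OSSEC_RC} \
+FW_DROP=${FW_DROP}
+SUB_FILES= pkg-install \
+pkg-deinstall \
+${PKGMSG_FILES} \
+${TEMPL_ENABLED_HEADER} \
+${TEMPL_DISABLED_HEADER} \
+${TEMPL_SAMPLE_HEADER} \
+${TEMPL_PUSHED_ENABLED_HEADER} \
+${TEMPL_PUSHED_DISABLED_HEADER} \
+${TEMPL_SAMPLE} \
+merge-config.sh \
+ossec-conf \
+command.conf
+.if ${OSSEC_TYPE} == server
+SUB_FILES+= agent-conf
+.endif
+.if defined(MAINTAINER_MODE)
+PLIST_SUB= OSSEC_HOME=${PORTNAME}
+.else
+PLIST_SUB= OSSEC_HOME=${OSSEC_HOME}
+.endif
+PLIST= ${PKGDIR}/pkg-plist-${OSSEC_TYPE}
+PKGHELP= ${PKGDIR}/pkg-help-${OSSEC_TYPE}
+PKGMESSAGE= ${WRKDIR}/pkg-message
+PKGMSG_FILES= message-ossec-conf
+.if ${OSSEC_TYPE} == server
+PKGMSG_FILES+= message-agent-conf
+.endif
+CONF_GROUPS= RULES AR ROOTCHECK SYSCHECK CMDOUT LOGS
+############################################################
+.for conf_group in ${CONF_GROUPS}
+. include "${MASTERDIR}/opt-${conf_group:tl}.mk"
+${conf_group}_INSTANCE_OPTIONS=
+${conf_group}_PUSHED_OPTIONS=
+. for option in ${${conf_group}_OPTIONS}
+. if ${${option}_DEFINE:M${OSSEC_TYPE}}
+${conf_group}_INSTANCE_OPTIONS+= ${option}
+${conf_group}_ALL_OPTIONS+= ${option}
+. endif
+. if ${${option}_DEFINE:Mpushed}
+. if ${OSSEC_TYPE} == server
+${conf_group}_PUSHED_OPTIONS+= ${option}
+. endif
+. if !${${conf_group}_ALL_OPTIONS:M${option}}
+${conf_group}_ALL_OPTIONS+= ${option}
+. endif
+. endif
+. endfor
+.endfor
+############################################################
+CONFIG_PROFILES=
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_PROFILE)
+. if ${OSSEC_TYPE} == agent
+. if !${CONFIG_PROFILES:M${${conf_group}_PROFILE}}
+CONFIG_PROFILES+= ${${conf_group}_PROFILE}
+. endif
+. endif
+SUB_LIST+= ${conf_group}_PROFILE=${${conf_group}_PROFILE}
+. endif
+. for option in ${${conf_group}_ALL_OPTIONS}
+. if !empty(${option}_PROFILE)
+. if ${OSSEC_TYPE} == agent
+. if !${CONFIG_PROFILES:M${${option}_PROFILE}}
+CONFIG_PROFILES+= ${${option}_PROFILE}
+. endif
+. endif
+SUB_LIST+= ${option}_PROFILE=${${option}_PROFILE}
+. endif
+. endfor
+.endfor
+.for profile in ${CONFIG_PROFILES}
+. if empty(CONFIG_PROFILE_VALUE)
+CONFIG_PROFILE_VALUE:= ${profile}
+. else
+CONFIG_PROFILE_VALUE:= ${CONFIG_PROFILE_VALUE}, ${profile}
+. endif
+.endfor
+SUB_LIST+= CONFIG_PROFILES="${CONFIG_PROFILE_VALUE}"
+############################################################
+.for conf_group in ${CONF_GROUPS}
+. for option in ${${conf_group}_ALL_OPTIONS}
+. if !defined(${option}_TEMPLATE)
+${option}_TEMPLATE= template-${option:tl:S/_/-/g}.xml
+. endif
+. if !empty(${option}_TEMPLATE) && !${SUB_FILES:M${${option}_TEMPLATE}}
+SUB_FILES+= ${${option}_TEMPLATE}
+. endif
+. endfor
+.endfor
+.for file_name in ${RULES_FILES}
+SUB_FILES+= rules-${file_name}.xml
+.endfor
+.for file_name in ${CMDOUT_SCRIPTS}
+SUB_FILES+= command-${file_name}.sh
+.endfor
+############################################################
+.for conf_group in ${CONF_GROUPS}
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if !empty(${option}_DEPENDS) && !empty(${${option}_DEPENDS}_OPTION) && ${${${option}_DEPENDS:S/_/ /:[1]}_INSTANCE_OPTIONS:M${${option}_DEPENDS}}
+${${${option}_DEPENDS}_OPTION}_VARS+= ${conf_group}_INSTANCE_OPTIONS_ENABLED+=${option}
+${${${option}_DEPENDS}_OPTION}_VARS_OFF+= ${conf_group}_INSTANCE_OPTIONS_DISABLED+=${option}
+. elif !empty(${option}_OPTION)
+OPTIONS_GROUP_G_${conf_group}+= ${${option}_OPTION}
+${${option}_OPTION}_DESC= ${${option}_DESC}
+. if ${${option}_DEFAULT:M${OSSEC_TYPE}}
+OPTIONS_DEFAULT+= ${${option}_OPTION}
+. endif
+${${option}_OPTION}_VARS+= ${conf_group}_INSTANCE_OPTIONS_ENABLED+=${option}
+${${option}_OPTION}_VARS_OFF+= ${conf_group}_INSTANCE_OPTIONS_DISABLED+=${option}
+. endif
+. endfor
+. if !empty(OPTIONS_GROUP_G_${conf_group})
+OPTIONS_GROUP+= G_${conf_group}
+G_${conf_group}_DESC= ${${conf_group}_DESC}
+. endif
+.endfor
+############################################################
+.for conf_group in ${CONF_GROUPS}
+. for option in ${${conf_group}_PUSHED_OPTIONS}
+. if !empty(${option}_DEPENDS) && !empty(${${option}_DEPENDS}_OPTION) && ${${${option}_DEPENDS:S/_/ /:[1]}_PUSHED_OPTIONS:M${${option}_DEPENDS}}
+${${${option}_DEPENDS}_OPTION}_P_VARS+= ${conf_group}_PUSHED_OPTIONS_ENABLED+=${option}
+${${${option}_DEPENDS}_OPTION}_P_VARS_OFF+= ${conf_group}_PUSHED_OPTIONS_DISABLED+=${option}
+. elif !empty(${option}_DEPENDS) && !empty(${${option}_DEPENDS}_OPTION) && ${${${option}_DEPENDS:S/_/ /:[1]}_INSTANCE_OPTIONS:M${${option}_DEPENDS}}
+${${${option}_DEPENDS}_OPTION}_VARS+= ${conf_group}_PUSHED_OPTIONS_ENABLED+=${option}
+${${${option}_DEPENDS}_OPTION}_VARS_OFF+= ${conf_group}_PUSHED_OPTIONS_DISABLED+=${option}
+. elif !empty(${option}_OPTION)
+OPTIONS_GROUP_G_${conf_group}_P+= ${${option}_OPTION}_P
+${${option}_OPTION}_P_DESC= ${${option}_DESC}
+. if !empty(${option}_PROFILE)
+${${option}_OPTION}_P_DESC+= (profile: ${${option}_PROFILE})
+. endif
+. if ${${option}_DEFAULT:Mpushed}
+OPTIONS_DEFAULT+= ${${option}_OPTION}_P
+. endif
+${${option}_OPTION}_P_VARS+= ${conf_group}_PUSHED_OPTIONS_ENABLED+=${option}
+${${option}_OPTION}_P_VARS_OFF+= ${conf_group}_PUSHED_OPTIONS_DISABLED+=${option}
+. endif
+. endfor
+. if !empty(OPTIONS_GROUP_G_${conf_group}_P)
+OPTIONS_GROUP+= G_${conf_group}_P
+G_${conf_group}_P_DESC= Pushed ${${conf_group}_DESC}
+. if !empty(${conf_group}_PROFILE)
+G_${conf_group}_P_DESC+= (profile: ${${conf_group}_PROFILE})
+. endif
+. endif
+.endfor
+############################################################
+.include <bsd.port.pre.mk>
+show-opts:
+.for conf_group in ${CONF_GROUPS}
+@${ECHO_CMD} "${conf_group}: ${${conf_group}_DESC}"
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+@${ECHO_CMD} " ${option}: ${${option}_DESC}"
+. if empty(${option}_TEMPLATE)
+@${ECHO_CMD} " Template: -"
+. else
+@${ECHO_CMD} " Template: ${${option}_TEMPLATE}"
+. endif
+. if !empty(${conf_group}_INSTANCE_OPTIONS_ENABLED) && ${${conf_group}_INSTANCE_OPTIONS_ENABLED:M${option}}
+@${ECHO_CMD} " Enabled: true"
+. endif
+. if !empty(${conf_group}_INSTANCE_OPTIONS_DISABLED) && ${${conf_group}_INSTANCE_OPTIONS_DISABLED:M${option}}
+@${ECHO_CMD} " Enabled: false"
+. endif
+. if !empty(${conf_group}_PUSHED_OPTIONS_ENABLED) && ${${conf_group}_PUSHED_OPTIONS_ENABLED:M${option}}
+@${ECHO_CMD} " Pushed: true"
+. endif
+. if !empty(${conf_group}_PUSHED_OPTIONS_DISABLED) && ${${conf_group}_PUSHED_OPTIONS_DISABLED:M${option}}
+@${ECHO_CMD} " Pushed: false"
+. endif
+. endfor
+.endfor
+pre-install:
+@-${OSSEC_HOME}/bin/ossec-dbd -h 2>&1 | ${GREP} -q 'PostgreSQL' && \
+${SED} -e 's|%%OSSEC_HOME%%|${OSSEC_HOME}|g' -e 's|%%DB_TYPE%%|postgresql|g' \
+${FILESDIR}/${TEMPL_SAMPLE_DB}.in > ${WRKDIR}/${TEMPL_SAMPLE_DB}
+@-${OSSEC_HOME}/bin/ossec-dbd -h 2>&1 | ${GREP} -q 'MySQL' && \
+${SED} -e 's|%%OSSEC_HOME%%|${OSSEC_HOME}|g' -e 's|%%DB_TYPE%%|mysql|g' \
+${FILESDIR}/${TEMPL_SAMPLE_DB}.in > ${WRKDIR}/${TEMPL_SAMPLE_DB}
+ossec-dirs:
+@${MKDIR} ${CONF_BIN_DIR} ${COMMAND_BIN_DIR} ${AR_BIN_DIR} ${OSSEC_CONF_DIR} ${OSSEC_LOCAL_CONF_DIR} ${COMMAND_CONF_DIR}
+.if ${OSSEC_TYPE} != agent
+@${MKDIR} ${RULES_DIR}
+.endif
+.if ${OSSEC_TYPE} == server
+@${MKDIR} ${AGENT_CONF_DIR} ${AGENT_LOCAL_CONF_DIR}
+.endif
+ossec-scripts:
+@${CP} ${WRKDIR}/ossec-conf ${OSSEC_CONF_BIN}
+.if ${OSSEC_TYPE} == server
+@${CP} ${WRKDIR}/agent-conf ${AGENT_CONF_BIN}
+.endif
+.for file_name in ${CMDOUT_SCRIPTS}
+@${CP} ${WRKDIR}/command-${file_name}.sh ${COMMAND_BIN_DIR}/${file_name}.sh
+.endfor
+@${CP} ${WRKDIR}/command.conf ${COMMAND_CONF}
+@${CP} ${WRKDIR}/merge-config.sh ${MERGE_CONFIG_BIN}
+ossec-rules:
+.if ${OSSEC_TYPE} != agent
+. for file_name in ${RULES_FILES}
+@${SED} -e 's|<?xml.*?>||' ${WRKDIR}/rules-${file_name}.xml > ${RULES_DIR}/freebsd_${file_name}_rules.xml
+. endfor
+.endif
+ossec-conf-managed:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_INSTANCE_OPTIONS)
+@${CAT} ${WRKDIR}/${TEMPL_ENABLED_HEADER} > ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. if !empty(${conf_group}_INSTANCE_OPTIONS_ENABLED)
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if ${${conf_group}_INSTANCE_OPTIONS_ENABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+@${ECHO_CMD} "<!-- Enabled ${${option}_OPTION} -->" >> ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+@${SH} ${TEMPL_TO_OSSEC} ${WRKDIR}/${${option}_TEMPLATE} >> ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+@${ECHO_CMD} >> ${OSSEC_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+ossec-conf-local:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_INSTANCE_OPTIONS)
+@${CAT} ${WRKDIR}/${TEMPL_DISABLED_HEADER} > ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. if !empty(${conf_group}_INSTANCE_OPTIONS_DISABLED)
+. for option in ${${conf_group}_INSTANCE_OPTIONS}
+. if ${${conf_group}_INSTANCE_OPTIONS_DISABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+@${ECHO_CMD} "<!-- Disabled ${${option}_OPTION} -->" >> ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+@${SH} ${TEMPL_TO_OSSEC} ${WRKDIR}/${${option}_TEMPLATE} >> ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+@${ECHO_CMD} >> ${OSSEC_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+ossec-conf-sample:
+@${CAT} ${WRKDIR}/${TEMPL_SAMPLE_HEADER} > ${OSSEC_SAMPLE_CONF}
+@${ECHO_CMD} >> ${OSSEC_SAMPLE_CONF}
+@${SH} ${TEMPL_TO_OSSEC} ${WRKDIR}/${TEMPL_SAMPLE} >> ${OSSEC_SAMPLE_CONF}
+@${ECHO_CMD} >> ${OSSEC_SAMPLE_CONF}
+@-${TEST} -f ${WRKDIR}/${TEMPL_SAMPLE_DB} && \
+${SH} ${TEMPL_TO_OSSEC} ${WRKDIR}/${TEMPL_SAMPLE_DB} >> ${OSSEC_SAMPLE_CONF} && \
+${ECHO_CMD} >> ${OSSEC_SAMPLE_CONF}
+agent-conf-managed:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_PUSHED_OPTIONS)
+@${CAT} ${WRKDIR}/${TEMPL_PUSHED_ENABLED_HEADER} > ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. if !empty(${conf_group}_PUSHED_OPTIONS_ENABLED)
+. for option in ${${conf_group}_PUSHED_OPTIONS}
+. if ${${conf_group}_PUSHED_OPTIONS_ENABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+@${ECHO_CMD} "<!-- Enabled ${${option}_OPTION}_P -->" >> ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+@${SH} ${TEMPL_TO_AGENT} ${WRKDIR}/${${option}_TEMPLATE} >> ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+@${ECHO_CMD} >> ${AGENT_CONF_DIR}/${${conf_group}_MANAGED_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+agent-conf-local:
+.for conf_group in ${CONF_GROUPS}
+. if !empty(${conf_group}_PUSHED_OPTIONS)
+@${CAT} ${WRKDIR}/${TEMPL_PUSHED_DISABLED_HEADER} > ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. if !empty(${conf_group}_PUSHED_OPTIONS_DISABLED)
+. for option in ${${conf_group}_PUSHED_OPTIONS}
+. if ${${conf_group}_PUSHED_OPTIONS_DISABLED:M${option}}
+. if !empty(${option}_TEMPLATE)
+@${ECHO_CMD} "<!-- Disabled ${${option}_OPTION}_P -->" >> ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+@${SH} ${TEMPL_TO_AGENT} ${WRKDIR}/${${option}_TEMPLATE} >> ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+@${ECHO_CMD} >> ${AGENT_LOCAL_CONF_DIR}/${${conf_group}_LOCAL_CONF}
+. endif
+. endif
+. endfor
+. endif
+. endif
+.endfor
+do-install: ossec-dirs ossec-scripts ossec-rules ossec-conf-managed ossec-conf-local ossec-conf-sample agent-conf-managed agent-conf-local
+ossec-permissions:
+@${CHMOD} -R 550 ${OSSEC_DIR}
+@${CHMOD} 640 ${COMMAND_CONF} ${OSSEC_CONF_DIR}/* ${OSSEC_LOCAL_CONF_DIR}/*
+@${CHMOD} 550 ${OSSEC_CONF_DIR} ${OSSEC_LOCAL_CONF_DIR}
+.if ${OSSEC_TYPE} != agent
+@${CHMOD} 640 ${RULES_DIR}/*
+.endif
+.if ${OSSEC_TYPE} == server
+@${CHMOD} 640 ${AGENT_CONF_DIR}/* ${AGENT_LOCAL_CONF_DIR}/*
+@${CHMOD} 550 ${AGENT_CONF_DIR} ${AGENT_LOCAL_CONF_DIR}
+.endif
+.if defined(MAINTAINER_MODE)
+@${CHOWN} -R ${USER}:${OSSEC_GROUP} ${OSSEC_DIR}
+@${CHOWN} -R ${USER}:${GROUP} ${BIN_DIR}
+.endif
+post-install: ossec-permissions
+@${ECHO_CMD} -n > ${PKGMESSAGE}
+.for file_name in ${PKGMSG_FILES}
+@${CAT} ${WRKDIR}/${file_name} >> ${PKGMESSAGE}
+@${ECHO_CMD} >> ${PKGMESSAGE}
+.endfor
+.if defined(MAINTAINER_MODE)
+plist: makeplist
+@${SCRIPTDIR}/plist.sh ${OSSEC_TYPE} ${OSSEC_HOME} ${PLIST} ${WRKDIR} ${STAGEDIR}
+rules: extract
+@${SCRIPTDIR}/rules.sh ${FILESDIR}/${RULES_DEFAULT_TEMPLATE}.in ${WRKSRC}
+.endif
+.include <bsd.port.post.mk>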
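Review bot: The dependency branches in the two option loops (the `.if !empty(${option}_DEPENDS) && ...` lines using `${${option}_DEPENDS:S/_/ /:[1]}`) resolve the conf group of a dependency by taking the text before the first underscore of the name given in `<OPT>_DEPENDS`, so every option defined in the `opt-*.mk` files must be spelled `<GROUP>_<NAME>` with `<GROUP>` in `CONF_GROUPS`; nothing in the file states that contract, and a name of another shape would look up an empty `_INSTANCE_OPTIONS`/`_PUSHED_OPTIONS` list and fall through to the `.elif` as if it had no dependency. A header comment above `CONF_GROUPS` would make the convention explicit: `# Options declared in opt-<group>.mk are named <GROUP>_<NAME>; <OPT>_DEPENDS is resolved by taking the text before the first underscore as the group.` The `pre-install` target probes database support by grepping `ossec-dbd -h` of the already installed run-dependency, with `@-` hiding any failure; a one-line comment saying that this silently yields no database sample when the probe fails would save the next maintainer a debugging session.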

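--- /dev/null
+++ b/[path not shown; a distinfo file]
@@ -0,0 +1,3 @@
+TIMESTAMP = 1539459620
+SHA256 (ossec-ossec-hids-3.1.0_GH0.tar.gz) = e0e2987751badb95c2bf618531c7853b2289c910f796da85ff394c0faea43f50
+SIZE (ossec-ossec-hids-3.1.0_GH0.tar.gz) = 1886469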

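--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,33 @@
+#!/bin/sh
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+agent_conf_dir="${ossec_home}/etc/agent.conf.d"
+agent_conf_files="${agent_conf_dir}/*.conf"
+select_elements() {
+local element="$1"
+sed -n "/<${element}.*>/,/<\/${element}>/p"
+}
+remove_comments() {
+# Comments must be on separate lines i.e. not next to uncommented code
+awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
+}
+remove_empty_lines() {
+sed '/^\s*$/d'
+}
+agent_conf() {
+echo "<!-- OSSEC HIDS %%VERSION%% -->"
+echo
+echo "<!-- DO NOT EDIT - file generated automatically - edit \"agent.conf.d/900.local.conf\" instead -->"
+echo
+cat $@ | remove_comments | select_elements "agent_config" | remove_empty_lines
+}
+agent_conf "${agent_conf_files}"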
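Review bot: The third pattern in `remove_comments`, `/([\s\S]*)/`, does not mean "any character" in awk: inside a bracket expression `\s` and `\S` are not character classes, so the group is a set of a few literal characters repeated zero or more times, which matches every line whatever `\s` is taken to mean — the script works, but by accident, and it reads as if it relied on a PCRE feature. A pattern-less action states the intent directly and is portable: `awk '/<!--/ {off=1} /-->/ {off=2} {if (off==0) print; if (off==2) off=0}'`. The same construct is copied into `remove_comments` of the ossec-conf script further down, and both scripts use `sed '/^\s*$/d'` in `remove_empty_lines`; I am not certain FreeBSD's regex library honours `\s` there, and `[[:space:]]` is the portable spelling. `cat $@` relies on the unquoted expansion to expand the `*.conf` pattern passed as a single argument, which deserves a one-line comment since it looks like a quoting mistake.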

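--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,8 @@
+#!/bin/sh
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+ossec_home="%%OSSEC_HOME%%"
+. "${ossec_home}/etc/command.conf"
+last -n ${last_logins}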

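--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,19 @@
+#!/bin/sh
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+family=$1
+protocol=$2
+ports=$3
+if [ -z "${ports}" ]; then
+privileged_ports="1-$((`sysctl -n net.inet.ip.portrange.first` - 1))"
+ossec_home="%%OSSEC_HOME%%"
+. "${ossec_home}/etc/command.conf"
+ports="privileged_${protocol}_ports"
+eval ports=\$${ports}
+fi
+sockstat -l -${family} -P ${protocol} -p ${ports} | grep -Eo '[^[:space:]]+:[0-9]+' | sort -u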
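Review bot: `eval ports=\$${ports}` builds a variable name from the `protocol` argument and evaluates it; the arguments come from the port's own localfile templates (`open-ports.sh 4 tcp`), so this is not untrusted input today, but a `case` on the two supported protocols is as short, removes the `eval`, and rejects a typo in a future template instead of handing an empty `-p` to sockstat. The `sysctl` substitution on the `privileged_ports` line is also unchecked: if it prints nothing the range becomes `1--1`. Both are in the `if [ -z "${ports}" ]` branch.
```shell
if [ -z "${ports}" ]; then
	# … unchanged: privileged_ports, ossec_home, sourcing of command.conf …
	case "${protocol}" in
	tcp) ports="${privileged_tcp_ports}" ;;
	udp) ports="${privileged_udp_ports}" ;;
	*)
		echo "$0: unsupported protocol: ${protocol}" >&2
		exit 1
		;;
	esac
fi
```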

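--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,6 @@
+#!/bin/sh
+last_logins=5
+privileged_tcp_ports=${privileged_ports},10050-10051
+privileged_udp_ports=${privileged_ports}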
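Review bot: `${privileged_ports}` is referenced but never set in this file; it only has a value because the open-ports command script assigns it before sourcing this file, and `10050-10051` is an unexplained constant (presumably a monitoring agent/server port pair, but the page does not say). Anyone editing this file from `etc/` has no way to know either, so two comments would help: `# privileged_ports is set by bin/command/open-ports.sh before this file is sourced` above the assignments, and a short note on what the `10050-10051` range stands for.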

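--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,32 @@
+#!/bin/sh
+# This script is part of FreeBSD port - report any issues to the port MAINTAINER
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+ossec_rc="%%OSSEC_RC%%"
+ACTION=$1
+USER=$2
+IP=$3
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../../tmp
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
+case ${ACTION} in
+add)
+"${ossec_rc}" merge_config
+exit 0
+;;
+delete)
+exit 0
+;;
+*)
+echo "$0: invalid action: ${ACTION}"
+exit 1
+;;
+esac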
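Review bot: The two `cd` calls (`cd $LOCAL` and `cd ../../tmp`) are unchecked and `$LOCAL` is unquoted, so if either fails the script silently carries on from whatever directory it was started in; every later path here is absolute, so the directory change is only the upstream active-response convention, but it should still fail closed: `cd "$(dirname "$0")/../../tmp" || exit 1`. `exit 0` under `add)` also discards the result of `"${ossec_rc}" merge_config`, so a failed merge is logged nowhere; `"${ossec_rc}" merge_config; exit $?` would at least surface it to ossec-execd.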

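--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+The "agent.conf" must no longer be used for configuration. It will be
+overwritten by merged "*.conf" files from the configuration directory:
+%%OSSEC_HOME%%/etc/agent.conf.d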

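--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+The "ossec.conf" must no longer be used for configuration. It will be
+overwritten by merged "*.conf" files from the configuration directory:
+%%OSSEC_HOME%%/etc/ossec.conf.d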

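--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,4 @@
+Add the ossec_fwtable to /etc/pf.conf if using "firewall-drop" active response:
+table <ossec_fwtable> persist
+block in quick from <ossec_fwtable> to any
+block out quick from any to <ossec_fwtable>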

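--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,60 @@
+#!/bin/sh
+ossec_type="%%OSSEC_TYPE%%"
+ossec_home="%%OSSEC_HOME%%"
+ossec_conf_dir="${ossec_home}/etc/ossec.conf.d"
+ossec_conf_files="${ossec_conf_dir}/*.conf"
+select_elements_content() {
+local element="$1"
+sed -n "/<${element}>/,/<\/${element}>/{ /<${element}>/d; /<\/${element}>/d; p; }"
+}
+remove_elements() {
+local element="$1"
+sed -e "/<${element}>/,/<\/${element}>/d"
+}
+remove_comments() {
+# Comments must be on separate lines i.e. not next to uncommented code
+awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
+}
+remove_empty_lines() {
+sed '/^\s*$/d'
+}
+ossec_conf() {
+echo "<!-- OSSEC HIDS %%VERSION%% -->"
+echo
+echo "<!-- DO NOT EDIT - file generated automatically - edit \"ossec.conf.d/900.local.conf\" instead -->"
+echo
+echo "<ossec_config>"
+if [ "${ossec_type}" != "agent" ]; then
+if cat $@ | remove_comments | grep -q "<rules>"; then
+echo " <rules>"
+cat $@ | remove_comments | select_elements_content "rules" | remove_empty_lines
+echo " </rules>"
+fi
+fi
+if cat $@ | remove_comments | grep -q "<rootcheck>"; then
+echo " <rootcheck>"
+cat $@ | remove_comments | select_elements_content "rootcheck" | remove_empty_lines
+echo " </rootcheck>"
+fi
+if cat $@ | remove_comments | grep -q "<syscheck>"; then
+echo " <syscheck>"
+cat $@ | remove_comments | select_elements_content "syscheck" | remove_empty_lines
+echo " </syscheck>"
+fi
+cat $@ | remove_comments | select_elements_content "ossec_config" | remove_elements "rules" | remove_elements "rootcheck" | remove_elements "syscheck" | remove_empty_lines
+echo "</ossec_config>"
+}
+ossec_conf "${ossec_conf_files}"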
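Review bot: The three `if cat $@ | remove_comments | grep -q "<...>"` blocks in `ossec_conf` are the same five lines with the element name changed, which is the kind of repetition that drifts the next time a merged section is added; a `merge_section` helper keeps the behaviour (including the deliberately unquoted `$@`, which is what expands the `*.conf` pattern) and makes the section list readable at a glance. Note that the generated file is later watched by the syscheck rules on this page, so any change to the output format here also changes what those rules see.
```shell
# Emit one merged <name> section if any input file contains it.
# $@ is left unquoted on purpose: the caller passes a glob pattern.
merge_section() {
	local name="$1"
	shift
	if cat $@ | remove_comments | grep -q "<${name}>"; then
		echo " <${name}>"
		cat $@ | remove_comments | select_elements_content "${name}" | remove_empty_lines
		echo " </${name}>"
	fi
}
ossec_conf() {
	# … unchanged: header comments and the <ossec_config> open tag …
	if [ "${ossec_type}" != "agent" ]; then
		merge_section "rules" "$@"
	fi
	merge_section "rootcheck" "$@"
	merge_section "syscheck" "$@"
	# … unchanged: remaining <ossec_config> content and the close tag …
}
```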

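--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,10 @@
+#!/bin/sh
+ossec_home="%%OSSEC_HOME%%"
+ossec_conf="${ossec_home}/etc/ossec.conf"
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+if [ "$2" == "DEINSTALL" ]; then
+rm -f "${ossec_conf}"
+rm -f "${agent_conf}"
+fi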
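Review bot: `[ "$2" == "DEINSTALL" ]` uses `==`, which is not a POSIX `test` operator; FreeBSD's `/bin/sh` accepts it as an extension as far as I know, but `=` is the portable spelling and costs nothing: `if [ "$2" = "DEINSTALL" ]; then`. The same comparison appears in the pkg-install script that follows. Separately, pkg-install renames a pre-existing `ossec.conf` to `ossec.conf.bak` while this script only deletes the generated file, so after deinstall the base port is left with no `ossec.conf` at all; either restore the `.bak` here when it exists, or say in a comment that the user is expected to do so.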

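--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,32 @@
+#!/bin/sh
+ossec_home="%%OSSEC_HOME%%"
+ar_bin_dir="${ossec_home}/active-response/bin"
+ossec_conf="${ossec_home}/etc/ossec.conf"
+ossec_conf_bak="${ossec_conf}.bak"
+agent_conf="${ossec_home}/etc/shared/agent.conf"
+agent_conf_bak="${ossec_home}/etc/agent.conf.bak"
+if [ "$2" == "POST-INSTALL" ]; then
+ln -f "${ar_bin_dir}/%%FW_DROP%%" "${ar_bin_dir}/firewall-drop.sh"
+if [ -e "${ossec_conf}" ]; then
+mv -f "${ossec_conf}" "${ossec_conf_bak}"
+echo
+echo "WARNING:"
+echo " Existing \"${ossec_conf}\" has been saved to \"${ossec_conf_bak}\"."
+echo
+fi
+case "$1" in
+ossec-hids-server*)
+if [ -e "${agent_conf}" ]; then
+mv -f "${agent_conf}" "${agent_conf_bak}"
+echo
+echo "WARNING:"
+echo " Existing \"${agent_conf}\" has been saved to \"${agent_conf_bak}\"."
+echo
+fi
+;;
+esac
+fi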
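Review bot: `ln -f "${ar_bin_dir}/%%FW_DROP%%" "${ar_bin_dir}/firewall-drop.sh"` replaces `firewall-drop.sh` unconditionally, and the removed 2.8.3 client plist earlier on this page lists `active-response/bin/firewall-drop.sh` as a file shipped by the base port; if the 3.1.0 base port still installs it (its plist is not on this page), this overwrites another package's file and `pkg check` will report it as modified. It also assumes the selected `%%FW_DROP%%` exists — that same old plist has `ipfw.sh` and `pf.sh` but no `ipfilter.sh`, and IPF is the default option in the config Makefile — so the link deserves a guard: `[ -e "${ar_bin_dir}/%%FW_DROP%%" ] || { echo "$0: missing ${ar_bin_dir}/%%FW_DROP%%" >&2; exit 1; }`. The `agent.conf` backup lands in `etc/` rather than next to the original in `etc/shared/`, which the warning message does state, so that is fine.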

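--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<group name="ossec,">
+<rule id="56041" level="1">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-last-logins'</match>
+<check_diff />
+<description>List of the last logged in users.</description>
+</rule>
+<rule id="56042" level="1">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-tcp4-all'</match>
+<check_diff />
+<description>Listening IPv4 TCP port opened or closed.</description>
+</rule>
+<rule id="56043" level="7">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-tcp4'</match>
+<check_diff />
+<description>Listening IPv4 TCP port opened or closed.</description>
+</rule>
+<rule id="56044" level="1">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-tcp6-all'</match>
+<check_diff />
+<description>Listening IPv6 TCP port opened or closed.</description>
+</rule>
+<rule id="56045" level="7">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-tcp6'</match>
+<check_diff />
+<description>Listening IPv6 TCP port opened or closed.</description>
+</rule>
+<rule id="56046" level="1">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-udp4-all'</match>
+<check_diff />
+<description>Listening IPv4 UDP port opened or closed.</description>
+</rule>
+<rule id="56047" level="7">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-udp4'</match>
+<check_diff />
+<description>Listening IPv4 UDP port opened or closed.</description>
+</rule>
+<rule id="56048" level="1">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-udp6-all'</match>
+<check_diff />
+<description>Listening IPv6 UDP port opened or closed.</description>
+</rule>
+<rule id="56049" level="7">
+<if_sid>530</if_sid>
+<match>ossec: output: 'freebsd-open-ports-udp6'</match>
+<check_diff />
+<description>Listening IPv6 UDP port opened or closed.</description>
+</rule>
+</group>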
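Review bot: The level split is undocumented: the `-all` aliases sit at level 1 and the unsuffixed ones at level 7, which only makes sense once you know from the localfile templates further down that the unsuffixed commands are run without a port range and therefore watch privileged ports only; the paired descriptions are identical, so a reader of the generated rules file cannot tell the two apart. A comment under `<group>`, `<!-- "-all" aliases cover every port (level 1); the others cover privileged ports only, see etc/command.conf (level 7) -->`, plus distinct descriptions such as `Listening privileged IPv4 TCP port opened or closed.` would fix that. Rule ids 56041–56049, like the 56001–56024 ids in the syscheck rules file that follows, are outside the range OSSEC documents for site-local rules (100000–119999), so it is worth confirming they do not collide with an upstream rule set in 3.1.0 before shipping them.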

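--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<group name="ossec,">
+<rule id="56001" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>%%OSSEC_HOME%%/etc/ossec.conf.d</match>
+<description>ossec.conf.d has been modified</description>
+</rule>
+<rule id="56002" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>%%OSSEC_HOME%%/etc/ossec.conf</match>
+<description>ossec.conf has been modified</description>
+</rule>
+<rule id="56003" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>/var/ossec/etc/ossec.conf.d</match>
+<description>ossec.conf.d has been modified</description>
+</rule>
+<rule id="56004" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>/var/ossec/etc/ossec.conf</match>
+<description>ossec.conf has been modified</description>
+</rule>
+<rule id="56021" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>%%OSSEC_HOME%%/etc/agent.conf.d</match>
+<description>agent.conf.d has been modified</description>
+</rule>
+<rule id="56022" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>/var/ossec/etc/agent.conf.d</match>
+<description>agent.conf.d has been modified</description>
+</rule>
+<rule id="56023" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>/var/ossec/etc/agent.conf.d</match>
+<description>agent.conf.d has been modified</description>
+</rule>
+<rule id="56024" level="10" ignore="10">
+<if_group>syscheck</if_group>
+<match>/var/ossec/etc/shared/agent.conf</match>
+<description>agent.conf has been modified</description>
+</rule>
+</group>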
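Review bot: Rules 56003, 56004, 56023 and 56024 repeat the `%%OSSEC_HOME%%` rules with a hard-coded `/var/ossec` prefix and nothing says why; I assume they are meant for agents installed with the upstream default prefix reporting to this server, but a reader of the generated `freebsd_*_rules.xml` cannot tell, and a future cleanup could drop them as duplicates. One comment above 56003, `<!-- Same checks for agents installed under the upstream default prefix /var/ossec -->`, settles it. Since `<match>` is a substring match, `%%OSSEC_HOME%%/etc/ossec.conf` (56002) also matches every path under `ossec.conf.d/`, so a change to a `.d` file fires both 56001 and 56002 — and via the restart-ossec template further down, a restart in addition to the merge; if that double trigger is intended, say so, otherwise 56002 needs a stricter pattern.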

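--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+<command>
+<name>host-deny</name>
+<executable>host-deny.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+<command>
+<name>firewall-drop</name>
+<executable>firewall-drop.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+<command>
+<name>disable-account</name>
+<executable>disable-account.sh</executable>
+<expect>user</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+<command>
+<name>restart-ossec</name>
+<executable>restart-ossec.sh</executable>
+<expect></expect>
+</command>
+<command>
+<name>route-null</name>
+<executable>route-null.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+</template_config>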

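--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+<command>
+<name>merge-config</name>
+<executable>merge-config.sh</executable>
+<expect></expect>
+</command>
+</template_config>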

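--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+<active-response>
+<!-- Block the IP on the firewall. -->
+<!-- See: http://www.ossec.net/docs/syntax/head_ossec_config.active-response.html#active-response-options -->
+<command>firewall-drop</command>
+<location>local</location>
+<level>6</level>
+<timeout>600</timeout>
+</active-response>
+</template_config>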
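Review bot: This enables an automatic firewall block of `srcip` for every alert at level 6 or above, for 600 seconds, and the host-deny template that follows does the same through hosts.deny; a noisy rule or a log line carrying a forged source address then locks that address out, the operator's own included. The standard mitigation is a `<white_list>` of management addresses in the `<global>` section, which this template cannot carry, so the comment should point there instead of only describing the action: `<!-- Every level 6+ alert blocks the source IP for 600 s. Add trusted addresses to <white_list> in <global> to avoid locking yourself out. -->`.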

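--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<template_config>
+<active-response>
+<!-- Deny the IP in "/etc/hosts.allow" or "/etc/hosts.deny". -->
+<command>host-deny</command>
+<location>local</location>
+<level>6</level>
+<timeout>600</timeout>
+</active-response>
+</template_config>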

View File

@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<active-response>
<!-- Create "ossec.conf" and "agent.conf" if "ossec.conf.d/*" or "agent.conf.d/*" files change. -->
<command>merge-config</command>
<location>local</location>
<rules_id>56001,56003,56021,56023</rules_id>
</active-response>
</template_config>
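Review bot: merge-config (L1011-L1013) runs on the syscheck alerts for the ossec.conf.d and agent.conf.d files and rewrites ossec.conf/agent.conf, which in turn presumably raise the rules (56002, 56004, 56022, 56024) that trigger restart-ossec in the next template (L1024-L1026); every edit to a fragment therefore becomes a rewrite followed by a daemon restart, and a burst of edits can keep the daemon restarting. Rule 56024 (L920, above) carries `ignore="10"` which caps that for agent.conf; confirm 56002, 56004 and 56022 carry the same window, since they are not visible here. Worth stating in the template: `<!-- The merged file change fires rules 56002/56004/56022/56024, which restart OSSEC; keep the ignore= window on those rules. -->`.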


@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<active-response>
<!-- Restart OSSEC if "ossec.conf" or "agent.conf" changes. -->
<command>restart-ossec</command>
<location>local</location>
<rules_id>56002,56004,56022,56024</rules_id>
</active-response>
</template_config>


@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/last-logins.sh</command>
<alias>freebsd-last-logins</alias>
</localfile>
</template_config>


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 tcp 1-65535</command>
<alias>freebsd-open-ports-tcp4-all</alias>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 tcp</command>
<alias>freebsd-open-ports-tcp4</alias>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 tcp 1-65535</command>
<alias>freebsd-open-ports-tcp6-all</alias>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 tcp</command>
<alias>freebsd-open-ports-tcp6</alias>
</localfile>
</template_config>


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 udp 1-65535</command>
<alias>freebsd-open-ports-udp4-all</alias>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 4 udp</command>
<alias>freebsd-open-ports-udp4</alias>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 udp 1-65535</command>
<alias>freebsd-open-ports-udp6-all</alias>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>%%OSSEC_HOME%%/bin/command/open-ports.sh 6 udp</command>
<alias>freebsd-open-ports-udp6</alias>
</localfile>
</template_config>


@ -0,0 +1,10 @@
<!-- OSSEC HIDS %%VERSION%% -->
<!-- DO NOT EDIT - file generated automatically using disabled port options -->
<!--
You can indirectly edit this file by copying it to the parent directory.
The copied file will not be deleted or modified during port removal or
upgrades.
-->


@ -0,0 +1,4 @@
<!-- OSSEC HIDS %%VERSION%% -->
<!-- DO NOT EDIT - file generated automatically using enabled port options -->


@ -0,0 +1 @@
<!-- Place customized configuration here - it will not be overwritten during upgrades. -->


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%LOGS_APACHE_PROFILE%%">
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd-error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd-access.log</location>
</localfile>
</template_config>
<template_config os="Linux" profile="%%LOGS_APACHE_PROFILE%%">
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
</template_config>


@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%LOGS_BASIC_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/security</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/userlog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/xferlog</location>
</localfile>
</template_config>
<template_config os="Linux" profile="%%LOGS_BASIC_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/kern.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
</template_config>


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%LOGS_NGINX_PROFILE%%">
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/access.log</location>
</localfile>
</template_config>
<template_config os="Linux" profile="%%LOGS_NGINX_PROFILE%%">
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/access.log</location>
</localfile>
</template_config>


@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%LOGS_OSSEC_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>%%OSSEC_HOME%%/logs/active-responses.log</location>
</localfile>
</template_config>
<template_config os="Linux" profile="%%LOGS_OSSEC_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</template_config>


@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%LOGS_RADIUS_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/radius.log</location>
</localfile>
</template_config>
<template_config os="Linux" profile="%%LOGS_RADIUS_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/freeradius/radius.log</location>
</localfile>
</template_config>


@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%LOGS_VSFTPD_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/vsftpd.log</location>
</localfile>
</template_config>
<template_config os="Linux" profile="%%LOGS_VSFTPD_PROFILE%%">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/vsftpd.log</location>
</localfile>
</template_config>


@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%ROOTCHECK_BASIC_PROFILE%%">
<rootcheck>
<rootkit_files>%%OSSEC_HOME%%/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>%%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>%%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt</system_audit>
</rootcheck>
</template_config>
<template_config os="Linux" profile="%%ROOTCHECK_BASIC_PROFILE%%">
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
</rootcheck>
</template_config>


@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="Linux" profile="%%ROOTCHECK_CIS_L1_PROFILE%%">
<rootcheck>
<system_audit>/var/ossec/etc/shared/cis_debianlinux7-8_L1_rcl.txt</system_audit>
</rootcheck>
</template_config>


@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="Linux" profile="%%ROOTCHECK_CIS_L2_PROFILE%%">
<rootcheck>
<system_audit>/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt</system_audit>
</rootcheck>
</template_config>


@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="Linux" profile="%%ROOTCHECK_CIS_PROFILE%%">
<rootcheck>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
</rootcheck>
</template_config>


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<rules>
<include>freebsd_cmdout_rules.xml</include>
</rules>
</template_config>


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<rules>
<include>freebsd_config_rules.xml</include>
</rules>
</template_config>


@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<rules>
<include>rules_config.xml</include>
<include>ossec_rules.xml</include>
<include>syslog_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>postfix_rules.xml</include>
<include>spamd_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>courier_rules.xml</include>
<include>firewall_rules.xml</include>
<include>pix_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>pam_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>sshd_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>named_rules.xml</include>
<include>exim_rules.xml</include>
<include>smbd_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>ms-se_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>ms_ipsec_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ids_rules.xml</include>
<include>apache_rules.xml</include>
<include>web_rules.xml</include>
<include>zeus_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>squid_rules.xml</include>
<include>attack_rules.xml</include>
<include>systemd_rules.xml</include>
<include>firewalld_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>openbsd_rules.xml</include>
<include>apparmor_rules.xml</include>
<include>clam_av_rules.xml</include>
<include>openbsd-dhcpd_rules.xml</include>
<include>nsd_rules.xml</include>
<include>owncloud_rules.xml</include>
<include>proxmox-ve_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>dnsmasq_rules.xml</include>
<include>linux_usbdetect_rules.xml</include>
<include>ms1016_usbdetect_rules.xml</include>
<include>ms_firewall_rules.xml</include>
<include>psad_rules.xml</include>
<include>unbound_rules.xml</include>
<include>local_rules.xml</include>
<!-- Files not included by default -->
<!--<include>policy_rules.xml</include>-->
</rules>
</template_config>


@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<client>
<!-- Specify the IP address of the %%PORTNAME%% server. -->
<server-ip>1.2.3.4</server-ip>
<!-- Alternatively, specify the hostname of the %%PORTNAME%% server. -->
<!-- <server-hostname>example.com</server-hostname> -->
<!-- Specifies the agent.conf profiles to be used by the agent. Multiple profiles can be included, separated by a comma and a space. -->
<!-- <config-profile>%%CONFIG_PROFILES%%</config-profile> -->
</client>
</template_config>
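Review bot: `<server-ip>1.2.3.4</server-ip>` at L1442 is a real, routable address, so an agent started from the generated ossec.conf before the operator edits it will presumably try to reach a host nobody here controls. Use a reserved documentation address instead, `<server-ip>192.0.2.1</server-ip>` (RFC 5737 TEST-NET-1), and keep the comment at L1441 that the value must be replaced.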


@ -0,0 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<!-- Run "%%OSSEC_HOME%%/bin/ossec-control enable database" to enable ossec-dbd. -->
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>secret</password>
<database>ossec</database>
<type>%%DB_TYPE%%</type>
</database_output>
</template_config>
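Review bot: The `<database_output>` block at L1456-L1462 is emitted live with `<password>secret</password>`, although the comment at L1455 says ossec-dbd is off until `ossec-control enable database` is run; that puts a default credential into the merged ossec.conf of every install, and anyone who later enables the database without editing the block inherits `ossec`/`secret`. Comment the block out the way the email block in the global templates is (L1472-L1477), so enabling it is a deliberate edit, and replace the sample value with an obvious placeholder such as `<password>CHANGE_ME</password>`.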


@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<global>
<!-- Uncomment to enable email notifications. -->
<!--
<email_notification>yes</email_notification>
<email_to>example@example.com</email_to>
<smtp_server>smtp.example.com</smtp_server>
<email_from>ossecm@example.com</email_from>
-->
<!-- List of IP addresses that should never be blocked by the active response (one per element). -->
<white_list>127.0.0.1</white_list>
</global>
</template_config>


@ -0,0 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<remote>
<connection>secure</connection>
<!-- OSSEC server listens on all interfacees by default. -->
<!-- <local_ip>1.2.3.4</local_ip> -->
</remote>
<global>
<!-- Uncomment to enable email notifications. -->
<!--
<email_notification>yes</email_notification>
<email_to>example@example.com</email_to>
<smtp_server>smtp.example.com</smtp_server>
<email_from>ossecm@example.com</email_from>
-->
<!-- List of IP addresses that should never be blocked by the active response (one per element). -->
<white_list>127.0.0.1</white_list>
</global>
</template_config>
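Review bot: `interfacees` in the comment at L1490 is a typo: `<!-- OSSEC server listens on all interfaces by default. -->`. The `<global>` block at L1493-L1503 duplicates the local template at L1470-L1480 line for line; if the two are meant to stay in sync, a one-line comment saying so in both files would save the next editor from changing only one.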


@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%SYSCHECK_BASIC_PROFILE%%">
<syscheck>
<directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories>
<directories realtime="yes" check_all="yes">/etc,%%PREFIX%%/etc</directories>
</syscheck>
</template_config>
<template_config os="Linux" profile="%%SYSCHECK_BASIC_PROFILE%%">
<syscheck>
<directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
<directories realtime="yes" check_all="yes">/etc,/usr/local/etc</directories>
</syscheck>
</template_config>


@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD">
<syscheck>
<ignore>/etc/hosts.allow</ignore>
</syscheck>
</template_config>
<template_config os="Linux">
<syscheck>
<ignore>/etc/hosts.deny</ignore>
</syscheck>
</template_config>
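Review bot: Ignoring /etc/hosts.allow (FreeBSD, L1529) and /etc/hosts.deny (Linux, L1534) in syscheck removes integrity alerting for a file that governs remote access; the trade-off is justified only because host-deny rewrites that file on every response (L996), which is presumably why the option depends on AR_HOSTDENY (L1797). The template itself does not say this, so someone copying it into a local file loses the context; add `<!-- host-deny rewrites this file on every response; ignore it only while HOSTDENY_AR is enabled, otherwise changes to it go unalerted. -->` above each `<ignore>`.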


@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD">
<syscheck>
<alert_new_files>yes</alert_new_files>
</syscheck>
</template_config>
<template_config os="Linux">
<syscheck>
<alert_new_files>yes</alert_new_files>
</syscheck>
</template_config>


@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD">
<syscheck>
<auto_ignore>no</auto_ignore>
</syscheck>
</template_config>
<template_config os="Linux">
<syscheck>
<auto_ignore>no</auto_ignore>
</syscheck>
</template_config>


@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%SYSCHECK_OSSEC_PROFILE%%">
<syscheck>
<directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_BIN_DIRS%%</directories>
<directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_ETC_DIRS%%</directories>
</syscheck>
</template_config>
<template_config os="Linux" profile="%%SYSCHECK_OSSEC_PROFILE%%">
<syscheck>
<directories realtime="yes" check_all="yes">/var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless</directories>
<directories realtime="yes" check_all="yes">/var/ossec/etc,/var/ossec/rules</directories>
</syscheck>
</template_config>


@ -0,0 +1,46 @@
AR_MANAGED_CONF= 110.active-response.conf
AR_LOCAL_CONF= 510.active-response.local.conf
AR_DESC= Active Response
# Default commands
AR_CMDS_DEFAULT_OPTION= DEFAULT_C
AR_CMDS_DEFAULT_DESC= Commands provided by OSSEC
AR_CMDS_DEFAULT_DEFINE= server local
AR_CMDS_DEFAULT_DEFAULT=server local
AR_OPTIONS+= AR_CMDS_DEFAULT
# Config merge commands
AR_CMDS_MERGE_OPTION= MERGE_C
AR_CMDS_MERGE_DESC= Commands to merge configuration files
AR_CMDS_MERGE_DEFINE= server local
AR_CMDS_MERGE_DEFAULT= server local
AR_OPTIONS+= AR_CMDS_MERGE
# Config merge active response
AR_MERGE_OPTION= MERGE_AR
AR_MERGE_DESC= Merge configuration files when they change
AR_MERGE_DEFINE= server local
AR_MERGE_DEFAULT= server local
AR_OPTIONS+= AR_MERGE
# OSSEC restart active response
AR_RESTART_OPTION= RESTART_AR
AR_RESTART_DESC= Restart OSSEC when main configuration files change
AR_RESTART_DEFINE= server local
AR_RESTART_DEFAULT= server local
AR_OPTIONS+= AR_RESTART
# Host deny active response
AR_HOSTDENY_OPTION= HOSTDENY_AR
AR_HOSTDENY_DESC= Block the attacker's IP using access control files
AR_HOSTDENY_DEFINE= server local
AR_HOSTDENY_DEFAULT=
AR_OPTIONS+= AR_HOSTDENY
# Firewall drop active response
AR_FWDROP_OPTION= FWDROP_AR
AR_FWDROP_DESC= Block the attacker's IP on the firewall
AR_FWDROP_DEFINE= server local
AR_FWDROP_DEFAULT=
AR_OPTIONS+= AR_FWDROP
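Review bot: `AR_CMDS_DEFAULT_DEFAULT=server local` at L1595 is the only assignment in these option fragments with no whitespace after `=`; the neighbouring lines (L1594, L1601, L1607) use a tab, so align it as `AR_CMDS_DEFAULT_DEFAULT=	server local`. The empty `AR_HOSTDENY_DEFAULT=` (L1619) and `AR_FWDROP_DEFAULT=` (L1625) read as deliberate, since those responses modify firewall state and access-control files; a comment above each, such as `# Off by default: blocks the source address, see white_list before enabling`, would record that intent for whoever next touches the defaults.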


@ -0,0 +1,27 @@
CMDOUT_MANAGED_CONF= 140.command-output.conf
CMDOUT_LOCAL_CONF= 540.command-output.local.conf
CMDOUT_DESC= Command Output Monitoring
CMDOUT_SCRIPTS= last-logins open-ports
# Last logins
CMDOUT_LAST_LOGINS_OPTION= LOGINS
CMDOUT_LAST_LOGINS_DESC= Last logins
CMDOUT_LAST_LOGINS_DEFINE= server local agent
CMDOUT_LAST_LOGINS_DEFAULT= server local agent
CMDOUT_OPTIONS+= CMDOUT_LAST_LOGINS
# Open TCP ports
CMDOUT_OPEN_PORTS_TCP_OPTION= PORTS_TCP
CMDOUT_OPEN_PORTS_TCP_DESC= Open TCP ports
CMDOUT_OPEN_PORTS_TCP_DEFINE= server local agent
CMDOUT_OPEN_PORTS_TCP_DEFAULT= server local agent
CMDOUT_OPTIONS+= CMDOUT_OPEN_PORTS_TCP
# Open UDP ports
CMDOUT_OPEN_PORTS_UDP_OPTION= PORTS_UDP
CMDOUT_OPEN_PORTS_UDP_DESC= Open UDP ports
CMDOUT_OPEN_PORTS_UDP_DEFINE= server local agent
CMDOUT_OPEN_PORTS_UDP_DEFAULT= server local agent
CMDOUT_OPTIONS+= CMDOUT_OPEN_PORTS_UDP


@ -0,0 +1,52 @@
LOGS_MANAGED_CONF= 150.logs.conf
LOGS_LOCAL_CONF= 550.logs.local.conf
LOGS_DESC= Log Monitoring
# Default logs support
LOGS_BASIC_OPTION= BASIC
LOGS_BASIC_PROFILE= basic
LOGS_BASIC_DESC= Default system logs
LOGS_BASIC_DEFINE= server local agent pushed
LOGS_BASIC_DEFAULT= server local pushed
LOGS_OPTIONS+= LOGS_BASIC
# Active response log support
LOGS_OSSEC_OPTION= OSSEC
LOGS_OSSEC_PROFILE= ossec
LOGS_OSSEC_DESC= Active response logs
LOGS_OSSEC_DEFINE= server local agent pushed
LOGS_OSSEC_DEFAULT= server local pushed
LOGS_OPTIONS+= LOGS_OSSEC
# Apache logs support
LOGS_APACHE_OPTION= APACHE
LOGS_APACHE_PROFILE= apache
LOGS_APACHE_DESC= Apache logs
LOGS_APACHE_DEFINE= server local agent pushed
LOGS_APACHE_DEFAULT= pushed
LOGS_OPTIONS+= LOGS_APACHE
# Nginx logs support
LOGS_NGINX_OPTION= NGINX
LOGS_NGINX_PROFILE= nginx
LOGS_NGINX_DESC= Nginx logs
LOGS_NGINX_DEFINE= server local agent pushed
LOGS_NGINX_DEFAULT= pushed
LOGS_OPTIONS+= LOGS_NGINX
# Radius logs support
LOGS_RADIUS_OPTION= RADIUS
LOGS_RADIUS_PROFILE= radius
LOGS_RADIUS_DESC= FreeRADIUS logs
LOGS_RADIUS_DEFINE= server local agent pushed
LOGS_RADIUS_DEFAULT= pushed
LOGS_OPTIONS+= LOGS_RADIUS
# Vsftpd logs support
LOGS_VSFTPD_OPTION= VSFTPD
LOGS_VSFTPD_PROFILE= vsftpd
LOGS_VSFTPD_DESC= Vsftpd logs
LOGS_VSFTPD_DEFINE= server local agent pushed
LOGS_VSFTPD_DEFAULT= pushed
LOGS_OPTIONS+= LOGS_VSFTPD


@ -0,0 +1,36 @@
ROOTCHECK_MANAGED_CONF= 120.rootcheck.conf
ROOTCHECK_LOCAL_CONF= 520.rootcheck.local.conf
ROOTCHECK_DESC= System Audit and Rootkit Detection (rootcheck)
# Basic
ROOTCHECK_BASIC_OPTION= BASIC_RC
ROOTCHECK_BASIC_PROFILE= basic
ROOTCHECK_BASIC_DESC= Basic audit and rootkits
ROOTCHECK_BASIC_DEFINE= server local agent pushed
ROOTCHECK_BASIC_DEFAULT= server local pushed
ROOTCHECK_OPTIONS+= ROOTCHECK_BASIC
# CIS default
ROOTCHECK_CIS_OPTION= CIS_RC
ROOTCHECK_CIS_PROFILE= cis
ROOTCHECK_CIS_DESC= CIS benchmark - Legacy
ROOTCHECK_CIS_DEFINE= pushed
ROOTCHECK_CIS_DEFAULT= pushed
ROOTCHECK_OPTIONS+= ROOTCHECK_CIS
# CIS level 1
ROOTCHECK_CIS_L1_OPTION= CIS_L1_RC
ROOTCHECK_CIS_L1_PROFILE= cis-level1
ROOTCHECK_CIS_L1_DESC= CIS benchmark - Level 1
ROOTCHECK_CIS_L1_DEFINE= pushed
ROOTCHECK_CIS_L1_DEFAULT= pushed
ROOTCHECK_OPTIONS+= ROOTCHECK_CIS_L1
# CIS level 2
ROOTCHECK_CIS_L2_OPTION= CIS_L2_RC
ROOTCHECK_CIS_L2_PROFILE= cis-level2
ROOTCHECK_CIS_L2_DESC= CIS benchmark - Level 2
ROOTCHECK_CIS_L2_DEFINE= pushed
ROOTCHECK_CIS_L2_DEFAULT= pushed
ROOTCHECK_OPTIONS+= ROOTCHECK_CIS_L2


@ -0,0 +1,27 @@
RULES_MANAGED_CONF= 100.rules.conf
RULES_LOCAL_CONF= 500.rules.local.conf
RULES_DESC= Alerting Rules
RULES_FILES= config cmdout
# Default rules
RULES_DEFAULT_OPTION= DEFAULT_R
RULES_DEFAULT_DESC= Rules provided by OSSEC
RULES_DEFAULT_DEFINE= server local
RULES_DEFAULT_DEFAULT= server local
RULES_OPTIONS+= RULES_DEFAULT
# Config rules
RULES_CONFIG_OPTION= CONFIG_R
RULES_CONFIG_DESC= Alert changes of the OSSEC main configuration files
RULES_CONFIG_DEFINE= server local
RULES_CONFIG_DEFAULT= server local
RULES_OPTIONS+= RULES_CONFIG
# Command output rules
RULES_CMDOUT_OPTION= CMDOUT_R
RULES_CMDOUT_DESC= Alert changes of output of the monitored commands
RULES_CMDOUT_DEFINE= server local
RULES_CMDOUT_DEFAULT= server local
RULES_OPTIONS+= RULES_CMDOUT


@ -0,0 +1,42 @@
SYSCHECK_MANAGED_CONF= 130.syscheck.conf
SYSCHECK_LOCAL_CONF= 530.syscheck.local.conf
SYSCHECK_DESC= File Integrity Checking (syscheck)
# Default direcotries
SYSCHECK_BASIC_OPTION= BASIC_SC
SYSCHECK_BASIC_PROFILE= basic
SYSCHECK_BASIC_DESC= "bin", "sbin" and "etc"
SYSCHECK_BASIC_DEFINE= server local agent pushed
SYSCHECK_BASIC_DEFAULT= server local pushed
SYSCHECK_OPTIONS+= SYSCHECK_BASIC
# OSSEC directories
SYSCHECK_OSSEC_OPTION= OSSEC_SC
SYSCHECK_OSSEC_PROFILE= ossec
SYSCHECK_OSSEC_DESC= OSSEC directories
SYSCHECK_OSSEC_DEFINE= server local agent pushed
SYSCHECK_OSSEC_DEFAULT= server local pushed
SYSCHECK_OPTIONS+= SYSCHECK_OSSEC
# Alert new files
SYSCHECK_NEWFILES_OPTION= NEWFILES_SC
SYSCHECK_NEWFILES_DESC= Alert on new files created
SYSCHECK_NEWFILES_DEFINE= server local
SYSCHECK_NEWFILES_DEFAULT= server local
SYSCHECK_OPTIONS+= SYSCHECK_NEWFILES
# Disable auto_ignore
SYSCHECK_NOAUTO_OPTION= NOAUTO_SC
SYSCHECK_NOAUTO_DESC= Disable auto_ignore feature
SYSCHECK_NOAUTO_DEFINE= server local
SYSCHECK_NOAUTO_DEFAULT= server local
SYSCHECK_OPTIONS+= SYSCHECK_NOAUTO
# Ignore /etc/hosts.allow
SYSCHECK_HOSTDENY_DEPENDS= AR_HOSTDENY
SYSCHECK_HOSTDENY_OPTION= HOSTDENY_SC
SYSCHECK_HOSTDENY_DESC= Ignore access control files
SYSCHECK_HOSTDENY_DEFINE= server local agent pushed
SYSCHECK_HOSTDENY_DEFAULT= server local pushed
SYSCHECK_OPTIONS+= SYSCHECK_HOSTDENY
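Review bot: `# Default direcotries` at L1770 is a typo: `# Default directories`. The comment at L1796, `# Ignore /etc/hosts.allow`, describes only the FreeBSD side while the template it drives also ignores /etc/hosts.deny on Linux (L1534); `# Ignore access control files written by host-deny (depends on AR_HOSTDENY)` matches the description on L1799 and states the dependency declared on L1797.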


@ -0,0 +1,9 @@
OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection
System (HIDS). It has a powerful correlation and analysis engine, integrating
log analysis, file integrity checking, Windows registry monitoring, centralized
policy enforcement, rootkit detection, real-time alerting and active response.
This package adds the configuration overlay with samples, additional rules,
commands, scripts and support for multiple configuration files.
WWW: https://ossec.github.io


@ -0,0 +1,29 @@
Unless stated otherwise, every option here corresponds to certain configuration
block which would be placed in one of the configuration files in "ossec.conf.d"
directory. Disabled options will do the same, but for "ossec.conf.d/disabled"
directory. All "*.conf" files from the "ossec.conf.d" directory will be merged
into "ossec.conf" in alphabetic order. If you are not satisfied with the
generated configuration, you can disable the corresponding option and use files
from "ossec.conf.d/disabled" directory as samples.
Most of the options are disabled by default, because it is expected that the
server will push the agent configuration using "agent.conf". FreeBSD port of
OSSEC server extended with similar "config" port does this by default. If this
is the case, then the "ossec.conf" should only enable required profiles.
Files generated by the port will be overwritten during port upgrades so any
additional configuration should be put in separate files.
Command Output Monitoring:
Adds additional commands, the output of which can be monitored. To actually
send alerts about the changing output, the proper rules need to be configured
on the server as well. For security reasons commands cannot be pushed by the
server and thus must be configured locally on every agent.
These commands can be tweaked in "command.conf".
Active Response Firewall:
Creates "firewall-drop.sh" hardlink to one of the scripts shipped with OSSEC.
This option is only meaningful if this OSSEC instance will be the target of
"firewall-drop" active response (configured on the server).


@ -0,0 +1,31 @@
Unless stated otherwise, every option here corresponds to certain configuration
block which would be placed in one of the configuration files in "ossec.conf.d"
directory. Disabled options will do the same, but for "ossec.conf.d/disabled"
directory. All "*.conf" files from the "ossec.conf.d" directory will be merged
into "ossec.conf" in alphabetic order. If you are not satisfied with the
generated configuration, you can disable the corresponding option and use files
from "ossec.conf.d/disabled" directory as samples.
Files generated by the port will be overwritten during port upgrades so any
additional configuration should be put in separate files.
File Integrity Checking:
NOAUTO_SC:
OSSEC by default will ignore files that change too often (after the third
change). This option disables this feature. Files that change too often
as a result of correct system operation should better be added to ignore
list manually.
Command Output Monitoring:
Adds additional commands, the output of which can be monitored. To actually
send alerts about the changing output, the proper rules need to be configured
as well (see CMDOUT_R option).
These commands can be tweaked in "command.conf".
Active Response Firewall:
Creates "firewall-drop.sh" hardlink to one of the scripts shipped with OSSEC.
This option is only meaningful if "firewall-drop" active response will be
enabled in the configuration.


@ -0,0 +1,46 @@
Unless stated otherwise, every option here corresponds to certain configuration
block which would be placed in one of the configuration files in "ossec.conf.d"
directory. Disabled options will do the same, but for "ossec.conf.d/disabled"
directory. All "*.conf" files from the "ossec.conf.d" directory will be merged
into "ossec.conf" in alphabetic order. If you are not satisfied with the
generated configuration, you can disable the corresponding option and use files
from "ossec.conf.d/disabled" directory as samples.
The "pushed" sections (*_P options) relate to configuration pushed to agents
using "agent.conf". The generated configuration blocks will be placed in
"agent.conf.d" and "agent.conf.d/disabled" directories.
Note that the agent needs to enable proper profile to benefit from "agent.conf"
configuration pushed by the server. This also means that profiles not enabled
on the agent are ignored. This is why all "pushed" options are enabled by
default. The port currently contains configuration templates for the following
agent systems:
- FreeBSD
- Debian Linux
Consider contributing to the port by contacting the maintainer and providing
configuration templates for other operating systems runnig OSSEC agents.
Files generated by the port will be overwritten during port upgrades so any
additional configuration should be put in separate files.
File Integrity Checking:
NOAUTO_SC:
OSSEC by default will ignore files that change too often (after the third
change). This option disables this feature. Files that change too often
as a result of correct system operation should better be added to ignore
list manually.
Command Output Monitoring:
Adds additional commands, the output of which can be monitored. To actually
send alerts about the changing output, the proper rules need to be configured
as well (see CMDOUT_R option).
These commands can be tweaked in "command.conf".
Active Response Firewall:
Creates "firewall-drop.sh" hardlink to one of the scripts shipped with OSSEC.
This option is only meaningful if this OSSEC instance will be the target of
"firewall-drop" active response.


@ -0,0 +1,23 @@
@dir(,ossec,0550) %%OSSEC_HOME%%
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response/bin
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/merge-config.sh
@dir(,,0550) %%OSSEC_HOME%%/bin
@dir(,,0550) %%OSSEC_HOME%%/bin/command
@(,,0550) %%OSSEC_HOME%%/bin/command/last-logins.sh
@(,,0550) %%OSSEC_HOME%%/bin/command/open-ports.sh
@dir(,,0550) %%OSSEC_HOME%%/bin/config
@(,,0550) %%OSSEC_HOME%%/bin/config/ossec-conf
@dir(,ossec,0550) %%OSSEC_HOME%%/etc
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/command.conf.sample
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/ossec.conf.d
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/120.rootcheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/130.syscheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/140.command-output.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/150.logs.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/900.local.conf.sample
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/520.rootcheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/530.syscheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/540.command-output.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/550.logs.local.conf


@ -0,0 +1,30 @@
@dir(,ossec,0550) %%OSSEC_HOME%%
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response/bin
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/merge-config.sh
@dir(,,0550) %%OSSEC_HOME%%/bin
@dir(,,0550) %%OSSEC_HOME%%/bin/command
@(,,0550) %%OSSEC_HOME%%/bin/command/last-logins.sh
@(,,0550) %%OSSEC_HOME%%/bin/command/open-ports.sh
@dir(,,0550) %%OSSEC_HOME%%/bin/config
@(,,0550) %%OSSEC_HOME%%/bin/config/ossec-conf
@dir(,ossec,0550) %%OSSEC_HOME%%/etc
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/command.conf.sample
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/ossec.conf.d
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/100.rules.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/110.active-response.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/120.rootcheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/130.syscheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/140.command-output.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/150.logs.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/900.local.conf.sample
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/500.rules.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/510.active-response.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/520.rootcheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/530.syscheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/540.command-output.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/550.logs.local.conf
@dir(,ossec,0550) %%OSSEC_HOME%%/rules
@(,ossec,0640) %%OSSEC_HOME%%/rules/freebsd_cmdout_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/freebsd_config_rules.xml


@ -0,0 +1,39 @@
@dir(,ossec,0550) %%OSSEC_HOME%%
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response/bin
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/merge-config.sh
@dir(,,0550) %%OSSEC_HOME%%/bin
@dir(,,0550) %%OSSEC_HOME%%/bin/command
@(,,0550) %%OSSEC_HOME%%/bin/command/last-logins.sh
@(,,0550) %%OSSEC_HOME%%/bin/command/open-ports.sh
@dir(,,0550) %%OSSEC_HOME%%/bin/config
@(,,0550) %%OSSEC_HOME%%/bin/config/agent-conf
@(,,0550) %%OSSEC_HOME%%/bin/config/ossec-conf
@dir(,ossec,0550) %%OSSEC_HOME%%/etc
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/agent.conf.d
@(,ossec,0640) %%OSSEC_HOME%%/etc/agent.conf.d/120.rootcheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/agent.conf.d/130.syscheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/agent.conf.d/150.logs.conf
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/agent.conf.d/disabled
@(,ossec,0640) %%OSSEC_HOME%%/etc/agent.conf.d/disabled/520.rootcheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/agent.conf.d/disabled/530.syscheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/agent.conf.d/disabled/550.logs.local.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/command.conf.sample
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/ossec.conf.d
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/100.rules.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/110.active-response.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/120.rootcheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/130.syscheck.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/140.command-output.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/150.logs.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/900.local.conf.sample
@dir(,ossec,0550) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/500.rules.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/510.active-response.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/520.rootcheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/530.syscheck.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/540.command-output.local.conf
@(,ossec,0640) %%OSSEC_HOME%%/etc/ossec.conf.d/disabled/550.logs.local.conf
@dir(,ossec,0550) %%OSSEC_HOME%%/rules
@(,ossec,0640) %%OSSEC_HOME%%/rules/freebsd_cmdout_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/freebsd_config_rules.xml


@ -0,0 +1,113 @@
#!/bin/sh
# Script generates entries for pkg-plist.
# Do not use it directly. Use the following command instead:
#
# make MAINTAINER_MODE=yes clean plist
OSSEC_TYPE=$1
OSSEC_HOME=$2
PLIST=$3
WORKDIR=$4
STAGEDIR=$5
staged_plist="${WORKDIR}/.staged-plist"
fixed_lines=""
skip_lines=""
skip_paths=""
sample_paths="/etc/command.conf.sample /etc/ossec.conf.d/900.local.conf.sample /etc/agent.conf.d/900.local.conf.sample"
print_path() {
local path="$1"
local command="$2"
local full_path="${STAGEDIR}${OSSEC_HOME}${path}"
if [ -z "${command}" ]; then
command="@"
if [ -d "${full_path}" ]; then
command="@dir"
fi
fi
local user=`stat -f "%Su" "${full_path}"`
if [ "${user}" == "${USER}" ]; then
user=""
fi
local group=`stat -f "%Sg" "${full_path}"`
if [ "${group}" == "${GROUP}" ]; then
group=""
fi
local mode=`stat -f "%p" "${full_path}" | tail -c 5`
echo -e "${command}(${user},${group},${mode}) %%OSSEC_HOME%%${path}" >> "${PLIST}"
}
echo -n > "${PLIST}"
print_path
done_paths=""
while read line; do
skip_line=""
for e in ${skip_lines}; do
if [ "${e}" == "${line}" ]; then
skip_line="${e}"
break
fi
done
if [ -z "${skip_line}" ]; then
path=""
case $line in
"@dir %%OSSEC_HOME%%"*)
path=`echo "${line}" | sed -e "s|@dir %%OSSEC_HOME%%||g"`
;;
"%%OSSEC_HOME%%"*)
path=`echo "${line}" | sed -e "s|%%OSSEC_HOME%%||g"`
;;
"%%"*)
unchanged_lines="${unchanged_lines} ${line}"
;;
esac
if [ -n "${path}" ]; then
segments=`echo "${path}" | tr "/" "\n"`
path=""
for segment in ${segments}; do
path="${path}/${segment}"
skip_path=""
for e in ${skip_paths}; do
if [ "${e}" == "${path}" ]; then
skip_path="${e}"
break
fi
done
if [ -n "${skip_path}" ]; then
break
fi
done_path=""
for e in ${done_paths}; do
if [ "${e}" == "${path}" ]; then
done_path="${e}"
break
fi
done
if [ -z "${done_path}" ]; then
done_paths="${done_paths} ${path}"
sample_path=""
for e in ${sample_paths}; do
if [ "${e}" == "${path}" ]; then
sample_path="${e}"
break
fi
done
if [ -n "${sample_path}" ]; then
print_path "${path}" @sample
else
print_path "${path}"
fi
fi
done
fi
fi
done < "${staged_plist}"
unchanged_lines="${unchanged_lines} ${fixed_lines}"
for line in ${unchanged_lines}; do
echo "${line}" >> "${PLIST}"
done
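Review bot: The `while read line` loop over `${staged_plist}` reads without `-r`, so a backslash in a staged path is consumed by `read` instead of being written into the plist; use `while read -r line; do` (and `IFS=` if leading whitespace in a path ever matters). The `fixed_lines`, `skip_lines` and `skip_paths` lists are initialised empty and never populated, so the three matching loops are dead code until a maintainer fills them in; a comment such as `# Manual exclusions/additions for generated plist entries; empty by default` above them would make that intent explicit. `print_path` with no arguments is what emits the `%%OSSEC_HOME%%` directory entry itself, which is not obvious from the bare call and deserves a one-line comment.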


@ -0,0 +1,89 @@
#!/bin/sh
# Script generates entries for template-rules-default.xml.in.
# Do not use it directly. Use the following command instead:
#
# make MAINTAINER_MODE=yes rules
rules_template=$1
src_dir=$2
skip_files="policy_rules.xml local_rules.xml"
append_files="local_rules.xml"
rules=""
for file in `find "${src_dir}/etc/rules" -depth 1 -name "*.xml"`; do
file_name="${file##*/}"
skip_file=""
for e in ${skip_files}; do
if [ "${e}" == "${file_name}" ]; then
skip_file="${e}"
break
fi
done
if [ -z "${skip_file}" ]; then
rule_ids=`sed -Ene 's|^.*<rule[[:space:]]+id="([0-9]+)".*$|\1|p' "${file}"`
if [ -n "${rule_ids}" ]; then
min_rule_id=`echo "${rule_ids}" | sort -n | head -n 1`
ref_rule_ids=`sed -Ene 's|^.*<if_sid>([0-9,]+)</if_sid>.*$|\1|p' "${file}" | tr ',' '\n'`
for ref_rule_id in ${ref_rule_ids}; do
found_rule_id=""
for rule_id in ${rule_ids}; do
if [ "${ref_rule_id}" = "${rule_id}" ]; then
found_rule_id="${rule_id}"
break
fi
done
if [ -z "${found_rule_id}" ]; then
# The referenced rule id is not present in this file so it must come from another
if [ ${ref_rule_id} -gt ${min_rule_id} ]; then
# Ordering by referenced rule id doesn't need to give proper results, but let's hope it does
min_rule_id=$((ref_rule_id + 1))
fi
fi
done
rules="${rules}${min_rule_id} ${file_name}
"
fi
fi
done
echo -n "${rules}" | sort -n
if [ -n "${rules_template}" ]; then
rules=`echo -n "${rules}" | sort -n | cut -d' ' -f2`
for file_name in ${append_files}; do
rules="${rules}
${file_name}"
done
echo '<?xml version="1.0" encoding="UTF-8"?>
<template_config>
<rules>' > "${rules_template}"
for rule in ${rules}; do
echo " <include>${rule}</include>" >> "${rules_template}"
done
echo '
<!-- Files not included by default -->' >> "${rules_template}"
for skip_file in ${skip_files}; do
append_file=""
for e in ${append_files}; do
if [ "${e}" == "${skip_file}" ]; then
append_file="${e}"
break
fi
done
if [ -z "${append_file}" ]; then
echo " <!--<include>${skip_file}</include>-->" >> "${rules_template}"
fi
done
echo ' </rules>
</template_config>' >> "${rules_template}"
fi
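Review bot: The string comparisons mix `==` in the `skip_files` and `append_files` loops with the POSIX `=` used for `ref_rule_id`; under `#!/bin/sh` the portable form is `=`, so `[ "${e}" = "${file_name}" ]` throughout. The `for file in \`find ...\`` loop word-splits on whitespace in file names, which is harmless for the upstream rules directory but worth a comment so nobody reuses the idiom on user-supplied paths. The unconditional `echo -n "${rules}" | sort -n` before the template check prints the ordering even when a template is written, which reads as an intentional maintainer diagnostic; `# Print the computed ordering for review` above it would confirm that.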


@ -0,0 +1,33 @@
#!/bin/sh
if [ $# -lt 3 ]; then
echo "Too few arguments"
echo "Usage: `basename $0` <ossec_type> <ossec_prefix> <ossec_file>"
exit 1
fi
ossec_type="$1"
ossec_prefix="$2"
ossec_file="$3"
if [ ! -f "${ossec_file}" ]; then
echo "File \"${ossec_file}\" does not exist"
exit 1
fi
ossec_syscheck_bin_dirs="${ossec_prefix}/bin,${ossec_prefix}/active-response"
ossec_syscheck_etc_dirs="${ossec_prefix}/etc"
replace() {
sed -e 's|<template_config \(.*\)>|<agent_config \1>|' \
-e 's|</template_config>|</agent_config>|' \
-e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|${ossec_syscheck_bin_dirs}|" \
-e "s|%%OSSEC_SYSCHECK_ETC_DIRS%%|${ossec_syscheck_etc_dirs}|" \
"${ossec_file}"
}
extract() {
sed -n '/^<agent_config .*>$/,/^<\/agent_config>$/p'
}
replace | extract
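Review bot: The argument and missing-file diagnostics in the two guard blocks are written to stdout with plain `echo`, while the generated configuration is also the script's stdout, so a caller that redirects this script into a file gets the error text as its configuration; send them to stderr, e.g. `echo "Too few arguments" >&2` and `echo "File \"${ossec_file}\" does not exist" >&2`. The same applies to the ossec-conf script in the next section. `ossec_type` is assigned but never read here, unlike the ossec-conf variant where it selects extra syscheck directories; either use it or note `# kept for a uniform interface with ossec-conf` on the assignment.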


@ -0,0 +1,45 @@
#!/bin/sh
if [ $# -lt 3 ]; then
echo "Too few arguments"
echo "Usage: `basename $0` <ossec_type> <ossec_prefix> <ossec_file>"
exit 1
fi
ossec_type="$1"
ossec_prefix="$2"
ossec_file="$3"
if [ ! -f "${ossec_file}" ]; then
echo "File \"${ossec_file}\" does not exist"
exit 1
fi
ossec_syscheck_bin_dirs="${ossec_prefix}/bin,${ossec_prefix}/active-response"
ossec_syscheck_etc_dirs="${ossec_prefix}/etc"
if [ "${ossec_type}" != "agent" ]; then
ossec_syscheck_bin_dirs="${ossec_syscheck_bin_dirs},${ossec_prefix}/agentless"
ossec_syscheck_etc_dirs="${ossec_syscheck_etc_dirs},${ossec_prefix}/rules"
fi
replace() {
if grep -q "<template_config>" "${ossec_file}"; then
sed -e 's|<template_config>|<ossec_config>|' \
-e 's|</template_config>|</ossec_config>|' \
-e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|${ossec_syscheck_bin_dirs}|" \
-e "s|%%OSSEC_SYSCHECK_ETC_DIRS%%|${ossec_syscheck_etc_dirs}|" \
"${ossec_file}"
else
sed -e 's|<template_config .*os="FreeBSD".*>|<ossec_config>|' \
-e 's|</template_config>|</ossec_config>|' \
-e "s|%%OSSEC_SYSCHECK_BIN_DIRS%%|${ossec_syscheck_bin_dirs}|" \
-e "s|%%OSSEC_SYSCHECK_ETC_DIRS%%|${ossec_syscheck_etc_dirs}|" \
"${ossec_file}"
fi
}
extract() {
sed -n '/^<ossec_config.*>$/,/^<\/ossec_config>$/p'
}
replace | extract
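Review bot: `replace | extract` returns only the exit status of the trailing `sed`, so a template with no `<template_config ...>` line matching either branch yields empty output and exit 0, and a caller that redirects this into a configuration file gets an empty file with no error. Capture and check before printing: `output=$(replace | extract)`, `[ -n "${output}" ] || { echo "No configuration block found in \"${ossec_file}\"" >&2; exit 1; }`, `printf '%s\n' "${output}"`. The `${ossec_syscheck_*_dirs}` values are spliced into the sed replacement text unescaped, so a prefix containing `|` or `&` would corrupt the substitution; the prefix comes from the port rather than from users, so this is a robustness note worth a comment rather than an exposure.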


@ -1,11 +1,248 @@
# Created by: Valerio Daelli <valerio.daelli@gmail.com>
# $FreeBSD$
PORTREVISION= 1
COMMENT= Client and server (local) port of ossec-hids
PORTNAME= ossec-hids
PORTVERSION= 3.1.0
PORTREVISION=
CATEGORIES= security
PKGNAMESUFFIX= -${OSSEC_TYPE}
LOCAL_ONLY= yes
MAINTAINER= dominik.lisiak@bemsoft.pl
COMMENT= Security tool to monitor and check logs and intrusions
MASTERDIR= ${.CURDIR}/../ossec-hids-server
LICENSE= GPLv2
LICENSE_FILE= ${WRKSRC}/LICENSE
.include "${MASTERDIR}/Makefile"
USES= gmake readline ssl
OSSEC_TYPE?= local
.if ${OSSEC_TYPE} == local
CONFLICTS_INSTALL= ossec-hids-client-* \
ossec-hids-agent-* \
ossec-hids-server-*
.elif ${OSSEC_TYPE} == agent
CONFLICTS_INSTALL= ossec-hids-client-* \
ossec-hids-local-* \
ossec-hids-server-*
.elif ${OSSEC_TYPE} == server
CONFLICTS_INSTALL= ossec-hids-client-* \
ossec-hids-agent-* \
ossec-hids-local-*
.endif
.if ${OSSEC_TYPE} != agent
RUN_DEPENDS= expect:lang/expect
.endif
GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP
INOTIFY_LIB_DEPENDS= libinotify.so:devel/libinotify
PRELUDE_LIB_DEPENDS= libprelude.so:security/libprelude
ZEROMQ_LIB_DEPENDS= libczmq.so:net/czmq
MYSQL_USE= mysql
PGSQL_USES= pgsql
USE_GITHUB= yes
GH_ACCOUNT= ossec
USE_RC_SUBR= ossec-hids
.if ${OSSEC_TYPE} != agent
USES+= shebangfix
SHEBANG_LANG= expect
expect_OLD_CMD= "/usr/bin/env expect"
expect_CMD= ${LOCALBASE}/bin/expect
SHEBANG_FILES= src/agentlessd/scripts/main.exp \
src/agentlessd/scripts/ssh.exp \
src/agentlessd/scripts/ssh_asa-fwsmconfig_diff \
src/agentlessd/scripts/ssh_foundry_diff \
src/agentlessd/scripts/ssh_generic_diff \
src/agentlessd/scripts/ssh_integrity_check_bsd \
src/agentlessd/scripts/ssh_integrity_check_linux \
src/agentlessd/scripts/ssh_nopass.exp \
src/agentlessd/scripts/ssh_pixconfig_diff \
src/agentlessd/scripts/sshlogin.exp \
src/agentlessd/scripts/su.exp
.endif
OPTIONS_SUB= yes
OPTIONS_DEFINE= DOCS INOTIFY
.if ${OSSEC_TYPE} != agent
OPTIONS_DEFINE+= GEOIP PRELUDE ZEROMQ
OPTIONS_RADIO= DATABASE
OPTIONS_RADIO_DATABASE= MYSQL PGSQL
.endif
OPTIONS_DEFAULT= INOTIFY
INOTIFY_DESC= Kevent based real time monitoring
PRELUDE_DESC= Sensor support from Prelude SIEM
ZEROMQ_DESC= ZeroMQ support (experimental)
DATABASE_DESC= Database output
GEOIP_VARS= OSSEC_ARGS+=USE_GEOIP=yes
INOTIFY_VARS= OSSEC_ARGS+=USE_INOTIFY=yes
PRELUDE_VARS= OSSEC_ARGS+=USE_PRELUDE=yes
ZEROMQ_VARS= OSSEC_ARGS+=USE_ZEROMQ=yes
MYSQL_VARS= OSSEC_ARGS+=DATABASE=mysql PKGMSG_FILES+=message-database DB_TYPE=mysql DB_SCHEMA=mysql.schema
PGSQL_VARS= OSSEC_ARGS+=DATABASE=pgsql PKGMSG_FILES+=message-database DB_TYPE=postgresql DB_SCHEMA=postgresql.schema
OSSEC_ARGS+= TARGET=${OSSEC_TYPE}
.if ${OSSEC_TYPE} == agent
STRIP_FILES= agent-auth \
manage_agents \
ossec-agentd \
ossec-execd \
ossec-logcollector \
ossec-lua \
ossec-luac \
ossec-syscheckd
.else
STRIP_FILES= agent_control \
clear_stats \
list_agents \
manage_agents \
ossec-agentlessd \
ossec-analysisd \
ossec-authd \
ossec-csyslogd \
ossec-dbd \
ossec-execd \
ossec-logcollector \
ossec-logtest \
ossec-lua \
ossec-luac \
ossec-maild \
ossec-makelists \
ossec-monitord \
ossec-regex \
ossec-remoted \
ossec-reportd \
ossec-syscheckd \
rootcheck_control \
syscheck_control \
syscheck_update \
verify-agent-conf
.endif
.if defined(MAINTAINER_MODE)
OSSEC_HOME= ${PREFIX}/${PORTNAME}
.else
OSSEC_HOME?= ${PREFIX}/${PORTNAME}
.endif
OSSEC_RC= ${PREFIX}/etc/rc.d/ossec-hids
FIREWALL_DROP_BIN= ${OSSEC_HOME}/active-response/bin/firewall-drop.sh
IPFILTER_BIN= ${OSSEC_HOME}/active-response/bin/ipfilter.sh
RESTART_OSSEC_BIN= ${OSSEC_HOME}/active-response/bin/restart-ossec.sh
SHARED_DIR= ${OSSEC_HOME}/etc/shared
INTERNAL_OPTS_CONF= ${OSSEC_HOME}/etc/local_internal_options.conf
.if empty(USER)
USER=$$(${ID} -un)
.endif
.if empty(GROUP)
GROUP=$$(${ID} -gn)
.endif
.if !defined(MAINTAINER_MODE)
USER_ARGS+= OSSEC_GROUP=${GROUP} \
OSSEC_USER=${USER} \
OSSEC_USER_MAIL=${USER} \
OSSEC_USER_REM=${USER}
.endif
OSSEC_USER= ossec
OSSEC_GROUP= ossec
USERS= ${OSSEC_USER} ossecm ossecr
GROUPS= ${OSSEC_GROUP}
SUB_LIST+= PORTNAME=${PORTNAME} \
CATEGORY=${CATEGORIES:[1]} \
OSSEC_TYPE=${OSSEC_TYPE} \
OSSEC_HOME=${OSSEC_HOME} \
VERSION=${PORTVERSION} \
DB_TYPE=${DB_TYPE} \
DB_SCHEMA=${DOCSDIR}/${DB_SCHEMA} \
USER=${USER} \
OSSEC_USER=${OSSEC_USER} \
OSSEC_GROUP=${OSSEC_GROUP} \
OSSEC_RC=${OSSEC_RC}
SUB_FILES= pkg-install \
pkg-deinstall \
${PKGMSG_FILES} \
restart-ossec.sh
.if defined(MAINTAINER_MODE)
PLIST_SUB= OSSEC_HOME=${PORTNAME}
.else
PLIST_SUB= OSSEC_HOME=${OSSEC_HOME}
.endif
PLIST= ${PKGDIR}/pkg-plist-${OSSEC_TYPE}
DOCSFILES= BUGS CHANGELOG CONTRIBUTORS LICENSE README.md SUPPORT.md
PKGHELP= ${PKGDIR}/pkg-help-${OSSEC_TYPE}
PKGMESSAGE= ${WRKDIR}/pkg-message
PKGMSG_FILES= message-header
CFLAGS+= -I${LOCALBASE}/include
BUILD_ARGS+= ${MAKE_ARGS} ${OSSEC_ARGS} PREFIX=${OSSEC_HOME}
INSTALL_ARGS+= ${USER_ARGS} ${OSSEC_ARGS} PREFIX=${STAGEDIR}${OSSEC_HOME}
.include <bsd.port.pre.mk>
PKGMSG_FILES+= message-firewall message-config
post-patch:
@${REINPLACE_CMD} -e 's|-DLUA_USE_LINUX|& ${CPPFLAGS}|' \
-e 's|-lreadline|& ${LDFLAGS}|' \
${WRKSRC}/src/external/lua/src/Makefile
do-build:
@cd ${WRKSRC}/src; ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${BUILD_ARGS} build
do-install:
@cd ${WRKSRC}/src; ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${INSTALL_ARGS} install
post-install:
@${MV} -f ${STAGEDIR}${INTERNAL_OPTS_CONF} ${STAGEDIR}${INTERNAL_OPTS_CONF}.sample
@${MV} -f ${STAGEDIR}${FIREWALL_DROP_BIN} ${STAGEDIR}${IPFILTER_BIN}
@${CP} ${WRKDIR}/restart-ossec.sh ${STAGEDIR}${RESTART_OSSEC_BIN}
@${CHMOD} 550 ${STAGEDIR}${RESTART_OSSEC_BIN}
.if defined(MAINTAINER_MODE)
@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${RESTART_OSSEC_BIN}
.endif
.if ${OSSEC_TYPE} == agent
.if defined(MAINTAINER_MODE)
@for file_name in $$(find "${STAGEDIR}${SHARED_DIR}" -type f); do ${CHMOD} 0644 $${file_name}; ${CHOWN} ${OSSEC_USER}:${OSSEC_GROUP} $${file_name}; done
.else
@for file_name in $$(find "${STAGEDIR}${SHARED_DIR}" -type f); do ${CHMOD} 0644 $${file_name}; done
.endif
.endif
@${ECHO_CMD} -n > ${PKGMESSAGE}
.for file_name in ${PKGMSG_FILES}
@${CAT} ${WRKDIR}/${file_name} >> ${PKGMESSAGE}
@${ECHO_CMD} >> ${PKGMESSAGE}
.endfor
.for file_name in ${STRIP_FILES}
@${STRIP_CMD} ${STAGEDIR}${OSSEC_HOME}/bin/${file_name}
.endfor
.if defined(MAINTAINER_MODE)
plist: makeplist
@${SCRIPTDIR}/plist.sh ${OSSEC_TYPE} ${OSSEC_HOME} ${PLIST} ${WRKDIR} ${STAGEDIR}
.endif
post-install-DOCS-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} ${DOCSFILES} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} etc/ossec-${OSSEC_TYPE}.conf ${STAGEDIR}${DOCSDIR}/ossec.conf.sample
post-install-MYSQL-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/${DB_SCHEMA} ${STAGEDIR}${DOCSDIR}
post-install-PGSQL-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/${DB_SCHEMA} ${STAGEDIR}${DOCSDIR}
.include <bsd.port.post.mk>
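Review bot: `USER` is taken from the build environment (falling back to `$$(${ID} -un)` when empty) and exported through `SUB_LIST` as `%%USER%%`, which the generated pkg-install uses for `chown %%USER%%:%%OSSEC_GROUP%%` on the OSSEC home and the rc script uses for `install -o %%USER%%` and `ossec_hids_create_file ... %%USER%%:%%OSSEC_GROUP%%`. When the package is built by an unprivileged user, that user name is baked into the package and ends up owning the configuration directory and merged config files on every host it is installed on; the pkg-plist entries leave the owner field empty (root), so the intended runtime owner appears to be root. Substitute a fixed owner for the runtime files, e.g. `SUB_LIST+= USER=root` or a dedicated `OSSEC_OWNER= root`, while keeping `${USER}` for the staging-time `USER_ARGS`. A comment on the `.if empty(USER)` block stating that the variable currently serves both the staging and the runtime purpose would help the next maintainer; the pkg-install and rc-script sections below are where the substituted value is consumed.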


@ -0,0 +1,3 @@
TIMESTAMP = 1539457911
SHA256 (ossec-ossec-hids-3.1.0_GH0.tar.gz) = e0e2987751badb95c2bf618531c7853b2289c910f796da85ff394c0faea43f50
SIZE (ossec-ossec-hids-3.1.0_GH0.tar.gz) = 1886469


@ -0,0 +1,5 @@
Consider installing "%%CATEGORY%%/%%PORTNAME%%-%%OSSEC_TYPE%%-config" to ease
OSSEC configuration.
For additional help execute:
# %%PREFIX%%/etc/rc.d/ossec-hids help


@ -0,0 +1,8 @@
The database schema file:
%%DB_SCHEMA%%
To enable database output execute:
# %%OSSEC_HOME%%/bin/ossec-control enable database
For further steps see the documentation:
https://www.ossec.net/docs/syntax/head_ossec_config.database_output.html


@ -0,0 +1,12 @@
If you intend to use "firewall-drop" active response on this OSSEC instance
create the script:
%%OSSEC_HOME%%/active-response/bin/firewall-drop.sh
You can copy or hard link (symbolic link is not supported) one of the scripts
already provided by OSSEC:
%%OSSEC_HOME%%/active-response/bin/ipfilter.sh
%%OSSEC_HOME%%/active-response/bin/ipfw.sh
%%OSSEC_HOME%%/active-response/bin/pf.sh
For further steps see the documentation:
https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html


@ -0,0 +1,10 @@
All the files related to OSSEC have been installed in:
%%OSSEC_HOME%%
You need to create main configuration file:
%%OSSEC_HOME%%/etc/ossec.conf
For information on proper configuration see:
https://www.ossec.net/docs/syntax/ossec_config.html
To enable the startup script add ossec_hids_enable="YES" to /etc/rc.conf.


@ -0,0 +1,537 @@
#!/bin/sh
#
# PROVIDE: ossec_hids
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown
# ossec_hids_enable (bool): Set it to YES to enable %%PORTNAME%%.
# Default: NO
# ossec_hids_clear_log (bool): Set it to YES to clear ossec.log before %%PORTNAME%% startup.
# Default: NO
# ossec_hids_clear_ar_log (bool): Set it to YES to clear active-responses.log before %%PORTNAME%% startup.
# Default: NO
# ossec_hids_fetch_connect_time (int): Time in seconds to wait for the download of the shared configuration to start.
# Used only by agent installation.
# Default: 30
# ossec_hids_fetch_read_time (int): Time in seconds to wait for subsequent download chunks of the shared configuration.
# Used only by agent installation.
# Default: 10
. /etc/rc.subr
name="ossec_hids"
rcvar=ossec_hids_enable
load_rc_config $name
: ${ossec_hids_enable="NO"}
: ${ossec_hids_clear_log="NO"}
: ${ossec_hids_clear_ar_log="NO"}
: ${ossec_hids_fetch_connect_time=30}
: ${ossec_hids_fetch_read_time=10}
ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%OSSEC_HOME%%"
ossec_conf="${ossec_home}/etc/ossec.conf"
ossec_conf_dir="${ossec_home}/etc/ossec.conf.d"
ossec_conf_bin="${ossec_home}/bin/config/ossec-conf"
agent_conf="${ossec_home}/etc/shared/agent.conf"
agent_conf_dir="${ossec_home}/etc/agent.conf.d"
agent_conf_bin="${ossec_home}/bin/config/agent-conf"
ossec_client_keys="${ossec_home}/etc/client.keys"
ossec_ar_tmp="${ossec_home}/active-response"
ossec_log="${ossec_home}/logs/ossec.log"
ossec_ar_log="${ossec_home}/logs/active-responses.log"
ossec_merged="${ossec_home}/etc/shared/merged.mg"
ossec_local_time="/etc/localtime"
extra_commands="help status reload ossec_conf"
case ${ossec_type} in
server)
extra_commands="${extra_commands} agent_conf manage_agent reset_counter"
;;
agent)
extra_commands="${extra_commands} agent_conf manage_agent reset_counter config_profile fetch_config"
;;
esac
if [ -x "${ossec_conf_bin}" ]; then
extra_commands="${extra_commands} merge_config"
fi
ossec_rc_command=$1
shift 1
help_cmd="ossec_hids_help $@"
start_cmd="ossec_hids_command start $@"
stop_cmd="ossec_hids_command stop $@"
restart_cmd="ossec_hids_command restart $@"
status_cmd="ossec_hids_command status $@"
reload_cmd="ossec_hids_command reload $@"
manage_agent_cmd="ossec_hids_manage_agent $@"
reset_counter_cmd="ossec_hids_reset_counter $@"
config_profile_cmd="ossec_hids_config_profile $@"
fetch_config_cmd="ossec_hids_fetch_config $@"
merge_config_cmd="ossec_hids_create_config force $@"
ossec_conf_cmd="ossec_hids_ossec_conf $@"
agent_conf_cmd="ossec_hids_agent_conf $@"
start_precmd="ossec_hids_create_env && ossec_hids_create_config && ossec_hids_clean && ossec_hids_check"
restart_precmd="${start_precmd}"
reload_precmd="ossec_hids_create_env && ossec_hids_create_config"
config_profile_precmd="ossec_hids_check"
fetch_config_precmd="${start_precmd}"
agent_ids_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'"
agent_names_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*Name:[[:space:]]*([^,]+).*|\1|p'"
ossec_hids_help() {
local indent=" "
echo "Additional commands:"
echo
for command in ${extra_commands}; do
case ${command} in
ossec_conf)
echo "${command}"
if [ -x "${ossec_conf_bin}" ]; then
echo "${indent}Displays the \"ossec.conf\" as it would have been produced"
echo "${indent}by merging files from \"ossec.conf.d\" directory."
echo "${indent}Does not overwrite the actual \"ossec.conf\"."
else
echo "${indent}Displays the current \"ossec.conf\"."
fi
echo
;;
agent_conf)
echo "${command}"
if [ -x "${agent_conf_bin}" ]; then
echo "${indent}Displays the \"agent.conf\" as it would have been produced"
echo "${indent}by merging files from \"agent.conf.d\" directory."
echo "${indent}Does not overwrite the actual \"agent.conf\"."
else
echo "${indent}Displays the current \"agent.conf\"."
fi
echo
;;
manage_agent)
echo "${command} [...]"
echo "${indent}Executes OSSEC Agent Manager."
echo "${indent}Any additional arguments will be passed along (-h for help)."
echo "${indent}Use this command to export and import agent keys."
echo
;;
reset_counter)
case ${ossec_type} in
server)
echo "${command} <agent_name>"
echo "${indent}Stops the OSSEC and resets (removes) the replay attack prevention counter(s)."
echo "${indent}Only the counter for the given <agent_name> is reset."
echo "${indent}If the <agent_name> is \"-\", then counters for all agents are reset."
;;
agent)
echo "${command}"
echo "${indent}Stops the OSSEC and resets (removes) the replay attack prevention counter."
;;
esac
echo "${indent}Use this command on both the server and the agent to bring back connectivity."
echo "${indent}The typical scenario for desynchronization of counters is one of the OSSEC"
echo "${indent}instances has been restored from backup."
echo "${indent}Use the following procedure:"
echo "${indent}1. Reset counter on the agent."
echo "${indent}2. Reset counter on the server for that specific agent."
echo "${indent}3. Start the server."
echo "${indent}4. Start the agent."
echo
;;
config_profile)
echo "${command}"
echo "${indent}Displays a list (i.e. union of sets) of applicable (to this agent) configuration"
echo "${indent}profiles sent by the server (current \"agent.conf\") merged with configuration"
echo "${indent}profiles enabled on this agent (current \"ossec.conf\"). Each entry on the list"
echo "${indent}is marked with one of the following markers:"
echo "${indent}(+) - The profile is sent by the server and is enabled on this agent."
echo "${indent}(-) - The profile is sent by the server and is applicable for this agent, but is"
echo "${indent} not enabled in the \"ossec.conf\"."
echo "${indent}(?) - The profile is enabled on this agent, but is not sent by the server or is"
echo "${indent} not applicable to this agent."
echo
;;
fetch_config)
echo "${command}"
echo "${indent}(Re)starts the agent with a fresh copy of server shared configuration (including"
echo "${indent}\"agent.conf\"). Command can also be used to ensure server connectivity."
echo
;;
merge_config)
echo "${command}"
echo "${indent}Creates \"ossec.conf\" by merging files from \"ossec.conf.d\" directory."
case ${ossec_type} in
server)
echo "${indent}Creates \"agent.conf\" by merging files from \"agent.conf.d\" directory."
;;
esac
echo "${indent}Usually you do not need to run this command, because configuration files will"
echo "${indent}be merged before OSSEC startup if any of them has been modified/created/deleted"
echo "${indent}since the last merging. This command, however, does merging unconditionally."
echo
;;
esac
done
echo "To avoid problems with this script and the port in general, keep your XML-like"
echo "configuration pretty printed. Place element tags in single and separate lines."
echo "Comments can span on multiple but still separate lines."
echo "Do NOT use the following formatting:"
echo
echo "${indent}<elementA"
echo "${indent}${indent}attribute=\"value\"><!-- I am a long and"
echo "${indent}${indent}${indent}descriptive comment -->"
echo "${indent}${indent}<elementB>"
echo "${indent}${indent}${indent}Some content"
echo "${indent}${indent}</elementB><elementC>"
echo "${indent}${indent}${indent}Another content</elementC>"
echo "${indent}</elementA>"
echo
echo "Use instead:"
echo
echo "${indent}<elementA attribute=\"value\">"
echo "${indent}${indent}<!-- I am a long and"
echo "${indent}${indent}descriptive comment -->"
echo "${indent}${indent}<elementB>Some content</elementB>"
echo "${indent}${indent}<elementC>Another content</elementC>"
echo "${indent}</elementA>"
echo
}
ossec_hids_create_file() {
local path=$1
local owner=$2
local mode=$3
if [ ! -e "${path}" ]; then
touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}"
fi
}
ossec_hids_check() {
case ${ossec_type} in
server)
if [ ! -s "${ossec_client_keys}" ]; then
echo "WARNING: There are no client keys created - remote connections will be disabled."
echo
fi
;;
agent)
if [ ! -s "${ossec_client_keys}" ]; then
echo "WARNING: There are is no client key imported - connection to server not possible."
echo
else
if [ $(eval ${agent_ids_cmd} | wc -l) -gt 1 ]; then
echo "ERROR: There are multiple client keys imported - only one is allowed."
echo
return 1
fi
fi
;;
esac
return 0
}
ossec_hids_inline_content() {
local element="$1"
sed -En "s|.*<${element}>(.*)</${element}>.*|\1|p"
}
ossec_hids_remove_comments() {
# Comments must be on separate lines i.e. not next to uncommented code
awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
}
ossec_hids_config_profile() {
if [ ! -f "${ossec_conf}" ]; then
echo -n "ERROR: The \"${ossec_conf}\" is missing."
if [ -x "${ossec_conf_bin}" ]; then
echo " Run:"
echo "$(realpath $0) merge_config"
else
echo
fi
echo
return 1
fi
if [ ! -f "${agent_conf}" ]; then
echo "ERROR: The \"${agent_conf}\" is missing. Run:"
echo "$(realpath $0) fetch_config"
echo
return 1
fi
local os="FreeBSD"
local name=$(eval ${agent_names_cmd})
local server_profiles=`ossec_hids_remove_comments < "${agent_conf}" | sed -En \
-e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+os=\"${os}\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+os=\"${os}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+name=\"${name}\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+name=\"${name}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+os=\"${os}\"[[:space:]]+name=\"${name}\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+name=\"${name}\"[[:space:]]+os=\"${os}\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+os=\"${os}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+name=\"${name}\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+os=\"${os}\"[[:space:]]+name=\"${name}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+name=\"${name}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+os=\"${os}\"[[:space:]]*>.*|\1|p" \
-e "s|.*<agent_config[[:space:]]+name=\"${name}\"[[:space:]]+os=\"${os}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \
| sort -u`
local agent_profiles=$(ossec_hids_remove_comments < "${ossec_conf}" | ossec_hids_inline_content "config-profile" | sed -E 's|[[:space:]]*,[[:space:]]*| |g')
local output=""
for server_profile in ${server_profiles}; do
local matching_profile=""
for agent_profile in ${agent_profiles}; do
if [ "${agent_profile}" == "${server_profile}" ]; then
matching_profile="${agent_profile}"
break
fi
done
if [ -n "${matching_profile}" ]; then
output="${output}(+) ${server_profile}
"
else
output="${output}(-) ${server_profile}
"
fi
done
for agent_profile in ${agent_profiles}; do
local matching_profile=""
for server_profile in ${server_profiles}; do
if [ "${server_profile}" == "${agent_profile}" ]; then
matching_profile="${server_profile}"
break
fi
done
if [ -z "${matching_profile}" ]; then
output="${output}(?) ${agent_profile}
"
fi
done
echo -n "${output}" | sort -k 2
}
ossec_hids_config_is_outdated() {
local dst_file="$1"
local src_dir="$2"
if [ ! -e "${dst_file}" ]; then
return 0
fi
if [ "${src_dir}" -nt "${dst_file}" ]; then
return 0
fi
for src_file in $(find "${src_dir}" -maxdepth 1 -type f -name "*.conf"); do
if [ "${src_file}" -nt "${dst_file}" ]; then
return 0
fi
done
return 1
}
ossec_hids_create_config() {
case ${ossec_type} in
server)
if [ -x "${agent_conf_bin}" ]; then
# Merge agent.conf.d files into agent.conf
if [ "$1" == "force" ] || ossec_hids_config_is_outdated "${agent_conf}" "${agent_conf_dir}"; then
ossec_hids_create_file "${agent_conf}" %%USER%%:%%OSSEC_GROUP%% 0640
"${agent_conf_bin}" > "${agent_conf}"
fi
fi
;;
esac
if [ -x "${ossec_conf_bin}" ]; then
# Merge ossec.conf.d files into ossec.conf
if [ "$1" == "force" ] || ossec_hids_config_is_outdated "${ossec_conf}" "${ossec_conf_dir}"; then
ossec_hids_create_file "${ossec_conf}" %%USER%%:%%OSSEC_GROUP%% 0640
"${ossec_conf_bin}" > "${ossec_conf}"
fi
fi
return 0
}
ossec_hids_create_env() {
# Copy required files from outside of home directory
if [ ! -e "${ossec_local_time}" ]; then
echo "ERROR: Missing \"${ossec_local_time}\". Run command \"tzsetup\"."
echo
return 1
fi
install -o %%USER%% -g %%OSSEC_GROUP%% -m 0440 "${ossec_local_time}" "${ossec_home}${ossec_local_time}"
return 0
}
ossec_hids_clean() {
if [ "${ossec_type}" == "server" ]; then
rm -f "${ossec_merged}"
fi
if checkyesno ossec_hids_clear_log && [ -e "${ossec_log}" ]; then
echo -n > "${ossec_log}"
fi
if checkyesno ossec_hids_clear_ar_log && [ -e "${ossec_ar_log}" ]; then
echo -n > "${ossec_ar_log}"
fi
return 0
}
ossec_hids_reset_counter() {
local agent_name="$1"
ossec_hids_command stop
sleep 1
echo
case ${ossec_type} in
server)
if [ -z "${agent_name}" ]; then
echo "ERROR: Specify agent name to reset counter for this agent or \"-\" to reset counters for all agents."
echo
return 1
fi
local agent_counter=0
if [ "${agent_name}" == "-" ]; then
for agent_id in $(eval ${agent_ids_cmd}); do
if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then
rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1))
fi
done
else
local agent_id=`${ossec_home}/bin/manage_agents -l | sed -En -e "s|.*ID:[[:space:]]*([[:digit:]]+),[[:space:]]*Name:[[:space:]]${agent_name},.*|\1|p"`
if [ -n "${agent_id}" ]; then
if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then
rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1))
fi
fi
fi
echo "Removed ${agent_counter} counter(s)."
echo
;;
agent)
local agent_counter=0
for agent_id in $(eval ${agent_ids_cmd}); do
# Should be executed only once
if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then
rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1))
fi
done
echo "Removed ${agent_counter} counter(s)."
echo
;;
esac
return 0
}
ossec_hids_fetch_config() {
ossec_hids_command stop
sleep 1
echo
rm -f "${ossec_merged}"
ossec_hids_command start || return 1
echo
echo "Waiting ${ossec_hids_fetch_connect_time} seconds for the shared configuration download to start."
sleep ${ossec_hids_fetch_connect_time}
if [ ! -s "${ossec_merged}" ]; then
echo "ERROR: Failed to download shared configuration from the OSSEC server."
echo
local ossec_log_tail=$(tail "${ossec_log}")
echo "Portion of the \"${ossec_log}\":"
echo "${ossec_log_tail}"
echo
if echo "${ossec_log_tail}" | grep -q "ERROR: Unable to send message to"; then
echo "Check if your configuration contains the correct server address in \"server-ip\" option."
echo
else
local ossec_rc_path="$(realpath $0)"
echo "Is the imported agent key correct? To import it run:"
echo "${ossec_rc_path} manage_agent"
echo
echo "If you are certain the imported agent key is correct, then run:"
echo "${ossec_rc_path} reset_counter"
echo "${ossec_rc_path} fetch_config"
echo
echo "If this does't help, you need to reset counter on the server."
echo "If the server runs FreeBSD port of OSSEC, run:"
echo "On the agent:"
echo "${ossec_rc_path} reset_counter"
echo "On the server:"
echo "${ossec_rc_path} reset_counter $(eval ${agent_names_cmd})"
echo "${ossec_rc_path} start"
echo "On the agent:"
echo "${ossec_rc_path} fetch_config"
echo
fi
ossec_hids_command stop
return 1
else
# The download has started
while true; do
local current_time=$(date +%s)
local modification_time=$(stat -f %m "${ossec_merged}")
if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then
echo "Download finished."
echo
ossec_hids_command restart || return 1
break;
else
echo "Download in progress..."
sleep ${ossec_hids_fetch_read_time}
fi
done
fi
return 0
}
ossec_hids_ossec_conf() {
if [ -x "${ossec_conf_bin}" ]; then
"${ossec_conf_bin}"
elif [ -f "${ossec_conf}" ]; then
cat "${ossec_conf}"
fi
}
ossec_hids_agent_conf() {
if [ -x "${agent_conf_bin}" ]; then
"${agent_conf_bin}"
elif [ -f "${agent_conf}" ]; then
cat "${agent_conf}"
fi
}
ossec_hids_manage_agent() {
"${ossec_home}/bin/manage_agents" $@
return $?
}
ossec_hids_command() {
"${ossec_home}/bin/ossec-control" $1
return $?
}
run_rc_command "${ossec_rc_command}"
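Review bot: `ossec_hids_create_file` creates the file with `touch` under the caller's umask and only afterwards applies `chown` and `chmod`, so `ossec.conf` and `agent.conf` exist briefly with the default mode (commonly 0644, world-readable) before being tightened to 0640; the same helper is duplicated as `create_file` in the pkg-install section below, where it creates `client.keys`, which holds the agent keys. Create the file with its final owner and mode in one step: `install -o "${owner%%:*}" -g "${owner#*:}" -m "${mode}" /dev/null "${path}"`. Separately, `ossec_hids_manage_agent` passes `$@` unquoted, so whatever argument boundaries the rc.subr dispatch hands it are re-split before reaching `manage_agents`; `"${ossec_home}/bin/manage_agents" "$@"` preserves them. The `*_cmd="... $@"` assignments at the top flatten the arguments into a string anyway, which is worth a comment saying that arguments containing whitespace are not supported by this rc script.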


@ -0,0 +1,10 @@
--- src/Makefile.orig 2018-10-11 22:25:16 UTC
+++ src/Makefile
@@ -406,7 +406,6 @@ endif
install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/diff
install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc
- install -m 0440 -o root -g ${OSSEC_GROUP} /etc/localtime ${PREFIX}/etc
install -d -m 1550 -o root -g ${OSSEC_GROUP} ${PREFIX}/tmp
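Review bot: The removed `install ... /etc/localtime ${PREFIX}/etc` line is the only place the upstream build provided a time zone file inside the OSSEC home, and the patch carries no comment saying what replaces it. pkg-deinstall in this same commit still removes `${ossec_home}/etc/localtime`, so presumably it is now created at run time (the rc script, whose start is outside this page, is the likely place), but that is an inference. Chrooted OSSEC daemons without `etc/localtime` stamp alerts in UTC, which silently shifts every timestamp an analyst correlates, so the patch file should state where the copy now happens, e.g. a leading line `# localtime is provided at run time by the rc script, not copied at build time` (adjust to match the actual mechanism).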


@ -0,0 +1,18 @@
#!/bin/sh
ossec_home="%%OSSEC_HOME%%"
ar_conf="${ossec_home}/etc/shared/ar.conf"
merged_mg="${ossec_home}/etc/shared/merged.mg"
client_keys="${ossec_home}/etc/client.keys"
firewall_drop="${ossec_home}/active-response/bin/firewall-drop.sh"
local_time="${ossec_home}/etc/localtime"
if [ "$2" == "DEINSTALL" ]; then
rm -f "${ar_conf}"
rm -f "${merged_mg}"
if [ ! -s "${client_keys}" ]; then
rm -f "${client_keys}"
fi
rm -f "${firewall_drop}"
rm -f "${local_time}"
fi
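Review bot: `[ "$2" == "DEINSTALL" ]` uses `==`, which is not the POSIX `test` string comparison; FreeBSD's sh appears to accept it, but the documented form is `[ "$2" = "DEINSTALL" ]`. The same spelling is used in pkg-install (`"$2" == "POST-INSTALL"`) and throughout the plist generator (`"${OSSEC_TYPE}" == "agent"`, `"${user}" == "${USER}"`, `"${e}" == "${line}"` and the other `for e in ...` loops), so one sweep of `s/ == / = /` covers all three scripts. Keeping `client.keys` when it is non-empty is the right call, since it holds the agent authentication keys and a reinstall should not silently drop them.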


@ -0,0 +1,23 @@
#!/bin/sh
ossec_home="%%OSSEC_HOME%%"
client_keys="${ossec_home}/etc/client.keys"
create_file() {
local path=$1
local owner=$2
local mode=$3
if [ ! -e "${path}" ]; then
touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}"
fi
}
if [ "$2" == "POST-INSTALL" ]; then
pw usermod %%OSSEC_USER%% -d "${ossec_home}"
pw usermod ossecm -d "${ossec_home}"
pw usermod ossecr -d "${ossec_home}"
chown %%USER%%:%%OSSEC_GROUP%% "${ossec_home}"
create_file "${client_keys}" root:ossec 0640
fi
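Review bot: `create_file` creates the file in three steps (`touch`, `chown`, `chmod`), so between `touch` and `chmod` the new `client.keys` exists with whatever mode the installer's umask gives it, typically 0644, and with the installer as owner. The file is empty at that instant so nothing leaks, but the sequence also leaves a half-applied state if `chown` fails and the `${owner}`/`${mode}` expansions are unquoted. A single `install -o "${owner%%:*}" -g "${owner#*:}" -m "${mode}" /dev/null "${path}"` creates the file atomically with the final owner and mode and keeps the existing `root:ossec 0640` call site unchanged.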


@ -0,0 +1,32 @@
#!/bin/sh
# This script is part of FreeBSD port - report any issues to the port MAINTAINER
ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%OSSEC_HOME%%"
ossec_rc="%%OSSEC_RC%%"
ACTION=$1
USER=$2
IP=$3
LOCAL=`dirname $0`;
cd $LOCAL
cd ../../tmp
# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
case ${ACTION} in
add)
"${ossec_rc}" restart
exit 0
;;
delete)
exit 0
;;
*)
echo "$0: invalid action: ${ACTION}"
exit 1
;;
esac
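Review bot: `ossec_type`, `USER` and `IP` are assigned but never read anywhere in this script, and `USER=$2` overwrites the login name that is normally exported in the environment, so `"${ossec_rc}" restart` runs with `USER` set to whatever the alert carried in its second argument. Renaming the two positional captures to something like `ar_user=$2` / `ar_ip=$3` (or dropping them together with `ossec_type`) avoids that side effect without changing the logged line, which uses `$1 $2 $3 $4 $5` directly. The two `cd` calls on the lines before the logging line are not checked, so a missing `tmp` directory leaves the script running in the `bin` directory instead; `cd "${LOCAL}/../../tmp" || exit 1` would make the failure visible.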


@ -0,0 +1,6 @@
OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection
System (HIDS). It has a powerful correlation and analysis engine, integrating
log analysis, file integrity checking, Windows registry monitoring, centralized
policy enforcement, rootkit detection, real-time alerting and active response.
WWW: https://ossec.github.io


@ -0,0 +1,79 @@
@dir(,ossec,0550) %%OSSEC_HOME%%
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response/bin
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/disable-account.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/firewalld-drop.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/host-deny.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ip-customblock.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfilter.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfw.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfw_mac.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/npf.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-pagerduty.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-slack.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-tweeter.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/pf.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/restart-ossec.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/route-null.sh
@dir(,,0550) %%OSSEC_HOME%%/bin
@(,,0550) %%OSSEC_HOME%%/bin/agent-auth
@(,,0550) %%OSSEC_HOME%%/bin/manage_agents
@(,,0550) %%OSSEC_HOME%%/bin/ossec-agentd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-control
@(,,0550) %%OSSEC_HOME%%/bin/ossec-execd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-logcollector
@(,,0550) %%OSSEC_HOME%%/bin/ossec-lua
@(,,0550) %%OSSEC_HOME%%/bin/ossec-luac
@(,,0550) %%OSSEC_HOME%%/bin/ossec-syscheckd
@(,,0550) %%OSSEC_HOME%%/bin/util.sh
@dir(,ossec,0550) %%OSSEC_HOME%%/etc
@(,ossec,0640) %%OSSEC_HOME%%/etc/internal_options.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/local_internal_options.conf.sample
@dir(,ossec,0770) %%OSSEC_HOME%%/etc/shared
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/acsc_office2016_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_apache2224_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_debian_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_debianlinux7-8_L1_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_debianlinux7-8_L2_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_community_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_rhel5_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_rhel6_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_rhel7_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_rhel_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_sles11_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_sles12_linux_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win10_enterprise_L1_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win10_enterprise_L2_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL1_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL2_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL1_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL2_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2016_domainL1_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2016_domainL2_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2016_memberL1_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/cis_win2016_memberL2_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/rootkit_files.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/win_applications_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/win_audit_rcl.txt
@(ossec,ossec,0644) %%OSSEC_HOME%%/etc/shared/win_malware_rcl.txt
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs
@dir(,ossec,0550) %%OSSEC_HOME%%/queue
@dir(ossec,ossec,0770) %%OSSEC_HOME%%/queue/alerts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/diff
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/ossec
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/rids
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/syscheck
@dir(,ossec,1550) %%OSSEC_HOME%%/tmp
@dir(,ossec,0550) %%OSSEC_HOME%%/var
@dir(,ossec,0770) %%OSSEC_HOME%%/var/run
%%PORTDOCS%%%%DOCSDIR%%/BUGS
%%PORTDOCS%%%%DOCSDIR%%/CHANGELOG
%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
%%PORTDOCS%%%%DOCSDIR%%/LICENSE
%%PORTDOCS%%%%DOCSDIR%%/README.md
%%PORTDOCS%%%%DOCSDIR%%/SUPPORT.md
%%PORTDOCS%%%%DOCSDIR%%/ossec.conf.sample
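Review bot: The `etc/shared/*.txt` entries in this agent plist are installed as `(ossec,ossec,0644)`, while the two server plists later in this commit install the same files as `(ossec,ossec,0640)`. Because the plists are emitted by the generator script from the staged tree's actual owners and modes, the mismatch presumably comes from the upstream install rules for the agent build rather than from hand editing, but it is worth confirming that world-readable rootcheck and CIS policy files on agents are intended and not an oversight. If it is intended, a short `@comment` line above the first `etc/shared` entry saying so would stop the next reviewer from asking the same question.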


@ -0,0 +1,200 @@
@dir(,ossec,0550) %%OSSEC_HOME%%
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response/bin
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/disable-account.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/firewalld-drop.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/host-deny.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ip-customblock.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfilter.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfw.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfw_mac.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/npf.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-pagerduty.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-slack.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-tweeter.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/pf.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/restart-ossec.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/route-null.sh
@dir(,ossec,0550) %%OSSEC_HOME%%/agentless
@(,ossec,0550) %%OSSEC_HOME%%/agentless/main.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/register_host.sh
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_asa-fwsmconfig_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_foundry_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_generic_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_bsd
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_linux
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_nopass.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_pixconfig_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/sshlogin.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/su.exp
@dir(,,0550) %%OSSEC_HOME%%/bin
@(,,0550) %%OSSEC_HOME%%/bin/agent_control
@(,,0550) %%OSSEC_HOME%%/bin/clear_stats
@(,,0550) %%OSSEC_HOME%%/bin/list_agents
@(,,0550) %%OSSEC_HOME%%/bin/manage_agents
@(,,0550) %%OSSEC_HOME%%/bin/ossec-agentlessd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-analysisd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-authd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-control
@(,,0550) %%OSSEC_HOME%%/bin/ossec-csyslogd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-dbd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-execd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-logcollector
@(,,0550) %%OSSEC_HOME%%/bin/ossec-logtest
@(,,0550) %%OSSEC_HOME%%/bin/ossec-lua
@(,,0550) %%OSSEC_HOME%%/bin/ossec-luac
@(,,0550) %%OSSEC_HOME%%/bin/ossec-maild
@(,,0550) %%OSSEC_HOME%%/bin/ossec-makelists
@(,,0550) %%OSSEC_HOME%%/bin/ossec-monitord
@(,,0550) %%OSSEC_HOME%%/bin/ossec-regex
@(,,0550) %%OSSEC_HOME%%/bin/ossec-remoted
@(,,0550) %%OSSEC_HOME%%/bin/ossec-reportd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-syscheckd
@(,,0550) %%OSSEC_HOME%%/bin/rootcheck_control
@(,,0550) %%OSSEC_HOME%%/bin/syscheck_control
@(,,0550) %%OSSEC_HOME%%/bin/syscheck_update
@(,,0550) %%OSSEC_HOME%%/bin/util.sh
@(,,0550) %%OSSEC_HOME%%/bin/verify-agent-conf
@dir(,ossec,0550) %%OSSEC_HOME%%/etc
@(,ossec,0640) %%OSSEC_HOME%%/etc/decoder.xml
@(,ossec,0640) %%OSSEC_HOME%%/etc/internal_options.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/local_internal_options.conf.sample
@dir(,ossec,0770) %%OSSEC_HOME%%/etc/shared
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/acsc_office2016_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_apache2224_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_debian_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_debianlinux7-8_L1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_debianlinux7-8_L2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_community_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel5_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel6_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel7_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_sles11_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_sles12_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win10_enterprise_L1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win10_enterprise_L2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_domainL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_domainL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_memberL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_memberL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/rootkit_files.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/win_applications_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/win_audit_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/win_malware_rcl.txt
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs
@dir(,ossec,0550) %%OSSEC_HOME%%/rules
@(,ossec,0640) %%OSSEC_HOME%%/rules/apache_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/apparmor_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/arpwatch_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/asterisk_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/attack_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/cimserver_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/cisco-ios_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/clam_av_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/courier_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/dnsmasq_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/dovecot_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/dropbear_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/exim_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/firewall_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/firewalld_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/hordeimp_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ids_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/imapd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/linux_usbdetect_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/local_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/mailscanner_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/mcafee_av_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms-exchange_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms-se_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms1016_usbdetect_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_dhcp_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_firewall_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_ftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_ipsec_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/msauth_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/mysql_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/named_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/netscreenfw_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/nginx_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/nsd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/openbsd-dhcpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/openbsd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/opensmtpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ossec_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/owncloud_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/pam_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/php_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/pix_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/policy_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/postfix_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/postgresql_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/proftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/proxmox-ve_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/psad_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/pure-ftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/racoon_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/roundcube_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/rules_config.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sendmail_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/smbd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/solaris_bsm_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sonicwall_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/spamd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/squid_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sshd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/symantec-av_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/symantec-ws_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/syslog_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sysmon_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/systemd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/telnetd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/trend-osce_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/unbound_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vmpop3d_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vmware_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vpn_concentrator_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vpopmail_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vsftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/web_appsec_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/web_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/wordpress_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/zeus_rules.xml
@dir(,ossec,0700) %%OSSEC_HOME%%/.ssh
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs/alerts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs/archives
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs/firewall
@dir(,ossec,0550) %%OSSEC_HOME%%/queue
@dir(ossecr,ossec,0750) %%OSSEC_HOME%%/queue/agent-info
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/agentless
@dir(ossec,ossec,0770) %%OSSEC_HOME%%/queue/alerts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/diff
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/fts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/ossec
@dir(ossecr,ossec,0750) %%OSSEC_HOME%%/queue/rids
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/rootcheck
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/syscheck
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/stats
@dir(,ossec,1550) %%OSSEC_HOME%%/tmp
@dir(,ossec,0550) %%OSSEC_HOME%%/var
@dir(,ossec,0770) %%OSSEC_HOME%%/var/run
%%PORTDOCS%%%%DOCSDIR%%/BUGS
%%PORTDOCS%%%%DOCSDIR%%/CHANGELOG
%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
%%PORTDOCS%%%%DOCSDIR%%/LICENSE
%%PORTDOCS%%%%DOCSDIR%%/README.md
%%PORTDOCS%%%%DOCSDIR%%/SUPPORT.md
%%PORTDOCS%%%%DOCSDIR%%/ossec.conf.sample
%%MYSQL%%%%DOCSDIR%%/mysql.schema
%%PGSQL%%%%DOCSDIR%%/postgresql.schema
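Review bot: As far as the page shows, this 200-line plist and the one in the next file section are byte-for-byte identical, so the two server-type ports now carry a duplicated file that will drift the first time only one of them is regenerated. Since the slave Makefiles already point at a MASTERDIR (the 7-line Makefile later in this commit), a single shared plist in the master port with `PLIST_SUB` for the type-specific lines is the usual way to keep one copy. Separately, `@dir(,ossec,0700) %%OSSEC_HOME%%/.ssh` sits after the `rules` entries rather than in path order, presumably because the generator walks the staged plist in its own order; if ordering matters to anyone, sorting the generator's output by path would fix it in both files.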


@ -0,0 +1,200 @@
@dir(,ossec,0550) %%OSSEC_HOME%%
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response
@dir(,ossec,0550) %%OSSEC_HOME%%/active-response/bin
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/disable-account.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/firewalld-drop.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/host-deny.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ip-customblock.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfilter.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfw.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ipfw_mac.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/npf.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-pagerduty.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-slack.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/ossec-tweeter.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/pf.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/restart-ossec.sh
@(,ossec,0550) %%OSSEC_HOME%%/active-response/bin/route-null.sh
@dir(,ossec,0550) %%OSSEC_HOME%%/agentless
@(,ossec,0550) %%OSSEC_HOME%%/agentless/main.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/register_host.sh
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_asa-fwsmconfig_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_foundry_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_generic_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_bsd
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_integrity_check_linux
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_nopass.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/ssh_pixconfig_diff
@(,ossec,0550) %%OSSEC_HOME%%/agentless/sshlogin.exp
@(,ossec,0550) %%OSSEC_HOME%%/agentless/su.exp
@dir(,,0550) %%OSSEC_HOME%%/bin
@(,,0550) %%OSSEC_HOME%%/bin/agent_control
@(,,0550) %%OSSEC_HOME%%/bin/clear_stats
@(,,0550) %%OSSEC_HOME%%/bin/list_agents
@(,,0550) %%OSSEC_HOME%%/bin/manage_agents
@(,,0550) %%OSSEC_HOME%%/bin/ossec-agentlessd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-analysisd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-authd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-control
@(,,0550) %%OSSEC_HOME%%/bin/ossec-csyslogd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-dbd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-execd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-logcollector
@(,,0550) %%OSSEC_HOME%%/bin/ossec-logtest
@(,,0550) %%OSSEC_HOME%%/bin/ossec-lua
@(,,0550) %%OSSEC_HOME%%/bin/ossec-luac
@(,,0550) %%OSSEC_HOME%%/bin/ossec-maild
@(,,0550) %%OSSEC_HOME%%/bin/ossec-makelists
@(,,0550) %%OSSEC_HOME%%/bin/ossec-monitord
@(,,0550) %%OSSEC_HOME%%/bin/ossec-regex
@(,,0550) %%OSSEC_HOME%%/bin/ossec-remoted
@(,,0550) %%OSSEC_HOME%%/bin/ossec-reportd
@(,,0550) %%OSSEC_HOME%%/bin/ossec-syscheckd
@(,,0550) %%OSSEC_HOME%%/bin/rootcheck_control
@(,,0550) %%OSSEC_HOME%%/bin/syscheck_control
@(,,0550) %%OSSEC_HOME%%/bin/syscheck_update
@(,,0550) %%OSSEC_HOME%%/bin/util.sh
@(,,0550) %%OSSEC_HOME%%/bin/verify-agent-conf
@dir(,ossec,0550) %%OSSEC_HOME%%/etc
@(,ossec,0640) %%OSSEC_HOME%%/etc/decoder.xml
@(,ossec,0640) %%OSSEC_HOME%%/etc/internal_options.conf
@sample(,ossec,0640) %%OSSEC_HOME%%/etc/local_internal_options.conf.sample
@dir(,ossec,0770) %%OSSEC_HOME%%/etc/shared
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/acsc_office2016_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_apache2224_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_debian_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_debianlinux7-8_L1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_debianlinux7-8_L2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_community_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel5_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel6_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel7_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_rhel_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_sles11_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_sles12_linux_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win10_enterprise_L1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win10_enterprise_L2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_domainL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2012r2_memberL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_domainL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_domainL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_memberL1_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/cis_win2016_memberL2_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/rootkit_files.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/rootkit_trojans.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/system_audit_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/system_audit_ssh.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/win_applications_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/win_audit_rcl.txt
@(ossec,ossec,0640) %%OSSEC_HOME%%/etc/shared/win_malware_rcl.txt
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs
@dir(,ossec,0550) %%OSSEC_HOME%%/rules
@(,ossec,0640) %%OSSEC_HOME%%/rules/apache_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/apparmor_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/arpwatch_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/asterisk_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/attack_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/cimserver_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/cisco-ios_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/clam_av_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/courier_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/dnsmasq_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/dovecot_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/dropbear_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/exim_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/firewall_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/firewalld_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/hordeimp_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ids_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/imapd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/linux_usbdetect_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/local_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/mailscanner_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/mcafee_av_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms-exchange_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms-se_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms1016_usbdetect_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_dhcp_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_firewall_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_ftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ms_ipsec_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/msauth_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/mysql_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/named_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/netscreenfw_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/nginx_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/nsd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/openbsd-dhcpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/openbsd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/opensmtpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/ossec_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/owncloud_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/pam_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/php_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/pix_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/policy_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/postfix_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/postgresql_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/proftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/proxmox-ve_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/psad_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/pure-ftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/racoon_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/roundcube_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/rules_config.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sendmail_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/smbd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/solaris_bsm_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sonicwall_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/spamd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/squid_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sshd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/symantec-av_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/symantec-ws_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/syslog_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/sysmon_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/systemd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/telnetd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/trend-osce_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/unbound_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vmpop3d_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vmware_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vpn_concentrator_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vpopmail_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/vsftpd_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/web_appsec_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/web_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/wordpress_rules.xml
@(,ossec,0640) %%OSSEC_HOME%%/rules/zeus_rules.xml
@dir(,ossec,0700) %%OSSEC_HOME%%/.ssh
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs/alerts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs/archives
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/logs/firewall
@dir(,ossec,0550) %%OSSEC_HOME%%/queue
@dir(ossecr,ossec,0750) %%OSSEC_HOME%%/queue/agent-info
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/agentless
@dir(ossec,ossec,0770) %%OSSEC_HOME%%/queue/alerts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/diff
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/fts
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/ossec
@dir(ossecr,ossec,0750) %%OSSEC_HOME%%/queue/rids
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/rootcheck
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/queue/syscheck
@dir(ossec,ossec,0750) %%OSSEC_HOME%%/stats
@dir(,ossec,1550) %%OSSEC_HOME%%/tmp
@dir(,ossec,0550) %%OSSEC_HOME%%/var
@dir(,ossec,0770) %%OSSEC_HOME%%/var/run
%%PORTDOCS%%%%DOCSDIR%%/BUGS
%%PORTDOCS%%%%DOCSDIR%%/CHANGELOG
%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
%%PORTDOCS%%%%DOCSDIR%%/LICENSE
%%PORTDOCS%%%%DOCSDIR%%/README.md
%%PORTDOCS%%%%DOCSDIR%%/SUPPORT.md
%%PORTDOCS%%%%DOCSDIR%%/ossec.conf.sample
%%MYSQL%%%%DOCSDIR%%/mysql.schema
%%PGSQL%%%%DOCSDIR%%/postgresql.schema


@ -0,0 +1,119 @@
#!/bin/sh
# Script generates entries for pkg-plist.
# Do not use it directly. Use the following command instead:
#
# make MAINTAINER_MODE=yes clean plist
OSSEC_TYPE=$1
OSSEC_HOME=$2
PLIST=$3
WORKDIR=$4
STAGEDIR=$5
staged_plist="${WORKDIR}/.staged-plist"
fixed_lines=""
if [ "${OSSEC_TYPE}" != "agent" ]; then
fixed_lines="${fixed_lines} %%MYSQL%%%%DOCSDIR%%/mysql.schema %%PGSQL%%%%DOCSDIR%%/postgresql.schema"
fi
skip_lines="%%PORTDOCS%%%%DOCSDIR%%/mysql.schema %%PORTDOCS%%%%DOCSDIR%%/postgresql.schema"
skip_paths="/etc/ossec.conf /etc/client.keys /logs/active-responses.log /logs/ossec.log /lua"
sample_paths="/etc/local_internal_options.conf.sample"
if [ "${OSSEC_TYPE}" == "agent" ]; then
skip_paths="${skip_paths} /rules /agentless /.ssh"
fi
print_path() {
local path="$1"
local command="$2"
local full_path="${STAGEDIR}${OSSEC_HOME}${path}"
if [ -z "${command}" ]; then
command="@"
if [ -d "${full_path}" ]; then
command="@dir"
fi
fi
local user=`stat -f "%Su" "${full_path}"`
if [ "${user}" == "${USER}" ]; then
user=""
fi
local group=`stat -f "%Sg" "${full_path}"`
if [ "${group}" == "${GROUP}" ]; then
group=""
fi
local mode=`stat -f "%p" "${full_path}" | tail -c 5`
echo -e "${command}(${user},${group},${mode}) %%OSSEC_HOME%%${path}" >> "${PLIST}"
}
echo -n > "${PLIST}"
print_path
done_paths=""
while read line; do
skip_line=""
for e in ${skip_lines}; do
if [ "${e}" == "${line}" ]; then
skip_line="${e}"
break
fi
done
if [ -z "${skip_line}" ]; then
path=""
case $line in
"@dir %%OSSEC_HOME%%"*)
path=`echo "${line}" | sed -e "s|@dir %%OSSEC_HOME%%||g"`
;;
"%%OSSEC_HOME%%"*)
path=`echo "${line}" | sed -e "s|%%OSSEC_HOME%%||g"`
;;
"%%"*)
unchanged_lines="${unchanged_lines} ${line}"
;;
esac
if [ -n "${path}" ]; then
segments=`echo "${path}" | tr "/" "\n"`
path=""
for segment in ${segments}; do
path="${path}/${segment}"
skip_path=""
for e in ${skip_paths}; do
if [ "${e}" == "${path}" ]; then
skip_path="${e}"
break
fi
done
if [ -n "${skip_path}" ]; then
break
fi
done_path=""
for e in ${done_paths}; do
if [ "${e}" == "${path}" ]; then
done_path="${e}"
break
fi
done
if [ -z "${done_path}" ]; then
done_paths="${done_paths} ${path}"
sample_path=""
for e in ${sample_paths}; do
if [ "${e}" == "${path}" ]; then
sample_path="${e}"
break
fi
done
if [ -n "${sample_path}" ]; then
print_path "${path}" @sample
else
print_path "${path}"
fi
fi
done
fi
fi
done < "${staged_plist}"
unchanged_lines="${unchanged_lines} ${fixed_lines}"
for line in ${unchanged_lines}; do
echo "${line}" >> "${PLIST}"
done
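Review bot: `print_path` compares the staged owner and group against `${USER}` and `${GROUP}` taken from the environment, but the script never checks that either is set; `GROUP` in particular is not a conventional login variable, and if the Makefile does not export it every entry is emitted with an explicit group, silently changing the generated plists. A guard near the top, `: "${USER:?USER must be set}" "${GROUP:?GROUP must be set}"`, would turn that into a hard error in maintainer mode. On the `echo -e "${command}(...)"` line the `-e` is unnecessary since the string contains no escapes, and in a `#!/bin/sh` script plain `echo` is the portable form.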


@ -0,0 +1,7 @@
# $FreeBSD$
OSSEC_TYPE= server
MASTERDIR= ${.CURDIR}/../ossec-hids-local-config
.include "${MASTERDIR}/Makefile"


@ -1,148 +1,7 @@
# Created by: Valerio Daelli <valerio.daelli@gmail.com>
# $FreeBSD$
PORTNAME= ossec-hids
PORTVERSION= 2.8.3
DISTVERSIONPREFIX= v
PORTREVISION?= 3
CATEGORIES= security
PKGNAMESUFFIX= -server
OSSEC_TYPE= server
MAINTAINER= dominik.lisiak@bemsoft.pl
COMMENT?= Security tool to monitor and check logs and intrusions
MASTERDIR= ${.CURDIR}/../ossec-hids-local
USE_GITHUB= yes
GH_ACCOUNT= ossec
USE_RC_SUBR= ossec-hids
CFLAGS+= -ferror-limit=0
USES= readline ssl
.if defined(MAINTAINER_MODE)
UID_FILES+= ../../UIDs
GID_FILES+= ../../GIDs
.endif
USERS= ossec ossecm ossecr
GROUPS= ossec
.if !defined(CLIENT_ONLY)
OPTIONS_DEFINE= MYSQL PGSQL
MYSQL_VARS= WITH_DB=yes
MYSQL_USE= MYSQL=client
MYSQL_PORTDOCS= mysql.schema
PGSQL_VARS= WITH_DB=yes
PGSQL_USES= pgsql
PGSQL_PORTDOCS= postgresql.schema
RUN_DEPENDS= expect:lang/expect
USES+= shebangfix
SHEBANG_LANG= expect
expect_OLD_CMD= "/usr/bin/env expect"
expect_CMD= ${LOCALBASE}/bin/expect
SHEBANG_FILES= src/agentlessd/scripts/main.exp \
src/agentlessd/scripts/ssh.exp \
src/agentlessd/scripts/ssh_asa-fwsmconfig_diff \
src/agentlessd/scripts/ssh_foundry_diff \
src/agentlessd/scripts/ssh_generic_diff \
src/agentlessd/scripts/ssh_integrity_check_bsd \
src/agentlessd/scripts/ssh_integrity_check_linux \
src/agentlessd/scripts/ssh_nopass.exp \
src/agentlessd/scripts/ssh_pixconfig_diff \
src/agentlessd/scripts/sshlogin.exp \
src/agentlessd/scripts/su.exp
.endif
OPTIONS_DEFINE+= DOCS
SUB_LIST= PORTNAME=${PORTNAME}
SUB_FILES= pkg-message
PLIST_SUB= PORTNAME=${PORTNAME}
DOCSFILES= BUGS CONFIG CONTRIBUTORS INSTALL LICENSE
PORTDOCS= ${DOCSFILES}
BROKEN_aarch64= Fails to compile: error: use of undeclared identifier __LDPGSZ
.include <bsd.port.pre.mk>
STRIP_FILES= ossec-luac agent_control ossec-lua ossec-dbd ossec-regex ossec-monitord ossec-makelists verify-agent-conf ossec-analysisd ossec-agentlessd syscheck_control ossec-execd manage_agents ossec-csyslogd ossec-syscheckd ossec-logtest ossec-authd ossec-logcollector list_agents ossec-maild clear_stats ossec-remoted ossec-reportd rootcheck_control syscheck_update
.if defined(CLIENT_ONLY)
SUB_LIST+= PRECMD=:
PKGNAMESUFFIX= -client
CONFLICTS_INSTALL= ossec-hids-server-[0-9]* ossec-hids-local-[0-9]*
STRIP_FILES= agent-auth manage_agents ossec-agentd ossec-execd ossec-logcollector ossec-lua ossec-luac ossec-syscheckd
.elif defined(LOCAL_ONLY)
SUB_LIST+= PRECMD=ossechids_start_precmd
PKGNAMESUFFIX= -local
CONFLICTS_INSTALL= ossec-hids-client-[0-9]* ossec-hids-server-[0-9]*
.else
SUB_LIST+= PRECMD=ossechids_start_precmd
CONFLICTS_INSTALL= ossec-hids-client-[0-9]* ossec-hids-local-[0-9]*
.endif
post-patch:
@${REINPLACE_CMD} 's|PREFIX|${PREFIX}/${PORTNAME}|' ${WRKSRC}/src/headers/defs.h
@${ECHO} "DIR=\"${STAGEDIR}${PREFIX}/${PORTNAME}\"" > ${WRKSRC}/src/LOCATION
@${REINPLACE_CMD} -e 's|-DLUA_USE_LINUX|& ${CPPFLAGS}|' \
-e 's|-lreadline|& ${LDFLAGS}|' \
${WRKSRC}/src/external/lua-5.2.3/src/Makefile
@${REINPLACE_CMD} -e 's|OPENSSLCMD=|OPENSSLCMD=-L${OPENSSLLIB} |' \
${WRKSRC}/src/Makeall
do-build:
.if defined(WITH_DB)
.if defined(CLIENT_ONLY)
@cd ${WRKSRC}/src;${MAKE} setagent;${MAKE} all;${MAKE} build
.elif defined(LOCAL_ONLY)
@cd ${WRKSRC}/src;${MAKE} setlocal;${MAKE} setdb;${MAKE} all;${MAKE} build
.else
@cd ${WRKSRC}/src;${MAKE} setdb;${MAKE} all;${MAKE} build
.endif
.else
.if defined(CLIENT_ONLY)
@cd ${WRKSRC}/src;${MAKE} setagent;${MAKE} all;${MAKE} build; \
${MAKE} unsetdb
.elif defined(LOCAL_ONLY)
@cd ${WRKSRC}/src;${MAKE} setlocal;${MAKE} all;${MAKE} build; \
${MAKE} unsetdb
.else
@cd ${WRKSRC}/src;${MAKE} all;${MAKE} build;${MAKE} unsetdb
.endif
.endif
do-install:
.if defined(CLIENT_ONLY)
@cd ${WRKSRC}/src; ${MAKE} agent
.elif defined(LOCAL_ONLY)
@cd ${WRKSRC}/src; ${MAKE} local
.else
@cd ${WRKSRC}/src; ${MAKE} server
.endif
@${MKDIR} ${STAGEDIR}${PREFIX}/${PORTNAME}/etc
.for file in ${STRIP_FILES}
${STRIP_CMD} ${STAGEDIR}${PREFIX}/ossec-hids/bin/${file}
.endfor
.if defined(CLIENT_ONLY)
@${CP} ${WRKSRC}/etc/ossec-agent.conf ${STAGEDIR}${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
.elif defined(LOCAL_ONLY)
${CP} ${WRKSRC}/etc/ossec-local.conf ${STAGEDIR}${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
.else
${CP} ${WRKSRC}/etc/ossec-server.conf ${STAGEDIR}${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
.endif
post-install-DOCS-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} ${DOCSFILES} ${STAGEDIR}${DOCSDIR}
post-install-MYSQL-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/mysql.schema ${STAGEDIR}${DOCSDIR}
post-install-PGSQL-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
@cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/postgresql.schema ${STAGEDIR}${DOCSDIR}
.include <bsd.port.post.mk>
.include "${MASTERDIR}/Makefile"
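Review bot: The rewritten slave Makefile no longer carries the per-variant `CONFLICTS_INSTALL` lines that the old version set at lines 3800, 3805 and 3808, and nothing on the new side (presumably just the `OSSEC_TYPE= server` / `MASTERDIR= ${.CURDIR}/../ossec-hids-local` / `.include` lines) replaces them. Since all three variants install into the same `${PREFIX}/ossec-hids` tree, the master Makefile in `../ossec-hids-local` needs to derive `CONFLICTS_INSTALL` from `OSSEC_TYPE` so that server, local and the renamed agent package still refuse to co-install; I cannot see that file from here, so please confirm. The same applies to `BROKEN_aarch64` and the `STRIP_FILES` list, which otherwise silently disappear for the server variant with this change.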


@ -1,2 +0,0 @@
SHA256 (ossec-ossec-hids-v2.8.3_GH0.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
SIZE (ossec-ossec-hids-v2.8.3_GH0.tar.gz) = 1642095


@ -1,65 +0,0 @@
#!/bin/sh
#
# PROVIDE: ossechids
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown
. /etc/rc.subr
name="ossechids"
rcvar=ossechids_enable
load_rc_config $name
: ${ossechids_enable="NO"}
: ${ossechids_user="ossec"}
: ${ossechids_group="ossec"}
start_precmd=%%PRECMD%%
start_cmd="ossechids_command start"
stop_cmd="ossechids_command stop"
restart_cmd="ossechids_command restart"
status_cmd="ossechids_command status"
reload_cmd="ossechids_command reload"
command="%%PREFIX%%/%%PORTNAME%%/bin/ossec-control"
required_files="%%PREFIX%%/%%PORTNAME%%/etc/ossec.conf"
extra_commands="reload"
fts_queue=%%PREFIX%%/%%PORTNAME%%/queue/fts/fts-queue
ig_queue=%%PREFIX%%/%%PORTNAME%%/queue/fts/ig-queue
ossec_log=%%PREFIX%%/%%PORTNAME%%/logs/ossec.log
active_responses_log=%%PREFIX%%/%%PORTNAME%%/logs/active-responses.log
ossechids_start_precmd() {
# These files are not created by the daemons with the correct
# ownership, so create them here before starting up the system,
# if they don't already exist. This is only done for the "local" and
# "server" installation types.
if [ ! -e ${fts_queue} ]; then
touch ${fts_queue}
chown ${ossechids_user}:${ossechids_group} ${fts_queue}
chmod 640 ${fts_queue}
fi
if [ ! -e ${ig_queue} ]; then
touch ${ig_queue}
chown ${ossechids_user}:${ossechids_group} ${ig_queue}
chmod 640 ${ig_queue}
fi
# Ensure logfiles are created with the correct ownership and mode
for log in ${ossec_log} ${active_responses_log}; do
if [ ! -e ${log} ]; then
touch ${log}
chown ${ossechids_user}:${ossechids_group} ${log}
chmod 660 ${log}
fi
done
}
ossechids_command() {
${command} ${rc_arg}
}
run_rc_command "$1"


@ -1,123 +0,0 @@
--- src/InstallAgent.sh.orig 2015-10-12 21:21:06 UTC
+++ src/InstallAgent.sh
@@ -37,11 +37,11 @@ fi
# Creating groups/users
if [ "$UNAME" = "FreeBSD" -o "$UNAME" = "DragonFly" ]; then
- grep "^${USER}" /etc/passwd > /dev/null 2>&1
- if [ ! $? = 0 ]; then
- /usr/sbin/pw groupadd ${GROUP}
- /usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
- fi
+ #grep "^${USER}" /etc/passwd > /dev/null 2>&1
+ #if [ ! $? = 0 ]; then
+ #/usr/sbin/pw groupadd ${GROUP}
+ #/usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+ #fi
elif [ "$UNAME" = "SunOS" ]; then
grep "^${USER}" /etc/passwd > /dev/null 2>&1
@@ -106,22 +106,17 @@ for i in ${subdirs}; do
done
# Default for all directories
-chmod -R 550 ${DIR}
-chown -R root:${GROUP} ${DIR}
+chmod -R 750 ${DIR}
# To the ossec queue (default for agentd to read)
-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
chmod -R 770 ${DIR}/queue/ossec
# For the logging user
-chown -R ${USER}:${GROUP} ${DIR}/logs
chmod -R 750 ${DIR}/logs
chmod -R 775 ${DIR}/queue/rids
touch ${DIR}/logs/ossec.log
-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
chmod 664 ${DIR}/logs/ossec.log
-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
chmod -R 750 ${DIR}/queue/diff
chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
@@ -131,8 +126,7 @@ chmod 1550 ${DIR}/tmp
# For the etc dir
-chmod 550 ${DIR}/etc
-chown -R root:${GROUP} ${DIR}/etc
+chmod 750 ${DIR}/etc
ls /etc/localtime > /dev/null 2>&1
if [ $? = 0 ]; then
@@ -144,13 +138,11 @@ if [ "$UNAME" = "SunOS" ]; then
mkdir -p ${DIR}/usr/share/lib/zoneinfo/
chmod -R 555 ${DIR}/usr/
cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
- chown -R root:${GROUP} ${DIR}/usr/
fi
ls /etc/TIMEZONE > /dev/null 2>&1
if [ $? = 0 ]; then
cp -p /etc/TIMEZONE ${DIR}/etc/;
- chown root:${GROUP} ${DIR}/etc/TIMEZONE
chmod 555 ${DIR}/etc/TIMEZONE
fi
@@ -170,25 +162,17 @@ cp -pr ../etc/local_internal_options.con
cp -pr ../etc/client.keys ${DIR}/etc/ > /dev/null 2>&1
cp -pr agentlessd/scripts/* ${DIR}/agentless/
-chown root:${GROUP} ${DIR}/etc/internal_options.conf
-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/client.keys > /dev/null 2>&1
-chown root:${GROUP} ${DIR}/agentless/*
-chown ${USER}:${GROUP} ${DIR}/.ssh
-chown -R root:${GROUP} ${DIR}/etc/shared
-
-chmod 550 ${DIR}/etc
+chmod 750 ${DIR}/etc
chmod 440 ${DIR}/etc/internal_options.conf
chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
-chmod 550 ${DIR}/agentless/*
+chmod 750 ${DIR}/agentless/*
chmod 700 ${DIR}/.ssh
# For the /var/run
chmod 770 ${DIR}/var/run
-chown root:${GROUP} ${DIR}/var/run
# Moving the binary files
@@ -202,7 +186,6 @@ cp -pr addagent/manage_agents ${DIR}/bin
cp -pr ../contrib/util.sh ${DIR}/bin/
cp -pr external/lua/src/ossec-lua ${DIR}/bin/
cp -pr external/lua/src/ossec-luac ${DIR}/bin/
-chown root:${GROUP} ${DIR}/bin/util.sh
chmod +x ${DIR}/bin/util.sh
# Copying active response modules
@@ -210,10 +193,8 @@ sh ./init/fw-check.sh execute > /dev/nul
cp -pr ../active-response/*.sh ${DIR}/active-response/bin/
cp -pr ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
chmod 755 ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/bin/*
-chmod 550 ${DIR}/bin/*
+chmod 750 ${DIR}/bin/*
# Moving the config file
@@ -229,7 +210,6 @@ if [ $? = 0 ]; then
else
cp -pr ../etc/ossec-agent.conf ${DIR}/etc/ossec.conf
fi
-chown root:${GROUP} ${DIR}/etc/ossec.conf
chmod 440 ${DIR}/etc/ossec.conf


@ -1,208 +0,0 @@
--- src/InstallServer.sh.orig 2015-10-12 21:21:06 UTC
+++ src/InstallServer.sh
@@ -44,13 +44,13 @@ fi
# Creating groups/users
if [ "$UNAME" = "FreeBSD" -o "$UNAME" = "DragonFly" ]; then
- grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
- if [ ! $? = 0 ]; then
- /usr/sbin/pw groupadd ${GROUP}
- /usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
- /usr/sbin/pw useradd ${USER_MAIL} -d ${DIR} -s /sbin/nologin -g ${GROUP}
- /usr/sbin/pw useradd ${USER_REM} -d ${DIR} -s /sbin/nologin -g ${GROUP}
- fi
+# grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
+# if [ ! $? = 0 ]; then
+# /usr/sbin/pw groupadd ${GROUP}
+# /usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+# /usr/sbin/pw useradd ${USER_MAIL} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+# /usr/sbin/pw useradd ${USER_REM} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+# fi
elif [ "$UNAME" = "SunOS" ]; then
grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
@@ -121,66 +121,49 @@ for i in ${subdirs}; do
done
# Default for all directories
-chmod 550 ${DIR}
-chmod 550 ${DIR}/*
-chown root:${GROUP} ${DIR}
-chown root:${GROUP} ${DIR}/*
+chmod 750 ${DIR}
+chmod 750 ${DIR}/*
# AnalysisD needs to write to alerts: log, mail and cmds
-chown -R ${USER}:${GROUP} ${DIR}/queue/alerts
chmod -R 770 ${DIR}/queue/alerts
# To the ossec queue (default for analysisd to read)
-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
chmod -R 770 ${DIR}/queue/ossec
# To the ossec fts queue
-chown -R ${USER}:${GROUP} ${DIR}/queue/fts
chmod -R 750 ${DIR}/queue/fts
chmod 750 ${DIR}/queue/fts/* > /dev/null 2>&1
# To the ossec syscheck/rootcheck queue
-chown -R ${USER}:${GROUP} ${DIR}/queue/syscheck
chmod -R 750 ${DIR}/queue/syscheck
chmod 740 ${DIR}/queue/syscheck/* > /dev/null 2>&1
-chown -R ${USER}:${GROUP} ${DIR}/queue/rootcheck
chmod -R 750 ${DIR}/queue/rootcheck
chmod 740 ${DIR}/queue/rootcheck/* > /dev/null 2>&1
-chown ${USER}:${GROUP} ${DIR}/queue/diff
-chown ${USER}:${GROUP} ${DIR}/queue/diff/* > /dev/null 2>&1
chmod 750 ${DIR}/queue/diff
chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
-chown -R ${USER_REM}:${GROUP} ${DIR}/queue/agent-info
chmod -R 750 ${DIR}/queue/agent-info
chmod 740 ${DIR}/queue/agent-info/* > /dev/null 2>&1
-chown -R ${USER_REM}:${GROUP} ${DIR}/queue/rids
chmod -R 750 ${DIR}/queue/rids
chmod 740 ${DIR}/queue/rids/* > /dev/null 2>&1
-chown -R ${USER}:${GROUP} ${DIR}/queue/agentless
chmod -R 750 ${DIR}/queue/agentless
chmod 740 ${DIR}/queue/agentless/* > /dev/null 2>&1
-chown -R root:${GROUP} ${DIR}/tmp
-chmod 1550 ${DIR}/tmp
+chmod 1750 ${DIR}/tmp
# For the stats directory
-chown -R ${USER}:${GROUP} ${DIR}/stats
chmod -R 750 ${DIR}/stats
# For the logging user
-chown -R ${USER}:${GROUP} ${DIR}/logs
chmod -R 750 ${DIR}/logs
touch ${DIR}/logs/ossec.log
-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
chmod 660 ${DIR}/logs/ossec.log
touch ${DIR}/logs/active-responses.log
-chown ${USER}:${GROUP} ${DIR}/logs/active-responses.log
chmod 660 ${DIR}/logs/active-responses.log
# For the rules directory
@@ -198,7 +181,7 @@ if [ $? = 0 ]; then
fi
fi
-cp -pr ../etc/rules/* ${DIR}/rules/
+cp -pr ../etc/rules/*.xml ${DIR}/rules/
find ${DIR}/rules/ -type f -exec chmod 440 {} \;
# If the local_rules is saved, moved it back
@@ -207,37 +190,33 @@ if [ $? = 0 ]; then
mv ${DIR}/rules/saved_local_rules.xml.$$ ${DIR}/rules/local_rules.xml
fi
-chown -R root:${GROUP} ${DIR}/rules
-chmod -R 550 ${DIR}/rules
+chmod -R 750 ${DIR}/rules
# For the etc dir
-chmod 550 ${DIR}/etc
-chown -R root:${GROUP} ${DIR}/etc
+chmod 750 ${DIR}/etc
ls /etc/localtime > /dev/null 2>&1
if [ $? = 0 ]; then
cp -pL /etc/localtime ${DIR}/etc/;
chmod 440 ${DIR}/etc/localtime
- chown root:${GROUP} ${DIR}/etc/localtime
fi
# Solaris Needs some extra files
if [ "$UNAME" = "SunOS" ]; then
mkdir -p ${DIR}/usr/share/lib/zoneinfo/
- chmod -R 550 ${DIR}/usr/
+ chmod -R 750 ${DIR}/usr/
cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
fi
ls /etc/TIMEZONE > /dev/null 2>&1
if [ $? = 0 ]; then
cp -p /etc/TIMEZONE ${DIR}/etc/;
- chmod 550 ${DIR}/etc/TIMEZONE
+ chmod 750 ${DIR}/etc/TIMEZONE
fi
# For the /var/run
chmod 770 ${DIR}/var/run
-chown root:${GROUP} ${DIR}/var/run
# Moving the binary files
cp -pr addagent/manage_agents agentlessd/ossec-agentlessd \
@@ -260,7 +239,6 @@ cp -pr util/rootcheck_control ${DIR}/bin
cp -pr external/lua/src/ossec-lua ${DIR}/bin/
cp -pr external/lua/src/ossec-luac ${DIR}/bin/
cp -pr ../contrib/util.sh ${DIR}/bin/
-chown root:${GROUP} ${DIR}/bin/util.sh
chmod +x ${DIR}/bin/util.sh
# Local install chosen
@@ -290,23 +268,15 @@ fi
cp -pr ../etc/internal_options.conf ${DIR}/etc/
cp -pr rootcheck/db/*.txt ${DIR}/etc/shared/
-chown root:${GROUP} ${DIR}/etc/decoder.xml
-chown root:${GROUP} ${DIR}/etc/local_decoder.xml >/dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/internal_options.conf
-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/client.keys >/dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/shared/*
-chown root:${GROUP} ${DIR}/agentless/*
-chown ${USER}:${GROUP} ${DIR}/.ssh
chmod 440 ${DIR}/etc/decoder.xml
chmod 440 ${DIR}/etc/local_decoder.xml >/dev/null 2>&1
chmod 440 ${DIR}/etc/internal_options.conf
chmod 440 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1
chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1
-chmod 550 ${DIR}/etc
+chmod 750 ${DIR}/etc
chmod 770 ${DIR}/etc/shared
chmod 440 ${DIR}/etc/shared/*
-chmod 550 ${DIR}/agentless/*
+chmod 750 ${DIR}/agentless/*
rm ${DIR}/etc/shared/merged.mg >/dev/null 2>&1
chmod 700 ${DIR}/.ssh
@@ -316,11 +286,9 @@ sh ./init/fw-check.sh execute > /dev/nul
cp -p ../active-response/*.sh ${DIR}/active-response/bin/
cp -p ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
-chmod 550 ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/active-response/bin/*
+chmod 750 ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/bin/*
-chmod 550 ${DIR}/bin/*
+chmod 750 ${DIR}/bin/*
# Moving the config file
@@ -331,12 +299,11 @@ fi
ls ../etc/ossec.mc > /dev/null 2>&1
if [ $? = 0 ]; then
- cp -pr ../etc/ossec.mc ${DIR}/etc/ossec.conf
+ cp -pr ../etc/ossec.mc ${DIR}/etc/ossec.conf.sample
else
- cp -pr ../etc/ossec-server.conf ${DIR}/etc/ossec.conf
+ cp -pr ../etc/ossec-server.conf ${DIR}/etc/ossec.conf.sample
fi
-chown root:${GROUP} ${DIR}/etc/ossec.conf
-chmod 440 ${DIR}/etc/ossec.conf
+chmod 640 ${DIR}/etc/ossec.conf.sample


@ -1,5 +0,0 @@
--- src/LOCATION.orig 2015-10-12 21:21:06 UTC
+++ src/LOCATION
@@ -1 +1 @@
-DIR="/var/ossec"
+DIR="/usr/ports/security/ossec-hids-server/work/stage/usr/local/ossec-hids"


@ -1,11 +0,0 @@
--- src/headers/defs.h.orig 2015-10-12 21:21:06 UTC
+++ src/headers/defs.h
@@ -98,7 +98,7 @@ http://www.ossec.net/main/license/\n"
#endif
#ifndef DEFAULTDIR
- #define DEFAULTDIR "/var/ossec"
+ #define DEFAULTDIR "/usr/local/ossec-hids"
#endif


@ -1,11 +0,0 @@
--- src/os_dbd/mysql.schema.orig 2015-10-12 21:21:06 UTC
+++ src/os_dbd/mysql.schema
@@ -45,7 +45,7 @@ CREATE TABLE server
last_contact INT UNSIGNED NOT NULL,
version VARCHAR(32) NOT NULL,
hostname VARCHAR(64) NOT NULL UNIQUE,
- information VARCHAR(128) NOT NULL,
+ information TEXT NOT NULL,
PRIMARY KEY (id)
);


@ -1,11 +0,0 @@
--- src/os_dbd/postgresql.schema.orig 2015-10-12 21:21:06 UTC
+++ src/os_dbd/postgresql.schema
@@ -47,7 +47,7 @@ CREATE TABLE server
last_contact INT8 NOT NULL,
version VARCHAR(32) NOT NULL,
hostname VARCHAR(64) NOT NULL UNIQUE,
- information VARCHAR(128) NOT NULL,
+ information TEXT NOT NULL,
PRIMARY KEY (id)
);
