#!/bin/sh # postinst script for ossec-hids set -e case "$1" in configure) DIR="/var/ossec/" USER="ossec" USER_MAIL="ossecm" USER_REM="ossecr" GROUP="ossec" OSSEC_HIDS_TMP_DIR="/tmp/ossec-hids" OSMYSHELL="/sbin/nologin" if [ ! -f ${OSMYSHELL} ]; then if [ -f "/bin/false" ]; then OSMYSHELL="/bin/false" fi fi if ! getent group | grep -q "^ossec" then addgroup --system ossec fi if ! getent passwd | grep -q "^ossec" then adduser --system --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER} > /dev/null 2>&1 fi if ! getent passwd | grep -q "^ossecm" then adduser --system --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER_MAIL} > /dev/null 2>&1 fi if ! getent passwd | grep -q "^ossecr" then adduser --system --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER_REM} > /dev/null 2>&1 fi # Default for all directories chmod -R 550 ${DIR} chown -R root:${GROUP} ${DIR} # AnalysisD needs to write to alerts: log, mail and cmds chown -R ${USER}:${GROUP} ${DIR}/queue/alerts chmod -R 770 ${DIR}/queue/alerts # To the ossec queue (default for analysisd to read) chown -R ${USER}:${GROUP} ${DIR}/queue/ossec chmod -R 770 ${DIR}/queue/ossec # To the ossec fts queue chown -R ${USER}:${GROUP} ${DIR}/queue/fts chmod -R 750 ${DIR}/queue/fts chmod 740 ${DIR}/queue/fts/* > /dev/null 2>&1 || true # To the ossec syscheck/rootcheck queue chown -R ${USER}:${GROUP} ${DIR}/queue/syscheck chmod -R 750 ${DIR}/queue/syscheck chmod 740 ${DIR}/queue/syscheck/* > /dev/null 2>&1 || true chown -R ${USER}:${GROUP} ${DIR}/queue/rootcheck chmod -R 750 ${DIR}/queue/rootcheck chmod 740 ${DIR}/queue/rootcheck/* > /dev/null 2>&1 || true chown -R ${USER}:${GROUP} ${DIR}/queue/diff chmod -R 750 ${DIR}/queue/diff chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true chown -R ${USER_REM}:${GROUP} ${DIR}/queue/agent-info chmod -R 755 ${DIR}/queue/agent-info chmod 744 ${DIR}/queue/agent-info/* > /dev/null 2>&1 || true chown -R ${USER_REM}:${GROUP} ${DIR}/queue/rids chmod -R 755 ${DIR}/queue/rids chmod 744 ${DIR}/queue/rids/* > /dev/null 2>&1 || true chown -R ${USER}:${GROUP} ${DIR}/queue/agentless chmod -R 755 ${DIR}/queue/agentless chmod 744 ${DIR}/queue/agentless/* > /dev/null 2>&1 || true # For the stats directory chown -R ${USER}:${GROUP} ${DIR}/stats chmod -R 750 ${DIR}/stats # For the logging user chown -R ${USER}:${GROUP} ${DIR}/logs chmod -R 750 ${DIR}/logs touch ${DIR}/logs/ossec.log chown ${USER}:${GROUP} ${DIR}/logs/ossec.log chmod 664 ${DIR}/logs/ossec.log # Backup previous rules if [ -d ${DIR}/rules/ ]; then mkdir ${DIR}/rules/backup-rules.$$ cp -pr ${DIR}/rules/*.xml ${DIR}/rules/backup-rules.$$/ fi # Restore the local rules if [ -f ${OSSEC_HIDS_TMP_DIR}/local_rules.xml ]; then mv ${OSSEC_HIDS_TMP_DIR}/local_rules.xml ${DIR}/rules/local_rules.xml fi chown -R root:${GROUP} ${DIR}/rules chmod -R 550 ${DIR}/rules # For the etc dir chmod 550 ${DIR}/etc chown -R root:${GROUP} ${DIR}/etc if [ -f /etc/localtime ]; then cp -pL /etc/localtime ${DIR}/etc/; chmod 555 ${DIR}/etc/localtime chown root:${GROUP} ${DIR}/etc/localtime fi if [ -f /etc/TIMEZONE ]; then cp -p /etc/TIMEZONE ${DIR}/etc/; chmod 555 ${DIR}/etc/TIMEZONE fi # For the /var/run chmod 770 ${DIR}/var/run chown root:${GROUP} ${DIR}/var/run # More files chown root:${GROUP} ${DIR}/etc/decoder.xml chown root:${GROUP} ${DIR}/etc/local_decoder.xml >/dev/null 2>&1 || true chown root:${GROUP} ${DIR}/etc/internal_options.conf chown root:${GROUP} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true chown root:${GROUP} ${DIR}/etc/client.keys >/dev/null 2>&1 || true chown root:${GROUP} ${DIR}/etc/shared/* chown root:${GROUP} ${DIR}/agentless/* chown ${USER}:${GROUP} ${DIR}/.ssh chmod 440 ${DIR}/etc/decoder.xml chmod 660 ${DIR}/etc/local_decoder.xml >/dev/null 2>&1 || true chmod 440 ${DIR}/etc/internal_options.conf chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true chmod 550 ${DIR}/etc chmod 770 ${DIR}/etc/shared chmod 660 ${DIR}/etc/shared/* chmod 550 ${DIR}/agentless/* chmod 700 ${DIR}/.ssh rm ${DIR}/etc/shared/merged.mg >/dev/null 2>&1 || true chmod 755 ${DIR}/active-response/bin/* chown root:${GROUP} ${DIR}/active-response/bin/* chown root:${GROUP} ${DIR}/bin/* chmod 550 ${DIR}/bin/* chown root:${GROUP} ${DIR}/etc/ossec.conf chmod 660 ${DIR}/etc/ossec.conf # Sticky bit for /var/ossec/tmp chmod +t ${DIR}/tmp # Debconf . /usr/share/debconf/confmodule db_input high ossec-hids/email_notification || true db_go db_get ossec-hids/email_notification EMAIL_NOTIFICATION=$RET if [ ${EMAIL_NOTIFICATION} = "yes" ]; then sed -i 's/[^<]\+<\/email_notification>/yes<\/email_notification>/' ${DIR}/etc/ossec.conf db_input high ossec-hids/email_to || true db_go db_input high ossec-hids/email_from || true db_go db_input high ossec-hids/smtp_server || true db_go db_get ossec-hids/email_to EMAIL_TO=$RET db_get ossec-hids/email_from EMAIL_FROM=$RET db_get ossec-hids/smtp_server SMTP_SERVER=$RET sed -i "s/[^<]\+<\/email_to>/${EMAIL_TO}<\/email_to>/" ${DIR}/etc/ossec.conf sed -i "s/[^<]\+<\/email_from>/${EMAIL_FROM}<\/email_from>/" ${DIR}/etc/ossec.conf sed -i "s/[^<]\+<\/smtp_server>/${SMTP_SERVER}<\/smtp_server>/" ${DIR}/etc/ossec.conf else sed -i 's/[^<]\+<\/email_notification>/no<\/email_notification>/' ${DIR}/etc/ossec.conf fi db_stop # ossec-init.conf if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then if [ -e /etc/ossec-init.conf ]; then rm -f /etc/ossec-init.conf fi ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf fi # init.d/ossec file if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then if [ -e /etc/init.d/ossec ]; then rm -f /etc/init.d/ossec fi ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec fi # Service if [ -x /etc/init.d/ossec ]; then update-rc.d -f ossec defaults service ossec restart fi # Delete tmp directory if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then rm -r ${OSSEC_HIDS_TMP_DIR} fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >22 exit 1 ;; esac exit 0