--- /dev/null
+
+ NOTES FOR DEBIAN USERS
+ ======================
+
+Package is local-only at this moment, but brings other binaries relevant
+to agent and server installations too so it is possible to switch from
+local to agent/server with manipulation of ossec-control symlink.
+
+OSSEC expects to be installed in "/var/ossec". To make it FHS-compliant
+would require certain code changes, and a complete removal of its chroot
+functionality.
+
+ -- Dinko Korunic <kreator@carnet.hr> Tue, 23 Feb 2010 14:58:23 +0100
--- /dev/null
+ossec-hids (2.5.1-3) stable; urgency=low
+
+ * lintian overrides
+
+ -- Dinko Korunic <kreator@carnet.hr> Sat, 23 Apr 2011 22:55:04 +0200
+
+ossec-hids (2.5.1-2) stable; urgency=low
+
+ * #19996: popravljeni bugovi iz lintian reporta (Valentin Vidic)
+
+ -- Dinko Korunic <kreator@carnet.hr> Mon, 21 Mar 2011 12:43:23 +0100
+
+ossec-hids (2.5.1-1) stable; urgency=low
+
+ * new upstream release (2.5.1)
+ * update copyright according to upstream changes
+
+ -- Dinko Korunic <kreator@carnet.hr> Thu, 24 Feb 2011 20:09:45 +0100
+
+ossec-hids (2.3-1) stable; urgency=low
+
+ * new upstream release (2.3)
+ * add README.Debian
+ * revert to pure upstream version
+ * #10233: amd64 buildanje
+ * #10232: lintian provjera
+ * #10234: debian/rules clean
+ * #10324: instalacija
+ * #10413: brisanje paketa
+ * #10434: brisanje korisnika
+
+ -- Dinko Korunic <kreator@carnet.hr> Thu, 11 Mar 2010 19:26:33 +0100
+
+ossec-hids (2.0-1) stable; urgency=low
+
+ * new upstream release (2.0)
+
+ -- Dinko Korunic <kreator@carnet.hr> Sun, 24 May 2009 15:15:42 +0200
+
+ossec-hids (1.5-1) stable; urgency=low
+
+ * new upstream release (1.5)
+ * patch source to do HELO localhost instead of bogus notify.ossec.net
+ * patch source to use static pidfile names instead of appending PID to name
+
+ -- Dinko Korunic <kreator@carnet.hr> Wed, 18 Jun 2008 17:13:52 +0200
+
+ossec-hids (1.3-1) stable; urgency=low
+
+ * initial Debian package
+
+ -- Dinko Korunic <kreator@carnet.hr> Wed, 19 Sep 2007 22:06:15 +0200
--- /dev/null
+/var/ossec/rules/local_rules.xml
+/var/ossec/etc/ossec.conf
+/var/ossec/etc/internal_options.conf
--- /dev/null
+Source: ossec-hids
+Section: admin
+Priority: extra
+Maintainer: Dinko Korunic <kreator@carnet.hr>
+Build-Depends: debhelper (>= 7)
+Standards-Version: 3.9.1
+
+Package: ossec-hids
+Architecture: any
+Depends: postfix | mail-transport-agent, expect (>= 5.43.0-17),
+ adduser (>= 3.110), ${misc:Depends}, ${shlibs:Depends}
+Priority: extra
+Section: admin
+Description: OSSEC HIDS
+ OSSEC is a scalable, multi-platform, open source Host-based Intrusion
+ Detection System (HIDS). It has a powerful correlation and analysis
+ engine, integrating log analysis, file integrity checking, Windows
+ registry monitoring, centralized policy enforcement, rootkit detection,
+ real-time alerting and active response.
+ .
+ It runs on most operating systems, including Linux, OpenBSD, FreeBSD,
+ MacOS, Solaris and Windows.
+ .
+ More information on OSSEC is available at: http://www.ossec.net/ .
--- /dev/null
+This package was debianized by Dinko Korunic <kreator@carnet.hr> on
+Mon, 01 Mar 2010 17:37:28 +0100.
+
+It was downloaded from http://www.ossec.net/
+
+Upstream Authors: Daniel B. Cid
+
+Copyright:
+
+ Copyright (C) 2010 Trend Micro Inc. All rights reserved.
+
+ OSSEC HIDS is a free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License (version 2) as
+ published by the FSF - Free Software Foundation.
+
+ Note that this license applies to the source code, as well as
+ decoders, rules and any other data file included with OSSEC (unless
+ otherwise specified).
+
+ For the purpose of this license, we consider an application to constitute a
+ "derivative work" or a work based on this program if it does any of the
+ following (list not exclusive):
+
+ * Integrates source code/data files from OSSEC.
+ * Includes OSSEC copyrighted material.
+ * Includes/integrates OSSEC into a proprietary executable installer.
+ * Links to a library or executes a program that does any of the above.
+
+ This list is not exclusive, but just a clarification of our interpretation
+ of derived works. These restrictions only apply if you actually redistribute
+ OSSEC (or parts of it).
+
+ We don't consider these to be added restrictions on top of the GPL,
+ but just a clarification of how we interpret "derived works" as it
+ applies to OSSEC. This is similar to the way Linus Torvalds has
+ announced his interpretation of how "derived works" applies to Linux kernel
+ modules. Our interpretation refers only to OSSEC - we don't speak
+ for any other GPL products.
+
+ OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU General Public License Version 3 below for more details.
+
+
+On Debian systems, a copy of the GNU General Public License Version 3 may be
+found in /usr/share/common-licenses/GPL-3.
+
--- /dev/null
+BUGS
+CONTRIBUTORS
+CONFIG
+README
+doc/README.config
+doc/nmap.txt
+doc/rule_ids.txt
+doc/active-response-internal.txt
+doc/logs.txt
+doc/rules.txt
+doc/active-response.txt
+doc/manager.txt
+doc/rootcheck.txt
+contrib
--- /dev/null
+ossec-hids: embedded-zlib ./var/ossec/bin/agent_control
+ossec-hids: embedded-zlib ./var/ossec/bin/clear_stats
+ossec-hids: embedded-zlib ./var/ossec/bin/list_agents
+ossec-hids: embedded-zlib ./var/ossec/bin/manage_agents
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-agentd
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-analysisd
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-logtest
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-makelists
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-monitord
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-regex
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-remoted
+ossec-hids: embedded-zlib ./var/ossec/bin/ossec-reportd
+ossec-hids: embedded-zlib ./var/ossec/bin/rootcheck_control
+ossec-hids: embedded-zlib ./var/ossec/bin/syscheck_control
+ossec-hids: embedded-zlib ./var/ossec/bin/syscheck_update
+ossec-hids: embedded-zlib ./var/ossec/bin/verify-agent-conf
+ossec-hids: non-etc-file-marked-as-conffile /var/ossec/etc/internal_options.conf
+ossec-hids: non-etc-file-marked-as-conffile /var/ossec/etc/ossec.conf
+ossec-hids: non-etc-file-marked-as-conffile /var/ossec/rules/local_rules.xml
+ossec-hids: non-standard-dir-in-var var/ossec/
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/disable-account.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/firewall-drop.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/host-deny.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/ipfw.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/ipfw_mac.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/ossec-tweeter.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/pf.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/restart-ossec.sh
+ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/route-null.sh
+ossec-hids: file-in-unusual-dir var/ossec/agentless/main.exp
+ossec-hids: file-in-unusual-dir var/ossec/agentless/register_host.sh
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh.exp
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_asa-fwsmconfig_diff
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_foundry_diff
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_generic_diff
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_integrity_check_bsd
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_integrity_check_linux
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_nopass.exp
+ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_pixconfig_diff
+ossec-hids: file-in-unusual-dir var/ossec/agentless/sshlogin.exp
+ossec-hids: file-in-unusual-dir var/ossec/agentless/su.exp
+ossec-hids: file-in-unusual-dir var/ossec/bin/agent_control
+ossec-hids: file-in-unusual-dir var/ossec/bin/clear_stats
+ossec-hids: file-in-unusual-dir var/ossec/bin/list_agents
+ossec-hids: file-in-unusual-dir var/ossec/bin/manage_agents
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-agentd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-agentlessd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-analysisd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-client.sh
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-control
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-csyslogd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-dbd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-execd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-local.sh
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-logcollector
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-logtest
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-maild
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-makelists
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-monitord
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-regex
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-remoted
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-reportd
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-server.sh
+ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-syscheckd
+ossec-hids: file-in-unusual-dir var/ossec/bin/rootcheck_control
+ossec-hids: file-in-unusual-dir var/ossec/bin/syscheck_control
+ossec-hids: file-in-unusual-dir var/ossec/bin/syscheck_update
+ossec-hids: file-in-unusual-dir var/ossec/bin/verify-agent-conf
+ossec-hids: file-in-unusual-dir var/ossec/etc/decoder.xml
+ossec-hids: file-in-unusual-dir var/ossec/etc/internal_options.conf
+ossec-hids: file-in-unusual-dir var/ossec/etc/ossec-agent.conf
+ossec-hids: file-in-unusual-dir var/ossec/etc/ossec-local.conf
+ossec-hids: file-in-unusual-dir var/ossec/etc/ossec-server.conf
+ossec-hids: file-in-unusual-dir var/ossec/etc/ossec.conf
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/cis_debian_linux_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/cis_rhel_linux_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/rootkit_files.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/rootkit_trojans.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/system_audit_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/win_applications_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/win_audit_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/etc/shared/win_malware_rcl.txt
+ossec-hids: file-in-unusual-dir var/ossec/rules/apache_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/arpwatch_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/asterisk_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/attack_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/cimserver_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/cisco-ios_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/courier_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/dovecot_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/firewall_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ftpd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/hordeimp_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ids_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/imapd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/local_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/mailscanner_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/mcafee_av_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ms-exchange_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ms-se_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ms_dhcp_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ms_ftpd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/msauth_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/mysql_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/named_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/netscreenfw_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/nginx_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/ossec_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/pam_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/php_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/pix_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/policy_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/postfix_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/postgresql_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/proftpd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/pure-ftpd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/racoon_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/roundcube_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/rules_config.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/sendmail_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/smbd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/solaris_bsm_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/sonicwall_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/spamd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/squid_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/sshd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/symantec-av_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/symantec-ws_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/syslog_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/telnetd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/trend-osce_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/vmpop3d_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/vmware_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/vpn_concentrator_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/vpopmail_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/vsftpd_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/web_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/wordpress_rules.xml
+ossec-hids: file-in-unusual-dir var/ossec/rules/zeus_rules.xml
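Review bot: The sixteen `embedded-zlib` overrides at the top of this file silence the one lintian finding here that is about security rather than file layout. If those binaries really carry their own copy of zlib, they will not pick up zlib fixes shipped through Debian security updates until this package is rebuilt. The overrides should only stay if linking against the system library is not possible, and in that case a comment above them should say why, for example `# upstream bundles zlib; tracked in <bug-number-placeholder>`. Otherwise add `zlib1g-dev` to `Build-Depends` and drop these lines.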
--- /dev/null
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ # continue below
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# users and group names
+OSSEC_USER="ossec"
+OSSEC_USER_MAIL="ossecm"
+OSSEC_USER_EXEC="ossece"
+OSSEC_USER_REM="ossecr"
+OSSEC_GROUP="ossec"
+
+# get installation directory
+. /etc/ossec-init.conf
+if [ "X${DIRECTORY}" = "X" ]; then
+ DIRECTORY="/var/ossec"
+fi
+
+# create group
+if ! getent group $OSSEC_GROUP >/dev/null; then
+ addgroup --system $OSSEC_GROUP
+fi
+
+# create/modify users
+if ! getent passwd $OSSEC_USER >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER >/dev/null 2>&1
+fi
+if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_MAIL >/dev/null 2>&1
+fi
+if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_EXEC >/dev/null 2>&1
+fi
+if ! getent passwd $OSSEC_USER_REM >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_REM >/dev/null 2>&1
+fi
+
+# fix ownership
+chown -R root:$OSSEC_GROUP $DIRECTORY
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/alerts
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/ossec
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/fts
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/syscheck
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/rootcheck
+chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/agent-info
+chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/rids
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/stats
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc
+touch $DIRECTORY/logs/ossec.log
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs/ossec.log
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
+chown -R root:$OSSEC_GROUP $DIRECTORY/rules
+chown root:$OSSEC_GROUP $DIRECTORY/etc/decoder.xml
+chown root:$OSSEC_GROUP $DIRECTORY/etc/internal_options.conf
+chown root:$OSSEC_GROUP $DIRECTORY/etc/client.keys >/dev/null 2>&1 || true
+chown root:$OSSEC_GROUP $DIRECTORY/agentless/*
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc/shared
+chown root:$OSSEC_GROUP $DIRECTORY/var/run
+chown root:$OSSEC_GROUP $DIRECTORY/active-response/bin/*
+chown root:$OSSEC_GROUP $DIRECTORY/bin/*
+chown root:$OSSEC_GROUP $DIRECTORY/etc/ossec.conf
+
+# fix perms
+chmod -R 550 $DIRECTORY
+chmod -R 770 $DIRECTORY/queue/alerts
+chmod -R 770 $DIRECTORY/queue/ossec
+chmod -R 750 $DIRECTORY/queue/fts
+chmod -R 750 $DIRECTORY/queue/syscheck
+chmod -R 750 $DIRECTORY/queue/rootcheck
+chmod -R 750 $DIRECTORY/queue/diff
+chmod -R 755 $DIRECTORY/queue/agent-info
+chmod -R 755 $DIRECTORY/queue/rids
+chmod -R 755 $DIRECTORY/queue/agentless
+chmod -R 750 $DIRECTORY/stats
+chmod -R 750 $DIRECTORY/logs
+chmod -R 550 $DIRECTORY/rules
+chmod 770 $DIRECTORY/var/run
+chmod 550 $DIRECTORY/etc
+chmod 440 $DIRECTORY/etc/internal_options.conf
+chmod -R 770 $DIRECTORY/etc/shared
+chmod 700 $DIRECTORY/.ssh
+chmod 755 $DIRECTORY/active-response/bin/*
+chmod 550 $DIRECTORY/bin/*
+chmod 440 $DIRECTORY/etc/ossec.conf
+
+# fixups: no need for execute bits on files there
+find $DIRECTORY/rules -type f -exec chmod ugo-x '{}' ';'
+find $DIRECTORY/etc -type f -exec chmod ugo-x '{}' ';'
+
+# copy timezone and localtime
+if [ -e /etc/timezone ]; then
+ cmp -s /etc/timezone $DIRECTORY/etc/timezone || \
+ cp -a /etc/timezone $DIRECTORY/etc/timezone
+fi
+if [ -e /etc/localtime ]; then
+ cmp -s /etc/localtime $DIRECTORY/etc/localtime || \
+ cp -a /etc/localtime $DIRECTORY/etc/localtime
+fi
+
+# update system v init links
+update-rc.d ossec-hids defaults >/dev/null
+
+# and start the service
+if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d ossec-hids restart
+else
+ /etc/init.d/ossec-hids restart
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
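Review bot: The `chown -R` and `chmod -R` calls under `# fix ownership` and `# fix perms` run as root on every configure, over directories (`queue/*`, `logs`, `stats`) that the unprivileged ossec accounts own and can write to. Whatever a misbehaving or compromised daemon left there, hard links included, gets its owner and mode rewritten by root. Setting the attributes non-recursively on the directories the package ships, e.g. `chown "$OSSEC_USER:$OSSEC_GROUP" "$DIRECTORY/queue/alerts"`, avoids that. `$DIRECTORY` is sourced from `/etc/ossec-init.conf` and then used unquoted and unchecked as the root of those recursive calls, so quote it and check it with `[ -d "$DIRECTORY" ] || exit 1` first. The `usermod` branches discard all output, so under `set -e` a failure there aborts the configure step with no message.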
--- /dev/null
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ purge)
+ # continue below
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ exit 0
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# cleanup leftovers
+rm -rf /var/ossec/etc /var/ossec/queue /var/ossec/stats
+
+# chown ossec mail directory back to root
+chown -Rh root:root /var/ossec
+
+# users and group names
+OSSEC_USER="ossec"
+OSSEC_USER_MAIL="ossecm"
+OSSEC_USER_EXEC="ossece"
+OSSEC_USER_REM="ossecr"
+OSSEC_GROUP="ossec"
+
+# delete users/groups
+if getent passwd $OSSEC_USER >/dev/null; then
+ deluser $OSSEC_USER
+fi
+if getent passwd $OSSEC_USER_MAIL >/dev/null; then
+ deluser $OSSEC_USER_MAIL
+fi
+if getent passwd $OSSEC_USER_EXEC >/dev/null; then
+ deluser $OSSEC_USER_EXEC
+fi
+if getent passwd $OSSEC_USER_REM >/dev/null; then
+ deluser $OSSEC_USER_REM
+fi
+if getent group $OSSEC_GROUP >/dev/null; then
+ delgroup --quiet $OSSEC_GROUP
+fi
+
+# update system v init links
+update-rc.d -f ossec-hids remove
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
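Review bot: With `set -e` active, `chown -Rh root:root /var/ossec` makes the purge fail if the directory has already been removed by hand, which leaves the package stuck in a half-purged state. Guard it as `if [ -d /var/ossec ]; then chown -Rh root:root /var/ossec; fi`. The same applies to `deluser` and `delgroup`: they come from `adduser`, which is not guaranteed to be installed when `postrm purge` runs, so test for it first with `if command -v deluser >/dev/null 2>&1; then ... fi`. The paths are hard-coded here while postinst honours `DIRECTORY` from `/etc/ossec-init.conf`, and `/var/ossec/logs` is left in place. If keeping the alert logs after purge is intended, a comment should say so.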
--- /dev/null
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ purge|remove)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# stop the service
+if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d ossec-hids stop
+else
+ /etc/init.d/ossec-hids stop
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
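Review bot: The `purge` alternative in the `case` is unreachable, since dpkg calls prerm with `remove`, `upgrade`, `failed-upgrade` or `deconfigure` and passes `purge` only to postrm. Reduce the arm to `remove)` and add a comment such as `# upgrade: daemons keep running; postinst restarts them` so the missing stop on upgrade reads as deliberate.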
--- /dev/null
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# Directories
+SRCDIR = $(CURDIR)/src
+PKGDIR = $(CURDIR)/debian/ossec-hids
+DESTDIR = $(PKGDIR)/var/ossec
+
+# OSSEC INSTALL SUBDIRS
+SUBDIRS = .ssh active-response active-response/bin agentless bin etc etc/shared logs logs/alerts logs/archives logs/firewall queue queue/agent-info queue/agentless queue/alerts queue/diff queue/fts queue/ossec queue/rids queue/rootcheck queue/syscheck rules stats tmp var var/run
+
+###################### main ######################
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+ dh_clean
+
+ $(MAKE) -C $(SRCDIR) setlocal all build
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ $(MAKE) -C $(SRCDIR) clean
+
+ # additional clean
+ rm -f $(SRCDIR)/Config.OS \
+ $(SRCDIR)/analysisd/compiled_rules/compiled_rules.h \
+ $(SRCDIR)/analysisd/ossec-logtest \
+ $(SRCDIR)/isbigendian \
+ $(SRCDIR)/isbigendian.c \
+ $(SRCDIR)/analysisd/ossec-makelists
+ rm -rf $(CURDIR)/bin
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+
+ # ugly directory creation
+ for i in $(SUBDIRS); do \
+ mkdir -p -m 700 $(DESTDIR)/$$i; \
+ done
+
+ # various files installation
+ install -m 644 etc/internal_options.conf $(DESTDIR)/etc
+ install -m 644 etc/decoder.xml $(DESTDIR)/etc
+ install -m 644 src/rootcheck/db/*.txt $(DESTDIR)/etc/shared
+ if [ -e ossec-debian.conf ]; then \
+ install -m 440 ossec-debian.conf $(DESTDIR)/etc/ossec.conf; \
+ else \
+ install -m 440 etc/ossec-local.conf $(DESTDIR)/etc/ossec.conf; \
+ fi
+ install -m 440 etc/ossec-*.conf $(DESTDIR)/etc
+ cp -r etc/rules/* $(DESTDIR)/rules
+ install -m 750 src/agentlessd/scripts/* $(DESTDIR)/agentless
+ install -s -m 755 bin/* $(DESTDIR)/bin
+ install -m 755 src/init/ossec-*.sh $(DESTDIR)/bin
+ ln -s ossec-local.sh $(DESTDIR)/bin/ossec-control
+ install -m 755 active-response/*.sh $(DESTDIR)/active-response/bin
+ install -m 755 active-response/firewalls/*.sh \
+ $(DESTDIR)/active-response/bin
+
+ # attrs
+ chmod -R 550 $(DESTDIR)
+ chmod -R 770 $(DESTDIR)/queue/alerts
+ chmod -R 770 $(DESTDIR)/queue/ossec
+ chmod -R 750 $(DESTDIR)/queue/fts
+ chmod -R 750 $(DESTDIR)/queue/syscheck
+ chmod -R 750 $(DESTDIR)/queue/rootcheck
+ chmod -R 750 $(DESTDIR)/queue/diff
+ chmod -R 755 $(DESTDIR)/queue/agent-info
+ chmod -R 755 $(DESTDIR)/queue/rids
+ chmod -R 755 $(DESTDIR)/queue/agentless
+ chmod -R 750 $(DESTDIR)/stats
+ chmod -R 750 $(DESTDIR)/logs
+ chmod -R 550 $(DESTDIR)/rules
+ chmod 770 $(DESTDIR)/var/run
+ chmod 550 $(DESTDIR)/etc
+ chmod 440 $(DESTDIR)/etc/internal_options.conf
+ chmod -R 770 $(DESTDIR)/etc/shared
+ chmod 700 $(DESTDIR)/.ssh
+ chmod 755 $(DESTDIR)/active-response/bin/*
+ chmod 550 $(DESTDIR)/bin/*
+ chmod 440 $(DESTDIR)/etc/ossec.conf
+
+ # fixups: no need for execute bits on files there
+ find $(DESTDIR)/rules -type f -exec chmod ugo-x '{}' ';'
+ find $(DESTDIR)/etc -type f -exec chmod ugo-x '{}' ';'
+
+ # system init script
+ mkdir -p $(PKGDIR)/etc/init.d
+ if [ -e ossec-hids-debian.init ]; then \
+ install -m 755 ossec-hids-debian.init \
+ $(PKGDIR)/etc/init.d/ossec-hids; \
+ else \
+ install -m 755 src/init/ossec-hids.init \
+ $(PKGDIR)/etc/init.d/ossec-hids; \
+ fi
+
+ # system ossec-init
+ echo "DIRECTORY=\"/var/ossec\"" > $(PKGDIR)/etc/ossec-init.conf
+ echo "VERSION=\"`cat src/VERSION`\"" >> $(PKGDIR)/etc/ossec-init.conf
+ echo "DATE=\"$(shell date --utc -d "$(shell dpkg-parsechangelog | sed -ne 's/Date: //p')")\"" >> $(PKGDIR)/etc/ossec-init.conf
+ echo "TYPE=\"local\"" >> $(PKGDIR)/etc/ossec-init.conf
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+# dh_installexamples
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installcatalogs
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+# dh_undocumented
+ dh_lintian
+ dh_installman
+ dh_link
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
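Review bot: The `# attrs` block in `install` (the `chmod 700 $(DESTDIR)/.ssh`, `chmod 440 .../etc/ossec.conf` and `770` queue modes) is most likely undone by the later `dh_fixperms` call in `binary-arch`. As far as I know, dh_fixperms resets everything in the package tree to root-owned with `go=rX` modes. The .deb would then unpack `/var/ossec`, including `.ssh` and `ossec.conf`, with ordinary world-readable modes, and only postinst tightens them afterwards. If the restrictive modes are meant to be in the archive, exclude the tree with `dh_fixperms --exclude=var/ossec`; otherwise drop the block and say in a comment that postinst is what enforces permissions. Separately, `install -s` strips unconditionally and ignores `DEB_BUILD_OPTIONS=nostrip`.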
--- /dev/null
+<ossec_config>
+ <global>
+ <email_notification>yes</email_notification>
+ <email_to>root@localhost</email_to>
+ <smtp_server>127.0.0.1</smtp_server>
+ <email_from>ossecm@localhost</email_from>
+ </global>
+
+ <rules>
+ <include>rules_config.xml</include>
+ <include>pam_rules.xml</include>
+ <include>sshd_rules.xml</include>
+ <include>telnetd_rules.xml</include>
+ <include>syslog_rules.xml</include>
+ <include>arpwatch_rules.xml</include>
+ <include>symantec-av_rules.xml</include>
+ <include>symantec-ws_rules.xml</include>
+ <include>pix_rules.xml</include>
+ <include>named_rules.xml</include>
+ <include>smbd_rules.xml</include>
+ <include>vsftpd_rules.xml</include>
+ <include>pure-ftpd_rules.xml</include>
+ <include>proftpd_rules.xml</include>
+ <include>ms_ftpd_rules.xml</include>
+ <include>ftpd_rules.xml</include>
+ <include>hordeimp_rules.xml</include>
+ <include>roundcube_rules.xml</include>
+ <include>wordpress_rules.xml</include>
+ <include>vpopmail_rules.xml</include>
+ <include>vmpop3d_rules.xml</include>
+ <include>courier_rules.xml</include>
+ <include>web_rules.xml</include>
+ <include>apache_rules.xml</include>
+ <include>nginx_rules.xml</include>
+ <include>php_rules.xml</include>
+ <include>mysql_rules.xml</include>
+ <include>postgresql_rules.xml</include>
+ <include>ids_rules.xml</include>
+ <include>squid_rules.xml</include>
+ <include>firewall_rules.xml</include>
+ <include>cisco-ios_rules.xml</include>
+ <include>netscreenfw_rules.xml</include>
+ <include>sonicwall_rules.xml</include>
+ <include>postfix_rules.xml</include>
+ <include>sendmail_rules.xml</include>
+ <include>imapd_rules.xml</include>
+ <include>mailscanner_rules.xml</include>
+ <include>dovecot_rules.xml</include>
+ <include>ms-exchange_rules.xml</include>
+ <include>racoon_rules.xml</include>
+ <include>vpn_concentrator_rules.xml</include>
+ <include>spamd_rules.xml</include>
+ <include>msauth_rules.xml</include>
+ <include>mcafee_av_rules.xml</include>
+ <include>trend-osce_rules.xml</include>
+ <!-- <include>policy_rules.xml</include> -->
+ <include>zeus_rules.xml</include>
+ <include>solaris_bsm_rules.xml</include>
+ <include>vmware_rules.xml</include>
+ <include>ms_dhcp_rules.xml</include>
+ <include>asterisk_rules.xml</include>
+ <include>ossec_rules.xml</include>
+ <include>attack_rules.xml</include>
+ <include>local_rules.xml</include>
+ </rules>
+
+ <syscheck>
+ <!-- Frequency that syscheck is executed - default to every 22 hours -->
+ <frequency>79200</frequency>
+
+ <!-- Directories to check (perform all possible verifications) -->
+ <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes">/bin,/sbin</directories>
+
+ <!-- Files/directories to ignore -->
+ <ignore>/etc/mtab</ignore>
+ <ignore>/etc/mnttab</ignore>
+ <ignore>/etc/hosts.deny</ignore>
+ <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/random-seed</ignore>
+ <ignore>/etc/adjtime</ignore>
+ <ignore>/etc/httpd/logs</ignore>
+ <ignore>/etc/utmpx</ignore>
+ <ignore>/etc/wtmpx</ignore>
+ <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/svc/volatile</ignore>
+ </syscheck>
+
+ <rootcheck>
+ <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+ <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
+ </rootcheck>
+
+ <active-response>
+ <disabled>yes</disabled>
+ </active-response>
+
+ <alerts>
+ <log_alert_level>1</log_alert_level>
+ <email_alert_level>7</email_alert_level>
+ </alerts>
+ <!-- Files to monitor (localfiles) -->
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/messages</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/xferlog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/vsftpd.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/mail.info</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/maillog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/apache2/error.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/apache2/access.log</location>
+ </localfile>
+</ossec_config>
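Review bot: `<ignore>/etc/hosts.deny</ignore>` in the syscheck section removes integrity monitoring from an access-control file, while the only thing that would legitimately rewrite it is switched off here by `<disabled>yes</disabled>` under `<active-response>`. With active response disabled, changes to `hosts.deny` are worth alerting on, so drop that ignore line. If it stays, add a comment such as `<!-- ignored because host-deny.sh rewrites it when active response is enabled -->`. Several `<localfile>` locations (`/var/log/messages`, `/var/log/maillog`, `/var/log/xferlog`) look like paths from other distributions and may not exist on a default Debian install. It is worth checking which of them this package really needs.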
--- /dev/null
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: ossec-hids
+# Required-Start: $local_fs $remote_fs $syslog
+# Required-Stop: $local_fs $remote_fs $syslog
+# Should-Start: $all
+# Should-Stop: $all
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: OSSEC HIDS init script
+# Description: Init script for OSSEC HIDS services
+### END INIT INFO
+
+# OSSEC Controls OSSEC HIDS
+# Author: Daniel B. Cid <dcid@ossec.net>
+# Modified for slackware by Jack S. Lai
+# Modified for Debian package by Dinko Korunic <kreator@carnet.hr>
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+. /etc/ossec-init.conf
+if [ "X${DIRECTORY}" = "X" ]; then
+ DIRECTORY="/var/ossec"
+fi
+
+
+start() {
+ ${DIRECTORY}/bin/ossec-control start
+}
+
+stop() {
+ ${DIRECTORY}/bin/ossec-control stop
+}
+
+status() {
+ ${DIRECTORY}/bin/ossec-control status
+}
+
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ force-reload)
+ stop
+ start
+ ;;
+ status)
+ status
+ ;;
+ *)
+ echo "*** Usage: $0 {start|stop|restart|status}"
+ exit 1
+esac
+
+exit 0
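Review bot: The trailing `exit 0` discards the status of `ossec-control`, so `start`, `restart` and `status` report success even when the daemons did not come up. The postinst's `invoke-rc.d ossec-hids restart` then cannot notice that the HIDS is not running. End the arms with the real status, e.g. `start) start || exit $? ;;`. After a `remove` without purge this script stays behind as a conffile while the binaries are gone, so add `[ -x "${DIRECTORY}/bin/ossec-control" ] || exit 0` right after the `DIRECTORY` default. `force-reload` is handled but missing from the usage string, and the usage message should go to stderr.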