From: Dinko Korunic Date: Thu, 15 Aug 2013 17:33:08 +0000 (+0200) Subject: Merge tag 'upstream/2.7' X-Git-Tag: debian/2.7-1~6 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=commitdiff_plain;h=ff0e686ac67bbd82b60c277eb324910dbc60f65f;hp=6ef2f786c6c8ead94841b5f93baf9f43421f08c8 Merge tag 'upstream/2.7' Upstream version 2.7
---
diff --git a/README.Debian b/README.Debian
new file mode 100644
index 0000000..109bffb
--- /dev/null
+++ b/README.Debian
@@ -0,0 +1,13 @@
+
+ NOTES FOR DEBIAN USERS
+ ======================
+
+Package is local-only at this moment, but brings other binaries relevant
+to agent and server installations too so it is possible to switch from
+local to agent/server with manipulation of ossec-control symlink.
+
+OSSEC expects to be installed in "/var/ossec". To make it FHS-compliant
+would require certain code changes, and a complete removal of its chroot
+functionality.
+
+ -- Dinko Korunic Tue, 23 Feb 2010 14:58:23 +0100
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..511f795
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,52 @@
+ossec-hids (2.5.1-3) stable; urgency=low
+
+ * lintian overrides
+
+ -- Dinko Korunic Sat, 23 Apr 2011 22:55:04 +0200
+
+ossec-hids (2.5.1-2) stable; urgency=low
+
+ * #19996: popravljeni bugovi iz lintian reporta (Valentin Vidic)
+
+ -- Dinko Korunic Mon, 21 Mar 2011 12:43:23 +0100
+
+ossec-hids (2.5.1-1) stable; urgency=low
+
+ * new upstream release (2.5.1)
+ * update copyright according to upstream changes
+
+ -- Dinko Korunic Thu, 24 Feb 2011 20:09:45 +0100
+
+ossec-hids (2.3-1) stable; urgency=low
+
+ * new upstream release (2.3)
+ * add README.Debian
+ * revert to pure upstream version
+ * #10233: amd64 buildanje
+ * #10232: lintian provjera
+ * #10234: debian/rules clean
+ * #10324: instalacija
+ * #10413: brisanje paketa
+ * #10434: brisanje korisnika
+
+ -- Dinko Korunic Thu, 11 Mar 2010 19:26:33 +0100
+
+ossec-hids (2.0-1) stable; urgency=low
+
+ * new upstream release (2.0)
+
+ -- Dinko Korunic Sun, 24 May 2009 15:15:42 +0200
+
+ossec-hids (1.5-1) stable; urgency=low
+
+ * new upstream release (1.5)
+ * patch source to do HELO localhost instead of bogus notify.ossec.net
+ * patch source to use static pidfile names instead of appending PID to name
+
+ -- Dinko Korunic Wed, 18 Jun 2008 17:13:52 +0200
+
+ossec-hids (1.3-1) stable; urgency=low
+
+ * initial Debian package
+
+ -- Dinko Korunic Wed, 19 Sep 2007 22:06:15 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7f8f011
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000..41eff52
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1,3 @@
+/var/ossec/rules/local_rules.xml
+/var/ossec/etc/ossec.conf
+/var/ossec/etc/internal_options.conf
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..4af5ace
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,24 @@
+Source: ossec-hids
+Section: admin
+Priority: extra
+Maintainer: Dinko Korunic
+Build-Depends: debhelper (>= 7)
+Standards-Version: 3.9.1
+
+Package: ossec-hids
+Architecture: any
+Depends: postfix | mail-transport-agent, expect (>= 5.43.0-17),
+ adduser (>= 3.110), ${misc:Depends}, ${shlibs:Depends}
+Priority: extra
+Section: admin
+Description: OSSEC HIDS
+ OSSEC is a scalable, multi-platform, open source Host-based Intrusion
+ Detection System (HIDS). It has a powerful correlation and analysis
+ engine, integrating log analysis, file integrity checking, Windows
+ registry monitoring, centralized policy enforcement, rootkit detection,
+ real-time alerting and active response.
+ .
+ It runs on most operating systems, including Linux, OpenBSD, FreeBSD,
+ MacOS, Solaris and Windows.
+ .
+ More information on OSSEC is available at: http://www.ossec.net/ .
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..7f89f04
--- /dev/null
+++ b/debian/copyright
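Review bot: The binary stanza repeats `Priority: extra` and `Section: admin`, which the source stanza already sets and which the binary package inherits, so the duplicates only give a future editor two places to keep in sync. The project URL is carried in the last paragraph of the long description rather than in a `Homepage:` field; `Homepage: http://www.ossec.net/` in the source stanza is the machine-readable form tools and the package pages use, after which the trailing description paragraph can go. Consider also noting in a comment why `expect` is a hard dependency (the agentless scripts under var/ossec/agentless are the only visible consumer), since a local-only install never runs them.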
@@ -0,0 +1,48 @@
+This package was debianized by Dinko Korunic on
+Mon, 01 Mar 2010 17:37:28 +0100.
+
+It was downloaded from http://www.ossec.net/
+
+Upstream Authors: Daniel B. Cid
+
+Copyright:
+
+ Copyright (C) 2010 Trend Micro Inc. All rights reserved.
+
+ OSSEC HIDS is a free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License (version 2) as
+ published by the FSF - Free Software Foundation.
+
+ Note that this license applies to the source code, as well as
+ decoders, rules and any other data file included with OSSEC (unless
+ otherwise specified).
+
+ For the purpose of this license, we consider an application to constitute a
+ "derivative work" or a work based on this program if it does any of the
+ following (list not exclusive):
+
+ * Integrates source code/data files from OSSEC.
+ * Includes OSSEC copyrighted material.
+ * Includes/integrates OSSEC into a proprietary executable installer.
+ * Links to a library or executes a program that does any of the above.
+
+ This list is not exclusive, but just a clarification of our interpretation
+ of derived works. These restrictions only apply if you actually redistribute
+ OSSEC (or parts of it).
+
+ We don't consider these to be added restrictions on top of the GPL,
+ but just a clarification of how we interpret "derived works" as it
+ applies to OSSEC. This is similar to the way Linus Torvalds has
+ announced his interpretation of how "derived works" applies to Linux kernel
+ modules. Our interpretation refers only to OSSEC - we don't speak
+ for any other GPL products.
+
+ OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU General Public License Version 3 below for more details.
+
+
+On Debian systems, a copy of the GNU General Public License Version 3 may be
+found in /usr/share/common-licenses/GPL-3.
+
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..24721fe
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,14 @@
+BUGS
+CONTRIBUTORS
+CONFIG
+README
+doc/README.config
+doc/nmap.txt
+doc/rule_ids.txt
+doc/active-response-internal.txt
+doc/logs.txt
+doc/rules.txt
+doc/active-response.txt
+doc/manager.txt
+doc/rootcheck.txt
+contrib
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..45cc7b7
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,154 @@ +ossec-hids: embedded-zlib ./var/ossec/bin/agent_control +ossec-hids: embedded-zlib ./var/ossec/bin/clear_stats +ossec-hids: embedded-zlib ./var/ossec/bin/list_agents +ossec-hids: embedded-zlib ./var/ossec/bin/manage_agents +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-agentd +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-analysisd +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-logtest +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-makelists +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-monitord +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-regex +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-remoted +ossec-hids: embedded-zlib ./var/ossec/bin/ossec-reportd +ossec-hids: embedded-zlib ./var/ossec/bin/rootcheck_control +ossec-hids: embedded-zlib ./var/ossec/bin/syscheck_control +ossec-hids: embedded-zlib ./var/ossec/bin/syscheck_update +ossec-hids: embedded-zlib ./var/ossec/bin/verify-agent-conf +ossec-hids: non-etc-file-marked-as-conffile /var/ossec/etc/internal_options.conf +ossec-hids: non-etc-file-marked-as-conffile /var/ossec/etc/ossec.conf +ossec-hids: non-etc-file-marked-as-conffile /var/ossec/rules/local_rules.xml +ossec-hids: non-standard-dir-in-var var/ossec/ +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/disable-account.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/firewall-drop.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/host-deny.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/ipfw.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/ipfw_mac.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/ossec-tweeter.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/pf.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/restart-ossec.sh +ossec-hids: file-in-unusual-dir var/ossec/active-response/bin/route-null.sh +ossec-hids: file-in-unusual-dir var/ossec/agentless/main.exp +ossec-hids: 
file-in-unusual-dir var/ossec/agentless/register_host.sh +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh.exp +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_asa-fwsmconfig_diff +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_foundry_diff +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_generic_diff +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_integrity_check_bsd +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_integrity_check_linux +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_nopass.exp +ossec-hids: file-in-unusual-dir var/ossec/agentless/ssh_pixconfig_diff +ossec-hids: file-in-unusual-dir var/ossec/agentless/sshlogin.exp +ossec-hids: file-in-unusual-dir var/ossec/agentless/su.exp +ossec-hids: file-in-unusual-dir var/ossec/bin/agent_control +ossec-hids: file-in-unusual-dir var/ossec/bin/clear_stats +ossec-hids: file-in-unusual-dir var/ossec/bin/list_agents +ossec-hids: file-in-unusual-dir var/ossec/bin/manage_agents +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-agentd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-agentlessd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-analysisd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-client.sh +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-control +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-csyslogd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-dbd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-execd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-local.sh +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-logcollector +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-logtest +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-maild +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-makelists +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-monitord +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-regex +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-remoted +ossec-hids: 
file-in-unusual-dir var/ossec/bin/ossec-reportd +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-server.sh +ossec-hids: file-in-unusual-dir var/ossec/bin/ossec-syscheckd +ossec-hids: file-in-unusual-dir var/ossec/bin/rootcheck_control +ossec-hids: file-in-unusual-dir var/ossec/bin/syscheck_control +ossec-hids: file-in-unusual-dir var/ossec/bin/syscheck_update +ossec-hids: file-in-unusual-dir var/ossec/bin/verify-agent-conf +ossec-hids: file-in-unusual-dir var/ossec/etc/decoder.xml +ossec-hids: file-in-unusual-dir var/ossec/etc/internal_options.conf +ossec-hids: file-in-unusual-dir var/ossec/etc/ossec-agent.conf +ossec-hids: file-in-unusual-dir var/ossec/etc/ossec-local.conf +ossec-hids: file-in-unusual-dir var/ossec/etc/ossec-server.conf +ossec-hids: file-in-unusual-dir var/ossec/etc/ossec.conf +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/cis_debian_linux_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/cis_rhel5_linux_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/cis_rhel_linux_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/rootkit_files.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/rootkit_trojans.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/system_audit_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/win_applications_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/win_audit_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/etc/shared/win_malware_rcl.txt +ossec-hids: file-in-unusual-dir var/ossec/rules/apache_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/arpwatch_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/asterisk_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/attack_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/cimserver_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/cisco-ios_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/courier_rules.xml +ossec-hids: file-in-unusual-dir 
var/ossec/rules/dovecot_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/firewall_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ftpd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/hordeimp_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ids_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/imapd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/local_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/mailscanner_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/mcafee_av_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ms-exchange_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ms-se_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ms_dhcp_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ms_ftpd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/msauth_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/mysql_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/named_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/netscreenfw_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/nginx_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/ossec_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/pam_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/php_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/pix_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/policy_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/postfix_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/postgresql_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/proftpd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/pure-ftpd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/racoon_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/roundcube_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/rules_config.xml +ossec-hids: file-in-unusual-dir 
var/ossec/rules/sendmail_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/smbd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/solaris_bsm_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/sonicwall_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/spamd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/squid_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/sshd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/symantec-av_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/symantec-ws_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/syslog_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/telnetd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_da.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_de.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_en.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_es.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_it.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_no.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml +ossec-hids: file-in-unusual-dir 
var/ossec/rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/trend-osce_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/vmpop3d_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/vmware_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/vpn_concentrator_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/vpopmail_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/vsftpd_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/web_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/wordpress_rules.xml +ossec-hids: file-in-unusual-dir var/ossec/rules/zeus_rules.xml diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..51a3d12 --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,151 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ # continue below
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# users and group names
+OSSEC_USER="ossec"
+OSSEC_USER_MAIL="ossecm"
+OSSEC_USER_EXEC="ossece"
+OSSEC_USER_REM="ossecr"
+OSSEC_GROUP="ossec"
+
+# get installation directory
+. /etc/ossec-init.conf
+if [ "X${DIRECTORY}" = "X" ]; then
+ DIRECTORY="/var/ossec"
+fi
+
+# create group
+if ! getent group $OSSEC_GROUP >/dev/null; then
+ addgroup --system $OSSEC_GROUP
+fi
+
+# create/modify users
+if ! getent passwd $OSSEC_USER >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER >/dev/null 2>&1
+fi
+if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_MAIL >/dev/null 2>&1
+fi
+if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_EXEC >/dev/null 2>&1
+fi
+if ! getent passwd $OSSEC_USER_REM >/dev/null; then
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_REM >/dev/null 2>&1
+fi
+
+# fix ownership
+chown -R root:$OSSEC_GROUP $DIRECTORY
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/alerts
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/ossec
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/fts
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/syscheck
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/rootcheck
+chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/agent-info
+chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/rids
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/stats
+chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc
+touch $DIRECTORY/logs/ossec.log
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs/ossec.log
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
+chown -R root:$OSSEC_GROUP $DIRECTORY/rules
+chown root:$OSSEC_GROUP $DIRECTORY/etc/decoder.xml
+chown root:$OSSEC_GROUP $DIRECTORY/etc/internal_options.conf
+chown root:$OSSEC_GROUP $DIRECTORY/etc/client.keys >/dev/null 2>&1 || true
+chown root:$OSSEC_GROUP $DIRECTORY/agentless/*
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc/shared
+chown root:$OSSEC_GROUP $DIRECTORY/var/run
+chown root:$OSSEC_GROUP $DIRECTORY/active-response/bin/*
+chown root:$OSSEC_GROUP $DIRECTORY/bin/*
+chown root:$OSSEC_GROUP $DIRECTORY/etc/ossec.conf
+
+# fix perms
+chmod -R 550 $DIRECTORY
+chmod -R 770 $DIRECTORY/queue/alerts
+chmod -R 770 $DIRECTORY/queue/ossec
+chmod -R 750 $DIRECTORY/queue/fts
+chmod -R 750 $DIRECTORY/queue/syscheck
+chmod -R 750 $DIRECTORY/queue/rootcheck
+chmod -R 750 $DIRECTORY/queue/diff
+chmod -R 755 $DIRECTORY/queue/agent-info
+chmod -R 755 $DIRECTORY/queue/rids
+chmod -R 755 $DIRECTORY/queue/agentless
+chmod -R 750 $DIRECTORY/stats
+chmod -R 750 $DIRECTORY/logs
+chmod -R 550 $DIRECTORY/rules
+chmod 770 $DIRECTORY/var/run
+chmod 550 $DIRECTORY/etc
+chmod 440 $DIRECTORY/etc/internal_options.conf
+chmod -R 770 $DIRECTORY/etc/shared
+chmod 700 $DIRECTORY/.ssh
+chmod 755 $DIRECTORY/active-response/bin/*
+chmod 550 $DIRECTORY/bin/*
+chmod 440 $DIRECTORY/etc/ossec.conf
+
+# fixups: no need for execute bits on files there
+find $DIRECTORY/rules -type f -exec chmod ugo-x '{}' ';'
+find $DIRECTORY/etc -type f -exec chmod ugo-x '{}' ';'
+
+# copy timezone and localtime
+if [ -e /etc/timezone ]; then
+ cmp -s /etc/timezone $DIRECTORY/etc/timezone || \
+ cp -a /etc/timezone $DIRECTORY/etc/timezone
+fi
+if [ -e /etc/localtime ]; then
+ cmp -s /etc/localtime $DIRECTORY/etc/localtime || \
+ cp -a /etc/localtime $DIRECTORY/etc/localtime
+fi
+
+# update system v init links
+update-rc.d ossec-hids defaults >/dev/null
+
+# and start the service
+if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d ossec-hids restart
+else
+ /etc/init.d/ossec-hids restart
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..cc661bc
--- /dev/null
+++ b/debian/postrm
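Review bot: `DIRECTORY` is taken from the sourced `/etc/ossec-init.conf` with only an empty-string fallback and is then handed, as root, to `chown -R`, `chmod -R 550` and the two `find ... -exec chmod` calls, so a malformed or hand-edited value such as `/` or `/var` would have those applied far outside the OSSEC tree. Because debian/rules writes `DIRECTORY="/var/ossec"` into that file and postrm hard-codes the same path, a guard before the `# fix ownership` block is cheap and consistent: `case "$DIRECTORY" in /var/ossec) ;; *) echo "unexpected DIRECTORY=$DIRECTORY" >&2; exit 1 ;; esac`. The four `usermod ... >/dev/null 2>&1` calls run under `set -e`, so a failure aborts configure while discarding the only diagnostic; drop the `2>&1`, or append `|| true` if the update is best-effort. `chmod -R 770 $DIRECTORY/etc/shared` leaves the rootcheck databases writable by every process in the unprivileged ossec group; if that mirrors the upstream install layout, a one-line comment saying so would keep a later reader from tightening it blind. The second `chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh` is a duplicate of the one a few lines above.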
@@ -0,0 +1,58 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ purge)
+ # continue below
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ exit 0
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# cleanup leftovers
+rm -rf /var/ossec/etc /var/ossec/queue /var/ossec/stats
+
+# chown ossec mail directory back to root
+chown -Rh root:root /var/ossec
+
+# users and group names
+OSSEC_USER="ossec"
+OSSEC_USER_MAIL="ossecm"
+OSSEC_USER_EXEC="ossece"
+OSSEC_USER_REM="ossecr"
+OSSEC_GROUP="ossec"
+
+# delete users/groups
+if getent passwd $OSSEC_USER >/dev/null; then
+ deluser $OSSEC_USER
+fi
+if getent passwd $OSSEC_USER_MAIL >/dev/null; then
+ deluser $OSSEC_USER_MAIL
+fi
+if getent passwd $OSSEC_USER_EXEC >/dev/null; then
+ deluser $OSSEC_USER_EXEC
+fi
+if getent passwd $OSSEC_USER_REM >/dev/null; then
+ deluser $OSSEC_USER_REM
+fi
+if getent group $OSSEC_GROUP >/dev/null; then
+ delgroup --quiet $OSSEC_GROUP
+fi
+
+# update system v init links
+update-rc.d -f ossec-hids remove
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 0000000..5bcb011
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ purge|remove)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# stop the service
+if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d ossec-hids stop
+else
+ /etc/init.d/ossec-hids stop
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..1c328d4
--- /dev/null
+++ b/debian/rules
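Review bot: The purge path hard-codes `/var/ossec` for `rm -rf` and `chown -Rh`, while postinst derives the same location from `DIRECTORY` in `/etc/ossec-init.conf`; if the two ever disagree, purge removes the wrong tree or leaves the real one behind. Since that conf file is shipped by the package and is already gone when postrm runs with `purge`, hard-coding is probably unavoidable, so make it deliberate with a comment such as `# /var/ossec is hard-coded: /etc/ossec-init.conf is already removed at purge time`. The `deluser` calls run without `--system` even though postinst created the accounts with `adduser --system`; `deluser --system $OSSEC_USER` (and likewise for the other three) refuses to delete a same-named account that an administrator has since recreated as a regular user. It also appears that `/var/ossec/logs` (alerts and archives) survives purge on purpose; if so, the `# cleanup leftovers` comment should say that.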
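Review bot: The `purge|remove` pattern is half dead and misses the case that matters: dpkg never calls prerm with `purge` (its arguments are `remove`, `upgrade`, `deconfigure` and `failed-upgrade`), and `upgrade` falls through to `*)`, so the daemons keep running while their executables under /var/ossec/bin are replaced, until postinst restarts them. With `dh_installinit` commented out in debian/rules nothing else stops the service on upgrade, so `remove|upgrade|deconfigure)` is the pattern to use here; the `restart` in postinst still brings the service back afterwards. Under `set -e` a non-zero exit from `invoke-rc.d ossec-hids stop` also blocks removal of the package, which is usually what is wanted, but a comment stating that intent would help the next maintainer.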
@@ -0,0 +1,153 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# Directories
+SRCDIR = $(CURDIR)/src
+PKGDIR = $(CURDIR)/debian/ossec-hids
+DESTDIR = $(PKGDIR)/var/ossec
+
+# OSSEC INSTALL SUBDIRS
+SUBDIRS = .ssh active-response active-response/bin agentless bin etc etc/shared logs logs/alerts logs/archives logs/firewall queue queue/agent-info queue/agentless queue/alerts queue/diff queue/fts queue/ossec queue/rids queue/rootcheck queue/syscheck rules stats tmp var var/run
+
+###################### main ######################
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+ dh_clean
+
+ $(MAKE) -C $(SRCDIR) setlocal all build
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ $(MAKE) -C $(SRCDIR) clean
+
+ # additional clean
+ rm -f $(SRCDIR)/Config.OS \
+ $(SRCDIR)/analysisd/compiled_rules/compiled_rules.h \
+ $(SRCDIR)/analysisd/ossec-logtest \
+ $(SRCDIR)/isbigendian \
+ $(SRCDIR)/isbigendian.c \
+ $(SRCDIR)/analysisd/ossec-makelists
+ rm -rf $(CURDIR)/bin
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+
+ # ugly directory creation
+ for i in $(SUBDIRS); do \
+ mkdir -p -m 700 $(DESTDIR)/$$i; \
+ done
+
+ # various files installation
+ install -m 644 etc/internal_options.conf $(DESTDIR)/etc
+ install -m 644 etc/decoder.xml $(DESTDIR)/etc
+ install -m 644 src/rootcheck/db/*.txt $(DESTDIR)/etc/shared
+ if [ -e ossec-debian.conf ]; then \
+ install -m 440 ossec-debian.conf $(DESTDIR)/etc/ossec.conf; \
+ else \
+ install -m 440 etc/ossec-local.conf $(DESTDIR)/etc/ossec.conf; \
+ fi
+ install -m 440 etc/ossec-*.conf $(DESTDIR)/etc
+ cp -r etc/rules/* $(DESTDIR)/rules
+ install -m 750 src/agentlessd/scripts/* $(DESTDIR)/agentless
+ install -s -m 755 bin/* $(DESTDIR)/bin
+ install -m 755 src/init/ossec-*.sh $(DESTDIR)/bin
+ ln -s ossec-local.sh $(DESTDIR)/bin/ossec-control
+ install -m 755 active-response/*.sh $(DESTDIR)/active-response/bin
+ install -m 755 active-response/firewalls/*.sh \
+ $(DESTDIR)/active-response/bin
+
+ # attrs
+ chmod -R 550 $(DESTDIR)
+ chmod -R 770 $(DESTDIR)/queue/alerts
+ chmod -R 770 $(DESTDIR)/queue/ossec
+ chmod -R 750 $(DESTDIR)/queue/fts
+ chmod -R 750 $(DESTDIR)/queue/syscheck
+ chmod -R 750 $(DESTDIR)/queue/rootcheck
+ chmod -R 750 $(DESTDIR)/queue/diff
+ chmod -R 755 $(DESTDIR)/queue/agent-info
+ chmod -R 755 $(DESTDIR)/queue/rids
+ chmod -R 755 $(DESTDIR)/queue/agentless
+ chmod -R 750 $(DESTDIR)/stats
+ chmod -R 750 $(DESTDIR)/logs
+ chmod -R 550 $(DESTDIR)/rules
+ chmod 770 $(DESTDIR)/var/run
+ chmod 550 $(DESTDIR)/etc
+ chmod 440 $(DESTDIR)/etc/internal_options.conf
+ chmod -R 770 $(DESTDIR)/etc/shared
+ chmod 700 $(DESTDIR)/.ssh
+ chmod 755 $(DESTDIR)/active-response/bin/*
+ chmod 550 $(DESTDIR)/bin/*
+ chmod 440 $(DESTDIR)/etc/ossec.conf
+
+ # fixups: no need for execute bits on files there
+ find $(DESTDIR)/rules -type f -exec chmod ugo-x '{}' ';'
+ find $(DESTDIR)/etc -type f -exec chmod ugo-x '{}' ';'
+
+ # system init script
+ mkdir -p $(PKGDIR)/etc/init.d
+ if [ -e ossec-hids-debian.init ]; then \
+ install -m 755 ossec-hids-debian.init \
+ $(PKGDIR)/etc/init.d/ossec-hids; \
+ else \
+ install -m 755 src/init/ossec-hids.init \
+ $(PKGDIR)/etc/init.d/ossec-hids; \
+ fi
+
+ # system ossec-init
+ echo "DIRECTORY=\"/var/ossec\"" > $(PKGDIR)/etc/ossec-init.conf
+ echo "VERSION=\"`cat src/VERSION`\"" >> $(PKGDIR)/etc/ossec-init.conf
+ echo "DATE=\"$(shell date --utc -d "$(shell dpkg-parsechangelog | sed -ne 's/Date: //p')")\"" >> $(PKGDIR)/etc/ossec-init.conf
+ echo "TYPE=\"local\"" >> $(PKGDIR)/etc/ossec-init.conf
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+# dh_installexamples
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installcatalogs
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+# dh_undocumented
+ dh_lintian
+ dh_installman
+ dh_link
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/ossec-debian.conf b/ossec-debian.conf
new file mode 100644
index 0000000..76ff99a
--- /dev/null
+++ b/ossec-debian.conf
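Review bot: The whole `# attrs` block and the two `find ... chmod ugo-x` fixups in `install` are undone later in `binary-arch` by `dh_fixperms`, whose normalisation pass (`go=rX,u+rw,a-s` over the package tree) turns `etc/ossec.conf` and `etc/internal_options.conf` back into 0644, `.ssh` into 0755 and the 550 directories into 755, so the shipped .deb does not carry the modes this recipe sets and they only appear once the duplicate chmod block in postinst has run. Either exclude the tree so the modes set here survive, `dh_fixperms -X var/ossec`, or delete the block and state in a comment that postinst is the single place permissions are applied; keeping two copies by hand is how they will drift. `install -s` strips at install time, bypassing `dh_strip` and therefore `DEB_BUILD_OPTIONS=nostrip`; calling `dh_strip` in `binary-arch` and dropping `-s` is the conventional form. The `DATE=` line nests a `$(shell ...)` inside a recipe that is itself run by the shell, which works but deserves a comment explaining that `dpkg-parsechangelog` is evaluated at make-parse time, not when the recipe runs.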
@@ -0,0 +1,158 @@ + + + yes + root@localhost + 127.0.0.1 + ossecm@localhost + + + + rules_config.xml + pam_rules.xml + sshd_rules.xml + telnetd_rules.xml + syslog_rules.xml + arpwatch_rules.xml + symantec-av_rules.xml + symantec-ws_rules.xml + pix_rules.xml + named_rules.xml + smbd_rules.xml + vsftpd_rules.xml + pure-ftpd_rules.xml + proftpd_rules.xml + ms_ftpd_rules.xml + ftpd_rules.xml + hordeimp_rules.xml + roundcube_rules.xml + wordpress_rules.xml + vpopmail_rules.xml + vmpop3d_rules.xml + courier_rules.xml + web_rules.xml + apache_rules.xml + nginx_rules.xml + php_rules.xml + mysql_rules.xml + postgresql_rules.xml + ids_rules.xml + squid_rules.xml + firewall_rules.xml + cisco-ios_rules.xml + netscreenfw_rules.xml + sonicwall_rules.xml + postfix_rules.xml + sendmail_rules.xml + imapd_rules.xml + mailscanner_rules.xml + dovecot_rules.xml + ms-exchange_rules.xml + racoon_rules.xml + vpn_concentrator_rules.xml + spamd_rules.xml + msauth_rules.xml + mcafee_av_rules.xml + trend-osce_rules.xml + + zeus_rules.xml + solaris_bsm_rules.xml + vmware_rules.xml + ms_dhcp_rules.xml + asterisk_rules.xml + ossec_rules.xml + attack_rules.xml + local_rules.xml + + + + + 79200 + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin + + + /etc/mtab + /etc/mnttab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + + /var/ossec/etc/shared/rootkit_files.txt + /var/ossec/etc/shared/rootkit_trojans.txt + /var/ossec/etc/shared/system_audit_rcl.txt + /var/ossec/etc/shared/cis_debian_linux_rcl.txt + /var/ossec/etc/shared/cis_rhel_linux_rcl.txt + /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt + + + + yes + + + + 1 + 7 + + + + + syslog + /var/log/messages + + + + syslog + /var/log/auth.log + + + + syslog + /var/log/syslog + + + + syslog + /var/log/xferlog + + + + syslog + /var/log/vsftpd.log + + + + syslog + /var/log/mail.info + + + + syslog + /var/log/maillog + + + + syslog + 
/var/log/dpkg.log + + + + apache + /var/log/apache2/error.log + + + + apache + /var/log/apache2/access.log + + diff --git a/ossec-hids-debian.init b/ossec-hids-debian.init new file mode 100644 index 0000000..0842549 --- /dev/null +++ b/ossec-hids-debian.init @@ -0,0 +1,64 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: ossec-hids +# Required-Start: $local_fs $remote_fs $syslog +# Required-Stop: $local_fs $remote_fs $syslog +# Should-Start: $all +# Should-Stop: $all +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: OSSEC HIDS init script +# Description: Init script for OSSEC HIDS services +### END INIT INFO + +# OSSEC Controls OSSEC HIDS +# Author: Daniel B. Cid +# Modified for slackware by Jack S. Lai +# Modified for Debian package by Dinko Korunic + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +. /etc/ossec-init.conf +if [ "X${DIRECTORY}" = "X" ]; then + DIRECTORY="/var/ossec" +fi + + +start() { + ${DIRECTORY}/bin/ossec-control start +} + +stop() { + ${DIRECTORY}/bin/ossec-control stop +} + +status() { + ${DIRECTORY}/bin/ossec-control status +} + + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + start + ;; + force-reload) + stop + start + ;; + status) + status + ;; + *) + echo "*** Usage: $0 {start|stop|restart|status}" + exit 1 +esac + +exit 0
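Review bot: The XML element names of this hunk appear to have been stripped in this rendering (only text nodes such as `yes`, `root@localhost`, `127.0.0.1` and the rule and log file names survive), so the structure of the file cannot be checked here and should be reviewed from the raw commit. Among the visible values, `/var/log/maillog` and `/var/log/xferlog` are not Debian log paths (Debian's syslog writes mail to `/var/log/mail.log` and `/var/log/mail.info`, the latter already listed), so on a Debian-targeted configuration those entries presumably produce only repeated open-failure warnings from the log collector; either drop them or add a comment saying they are kept for reuse on non-Debian agents. The six rootcheck database entries point at `/var/ossec/etc/shared/*.txt`, a directory postinst makes group-writable with `chmod -R 770`; a comment in one of the two places stating which process is expected to write there would make that pairing explicit.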
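Review bot: The `status` branch discards the result of `ossec-control status`: the function's return value is ignored and the script unconditionally ends with `exit 0`, so `invoke-rc.d ossec-hids status` (and any monitoring built on it) reports success even when every daemon is down, whereas LSB expects 3 for "not running". The minimal change is `status) status; exit $? ;;`, and the same masking applies to `start` and `stop`; alternatively replace the final `exit 0` with `exit $?` so the last command's status propagates for every branch. The usage message should also list `force-reload`, which the `case` already accepts. As in postinst, `DIRECTORY` comes from `/etc/ossec-init.conf` with only an empty-string fallback before being used to locate a binary executed as root; a check that it is `/var/ossec` (or at least an absolute path) is cheap and would catch a broken conf file early.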