; NSIS script that builds the OSSEC HIDS Windows agent installer and its
; uninstaller. The number at the start of each line is the original file's
; line number; the numbers skip, so some statements are not shown here.
4 ; standard NSIS includes
5 !include "LogicLib.nsh"
; nsProcess and SimpleSC are plugin directories given as relative paths; the
; plugin DLLs found there are packed into the installer and called at run time.
; NOTE(review): treat them as third-party build inputs - record their origin
; and verify their hashes before building a release.
9 !addincludedir "nsProcess"
10 !addplugindir "nsProcess"
11 !include "nsProcess.nsh"
14 !addplugindir "SimpleSC"
; FileFunc.nsh provides the GetTime macro used by the install section
17 !include "FileFunc.nsh"
; product constants. The output name is only stored in a define here; the
; instruction that consumes it is not visible in this listing.
22 !define OutFile "ossec-win32-agent.exe"
26 !define MUI_ICON favicon.ico
27 !define MUI_UNICON ossec-uninstall.ico
28 !define VERSION "3.3.0"
29 !define NAME "OSSEC HIDS"
; Windows service name used by the service checks and their messages
30 !define SERVICE "OssecSvc"
32 Name "${NAME} Windows Agent v${VERSION}"
33 BrandingText "Copyright (C) 2003 - 2014 Trend Micro Inc."
; default install location; InstallDirRegKey replaces it with the default ("")
; value of HKLM\Software\OSSEC when that value exists.
; NOTE(review): the install section shown further down stores the path in the
; value "Install_Dir", not in the default value, so unless a hidden line also
; writes the default value an earlier install location is never picked up here.
36 InstallDir "$PROGRAMFILES\ossec-agent"
37 InstallDirRegKey HKLM Software\OSSEC ""
39 ; show (un)installation details
41 ShowUninstDetails show
43 ; do not close details pages immediately
44 !define MUI_FINISHPAGE_NOAUTOCLOSE
45 !define MUI_UNFINISHPAGE_NOAUTOCLOSE
; ask for confirmation when the user cancels the wizard
48 !define MUI_ABORTWARNING
51 !define MUI_WELCOMEPAGE_TITLE_3LINES
52 !define MUI_WELCOMEPAGE_TEXT "This wizard will guide you through the install of ${Name}.\r\n\r\nClick next to continue."
53 !define MUI_FINISHPAGE_TITLE_3LINES
; the finish page offers to start the agent manager from $INSTDIR.
; NOTE(review): a program started from the finish page inherits the
; installer's token, so it runs elevated whenever the installer does -
; confirm that this is intended for the manager UI.
54 !define MUI_FINISHPAGE_RUN "$INSTDIR\win32ui.exe"
55 !define MUI_FINISHPAGE_RUN_TEXT "Run OSSEC Agent Manager"
57 ; page for choosing components
58 !define MUI_COMPONENTSPAGE_TEXT_TOP "Select the options you want to be executed. Click next to continue."
59 !define MUI_COMPONENTSPAGE_NODESC
61 ; pages to display to user
62 !insertmacro MUI_PAGE_WELCOME
63 !insertmacro MUI_PAGE_LICENSE "LICENSE.txt"
64 !insertmacro MUI_PAGE_COMPONENTS
; the directory page lets the user move $INSTDIR away from $PROGRAMFILES.
; NOTE(review): the service executable and its helpers are installed into
; $INSTDIR and no step that sets ACLs on a custom directory is visible in this
; listing - confirm that unprivileged users cannot write to the chosen folder.
65 !insertmacro MUI_PAGE_DIRECTORY
66 !insertmacro MUI_PAGE_INSTFILES
67 !insertmacro MUI_PAGE_FINISH
69 ; these have to be defined again to work with the uninstall pages
70 !define MUI_WELCOMEPAGE_TITLE_3LINES
71 !define MUI_FINISHPAGE_TITLE_3LINES
72 !insertmacro MUI_UNPAGE_WELCOME
73 !insertmacro MUI_UNPAGE_CONFIRM
74 !insertmacro MUI_UNPAGE_INSTFILES
75 !insertmacro MUI_UNPAGE_FINISH
; single UI language
78 !insertmacro MUI_LANGUAGE "English"
; service-stop routine: checks whether the service named by SERVICE exists and
; is running, asks before stopping it, and reports failures with an
; Abort/Retry/Ignore prompt. Its Function/FunctionEnd lines, labels and the
; statements that read the plugin results are on lines this listing omits.
80 ; function to stop OSSEC service if running
; SimpleSC returns its results on the stack; the messages below print $0, so
; the Pop statements are presumably among the hidden lines.
83 SimpleSC::ExistsService "${SERVICE}"
86 SimpleSC::ServiceIsStopped "${SERVICE}"
; /SD IDOK: a silent install answers OK and goes straight to ServiceStop
91 MessageBox MB_OKCANCEL "${NAME} is already installed and the ${SERVICE} service is running. \
92 It will be stopped before continuing." /SD IDOK IDOK ServiceStop
; the arguments after the name are presumably "wait for file release" (1) and
; a 30 second timeout - TODO confirm against the bundled SimpleSC version
97 SimpleSC::StopService "${SERVICE}" 1 30
; stop failed: /SD IDABORT makes silent installs take the Abort answer, which
; has no jump here and so falls through to the hidden statement that follows.
; NOTE(review): Ignore jumps to ServiceStopped, so the install carries on as
; if the service were stopped although it may still be running; the wording
; "skip this file" does not describe that outcome.
100 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
101 Failure stopping the ${SERVICE} service ($0).$\r$\n$\r$\n\
102 Click Abort to stop the installation,$\r$\n\
103 Retry to try again, or$\r$\n\
104 Ignore to skip this file." /SD IDABORT IDIGNORE ServiceStopped IDRETRY ServiceStop
; status query failed: same prompt and the same jump targets as above
111 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
112 Failure checking status of the ${SERVICE} service ($0).$\r$\n$\r$\n\
113 Click Abort to stop the installation,$\r$\n\
114 Retry to try again, or$\r$\n\
115 Ignore to skip this file." /SD IDABORT IDIGNORE ServiceStopped IDRETRY ServiceStop
; main install section, first part: creates the directory layout under
; $INSTDIR and extracts the agent binaries, default configuration files,
; rootcheck databases and active-response scripts.
124 ; main install section
125 Section "OSSEC Agent (required)" MainSec
; NOTE(review): the statements announced by the next three comments are on
; lines this listing does not show.
126 ; set install type and cwd
133 ; use real date modified times
136 ; overwrite existing files
139 ; create necessary directories
; NOTE(review): no ACL step is visible, so these folders inherit the
; permissions of $INSTDIR. active-response\bin receives command scripts that
; the agent presumably runs, so confirm unprivileged users cannot write there.
140 CreateDirectory "$INSTDIR\bookmarks"
141 CreateDirectory "$INSTDIR\rids"
142 CreateDirectory "$INSTDIR\syscheck"
143 CreateDirectory "$INSTDIR\shared"
144 CreateDirectory "$INSTDIR\active-response"
145 CreateDirectory "$INSTDIR\active-response\bin"
146 CreateDirectory "$INSTDIR\tmp"
; files packed at build time and extracted to the current output directory
; (set on a hidden line); /oname gives the name or sub-path used on the target
152 File ossec-agent-eventchannel.exe
154 File default-ossec.conf
155 File manage_agents.exe
156 File /oname=win32ui.exe os_win32ui.exe
157 File ossec-rootcheck.exe
158 File internal_options.conf
159 File default-local_internal_options.conf
160 File setup-windows.exe
161 File setup-syscheck.exe
; rootcheck signature and policy databases go to the shared folder
164 File /oname=shared\rootkit_trojans.txt ../rootcheck/db/rootkit_trojans.txt
165 File /oname=shared\rootkit_files.txt ../rootcheck/db/rootkit_files.txt
166 File add-localfile.exe
168 File /oname=shared\win_applications_rcl.txt ../rootcheck\db\win_applications_rcl.txt
169 File /oname=shared\win_malware_rcl.txt ../rootcheck\db\win_malware_rcl.txt
170 File /oname=shared\win_audit_rcl.txt ../rootcheck\db\win_audit_rcl.txt
; active-response command scripts
173 File /oname=active-response\bin\route-null.cmd route-null.cmd
174 File /oname=active-response\bin\restart-ossec.cmd restart-ossec.cmd
176 ; use appropriate version of "ossec-agent.exe"
; on Vista or later the event-channel build replaces ossec-agent.exe; the last
; Delete presumably sits in an Else branch on a hidden line and removes the
; unused event-channel binary on older Windows.
; NOTE(review): the Rename has no visible error check; if it fails after the
; Delete, no ossec-agent.exe is left for the install-service step.
177 ${If} ${AtLeastWinVista}
178 Delete "$INSTDIR\ossec-agent.exe"
179 Rename "$INSTDIR\ossec-agent-eventchannel.exe" "$INSTDIR\ossec-agent.exe"
181 Delete "$INSTDIR\ossec-agent-eventchannel.exe"
; records the install location and the Add/Remove Programs entry in HKLM, then
; writes the uninstaller. The key names differ only in case (OSSEC / ossec);
; registry key names are case-insensitive, so they address the same key.
184 ; write registry keys
185 WriteRegStr HKLM SOFTWARE\ossec "Install_Dir" "$INSTDIR"
186 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "DisplayName" "${NAME} ${VERSION}"
187 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "DisplayVersion" "${VERSION}"
; NOTE(review): MUI_ICON is defined as the bare file name favicon.ico, so
; DisplayIcon gets a name without a path; a full path to an installed icon or
; executable is what this value normally holds.
188 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "DisplayIcon" "${MUI_ICON}"
; NOTE(review): both links are plain http; prefer https if the site offers it
189 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "HelpLink" "http://www.ossec.net/main/support/"
190 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "URLInfoAbout" "http://www.ossec.net"
; the uninstaller path is stored inside double quotes, so an install path that
; contains spaces is still read as one command
191 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\ossec" "UninstallString" '"$INSTDIR\uninstall.exe"'
192 WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\ossec" "NoModify" 1
193 WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\ossec" "NoRepair" 1
; relative name; presumably resolved against $INSTDIR - TODO confirm
194 WriteUninstaller "uninstall.exe"
; writes VERSION.txt with the product name, version and install time, and
; creates an empty ossec.log when none exists. Labels and the statements that
; close the file handles are on lines this listing does not show.
196 ; get current local time
; GetTime with "L" returns day, month, year, weekday name, hour, minute and
; second in $0..$6; the string below is therefore year-month-day h:m:s
197 ${GetTime} "" "L" $0 $1 $2 $3 $4 $5 $6
198 var /global CURRENTTIME
199 StrCpy $CURRENTTIME "$2-$1-$0 $4:$5:$6"
201 ; write version and install information
; $0 is reused as the file handle from here on; "w" truncates an existing file
203 FileOpen $0 "$INSTDIR\VERSION.txt" w
204 FileWrite $0 "${NAME} v${VERSION} - Installed on $CURRENTTIME"
206 IfErrors VersionError VersionComplete
; /SD IDABORT: a silent install takes the Abort answer when the write fails
208 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
209 Failure saving version to file.$\r$\n$\r$\n\
210 File:$\r$\n$\r$\n$INSTDIR\VERSION.txt$\r$\n$\r$\n\
211 Click Abort to stop the installation,$\r$\n\
212 Retry to try again, or$\r$\n\
213 Ignore to skip this file." /SD IDABORT IDIGNORE VersionComplete IDRETRY VersionInstall
; an existing ossec.log is kept (jump to LogComplete); otherwise an empty one
; is created. It inherits the permissions of $INSTDIR - no ACL step is visible.
223 IfFileExists "$INSTDIR\ossec.log" LogComplete
224 FileOpen $0 "$INSTDIR\ossec.log" w
226 IfErrors LogError LogComplete
228 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
229 Failure creating the ossec.log file.$\r$\n$\r$\n\
230 File:$\r$\n$\r$\n$INSTDIR\ossec.log$\r$\n$\r$\n\
231 Click Abort to stop the installation,$\r$\n\
232 Retry to try again, or$\r$\n\
233 Ignore to skip this file." /SD IDABORT IDIGNORE LogComplete IDRETRY LogInstall
; puts the shipped default configuration in place only when no configuration
; exists yet, so an upgrade keeps the administrator's existing files. When a
; file is already present, the default-* copy is left untouched by the
; visible lines.
240 ; rename local_internal_options.conf if it does not already exist
243 IfFileExists "$INSTDIR\local_internal_options.conf" ConfPresentInternal
244 Rename "$INSTDIR\default-local_internal_options.conf" "$INSTDIR\local_internal_options.conf"
245 IfErrors ConfErrorInternal ConfPresentInternal
; /SD IDABORT: a silent install takes the Abort answer when the rename fails
247 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
248 Failure renaming configuration file.$\r$\n$\r$\n\
250 $INSTDIR\default-local_internal_options.conf$\r$\n$\r$\n\
252 $INSTDIR\local_internal_options.conf$\r$\n$\r$\n\
253 Click Abort to stop the installation,$\r$\n\
254 Retry to try again, or$\r$\n\
255 Ignore to skip this file." /SD IDABORT IDIGNORE ConfPresentInternal IDRETRY ConfInstallInternal
262 ; rename ossec.conf if it does not already exist
; NOTE(review): an existing ossec.conf is trusted as-is on upgrade; its
; permissions are not reset by any visible step.
265 IfFileExists "$INSTDIR\ossec.conf" ConfPresentOSSEC
266 Rename "$INSTDIR\default-ossec.conf" "$INSTDIR\ossec.conf"
267 IfErrors ConfErrorOSSEC ConfPresentOSSEC
269 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
270 Failure renaming configuration file.$\r$\n$\r$\n\
272 $INSTDIR\default-ossec.conf$\r$\n$\r$\n\
274 $INSTDIR\ossec.conf$\r$\n$\r$\n\
275 Click Abort to stop the installation,$\r$\n\
276 Retry to try again, or$\r$\n\
277 Ignore to skip this file." /SD IDABORT IDIGNORE ConfPresentOSSEC IDRETRY ConfInstallOSSEC
; rebuilds the Start Menu folder: removes shortcuts left by earlier versions
; and creates the current set.
285 ; http://nsis.sourceforge.net/Shortcuts_removal_fails_on_Windows_Vista
; "all" makes $SMPROGRAMS refer to the all-users Start Menu, so the shortcuts
; are visible to every account on the machine
286 SetShellVarContext all
; remove old shortcuts by name, then anything else matching *.*, then the
; folder; RMDir without /r only succeeds when the folder is empty
289 Delete "$SMPROGRAMS\OSSEC\Edit.lnk"
290 Delete "$SMPROGRAMS\OSSEC\Uninstall.lnk"
291 Delete "$SMPROGRAMS\OSSEC\Documentation.lnk"
292 Delete "$SMPROGRAMS\OSSEC\Edit Config.lnk"
293 Delete "$SMPROGRAMS\OSSEC\*.*"
294 RMDir "$SMPROGRAMS\OSSEC"
297 CreateDirectory "$SMPROGRAMS\OSSEC"
298 CreateShortCut "$SMPROGRAMS\OSSEC\Manage Agent.lnk" "$INSTDIR\win32ui.exe" "" "$INSTDIR\win32ui.exe" 0
; NOTE(review): no File line for doc.html is visible in this listing; confirm
; that it is installed, otherwise this shortcut has no target
299 CreateShortCut "$SMPROGRAMS\OSSEC\Documentation.lnk" "$INSTDIR\doc.html" "" "$INSTDIR\doc.html" 0
; NOTE(review): this shortcut opens the agent configuration for every user
; who sees it; keep ossec.conf writable by administrators only rather than
; loosening its ACL to make the shortcut usable for other accounts
300 CreateShortCut "$SMPROGRAMS\OSSEC\Edit Config.lnk" "$INSTDIR\ossec.conf" "" "$INSTDIR\ossec.conf" 0
301 CreateShortCut "$SMPROGRAMS\OSSEC\Uninstall.lnk" "$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
; registers the Windows service and runs the post-install setup helper, both
; by executing binaries that were just extracted to $INSTDIR. Labels and the
; statements that read the nsExec exit code are on hidden lines.
303 ; install OSSEC service
; the executable path is quoted, so spaces in $INSTDIR do not split the
; command line.
; NOTE(review): this command and the setup helper below run with the
; installer's privileges; that is safe only while unprivileged users cannot
; modify files in $INSTDIR - relevant when a custom directory was chosen.
305 nsExec::ExecToLog '"$INSTDIR\ossec-agent.exe" install-service'
; NOTE(review): Ignore continues at ServiceInstallComplete with no service
; registered; "skip this file" does not describe that outcome
308 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
309 Failure setting up the ${SERVICE} service.$\r$\n$\r$\n\
310 Check the details for information about the error.$\r$\n$\r$\n\
311 Click Abort to stop the installation,$\r$\n\
312 Retry to try again, or$\r$\n\
313 Ignore to skip this file." /SD IDABORT IDIGNORE ServiceInstallComplete IDRETRY ServiceInstall
318 ServiceInstallComplete:
; setup helper receives the install directory as its only argument
322 nsExec::ExecToLog '"$INSTDIR\setup-windows.exe" "$INSTDIR"'
325 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
326 Failure running setup-windows.exe.$\r$\n$\r$\n\
327 Check the details for information about the error.$\r$\n$\r$\n\
328 Click Abort to stop the installation,$\r$\n\
329 Retry to try again, or$\r$\n\
330 Ignore to skip this file." /SD IDABORT IDIGNORE SetupComplete IDRETRY Setup
; optional component: runs the IIS setup helper with the install directory as
; its argument. The exit code is not checked on any visible line.
; NOTE(review): no File line for setup-iis.exe is visible in this listing;
; confirm the helper is installed before this section runs.
339 Section "Scan and monitor IIS logs (recommended)" IISLogs
340 nsExec::ExecToLog '"$INSTDIR\setup-iis.exe" "$INSTDIR"'
; optional component: runs setup-syscheck.exe with the install directory and
; the literal argument "enable". The exit code is not checked on any visible
; line, so a failure to enable integrity checking would pass unnoticed unless
; a hidden line handles it.
343 ; add integrity checking
344 Section "Enable integrity checking (recommended)" IntChecking
345 nsExec::ExecToLog '"$INSTDIR\setup-syscheck.exe" "$INSTDIR" "enable"'
; uninstall, first part (section header on a hidden line): removes the
; service, then checks that the agent tools are no longer running before any
; file is deleted.
350 ; uninstall the services
351 ; this also stops the service as well so it should be done early
; the agent binary removes its own service; the path is quoted against spaces
353 nsExec::ExecToLog '"$INSTDIR\ossec-agent.exe" uninstall-service'
; NOTE(review): Ignore continues at ServiceUninstallComplete, so the files
; below may be removed while the service is still registered
356 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
357 Failure uninstalling the ${SERVICE} service.$\r$\n$\r$\n\
358 Check the details for information about the error.$\r$\n$\r$\n\
359 Click Abort to stop the installation,$\r$\n\
360 Retry to try again, or$\r$\n\
361 Ignore to skip this file." /SD IDABORT IDIGNORE ServiceUninstallComplete IDRETRY ServiceUninstall
366 ServiceUninstallComplete:
368 ; make sure manage_agents.exe is not running
; the result code is stored in $0; the comparison that decides whether the
; prompt is shown is on a hidden line. Presumably the lookup matches on the
; executable name only.
370 ${nsProcess::FindProcess} "manage_agents.exe" $0
372 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
373 Found manage_agents.exe is still running.$\r$\n$\r$\n\
374 Please close it before continuing.$\r$\n$\r$\n\
375 Click Abort to stop the installation,$\r$\n\
376 Retry to try again, or$\r$\n\
377 Ignore to skip this file." /SD IDABORT IDIGNORE ManageAgentsClosed IDRETRY ManageAgents
385 ; make sure win32ui.exe is not running
387 ${nsProcess::FindProcess} "win32ui.exe" $0
389 MessageBox MB_ABORTRETRYIGNORE|MB_ICONSTOP "$\r$\n\
390 Found win32ui.exe is still running.$\r$\n$\r$\n\
391 Please close it before continuing.$\r$\n$\r$\n\
392 Click Abort to stop the installation,$\r$\n\
393 Retry to try again, or$\r$\n\
394 Ignore to skip this file." /SD IDABORT IDIGNORE win32uiClosed IDRETRY win32ui
; uninstall, second part: removes the registry entries, the installed files,
; the Start Menu folder and the directories created by the installer.
405 ; remove registry keys
406 DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC"
407 DeleteRegKey HKLM SOFTWARE\OSSEC
409 ; remove files and uninstaller
; NOTE(review): only some of the installed files are named on the visible
; lines; confirm that the remaining executables and any agent key or
; credential files are also removed (further Delete lines may be hidden).
410 Delete "$INSTDIR\ossec-agent.exe"
411 ;Delete "$INSTDIR\ossec-lua.exe"
412 ;Delete "$INSTDIR\ossec-luac.exe"
413 Delete "$INSTDIR\manage_agents.exe"
414 Delete "$INSTDIR\ossec.conf"
415 Delete "$INSTDIR\uninstall.exe"
; empty the data folders; the wildcard covers files directly inside each one
417 Delete "$INSTDIR\bookmarks\*"
418 Delete "$INSTDIR\rids\*"
419 Delete "$INSTDIR\syscheck\*"
420 Delete "$INSTDIR\shared\*"
421 Delete "$INSTDIR\active-response\bin\*"
422 Delete "$INSTDIR\active-response\*"
423 Delete "$INSTDIR\tmp\*"
; all-users context so that $SMPROGRAMS matches where the shortcuts were made
427 SetShellVarContext all
428 Delete "$SMPROGRAMS\OSSEC\*.*"
429 Delete "$SMPROGRAMS\OSSEC\*"
430 RMDir "$SMPROGRAMS\OSSEC"
432 ; remove directories used
; RMDir is used without /r, so a folder is removed only when it is empty; an
; unexpected $INSTDIR therefore cannot lead to a recursive delete here
433 RMDir "$INSTDIR\shared"
434 RMDir "$INSTDIR\syscheck"
435 RMDir "$INSTDIR\bookmarks"
436 RMDir "$INSTDIR\rids"
437 RMDir "$INSTDIR\active-response\bin"
438 RMDir "$INSTDIR\active-response"