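# Notes
#   agent  - read local files (syslog, snort, etc) and forward
#   server - above + notifications + remote agents
#   local  - do everything server does, but do not receive messages
#
# server
#   e-mail notification
#     enter email address
#     does it do an MX lookup?
#   integrity check
#   rootkit setup
#   active response
#     shunning w/ hosts.deny + iptables (alerts 6 and above)
#     whitelists (loop)
#   enable remote syslog acceptance (514 UDP)
#   sets files to monitor
#     -- /var/log/messages
#     -- /var/log/secure
#     -- /var/log/maillog
#     -- /var/log/httpd/error_log (apache log)
#     -- /var/log/httpd/access_log (apache log)
#     -- /etc/httpd/logs/access_log (apache log)
#     -- /etc/httpd/logs/error_log (apache log)
#
# The "prg" macro is the upstream project name and the name of the
# unprivileged system user/group the daemons run as.
%define prg ossec

Summary: An Open Source Host-based Intrusion Detection System
Name: ossec-hids
Version: 1.0
# NOTE(review): the newest changelog entry below is 1.0-2 while Release
# is still 1; bump Release when the next build is cut.
Release: 1
License: GPL
Group: Applications/System
Source0: http://www.%{prg}.net/files/%{name}-%{version}.tar.gz
Source1: %{name}-find-requires
Source2: %{name}.init
Patch0: %{name}-build.patch
URL: http://www.%{prg}.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Vendor: http://www.ossec.net
Packager: Scott R. Shinn
Provides: %{name}.pp ossec
# Scriptlet-time dependencies: the pre scriptlets call groupadd/useradd
# (shadow-utils) and the post/preun scriptlets call chkconfig. Nothing at
# install time runs make, so it is only a build dependency.
Requires(pre): coreutils glibc shadow-utils
Requires(post): chkconfig
Requires(preun): chkconfig
BuildPrereq: coreutils glibc-devel gcc make
BuildPrereq: openssl-devel
ExclusiveOS: linux

%description
OSSEC HIDS is an Open Source Host-based Intrusion Detection System.
It performs log analysis, integrity checking, rootkit detection,
time-based alerting and active response.

%package client
Summary: The OSSEC HIDS Client
Group: Applications/System
Provides: %{name}-client.pp
Requires: %{name} = %{version}-%{release} %{name}.pp
Conflicts: %{name}-server

%package server
Summary: The OSSEC HIDS Server
Group: Applications/System
Provides: %{name}-server.pp
Requires: %{name} = %{version}-%{release} %{name}.pp
Conflicts: %{name}-client

%description client
The %{name}-client package contains the client part of the OSSEC HIDS.
Install this package on every client to be monitored.

%description server
The %{name}-server package contains the server part of the OSSEC HIDS.
Install this package on a central machine for log collection and alerting.

%prep
%setup -q
%patch0 -p1

# Prepare for docs
chmod -x contrib/*

%build
pushd src
make all
make build
popd

# Generate the ossec-init.conf template. TYPE= is deliberately left out
# here; the client/server post scriptlets add it at install time.
echo "DIRECTORY=\"%{_localstatedir}/%{prg}\"" > %{prg}-init.conf
echo "VERSION=\"%{version}\"" >> %{prg}-init.conf
echo "DATE=\"`date`\"" >> %{prg}-init.conf

# Do not strip, only compress documentation
%define __os_install_post /usr/lib/rpm/brp-compress

# Exclude from requires
%define _use_internal_dependency_generator 0
%define __find_requires %{SOURCE1}

%install
[ -n "${RPM_BUILD_ROOT}" -a "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}

# Directory skeleton (each directory created exactly once).
mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/{bin,stats,rules,tmp}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/logs/{archives,alerts,firewall}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/queue/{alerts,%{prg},fts,syscheck,rootcheck,agent-info,rids}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/var/run
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc/shared
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/active-response/bin

# Configuration, rules and shared databases.
install -m 0600 %{prg}-init.conf ${RPM_BUILD_ROOT}%{_sysconfdir}
install -m 0644 etc/%{prg}.conf ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc/%{prg}.conf.sample
install -m 0644 etc/%{prg}-{agent,server}.conf ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc
install -m 0644 etc/*.xml ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc
install -m 0644 etc/internal_options* ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc
install -m 0644 etc/rules/* ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/rules
install -m 0644 src/rootcheck/db/*.txt ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc/shared

# Daemons, control scripts, active-response handlers and the init script.
install -m 0550 bin/* ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/bin
install -m 0550 src/init/%{prg}-{client,server}.sh ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/bin
install -m 0755 active-response/*.sh ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/active-response/bin
install -m 0755 %{SOURCE2} ${RPM_BUILD_ROOT}%{_initrddir}/%{name}

%pre
# Create the unprivileged ossec group and user. The group test uses
# getent: "id -g NAME" looks up a *user* called NAME, so on a host that
# already has the group but not the user it would fall through to
# groupadd, which then fails and aborts the install.
if ! getent group %{prg} > /dev/null 2>&1; then
  groupadd -r %{prg}
fi
if ! id -u %{prg} > /dev/null 2>&1; then
  useradd -g %{prg} -G %{prg} \
    -d %{_localstatedir}/%{prg} \
    -r -s /sbin/nologin %{prg}
fi

%pre server
# Additional unprivileged accounts used by the server daemons (the
# ossecr account owns the agent-info and rids queues, see the files
# section). They share the ossec group and home directory. The group is
# normally created by the base package, but make sure it exists so this
# scriptlet does not depend on ordering.
if ! getent group %{prg} > /dev/null 2>&1; then
  groupadd -r %{prg}
fi
for u in %{prg}m %{prg}e %{prg}r; do
  if ! id -u "$u" > /dev/null 2>&1; then
    useradd -g %{prg} -G %{prg} \
      -d %{_localstatedir}/%{prg} \
      -r -s /sbin/nologin "$u"
  fi
done

%post client
if [ "$1" = 1 ]; then
  chkconfig --add %{name}
  chkconfig %{name} on
fi
# Record the installation type. Remove any existing TYPE line first so
# re-running this scriptlet is idempotent and never leaves two TYPE lines.
sed -i '/^TYPE=/d' %{_sysconfdir}/%{prg}-init.conf
echo "TYPE=\"agent\"" >> %{_sysconfdir}/%{prg}-init.conf
ln -sf %{prg}-agent.conf %{_localstatedir}/%{prg}/etc/%{prg}.conf
ln -sf %{prg}-client.sh %{_localstatedir}/%{prg}/bin/%{prg}-control
# logs/ is owned and writable by the unprivileged ossec user while this
# scriptlet runs as root, so never touch/chown/chmod through a symlink
# that user could have placed here.
log=%{_localstatedir}/%{prg}/logs/ossec.log
if [ -L "$log" ]; then
  echo "%{name}: $log is a symlink; refusing to change its ownership" >&2
else
  touch "$log"
  chown %{prg}:%{prg} "$log"
  chmod 0664 "$log"
fi
if [ -f %{_localstatedir}/lock/subsys/%{name} ]; then
  %{_initrddir}/%{name} restart
fi

%post server
if [ "$1" = 1 ]; then
  chkconfig --add %{name}
  chkconfig %{name} on
fi
# Record the installation type. Remove any existing TYPE line first so
# re-running this scriptlet is idempotent and never leaves two TYPE lines.
sed -i '/^TYPE=/d' %{_sysconfdir}/%{prg}-init.conf
echo "TYPE=\"server\"" >> %{_sysconfdir}/%{prg}-init.conf
ln -sf %{prg}-server.conf %{_localstatedir}/%{prg}/etc/%{prg}.conf
ln -sf %{prg}-server.sh %{_localstatedir}/%{prg}/bin/%{prg}-control
# logs/ is owned and writable by the unprivileged ossec user while this
# scriptlet runs as root, so never touch/chown/chmod through a symlink
# that user could have placed here.
log=%{_localstatedir}/%{prg}/logs/ossec.log
if [ -L "$log" ]; then
  echo "%{name}: $log is a symlink; refusing to change its ownership" >&2
else
  touch "$log"
  chown %{prg}:%{prg} "$log"
  chmod 0664 "$log"
fi
if [ -f %{_localstatedir}/lock/subsys/%{name} ]; then
  %{_initrddir}/%{name} restart
fi

%preun client
# $1 = 0 means the package is being erased, not upgraded.
if [ "$1" = 0 ]; then
  chkconfig %{name} off
  chkconfig --del %{name}
  if [ -f %{_localstatedir}/lock/subsys/%{name} ]; then
    %{_initrddir}/%{name} stop
  fi
  # Files created by the post scriptlet / glibc trigger, not owned by rpm.
  rm -f %{_localstatedir}/%{prg}/etc/localtime
  rm -f %{_localstatedir}/%{prg}/etc/%{prg}.conf
  rm -f %{_localstatedir}/%{prg}/bin/%{prg}-control
fi

%preun server
# $1 = 0 means the package is being erased, not upgraded.
if [ "$1" = 0 ]; then
  chkconfig %{name} off
  chkconfig --del %{name}
  if [ -f %{_localstatedir}/lock/subsys/%{name} ]; then
    %{_initrddir}/%{name} stop
  fi
  # Files created by the post scriptlet / glibc trigger, not owned by rpm.
  rm -f %{_localstatedir}/%{prg}/etc/localtime
  rm -f %{_localstatedir}/%{prg}/etc/%{prg}.conf
  rm -f %{_localstatedir}/%{prg}/bin/%{prg}-control
fi

%triggerin -- glibc
# Keep a copy of the system timezone inside the ossec tree (the daemons
# chroot there). Exit 0 when /etc/localtime is absent so the trigger does
# not report a scriptlet failure.
if [ -r %{_sysconfdir}/localtime ]; then
  cp -fpL %{_sysconfdir}/localtime %{_localstatedir}/%{prg}/etc
fi
exit 0

%clean
[ -n "${RPM_BUILD_ROOT}" -a "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}

%files
%defattr(-,root,root)
%doc BUGS CONFIG CONTRIB INSTALL* README
%doc %dir contrib doc
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/active-response
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/active-response/bin
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/bin
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/etc
%attr(770,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/etc/shared
%attr(750,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/logs
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/queue
%attr(770,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/queue/alerts
%attr(770,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/queue/%{prg}
%attr(700,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/queue/syscheck
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/var
%attr(770,root,%{prg}) %dir %{_localstatedir}/%{prg}/var/run

%files client
%defattr(-,root,root)
%attr(600,root,root) %verify(not md5 size mtime) %{_sysconfdir}/%{prg}-init.conf
%{_initrddir}/*
%config(noreplace) %{_localstatedir}/%{prg}/etc/%{prg}-agent.conf
%config(noreplace) %{_localstatedir}/%{prg}/etc/internal_options*
%config(noreplace) %{_localstatedir}/%{prg}/etc/shared/*
%{_localstatedir}/%{prg}/etc/*.sample
%{_localstatedir}/%{prg}/active-response/bin/*
%{_localstatedir}/%{prg}/bin/%{prg}-client.sh
%{_localstatedir}/%{prg}/bin/%{prg}-agentd
%{_localstatedir}/%{prg}/bin/%{prg}-logcollector
%{_localstatedir}/%{prg}/bin/%{prg}-syscheckd
%{_localstatedir}/%{prg}/bin/%{prg}-execd
%{_localstatedir}/%{prg}/bin/manage_client
%attr(755,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/queue/rids

%files server
%defattr(-,root,root)
%attr(600,root,root) %verify(not md5 size mtime) %{_sysconfdir}/%{prg}-init.conf
%{_initrddir}/*
%config(noreplace) %{_localstatedir}/%{prg}/etc/%{prg}-server.conf
%config(noreplace) %{_localstatedir}/%{prg}/etc/internal_options*
%config(noreplace) %{_localstatedir}/%{prg}/etc/*.xml
%config(noreplace) %{_localstatedir}/%{prg}/etc/shared/*
%{_localstatedir}/%{prg}/etc/*.sample
%{_localstatedir}/%{prg}/active-response/bin/*
%{_localstatedir}/%{prg}/bin/%{prg}-server.sh
%{_localstatedir}/%{prg}/bin/%{prg}-agentd
%{_localstatedir}/%{prg}/bin/%{prg}-analysisd
%{_localstatedir}/%{prg}/bin/%{prg}-execd
%{_localstatedir}/%{prg}/bin/%{prg}-logcollector
%{_localstatedir}/%{prg}/bin/%{prg}-maild
%{_localstatedir}/%{prg}/bin/%{prg}-monitord
%{_localstatedir}/%{prg}/bin/%{prg}-remoted
%{_localstatedir}/%{prg}/bin/%{prg}-syscheckd
%{_localstatedir}/%{prg}/bin/list_agents
%{_localstatedir}/%{prg}/bin/manage_agents
%{_localstatedir}/%{prg}/bin/syscheck_update
%{_localstatedir}/%{prg}/bin/clear_stats
%attr(750,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/logs/archives
%attr(750,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/logs/alerts
%attr(750,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/logs/firewall
%attr(755,%{prg}r,%{prg}) %dir %{_localstatedir}/%{prg}/queue/agent-info
%attr(755,%{prg}r,%{prg}) %dir %{_localstatedir}/%{prg}/queue/rids
%attr(700,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/queue/fts
%attr(700,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/queue/rootcheck
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/rules
%config(noreplace) %{_localstatedir}/%{prg}/rules/*
%attr(750,%{prg},%{prg}) %dir %{_localstatedir}/%{prg}/stats
%attr(550,root,%{prg}) %dir %{_localstatedir}/%{prg}/tmp

%changelog
* Tue Mar 6 2007 Scott R. Shinn - 1.0-2
- configuration change for ASL

* Wed Jan 17 2007 Scott R. Shinn - 1.0
- updated to 1.0
- new version (0.9-2)

* Thu Sep 07 2006 peter.pramberger@member.fsf.org
- new version (0.9-1a)

* Thu Aug 24 2006 peter.pramberger@member.fsf.org
- new version (0.9-1)

* Wed Jul 26 2006 peter.pramberger@member.fsf.org
- new version (0.9)

* Fri Jul 14 2006 peter.pramberger@member.fsf.org
- some bugfixes

* Fri Jul 07 2006 peter.pramberger@member.fsf.org
- created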