system/ossec-local: Added (Open Source Host-based IDS).

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
This commit is contained in:
Mario Preksavec 2016-10-14 13:45:14 +07:00 committed by Willy Sudiarto Raharjo
parent 2a16520e1a
commit 5e6a573b5a
No known key found for this signature in database
GPG Key ID: 887B8374D7333381
8 changed files with 462 additions and 0 deletions


@ -0,0 +1,3 @@
OSSEC is an Open Source Host-based Intrusion Detection System that performs log
analysis, file integrity checking, policy monitoring, rootkit detection,
real-time alerting and active response.


@ -0,0 +1,15 @@
You may wish to add these lines to /etc/rc.d/rc.local to start the service:
if [ -x /etc/rc.d/rc.ossec ]; then
/etc/rc.d/rc.ossec start
fi
You may also add these lines to /etc/rc.d/rc.local_shutdown:
if [ -x /etc/rc.d/rc.ossec ]; then
/etc/rc.d/rc.ossec stop
fi
Remember to give executable permission to /etc/rc.d/rc.local_shutdown:
chmod 0755 /etc/rc.d/rc.local_shutdown


@ -0,0 +1,29 @@
config() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
# If there's no config file by that name, mv it over:
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
# toss the redundant copy
rm $NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
}
preserve_perms() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
if [ -e $OLD ]; then
cp -a $OLD ${NEW}.incoming
cat $NEW > ${NEW}.incoming
mv ${NEW}.incoming $NEW
fi
config $NEW
}
preserve_perms etc/rc.d/rc.ossec.new
config etc/ossec-init.conf.new
config etc/logrotate.d/ossec.new
find var/ossec/etc var/ossec/rules -type f -name '*.new' \
| while read new ; do config $new ; done
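Review bot: The final loop reads file names with a bare `read` and passes them unquoted, so a backslash or whitespace in a path under var/ossec would be mangled before `config` sees it; the same unquoted `$OLD`/`$NEW` pattern runs through `config()` and `preserve_perms()`. The package controls these names today, but the loop is cheap to harden: `| while IFS= read -r new ; do config "$new" ; done`. Inside `config()`, `[ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]` can be written as `elif cmp -s "$OLD" "$NEW"; then`, which avoids two extra processes and is the usual idiom for "are these files byte-identical". Note also that when no old file exists the `.new` file is simply renamed, so the installed mode and owner of ossec-init.conf and ossec.conf are whatever the SlackBuild set on the `.new` copy — worth a one-line comment above `config()` so a later edit to the build script does not silently loosen them.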


@ -0,0 +1,152 @@
#!/bin/sh
# Slackware build script for ossec-local
# Copyright 2016 Mario Preksavec, Zagreb, Croatia
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PRGNAM=ossec-local
VERSION=${VERSION:-2.9rc3}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
SRCNAM=ossec-hids
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) ARCH=i586 ;;
arm*) ARCH=arm ;;
*) ARCH=$( uname -m ) ;;
esac
fi
CWD=$(pwd)
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
if [ "$ARCH" = "i586" ]; then
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
USERID=${USERID:-333}
USERID_MAIL=${USERID_MAIL:-334}
USERID_REMOTE=${USERID_REMOTE:-335}
GROUPID=${GROUPID:-333}
if ! grep ^ossec: /etc/group 2>&1 > /dev/null \
|| ! grep -E '^(ossec|ossecm|ossecr):' /etc/passwd 2>&1 > /dev/null; then
echo -e "\n You must have ossec users and a group to run this script\n"
fi
if ! grep ^ossec: /etc/group 2>&1 > /dev/null; then
echo " # groupadd -g $GROUPID ossec"
fi
if ! grep ^ossec: /etc/passwd 2>&1 > /dev/null; then
echo " # useradd -u $USERID -d /var/ossec -s /bin/false -g ossec ossec"
echo " # passwd -l ossec"
fi
if ! grep ^ossecm: /etc/passwd 2>&1 > /dev/null; then
echo " # useradd -u $USERID_MAIL -d /var/ossec -s /bin/false -g ossec ossecm"
echo " # passwd -l ossecm"
fi
if ! grep ^ossecr: /etc/passwd 2>&1 > /dev/null; then
echo " # useradd -u $USERID_REMOTE -d /var/ossec -s /bin/false -g ossec ossecr"
echo " # passwd -l ossecr"
fi
if ! grep ^ossec: /etc/group 2>&1 > /dev/null \
|| ! grep -E '^(ossec|ossecm|ossecr):' /etc/passwd 2>&1 > /dev/null; then
echo
exit
fi
set -e
rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $SRCNAM-$VERSION
tar xvf $CWD/$SRCNAM-$VERSION.tar.gz
cd $SRCNAM-$VERSION
chown -R root:root .
find -L . \
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
-o -perm 511 \) -exec chmod 755 {} \; -o \
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
# Makefile fixes
sed -e 's|\(./init/adduser.sh.*\)|#\1|' \
-e 's|\(DEFINES+=-DDEFAULTDIR=\).*|\1\\"/var/ossec\\"|' \
-i src/Makefile
# There is no configure script and install.sh is a bit limited
( cd src
make PREFIX=$PKG/var/ossec TARGET=local build
make PREFIX=$PKG/var/ossec TARGET=local install
)
# Prepare system /etc
mkdir -p $PKG/etc/{logrotate.d,rc.d}
cat << EOF > $PKG/etc/ossec-init.conf.new
DIRECTORY="/var/ossec"
VERSION="$(cat src/VERSION)"
DATE="$(date)"
TYPE="local"
EOF
chmod 600 $PKG/etc/ossec-init.conf.new
cat src/init/ossec-hids.init > $PKG/etc/rc.d/rc.ossec.new
cat $CWD/ossec.logrotate > $PKG/etc/logrotate.d/ossec.new
# Stock ossec.conf is just an example - we prefer our own
mv $PKG/var/ossec/etc/ossec.conf $PKG/var/ossec/etc/ossec.conf.example
cat $CWD/ossec-local.conf > $PKG/var/ossec/etc/ossec.conf.new
chmod 640 $PKG/var/ossec/etc/ossec.conf.new
chown root:ossec $PKG/var/ossec/etc/ossec.conf.new
for i in $PKG/var/ossec/etc/*.{conf,keys,xml} ; do mv $i $i.new ; done
mv $PKG/var/ossec/rules/local_rules.xml $PKG/var/ossec/rules/local_rules.xml.new
find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a BUGS CHANGELOG CONFIG CONTRIBUTORS LICENSE README.md doc/{*.txt,README.*} \
$CWD/README.SLACKWARE $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
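Review bot: The pre-flight user/group check at the top of the script ends in a bare `exit`, which returns status 0, so a build started by a wrapper (sbopkg, sbotools, CI) with the ossec users missing reports success while producing no package; change it to `exit 1`. The redirections `2>&1 > /dev/null` on the `grep` calls are also in the wrong order: stderr is joined to stdout first and then only stdout is discarded, so grep's own errors still reach the terminal; `grep -q '^ossec:' /etc/group` (and `grep -qE '^(ossec|ossecm|ossecr):' /etc/passwd`) does the intended thing without any redirection. The `ossec-init.conf.new` file is written with `chmod 600` and `ossec.conf.new` with `640 root:ossec`, but the `for i in $PKG/var/ossec/etc/*.{conf,keys,xml}` rename keeps whatever mode `make install` gave the other files; if `client.keys` is among them it is worth checking its mode explicitly, since it holds agent secrets when an admin later converts the install. A comment above the rename stating that modes are inherited from the OSSEC Makefile install would at least make that assumption visible.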


@ -0,0 +1,229 @@
<!-- OSSEC Slackware example config -->
<!-- Written by Mario Preksavec <mario at slackware dot hr> -->
<ossec_config>
<global>
<email_notification>no</email_notification>
<email_to>root@example.com</email_to>
<smtp_server>smtp.example.com</smtp_server>
<email_from>ossecm@ossec.example.com</email_from>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>apparmor_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>systemd_rules.xml</include>
<include>firewalld_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>unbound_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>72000</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/ntp/drift</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
</rootcheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>::1</white_list>
</global>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/debug</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/cron</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/spooler</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -h</command>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>lastb -n 5</command>
</localfile>
</ossec_config>
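Review bot: The two `<active-response>` blocks enable `host-deny` and `firewall-drop` for every rule of level 6 or higher, with `<location>local</location>` and only the loopback addresses in `<white_list>`, so a freshly installed package will start writing to /etc/hosts.deny and the local firewall on its own. Because the blocked address is the `srcip` field extracted from a log line, anything that can get a crafted line into a monitored log (a web or mail client, for instance) can have an arbitrary address blocked for ten minutes, including the administrator's own workstation; this is the well-known active-response footgun and a default config should not ship with it armed. I would ship it off and let the admin opt in, e.g. a first block reading `<active-response>` `<disabled>yes</disabled>` `</active-response>` with a comment above it explaining that management hosts must be added to `<white_list>` before the blocking responses are enabled. The `disable-account` command is defined but never referenced by an `<active-response>` block, which is fine, but a comment saying so would stop the next reader from assuming accounts get locked.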


@ -0,0 +1,10 @@
PRGNAM="ossec-local"
VERSION="2.9rc3"
HOMEPAGE="http://ossec.github.io/"
DOWNLOAD="https://github.com/ossec/ossec-hids/archive/2.9rc3/ossec-hids-2.9rc3.tar.gz"
MD5SUM="a4ce5872f32c0ab045215017198eb5a3"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""
MAINTAINER="Mario Preksavec"
EMAIL="mario at slackware dot hr"


@ -0,0 +1,5 @@
/var/ossec/logs/active-responses.log /var/ossec/logs/ossec.log {
missingok
notifempty
copytruncate
}
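Review bot: `copytruncate` rotates by copying and then truncating the open file, so any lines the OSSEC daemons write between the copy and the truncate are lost; that is an acceptable trade-off if the daemons cannot be told to reopen their log (which appears to be the reason for choosing it here, though the file does not say), but it deserves a comment so nobody "fixes" it into a `postrotate` reload later, e.g. `# copytruncate: the ossec daemons keep these files open and are not signalled to reopen them`. No rotation interval or `rotate` count is given, so the values from /etc/logrotate.conf apply; stating that explicitly, or pinning `weekly` and `rotate 4`, makes the retention of active-response history (which is useful forensic evidence) deliberate rather than inherited.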


@ -0,0 +1,19 @@
# HOW TO EDIT THIS FILE:
# The "handy ruler" below makes it easier to edit a package description.
# Line up the first '|' above the ':' following the base package name, and
# the '|' on the right side marks the last column you can put a character in.
# You must make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':' except on otherwise blank lines.
|-----handy-ruler------------------------------------------------------|
ossec-local: ossec-local (Open Source Host-based Intrusion Detection System)
ossec-local:
ossec-local: OSSEC is an Open Source Host-based Intrusion Detection System that
ossec-local: performs log analysis, file integrity checking, policy monitoring,
ossec-local: rootkit detection, real-time alerting and active response.
ossec-local:
ossec-local: Homepage: http://ossec.github.io/
ossec-local:
ossec-local:
ossec-local:
ossec-local: