RPM building leads to a tmp script that makes no sense.


James Dough

May 16, 2016, 10:04:05 AM
to ossec-list
I'm trying to build the OSSEC RPM with the most recent version, using my own custom preloaded vars. 

I'm using the default spec file, modified to match the tar that I've chosen.

Here's the error I get.

+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd ossec
/var/tmp/rpm-tmp.CtNG72: line 36: cd: ossec: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.CtNG72 (%prep)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.CtNG72 (%prep)


The tmp file has the following code, which is causing it to fail: (It deletes an ossec directory, then tries to cd into it.)

cd '/root/rpmbuild/BUILD'
rm -rf 'ossec'
/usr/bin/gzip -dc '/root/rpmbuild/SOURCES/ossec.tar.gz' | /usr/bin/tar -xvvf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd 'ossec'
/usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .


I can't seem to find what generates this code. But I can't see why it specifies to rm the ossec directory and then immediately CD into it. Any suggestions? 

James Dough

May 16, 2016, 10:37:54 AM
to ossec-list
Never mind guys. I figured it out. Just some issues with naming my junk. 

Jose Luis Ruiz

May 16, 2016, 1:09:02 PM
to ossec...@googlegroups.com
Hi James, 

Can you show your spec file?

Part of the initialization of %install. Also, maybe you have this code in your spec?


%install
# Clean BUILDROOT
rm -fr %{buildroot}

or 

%clean
rm -fr %{buildroot}


This is why your ossec directory is deleted. It is a standard method to clean the RPM from bad previous compilations.

On the other hand, please review your "ossec.tar.gz": if you extract this file, you need to have a folder called "ossec" with the source inside. If the folder has a different name, you need to rename it to ossec and tar the folder again.

-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com




James Dough

May 16, 2016, 1:19:27 PM
to ossec-list
Jose, 

Thank you, I took your advice and have made it past that error. I'm new to RPMs and OSSEC so this is a bit of a challenge to me. Thank you for your help. 



I'm on to a new error, which is as follows. Do you mind helping me fix this spec file? I'm still highly confused on what to do:

+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd ossec
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.Dj8YHy
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd ossec
+ /bin/cp /usr/local/src/OSSEC-RPM/agent/preloaded-vars.conf /root/rpmbuild/BUILD/ossec/etc/
/bin/cp: cannot stat '/usr/local/src/OSSEC-RPM/agent/preloaded-vars.conf': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.Dj8YHy (%build)



The new spec file is: 

Summary: Open Source Host-based Intrusion Detection System (Server)
Name: ossec-hids-agent-FC7
Version: 2.8.3
Release: 1
License: GPLv2
Group: Applications/Security
URL: http://www.ossec.net
Packager: Michael Williams (mave...@maverick.org)
Source: http://www.ossec.net/files/ossec.tar.gz
Requires: /usr/sbin/useradd, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/userdel, /sbin/service, /sbin/chkconfig
%description
OSSEC is an Open Source Host-based Intrusion
Detection System. It performs log analysis,
integrity checking, Windows registry monitoring,
rootkit detection, real-time alerting and active
response.

%prep
%setup -n ossec
%build
/bin/cp /usr/local/src/OSSEC-RPM/agent/preloaded-vars.conf ${RPM_BUILD_DIR}/ossec/etc/
./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
%pre
################################################################################
# Create OSSEC group
#
if ! grep "^ossec" /etc/group > /dev/null ; then
  /usr/sbin/groupadd ossec
fi

################################################################################
# Create OSSEC users
#
for USER in ossec ; do
  if ! grep "^${USER}" /etc/passwd > /dev/null ; then
    /usr/sbin/useradd -d /var/ossec -s /bin/false -g ossec ${USER}
  fi
done
%post


################################################################################
# Create OSSEC /etc/init.d/ossec file
#
cat <<EOF >> /etc/init.d/ossec
#!/bin/bash
#
# ossec Starts ossec
#
#
# chkconfig: 2345 12 88
# description: OSSEC is an open source host based IDS
### BEGIN INIT INFO
# Provides: $ossec
### END INIT INFO
# Source function library.
. /etc/init.d/functions
[ -f /var/ossec/bin/ossec-control ] || exit 0
RETVAL=0
umask 077
case "\$1" in
  start)
        /var/ossec/bin/ossec-control start
        ;;
  stop)
        /var/ossec/bin/ossec-control stop
        ;;
  status)
        /var/ossec/bin/ossec-control status
        ;;
  restart|reload)
        /var/ossec/bin/ossec-control restart
        ;;
  *)
        echo "Usage: /var/ossec/bin/ossec-control {start|stop|status|restart}"
        exit 1
esac
EOF
/bin/chown root.root /etc/init.d/ossec
/bin/chmod 755 /etc/init.d/ossec
################################################################################
# Set configuration so OSSEC starts on reboot
#
/sbin/chkconfig --add ossec
/sbin/chkconfig ossec on
%postun
# Run service command, make sure OSSEC is stopped
/sbin/service ossec stop
# Run chkconfig, stop ossec from starting on boot
/sbin/chkconfig ossec off
/sbin/chkconfig --del ossec
# Remove init.d file
[ -f /etc/init.d/ossec ] && rm /etc/init.d/ossec
# Remove ossec users
for USER in ossec ossecm ossecr ; do
  if grep "^${USER}" /etc/passwd > /dev/null ; then
    /usr/sbin/userdel -r ${USER}
  fi
done
# Remove ossec group
if grep "^ossec" /etc/group > /dev/null ; then
  /usr/sbin/groupdel ossec
fi

%files
%doc README BUGS CONFIG CONTRIB INSTALL LICENSE
%dir /var/ossec/
%attr(550, root, ossec) /var/ossec/
%dir /var/ossec/var
%attr(550, root, ossec) /var/ossec/var
%dir /var/ossec/var/run
%attr(770, root, ossec) /var/ossec/var/run
%dir /var/ossec/active-response
%attr(550, root, ossec) /var/ossec/active-response
%dir /var/ossec/active-response/bin
%attr(550, root, ossec) /var/ossec/active-response/bin
/var/ossec/active-response/bin/route-null.sh
%attr(755, root, ossec) /var/ossec/active-response/bin/route-null.sh
/var/ossec/active-response/bin/host-deny.sh
%attr(755, root, ossec) /var/ossec/active-response/bin/host-deny.sh
/var/ossec/active-response/bin/firewall-drop.sh
%attr(755, root, ossec) /var/ossec/active-response/bin/firewall-drop.sh
%dir /var/ossec/active-response/bin/firewalls
%attr(755, root, ossec) /var/ossec/active-response/bin/firewalls
/var/ossec/active-response/bin/firewalls/pf.sh
/var/ossec/active-response/bin/firewalls/ipfw.sh
/var/ossec/active-response/bin/firewalls/ipfw_mac.sh
/var/ossec/active-response/bin/disable-account.sh
%attr(755, root, ossec) /var/ossec/active-response/bin/disable-account.sh
%dir /var/ossec/bin
%attr(550, root, ossec) /var/ossec/bin
/var/ossec/bin/ossec-agentd
%attr(550, root, ossec) /var/ossec/bin/ossec-agentd
/var/ossec/bin/ossec-logcollector
%attr(550, root, ossec) /var/ossec/bin/ossec-logcollector
/var/ossec/bin/ossec-control
%attr(550, root, ossec) /var/ossec/bin/ossec-control
/var/ossec/bin/ossec-syscheckd
%attr(550, root, ossec) /var/ossec/bin/ossec-syscheckd
/var/ossec/bin/manage_agents
%attr(550, root, ossec) /var/ossec/bin/manage_agents
/var/ossec/bin/ossec-execd
%attr(550, root, ossec) /var/ossec/bin/ossec-execd
%dir /var/ossec/etc
%attr(550, root, ossec) /var/ossec/etc
/var/ossec/etc/internal_options.conf
%attr(440, root, ossec) /var/ossec/etc/internal_options.conf
/var/ossec/etc/localtime
%attr(644, root, root) /var/ossec/etc/localtime
%dir /var/ossec/etc/shared
%attr(770, root, ossec) /var/ossec/etc/shared
/var/ossec/etc/shared/win_malware_rcl.txt
%attr(770, root, ossec) /var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
%attr(770, root, ossec) /var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
%attr(770, root, ossec) /var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
%attr(770, root, ossec) /var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
%attr(770, root, ossec) /var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/ossec.conf
%attr(440, root, ossec) /var/ossec/etc/ossec.conf
%dir /var/ossec/logs
%attr(750, ossec, ossec) /var/ossec/logs
/var/ossec/logs/ossec.log
%attr(664, ossec, ossec) /var/ossec/logs/ossec.log
%dir /var/ossec/queue
%attr(550, root, ossec) /var/ossec/queue
%dir /var/ossec/queue/rids
%attr(775, root, ossec) /var/ossec/queue/rids
%dir /var/ossec/queue/alerts
%attr(550, root, ossec) /var/ossec/queue/alerts
%dir /var/ossec/queue/syscheck
%attr(550, root, ossec) /var/ossec/queue/syscheck
%dir /var/ossec/queue/ossec
%attr(770, ossec, ossec) /var/ossec/queue/ossec
 

Jose Luis Ruiz

May 16, 2016, 4:18:55 PM
to ossec...@googlegroups.com
Hi James,

A couple things

You should NEVER create your packages as the root user. Building RPMs as root is dangerous, because the binary files are installed on the system before being packaged, thus you must always build as a normal user so you won't accidentally pollute your system.

All files need to be in SOURCES, including your preloaded-vars.conf.

%_builddir. This is often implemented by running some variation of "./configure && make", not by running install.sh; install.sh needs to be executed with root permissions.

To create the Wazuh RPMs I followed the next links


However, if you would like me to help you, please send me your preloaded-vars.conf and tell me which OSSEC version you would like to build the RPM for, and I can give you the spec file and a few instructions to create the RPM.

This is easier than explaining the whole process by mail.

Delete your personal information from the preloaded-vars.conf :)
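
An added example (not part of the thread, and not OSSEC or Wazuh code): a POSIX shell pre-flight script for the three points raised in the replies above. It checks that the build is not running as root, that every source file is in SOURCES, and that the tarball unpacks into the directory that %setup -n will cd into. The function names and the argument order are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before rpmbuild (names are hypothetical).

# Print the distinct top-level entries of a gzip-compressed tarball, one per line.
tarball_topdirs() {
    tar -tzf "$1" | sed -e 's|^\./||' -e 's|/.*||' | grep -v '^$' | sort -u
}

# Succeed only if the tarball unpacks into exactly one top-level directory
# named $2, i.e. the directory "%setup -n $2" will cd into during %prep.
check_setup_dir() {
    tops=$(tarball_topdirs "$1")
    [ "$tops" = "$2" ]
}

# Succeed only if every named file exists in the SOURCES directory ($1).
check_sources_present() {
    dir=$1; shift
    for f in "$@"; do
        [ -f "$dir/$f" ] || { echo "missing from SOURCES: $f" >&2; return 1; }
    done
}

# Succeed only for a non-root uid (defaults to the current user's uid).
check_not_root() {
    [ "${1:-$(id -u)}" -ne 0 ]
}

# Usage: sh preflight.sh SOURCES_DIR TARBALL SETUP_DIR [EXTRA_SOURCE_FILE...]
if [ "$#" -ge 3 ]; then
    src=$1; tarball=$2; name=$3; shift 3
    check_not_root || { echo "refusing to build as root" >&2; exit 1; }
    check_sources_present "$src" "$tarball" "$@" || exit 1
    check_setup_dir "$src/$tarball" "$name" || {
        echo "$tarball must unpack into '$name/' to match %setup -n $name" >&2
        exit 1
    }
    echo "pre-flight checks passed"
fi
```

For the spec file posted above, this would be run as a normal user with ~/rpmbuild/SOURCES, ossec.tar.gz, ossec and preloaded-vars.conf as arguments.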


