OpenBSD 6 - Real Monitoring


R0me0 ***
Sep 29, 2016, 4:10:11 PM
to ossec...@googlegroups.com
Hello guys.

I'm trying to use real-time monitoring.

I have installed inotify-tools from the OpenBSD packages.

Initially I guessed it was something related to run_realtime.c, and I pointed it at the inotify.h path.

But I am still unable to use real-time monitoring; I get the following error for ossec.conf

( OpenBSD - OSSEC AGENT )

ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/etc/pf'.

Does anyone have this setup working? Any directions would be really appreciated.

Thanks in advance,

dan (ddp)
Sep 29, 2016, 6:38:30 PM
to ossec...@googlegroups.com

I spent some time messing with it awhile back, but never got it working. There are some Makefile changes you have to make, as well as possible src changes.


Victor Fernandez
Sep 30, 2016, 7:12:25 AM
to ossec-list
Hello,

I've never done this on OpenBSD, but try to force the inotify support with Make:

cd src
make TARGET=agent USE_INOTIFY=yes


Hope it helps.
Regards.

R0me0 ***
Sep 30, 2016, 9:50:13 AM
to ossec...@googlegroups.com
@dan I already set CFLAGS to include the include directory of inotify.h, without success.

@Victor without success.

:(

I'll keep researching.

Thank you guys.


dan (ddp)
Sep 30, 2016, 10:46:45 AM
to ossec...@googlegroups.com
On Fri, Sep 30, 2016 at 9:49 AM, R0me0 *** <knigh...@gmail.com> wrote:
> @dann I already set CFLAGS including include directory of inotify.h without
> success
>

I've gotten it to compile and not give me errors, but I also don't see
any realtime alerts.
I'll have to find a simple inotify testing program or something to see
if it even works.

R0me0 ***
Sep 30, 2016, 11:07:31 AM
to ossec...@googlegroups.com
Taking a better look within the Makeall file, the flag to compile is: echo "EEXTRA=-DUSEINOTIFY" >> Config.OS

tmp/ossec-hids-2.8.3/src/syscheckd/run_realtime.c:172: undefined reference to `inotify_add_watch'
collect2: ld returned 1 exit status
*** Error 1 in syscheckd (Makefile:15 'syscheck')


dan (ddp)
Sep 30, 2016, 12:13:38 PM
to ossec...@googlegroups.com
On Fri, Sep 30, 2016 at 11:07 AM, R0me0 *** <knigh...@gmail.com> wrote:
> Taking a better look within the Makeall file, the flag to compile is: echo
> "EEXTRA=-DUSEINOTIFY" >> Config.OS
>
> tmp/ossec-hids-2.8.3/src/syscheckd/run_realtime.c:172: undefined reference
> to `inotify_add_watch'
> collect2: ld returned 1 exit status
> *** Error 1 in syscheckd (Makefile:15 'syscheck')
>

I'm using MASTER from github, but here are the changes I made to get
it to compile:
https://github.com/ddpbsd/ossec-hids/commits/openbsd_inotify

R0me0 ***
Sep 30, 2016, 2:52:41 PM
to ossec...@googlegroups.com
I am using the 2.8.3 version and it is a little bit different. Anyway, I have made all the changes in the source files without success.

Another very interesting point is:

report_changes=yes

isn't reporting the diffs, just the sum changes.

Thank you guys! I really, really appreciate your help!

:)


R0me0 ***
Sep 30, 2016, 3:44:18 PM
to ossec...@googlegroups.com
Dan, I have cloned openbsd_inotify

and it isn't compiling

+ -I/usr/local/include/inotify

ifeq (${uname_S},OpenBSD)
#               DEFINES+=-DOpenBSD
               DEFINES+=-pthread
               LUA_PLAT=posix
               CFLAGS+=-I/usr/local/include -I/usr/local/include/inotify
               OSSEC_LDFLAGS+=-L/usr/local/lib

shared.a(validate_op.o): In function `OS_IsValidIP':
validate_op.c:(.text+0xa9b): warning: warning: strcpy() is almost always misused, please use strlcpy()
shared.a(hash_op.o): In function `OSHash_setSize':
hash_op.c:(.text+0x366): warning: warning: random() may return deterministic values, is that what you want?
syscheckd/run_realtime.o: In function `realtime_start':
run_realtime.c:(.text+0x5e): undefined reference to `inotify_init'
syscheckd/run_realtime.o: In function `realtime_adddir':
run_realtime.c:(.text+0x131): undefined reference to `inotify_add_watch'
collect2: ld returned 1 exit status
gmake: *** [Makefile:975: ossec-syscheckd] Error 1

Error 0x5.
Building error. Unable to finish the installation.

Same error from OSSEC 2.9 RC3

From OpenBSD 6.0 AMD64 Pkg's ->   /var/db/pkg/libinotify-20160503

dan (ddp)
Sep 30, 2016, 4:30:49 PM
to ossec...@googlegroups.com

On Sep 30, 2016 3:44 PM, "R0me0 ***" <knigh...@gmail.com> wrote:
>
> Dan, I have cloned openbsd_inotify
>
> and it isn't compiling
>
> run_realtime.c:(.text+0x5e): undefined reference to `inotify_init'
> run_realtime.c:(.text+0x131): undefined reference to `inotify_add_watch'
>
> From OpenBSD 6.0 AMD64 Pkg's ->   /var/db/pkg/libinotify-20160503
>

Make sure libinotify shows up when you run `ldconfig -r`

Other than that, I'll have to take a closer look later


R0me0 ***
Sep 30, 2016, 6:19:20 PM
to ossec...@googlegroups.com
Neither the latest stable 2.8.3 nor openbsd_inotify from your repository compiles.

ldconfig -r | fgrep inotify

linotify.2.0 => /usr/local/lib/inotify/libinotify.so.2.0

Thank you

If you need anything else let me know


dan (ddp)
Oct 3, 2016, 7:38:18 AM
to ossec...@googlegroups.com
On Fri, Sep 30, 2016 at 6:19 PM, R0me0 *** <knigh...@gmail.com> wrote:
> latest stable 2.8.3 neither openbsd_initify from your repository compiles.
>
> ldconfig -r | fgrep inotify
>
> linotify.2.0 => /usr/local/lib/inotify/libinotify.so.2.0
>

How did you try to build it (MASTER from github)? I'm trying with a
TARGET=server, and it's working for me.
Try adding:
V=1
to the Makefile. That might provide more information.

R0me0 ***
Oct 3, 2016, 12:51:10 PM
to ossec...@googlegroups.com
Hello Dan,

I tried to compile the last OSSEC stable release https://github.com/ossec/ossec-hids/archive/v2.8.3.tar.gz
Also I have cloned the https://github.com/ddpbsd/ossec-hids ( openbsd_inotify ) branch
Tried the pre-release of OSSEC ( https://github.com/ossec/ossec-hids/archive/2.9rc3.tar.gz )
All of them fail to compile with inotify

Note: I am trying to compile the OSSEC AGENT with inotify support under the OpenBSD 6.0 stable branch, all patches applied up to 009

Inotify from: http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/

pkg_add inotify-tools-3.14pl0.tgz; its dependency is libinotify-20160503.tgz

Thanks

dan (ddp)
Oct 3, 2016, 12:54:37 PM
to ossec...@googlegroups.com
On Mon, Oct 3, 2016 at 12:51 PM, R0me0 *** <knigh...@gmail.com> wrote:
> Hello Dan,
>
> I tried to compile the last OSSEC stable release
> https://github.com/ossec/ossec-hids/archive/v2.8.3.tar.gz
> Also I have cloned https://github.com/ddpbsd/ossec-hids ( openbsd_inotify )
> branch
> Tried the pre-release of OSSEC (
> https://github.com/ossec/ossec-hids/archive/2.9rc3.tar.gz )
> All of them fail to compile witrh inotify
>
> Note: I am trying to compile OSSEC AGENT with inotify support under OpenBSD
> 6.0 stable branch all patches applied until 009
>
> Inotify from: http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
>
> pkg_add inotify-tools-3.14pl0.tgz dependency is libinotify-20160503.tgz
>

Ok, I haven't tried an agent build yet.


dan (ddp)
Oct 3, 2016, 1:02:41 PM
to ossec...@googlegroups.com
Found the issue, looks like I forgot to commit a few bits. It should work now.

R0me0 ***
Oct 3, 2016, 1:16:34 PM
to ossec...@googlegroups.com
Dan, I just took a look at what you changed and I had already done it.

Just out of curiosity, I will clone it and try to compile.

:)


dan (ddp)
Oct 3, 2016, 1:33:22 PM
to ossec...@googlegroups.com
On Mon, Oct 3, 2016 at 1:16 PM, R0me0 *** <knigh...@gmail.com> wrote:
> Dan , Just have take a look what you changed and I already did it.
>
> Just for curiosity I will clone and try to compile
>
> :)
>

It Compiles for Me (TM)

R0me0 ***
Oct 3, 2016, 1:36:42 PM
to ossec...@googlegroups.com
Hey dannn! It compiled.

+ DEFINES+=-DINOTIFY_ENABLED

That was the one I didn't have :P

tail /var/ossec/logs/ossec.log  | fgrep "real time"
2016/10/03 14:22:51 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.

I am waiting for the diff to populate and I will check if real time is really working.

Back soon :) Thank you so much!


R0me0 ***
Oct 3, 2016, 6:08:27 PM
to ossec...@googlegroups.com
Hello dan!

Real-time monitoring is still not working, but it could be related to my OSSEC server running 2.8.3. After I upgraded the agent to 2.9 (which is the one I cloned) it stopped making sums (md5, sha1), so I think it is because of the update that real-time monitoring isn't working.

I will need to configure a lab with the current branch of OSSEC and perform all possible tests, like report_changes and check_sum (which at the moment isn't working properly with the current version I'm running). I run a lot of OpenBSD.

Thank you so much for your time and attention; I need to buy you a beer.

Regards,

dan (ddp)
Oct 4, 2016, 6:06:35 AM
to ossec...@googlegroups.com
On Mon, Oct 3, 2016 at 6:07 PM, R0me0 *** <knigh...@gmail.com> wrote:
> Hello dan !
>
> Real monitoring still not working, but it could be regarding my ossec server
> running 2.8.3. After I upgraded agent to 2.9 ( which is that cloned ) it
> stopped to make sums ( md5 sha1 ) so I think is regarding update that real
> monitor isn't working .
>

It's not really working for me either, but I haven't had time to
figure out if libinotify isn't working, or if it's actually OSSEC.
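Dan twice says the missing step is a small inotify test program to tell a libinotify problem from an OSSEC problem (in his Sep 30, 10:46 AM message and again here). The program below is added by the editor as that test; it is not from the thread, from OSSEC, or from libinotify. It creates a temporary directory, watches it, writes one file into it and counts the creation, modification and close-after-write events that come back; exit status 0 means events arrived, 2 means the watch was accepted but nothing was delivered (the silence both posters describe), 1 means inotify could not be set up at all. The OpenBSD compile line in the header comment is an assumption built from the `ldconfig -r` output posted earlier (headers under /usr/local/include/inotify, library under /usr/local/lib/inotify). On Linux inotify_init and inotify_add_watch are in libc, but with libinotify they live in a separate library, so a link line without `-linotify` produces exactly the `undefined reference` errors shown above.

```c
/* inotify_selftest.c -- does inotify deliver events on this host?
 *
 * Added example, not part of the ossec-list thread or the OSSEC sources.
 *
 * Linux:   cc -o inotify_selftest inotify_selftest.c
 * OpenBSD with the libinotify package (assumed paths, taken from the
 * ldconfig -r output in the thread):
 *          cc -I/usr/local/include/inotify -o inotify_selftest \
 *             inotify_selftest.c -L/usr/local/lib/inotify -linotify
 */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <sys/inotify.h>
#include <sys/select.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TEST_NAME "syscheck-realtime-probe"   /* constructed probe file name */

/* Watch a fresh temporary directory, write one file into it and count the
 * IN_CREATE / IN_MODIFY / IN_CLOSE_WRITE events reported for that file.
 * Returns the count (0 = watch accepted but silent), or -1 if inotify could
 * not be set up. Stops as soon as IN_CLOSE_WRITE, the last event a write
 * produces, is seen, otherwise after timeout_sec seconds of silence. */
int inotify_selftest(int timeout_sec)
{
    char dir[] = "/tmp/inotify-selftest-XXXXXX";
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return -1; }

    int fd = inotify_init();
    if (fd < 0) { perror("inotify_init"); rmdir(dir); return -1; }

    int wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MODIFY | IN_CLOSE_WRITE);
    if (wd < 0) { perror("inotify_add_watch"); close(fd); rmdir(dir); return -1; }

    /* Trigger a change the watch should report. */
    char path[sizeof dir + sizeof TEST_NAME + 1];
    snprintf(path, sizeof path, "%s/%s", dir, TEST_NAME);
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        perror("fopen");
        inotify_rm_watch(fd, wd); close(fd); rmdir(dir);
        return -1;
    }
    fputs("realtime probe\n", f);
    fclose(f);

    int seen = 0, done = 0;
    char buf[4096] __attribute__((aligned(8)));   /* event records need alignment */
    while (!done) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        struct timeval tv = { timeout_sec, 0 };
        if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0)
            break;                               /* timeout or error: nothing more */
        ssize_t len = read(fd, buf, sizeof buf);
        if (len <= 0)
            break;
        /* One read may return several variable-length inotify_event records. */
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->len > 0 && strcmp(ev->name, TEST_NAME) == 0) {
                if (ev->mask & (IN_CREATE | IN_MODIFY | IN_CLOSE_WRITE))
                    seen++;
                if (ev->mask & IN_CLOSE_WRITE)
                    done = 1;
            }
            p += sizeof(struct inotify_event) + ev->len;
        }
    }

    /* Remove the probe file, the watch and the temporary directory. */
    unlink(path);
    inotify_rm_watch(fd, wd);
    close(fd);
    rmdir(dir);
    return seen;
}

int main(void)
{
    int n = inotify_selftest(2);
    if (n < 0) {
        fprintf(stderr, "inotify is not usable on this host\n");
        return 1;
    }
    printf("inotify delivered %d event(s) for the probe file\n", n);
    /* 0 events: the watch was accepted but nothing was reported, which is
     * the symptom of a realtime syscheck that logs the directory but stays silent. */
    return n > 0 ? 0 : 2;
}
```

If this exits 0 on the OpenBSD agent, libinotify is delivering events and the place to look is OSSEC's realtime code; if it exits 2 or 1, OSSEC is not the problem and the libinotify package (or the kqueue backend underneath it) is.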