OSSEC on IPCop


Michael Starks

Jan 2, 2007, 10:12:11 PM
to ossec...@googlegroups.com
I'm trying to get OSSEC working on IPCop. IPCop doesn't have a build
environment, so after a bit of Googling I came across this:
http://www.greatchief.plus.com/smoothwall/gnu_compilers.txt. After
copying over the which and make binaries, things were looking pretty
good. That is, until it got to the point of compiling remoted. This is
the error I am getting:

----------------------------------------------------------
*** Making remoted ***

make[1]: Entering directory `/root/ossec-hids-0.9-3/src/remoted'
gcc -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
-DARGV0=\"ossec-remoted\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
../config/*.c ../os_zlib/os_zlib.c ../external/libz.a
../shared/lib_shared.a ../os_net/os_net.a ../os_xml/os_xml.a
../os_regex/os_regex.a ../os_crypto/os_crypto.a -pthread -o ossec-remoted
/usr/gnu/lib/gcc-lib/i386-redhat-linux/3.3.5/../../../../i386-redhat-linux/bin/ld:
cannot find -lpthread
collect2: ld returned 1 exit status
make[1]: *** [remoted] Error 1
make[1]: Leaving directory `/root/ossec-hids-0.9-3/src/remoted'

Error Making remoted
make: *** [all] Error 1

Error 0x5.
Building error. Unable to finish the installation.
----------------------------------------------------------

Looking closely at the above, notice the 'os_crypto/os_crypto.a
-pthread'. The original makefile has -lpthread, but that wasn't
included in the build environment, so I hacked at src/Makeall to make it
use -pthread instead. But it still fails, because ld is still looking
for lpthread.

If I can get past these issues and have it work reliably, I'd be happy
to write it up for the Wiki. Having OSSEC on IPCop would have several
benefits:

-Push out active response to the front line
-Monitor Snort and Squid logs which are already there
-Monitor the firewall itself for intrusion

Thanks in advance.

Black CryptoKnight

Jan 3, 2007, 11:38:50 AM
to ossec...@googlegroups.com
I think when the smoothwall and IPCop guys are doing their mods, many do their builds on a Redhat system with similar kernel etc. to the Smoothwall or IPCop systems (on which these distros are based) then transfer the binaries to the smoothwall or IPCop environment. Maybe that could work with OSSEC as well I think. There is a procedure for doing "binary installs" of OSSEC detailed on the wiki - http://www.ossec.net/wiki/index.php/Know_How:Binary_Install

If you could get a Red Hat system set up with a similar kernel version to that of the IPCop system, then you could give that approach a shot.


Michael Starks

Jan 3, 2007, 9:49:04 PM
to ossec...@googlegroups.com
Black CryptoKnight wrote:
> I think when the smoothwall and IPCop guys are doing their mods, many do
> their builds on a Redhat system with similar kernel etc. to the
> Smoothwall or IPCop systems (on which these distros are based) then
> transfer the binaries to the smoothwall or IPCop environment. Maybe that
> could work with OSSEC as well I think. There is a procedure for doing
> "binary installs" of OSSEC detailed on the wiki -
> http://www.ossec.net/wiki/index.php/Know_How:Binary_Install
>
> If you could get RedHat system setup with similar kernel version to that
> of the IPCop system then you could give that approach a shot.

Thanks for the response. I actually first tried to compile it on my
Ubuntu Edgy system and copy over the /var/ossec directory. I had
problems with GLIBC being too recent on Edgy, so I figured I'd try a
direct compile.

I agree that not compiling on a production system is a best practice,
however I believe the risk to be low, particularly if the build
environment is removed afterwards. I didn't even know about the binary
install option. From the link you provided, I found all kinds of good
stuff on the Wiki which I had missed before. Perhaps there should be
direct links from the front page.

I suppose a CentOS III machine might work. It has a similar Kernel
version and older binaries. There should be a VMWare image out there.
I'll give that a shot.

Daniel Cid

Jan 4, 2007, 11:04:59 PM
to ossec...@googlegroups.com
Hi Michael,

I don't know much about IPCop, but you are missing the glibc-dev libraries
in there. If IPCop uses RPM, you can try installing glibc-devel and
compat-libstdc.

For the binary install to work, you need to make sure that both systems (the
build and the production one) have the same glibc/gcc major version and share
the same architecture (i386 or amd64, etc)...

Hope it helps...

--
Daniel B. Cid
dcid ( at ) ossec.net
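The compatibility requirements Daniel lists (same architecture, same glibc and gcc major version) plus the kernel comparison Michael used can be turned into a one-line fingerprint run on both boxes. This is an added example, not OSSEC project code; the field layout and the "?" placeholder for a box without a compiler are my own conventions.

```shell
#!/bin/sh
# Added example (not part of OSSEC): print one line of the facts that must
# agree between the build box and the target before /var/ossec is copied.
# Fields: arch, kernel major.minor, glibc major.minor, gcc major
# ("?" when the box has no compiler, as IPCop does not).
collect_fingerprint() {
    arch=$(uname -m)
    kernel=$(uname -r | cut -d. -f1-2)
    glibc=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}' | cut -d. -f1-2)
    gcc_major=$(gcc -dumpversion 2>/dev/null | cut -d. -f1)
    printf '%s %s %s %s\n' "${arch:-?}" "${kernel:-?}" "${glibc:-?}" "${gcc_major:-?}"
}

# Compare the build box's line ($1) with the target's line ($2).
# Architecture and glibc must match, gcc major must match when both sides
# report it; a kernel difference is only noted, since it is a heuristic.
# Returns 0 when the binary install looks safe, 1 otherwise.
compare_fingerprints() {
    set -- $1 $2
    rc=0
    [ "$1" = "$5" ] || { echo "arch mismatch: $1 vs $5"; rc=1; }
    [ "$3" = "$7" ] || { echo "glibc mismatch: $3 vs $7"; rc=1; }
    if [ "$4" != "?" ] && [ "$8" != "?" ] && [ "$4" != "$8" ]; then
        echo "gcc major mismatch: $4 vs $8"; rc=1
    fi
    [ "$2" = "$6" ] || echo "note: kernel $2 vs $6 (not fatal; check ldd on the target)"
    return $rc
}
```

Run `collect_fingerprint` on each box, then feed both lines to `compare_fingerprints` before doing the binary install.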

Michael Starks

Jan 7, 2007, 12:27:43 AM
to ossec...@googlegroups.com
Daniel Cid wrote:
> I don't know much about IPCop, but you are missing the glibc-dev libraries
> in there. If IPCop uses RPM, you can try installing glibc-devel and
> compat-libstdc.
>
> For the binary install to work, you need to make sure that both systems (the
> build and the production one) have the same glibc/gcc major version and share
> the same architecture (i386 or amd64, etc)...

I did get it to run on IPCop and that's pretty cool, but it wasn't
without a bit of pain.

First, I wanted to find a compatible build environment. Looking at the
Kernel version of IPCop and running ldd on /var/ossec/bin/* led me to
CentOS III. It was a pretty close match for the kernel and shared
libraries.

So, I read the INSTALL document and chose the option to simply make
clean && make all. That seemed to go OK so I copied everything over to
the IPCop box. I ran ./install.sh binary-install and answered the
questions, but it failed to copy the binaries. I noticed that the
binaries had not been copied into the /bin directory by the Makefile so
I copied them there and tried again. Everything seemed to go OK this time.

Because of limited space on this box, I had to install to /var/log/ossec
instead of /var/ossec (I'm afraid of cached events filling the very
small partition). Upon starting OSSEC it was looking for some files in
/var/ossec. OK, so I made some symlinks, but I seem to have hit a brick
wall with ossec-syscheckd. This message repeats: 2007/01/07 00:15:02
ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.

It seems as if the binaries have the default location hardcoded in at
compile-time. Is there a way to pass the install location to the
Makefile?

In the end, I installed it to the /var/log/ossec location on the build
box, then copied everything over. That seems to work OK.

-Mike

Daniel Cid

Jan 7, 2007, 11:12:22 PM
to ossec...@googlegroups.com
Hi Michael,

Ossec by default will be configured to use /var/ossec, but you can modify
that during compilation time by editing the file src/Config.OS (on the build
box). To have ossec on /var/log/ossec, just add the following:

CEXTRA= -DDEFAULTDIR=\"/var/log/ossec\"

And make sure to set the preloaded-vars.conf file properly (for the binary
install):

USER_BINARYINSTALL="y"
USER_DIR="/var/log/ossec"


*This work is only necessary on binary installs. For everyone else, just
using the install.sh script should be fine.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
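The two settings Daniel describes can be applied on the build box and then verified before anything is copied over, which is the check that would have caught the hardcoded /var/ossec in Michael's first attempt. Added example, not OSSEC project code; the function names and the byte-wise grep verification are my own.

```shell
#!/bin/sh
# Added example (not part of OSSEC): set a non-default install directory
# for a binary build and prove the compiled binaries carry it.

# Replace any existing CEXTRA line in src/Config.OS with Daniel's
# -DDEFAULTDIR setting and write preloaded-vars.conf for a binary install.
# $1 = path to Config.OS, $2 = path to preloaded-vars.conf, $3 = install dir
set_install_dir() {
    config_os="$1"; preloaded="$2"; dir="$3"
    grep -v '^CEXTRA=' "$config_os" > "$config_os.tmp" 2>/dev/null || true
    printf 'CEXTRA= -DDEFAULTDIR=\\"%s\\"\n' "$dir" >> "$config_os.tmp"
    mv "$config_os.tmp" "$config_os"
    printf 'USER_BINARYINSTALL="y"\nUSER_DIR="%s"\n' "$dir" > "$preloaded"
}

# DEFAULTDIR is compiled in as a plain string, so a byte-wise grep shows
# whether a binary got the new directory. When a non-default directory was
# requested, the stock /var/ossec must also be gone, otherwise the daemons
# will still look for their queue there (the symptom Michael hit).
# $1 = binary to inspect, $2 = expected install dir
binary_has_defaultdir() {
    bin="$1"; dir="$2"
    grep -a -q -- "$dir" "$bin" || return 1
    [ "$dir" = "/var/ossec" ] && return 0
    ! grep -a -q -- '/var/ossec' "$bin"
}
```

After `make all`, loop `binary_has_defaultdir` over the built binaries and abort the copy if any still embed the default.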

Michael Starks

Jan 10, 2007, 10:40:14 PM
to ossec...@googlegroups.com
Daniel Cid wrote:
> Ossec by default will be configured to use /var/ossec, but you can modify
> that during compilation time by editing the file src/Config.OS (on the build
> box). To have ossec on /var/log/ossec, just add the following:
>
> CEXTRA= -DDEFAULTDIR=\"/var/log/ossec\"
>
> And make sure to set the preloaded-vars.conf file properly (for the binary
> install):
>
> USER_BINARYINSTALL="y"
> USER_DIR="/var/log/ossec"

This worked just about perfectly. The only manual step I had to perform
was to copy the binaries into the ../bin directory. I've started a
write-up for the Wiki and will get it posted when I get a chance.
Thanks again.

Dennis Borkhus-Veto

Jan 11, 2007, 8:07:28 AM
to ossec...@googlegroups.com
I only have a limited knowledge of IPCop and am planning to deploy it. Could this not be put out as an add-on module for IPCop?
I would be very interested in the details on how you did this.
Dennis

Michael Starks

Jan 11, 2007, 11:22:30 PM
to ossec...@googlegroups.com
Dennis Borkhus-Veto wrote:
> I only have a limited knowledge of IPCop and am planning to deploy it. Could this not be put out as an add-on module for IPCop?
> I would be very interested in the details on how you did this.
> Dennis

I'm sure it could be a module, but I am more of a systems guy so I'm not
the one to code it. But it's pretty easy to install locally once you
know how to do the binary install. I'll finish the write-up this
weekend, hopefully.
