Database support Solaris 10


Adam

Jun 13, 2013, 12:45:37 PM
to ossec...@googlegroups.com
Hello,
 
I was trying to reinstall OSSEC with database support (for postgreSQL) on Solaris 10.
 
After making ./src/setdb I ran the install script and got the following error:
 
*** Making os_dbd ***

Compiling DB support with:
gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\"  -DSOLARIS -DHIGHFIRST     -DARGV0=\"ossec-dbd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl -lresolv  -I/usr/sfw/include/mysql -xstrconst -mt -R/usr/sfw/lib -R/usr/sfw/lib/mysql -L/usr/sfw/lib -L/usr/sfw/lib/mysql -lmysqlclient -lz -lposix4 -lcrypt -lgen -lsocket -lnsl -lm -DDBD -DUMYSQL -I/usr/include/pgsql -I/usr/include/pgsql -L/usr/lib -L/usr/lib -lpq -DDBD -DUPOSTGRES *.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-dbd
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
gcc: language strconst not recognized
ld: fatal: file alert.c: unknown file type
ld: fatal: file processing errors. No output written to ossec-dbd
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `default'
Current working directory ~/OSSEC/ossec-hids-2.7/src/os_dbd

Error Making os_dbd
*** Error code 1
The following command caused the error:
/bin/sh ./Makeall all
make: Fatal error: Command failed for target `all'
 Error 0x5.
 Building error. Unable to finish the installation.
 
 
 *** Making os_dbd ***
Compiling DB support with:
gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\"  -DSOLARIS -DHIGHFIRST     -DARGV0=\"ossec-dbd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl -lresolv  *.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -I/usr/sfw/include/mysql -xstrconst -mt -R/usr/sfw/lib -R/usr/sfw/lib/mysql -L/usr/sfw/lib -L/usr/sfw/lib/mysql -lmysqlclient -lz -lposix4 -lcrypt -lgen -lsocket -lnsl -lm -DDBD -DUMYSQL -I/usr/include/pgsql -I/usr/include/pgsql -L/usr/lib -L/usr/lib -lpq -DDBD -DUPOSTGRES -o ossec-dbd
cc1: error: invalid option `t'
cc1: error: invalid option `t'
cc1: error: invalid option `t'
cc1: error: invalid option `t'
cc1: error: invalid option `t'
cc1: error: invalid option `t'
cc1: error: invalid option `t'
*** Error code 1
make: Fatal error: Command failed for target `default'
Current working directory ~/OSSEC/ossec-hids-2.7/src/os_dbd
Error Making os_dbd
*** Error code 1
The following command caused the error:
/bin/sh ./Makeall all
make: Fatal error: Command failed for target `all'
 Error 0x5.
 Building error. Unable to finish the installation.

 
Has anyone had this before?
 

dan (ddp)

Jun 13, 2013, 1:02:22 PM
to ossec...@googlegroups.com
On Thu, Jun 13, 2013 at 12:45 PM, Adam <thenak...@gmail.com> wrote:
> Hello,
>
> I was trying to reinstall OSSEC with database support (for postgreSQL) on
> Solaris 10.
>
> After making ./src/setdb I ran the install script and got the following
> error:
>
>>
>> *** Making os_dbd ***
>>
>> Compiling DB support with:
>> gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DSOLARIS
>> -DHIGHFIRST -DARGV0=\"ossec-dbd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket
>> -lnsl -lresolv -I/usr/sfw/include/mysql -xstrconst -mt -R/usr/sfw/lib
>> -R/usr/sfw/lib/mysql -L/usr/sfw/lib -L/usr/sfw/lib/mysql -lmysqlclient -lz
>> -lposix4 -lcrypt -lgen -lsocket -lnsl -lm -DDBD -DUMYSQL
>> -I/usr/include/pgsql -I/usr/include/pgsql -L/usr/lib -L/usr/lib -lpq -DDBD
>> -DUPOSTGRES *.c ../config/lib_config.a ../shared/lib_shared.a
>> ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-dbd
>> gcc: language strconst not recognized
>> gcc: language strconst not recognized
>> gcc: language strconst not recognized

Check the src/os_dbd/Makefile for "-xstrconst" If it isn't in there,
try to find out where it's getting set. This might help us track it
down. (it doesn't appear on my non-solaris systems)

Adam

Jun 14, 2013, 4:41:40 AM
to ossec...@googlegroups.com

The following line appears in ./src/Config.OS
 
CDB=-I/usr/sfw/include/mysql -xstrconst -mt -R/usr/sfw/lib -R/usr/sfw/lib/mysql -L/usr/sfw/lib -L/usr/sfw/lib/mysql -lmysqlclient -lz -lposix4 -lcrypt -lgen -lsocket -lnsl -lm -DDBD -DUMYSQL -I/usr/include/pgsql -I/usr/include/pgsql -L/usr/lib -L/usr/lib -lpq -DDBD -DUPOSTGRES
 
all the paths seem to be correct for mysql and pgsql directories on solaris...
 
 
I found this: http://bugs.mysql.com/bug.php?id=22430: using a general web search, xstrconst bugs, but it's a fairly old version of mysql....
 
For solaris 10u11 I have:
# mysql --version
mysql  Ver 12.22 Distrib 4.0.31, for pc-solaris2.10 (i386)

Adam

Jun 14, 2013, 6:42:12 AM
to ossec...@googlegroups.com
As a small aside:
 
What OS are the test systems you use for developing OSSEC? as on a previous thread you said it was hard to get solaris testers. I'm currently setting up a VM as a dedicated OSSEC server, and could easily swap to CentOS or Ubuntu for this, if this will be quicker/more robust.
 
Some agents would be required on solaris boxes, but do you need to add DB support on agents or just the server?
If so for these I could possibly go agentless, I've modified ssh_integrity_check_linux to perform agentless checks on solaris, using:
# as SSH_integrity_check_linux
send "echo \"INFO: Starting.\"; for i in `find  $args 2>/dev/null`;do tail \$i>/dev/null 2>&1 && md5=`digest -a md5 \$i` && sha1=`digest -a sha1 \$i` && fileInf=`ls -ldAn \$i | awk '{ printf \"%d:%s:%d:%d\", \$5, \$1, \$3,\$4 }'` && echo FWD: \$fileInf:\$md5:\$sha1 \$i ; done; exit\r"
 
(can't figure out a way to get octal permissions to fully replace stat... but ossec seems to pick up diffs on string permissions and notify of changes.)
 
I also made a separate script to pass logs to the server based on yesterday's date (so only really runnable every 24 hours) which seems to work.
# as SSH_integrity_check_linux
# calculate date as expect variable and pass to bash
set ymonth [clock format [clock scan "2 days ago"] -format "%b"]
set yday [clock format [clock scan "2 days ago"] -format "%e"]
set yesterday [format "%s %d" $ymonth $yday]
# altered this file to make it use LOG:
send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail \$i>/dev/null 2>&1 && while read line; do ValidLine=`echo \$line|grep \"$yesterday\"` && echo LOG: \$ValidLine; done <\$i;done; exit\r"
send "exit\r"
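
On the octal-permissions gap mentioned in the message above, this is an added example (not part of the original post or of OSSEC) that converts the symbolic mode string from `ls -ldn` into the octal form `stat`'s `%a` prints, including the setuid, setgid and sticky bits. The function names and the sample `ls` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an ls(1) mode string into the octal digits stat's %a prints.

# perm_to_octal MODE  ->  e.g. "-rwxr-xr-x" -> 755, "-rwsr-xr-x" -> 4755
perm_to_octal() {
    # Skip the file-type character; a trailing ACL marker ("+") is ignored.
    perms=$(printf '%s' "$1" | cut -c2-10)
    case $perms in
        [r-][w-][xsS-][r-][w-][xsSl-][r-][w-][xtT-]) ;;
        *) echo "unrecognised mode string: $1" >&2; return 1 ;;
    esac
    special=0
    digits=
    for start in 1 4 7; do
        triplet=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        value=0
        case $triplet in r??) value=$((value + 4)) ;; esac
        case $triplet in ?w?) value=$((value + 2)) ;; esac
        # Lowercase s/t mean "special bit set AND execute set".
        case $triplet in ??[xst]) value=$((value + 1)) ;; esac
        # Any of s, S, t, T (or Solaris "l", mandatory locking) sets the
        # special bit for that position: setuid=4, setgid=2, sticky=1.
        case $triplet in
            ??[sStTl])
                case $start in
                    1) special=$((special + 4)) ;;
                    4) special=$((special + 2)) ;;
                    7) special=$((special + 1)) ;;
                esac ;;
        esac
        digits=$digits$value
    done
    if [ "$special" -eq 0 ]; then
        printf '%s\n' "$digits"
    else
        printf '%s%s\n' "$special" "$digits"
    fi
}

# fwd_fields LS_LINE  ->  size:octal:uid:gid from one line of `ls -ldn` output
fwd_fields() {
    read -r mode _links uid gid size _rest <<EOF
$1
EOF
    octal=$(perm_to_octal "$mode") || return 1
    printf '%s:%s:%s:%s\n' "$size" "$octal" "$uid" "$gid"
}

# Constructed sample line (not from a real host).
fwd_fields "-r-sr-xr-x 1 0 3 27228 Jan 23 2005 /usr/bin/passwd"
```

Solaris 10's /bin/sh is the legacy Bourne shell and lacks `$(( ))`, so this needs /usr/xpg4/bin/sh or ksh there.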

Adam

Jun 17, 2013, 1:36:10 PM
to ossec...@googlegroups.com
Hi,
 
I tried to remove the -xstrconst and -mt. The MySQL libraries still wouldn't compile as certain variables weren't defined.
 
I then removed mysql from PATH and recompiled with just postgres, and apart from the mysql client lib errors when I ran make setdb, install.sh compiled everything else..
I get the following for # /var/ossec/bin/ossec-dbd -v

OSSEC HIDS v2.7 - Trend Micro Inc.
Compiled with PostgreSQL support.

The psql db is set up as required (I've managed to get this working on a CentOS VM happily, so I'm fairly sure I've not got anything different between OS... still persisting with solaris)
 
I've run ossec-control enable database
 
I get  "ossec-dbd: Connected to database 'ossecdb' at '127.0.0.1'." in the ossec.log, with no other error (e.g. a timeout or permission error, as I got whilst trying to configure under CentOS.)
 
But when I run ossec-control status, the ossec-dbd is not running, and the DB is not being populated, except for the signature table.
 
 

Adam

Jun 17, 2013, 1:42:55 PM
to ossec...@googlegroups.com

Amendment:

 

Agent, alert data and location don’t get data added to the database

 

Category, server, signature and signature_category_mapping all seem to get data when I do a ossec-control restart

Michael Barrett

Jun 17, 2013, 3:33:28 PM
to ossec...@googlegroups.com
Is there a way to setup ossec agents to failover to another server?

We have a single management server (RH OSSEC 2.7)

The server is virtual, in the event of a disaster we would like to migrate the server over to our co-location facility.

In my test I found that the agent could not talk to the server once its IP address had changed (we used the name in the config and changed DNS to point to new location)

I was able to get the agent to talk to the server once I generated a new key and pushed it out to the agent.


Is there a way to set this up without having to re-issue keys to all my agents?



Thanks!
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * michael...@MGIC.com

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

dan (ddp)

Jun 19, 2013, 9:28:18 AM
to ossec...@googlegroups.com
Welcome back.

On Mon, Jun 17, 2013 at 3:33 PM, Michael Barrett
<Michael...@mgic.com> wrote:
> Is there a way to setup ossec agents to failover to another server?
>
> We have a single management server (RH OSSEC 2.7)
>
> The server is virtual, in the event of a disaster we would like to migrate
> the server over to our co-location facility.
>
> In my test I found that the agent could not talk to the server once its IP
> address had changed (we used the name in the config and changed DNS to point
> to new location)
>
> I was able to get the agent to talk to the server once I generated a new key
> and pushed it out to the agent.
>
>
> Is there a way to set this up without having to re-issue keys to all my
> agents?
>

I believe the way to set it up is to add another server-ip entry to
the agent, and copy the client.keys from the first server to the
second. (restart agent processes and second server processes)


dan (ddp)

Jun 19, 2013, 9:57:03 AM
to ossec...@googlegroups.com
On Fri, Jun 14, 2013 at 6:42 AM, Adam <thenak...@gmail.com> wrote:
> As a small aside:
>
> What OS are the test systems you use for developing OSSEC? as on a previous
> thread you said it was hard to get solaris testers. I'm currently setting up
> a VM as a dedicated OSSEC server, and could easily swap to CentOS or Ubuntu
> for this, if this will be quicker/more robust.
>

I can't speak for anyone else, but I generally use OpenBSD. I
occasionally use various linuxes and rarely boot the Solaris VMs.

> Some agents would be required on solaris boxes, but do you need to add DB
> support on agents or just the server?

The DB stuff is server only.

> If so for these I could possibly go agentless, I've modified
> ssh_integrity_check_linux to perform agentless checks on solaris, using:
>>
>> # as SSH_integrity_check_linux
>>
>> send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail
>> \$i>/dev/null 2>&1 && md5=`digest -a md5 \$i` && sha1=`digest -a sha1 \$i`
>> && fileInf=`ls -ldAn \$i | awk '{ printf \"%d:%s:%d:%d\", \$5, \$1, \$3,\$4
>> }'` && echo FWD: \$fileInf:\$md5:\$sha1 \$i ; done; exit\r"
>
>
> (can't figure out a way to get octal permissions to fully replace stat... but
> ossec seems to pick up diffs on string permissions and notify of changes.)
>
> I also made a separate script to pass logs to the server based on yesterday's
> date (so only really runnable every 24 hours) which seems to work.
>>
>> # as SSH_integrity_check_linux
>>
>> # calculate date as expect variable and pass to bash
>> set ymonth [clock format [clock scan "2 days ago"] -format "%b"]
>> set yday [clock format [clock scan "2 days ago"] -format "%e"]
>> set yesterday [format "%s %d" $ymonth $yday]
>>
>> # altered this file to make it use LOG:
>>
>> send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail
>> \$i>/dev/null 2>&1 && while read line; do ValidLine=`echo \$line|grep
>> \"$yesterday\"` && echo LOG: \$ValidLine; done <\$i;done; exit\r"
>> send "exit\r"
>

dan (ddp)

Jun 19, 2013, 9:54:42 AM
to ossec...@googlegroups.com
I don't use dbd, but you could try either running
`/var/ossec/bin/ossec-dbd -d` or using something like gdb to try and
see what's going wrong.

I have to admit, I'd be surprised if the postgresql support even
works. Changes were made and the mysql junk was updated, but I don't
think the postgresql stuff was touched.

Michael Barrett

Jun 19, 2013, 12:12:48 PM
to ossec...@googlegroups.com
Thanks for the reply

Just a point of clarification

The fail-over server is the same server; it is virtual, so it is actually the same server with a different IP address. The client.keys file is the same.

I configured the client to use name not IP, so I don't know why it didn't work, if what you're saying is that it should work.

So there is nothing in the key itself that ties it to the server?  As long as the agent and the server have the same client.keys file it should work?


____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * michael...@MGIC.com

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.







Michael Barrett

Jun 21, 2013, 12:23:10 PM
to ossec...@googlegroups.com
Do I need to be concerned with these errors?  I don't seem to see it on other machines

RH Linux ossec ver 2.6


2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/win_audit_rcl.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/win_malware_rcl.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/rootkit_files.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/cis_rhel5_linux_rcl.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/cis_debian_linux_rcl.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/rootkit_trojans.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/win_applications_rcl.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/cis_rhel_linux_rcl.txt'.
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/system_audit_rcl.txt'.

dan (ddp)

Jun 21, 2013, 1:06:48 PM
to ossec...@googlegroups.com
On Fri, Jun 21, 2013 at 12:23 PM, Michael Barrett
<Michael...@mgic.com> wrote:
> Do I need to be concerned with these errors? I don't seem to see it on
> other machines
>
> RH Linux ossec ver 2.6
>
>
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/win_audit_rcl.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/win_malware_rcl.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/rootkit_files.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/cis_rhel5_linux_rcl.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/cis_debian_linux_rcl.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/rootkit_trojans.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/win_applications_rcl.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/cis_rhel_linux_rcl.txt'.
> 2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared/system_audit_rcl.txt'.
>

They're probably worth investigating. I'd start by checking the
permissions/ownership of /var/ossec/etc/shared/merged.mg and the files
listed above.
