OSSEC RPM


Joe S

Jan 4, 2012, 8:02:50 PM
to ossec-list
A few people have mentioned that they were working on making RPMs for
OSSEC, given the issues with the Atomic RPMs linked on the OSSEC
download page. Have you had any success? Do you have a SPEC file you
can share?

Stephane Rossan

Jan 4, 2012, 8:37:47 PM
to ossec...@googlegroups.com
I created my own RPM for OSSEC. What I did was download the latest
snapshot from Mercurial and run install.sh on a test machine.
Once installed, I created a tarball of the ossec directory and used it to
create an RPM.
In my case, the application has to be under /apps.
Here is my spec file:
%define name ossec
%define release 2
%define version 26
%define prg ossec
%define appsdir /apps

BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Summary: Ossec agent
License: GPL
Name: %{name}
Version: %{version}
Release: %{release}
Source: %{name}-%{version}.tar.gz
Prefix: /
Autoreq: 0
Group: Development/Tools
Vendor: http://www.ossec.net
Packager: InfoSec
Provides: ossec
ExclusiveOS: linux

%description
OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking, rootkit detection, time-based
alerting and active response.

%prep
%setup -q

%build
# The tarball is an already-built tree: no debuginfo package and no stripping
%define debug_package %{nil}
%define __strip /bin/true

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT
cp -r * $RPM_BUILD_ROOT

%pre
# Create the system group and the unprivileged service account if missing.
# getent is used for the group test; "id -g" would only tell us about a user.
if ! getent group %{prg} > /dev/null 2>&1; then
    groupadd -r %{prg}
fi
if ! id -u %{prg} > /dev/null 2>&1; then
    useradd -g %{prg} -G %{prg} \
        -d %{appsdir}/%{prg} \
        -r -s /sbin/nologin %{prg}
fi

%post
# Generate the ossec-init.conf template
echo "DIRECTORY=\"%{appsdir}/%{prg}\"" > %{appsdir}/%{prg}/etc/%{prg}-init.conf
echo "VERSION=\"v2.6\"" >> %{appsdir}/%{prg}/etc/%{prg}-init.conf
echo "DATE=\"`date`\"" >> %{appsdir}/%{prg}/etc/%{prg}-init.conf
echo "TYPE=\"agent\"" >> %{appsdir}/%{prg}/etc/%{prg}-init.conf

# Symlink so the binaries find ossec-init.conf in /etc
ln -sf %{appsdir}/%{prg}/etc/%{prg}-init.conf %{_sysconfdir}/%{prg}-init.conf

# Register the service but leave it disabled until it is configured
chkconfig --add %{name}
chkconfig %{name} off

%files
%defattr(-,root,root)
/etc/rc.d/init.d/ossec
%defattr(-,root,%{prg})
%{appsdir}/%{prg}/*
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/active-response
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/active-response/bin
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/bin
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/etc
%attr(770,%{prg},%{prg}) %dir %{appsdir}/%{prg}/etc/shared
%attr(750,%{prg},%{prg}) %dir %{appsdir}/%{prg}/logs
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/queue
%attr(750,%{prg},%{prg}) %dir %{appsdir}/%{prg}/queue/syscheck
%attr(770,%{prg},%{prg}) %dir %{appsdir}/%{prg}/queue/ossec
%attr(755,%{prg},%{prg}) %dir %{appsdir}/%{prg}/queue/rids
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/var
%attr(770,root,%{prg}) %dir %{appsdir}/%{prg}/var/run

So far, it has been working very well for me. I can deploy this RPM
through our Puppet infrastructure.
And with 2.6, autoregistration is a very nice feature to have.

I created RPMs for x86_64 and i386 RHEL/CentOS 5 machines.

I hope it helps.

-Stephane
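The %files section above is effectively a permission policy for the installed tree, and a package built from a tarball of a live install is easy to get subtly wrong. The following script, added here and not part of the thread or of any OSSEC project code, audits an installed tree against that %attr table; it assumes GNU stat (Linux) and that owner/group names resolve via the passwd/group databases.

```shell
# Added example (not from the thread): audit an OSSEC install against the
# directory ownership/mode table of the spec's %files section.
# Assumes GNU stat (Linux); owner/group are compared by name.

# Print the expected table, one "<mode> <owner> <group> <relative path>" per
# line, taken from the %attr(...) %dir lines; the account names are parameters
# so the same table can be checked against a test tree owned by any user.
ossec_expected_table() {
    r=$1; u=$2; g=$3
    cat <<EOF
550 $r $g .
550 $r $g active-response
550 $r $g active-response/bin
550 $r $g bin
550 $r $g etc
770 $u $g etc/shared
750 $u $g logs
550 $r $g queue
750 $u $g queue/syscheck
770 $u $g queue/ossec
755 $u $g queue/rids
550 $r $g var
770 $r $g var/run
EOF
}
# check_ossec_perms ROOT TABLE_FILE: print one line per mismatch and return 1
# if any entry is missing or has a different mode/owner/group, else return 0.
check_ossec_perms() {
    root=$1; table=$2; bad=0
    while read -r mode owner group rel; do
        case "$mode" in ''|'#'*) continue ;; esac   # skip blanks and comments
        target="$root/$rel"
        if [ ! -e "$target" ]; then
            echo "$rel: missing"; bad=1; continue
        fi
        actual=$(stat -c '%a %U %G' "$target")
        if [ "$actual" != "$mode $owner $group" ]; then
            echo "$rel: expected '$mode $owner $group' got '$actual'"; bad=1
        fi
    done < "$table"
    return $bad
}

# Usage on a real install (as root): sh this_script.sh /apps/ossec
if [ $# -eq 1 ]; then
    ossec_expected_table root ossec ossec > "/tmp/ossec-expected.$$"
    check_ossec_perms "$1" "/tmp/ossec-expected.$$"; rc=$?
    rm -f "/tmp/ossec-expected.$$"; exit $rc
fi
```

Every line it prints is a directory whose mode or ownership differs from what the spec declares, which is the check to run before trusting a hand-rolled package on a fleet.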

Joe S

Jan 5, 2012, 1:21:40 AM
to ossec...@googlegroups.com
That does help. I'm trying to do the same thing.

Jason 'XenoPhage' Frisvold

Jan 5, 2012, 4:42:16 PM
to ossec...@googlegroups.com, Joe S
On 01/05/2012 01:21 AM, Joe S wrote:
> That does help. I'm trying to do the same thing.

You can find the SRPM I created on my site :

http://godshell.com/software

--
---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

treydock

Jan 6, 2012, 1:13:10 AM
to ossec-list
I've created a fork of Jason's SRPM. Mostly the changes involve
adding the ability to deploy with agent.conf and refining it to be
an almost exact duplicate of the source install as far as permissions go.

I'll post here in the next few days once it's finished.

- Trey

On Jan 5, 3:42 pm, Jason 'XenoPhage' Frisvold <xenoph...@godshell.com>
wrote:
> On 01/05/2012 01:21 AM, Joe S wrote:
>
> > That does help. I'm trying to do the same thing.
>
> You can find the SRPM I created on my site :
>
> http://godshell.com/software

dan (ddp)

Jan 6, 2012, 9:22:11 AM
to ossec...@googlegroups.com
On Thu, Jan 5, 2012 at 4:42 PM, Jason 'XenoPhage' Frisvold
<xeno...@godshell.com> wrote:
> On 01/05/2012 01:21 AM, Joe S wrote:
>> That does help. I'm trying to do the same thing.
>
> You can find the SRPM I created on my site :
>
> http://godshell.com/software
>

Any idea if ossec-authd works with your rpm?

Jason 'XenoPhage' Frisvold

Jan 6, 2012, 10:54:07 AM
to ossec...@googlegroups.com
On Jan 6, 2012, at 9:22 AM, dan (ddp) wrote:
> Any idea if ossec-authd works with your rpm?


It's a standard compile, so it's there. However, I haven't played with that yet. Though I very much want to .. I would LOVE to find a way to compress time so I can do all the things I need to do .. :P

---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com

Jason 'XenoPhage' Frisvold

Jan 6, 2012, 10:54:52 AM
to ossec...@googlegroups.com
On Jan 6, 2012, at 1:13 AM, treydock wrote:
> I've created a fork of Jason's SRPM. Mostly the changes involve
> adding ability to deploy with agent.conf usage and also refining it to
> be almost duplicate to the source install as far as permissions go.

Hrm.. I'm intrigued. Are there problems with the permissions?

> I'll post here in next few days once it's finished.

Yes, PLEEZE!

> - Trey

---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com

dan (ddp)

Jan 6, 2012, 11:08:02 AM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 10:54 AM, Jason 'XenoPhage' Frisvold
<xeno...@godshell.com> wrote:
> On Jan 6, 2012, at 9:22 AM, dan (ddp) wrote:
>> Any idea if ossec-authd works with your rpm?
>
>
> It's a standard compile, so it's there.  However, I haven't played with that yet.  Though I very much want to ..  I would LOVE to find a way to compress time so I can do all the things I need to do ..  :P
>

That was one of the big problems with the atomic RPMs. authd didn't work.

Stephane Rossan

Jan 6, 2012, 2:12:01 PM
to ossec...@googlegroups.com
In my RPM, ossec-authd works; it just generates a lot of defunct
processes, and restarting the daemon on a regular basis fixes that.

dan (ddp)

Jan 6, 2012, 3:01:48 PM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 2:12 PM, Stephane Rossan <sro...@netflix.com> wrote:
> In my RPM, ossec-authd works, it just generates a lot of defunct
> processes, a restart of the daemon, on a regular basis, fixes that.
>

But your RPM is weird. And I don't think you should be having an issue
like that.

treydock

Jan 18, 2012, 8:33:21 AM
to ossec-list
I finally got some time and have uploaded my latest SRPM here,
http://itscblog.tamu.edu/ossec-2-6-rpms-for-centos/#srpms. I've only
tested it on CentOS 6.0 - 6.2 as that's all I have in house.

- Trey

My next venture will be to add options for those who wish to roll
their own RPMs to change a define to set their OSSEC server IP during
the build process.

On Jan 6, 9:54 am, Jason 'XenoPhage' Frisvold <xenoph...@godshell.com>
wrote:
> On Jan 6, 2012, at 1:13 AM, treydock wrote:
>
> > I've created a fork of Jason's SRPM.  Mostly the changes involve
> > adding ability to deploy with agent.conf usage and also refining it to
> > be almost duplicate to the source install as far as permissions go.
>
> Hrm..  I'm intrigued.  Are there problems with the permissions?
>
> > I'll post here in next few days once it's finished.
>
> Yes, PLEEZE!
>
> > - Trey