-rw-r--r-- | .SRCINFO | 21 | ||||
-rw-r--r-- | PKGBUILD | 58 | ||||
-rw-r--r-- | config | 51 | ||||
-rw-r--r-- | ossec.install | 24 | ||||
-rw-r--r-- | ossec.service | 10 |
5 files changed, 164 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..138a1d9d97b0
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,21 @@
+pkgbase = ossec-hids
+ pkgdesc = Open Source Host-based Intrusion Detection System
+ pkgver = 2.9.1
+ pkgrel = 1
+ url = https://ossec.github.io/
+ install = ossec.install
+ arch = i686
+ arch = x86_64
+ license = GPL2
+ depends = openssl
+ options = emptydirs
+ backup = var/ossec/etc/ossec.conf
+ source = https://github.com/ossec/ossec-hids/archive/2.9.1.tar.gz
+ source = ossec.service
+ source = config
+ sha256sums = ed5bc3483d5e864a8f8283f57127d1251b458c184e5b263be8be4c89f4cf85c3
+ sha256sums = be5f6fe7e10603a0897c2502e0e6913fbb544a66f59674aaaef87d0f31d09eb9
+ sha256sums = bf47f0919a2470f199cf731e68063939a59a31541c0ae3ebe87a561760f5f3f2
+
+pkgname = ossec-hids
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..f907e36496ee
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,58 @@
+# Maintainer: Tony C <crt@archlinux.email>
+# Former Maintainer: Lukas Jirkovsky <l.jirkovsky@gmail.com>
+pkgname=ossec-hids
+pkgver=2.9.1
+pkgrel=1
+pkgdesc="Open Source Host-based Intrusion Detection System"
+arch=('i686' 'x86_64')
+url="https://ossec.github.io/"
+license=('GPL2')
+depends=('openssl')
+backup=('var/ossec/etc/ossec.conf')
+install=ossec.install
+options=('emptydirs')
+source=(https://github.com/ossec/$pkgname/archive/$pkgver.tar.gz \
+ ossec.service
+ config)
+sha256sums=('ed5bc3483d5e864a8f8283f57127d1251b458c184e5b263be8be4c89f4cf85c3'
+ 'be5f6fe7e10603a0897c2502e0e6913fbb544a66f59674aaaef87d0f31d09eb9'
+ 'bf47f0919a2470f199cf731e68063939a59a31541c0ae3ebe87a561760f5f3f2')
+
+_instdir=/var/ossec
+
+_preparevars() {
+ export USER_NO_STOP=yes
+ export USER_DIR=$_instdir
+ export USER_BINARYINSTALL=x
+}
+
+build() {
+ cd "$srcdir/$pkgname-$pkgver"
+
+ _preparevars
+ . "$srcdir/config" # load configuration
+
+# fix placement of ossec-init.conf
+sed -i "s|^OSSEC_INIT.*|OSSEC_INIT=\"$pkgdir/etc/ossec-init.conf\"|" src/init/shared.sh
+}
+
+package() {
+ cd "$srcdir/$pkgname-$pkgver"
+
+ _preparevars
+ . "$srcdir/config" # load configuration
+
+ mkdir -p $pkgdir/etc
+
+ ./install.sh
+
+ # install systemd service
+ install -Dm0644 "$srcdir"/ossec.service "$pkgdir"/usr/lib/systemd/system/ossec.service
+
+ # change the users
+ find "$pkgdir" -user nobody -exec chown 524 '{}' ';'
+ find "$pkgdir" -user mail -exec chown 525 '{}' ';'
+ find "$pkgdir" -user daemon -exec chown 526 '{}' ';'
+ # change the groups
+ find "$pkgdir" -group nobody -exec chgrp 525 '{}' ';'
+}
diff --git a/config b/config
new file mode 100644
index 000000000000..35ac775436c3
--- /dev/null
+++ b/config
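Review bot: `backup=('var/ossec/etc/ossec.conf')` protects only the main config across upgrades; if `./install.sh` also drops the user-editable `etc/rules/local_rules.xml`, `etc/decoder/local_decoder.xml` and `etc/local_internal_options.conf` into the staging tree (its output is not visible here), every upgrade silently reverts a site's local rules and decoders, a detection regression that produces no alert. Add those paths to `backup=` once confirmed against the installed file list. Separately, `mkdir -p $pkgdir/etc` is the only unquoted `$pkgdir` in the file (`"$pkgdir"` everywhere else), and `_preparevars` exports `USER_DIR=/var/ossec` with no `$pkgdir` prefix while only the `OSSEC_INIT` path is visibly patched by the `sed` in `build()`; a comment stating how install.sh is redirected into `$pkgdir`, e.g. `# install.sh honours USER_DIR only for paths inside the tree; OSSEC_INIT is patched above so nothing is written to the live /etc`, would save the next maintainer from wondering whether packaging touches the live `/var/ossec`.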
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# What type of install is this? (server, agent, local, hybrid?):
+export USER_INSTALL_TYPE=server
+
+# User Language:
+export USER_LANGUAGE=en
+
+# Do you want e-mail notification? (y/n) [y]:
+export USER_ENABLE_EMAIL=yes
+# What's your e-mail address?
+export USER_EMAIL_ADDRESS=foo@example.com
+# What's your SMTP server ip/host?
+export USER_EMAIL_SMTP=localhost
+
+# Do you want to run the integrity check daemon? (y/n) [y]:
+export USER_ENABLE_SYSCHECK=y
+
+#Do you want to run the rootkit detection engine? (y/n) [y]:
+export USER_ENABLE_ROOTCHECK=y
+
+# Active response allows you to execute a specific
+# command based on the events received. For example,
+# you can block an IP address or disable access for
+# a specific user.
+# More information at:
+# http://www.ossec.net/en/manual.html#active-response
+#
+# - Do you want to enable active response? (y/n) [y]:
+export USER_ENABLE_ACTIVE_RESPONSE=y
+
+# - By default, we can enable the host-deny and the
+# firewall-drop responses. The first one will add
+# a host to the /etc/hosts.deny and the second one
+# will block the host on iptables (if linux) or on
+# ipfilter (if Solaris, FreeBSD or NetBSD).
+# - They can be used to stop SSHD brute force scans,
+# portscans and some other forms of attacks. You can
+# also add them to block on snort events, for example.
+#
+# - Do you want to enable the firewall-drop response? (y/n) [y]:
+export USER_ENABLE_FIREWALL_RESPONSE=y
+
+# Do you want to add more IPs to the white list? (y/n)? [n]:
+# if set to y, installer will ask you to enter the list of IPs
+# if you want to use this feature, you must also export USER_NO_STOP=no
+export USER_WHITE_LIST=n
+
+# Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
+export USER_ENABLE_SYSLOG=n
+
diff --git a/ossec.install b/ossec.install
new file mode 100644
index 000000000000..477b6ac46397
--- /dev/null
+++ b/ossec.install
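Review bot: The answers baked into every installed ossec.conf by this file enable e-mail alerting to `foo@example.com` via `localhost` (`USER_ENABLE_EMAIL=yes`) and active response with `firewall-drop` (`USER_ENABLE_FIREWALL_RESPONSE=y`) while `USER_WHITE_LIST=n` leaves the white list empty, and because the PKGBUILD exports `USER_NO_STOP=yes` the white list cannot be filled at build time, as the comment above that line itself says. A fresh install may therefore forward alert contents off-host to a placeholder address (if the local MTA relays outbound) and auto-insert iptables DROP rules for any source the rules flag, with no administrator address exempted. For a distribution package I would ship `USER_ENABLE_EMAIL=n` and `USER_ENABLE_FIREWALL_RESPONSE=n`, or at minimum add above them `# NOTE: these answers become the packaged /var/ossec/etc/ossec.conf; set <email_to> and <white_list> there before enabling the service`. Whether install.sh treats `yes` exactly like `y` for USER_ENABLE_EMAIL is not visible here; every other flag uses `y`, so I'd make it consistent.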
@@ -0,0 +1,24 @@
+# arg 1: the new package version
+pre_install() {
+ getent group ossec >/dev/null || usr/sbin/groupadd -g 525 ossec
+ getent passwd ossec >/dev/null || usr/sbin/useradd -u 524 -g ossec -d '/var/ossec' -s /bin/false ossec
+ getent passwd ossecm >/dev/null || usr/sbin/useradd -u 525 -g ossec -d '/var/ossec' -s /bin/false ossecm
+ getent passwd ossecr >/dev/null || usr/sbin/useradd -u 526 -g ossec -d '/var/ossec' -s /bin/false ossecr
+ usr/bin/passwd -l ossec &>/dev/null
+ usr/bin/passwd -l ossecm &>/dev/null
+ usr/bin/passwd -l ossecr &>/dev/null
+}
+
+post_upgrade() {
+ pre_install $1
+}
+
+# arg 1: the old package version
+post_remove() {
+ usr/sbin/userdel ossec &>/dev/null
+ usr/sbin/userdel ossecm &>/dev/null
+ usr/sbin/userdel ossecr &>/dev/null
+ usr/sbin/groupdel ossec &>/dev/null
+}
+
+# vim:set ts=2 sw=2 et:
diff --git a/ossec.service b/ossec.service
new file mode 100644
index 000000000000..ceff8dfb70e6
--- /dev/null
+++ b/ossec.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=OSSEC Host-based Intrusion Detection System
+
+[Service]
+Type=forking
+ExecStart=/var/ossec/bin/ossec-control start
+ExecStop=/var/ossec/bin/ossec-control stop
+
+[Install]
+WantedBy=basic.target |
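Review bot: `post_remove` deletes the ossec/ossecm/ossecr accounts and the ossec group even though `/var/ossec` outlives the package (`ossec.conf` is listed in `backup=`, and any runtime state pacman did not install, such as agent keys, queues and logs, stays behind), so those files end up owned by orphaned UIDs 524–526 that a later `useradd` may hand to an unrelated account, which then inherits the HIDS data. Arch packages conventionally keep system users on removal; I would drop `post_remove` or replace its body with the comment `# users intentionally kept: /var/ossec and its data survive package removal`. In `pre_install`, the `getent ... ||` guards skip `useradd` when a same-named account already exists with another UID, and `useradd -u 524` fails if that UID is already taken, yet the packaged files are owned by the numeric IDs regardless; after the three `useradd` lines I would verify that `getent passwd ossec` (and ossecm/ossecr) really report 524/525/526 and print a warning to stderr naming `/var/ossec` ownership when they do not.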
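Review bot: The unit has no `After=network.target` and is installed into `basic.target`, so for this server-type build (`USER_INSTALL_TYPE=server` in the sibling config) the agent listener, presumably ossec-remoted, may be started before networking is up, and the unit is also ordered ahead of most of the services whose logs it is meant to watch. I would set `After=network.target` in `[Unit]` and `WantedBy=multi-user.target` in `[Install]`. `Type=forking` without `PIDFile=` leaves systemd to guess a main PID among the several daemons `ossec-control start` spawns; a comment such as `# ossec-control forks several daemons; stop is always via ossec-control, never SIGTERM to a guessed main PID` would record why that is acceptable. No sandboxing (`ProtectSystem=`, `PrivateTmp=`, `NoNewPrivileges=`) is applied, which may well be deliberate given that active response rewrites iptables and `/etc/hosts.deny`, but a one-line note saying so would keep a later hardening pass from breaking it.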