Date:      Sat,  2 Jun 2007 12:21:39 -0500 (CDT)
From:      Paul Schmehl <pauls@utdallas.edu>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/113259: security/ossec-hids-server, multiple critical problems
Message-ID:  <20070602172139.8DEA126183A@utd59514.utdallas.edu>
Resent-Message-ID: <200706021730.l52HU8vt023920@freefall.freebsd.org>


>Number:         113259
>Category:       ports
>Synopsis:       security/ossec-hids-server, multiple critical problems
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 02 17:30:08 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Paul Schmehl
>Release:        FreeBSD 6.0-SECURITY i386
>Organization:
The University of Texas at Dallas
>Environment:
System: FreeBSD hostname.utdallas.edu 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Wed Feb 14 12:22:36 UTC 2007 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:
	The startup script for this port doesn't work, the pkg-plist is incomplete
	and generates tons of errors if the daemons have been started once, and
	the Makefile incorrectly handles the slave ports.  Patches attached to this
	PR correct the problems with the master port.  A separate PR will be submitted
	to correct problems with one of the slave ports.  I also added a pkg-message
	file to provide some basic information for the installer.

	The Makefile has been patched to properly handle the slave ports, remove unnecessary
	elements and provide the appropriate conf file based on which port is installed.
	PORTDOCS were also added to the Makefile, as well as the pkg-message.

	The pkg-plist has been edited to use @dirrmtry instead of @dirrm, because after the
	daemons have been started once, multiple new directories and files are created in
	the ossec-hids subdirectories, none of which the port can know about at installation
	time.  Some file removals have been added to remove install files that were missed
	by the original submitter.  It now correctly removes all files if the daemons have
	never been run and leaves the directory structure in place if they have been run, 
	removing only those files that were installed originally.

	The startup script has been edited to correct the path to the command that starts all
	the original daemons and to correct the path to the ossec.conf file.  Since the path
	to that file is hardcoded during the build, the conf file cannot be placed in the
	standard location of ${PREFIX}/etc.

	PLEASE NOTE: the pkg-plist.client included in this port should be removed.  A separate
	PR for the client slave port will be provided with a pkg-plist.client file called by
	its Makefile.

>How-To-Repeat:
	
>Fix:
	Without these patches none of the ports work at all.

--- patch-Makefile begins here ---
--- Makefile.orig	Fri Jun  1 19:12:51 2007
+++ Makefile	Sat Jun  2 02:03:08 2007
@@ -18,6 +18,11 @@
 
 USE_RC_SUBR=	ossec-hids
 
+SUB_LIST=	PORTNAME=${PORTNAME}
+SUB_FILES=	pkg-message
+PLIST_SUB=	PORTNAME=${PORTNAME}
+PORTDOCS=	BUGS CONFIG CONTRIB INSTALL LICENSE README
+
 .include <bsd.port.pre.mk>
 
 .if defined(CLIENT_ONLY)
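Review bot: the four new assignments use `=` rather than `+=`; `PLIST_SUB=` and `SUB_LIST=` in particular discard anything an earlier line or the framework already put in those lists, so `PLIST_SUB+=	PORTNAME=${PORTNAME}` and `SUB_LIST+=	PORTNAME=${PORTNAME}` are the safer form. Since this substitution exists for the slave ports, also confirm that they override PORTNAME before the master Makefile is read, so the rc script, pkg-message and plist all see the same directory name as the `${PREFIX}/${PORTNAME}` used by the REINPLACE_CMD lines further down.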
@@ -34,8 +39,6 @@
 	@${REINPLACE_CMD} 's|PREFIX|${PREFIX}/${PORTNAME}|' ${WRKSRC}/src/LOCATION
 	@${REINPLACE_CMD} 's|PREFIX|${PREFIX}/${PORTNAME}|' ${WRKSRC}/src/headers/defs.h
 
-do-configure:
-
 do-build:
 	@cd ${WRKSRC}/src;${MAKE} all;${MAKE} build
 
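Review bot: dropping the empty `do-configure:` target hands the step to the framework default, which is a no-op only when neither GNU_CONFIGURE nor HAS_CONFIGURE is set and the port ships no configure script of its own; that appears to be the case here, but the PR should say so, since an empty target was presumably added on purpose. Separately, the two REINPLACE_CMD lines in the context rewrite every bare occurrence of `PREFIX` in src/LOCATION and src/headers/defs.h with no anchoring; if either file mentions PREFIX in a comment or a second macro, those get rewritten too, so a pattern anchored to the specific assignment being changed would be more robust.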
@@ -51,12 +54,27 @@
 .endif
 
 post-install:
+.if defined(CLIENT_ONLY)
+	${CP} ${WRKSRC}/etc/ossec-agent.conf ${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
+	@if [ ! -f ${PREFIX}/${PORTNAME}/etc/ossec.conf ]; then \
+	${CP} ${WRKSRC}/etc/ossec-agent.conf ${PREFIX}/${PORTNAME}/etc/ossec.conf; \
+	fi
+.elif defined(LOCAL_ONLY)
+	${CP} ${WRKSRC}/etc/ossec-local.conf ${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
 	@if [ ! -f ${PREFIX}/${PORTNAME}/etc/ossec.conf ]; then \
-	${CP} ${PREFIX}/${PORTNAME}/etc/ossec.conf.sample ${PREFIX}/${PORTNAME}/etc/ossec.conf ; \
+	${CP} ${WRKSRC}/etc/ossec-local.conf ${PREFIX}/${PORTNAME}/etc/ossec.conf; \
 	fi
+.else
+	@if [ ! -f ${PREFIX}/${PORTNAME}/etc/ossec.conf ]; then \
+	${CP} ${WRKSRC}/etc/ossec-server.conf ${PREFIX}/${PORTNAME}/etc/ossec.conf; \
+	fi
+.endif
 
-.if defined(CLIENT_ONLY)
-PLIST=${PKGDIR}/pkg-plist.client
+.if !defined(NOPORTDOCS)
+	@${MKDIR} ${DOCSDIR}
+	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR}
 .endif
+
+	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.post.mk>
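Review bot: the `.else` (server) branch never installs an `ossec.conf.sample`, yet pkg-plist lists `%%PORTNAME%%/etc/ossec.conf.sample` and its @unexec line compares the live file against it, so the server case silently relies on the upstream `make install` leaving a sample behind while the CLIENT_ONLY and LOCAL_ONLY branches overwrite it. Copy `${WRKSRC}/etc/ossec-server.conf` to `ossec.conf.sample` in that branch too, so all three branches are symmetrical and the plist entry is guaranteed to exist. Also, both the sample and ossec.conf are placed with `${CP}` from `${WRKSRC}`, which carries over the build user's ownership and mode; `${INSTALL_DATA}` yields root-owned files with the standard mode, which matters for a configuration file the daemons read at start as root. Minor style point: the bare `${CP}` lines in the first two branches lack the `@` that the surrounding `if` blocks use.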
--- patch-Makefile ends here ---

--- patch-pkg-plist begins here ---
--- pkg-plist.orig	Fri Jun  1 20:06:29 2007
+++ pkg-plist	Sat Jun  2 00:45:22 2007
@@ -1,85 +1,85 @@
-ossec-hids/active-response/bin/disable-account.sh
-ossec-hids/active-response/bin/firewall-drop.sh
-ossec-hids/active-response/bin/host-deny.sh
-ossec-hids/active-response/bin/route-null.sh
-ossec-hids/bin/clear_stats
-ossec-hids/bin/list_agents
-ossec-hids/bin/manage_agents
-ossec-hids/bin/ossec-agentd
-ossec-hids/bin/ossec-analysisd
-ossec-hids/bin/ossec-control
-ossec-hids/bin/ossec-execd
-ossec-hids/bin/ossec-logcollector
-ossec-hids/bin/ossec-maild
-ossec-hids/bin/ossec-monitord
-ossec-hids/bin/ossec-remoted
-ossec-hids/bin/ossec-syscheckd
-ossec-hids/bin/syscheck_update
-ossec-hids/etc/decoder.xml
-ossec-hids/etc/internal_options.conf
-@unexec if cmp -s %D/ossec-hids/etc/ossec.conf.sample %D/ossec-hids/etc/ossec.conf; then rm -f %D/ossec-hids/etc/ossec.conf; fi
-ossec-hids/etc/ossec.conf.sample
-@exec if [ ! -f %D/ossec-hids/etc/ossec.conf ] ; then cp -p %D/ossec-hids/etc/ossec.conf.sample %D/ossec-hids/etc/orbit.conf; fi
-ossec-hids/etc/shared/rootkit_files.txt
-ossec-hids/etc/shared/rootkit_trojans.txt
-ossec-hids/logs/ossec.log
-ossec-hids/rules/apache_rules.xml
-ossec-hids/rules/arpwatch_rules.xml
-ossec-hids/rules/attack_rules.xml
-ossec-hids/rules/firewall_rules.xml
-ossec-hids/rules/ftpd_rules.xml
-ossec-hids/rules/hordeimp_rules.xml
-ossec-hids/rules/ids_rules.xml
-ossec-hids/rules/imapd_rules.xml
-ossec-hids/rules/local_rules.xml
-ossec-hids/rules/mailscanner_rules.xml
-ossec-hids/rules/ms-exchange_rules.xml
-ossec-hids/rules/ms_ftpd_rules.xml
-ossec-hids/rules/msauth_rules.xml
-ossec-hids/rules/named_rules.xml
-ossec-hids/rules/netscreenfw_rules.xml
-ossec-hids/rules/ossec_rules.xml
-ossec-hids/rules/pam_rules.xml
-ossec-hids/rules/pix_rules.xml
-ossec-hids/rules/policy_rules.xml
-ossec-hids/rules/postfix_rules.xml
-ossec-hids/rules/proftpd_rules.xml
-ossec-hids/rules/pure-ftpd_rules.xml
-ossec-hids/rules/racoon_rules.xml
-ossec-hids/rules/rules_config.xml
-ossec-hids/rules/sendmail_rules.xml
-ossec-hids/rules/smbd_rules.xml
-ossec-hids/rules/spamd_rules.xml
-ossec-hids/rules/squid_rules.xml
-ossec-hids/rules/sshd_rules.xml
-ossec-hids/rules/symantec-av_rules.xml
-ossec-hids/rules/syslog_rules.xml
-ossec-hids/rules/telnetd_rules.xml
-ossec-hids/rules/vpn_concentrator_rules.xml
-ossec-hids/rules/vpopmail_rules.xml
-ossec-hids/rules/vsftpd_rules.xml
-ossec-hids/rules/web_rules.xml
-ossec-hids/rules/zeus_rules.xml
-@dirrm ossec-hids/var/run
-@dirrm ossec-hids/var
-@dirrm ossec-hids/tmp
-@dirrm ossec-hids/stats
-@dirrm ossec-hids/rules
-@dirrm ossec-hids/queue/syscheck
-@dirrm ossec-hids/queue/rootcheck
-@dirrm ossec-hids/queue/rids
-@dirrm ossec-hids/queue/ossec
-@dirrm ossec-hids/queue/fts
-@dirrm ossec-hids/queue/alerts
-@dirrm ossec-hids/queue/agent-info
-@dirrm ossec-hids/queue
-@dirrm ossec-hids/logs/firewall
-@dirrm ossec-hids/logs/archives
-@dirrm ossec-hids/logs/alerts
-@dirrm ossec-hids/logs
-@dirrm ossec-hids/etc/shared
-@dirrm ossec-hids/etc
-@dirrm ossec-hids/bin
-@dirrm ossec-hids/active-response/bin
-@dirrm ossec-hids/active-response
-@dirrm ossec-hids
+%%PORTNAME%%/active-response/bin/disable-account.sh
+%%PORTNAME%%/active-response/bin/firewall-drop.sh
+%%PORTNAME%%/active-response/bin/host-deny.sh
+%%PORTNAME%%/active-response/bin/route-null.sh
+%%PORTNAME%%/bin/clear_stats
+%%PORTNAME%%/bin/list_agents
+%%PORTNAME%%/bin/manage_agents
+%%PORTNAME%%/bin/ossec-agentd
+%%PORTNAME%%/bin/ossec-analysisd
+%%PORTNAME%%/bin/ossec-control
+%%PORTNAME%%/bin/ossec-execd
+%%PORTNAME%%/bin/ossec-logcollector
+%%PORTNAME%%/bin/ossec-maild
+%%PORTNAME%%/bin/ossec-monitord
+%%PORTNAME%%/bin/ossec-remoted
+%%PORTNAME%%/bin/ossec-syscheckd
+%%PORTNAME%%/bin/syscheck_update
+%%PORTNAME%%/etc/decoder.xml
+%%PORTNAME%%/etc/internal_options.conf
+@unexec if cmp -s %D/%%PORTNAME%%/etc/ossec.conf %D/%%PORTNAME%%/etc/ossec.conf.sample; then rm -f %D/%%PORTNAME%%/etc/ossec.conf; fi
+%%PORTNAME%%/etc/ossec.conf.sample
+%%PORTNAME%%/etc/localtime
+%%PORTNAME%%/etc/shared/rootkit_files.txt
+%%PORTNAME%%/etc/shared/rootkit_trojans.txt
+%%PORTNAME%%/logs/ossec.log
+%%PORTNAME%%/rules/apache_rules.xml
+%%PORTNAME%%/rules/arpwatch_rules.xml
+%%PORTNAME%%/rules/attack_rules.xml
+%%PORTNAME%%/rules/firewall_rules.xml
+%%PORTNAME%%/rules/ftpd_rules.xml
+%%PORTNAME%%/rules/hordeimp_rules.xml
+%%PORTNAME%%/rules/ids_rules.xml
+%%PORTNAME%%/rules/imapd_rules.xml
+%%PORTNAME%%/rules/local_rules.xml
+%%PORTNAME%%/rules/mailscanner_rules.xml
+%%PORTNAME%%/rules/ms-exchange_rules.xml
+%%PORTNAME%%/rules/ms_ftpd_rules.xml
+%%PORTNAME%%/rules/msauth_rules.xml
+%%PORTNAME%%/rules/named_rules.xml
+%%PORTNAME%%/rules/netscreenfw_rules.xml
+%%PORTNAME%%/rules/ossec_rules.xml
+%%PORTNAME%%/rules/pam_rules.xml
+%%PORTNAME%%/rules/pix_rules.xml
+%%PORTNAME%%/rules/policy_rules.xml
+%%PORTNAME%%/rules/postfix_rules.xml
+%%PORTNAME%%/rules/proftpd_rules.xml
+%%PORTNAME%%/rules/pure-ftpd_rules.xml
+%%PORTNAME%%/rules/racoon_rules.xml
+%%PORTNAME%%/rules/rules_config.xml
+%%PORTNAME%%/rules/sendmail_rules.xml
+%%PORTNAME%%/rules/smbd_rules.xml
+%%PORTNAME%%/rules/spamd_rules.xml
+%%PORTNAME%%/rules/squid_rules.xml
+%%PORTNAME%%/rules/sshd_rules.xml
+%%PORTNAME%%/rules/symantec-av_rules.xml
+%%PORTNAME%%/rules/syslog_rules.xml
+%%PORTNAME%%/rules/telnetd_rules.xml
+%%PORTNAME%%/rules/vpn_concentrator_rules.xml
+%%PORTNAME%%/rules/vpopmail_rules.xml
+%%PORTNAME%%/rules/vsftpd_rules.xml
+%%PORTNAME%%/rules/web_rules.xml
+%%PORTNAME%%/rules/zeus_rules.xml
+@dirrmtry %%PORTNAME%%/var/run
+@dirrmtry %%PORTNAME%%/var
+@dirrmtry %%PORTNAME%%/tmp
+@dirrmtry %%PORTNAME%%/stats
+@dirrmtry %%PORTNAME%%/rules
+@dirrmtry %%PORTNAME%%/queue/syscheck
+@dirrmtry %%PORTNAME%%/queue/rootcheck
+@dirrmtry %%PORTNAME%%/queue/rids
+@dirrmtry %%PORTNAME%%/queue/ossec
+@dirrmtry %%PORTNAME%%/queue/fts
+@dirrmtry %%PORTNAME%%/queue/alerts
+@dirrmtry %%PORTNAME%%/queue/agent-info
+@dirrmtry %%PORTNAME%%/queue
+@dirrmtry %%PORTNAME%%/logs/firewall
+@dirrmtry %%PORTNAME%%/logs/archives
+@dirrmtry %%PORTNAME%%/logs/alerts
+@dirrmtry %%PORTNAME%%/logs
+@dirrmtry %%PORTNAME%%/etc/shared
+@dirrmtry %%PORTNAME%%/etc
+@dirrmtry %%PORTNAME%%/bin
+@dirrmtry %%PORTNAME%%/active-response/bin
+@dirrmtry %%PORTNAME%%/active-response
+@dirrmtry %%PORTNAME%%
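Review bot: the old `@exec` line, whose obvious copy-paste bug was writing to `orbit.conf`, has been dropped rather than fixed, and that leaves binary-package installs with no ossec.conf at all: post-install only runs when building from the port, and ossec.conf itself is deliberately not in the plist, so it is never inside the package. Restore the line with the corrected target, e.g. `@exec if [ ! -f %D/%%PORTNAME%%/etc/ossec.conf ]; then cp -p %D/%%PORTNAME%%/etc/ossec.conf.sample %D/%%PORTNAME%%/etc/ossec.conf; fi`, placed after the `ossec.conf.sample` entry so the sample has been extracted when it runs; the @unexec line already handles the deinstall side correctly. Two smaller items: `%%PORTNAME%%/etc/localtime` is new to the list and is not mentioned in the PR description, and listing `%%PORTNAME%%/logs/ossec.log` means pkg_delete removes the daemon's log file, which is reasonable but worth stating next to the pkg-message text about leftover directories.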
--- patch-pkg-plist ends here ---

--- patch-files-ossec-hids.in begins here ---
--- files/ossec-hids.in.orig	Fri Jun  1 22:32:31 2007
+++ files/ossec-hids.in	Sat Jun  2 00:12:21 2007
@@ -20,8 +20,8 @@
 restart_cmd=${name}_restart
 status_cmd=${name}_status
 
-command="%%PREFIX%%/bin/ossec-control"
-required_files="%%PREFIX%%/etc/ossec.conf"
+command="%%PREFIX%%/%%PORTNAME%%/bin/ossec-control"
+required_files="%%PREFIX%%/%%PORTNAME%%/etc/ossec.conf"
 
 ossechids_start() {
 	$command start
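Review bot: the path fix is right, but the function names in the context (`ossechids_start`, `${name}_restart`, `${name}_status`) mean `name` is `ossechids`, so the rc.conf knob this script honours is `ossechids_enable`; the `ossec-hids_enable="YES"` that pkg-message.in tells users to add cannot work, because a hyphen is not legal in a shell variable name. Change pkg-message to `ossechids_enable="YES"` (or to whatever `rcvar` the script's header actually declares). Also, because `command` points at the ossec-control wrapper rather than a long-running daemon, rc.subr's default stop and status handling keyed on `command` will not find a process by that name; the custom `${name}_status` and `${name}_restart` functions here are what make stop/status work, so keep them even though `command` is now set.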
--- patch-files-ossec-hids.in ends here ---

--- pkg-message.in begins here ---
After installation, you need to edit the ossec.conf file to reflect the correct settings
for your environment.  All the files related to %%PORTNAME%% have been installed in
%%PREFIX%%/%%PORTNAME%% and its subdirectories.

For information on proper configuration, see http://www.ossec.net/.

To enable the startup script, add ossec-hids_enable="YES" to /etc/rc.conf.

When you deinstall this port after starting the daemons once, many directories that are
created by the daemons will remain.  To fully remove the port you need to delete those
directories manually.
--- pkg-message.in ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
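
The two mechanisms the PR describes, the post-install copy of the sample configuration (create ossec.conf only if the administrator has not already made one) and the plist @unexec/@dirrmtry lines (remove ossec.conf only if it is still identical to the sample, remove directories only if empty), as an added example in plain sh. This is not code from the PR or from the ossec-hids port; the function names `install_conf`, `deinstall_conf`, `dirrmtry` and `scenario`, the scratch prefix under a temporary directory, and the two-line stand-in for the sample configuration are all assumptions made for the illustration:

```sh
#!/bin/sh
# Added illustration, not code from the PR or from the ossec-hids port.
# Reproduces, as ordinary shell functions, what the port's post-install
# target and the plist @unexec/@dirrmtry lines do, so the "keep the
# administrator's edits" behaviour can be exercised in a scratch directory.
set -u

# Create ossec.conf from ossec.conf.sample only when no ossec.conf exists,
# mirroring the "if [ ! -f .../ossec.conf ]; then cp ..." in post-install.
# Returns 0 when a fresh copy was made, 1 when an existing file was kept.
install_conf() {
    etcdir=$1
    [ -f "$etcdir/ossec.conf" ] && return 1
    cp -p "$etcdir/ossec.conf.sample" "$etcdir/ossec.conf"
}

# Mirror the @unexec line: delete ossec.conf on deinstall only if it is still
# byte-identical to the sample, so a locally edited file survives pkg_delete.
# Returns 0 when removed, 1 when kept.
deinstall_conf() {
    etcdir=$1
    if cmp -s "$etcdir/ossec.conf" "$etcdir/ossec.conf.sample"; then
        rm -f "$etcdir/ossec.conf"
        return 0
    fi
    return 1
}

# @dirrmtry semantics: remove the directory if it is empty, stay quiet and
# succeed if it is not. @dirrm would print an error for a non-empty
# directory, which is the noise the PR describes once the daemons have run.
dirrmtry() {
    rmdir "$1" 2>/dev/null || true
}

# Run one install/deinstall cycle in a scratch prefix and report what is
# left. $1 is "yes" to simulate an administrator editing ossec.conf.
# Prints two words: removed/kept for ossec.conf, gone/stays for etc/.
scenario() {
    edited=$1
    tmp=$(mktemp -d) || return 2
    etc="$tmp/ossec-hids/etc"
    mkdir -p "$etc"
    # Constructed stand-in for the sample configuration shipped by the port.
    printf '<ossec_config>\n</ossec_config>\n' > "$etc/ossec.conf.sample"
    install_conf "$etc"
    if [ "$edited" = yes ]; then
        printf '<ossec_config>\n  <global><email_to>root@localhost</email_to></global>\n</ossec_config>\n' > "$etc/ossec.conf"
    fi
    # Deinstall order: @unexec, then the plist's listed files, then @dirrmtry.
    if deinstall_conf "$etc"; then conf=removed; else conf=kept; fi
    rm -f "$etc/ossec.conf.sample"
    dirrmtry "$etc"
    dirrmtry "$tmp/ossec-hids"
    if [ -d "$etc" ]; then dir=stays; else dir=gone; fi
    rm -rf "$tmp"
    echo "$conf $dir"
}

echo "untouched ossec.conf: $(scenario no)"
echo "edited ossec.conf:    $(scenario yes)"
```

The untouched case ends with ossec.conf removed and the directory tree gone; the edited case keeps ossec.conf and therefore keeps etc/ and the prefix above it, which is exactly the "directories remain after the daemons have run" situation the pkg-message warns about, here triggered by a single preserved file.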


