New ossec-hids 2.8 RPMs are missing logcollector and syschec

elatov
New Forum User
Posts: 3
Joined: Sat May 10, 2014 11:51 am
Location: US

Post by elatov

Today I updated my ossec-hids packages on my Fedora 20 machine to the latest version from the atomic repository. Here are the RPMs I currently have:

Code:

elatov@fed:~$rpm -qa | grep ossec
ossec-hids-2.8-44.fc20.art.x86_64
ossec-hids-client-2.8-44.fc20.art.x86_64
I noticed upon starting the daemon, it actually fails now:

Code:

elatov@fed:~$sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-execd...
2014/05/10 09:59:01 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
/var/ossec/bin/ossec-control: line 144: /var/ossec/bin/ossec-logcollector: No such file or directory
ossec-logcollector did not start
I downloaded the RPMs manually:

Code:

wget https://www6.atomicorp.com/channels/atomic/fedora/20/x86_64/RPMS/ossec-hids-client-2.8-44.fc20.art.x86_64.rpm
and checked out the contents of the RPM:

Code:

elatov@fed:~$rpm -qpl ossec-hids-client-2.8-44.fc20.art.x86_64.rpm 
warning: ossec-hids-client-2.8-44.fc20.art.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 4520afa9: NOKEY
/etc/ossec-init.conf
/etc/rc.d/init.d/ossec-hids
/var/ossec/bin/agent-auth
/var/ossec/bin/ossec-agentd
/var/ossec/bin/ossec-client.sh
/var/ossec/bin/ossec-execd
/var/ossec/etc/internal_options.conf
/var/ossec/etc/ossec-agent.conf
/var/ossec/etc/ossec.conf.sample
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/queue/alerts
/var/ossec/queue/rids
/var/ossec/queue/syscheck
Here is the 2.7 RPM that I had for a previous install:

Code:

elatov@fed:~$rpm -qpl apps/ossec-hids-client-2.7.1-36.fc19.art.x86_64.rpm 
/etc/ossec-init.conf
/etc/rc.d/init.d/ossec-hids
/var/ossec/bin/agent-auth
/var/ossec/bin/client-logcollector
/var/ossec/bin/client-syscheckd
/var/ossec/bin/manage_client
/var/ossec/bin/ossec-agentd
/var/ossec/bin/ossec-client.sh
/var/ossec/bin/ossec-execd
/var/ossec/etc/internal_options.conf
/var/ossec/etc/internal_options.conf.orig
/var/ossec/etc/ossec-agent.conf
/var/ossec/etc/ossec.conf.sample
/var/ossec/etc/shared/agent.conf
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/queue/alerts
/var/ossec/queue/rids
/var/ossec/queue/syscheck
Notice that one has the following binaries:

Code:

/var/ossec/bin/client-logcollector
/var/ossec/bin/client-syscheckd
Looking for those files in the yum repository, I saw the following:

Code:

elatov@fed:~$sudo yum provides '*/bin/*logcollector'
Loaded plugins: langpacks, refresh-packagekit, remove-with-leaves
ossec-hids-server-2.8-44.fc20.art.x86_64 : The OSSEC HIDS Server
Repo        : atomic
Matched from:
Filename    : /var/ossec/bin/ossec-logcollector
But if I try to install that package, I get the following error:

Code:

sudo yum install ossec-hids-server
...
...
--> Finished Dependency Resolution
Error: ossec-hids-client conflicts with ossec-hids-server-2.8-44.fc20.art.x86_64
Error: ossec-hids-server conflicts with ossec-hids-client-2.8-44.fc20.art.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
I tried to look for any changes regarding 2.8, but I couldn't find anything about those daemons no longer in use. I grabbed the source code for the 2.8 beta:

Code:

wget http://www.ossec.net/files/ossec-hids-2.8-beta-1.tar.gz
Then installed it under /tmp/ossec:

Code:

elatov@fed:~/ossec-hids-2.8-beta-1$sudo ./install.sh 
...
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
 
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).
  - System: Linux fed.local.com 3.14.2-200.fc20.x86_64
  - User: root
  - Host: fed.local.com
  -- Press ENTER to continue or Ctrl-C to abort. --
 - You already have OSSEC installed. Do you want to update it? (y/n): n

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
Choose where to install the OSSEC HIDS [/var/ossec]: /tmp/ossec
3.2 Do you want to run the integrity check daemon? (y/n) [y]: y
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
 3.4 - Do you want to enable active response? (y/n) [y]: y
...
...
 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.
 - Configuration finished properly.
 - To start OSSEC HIDS:
		/tmp/ossec/bin/ossec-control start
 - To stop OSSEC HIDS:
		/tmp/ossec/bin/ossec-control stop
 - The configuration can be viewed or modified at /tmp/ossec/etc/ossec.conf
No errors were seen during the compile; I am attaching the full build results, just in case (ossec-compile.zip). Looking over the /tmp/ossec install, I do see those binaries:

Code:

elatov@fed:~$ls /tmp/ossec/bin/
agent-auth     ossec-agentd   ossec-execd         ossec-lua   ossec-syscheckd
manage_agents  ossec-control  ossec-logcollector  ossec-luac  util.sh
For reference here are the contents of /var/ossec/bin:

Code:

elatov@fed:~$ls /var/ossec/bin
agent-auth  ossec-agentd  ossec-client.sh  ossec-control  ossec-execd
Should I remove the ossec-hids-client package and install the ossec-hids-server package and just configure it as an agent? Or is there another RPM that I should be using for the ossec client/agent configuration?

Thank you for your time.
-Karim
Attachment: ossec-compile.zip (5.51 KiB)
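The problem in the post above is a client RPM whose file list no longer carries the two agent daemons that ossec-control tries to launch. The following preflight check is an added example, not code from the poster or from Atomicorp: it takes an `rpm -ql` / `rpm -qpl` file listing and reports which of the expected agent daemons are absent, so the gap is caught before the service is started rather than discovered from a "No such file or directory" in the init output. The function name, the embedded sample listings (reconstructed from the listings in the thread), and the assumption that the `client-*` and `ossec-*` daemon names are interchangeable for this purpose are all mine.

```shell
#!/bin/sh
# Preflight check for an OSSEC agent package: report which agent daemons
# are missing from an RPM file listing. Example code, not part of the thread.

# missing_agent_daemons LISTING
#   LISTING is the text of `rpm -ql <pkg>` or `rpm -qpl <file.rpm>`
#   (one path per line). Prints the names of the expected daemons that
#   have no matching */bin/ entry, space separated; prints an empty line
#   when everything is present.
# Assumption: the 2.7.x Atomicorp client RPMs ship client-logcollector /
# client-syscheckd while the upstream source build ships
# ossec-logcollector / ossec-syscheckd; either spelling counts as present.
missing_agent_daemons() {
    listing="$1"
    missing=""
    for daemon in logcollector syscheckd; do
        if ! printf '%s\n' "$listing" \
            | grep -Eq "/bin/(client|ossec)-${daemon}\$"; then
            missing="${missing}${daemon} "
        fi
    done
    printf '%s\n' "${missing% }"
}

# check_installed_agent [PACKAGE]
#   Convenience wrapper for a live system: queries the installed package
#   (default ossec-hids-client) and runs the check on its file list.
#   Not exercised below because it needs rpm on the host.
check_installed_agent() {
    missing_agent_daemons "$(rpm -ql "${1:-ossec-hids-client}")"
}

# Constructed sample: bin/ entries of the 2.8-44 Fedora 20 client RPM
# as listed earlier in the thread (logcollector and syscheckd absent).
LISTING_2_8_44='/etc/ossec-init.conf
/etc/rc.d/init.d/ossec-hids
/var/ossec/bin/agent-auth
/var/ossec/bin/ossec-agentd
/var/ossec/bin/ossec-client.sh
/var/ossec/bin/ossec-execd
/var/ossec/etc/ossec-agent.conf'

# Constructed sample: bin/ entries of the 2.7.1 client RPM (complete).
LISTING_2_7_1='/var/ossec/bin/agent-auth
/var/ossec/bin/client-logcollector
/var/ossec/bin/client-syscheckd
/var/ossec/bin/manage_client
/var/ossec/bin/ossec-agentd
/var/ossec/bin/ossec-client.sh
/var/ossec/bin/ossec-execd'

# Constructed sample: the source build under /tmp/ossec, upstream naming.
LISTING_SOURCE_BUILD='/tmp/ossec/bin/agent-auth
/tmp/ossec/bin/ossec-agentd
/tmp/ossec/bin/ossec-control
/tmp/ossec/bin/ossec-execd
/tmp/ossec/bin/ossec-logcollector
/tmp/ossec/bin/ossec-syscheckd'

# Demo run over the three constructed listings.
for name in LISTING_2_8_44 LISTING_2_7_1 LISTING_SOURCE_BUILD; do
    eval "listing_text=\$$name"
    result=$(missing_agent_daemons "$listing_text")
    if [ -n "$result" ]; then
        echo "$name: missing agent daemons: $result"
    else
        echo "$name: all expected agent daemons present"
    fi
done
```

On a real host, `check_installed_agent` (or `missing_agent_daemons "$(rpm -qpl downloaded.rpm)"` for a package that is not yet installed) gives the same answer without starting anything; a non-empty result is the signal to hold the upgrade or fall back to a build that ships the daemons.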
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: New ossec-hids 2.8 RPMs are missing logcollector and sys

Post by scott

2.8 will be going through some major architecture changes, at this point I've only worked up the server parts for rule QA.
elatov
New Forum User
Posts: 3
Joined: Sat May 10, 2014 11:51 am
Location: US

Re: New ossec-hids 2.8 RPMs are missing logcollector and sys

Post by elatov

BTW the centos-6 RPM looks good:

Code:

elatov@m2:~$lsb_release -a
LSB Version:	:base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
Distributor ID:	CentOS
Description:	CentOS release 6.5 (Final)
Release:	6.5
Codename:	Final
elatov@m2:~$rpm -ql ossec-hids-client-2.8-44.1.el6.art.x86_64 | grep -E 'client-logcollector|client-syscheckd'
/var/ossec/bin/client-logcollector
/var/ossec/bin/client-syscheckd
-K
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: New ossec-hids 2.8 RPMs are missing logcollector and sys

Post by scott

Very good to hear! I hadn't had a chance to test the client installs yet. Assuming there are no other problems, we'll push all these to the atomic and asl-4.0 channels on Monday.

And thanks a lot for the follow-up; this kind of input really helps with the development process. Nothing beats third-party testing.
elatov
New Forum User
Posts: 3
Joined: Sat May 10, 2014 11:51 am
Location: US

Re: New ossec-hids 2.8 RPMs are missing logcollector and sys

Post by elatov

Looks like the 2.8-45 version fixes the issue:

Code:

elatov@fed:~$rpm -q ossec-hids-client
ossec-hids-client-2.8-45.fc20.art.x86_64
elatov@fed:~$rpm -ql ossec-hids-client-2.8-45.fc20.art.x86_64 | grep bin
/var/ossec/bin/agent-auth
/var/ossec/bin/client-logcollector
/var/ossec/bin/client-syscheckd
/var/ossec/bin/manage_client
/var/ossec/bin/ossec-agentd
/var/ossec/bin/ossec-client.sh
/var/ossec/bin/ossec-execd
Thanks for all the help,
-K