ossec - install.sh script

danipolo
Forum User
Posts: 5
Joined: Mon Sep 27, 2010 12:04 pm

ossec - install.sh script

Post by danipolo:

RHEL 5.5 x86_64

I added the atomicorp yum repository to my RHEL server, then installed ossec-hids from the repo. However, I don't know what to do next. If I installed it from source, I would get an installation script (install.sh). I don't see that when installing this way. Am I missing something obvious? Also, the report adds ossec to init.d, but when I try to start the 'service' I get an error "ERROR: Authentication key file '/var/ossec/etc/client.keys' not found". I am assuming this ties back to the install script. Help please!

(I searched the forums and Google before posting; if I missed the thread/answer, I apologize.)

Thank you,
Daniel
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ossec - install.sh script

Post by scott:

There's an ossec configuration utility you can run here: /var/ossec/bin/ossec-configure
danipolo
Forum User
Posts: 5
Joined: Mon Sep 27, 2010 12:04 pm

Re: ossec - install.sh script

Post by danipolo:

scott wrote:
There's an ossec configuration utility you can run here: /var/ossec/bin/ossec-configure

[root@X bin]# ls
manage_agents ossec-agentd ossec-control ossec-execd ossec-logcollector ossec-syscheckd
[root@X bin]#

I don't have ossec-configure:

[root@X bin]# find / -name ossec-configure
[root@X bin]#

Can I add ossec-configure manually, or is it in another package?

After installing the atomicorp repo (wget -q -O - http://www.atomicorp.com/installers/atomic | sh) I just ran 'yum install ossec-hids'.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ossec - install.sh script

Post by scott:

[root@atlas havp]# rpm -qf /var/ossec/bin/ossec-configure
ossec-hids-2.5-0.6.el5.art
danipolo
Forum User
Posts: 5
Joined: Mon Sep 27, 2010 12:04 pm

Re: ossec - install.sh script

Post by danipolo:

scott wrote:
[root@atlas havp]# rpm -qf /var/ossec/bin/ossec-configure
ossec-hids-2.5-0.6.el5.art

[root@X bin]# rpm -qa | grep ossec
ossec-hids-2.4-1.el5.art

Well, looks like that's part of my problem: I have 2.4.x instead of 2.5.x. However, that's what I got from the atomicorp repo. Is there a way to upgrade without breaking the ability to update/patch with yum later?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ossec - install.sh script

Post by scott:

Yeah, pull it from the testing repo with: yum --enablerepo=atomic-testing <commands>
danipolo
Forum User
Posts: 5
Joined: Mon Sep 27, 2010 12:04 pm

Re: ossec - install.sh script

Post by danipolo:

I still appear to be pulling the older ossec-hids version. I tried using the command 'install ossec-hids.ossec-hids-2.5-0.8.el5.art' but I got the message "no package available". I also tried disabling 'atomic' and enabling 'atomic-testing' in the yum.repos.d file and just running 'yum install ossec-hids', but that failed also.

Code:

[root@fs1 yum.repos.d]# yum --enablerepo=atomic-testing install ossec-hids.x86_64
Loaded plugins: rhnplugin, security
atomic                                                                | 1.9 kB     00:00
atomic-testing                                                        | 1.9 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.4-1.el5.art set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package               Arch              Version                     Repository         Size
=============================================================================================
Installing:
 ossec-hids            x86_64            2.4-1.el5.art               atomic             51 k

Transaction Summary
=============================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 51 k
Is this ok [y/N]:
danipolo
Forum User
Posts: 5
Joined: Mon Sep 27, 2010 12:04 pm

Re: ossec - install.sh script

Post by danipolo:

Just wanted to point out that the ossec-configure script is not asking for the server IP address and it's not moving ossec.conf.new to ossec.conf (maybe that's on purpose), but the ossec.conf file is incomplete.

Notice that <alerts is missing the ">":

<alerts
<log_alert_level>1</log_alert_level>
</alerts>
It does not ask for the server IP, as install.sh does.

Code:

2- Setting up the configuration environment.

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [Default: y]: n

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response


   - Do you want to enable active response? (y/n) [y]: n

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y

    -- /var/log/messages (syslog)
    -- /var/log/auth.log (syslog)
    -- /var/log/secure (syslog)
    -- /var/log/maillog (syslog)
mv: missing destination file operand after `/var/ossec//etc/ossec.conf.new'
Try `mv --help' for more information.
Configuration complete.

Code:

[root@auth1 etc]# service ossec start
Starting OSSEC: 2010/09/27 17:25:09 ossec-agentd(4105): ERROR: No valid server IP found.
2010/09/27 17:25:09 ossec-agentd(1215): ERROR: No client configured. Exiting.
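A pre-start check for the two failures reported in this post (an ossec.conf left unparseable by an unclosed <alerts tag, and an agent config with no server address), written as an added example; it is not part of the thread or of the atomicorp package, and the sample configs and the use of a synthetic wrapper root are constructed for the example:

```python
"""Sanity-check an OSSEC agent's ossec.conf before running 'service ossec start'.

Added example. Assumptions: ossec.conf may carry several top-level
<ossec_config> blocks (so the text is wrapped in a synthetic root), and an
agent needs <client><server-ip> or <client><server-hostname> to be set.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample mirroring what the buggy ossec-configure emitted.
BROKEN_CONF = """<ossec_config>
  <alerts
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed sample of a usable agent config (192.0.2.10 is a documentation address).
GOOD_CONF = """<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>
"""


def check_ossec_conf(text: str) -> List[str]:
    """Return the problems found; an empty list means the config looks usable."""
    try:
        # Wrapper root is on its own line so reported line numbers map back to the file.
        root = ET.fromstring("<root>\n" + text + "</root>")
    except ET.ParseError as exc:
        line, col = exc.position
        return [f"malformed XML at line {line - 1}, column {col}: {exc}"]
    targets = [e.text.strip() for tag in ("server-ip", "server-hostname")
               for e in root.iter(tag) if e.text and e.text.strip()]
    if not targets:
        return ["no <client><server-ip> (or <server-hostname>) set; "
                "ossec-agentd will exit with 'No valid server IP found'"]
    return []


if __name__ == "__main__":
    # Usage: python check_ossec_conf.py /var/ossec/etc/ossec.conf
    with open(sys.argv[1]) as fh:
        found = check_ossec_conf(fh.read())
    print("\n".join(found) if found else "ossec.conf looks usable")
    sys.exit(1 if found else 0)
```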
lavermil
New Forum User
Posts: 2
Joined: Wed Sep 29, 2010 7:00 pm

Re: ossec - install.sh script

Post by lavermil:

danipolo wrote:
Just wanted to point out that the ossec-configure script is not asking for the server IP address and it's not moving ossec.conf.new to ossec.conf (maybe that's on purpose), but the ossec.conf file is incomplete.

Notice that <alerts is missing the ">":

<alerts
<log_alert_level>1</log_alert_level>
</alerts>
It does not ask for the server IP, as install.sh does.

I agree that the > is missing at line 205 in the src.rpm "ossec-hids-2.5-0.8.art.src.rpm". There are also some other issues. Here they are.

*Note: I prefer to use ${variable} instead of $variable. ${variable} can be passed to sed/awk easily.

vi /usr/source/redhat/SOURCES/ossec-configure

-<number> means remove line <number>
+<number> means add a line at line <number>
-205
echo " <alerts" >> $OSSEC_CONF_FILE.new
+205
echo " <alerts>" >> ${OSSEC_CONF_FILE}.new
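Review bot: the `+205` line is the right fix; without the closing `>` the emitted `<alerts` start tag swallows the following `<log_alert_level>` element, so the generated ossec.conf is not parseable at all and nothing else in the file matters until this is applied. Since the same script, as reported earlier in this thread, also never prompts for the server IP, it would be worth checking the generated `<client>` block too, because the agent still exits with "No valid server IP found" after this line is corrected.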
-304
mv $OSSEC_CONF_FILE.new $OSSEC_CONF
-303
mv $OSSEC_CONF_FILE $OSSEC_CONF_FILE.bak
+303
if [ -f ${OSSEC_CONF_FILE} ]; then
mv ${OSSEC_CONF_FILE} ${OSSEC_CONF_FILE}.bak
fi
mv ${OSSEC_CONF_FILE}.new ${OSSEC_CONF_FILE}
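Review bot: the removed line 304 moves `$OSSEC_CONF_FILE.new` to `$OSSEC_CONF`, which is a different variable from `$OSSEC_CONF_FILE`; if it is unset the destination expands to nothing, which is exactly the `mv: missing destination file operand` error seen earlier in the thread, so using `${OSSEC_CONF_FILE}` as the destination is the substantive fix here, not just the brace style. Two suggestions: apply the `-304`, `-303`, `+303` edits bottom-up so the original line numbers stay valid while editing, and guard the final move with a check such as `if [ -f "${OSSEC_CONF_FILE}.new" ]` (quoting the paths as well) so the script reports a clear error instead of a bare mv failure when the `.new` file was never written.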
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ossec - install.sh script

Post by scott:

Awesome, thanks for the patch. It's going into ossec-hids 2.5-1 now. Feel free to post any other patches here. Much appreciated!