
ossec - install.sh script

Posted: Mon Sep 27, 2010 12:09 pm
by danipolo
RHEL 5.5 x86_64

I added the atomicorp yum repository to my RHEL server, then installed ossec-hids from the repo. However, I don't know what to do next. If I installed it from source, I would get an installation script (install.sh). I don't see that installing this way. Am I missing something obvious? Also, the report adds ossec to init.d, but when I try to start the 'service' I get an error "ERROR: Authentication key file '/var/ossec/etc/client.keys' not found". I am assuming this ties back to the install script. Help please!

(I searched the forums and Google before posting, if I missed the thread/answer I apologize).

Thank you,
Daniel

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 12:24 pm
by scott
There's an ossec configuration utility you can run here: /var/ossec/bin/ossec-configure

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 12:32 pm
by danipolo
scott wrote: There's an ossec configuration utility you can run here: /var/ossec/bin/ossec-configure
[root@X bin]# ls
manage_agents ossec-agentd ossec-control ossec-execd ossec-logcollector ossec-syscheckd
[root@X bin]#

I don't have ossec-configure

[root@X bin]# find / -name ossec-configure
[root@X bin]#

Can I add ossec-configure manually? Or is it in another package?

After installing the atomicorp repo (wget -q -O - http://www.atomicorp.com/installers/atomic | sh) I just ran 'yum install ossec-hids'.

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 12:42 pm
by scott
[root@atlas havp]# rpm -qf /var/ossec/bin/ossec-configure
ossec-hids-2.5-0.6.el5.art

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 12:45 pm
by danipolo
scott wrote: [root@atlas havp]# rpm -qf /var/ossec/bin/ossec-configure
ossec-hids-2.5-0.6.el5.art
[root@X bin]# rpm -qa | grep ossec
ossec-hids-2.4-1.el5.art

Well, looks like that's part of my problem: I have 2.4.x instead of 2.5.x. However, that's what I got from the atomicorp repo. Is there a way to upgrade without breaking the ability to update/patch with yum later?

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 12:50 pm
by scott
Yeah, pull it from the testing repo with: yum --enablerepo=atomic-testing <commands>

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 1:15 pm
by danipolo
I still appear to be pulling the older ossec-hids version. I tried using the command 'install ossec-hids.ossec-hids-2.5-0.8.el5.art' but I got the message no package available. I also tried disabling 'atomic' and enabling 'atomic-testing' in the yum.repos.d file, and just running 'yum install ossec-hids', but that failed also.

Code:

[root@fs1 yum.repos.d]# yum --enablerepo=atomic-testing install ossec-hids.x86_64
Loaded plugins: rhnplugin, security
atomic                                                                | 1.9 kB     00:00
atomic-testing                                                        | 1.9 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.4-1.el5.art set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package               Arch              Version                     Repository         Size
=============================================================================================
Installing:
 ossec-hids            x86_64            2.4-1.el5.art               atomic             51 k

Transaction Summary
=============================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 51 k
Is this ok [y/N]:

Re: ossec - install.sh script

Posted: Mon Sep 27, 2010 5:26 pm
by danipolo
Just wanted to point out the ossec-configure script is not asking for the server IP address and it's not moving ossec.conf.new to ossec.conf (maybe that's on purpose). But the ossec.conf file is incomplete.

Notice <alerts is missing the ">".

<alerts
<log_alert_level>1</log_alert_level>
</alerts>
It is not asking for the server IP, as install.sh does.

Code:

2- Setting up the configuration environment.

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [Default: y]: n

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response


   - Do you want to enable active response? (y/n) [y]: n

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y

    -- /var/log/messages (syslog)
    -- /var/log/auth.log (syslog)
    -- /var/log/secure (syslog)
    -- /var/log/maillog (syslog)
mv: missing destination file operand after `/var/ossec//etc/ossec.conf.new'
Try `mv --help' for more information.
Configuration complete.

Code:

[root@auth1 etc]# service ossec start
Starting OSSEC: 2010/09/27 17:25:09 ossec-agentd(4105): ERROR: No valid server IP found.
2010/09/27 17:25:09 ossec-agentd(1215): ERROR: No client configured. Exiting.

Re: ossec - install.sh script

Posted: Wed Sep 29, 2010 7:06 pm
by lavermil
danipolo wrote: Just wanted to point out the ossec-configure script is not asking for the server IP address and it's not moving ossec.conf.new to ossec.conf (maybe that's on purpose). But the ossec.conf file is incomplete.
I agree that the > is missing at line 205 in src.rpm "ossec-hids-2.5-0.8.art.src.rpm". There are also some other issues. Here they are.
*Note: I prefer to use ${variable} instead of $variable. ${variable} can be passed to sed/awk easily.
vi /usr/source/redhat/SOURCES/ossec-configure
-<number> means remove line number
+<number> means add line at line number
-205
echo " <alerts" >> $OSSEC_CONF_FILE.new
+205
echo " <alerts>" >> ${OSSEC_CONF_FILE}.new
-304
mv $OSSEC_CONF_FILE.new $OSSEC_CONF
-303
mv $OSSEC_CONF_FILE $OSSEC_CONF_FILE.bak
+303
if [ -f ${OSSEC_CONF_FILE} ]; then
mv ${OSSEC_CONF_FILE} ${OSSEC_CONF_FILE}.bak
fi
mv ${OSSEC_CONF_FILE}.new ${OSSEC_CONF_FILE}
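
The two fixes in the patch above, written out as an added example (not ossec-configure's own code and not from the atomicorp package): it emits the <alerts> block with its closing ">", backs up an existing ossec.conf only when one is present, and adds a well-formedness check so a broken ossec.conf.new like the one danipolo hit is never moved over a working config. Function names (write_alerts_block, conf_is_well_formed, install_conf) are made up here.

```shell
#!/bin/sh
# Added example (not ossec-configure's own code, nor from the atomicorp package):
# the two fixes from the patch above (emit "<alerts>" with its ">", back up an
# existing ossec.conf before moving the new file in) plus a sanity check so a
# malformed ossec.conf.new is never installed over a working config.

# Append the <alerts> block to a config file being generated.
# $1 = config file, $2 = log alert level (ossec-configure used 1)
write_alerts_block() {
    printf '  <alerts>\n    <log_alert_level>%s</log_alert_level>\n  </alerts>\n' \
        "$2" >> "$1"
}

# Cheap well-formedness check for the generated config: every start tag must be
# closed on its line, and each tag name must open and close the same number of
# times. Catches the "<alerts" bug without needing xmllint on the box.
conf_is_well_formed() {
    file="$1"
    # A start tag that ends the line with no ">" is exactly danipolo's symptom.
    if grep -Eq '<[A-Za-z0-9_]+$' "$file"; then
        return 1
    fi
    for tag in $(grep -Eo '<[A-Za-z0-9_]+>' "$file" | tr -d '<>' | sort -u); do
        opens=$(grep -c "<$tag>" "$file" || true)
        closes=$(grep -c "</$tag>" "$file" || true)
        [ "$opens" -eq "$closes" ] || return 1
    done
    return 0
}

# Move $1.new into place as $1, keeping a .bak of any existing config.
# Refuses (exit 1, nothing touched) if $1.new fails the check above.
install_conf() {
    conf="$1"
    if ! conf_is_well_formed "$conf.new"; then
        echo "refusing to install malformed $conf.new" >&2
        return 1
    fi
    if [ -f "$conf" ]; then
        mv "$conf" "$conf.bak"
    fi
    mv "$conf.new" "$conf"
}

# Constructed demo in a scratch directory (no real /var/ossec needed).
demo_dir=$(mktemp -d)
printf '<ossec_config>\n' > "$demo_dir/ossec.conf.new"
write_alerts_block "$demo_dir/ossec.conf.new" 1
printf '</ossec_config>\n' >> "$demo_dir/ossec.conf.new"
install_conf "$demo_dir/ossec.conf" && echo "installed $demo_dir/ossec.conf"
```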

Re: ossec - install.sh script

Posted: Thu Sep 30, 2010 10:27 am
by scott
Awesome, thanks for the patch. It's going into ossec-hids 2.5-1 now. Feel free to post any other patches here. Much appreciated!