Opened 10 years ago

Last modified 9 years ago

#42533 new submission

[NEW] ossec

Reported by: jul_bsd@… Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 2.2.1
Keywords: Cc:
Port: ossec

Description

host-based intrusion detection system

  • work in progress
  • 2.7.1
  • build and run on default variant
  • other variants to review

Attachments (8)

patch-ossec-src (567 bytes) - added by jul_bsd@… 10 years ago.
patch-ossec-src-Config.os.diff (323 bytes) - added by jul_bsd@… 10 years ago.
patch-ossec-src-LOCATION.diff (244 bytes) - added by jul_bsd@… 10 years ago.
local_rules_mac.xml (22.7 KB) - added by jul_bsd@… 10 years ago.
decoder_local_mac.xml (5.8 KB) - added by jul_bsd@… 10 years ago.
Portfile (15.2 KB) - added by jul_bsd@… 9 years ago.
2.8.1
ossec.conf (11.6 KB) - added by jul_bsd@… 9 years ago.
ossec-client.conf (6.9 KB) - added by jul_bsd@… 9 years ago.


Change History (21)

Changed 10 years ago by jul_bsd@…

Attachment: patch-ossec-src added

comment:1 Changed 10 years ago by jul_bsd@…

updated Portfile

  • compile/install/run ok
  • reviewing sane default config as work in progress
  • subport for devel
  • variants still need review
  • seems to easily be eating cpu: dtrace seems to point on ossec-analysisd w read_nocancel

comment:2 Changed 10 years ago by jul_bsd@…

I got a strange behavior. As I was refining the configuration, I got a problem with some matching rules and ran ossec-logtest to check it. Normally, there are 3 phases in it, but:

from a full install as root

# strings /opt/local/var/ossec/bin/ossec-logtest |grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.

from a build as common user

$ strings ~/.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest |grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.

which is the normal one

if I repeat, I get

$ strings ~/.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest |grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.

=> not very consistent

with both,

# ls -l /opt/local/var/ossec/bin/ossec-logtest /Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest
-rwxr-xr-x  1 u  staff  528156 Mar  7 23:20 /Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest
-r-xr-x---  1 root    ossec  525764 Mar  7 23:12 /opt/local/var/ossec/bin/ossec-logtest
# otool -L /opt/local/var/ossec/bin/ossec-logtest /Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest
/opt/local/var/ossec/bin/ossec-logtest:
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /opt/local/lib/libgcc/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest:
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /opt/local/lib/libgcc/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)

How could that be??? And could other executables have this problem???

As for other anomalies, I can also get a build which fails one time and at a second execution succeeds without changing anything, mostly because of ranlib:

ranlib: archive member: cdb_make.a(cdb.o) size too large (archive member extends past the end of the file)

update Portfile

  • clang subport, but the current branch for that is not compiling
  • some random annoying errors like "ranlib size too large"/"can't open file", or "error: expected expression before 'int'" (usually, re-starting the build solves the problem but...)
  • divide previous patch in two (else fails against -clang)
  • tested subport -devel and each variant (hybrid, agent, server) and, outside of the two previous problems, it built and destrooted well
  • is there a way to specify that a variant cancels/supersedes another variant?

Changed 10 years ago by jul_bsd@…

Changed 10 years ago by jul_bsd@…

Changed 10 years ago by jul_bsd@…

Attachment: local_rules_mac.xml added

Changed 10 years ago by jul_bsd@…

Attachment: decoder_local_mac.xml added

comment:3 Changed 10 years ago by jul_bsd@…

  • review
  • port lint
  • bug with "Portfile: extra characters after close-brace"

comment:4 Changed 10 years ago by neverpanic (Clemens Lang)

The character after the closing bracket of the variant description of the picviz variant isn't a space.

comment:5 Changed 10 years ago by jul_bsd@…

got it ... but how do you see that??? vim 'set invlist' or list doesn't show it as special

comment:6 Changed 10 years ago by neverpanic (Clemens Lang)

Binary search by commenting out parts of the Portfile and checking whether the problem still occurs. Once the line is found, the error message gives away that the problem must be after a closing brace. Then, use hexdump or xxd to verify.
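
The bisect-then-hexdump method above can be replaced by a single scan of the file. The script below is an added example, not code from this ticket or from MacPorts: it walks a Portfile byte by byte in the C locale and reports the line, column and hex value of every byte that is neither printable ASCII nor a tab, which is exactly how a no-break space (bytes c2 a0) after a closing brace shows up. It is more general than the ticket's case, since it also catches zero-width spaces or any other invisible byte that the Tcl parser would reject. The sample Portfile fragment it scans is constructed for the example, and its variant names and arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ticket): find bytes in a Tcl Portfile that are
# neither printable ASCII (0x20-0x7e) nor tab, and print LINE:COL:HEX for each.

# find_odd_bytes FILE
#   prints one "LINE:COL:HEX" record per offending byte
#   returns 0 if the file is clean, 1 if anything was reported
find_odd_bytes() {
    LC_ALL=C awk '
        # map every single-byte string to its two-digit hex value
        BEGIN {
            found = 0
            for (n = 1; n < 256; n++) hex[sprintf("%c", n)] = sprintf("%02x", n)
        }
        {
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\t") continue          # tabs are legitimate whitespace
                if (c !~ /[ -~]/) {              # outside printable ASCII
                    print NR ":" i ":" hex[c]
                    found = 1
                }
            }
        }
        END { exit found }
    ' "$1"
}

# make_sample FILE
#   writes a constructed Portfile fragment (hypothetical variants, not the
#   ticket's Portfile) whose fifth line carries a U+00A0 no-break space
#   (bytes c2 a0) right after the closing brace of the variant description.
make_sample() {
    printf 'name            ossec\n' > "$1"
    printf 'variant picviz description {Build picviz support} {\n' >> "$1"
    printf '    configure.args-append --enable-picviz\n}\n' >> "$1"
    printf 'variant agent description {Build agent}\302\240{\n' >> "$1"
    printf '    configure.args-append --enable-agent\n}\n' >> "$1"
}

# Demonstration on the constructed sample: reports 5:40:c2 and 5:41:a0.
demo=$(mktemp)
make_sample "$demo"
find_odd_bytes "$demo" || echo "non-ASCII bytes found (see lines above)"
rm -f "$demo"
```

Once a record such as `5:40:c2` is printed, `sed -n 5p Portfile | od -c` (or `xxd`) shows the surrounding bytes to confirm the diagnosis; the non-zero exit status also makes the scan usable as a pre-commit check on Portfiles.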

comment:7 Changed 10 years ago by jul_bsd@…

OK. It would be better if the error message could point to a line/column if possible.

comment:8 Changed 10 years ago by jul_bsd@…

  • miss dep gcc-devel
  • start listing compiler.blacklist
  • start universal variant
  • change -agent variant as subport

comment:9 Changed 10 years ago by jul_bsd@…

  • 2.8
  • add_users partly used as it doesn't seem to support multiple users

comment:10 Changed 10 years ago by jul_bsd@…

  • lots of review as I tested agent install (for now mostly tested local and agent). back to variant as I had a few glitches with subport (destroot.cmd not changed)
  • remove dep gcc-devel
  • for universal, try to do it at patch phase, as the usual way replaces existing flags, but it fails:
--->  Patching Config.Make: s|-DOSSECHIDS|-DOSSECHIDS -arch x86_64 -arch i386|g
Error: org.macports.patch for port ossec returned: invalid command name " "

comment:11 Changed 9 years ago by jul_bsd@…

  • use github portgroup
  • remove clang variant. repository disappeared

comment:12 Changed 9 years ago by jul_bsd@…

  • update devel to 20141123, seems to involve many changes/different building, add lib zmq czmq, ...
  • devel destroots but options/variants missing, to be reviewed with upstream

comment:13 Changed 9 years ago by jul_bsd@…

  • rename ossec-hids
  • switch to github
  • re-tested using install.sh with unattended settings, but it implies doing everything in destroot, can't edit destdir in the middle and uses root all the time, so staying with custom build/setup
  • destroot ok, same for variant agent; agent tested with external server.
  • hybrid, server and universal variants trigger a strange bug
    Error: org.macports.patch for port ossec returned: invalid command name " "

I double checked and don't see a typo. If I comment out the line, I have to start commenting out everything in post-patch.

Changed 9 years ago by jul_bsd@…

Attachment: Portfile added

2.8.1

Changed 9 years ago by jul_bsd@…

Attachment: ossec.conf added

Changed 9 years ago by jul_bsd@…

Attachment: ossec-client.conf added