OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and OpenBSD.
There is no OSSEC package available on the OSSEC website or in the OpenBSDs ports repositry, so I’ve decided to create an OpenBSD on my own.
OpenBSD packages are pretty easy to create and are very useful when installing, upgrading or deleting software on a server.
One of the disadvantages when creating an OpenBSD package, is that you will need to have X11 installed on your OpenBSD system.
In the following example I have used OpenBSD 5.8 to create a package for OSSEC 2.8.2 (OSSEC 2.8.3 doesn’t compile on OpenBSD 5.8)
Step 1: Prerequisites
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
cd /tmp wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/xbase58.tgz wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/xshare58.tgz wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/comp58.tgz tar -C / -xzvphf xbase58.tgz tar -C / -xzvphf xshare58.tgz tar -C / -xzvphf comp58.tgz cd /tmp ftp http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/ports.tar.gz ftp http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/SHA256.sig signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz cd /usr tar xzf /tmp/ports.tar.gz |
You will also need a compiler:
|
1 |
pkg_add gcc |
Step 2: Download and repack the source
|
1 2 3 4 5 6 |
ossec_version="2.8.2" cd /usr/src wget https://github.com/ossec/ossec-hids/archive/${ossec_version}.tar.gz mv ${ossec_version}.tar.gz ossec-hids-${ossec_version}.tar.gz tar xfz ossec-hids-${ossec_version}.tar.gz cd ossec-hids-${ossec_version} |
Since the Makefile for OSSEC is in the src/ sub directory, we will create a proxy Makefile in /usr/src/ossec-hids-2.8.2
|
1 2 |
cd ossec-hids-2.8.2 vim Makefile |
I have actually taken the original Makefile from src/ and narrowed it down to the following:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
# Makefile # http://www.ossec.net/hids/ none: @echo "Nothing selected ..." @echo "\"make all\" to compile everything." @echo "\"make server\" to build the server." @echo "\"make local\" to build the local." @echo "\"make agent\" to build the agent." @echo "\"make clean\" to clean anything built." clean: cd src/ ; $(MAKE) clean all: cd src/ ; $(MAKE) all test: cd src/ ; $(MAKE) test server: cd src/ ; $(MAKE) server local: cd src/ ; $(MAKE) local agent: cd src/ ; $(MAKE) agent |
We will also edit the ‘ossec-clients.sh‘ script, because we will use this script as a start/stop script. We will have to set the path name in this script.
|
1 2 3 4 5 6 |
vim src/init/ossec-client.sh # LOCAL=/var/ossec # cd ${LOCAL} # PWD=`pwd` DIR=/var/ossec cd ${DIR} |
And that’s the only thing we will need to change in the sources, we can now repackage it.
|
1 2 |
cd .. tar czf /usr/ports/distfiles/ossec-hids-2.8.2.tar.gz ossec-hids-2.8.2/ |
Step 3: Prepare the ports directory
The following steps explain how to set up a ports directory in /usr/ports for OSSEC, in order to build the package.
Custom made packages are built in /usr/ports/mystuff. In there, we will have to one sub directory for the package category (we will use security) and in there the package name, which in our case will be ossec-hids.
|
1 2 |
cd /usr/ports/mystuff mkdir -p security/ossec-hids |
The configuration file for building an OpenBSD package is a Makefile. There is a template file in /usr/ports/infrastructure/templates/Makefile.template which can be used.
|
1 2 |
cd security/ossec-hids cp /usr/ports/infrastructure/templates/Makefile.template Makefile |
This file of course needs editing. Not everything is required in this file, so I have narrowed the Makefile down to what I need it for:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
# $OpenBSD: Makefile.template,v 1.68 2013/10/02 07:34:45 ajacoutot Exp $ # $FreeBSD/NetBSD: credit FreeBSD/NetBSD if thats where the port came from $ # Original from: credit the original author here COMMENT = OSSEC is an Open Source HIDS DISTNAME = ossec-hids-2.8.2 CATEGORIES = security HOMEPAGE = http://www.ossec.net/ MAINTAINER = Johnny Morano <jmorano@moretrix.com>; MASTER_SITES = https://github.com/ossec/ossec-hids/ PERMIT_PACKAGE_CDROM = Yes PERMIT_PACKAGE_FTP = Yes PERMIT_DISTFILES_FTP = Yes PKG_ARCH = * PREFIX = /var/ossec do-install: mkdir -p ${PREFIX}/bin mkdir -p ${PREFIX}/logs mkdir -p ${PREFIX}/var/run mkdir -p ${PREFIX}/queue mkdir -p ${PREFIX}/active-response/bin mkdir -p ${PREFIX}/agentless mkdir -p ${PREFIX}/etc/orig/shared mkdir -p ${PREFIX}/doc ${INSTALL_SCRIPT} ${WRKSRC}/active-response/firewalls/pf.sh ${PREFIX}/active-response/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/agentlessd/scripts/* ${PREFIX}/agentless ${INSTALL_SCRIPT} ${WRKSRC}/src/os_execd/ossec-execd ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/logcollector/ossec-logcollector ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/client-agent/ossec-agentd ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/addagent/manage_agents ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/syscheckd/ossec-syscheckd ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/os_auth/agent-auth ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/src/init/ossec-client.sh ${PREFIX}/bin/ ${INSTALL_SCRIPT} ${WRKSRC}/doc/*.txt ${PREFIX}/doc/ ${INSTALL_SCRIPT} ${WRKSRC}/doc/README.config ${PREFIX}/doc/ ${INSTALL_SCRIPT} ${WRKSRC}/etc/*.conf ${PREFIX}/etc/orig/ ${INSTALL_SCRIPT} ${WRKSRC}/etc/*.xml ${PREFIX}/etc/orig/ ${INSTALL_SCRIPT} ${WRKSRC}/src/rootcheck/db/* ${PREFIX}/etc/orig/shared/ .include <bsd.port.mk>; |
The above Makefile will install OSSEC in /var/ossec and will only install the agent files. It does not install the server files.
Step 4: Test the settings
First we will make a checksum and then we will start a fake compile run, to see if everything compiles nicely.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
make makesum ===> Checking files for ossec-hids-2.8.2 `/usr/ports/distfiles/ossec-hids-2.8.2.tar.gz' is up to date. make fake ===> Checking files for ossec-hids-2.8.2 `/usr/ports/distfiles/ossec-hids-2.8.2.tar.gz' is up to date. >> (SHA256) ossec-hids-2.8.2.tar.gz: OK ===> Extracting for ossec-hids-2.8.2 ===> Patching for ossec-hids-2.8.2 ===> Configuring for ossec-hids-2.8.2 ===> Building for ossec-hids-2.8.2 ***snip*** |
If there were no errors, then we are ready to create the actual package.
Step 5: Create the OpenBSD package
|
1 2 3 4 |
mkdir pkg echo "OSSEC is an Open Source HIDS" > pkg/DESCR make plist vim pkg/PLIST |
Normally we do not need to edit the PLIST file, but I wanted to create an ossec user upon installation and chown the /var/ossec directory to that user.
So I have added the following lines to the top of pkg/PLIST:
|
1 2 3 |
@comment $OpenBSD$ @newgroup ossec:1002 @newuser ossec:1005:ossec:daemon:OSSEC User:/var/ossec:/bin/sh |
And these to the bottom:
|
1 2 3 |
@exec-add mkdir -p /var/ossec @exec-add chown -R ossec.ossec /var/ossec @exec-add cp %D/bin/ossec-client.sh /etc/rc.d/ossec |
Afterwards you will need to run:
|
1 |
make plist |
Now we are ready to build the package:
|
1 2 3 4 5 6 7 |
make package `/usr/ports/pobj/ossec-hids-2.8.2/fake-amd64/.fake_done' is up to date. ===> Building package for ossec-hids-2.8.2 Create /usr/ports/packages/amd64/no-arch/ossec-hids-2.8.2.tgz Link to /usr/ports/packages/amd64/all/ossec-hids-2.8.2.tgz Link to /usr/ports/packages/amd64/ftp/ossec-hids-2.8.2.tgz Link to /usr/ports/packages/amd64/cdrom/ossec-hids-2.8.2.tgz |
That’s it! This package can now be installed with the ‘pkg_add‘ command.
|
1 2 3 4 5 |
pkg_add ./ossec-hids-2.8.2.tgz quirks-2.114 signed on 2015-08-09T11:57:52Z UNSIGNED PACKAGE file:./ossec-hids-2.8.2.tgz: install anyway ? [y/N/a] y ossec-hids-2.8.2: ok UNSIGNED PACKAGES: ossec-hids-2.8.2 |