Skip to content
Johnny Morano's Tech Articles

Johnny Morano's Tech Articles

Ramblings of an old-fashioned space cowboy

Menu
  • About
  • Privacy Policy
Menu

OSSEC: building an OpenBSD package

Posted on March 15, 2016April 9, 2022 by Johnny Morano

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and OpenBSD.

There is no OSSEC package available on the OSSEC website or in the OpenBSDs ports repositry, so I’ve decided to create an OpenBSD on my own.
OpenBSD packages are pretty easy to create and are very useful when installing, upgrading or deleting software on a server.

One of the disadvantages when creating an OpenBSD package, is that you will need to have X11 installed on your OpenBSD system.
In the following example I have used OpenBSD 5.8 to create a package for OSSEC 2.8.2 (OSSEC 2.8.3 doesn’t compile on OpenBSD 5.8)

Step 1: Prerequisites

cd /tmp
wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/xbase58.tgz 
wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/xshare58.tgz
wget http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/amd64/comp58.tgz
tar -C / -xzvphf xbase58.tgz
tar -C / -xzvphf xshare58.tgz
tar -C / -xzvphf comp58.tgz

cd /tmp
ftp http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/ports.tar.gz
ftp http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/SHA256.sig
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz

cd /usr
tar xzf /tmp/ports.tar.gz

You will also need a compiler:

pkg_add gcc

Step 2: Download and repack the source

ossec_version="2.8.2"
cd /usr/src
wget https://github.com/ossec/ossec-hids/archive/${ossec_version}.tar.gz 
mv ${ossec_version}.tar.gz ossec-hids-${ossec_version}.tar.gz 
tar xfz ossec-hids-${ossec_version}.tar.gz
cd ossec-hids-${ossec_version}

Since the Makefile for OSSEC is in the src/ sub directory, we will create a proxy Makefile in /usr/src/ossec-hids-2.8.2

cd ossec-hids-2.8.2
vim Makefile

I have actually taken the original Makefile from src/ and narrowed it down to the following:

# Makefile
# http://www.ossec.net/hids/

none:
 @echo "Nothing selected ..."
 @echo "\"make all\" to compile everything."
 @echo "\"make server\" to build the server."
 @echo "\"make local\" to build the local."
 @echo "\"make agent\" to build the agent."
 @echo "\"make clean\" to clean anything built."

clean:
 cd src/ ; $(MAKE) clean

all:
 cd src/ ; $(MAKE) all
 
test:
 cd src/ ; $(MAKE) test

server:
 cd src/ ; $(MAKE) server

local:
 cd src/ ; $(MAKE) local

agent:
 cd src/ ; $(MAKE) agent

We will also edit the ‘ossec-clients.sh‘ script, because we will use this script as a start/stop script. We will have to set the path name in this script.

vim src/init/ossec-client.sh
# LOCAL=/var/ossec
# cd ${LOCAL}
# PWD=`pwd`
DIR=/var/ossec
cd ${DIR}

And that’s the only thing we will need to change in the sources, we can now repackage it.

cd ..
tar czf /usr/ports/distfiles/ossec-hids-2.8.2.tar.gz ossec-hids-2.8.2/

Step 3: Prepare the ports directory

The following steps explain how to set up a ports directory in /usr/ports for OSSEC, in order to build the package.
Custom made packages are built in /usr/ports/mystuff. In there, we will have to one sub directory for the package category (we will use security) and in there the package name, which in our case will be ossec-hids.

cd /usr/ports/mystuff
mkdir -p security/ossec-hids

The configuration file for building an OpenBSD package is a Makefile. There is a template file in /usr/ports/infrastructure/templates/Makefile.template which can be used.

cd security/ossec-hids
cp /usr/ports/infrastructure/templates/Makefile.template Makefile

This file of course needs editing. Not everything is required in this file, so I have narrowed the Makefile down to what I need it for:

# $OpenBSD: Makefile.template,v 1.68 2013/10/02 07:34:45 ajacoutot Exp $
# $FreeBSD/NetBSD: credit FreeBSD/NetBSD if thats where the port came from $
# Original from: credit the original author here
COMMENT =               OSSEC is an Open Source HIDS
DISTNAME =              ossec-hids-2.8.2
CATEGORIES =            security
HOMEPAGE =              http://www.ossec.net/
MAINTAINER =            Johnny Morano <jmorano@moretrix.com>;
MASTER_SITES =          https://github.com/ossec/ossec-hids/

PERMIT_PACKAGE_CDROM =  Yes
PERMIT_PACKAGE_FTP =    Yes
PERMIT_DISTFILES_FTP =  Yes

PKG_ARCH =              *
PREFIX = /var/ossec

do-install:
        mkdir -p ${PREFIX}/bin
        mkdir -p ${PREFIX}/logs
        mkdir -p ${PREFIX}/var/run
        mkdir -p ${PREFIX}/queue
        mkdir -p ${PREFIX}/active-response/bin
        mkdir -p ${PREFIX}/agentless
        mkdir -p ${PREFIX}/etc/orig/shared
        mkdir -p ${PREFIX}/doc
        ${INSTALL_SCRIPT} ${WRKSRC}/active-response/firewalls/pf.sh ${PREFIX}/active-response/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/agentlessd/scripts/* ${PREFIX}/agentless
        ${INSTALL_SCRIPT} ${WRKSRC}/src/os_execd/ossec-execd ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/logcollector/ossec-logcollector ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/client-agent/ossec-agentd ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/addagent/manage_agents ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/syscheckd/ossec-syscheckd ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/os_auth/agent-auth ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/init/ossec-client.sh ${PREFIX}/bin/
        ${INSTALL_SCRIPT} ${WRKSRC}/doc/*.txt ${PREFIX}/doc/
        ${INSTALL_SCRIPT} ${WRKSRC}/doc/README.config ${PREFIX}/doc/
        ${INSTALL_SCRIPT} ${WRKSRC}/etc/*.conf ${PREFIX}/etc/orig/
        ${INSTALL_SCRIPT} ${WRKSRC}/etc/*.xml ${PREFIX}/etc/orig/
        ${INSTALL_SCRIPT} ${WRKSRC}/src/rootcheck/db/* ${PREFIX}/etc/orig/shared/

.include <bsd.port.mk>;

The above Makefile will install OSSEC in /var/ossec and will only install the agent files. It does not install the server files.

Step 4: Test the settings

First we will make a checksum and then we will start a fake compile run, to see if everything compiles nicely.

make makesum 
===>  Checking files for ossec-hids-2.8.2
`/usr/ports/distfiles/ossec-hids-2.8.2.tar.gz' is up to date.

make fake
===>  Checking files for ossec-hids-2.8.2
`/usr/ports/distfiles/ossec-hids-2.8.2.tar.gz' is up to date.
>> (SHA256) ossec-hids-2.8.2.tar.gz: OK
===>  Extracting for ossec-hids-2.8.2
===>  Patching for ossec-hids-2.8.2
===>  Configuring for ossec-hids-2.8.2
===>  Building for ossec-hids-2.8.2
***snip***

If there were no errors, then we are ready to create the actual package.

Step 5: Create the OpenBSD package

mkdir pkg
echo "OSSEC is an Open Source HIDS" > pkg/DESCR
make plist
vim pkg/PLIST

Normally we do not need to edit the PLIST file, but I wanted to create an ossec user upon installation and chown the /var/ossec directory to that user.
So I have added the following lines to the top of pkg/PLIST:

@comment $OpenBSD$
@newgroup ossec:1002
@newuser ossec:1005:ossec:daemon:OSSEC User:/var/ossec:/bin/sh

And these to the bottom:

@exec-add mkdir -p /var/ossec
@exec-add chown -R ossec.ossec /var/ossec
@exec-add cp %D/bin/ossec-client.sh /etc/rc.d/ossec

Afterwards you will need to run:

make plist

Now we are ready to build the package:

make package
`/usr/ports/pobj/ossec-hids-2.8.2/fake-amd64/.fake_done' is up to date.
===>  Building package for ossec-hids-2.8.2
Create /usr/ports/packages/amd64/no-arch/ossec-hids-2.8.2.tgz
Link to /usr/ports/packages/amd64/all/ossec-hids-2.8.2.tgz
Link to /usr/ports/packages/amd64/ftp/ossec-hids-2.8.2.tgz
Link to /usr/ports/packages/amd64/cdrom/ossec-hids-2.8.2.tgz

That’s it! This package can now be installed with the pkg_add command.

pkg_add ./ossec-hids-2.8.2.tgz 
quirks-2.114 signed on 2015-08-09T11:57:52Z
UNSIGNED PACKAGE file:./ossec-hids-2.8.2.tgz: install anyway ? [y/N/a] y
ossec-hids-2.8.2: ok
UNSIGNED PACKAGES: ossec-hids-2.8.2

1 thought on “OSSEC: building an OpenBSD package”

  1. hohol says:
    June 20, 2018 at 11:17

    SUPER !!!!
    MANY THANKS !!!

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts

  • Use multiple Azure subscriptions in Terraform modules
  • Read the HAProxy UNIX socket file using Perl
  • A Prometheus Exporter framework written in Perl
  • Managing LDAP passwords with Perl
  • Libvirt guest startup issue with AppArmor
  • Deploy a PostgreSQL database with an initial schema using Ansible
  • Using Ansible to finalize Hashicorp Packer images

Categories

  • Automation (8)
  • Blog (60)
  • Database (4)
  • Development (37)
  • Linux (26)
  • Mac OS X (5)
  • Media (2)
  • OpenBSD (3)
  • Perl (34)
  • Photo (2)
  • PostgreSQL (4)
  • Terraform (5)
  • Web (11)

Tags

Ajax (3) Android (1) Ansible (2) API (5) AppArmor (1) Automation (5) Azure (3) azurerm (2) Bash (4) Cloud (2) CPAN (4) CSS (1) Debian (4) Dev (35) DevOps (11) EXIF (1) Facebook (1) Geotag (1) GMail (1) Google (3) Hack (2) Hashicorp (4) Hetzner (2) HTML (4) IMAP (2) IPTables (6) JavaScript (4) Libvirt (2) Linux (25) Logging (2) MacOSX (5) Media (2) Monitoring (6) MySQL (3) OpenBSD (4) Packer (1) Perl (35) PF (2) Postgresql (6) Security (7) SysAdmin (24) Terraform (4) Ubuntu (2) UNIX (9) Web 2.0 (3)

Archive

  • April 2022 (10)
  • March 2022 (6)
  • December 2016 (1)
  • March 2016 (1)
  • November 2015 (1)
  • November 2014 (1)
  • August 2014 (1)
  • May 2014 (1)
  • February 2014 (2)
  • December 2013 (1)
  • October 2013 (2)
  • September 2013 (2)
  • August 2013 (2)
  • October 2012 (1)
  • August 2012 (4)
  • March 2012 (3)
  • July 2011 (1)
  • June 2011 (2)
  • April 2011 (3)
  • March 2011 (4)
  • February 2011 (2)
  • December 2010 (2)
  • October 2010 (4)
  • September 2010 (1)
  • August 2010 (5)

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Footer

  • Shihai Corp
  • My Photo website
© 2022 Johnny Morano's Tech Articles | Powered by Superbs Personal Blog theme
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Cookie SettingsAccept
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT