From 45bbcb9638d7b5cdf13c7e9d594e3cd660b31eca Mon Sep 17 00:00:00 2001
From: Shea Levy
Date: Mon, 9 Jul 2012 11:44:44 -0400
Subject: Add initial attempt at ossec Note: This will almost certainly not work as-is, but at least it compiles. NixOS module to come.
---
pkgs/tools/security/ossec/default.nix | 40 ++++++++
pkgs/tools/security/ossec/no-root.patch | 176 ++++++++++++++++++++++++++++++++
2 files changed, 216 insertions(+)
create mode 100644 pkgs/tools/security/ossec/default.nix
create mode 100644 pkgs/tools/security/ossec/no-root.patch
(limited to 'pkgs/tools/security/ossec')
diff --git a/pkgs/tools/security/ossec/default.nix b/pkgs/tools/security/ossec/default.nix
new file mode 100644
index 00000000000..f6f062011ab
--- /dev/null
+++ b/pkgs/tools/security/ossec/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, fetchurl, which }:
+
+stdenv.mkDerivation {
+ name = "ossec-client-2.6";
+
+ src = fetchurl {
+ url = http://www.ossec.net/files/ossec-hids-2.6.tar.gz;
+
+ sha256 = "0k1b59wdv9h50gbyy88qw3cnpdm8hv0nrl0znm92h9a11i5b39ip";
+ };
+
+ buildInputs = [ which ];
+
+ phases = [ "unpackPhase" "patchPhase" "buildPhase" ];
+
+ patches = [ ./no-root.patch ];
+
+ buildPhase = ''
+ echo "en
+
+agent
+$out
+no
+127.0.0.1
+yes
+yes
+yes
+
+
+" | ./install.sh
+ '';
+
+ meta = {
+ description = "Open soruce host-based instrusion detection system";
+ homepage = http://www.ossec.net;
+ license = stdenv.lib.licenses.gpl2;
+ maintainers = [ stdenv.lib.maintainers.shlevy ];
+ };
+}
+
diff --git a/pkgs/tools/security/ossec/no-root.patch b/pkgs/tools/security/ossec/no-root.patch
new file mode 100644
index 00000000000..ea6e9c54a9a
--- /dev/null
+++ b/pkgs/tools/security/ossec/no-root.patch
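Review bot: The answer list piped into `./install.sh` in `buildPhase` is positional and undocumented, so an added or reordered prompt in a later OSSEC release would silently shift every answer, including the install directory and the three `yes` toggles whose meaning the file does not state. A comment above `buildPhase` naming the prompt each line answers would make this reviewable, for example `# Answers fed to install.sh's interactive prompts, in order (language, install type "agent", install dir, server address, ...)`. The hard-coded `127.0.0.1` also bakes a manager address into the build output, which presumably has to be overridden by the planned NixOS module before the agent can report anywhere useful. Separately, the `description` string has two typos and would read `description = "Open source host-based intrusion detection system";`.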
@@ -0,0 +1,176 @@
+diff -Naur ossec-hids-2.6-orig/install.sh ossec-hids-2.6/install.sh
+--- ossec-hids-2.6-orig/install.sh 2011-07-11 15:36:58.000000000 -0400
++++ ossec-hids-2.6/install.sh 2012-07-09 09:58:57.970692818 -0400
+@@ -119,14 +119,14 @@
+ # Generate the /etc/ossec-init.conf
+ VERSION_FILE="./src/VERSION"
+ VERSION=`cat ${VERSION_FILE}`
+- chmod 700 ${OSSEC_INIT} > /dev/null 2>&1
+- echo "DIRECTORY=\"${INSTALLDIR}\"" > ${OSSEC_INIT}
+- echo "VERSION=\"${VERSION}\"" >> ${OSSEC_INIT}
+- echo "DATE=\"`date`\"" >> ${OSSEC_INIT}
+- echo "TYPE=\"${INSTYPE}\"" >> ${OSSEC_INIT}
+- chmod 600 ${OSSEC_INIT}
+- cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
+- chmod 644 ${INSTALLDIR}${OSSEC_INIT}
++ echo chmod 700 ${OSSEC_INIT} > /dev/null 2>&1
++ echo "DIRECTORY=\"${INSTALLDIR}\"" > ${INSTALLDIR}${OSSEC_INIT}
++ echo "VERSION=\"${VERSION}\"" >> ${INSTALLDIR}${OSSEC_INIT}
++ echo "DATE=\"`date`\"" >> ${INSTALLDIR}${OSSEC_INIT}
++ echo "TYPE=\"${INSTYPE}\"" >> ${INSTALLDIR}${OSSEC_INIT}
++ echo chmod 600 ${OSSEC_INIT}
++ echo cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
++ echo chmod 644 ${INSTALLDIR}${OSSEC_INIT}
+
+
+ # If update_rules is set, we need to tweak
+@@ -926,11 +926,6 @@
+ catError "0x1-location";
+ fi
+
+- # Must be root
+- if [ ! "X$ME" = "Xroot" ]; then
+- catError "0x2-beroot";
+- fi
+-
+ # Checking dependencies
+ checkDependencies
+
+diff -Naur ossec-hids-2.6-orig/src/InstallAgent.sh ossec-hids-2.6/src/InstallAgent.sh
+--- ossec-hids-2.6-orig/src/InstallAgent.sh 2011-07-11 15:36:58.000000000 -0400
++++ ossec-hids-2.6/src/InstallAgent.sh 2012-07-09 09:56:12.061870552 -0400
+@@ -80,7 +80,7 @@
+ else
+ grep "^${USER}" /etc/passwd > /dev/null 2>&1
+ if [ ! $? = 0 ]; then
+- /usr/sbin/groupadd ${GROUP}
++ echo /usr/sbin/groupadd ${GROUP}
+
+ # We first check if /sbin/nologin is present. If it is not,
+ # we look for bin/false. If none of them is present, we
+@@ -93,7 +93,7 @@
+ OSMYSHELL="/bin/false"
+ fi
+ fi
+- /usr/sbin/useradd -d ${DIR} -s ${OSMYSHELL} -g ${GROUP} ${USER}
++ echo /usr/sbin/useradd -d ${DIR} -s ${OSMYSHELL} -g ${GROUP} ${USER}
+ fi
+ fi
+
+@@ -105,31 +105,31 @@
+ done
+
+ # Default for all directories
+-chmod -R 550 ${DIR}
+-chown -R root:${GROUP} ${DIR}
++echo chmod -R 550 ${DIR}
++echo chown -R root:${GROUP} ${DIR}
+
+ # To the ossec queue (default for agentd to read)
+-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
+-chmod -R 770 ${DIR}/queue/ossec
++echo chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
++echo chmod -R 770 ${DIR}/queue/ossec
+
+ # For the logging user
+-chown -R ${USER}:${GROUP} ${DIR}/logs
+-chmod -R 750 ${DIR}/logs
+-chmod -R 775 ${DIR}/queue/rids
+-touch ${DIR}/logs/ossec.log
+-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
+-chmod 664 ${DIR}/logs/ossec.log
+-
+-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
+-chmod -R 750 ${DIR}/queue/diff
+-chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
++echo chown -R ${USER}:${GROUP} ${DIR}/logs
++echo chmod -R 750 ${DIR}/logs
++echo chmod -R 775 ${DIR}/queue/rids
++echo touch ${DIR}/logs/ossec.log
++echo chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
++echo chmod 664 ${DIR}/logs/ossec.log
++
++echo chown -R ${USER}:${GROUP} ${DIR}/queue/diff
++echo chmod -R 750 ${DIR}/queue/diff
++echo chmod 740 ${DIR}/queue/diff/* "> /dev/null 2>&1"
+
+
+
+
+ # For the etc dir
+-chmod 550 ${DIR}/etc
+-chown -R root:${GROUP} ${DIR}/etc
++echo chmod 550 ${DIR}/etc
++echo chown -R root:${GROUP} ${DIR}/etc
+
+ ls /etc/localtime > /dev/null 2>&1
+ if [ $? = 0 ]; then
+@@ -167,25 +167,25 @@
+ cp -pr ../etc/client.keys ${DIR}/etc/ > /dev/null 2>&1
+ cp -pr agentlessd/scripts/* ${DIR}/agentless/
+
+-chown root:${GROUP} ${DIR}/etc/internal_options.conf
+-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
+-chown root:${GROUP} ${DIR}/etc/client.keys > /dev/null 2>&1
+-chown root:${GROUP} ${DIR}/agentless/*
+-chown ${USER}:${GROUP} ${DIR}/.ssh
+-chown -R root:${GROUP} ${DIR}/etc/shared
+-
+-chmod 550 ${DIR}/etc
+-chmod 440 ${DIR}/etc/internal_options.conf
+-chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
+-chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
+-chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
+-chmod 550 ${DIR}/agentless/*
+-chmod 700 ${DIR}/.ssh
++echo chown root:${GROUP} ${DIR}/etc/internal_options.conf
++echo chown root:${GROUP} ${DIR}/etc/local_internal_options.conf "> /dev/null 2>&1"
++echo chown root:${GROUP} ${DIR}/etc/client.keys "> /dev/null 2>&1"
++echo chown root:${GROUP} ${DIR}/agentless/*
++echo chown ${USER}:${GROUP} ${DIR}/.ssh
++echo chown -R root:${GROUP} ${DIR}/etc/shared
++
++echo chmod 550 ${DIR}/etc
++echo chmod 440 ${DIR}/etc/internal_options.conf
++echo chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
++echo chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
++echo chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
++echo chmod 550 ${DIR}/agentless/*
++echo chmod 700 ${DIR}/.ssh
+
+
+ # For the /var/run
+-chmod 770 ${DIR}/var/run
+-chown root:${GROUP} ${DIR}/var/run
++echo chmod 770 ${DIR}/var/run
++echo chown root:${GROUP} ${DIR}/var/run
+
+
+ # Moving the binary files
+@@ -201,11 +201,11 @@
+ sh ./init/fw-check.sh execute > /dev/null
+ cp -pr ../active-response/*.sh ${DIR}/active-response/bin/
+ cp -pr ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
+-chmod 755 ${DIR}/active-response/bin/*
+-chown root:${GROUP} ${DIR}/active-response/bin/*
++echo chmod 755 ${DIR}/active-response/bin/*
++echo chown root:${GROUP} ${DIR}/active-response/bin/*
+
+-chown root:${GROUP} ${DIR}/bin/*
+-chmod 550 ${DIR}/bin/*
++echo chown root:${GROUP} ${DIR}/bin/*
++echo chmod 550 ${DIR}/bin/*
+
+
+ # Moving the config file
+@@ -221,8 +221,8 @@
+ else
+ cp -pr ../etc/ossec-agent.conf ${DIR}/etc/ossec.conf
+ fi
+-chown root:${GROUP} ${DIR}/etc/ossec.conf
+-chmod 440 ${DIR}/etc/ossec.conf
++echo chown root:${GROUP} ${DIR}/etc/ossec.conf
++echo chmod 440 ${DIR}/etc/ossec.conf
+
+
+
-- cgit 1.4.1
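Review bot: The restrictive owners and modes that upstream applies to `${DIR}/etc/client.keys` (440), `${DIR}/.ssh` (700) and `${DIR}/etc/ossec.conf` (440) are no longer applied anywhere, because the `src/InstallAgent.sh` hunks only echo those commands and nothing records them for a later step to run. With the install directory presumably set to `$out` by the derivation, the agent key file and `.ssh` directory would also live in a world-readable, read-only store path, so the planned NixOS module will likely need to keep `etc/client.keys`, `.ssh`, `queue` and `logs` in a mutable state directory and apply these owners and modes there. The echoed `groupadd`/`useradd` lines likewise mean the service user never exists at build time, which the module would have to declare. The redirections are also handled inconsistently: `echo chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1` discards the echoed command, while `echo chown root:${GROUP} ${DIR}/etc/client.keys "> /dev/null 2>&1"` prints it; quoting the redirect on every such line (including `echo chmod 700 ${OSSEC_INIT}` in `install.sh`) would keep the build log a complete list of what was skipped.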