Attachment #191323 for bug #226465




# Created by: Valerio Daelli <valerio.daelli@gmail.com>
# $FreeBSD$

PORTNAME=	ossec-hids
PORTVERSION=	2.9.3
PORTREVISION?=
PORTREVISION?=	3
CATEGORIES=	security
PKGNAMESUFFIX?=	-server

MAINTAINER?=	dominik.lisiak@bemsoft.pl
COMMENT?=	Security tool to monitor and check logs and intrusions

LICENSE?=	GPLv2
LICENSE_FILE?=	${WRKSRC}/LICENSE
USE_RC_SUBR=	ossec-hids

.if !defined(AGENT_ONLY)
RUN_DEPENDS=	expect:lang/expect
USES=		readline ssl

.if defined(MAINTAINER_MODE)
UID_FILES+=	../../UIDs
GID_FILES+=	../../GIDs
.endif
USERS=		ossec ossecm ossecr
GROUPS=		ossec

GEOIP_LIB_DEPENDS=	libGeoIP.so:net/GeoIP
INOTIFY_LIB_DEPENDS=	libinotify.so:devel/libinotify
PRELUDE_LIB_DEPENDS=	libprelude.so:security/libprelude
ZEROMQ_LIB_DEPENDS=	libczmq.so:net/czmq

USES=		gmake readline ssl
MYSQL_USE=	mysql
MYSQL_PORTDOCS=	mysql.schema

PGSQL_VARS=	WITH_DB=yes
PGSQL_USES=	pgsql
PGSQL_PORTDOCS=	postgresql.schema

USE_GITHUB=	yes
GH_ACCOUNT=	ossec
USE_RC_SUBR=	ossec-hids

.if !defined(AGENT_ONLY)
USES+=		shebangfix
SHEBANG_LANG=	expect
expect_OLD_CMD=	"/usr/bin/env expect"

		src/agentlessd/scripts/sshlogin.exp \
		src/agentlessd/scripts/su.exp
.endif
OPTIONS_DEFINE+=	DOCS

OPTIONS_SUB=			yes
OPTIONS_DEFINE+=		DOCS INOTIFY

.if !defined(AGENT_ONLY)
OPTIONS_DEFINE+=		GEOIP PRELUDE ZEROMQ

OPTIONS_RADIO=			DATABASE
OPTIONS_RADIO_DATABASE=		MYSQL PGSQL
.endif

.if !defined(AGENT_ONLY)
OPTIONS_GROUP+=			G_RULES G_AR
OPTIONS_GROUP_G_RULES=		DEFAULT_R CONFIG_R FIREWALL_R PORTS_R
OPTIONS_GROUP_G_AR=		DEFAULT_C MERGE_C MERGE_AR RESTART_AR
.endif
OPTIONS_GROUP+=			G_CHECKS G_CMDS G_LOGS
OPTIONS_GROUP_G_CHECKS=		ROOTCHECK SYSCHECK
OPTIONS_GROUP_G_CMDS=		LOGINS PORTS_TCP PORTS_UDP
OPTIONS_GROUP_G_LOGS=		BASELOGS ARLOG

.if !defined(AGENT_ONLY) && !defined(LOCAL_ONLY)
OPTIONS_GROUP+=			G_CHECKS_P G_LOGS_P
OPTIONS_GROUP_G_CHECKS_P=	ROOTCHECK_P SYSCHECK_P
OPTIONS_GROUP_G_LOGS_P=		BASELOGS_P ARLOG_P
.endif

.if !defined(AGENT_ONLY)
OPTIONS_SINGLE=			FIREWALL
OPTIONS_SINGLE_FIREWALL=	PF IPFW IPF
.endif

OPTIONS_DEFAULT+=		INOTIFY LOGINS PORTS_TCP PORTS_UDP
.if !defined(AGENT_ONLY)
OPTIONS_DEFAULT+=		IPF DEFAULT_R CONFIG_R FIREWALL_R PORTS_R DEFAULT_C MERGE_C MERGE_AR RESTART_AR ROOTCHECK SYSCHECK BASELOGS ARLOG
.if !defined(LOCAL_ONLY)
OPTIONS_DEFAULT+=		ROOTCHECK_P SYSCHECK_P BASELOGS_P ARLOG_P
.endif
.endif

DIST_CONF_DESC=		(ossec-dist.conf)
AGENT_DIST_CONF_DESC=	(agent-dist.conf)

INOTIFY_DESC=		Kevent based real time monitoring
PRELUDE_DESC=		Sensor support from Prelude SIEM
ZEROMQ_DESC=		ZeroMQ support (experimental)

G_RULES_DESC=		Rules ${DIST_CONF_DESC}
DEFAULT_R_DESC=		Rules provided by OSSEC
CONFIG_R_DESC=		Alert OSSEC main configuration files changes
FIREWALL_R_DESC=	Alert firewall active resonse (PF and IPFW)
PORTS_R_DESC=		Alert open TCP and UDP ports
G_AR_DESC=		Active response ${DIST_CONF_DESC}
DEFAULT_C_DESC=		Commands provided by OSSEC
MERGE_C_DESC=		Merge "dist" and "local" configs command
MERGE_AR_DESC=		Merge "dist" and "local" configs when they change
RESTART_AR_DESC=	Restart OSSEC when main configuration files change
G_CHECKS_DESC=		System checks ${DIST_CONF_DESC}
ROOTCHECK_DESC=		System audit and rootkit detection
SYSCHECK_DESC=		Integrity checking
G_CMDS_DESC=		Command monitoring ${DIST_CONF_DESC}
LOGINS_DESC=		Last logins
PORTS_TCP_DESC=		Listening TCP ports
PORTS_UDP_DESC=		Open UDP ports
G_LOGS_DESC=		Log monitoring ${DIST_CONF_DESC}
BASELOGS_DESC=		Base logs (messages, maillog, ...)
ARLOG_DESC=		Active response log

G_CHECKS_P_DESC=	Pushed system checks ${AGENT_DIST_CONF_DESC}
ROOTCHECK_P_DESC=	${ROOTCHECK_DESC} (profile: rootcheck)
SYSCHECK_P_DESC=	${SYSCHECK_DESC} (profile: syscheck)
G_LOGS_P_DESC=		Pushed log monitoring ${AGENT_DIST_CONF_DESC}
BASELOGS_P_DESC=	${BASELOGS_DESC} (profile: baselogs)
ARLOG_P_DESC=		${ARLOG_DESC} (profile: arlog)

FIREWALL_DESC=		Active response firewall ${DIST_CONF_DESC}
PF_DESC=		Packet Filter
IPFW_DESC=		ipfirewall
IPF_DESC=		ipfilter, iptables

DATABASE_DESC=		Database output

PKGMSG_FILES=		message-header

TEMPL_HEADER=		template-header.xml
TEMPL_SAMPLE_HEADER=	template-sample-header.xml
TEMPL_P_HEADER=		template-pushed-header.xml

TEMPL_DEFAULT_R=	template-rules-default.xml
TEMPL_CONFIG_R=		template-rules-config.xml
TEMPL_FIREWALL_R=	template-rules-firewall.xml
TEMPL_PORTS_R=		template-rules-ports.xml
TEMPL_DEFAULT_C=	template-ar-cmds-default.xml
TEMPL_MERGE_C=		template-ar-cmds-merge.xml
TEMPL_MERGE_AR=		template-ar-merge.xml
TEMPL_RESTART_AR=	template-ar-restart.xml
TEMPL_ROOTCHECK=	template-rootcheck.xml
TEMPL_SYSCHECK=		template-syscheck.xml
TEMPL_LOGINS=		template-cmds-logins.xml
TEMPL_PORTS_TCP=	template-cmds-ports-tcp.xml
TEMPL_PORTS_UDP=	template-cmds-ports-udp.xml
TEMPL_BASELOGS=		template-baselogs.xml
TEMPL_ARLOG=		template-arlog.xml
TEMPL_SAMPLE=		template-sample${PKGNAMESUFFIX}.xml
TEMPL_P_SAMPLE=		template-pushed-sample.xml

GEOIP_VARS=	OSSEC_ARGS+=USE_GEOIP=yes
INOTIFY_VARS=	OSSEC_ARGS+=USE_INOTIFY=yes
PRELUDE_VARS=	OSSEC_ARGS+=USE_PRELUDE=yes
ZEROMQ_VARS=	OSSEC_ARGS+=USE_ZEROMQ=yes
MYSQL_VARS=	OSSEC_ARGS+=DATABASE=mysql PKGMSG_FILES+=message-db DB_TYPE=mysql DB_SCHEMA=mysql.schema
PGSQL_VARS=	OSSEC_ARGS+=DATABASE=pgsql PKGMSG_FILES+=message-db DB_TYPE=postgresql DB_SCHEMA=postgresql.schema

DEFAULT_R_VARS=		TEMPL_FILES+=${TEMPL_DEFAULT_R}
CONFIG_R_VARS=		TEMPL_FILES+=${TEMPL_CONFIG_R}
FIREWALL_R_VARS=	TEMPL_FILES+=${TEMPL_FIREWALL_R}
PORTS_R_VARS=		TEMPL_FILES+=${TEMPL_PORTS_R}
DEFAULT_C_VARS=		TEMPL_FILES+=${TEMPL_DEFAULT_C}
MERGE_C_VARS=		TEMPL_FILES+=${TEMPL_MERGE_C}
MERGE_AR_VARS=		TEMPL_FILES+=${TEMPL_MERGE_AR}
RESTART_AR_VARS=	TEMPL_FILES+=${TEMPL_RESTART_AR}
ROOTCHECK_VARS=		TEMPL_FILES+=${TEMPL_ROOTCHECK}
SYSCHECK_VARS=		TEMPL_FILES+=${TEMPL_SYSCHECK}
LOGINS_VARS=		TEMPL_FILES+=${TEMPL_LOGINS}
PORTS_TCP_VARS=		TEMPL_FILES+=${TEMPL_PORTS_TCP}
PORTS_UDP_VARS=		TEMPL_FILES+=${TEMPL_PORTS_UDP}
BASELOGS_VARS=		TEMPL_FILES+=${TEMPL_BASELOGS}
ARLOG_VARS=		TEMPL_FILES+=${TEMPL_ARLOG}

DEFAULT_R_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_DEFAULT_R}
CONFIG_R_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_CONFIG_R}
FIREWALL_R_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_FIREWALL_R}
PORTS_R_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_PORTS_R}
DEFAULT_C_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_DEFAULT_C}
MERGE_C_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_MERGE_C}
MERGE_AR_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_MERGE_AR}
RESTART_AR_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_RESTART_AR}
ROOTCHECK_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_ROOTCHECK}
SYSCHECK_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_SYSCHECK}
LOGINS_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_LOGINS}
PORTS_TCP_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_PORTS_TCP}
PORTS_UDP_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_PORTS_UDP}
BASELOGS_VARS_OFF=	TEMPL_SAMPLE_FILES+=${TEMPL_BASELOGS}
ARLOG_VARS_OFF=		TEMPL_SAMPLE_FILES+=${TEMPL_ARLOG}

ROOTCHECK_P_VARS=	TEMPL_P_FILES+=${TEMPL_ROOTCHECK}
SYSCHECK_P_VARS=	TEMPL_P_FILES+=${TEMPL_SYSCHECK}
BASELOGS_P_VARS=	TEMPL_P_FILES+=${TEMPL_BASELOGS}
ARLOG_P_VARS=		TEMPL_P_FILES+=${TEMPL_ARLOG}

ROOTCHECK_PROFILE=	rootcheck
SYSCHECK_PROFILE=	syscheck
BASELOGS_PROFILE=	baselogs
ARLOG_PROFILE=		arlog
CLIENT_PROFILES:=	${ROOTCHECK_PROFILE}, ${SYSCHECK_PROFILE}, ${BASELOGS_PROFILE}, ${ARLOG_PROFILE}

SUB_LIST+=	ROOTCHECK_PROFILE=${ROOTCHECK_PROFILE} \
		SYSCHECK_PROFILE=${SYSCHECK_PROFILE} \
		BASELOGS_PROFILE=${BASELOGS_PROFILE} \
		ARLOG_PROFILE=${ARLOG_PROFILE} \
		CLIENT_PROFILES="${CLIENT_PROFILES}"

PF_VARS=	FW_DROP=pf.sh PKGMSG_FILES+=message-pf
IPFW_VARS=	FW_DROP=ipfw.sh
IPF_VARS=	FW_DROP=firewall-drop.sh

OSSEC_TYPE?=	server
PKGHELP=	${PKGDIR}/pkg-help${PKGNAMESUFFIX}
OSSEC_ARGS+=	TARGET=${OSSEC_TYPE}
CONFLICTS_INSTALL?=	ossec-hids-client-[0-9]* ossec-hids-agent-[0-9]* ossec-hids-local-[0-9]*
STRIP_FILES?=	agent_control \
		clear_stats \
		list_agents \
		manage_agents \
		ossec-agentlessd \
		ossec-analysisd \
		ossec-authd \
		ossec-csyslogd \
		ossec-dbd \
		ossec-execd \
		ossec-logcollector \
		ossec-logtest \
		ossec-lua \
		ossec-luac \
		ossec-maild \
		ossec-makelists \
		ossec-monitord \
		ossec-regex \
		ossec-remoted \
		ossec-reportd \
		ossec-syscheckd \
		rootcheck_control \
		syscheck_control \
		syscheck_update \
		verify-agent-conf
TEMPL_TO_OSSEC=		${SCRIPTDIR}/template-to-ossec.sh ${OSSEC_TYPE} ${PREFIX}/${PORTNAME}
TEMPL_TO_OSSEC_P=	${SCRIPTDIR}/template-to-agent.sh ${OSSEC_TYPE} ${PREFIX}/${PORTNAME}
OSSEC_RC=		${PREFIX}/etc/rc.d/ossec-hids
OSSEC_OSSEC_CONF=	${PREFIX}/${PORTNAME}/bin/ossec_conf
OSSEC_AGENT_CONF=	${PREFIX}/${PORTNAME}/bin/agent_conf
OSSEC_MERGE_CONFIG=	${PREFIX}/${PORTNAME}/active-response/bin/merge-configs.sh
OSSEC_RESTART_OSSEC=	${PREFIX}/${PORTNAME}/active-response/bin/restart-ossec.sh
OSSEC_TMP=		${PREFIX}/${PORTNAME}/tmp
OSSEC_SHARED=		${PREFIX}/${PORTNAME}/etc/shared
OSSEC_CONF=		${PREFIX}/${PORTNAME}/etc/ossec.conf
OSSEC_DIST_CONF=	${PREFIX}/${PORTNAME}/etc/ossec-dist.conf
OSSEC_LOCAL_CONF=	${PREFIX}/${PORTNAME}/etc/ossec-local.conf.sample
OSSEC_P_CONF=		${PREFIX}/${PORTNAME}/etc/shared/agent.conf
OSSEC_P_DIST_CONF=	${PREFIX}/${PORTNAME}/etc/agent-dist.conf
OSSEC_P_LOCAL_CONF=	${PREFIX}/${PORTNAME}/etc/agent-local.conf.sample
OSSEC_RULES_DIR=	${PREFIX}/${PORTNAME}/rules
OSSEC_RULES_FILES=	config firewall ports

.if !defined(MAINTAINER_MODE)
USER_ARGS+=	OSSEC_GROUP=${GROUP} \
		OSSEC_USER=${USER} \
		OSSEC_USER_MAIL=${USER} \
		OSSEC_USER_REM=${USER}
.endif
OSSEC_USER=	ossec
OSSEC_GROUP=	ossec
USERS=		${OSSEC_USER} ossecm ossecr
GROUPS=		${OSSEC_GROUP}

SUB_LIST+=	PORTNAME=${PORTNAME} \
		OSSEC_TYPE=${OSSEC_TYPE} \
		VERSION=${PORTVERSION} \
		DB_TYPE=${DB_TYPE} \
		DB_SCHEMA=${DOCSDIR}/${DB_SCHEMA} \
		FW_DROP=${FW_DROP} \
		USER=${USER} \
		OSSEC_USER=${OSSEC_USER} \
		OSSEC_GROUP=${OSSEC_GROUP} \
		OSSEC_RC=${OSSEC_RC}
SUB_FILES=	${PKGMSG_FILES} \
		${TEMPL_HEADER} \
		${TEMPL_FILES} \
		${TEMPL_SAMPLE_HEADER} \
		${TEMPL_SAMPLE_FILES} \
		${TEMPL_P_HEADER} \
		${TEMPL_P_SAMPLE} \
		merge-config.sh \
		restart-ossec.sh \
		ossec-conf
.if !defined(AGENT_ONLY) && !defined(LOCAL_ONLY)
SUB_FILES+=	agent-conf
.endif
.for file in ${OSSEC_RULES_FILES}
SUB_FILES+=	rule-${file}.xml
.endfor

PLIST=		${PKGDIR}/pkg-plist${PKGNAMESUFFIX}
PLIST_SUB=	PORTNAME=${PORTNAME}
DOCSFILES=	BUGS CONFIG CONTRIBUTORS INSTALL LICENSE
PKGMESSAGE=	${WRKDIR}/pkg-message

CFLAGS+=	-I${LOCALBASE}/include

BUILD_ARGS+=	${MAKE_ARGS} ${OSSEC_ARGS} PREFIX=${PREFIX}/${PORTNAME}
INSTALL_ARGS+=	${USER_ARGS} ${OSSEC_ARGS} PREFIX=${STAGEDIR}${PREFIX}/${PORTNAME}

# Apache logs support
APACHE_OPTION=		APACHE
APACHE_PROFILE=		apache
APACHE_DESC=		Apache logs
APACHE_P_DESC=		${APACHE_DESC} (profile: ${APACHE_PROFILE})
LOGS_OPTIONS+=		${APACHE_OPTION}

# Nginx logs support
NGINX_OPTION=		NGINX
NGINX_PROFILE=		nginx
NGINX_DESC=		Nginx logs
NGINX_P_DESC=		${NGINX_DESC} (profile: ${NGINX_PROFILE})
LOGS_OPTIONS+=		${NGINX_OPTION}

# Radius logs support
RADIUS_OPTION=		RADIUS
RADIUS_PROFILE=		radius
RADIUS_DESC=		FreeRADIUS logs
RADIUS_P_DESC=		${RADIUS_DESC} (profile: ${RADIUS_PROFILE})
LOGS_OPTIONS+=		${RADIUS_OPTION}

# Vsftpd logs support
VSFTPD_OPTION=		VSFTPD
VSFTPD_PROFILE=		vsftpd
VSFTPD_DESC=		Vsftpd logs
VSFTPD_P_DESC=		${VSFTPD_DESC} (profile: ${VSFTPD_PROFILE})
LOGS_OPTIONS+=		${VSFTPD_OPTION}

.for option in ${LOGS_OPTIONS}
OPTIONS_GROUP_G_LOGS+=	${option}
OPTIONS_GROUP_G_LOGS_P+=${option}_P
OPTIONS_DEFAULT+=	${option}_P
SUB_FILES+=		template-logs-${${option}_PROFILE}.xml
SUB_LIST+=		${option}_PROFILE=${${option}_PROFILE}
CLIENT_PROFILES:=	${CLIENT_PROFILES}, ${${option}_PROFILE}
.endfor

.include <bsd.port.pre.mk>

TEMPL_SAMPLE_FILES+=	${TEMPL_SAMPLE}
TEMPL_P_SAMPLE_FILES+=	${TEMPL_P_SAMPLE}
PKGMSG_FILES+=		message-footer
PKGNAMESUFFIX=	-client
CONFLICTS_INSTALL=	ossec-hids-server-[0-9]* ossec-hids-local-[0-9]*
STRIP_FILES=	agent-auth manage_agents ossec-agentd ossec-execd ossec-logcollector ossec-lua ossec-luac ossec-syscheckd
.elif defined(LOCAL_ONLY)
SUB_LIST+=	PRECMD=ossechids_start_precmd
PKGNAMESUFFIX=	-local
CONFLICTS_INSTALL=	ossec-hids-client-[0-9]* ossec-hids-server-[0-9]*
.else
SUB_LIST+=	PRECMD=ossechids_start_precmd
CONFLICTS_INSTALL=	ossec-hids-client-[0-9]* ossec-hids-local-[0-9]*
.endif

post-patch:
	@${REINPLACE_CMD} 's|PREFIX|${PREFIX}/${PORTNAME}|' ${WRKSRC}/src/headers/defs.h
	@${ECHO} "DIR=\"${STAGEDIR}${PREFIX}/${PORTNAME}\"" > ${WRKSRC}/src/LOCATION
	@${REINPLACE_CMD} -e 's|-DLUA_USE_LINUX|& ${CPPFLAGS}|' \
		-e 's|-lreadline|& ${LDFLAGS}|' \
		${WRKSRC}/src/external/lua/src/Makefile
	@${REINPLACE_CMD} -e 's|OPENSSLCMD=|OPENSSLCMD=-L${OPENSSLLIB} |' \
		${WRKSRC}/src/Makeall

do-build:
	@cd ${WRKSRC}/src; ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${BUILD_ARGS} build

do-install:
	@cd ${WRKSRC}/src; ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${INSTALL_ARGS} install

ossec-dist-conf:
	@${CAT} ${WRKDIR}/${TEMPL_HEADER} > ${STAGEDIR}${OSSEC_DIST_CONF}
.for file in ${TEMPL_FILES}
	@${TEMPL_TO_OSSEC} ${WRKDIR}/${file} >> ${STAGEDIR}${OSSEC_DIST_CONF}
	@${ECHO_CMD} >> ${STAGEDIR}${OSSEC_DIST_CONF}
.endfor
.for option in ${LOGS_OPTIONS}
.if ${PORT_OPTIONS:M${option}}
	@${TEMPL_TO_OSSEC} ${WRKDIR}/template-logs-${${option}_PROFILE}.xml >> ${STAGEDIR}${OSSEC_DIST_CONF}
	@${ECHO_CMD} >> ${STAGEDIR}${OSSEC_DIST_CONF}
.endif
.endfor
	@${CHMOD} 640 ${STAGEDIR}${OSSEC_DIST_CONF}
.if defined(MAINTAINER_MODE)
	@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${OSSEC_DIST_CONF}
.elif defined(LOCAL_ONLY)
	@cd ${WRKSRC}/src;${MAKE} setlocal;${MAKE} all;${MAKE} build; \
		${MAKE} unsetdb
.else
	@cd ${WRKSRC}/src;${MAKE} all;${MAKE} build;${MAKE} unsetdb
.endif

ossec-local-conf:
	@${CAT} ${WRKDIR}/${TEMPL_SAMPLE_HEADER} > ${STAGEDIR}${OSSEC_LOCAL_CONF}
.for file in ${TEMPL_SAMPLE_FILES}
	@${TEMPL_TO_OSSEC} ${WRKDIR}/${file} >> ${STAGEDIR}${OSSEC_LOCAL_CONF}
	@${ECHO_CMD} >> ${STAGEDIR}${OSSEC_LOCAL_CONF}
.endfor
	@${CHMOD} 640 ${STAGEDIR}${OSSEC_LOCAL_CONF}
.if defined(MAINTAINER_MODE)
	@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${OSSEC_LOCAL_CONF}
.endif

agent-dist-conf:
.if !defined(AGENT_ONLY) && !defined(LOCAL_ONLY)
	@${CAT} ${WRKDIR}/${TEMPL_P_HEADER} > ${STAGEDIR}${OSSEC_P_DIST_CONF}
.for file in ${TEMPL_P_FILES}
	@${TEMPL_TO_OSSEC_P} ${WRKDIR}/${file} >> ${STAGEDIR}${OSSEC_P_DIST_CONF}
	@${ECHO_CMD} >> ${STAGEDIR}${OSSEC_P_DIST_CONF}
.endfor
.for option in ${LOGS_OPTIONS}
.if ${PORT_OPTIONS:M${option}_P}
	@${TEMPL_TO_OSSEC_P} ${WRKDIR}/template-logs-${${option}_PROFILE}.xml >> ${STAGEDIR}${OSSEC_P_DIST_CONF}
	@${ECHO_CMD} >> ${STAGEDIR}${OSSEC_P_DIST_CONF}
.endif
.endfor
	@${CHMOD} 640 ${STAGEDIR}${OSSEC_P_DIST_CONF}
.if defined(MAINTAINER_MODE)
	@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${OSSEC_P_DIST_CONF}
.endif
.endif

agent-local-conf:
.if !defined(AGENT_ONLY) && !defined(LOCAL_ONLY)
	@${CAT} ${WRKDIR}/${TEMPL_SAMPLE_HEADER} > ${STAGEDIR}${OSSEC_P_LOCAL_CONF}
.for file in ${TEMPL_P_SAMPLE_FILES}
	@${TEMPL_TO_OSSEC_P} ${WRKDIR}/${file} >> ${STAGEDIR}${OSSEC_P_LOCAL_CONF}
	@${ECHO_CMD} >> ${STAGEDIR}${OSSEC_P_LOCAL_CONF}
.endfor
	@${CHMOD} 640 ${STAGEDIR}${OSSEC_P_LOCAL_CONF}
.if defined(MAINTAINER_MODE)
	@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${OSSEC_P_LOCAL_CONF}
.endif
.endif

ossec-rules:
.if !defined(AGENT_ONLY)
.for file in ${OSSEC_RULES_FILES}
	@${SED} -e 's|<?xml.*?>||' ${WRKDIR}/rule-${file}.xml > ${STAGEDIR}${OSSEC_RULES_DIR}/freebsd_${file}_rules.xml
	@${CHMOD} 640 ${STAGEDIR}${OSSEC_RULES_DIR}/freebsd_${file}_rules.xml
.if defined(MAINTAINER_MODE)
	@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${OSSEC_RULES_DIR}/freebsd_${file}_rules.xml
.endif
.endfor
.endif

ossec-scripts:
	@${CP} -f ${WRKDIR}/ossec-conf ${STAGEDIR}${OSSEC_OSSEC_CONF}
	@${CHMOD} 550 ${STAGEDIR}${OSSEC_OSSEC_CONF}
.if !defined(AGENT_ONLY) && !defined(LOCAL_ONLY)
	@${CP} -f ${WRKDIR}/agent-conf ${STAGEDIR}${OSSEC_AGENT_CONF}
	@${CHMOD} 550 ${STAGEDIR}${OSSEC_AGENT_CONF}
.endif
	@${CP} -f ${WRKDIR}/merge-config.sh ${STAGEDIR}${OSSEC_MERGE_CONFIG}
	@${CHMOD} 550 ${STAGEDIR}${OSSEC_MERGE_CONFIG}
	@${CP} -f ${WRKDIR}/restart-ossec.sh ${STAGEDIR}${OSSEC_RESTART_OSSEC}
	@${CHMOD} 550 ${STAGEDIR}${OSSEC_RESTART_OSSEC}
.if defined(MAINTAINER_MODE)
	@${CHOWN} ${USER}:${OSSEC_GROUP} ${STAGEDIR}${OSSEC_MERGE_CONFIG}
.endif

post-install: ossec-dist-conf ossec-local-conf agent-dist-conf agent-local-conf ossec-rules ossec-scripts
	@${CHMOD} 770 ${STAGEDIR}${OSSEC_TMP}
.if defined(AGENT_ONLY)
.if defined(MAINTAINER_MODE)
	@for file in $$(find "${STAGEDIR}${OSSEC_SHARED}" -type f); do ${CHMOD} 0644 $${file}; ${CHOWN} ${OSSEC_USER}:${OSSEC_GROUP} $${file}; done
.else
	@for file in $$(find "${STAGEDIR}${OSSEC_SHARED}" -type f); do ${CHMOD} 0644 $${file}; done
.endif
.endif
	@${ECHO_CMD} -n > ${PKGMESSAGE}
.for file in ${PKGMSG_FILES}
	@${CAT} ${WRKDIR}/${file} >> ${PKGMESSAGE}
	@${ECHO_CMD} >> ${PKGMESSAGE}
.endfor
.for file in ${STRIP_FILES}
	@${STRIP_CMD} ${STAGEDIR}${PREFIX}/${PORTNAME}/bin/${file}
.endfor

.if defined(MAINTAINER_MODE)
plist: makeplist
	@${SCRIPTDIR}/plist.sh ${OSSEC_TYPE} ${PLIST} ${PREFIX}/${PORTNAME} ${WRKDIR}
	${CP} ${WRKSRC}/etc/ossec-local.conf ${STAGEDIR}${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
.else
	${CP} ${WRKSRC}/etc/ossec-server.conf ${STAGEDIR}${PREFIX}/${PORTNAME}/etc/ossec.conf.sample
.endif

post-install-DOCS-on:


post-install-MYSQL-on:
	@${MKDIR} ${STAGEDIR}${DOCSDIR}
	@cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/${DB_SCHEMA} ${STAGEDIR}${DOCSDIR}

post-install-PGSQL-on:
	@${MKDIR} ${STAGEDIR}${DOCSDIR}
	@cd ${WRKSRC} && ${INSTALL_DATA} src/os_dbd/${DB_SCHEMA} ${STAGEDIR}${DOCSDIR}

.include <bsd.port.post.mk>

Lines 1-2 Link Here

(-)distinfo (-2 / +3 lines)
1	SHA256 (ossec-ossec-hids-v2.8.3_GH0.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd	1	TIMESTAMP = 1517645028
2	SIZE (ossec-ossec-hids-v2.8.3_GH0.tar.gz) = 1642095	2	SHA256 (ossec-ossec-hids-2.9.3_GH0.tar.gz) = 6b70a8f93fc2412bfc34a793a53b4d22323568866c09fde87c7d3a9d04e3b313
		3	SIZE (ossec-ossec-hids-2.9.3_GH0.tar.gz) = 1711222




#!/bin/sh

ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%PREFIX%%/%%PORTNAME%%"

agent_dist_conf="${ossec_home}/etc/agent-dist.conf"
agent_local_conf="${ossec_home}/etc/agent-local.conf"

select_elements() {
    local element="$1"
    sed -n "/<${element}.*>/,/<\/${element}>/p"
}

remove_comments() {
    # Comments must be on separate lines i.e. not next to uncommented code
    awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
}

remove_empty_lines() {
    sed '/^\s*$/d'
}

agent_conf() {
    local dist_conf="$1"
    local local_conf="$2"

    echo "<!-- OSSEC HIDS %%VERSION%% -->"
    echo
    echo "<!-- DO NOT EDIT - edit \"${local_conf}\" instead -->"
    echo

    cat "${dist_conf}" "${local_conf}" | remove_comments | select_elements "agent_config" | remove_empty_lines
}

agent_conf "${agent_dist_conf}" "${agent_local_conf}"




#!/bin/sh

# This script is part of FreeBSD port - report any issues to the port MAINTAINER

ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%PREFIX%%/%%PORTNAME%%"
ossec_rc="%%OSSEC_RC%%"

ACTION=$1
USER=$2
IP=$3

LOCAL=`dirname $0`;
cd $LOCAL
cd ../../tmp

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"

case ${ACTION} in
    add)
        "${ossec_rc}" merge_config
        exit 0
        ;;
    delete)
        exit 0
        ;;
    *)
        echo "$0: invalid action: ${ACTION}"
        exit 1
        ;;
esac

Line 0 Link Here

(-)files/message-db.in (+8 lines)
	1	The database schema file:
	2	%%DB_SCHEMA%%
	3
	4	To enable database output execute:
	5	# %%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database
	6
	7	Then check this documentation:
	8	https://ossec.github.io/docs/syntax/head_ossec_config.database_output.html

Line 0 Link Here

(-)files/message-footer.in (+5 lines)
	1	When you deinstall this port after starting the daemons once, many
	2	directories that are created by the daemons will remain. To fully
	3	remove the port you need to delete those directories manually. To
	4	further enhance the security on your system, you may also enable
	5	some checks in PAM for a fast reaction against intrusions.

Line 0 Link Here

(-)files/message-header.in (+9 lines)
	1	After installation, you need to edit the ossec-local.conf file to reflect
	2	the correct settings for your environment. All the files related
	3	to %%PORTNAME%% have been installed in %%PREFIX%%/%%PORTNAME%% and
	4	its subdirectories.
	5
	6	For information on proper configuration see:
	7	https://ossec.github.io/docs/syntax/ossec_config.html
	8
	9	To enable the startup script, add ossechids_enable="YES" to /etc/rc.conf.

Line 0 Link Here

(-)files/message-pf.in (+4 lines)
	1	Add the ossec_fwtable to /etc/pf.conf if using firewall-drop command:
	2	table <ossec_fwtable> persist
	3	block in quick from <ossec_fwtable> to any
	4	block out quick from any to <ossec_fwtable>




#!/bin/sh

ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%PREFIX%%/%%PORTNAME%%"

ossec_dist_conf="${ossec_home}/etc/ossec-dist.conf"
ossec_local_conf="${ossec_home}/etc/ossec-local.conf"

select_elements_content() {
    local element="$1"
    sed -n "/<${element}>/,/<\/${element}>/{ /<${element}>/d; /<\/${element}>/d; p; }"
}

remove_elements() {
    local element="$1"
    sed -e "/<${element}>/,/<\/${element}>/d"
}

remove_comments() {
    # Comments must be on separate lines i.e. not next to uncommented code
    awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
}

remove_empty_lines() {
    sed '/^\s*$/d'
}

ossec_conf() {
    local dist_conf="$1"
    local local_conf="$2"

    echo "<!-- OSSEC HIDS %%VERSION%% -->"
    echo
    echo "<!-- DO NOT EDIT - edit \"${local_conf}\" instead -->"
    echo
    echo "<ossec_config>"

    if [ "${ossec_type}" != "agent"  ]; then
        if cat "${dist_conf}" "${local_conf}" | remove_comments | grep -q "<rules>"; then
            echo "  <rules>"
            cat "${dist_conf}" "${local_conf}" | remove_comments | select_elements_content "rules" | remove_empty_lines
            echo "  </rules>"
        fi
    fi

    if cat "${dist_conf}" "${local_conf}" | remove_comments | grep -q "<rootcheck>"; then
        echo "  <rootcheck>"
        cat "${dist_conf}" "${local_conf}" | remove_comments | select_elements_content "rootcheck" | remove_empty_lines
        echo "  </rootcheck>"
    fi

    if cat "${dist_conf}" "${local_conf}" | remove_comments | grep -q "<syscheck>"; then
        echo "  <syscheck>"
        cat "${dist_conf}" "${local_conf}" | remove_comments | select_elements_content "syscheck" | remove_empty_lines
        echo "  </syscheck>"
    fi

    cat "${dist_conf}" "${local_conf}" | remove_comments | select_elements_content "ossec_config" | remove_elements "rules" | remove_elements "rootcheck" |  remove_elements "syscheck" | remove_empty_lines

    echo "</ossec_config>"
}

ossec_conf "${ossec_dist_conf}" "${ossec_local_conf}"

Lines 1-5 Link Here

(-)files/ossec-hids.in (-31 / +162 lines)
1	#!/bin/sh	1	#!/bin/sh
2	#	2	#
3	# PROVIDE: ossechids	3	# PROVIDE: ossechids
4	# REQUIRE: DAEMON	4	# REQUIRE: DAEMON
5	# BEFORE: LOGIN	5	# BEFORE: LOGIN
Lines 15-65 Link Here
15	: ${ossechids_enable="NO"}	15	: ${ossechids_enable="NO"}
16	: ${ossechids_user="ossec"}	16	: ${ossechids_user="ossec"}
17	: ${ossechids_group="ossec"}	17	: ${ossechids_group="ossec"}
		18	: ${ossechids_clear_tmp="YES"}
		19	: ${ossechids_clear_log="NO"}
		20	: ${ossechids_clear_ar_log="NO"}
		21	: ${ossechids_fetch_time=15}
18		22
19	start_precmd=%%PRECMD%%	23	ossec_type="%%OSSEC_TYPE%%"
		24	ossec_home="%%PREFIX%%/%%PORTNAME%%"
		25
		26	ossec_conf="${ossec_home}/etc/ossec.conf"
		27	ossec_dist_conf="${ossec_home}/etc/ossec-dist.conf"
		28	ossec_local_conf="${ossec_home}/etc/ossec-local.conf"
		29
		30	agent_conf="${ossec_home}/etc/shared/agent.conf"
		31	agent_dist_conf="${ossec_home}/etc/agent-dist.conf"
		32	agent_local_conf="${ossec_home}/etc/agent-local.conf"
		33
		34	ossec_client_keys="${ossec_home}/etc/client.keys"
		35	ossec_tmp="${ossec_home}/tmp"
		36	ossec_log="${ossec_home}/logs/ossec.log"
		37	ossec_ar_log="${ossec_home}/logs/active-responses.log"
		38	ossec_merged="${ossec_home}/etc/shared/merged.mg"
		39
		40	extra_commands="reload ossec_conf"
		41	case ${ossec_type} in
		42	server)
		43	extra_commands="${extra_commands} agent_conf"
		44	;;
		45	agent)
		46	extra_commands="${extra_commands} fetch_config"
		47	;;
		48	esac
		49	extra_commands="${extra_commands} merge_config"
		50
20	start_cmd="ossechids_command start"	51	start_cmd="ossechids_command start"
21	stop_cmd="ossechids_command stop"	52	stop_cmd="ossechids_command stop"
22	restart_cmd="ossechids_command restart"	53	restart_cmd="ossechids_command restart"
23	status_cmd="ossechids_command status"	54	status_cmd="ossechids_command status"
24	reload_cmd="ossechids_command reload"	55	reload_cmd="ossechids_command reload"
		56	fetch_config_cmd="ossechids_command restart"
		57	merge_config_cmd="ossechids_create_configs"
		58	ossec_conf_cmd="ossechids_ossec_conf"
		59	agent_conf_cmd="ossechids_agent_conf"
25		60
26	command="%%PREFIX%%/%%PORTNAME%%/bin/ossec-control"	61	start_precmd="ossechids_prepare"
27	required_files="%%PREFIX%%/%%PORTNAME%%/etc/ossec.conf"	62	restart_precmd="ossechids_prepare"
28	extra_commands="reload"	63	reload_precmd="ossechids_prepare"
		64	fetch_config_precmd="ossechids_prepare"
29		65
30	fts_queue=%%PREFIX%%/%%PORTNAME%%/queue/fts/fts-queue	66	install_file() {
31	ig_queue=%%PREFIX%%/%%PORTNAME%%/queue/fts/ig-queue	67	local path=$1
32	ossec_log=%%PREFIX%%/%%PORTNAME%%/logs/ossec.log	68	local owner=$2
33	active_responses_log=%%PREFIX%%/%%PORTNAME%%/logs/active-responses.log	69	local mode=$3
34		70
35	ossechids_start_precmd() {	71	if [ ! -e "${path}" ]; then
36	# These files are not created by the daemons with the correct	72	touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}"
37	# ownership, so create them here before starting up the system,
38	# if they don't already exist. This is only done for the "local" and
39	# "server" installation types.
40	if [ ! -e ${fts_queue} ]; then
41	touch ${fts_queue}
42	chown ${ossechids_user}:${ossechids_group} ${fts_queue}
43	chmod 640 ${fts_queue}
44	fi	73	fi
45	if [ ! -e ${ig_queue} ]; then	74	}
46	touch ${ig_queue}	75
47	chown ${ossechids_user}:${ossechids_group} ${ig_queue}	76	ossechids_check() {
48	chmod 640 ${ig_queue}	77	case ${ossec_type} in
		78	server)
		79	if [ ! -s "${ossec_client_keys}" ]; then
		80	echo "WARNING: There are no client keys created - remote connections will be disabled"
		81	fi
		82	;;
		83	agent)
		84	if [ ! -s "${ossec_client_keys}" ]; then
		85	echo "WARNING: There are is no client key imported - connection to server not possible"
		86	fi
		87	;;
		88	esac
		89
		90	return 0
		91	}
		92
		93	ossechids_create_configs() {
		94	case ${ossec_type} in
		95	server)
		96	# Merge agent-dist.conf and agent-local.conf into agent.conf
		97	if [ ! -e "${agent_conf}" -o "${agent_dist_conf}" -nt "${agent_conf}" -o "${agent_local_conf}" -nt "${agent_conf}" ]; then
		98	install_file "${agent_conf}" %%USER%%:%%OSSEC_GROUP%% 0640
		99	"${ossec_home}/bin/agent_conf" > "${agent_conf}"
		100	fi
		101	;;
		102	agent)
		103	# Touch agent.conf so the agent daemons won't complain if it doesn't exist
		104	install_file "${agent_conf}" %%OSSEC_USER%%:%%OSSEC_GROUP%% 0644
		105	;;
		106	esac
		107
		108	# Merge ossec-dist.conf and ossec-local.conf into ossec.conf
		109	if [ ! -e "${ossec_conf}" -o "${ossec_dist_conf}" -nt "${ossec_conf}" -o "${ossec_local_conf}" -nt "${ossec_conf}" ]; then
		110	install_file "${ossec_conf}" %%USER%%:%%OSSEC_GROUP%% 0640
		111	"${ossec_home}/bin/ossec_conf" > "${ossec_conf}"
49	fi	112	fi
50		113
51	# Ensure logfiles are created with the correct ownership and mode	114	return 0
52	for log in ${ossec_log} ${active_responses_log}; do
53	if [ ! -e ${log} ]; then
54	touch ${log}
55	chown ${ossechids_user}:${ossechids_group} ${log}
56	chmod 660 ${log}
57	fi
58	done
59	}	115	}
60		116
		117	ossechids_create_logs() {
		118	# Create required log files if they don't exist
		119	install_file "${ossec_log}" ${ossechids_user}:${ossechids_group} 0660
		120	install_file "${ossec_ar_log}" ${ossechids_user}:${ossechids_group} 0660
		121
		122	return 0
		123	}
		124
		125	ossechids_clean_temps() {
		126	if [ "${ossec_type}" == "server" ]; then
		127	rm -f "${ossec_merged}"
		128	fi
		129
		130	if checkyesno ossechids_clear_tmp; then
		131	rm -rf "${ossec_tmp}/*"
		132	fi
		133
		134	if checkyesno ossechids_clear_log; then
		135	echo -n > "${ossec_log}"
		136	fi
		137
		138	if checkyesno ossechids_clear_ar_log; then
		139	echo -n > "${ossec_ar_log}"
		140	fi
		141
		142	return 0
		143	}
		144
		145	ossechids_fetch_configs() {
		146	case ${ossec_type} in
		147	agent)
		148	rm -f "${ossec_merged}"
		149	ossechids_command stop
		150	sleep 1
		151	ossechids_command start
		152	echo "Waiting ${ossechids_fetch_time} seconds for the shared configuration to be downloaded from the OSSEC server"
		153	sleep ${ossechids_fetch_time}
		154	if [ ! -s "${ossec_merged}" ]; then
		155	echo "Failed to download shared configuration from the OSSEC server"
		156	return 1
		157	fi
		158	;;
		159	*)
		160	echo "Shared configuration is only available for client installations"
		161	return 1
		162	;;
		163	esac
		164
		165	return 0
		166	}
		167
		168	ossechids_prepare() {
		169	case ${rc_arg} in
		170	start\|restart)
		171	ossechids_create_logs && ossechids_create_configs && ossechids_clean_temps && ossechids_check \|\| return 1
		172	;;
		173	fetch_config)
		174	ossechids_create_logs && ossechids_create_configs && ossechids_clean_temps && ossechids_fetch_configs && ossechids_check \|\| return 1
		175	;;
		176	reload)
		177	ossechids_create_configs \|\| return 1
		178	;;
		179	esac
		180
181	return 0
182	}
183
184	ossechids_ossec_conf() {
185	"${ossec_home}/bin/ossec_conf"
186	}
187
188	ossechids_agent_conf() {
189	"${ossec_home}/bin/agent_conf"
190	}
191
61	ossechids_command() {	192	ossechids_command() {
62	${command} ${rc_arg}	193	"${ossec_home}/bin/ossec-control" "$1"
63	}	194	}
64		195
65	run_rc_command "$1"	196	run_rc_command "$1"




--- active-response/host-deny.sh.orig	2017-12-19 21:30:31 UTC
+++ active-response/host-deny.sh
@@ -11,7 +11,7 @@ IP=$3
 
 LOCAL=`dirname $0`;
 cd $LOCAL
-cd ../
+cd ../../tmp
 PWD=`pwd`
 LOCK="${PWD}/host-deny-lock"
 LOCK_PID="${PWD}/host-deny-lock/pid"
@@ -112,10 +112,10 @@ if [ "x${ACTION}" = "xadd" ]; then
 # Deleting from hosts.deny   
 elif [ "x${ACTION}" = "xdelete" ]; then   
    lock;
-   TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX` 
+   TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX` 
    if [ "X${TMP_FILE}" = "X" ]; then 
      # Cheap fake tmpfile, but should be harder then no random data 
-     TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
+     TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
    fi
    echo "${IP}" | grep "\:" > /dev/null 2>&1
    if [ $? = 0 ]; then




--- src/InstallAgent.sh.orig	2015-10-12 21:21:06 UTC
+++ src/InstallAgent.sh
@@ -37,11 +37,11 @@ fi
 
 # Creating groups/users
 if [ "$UNAME" = "FreeBSD" -o "$UNAME" = "DragonFly" ]; then
-    grep "^${USER}" /etc/passwd > /dev/null 2>&1
-    if [ ! $? = 0 ]; then
-    /usr/sbin/pw groupadd ${GROUP}
-	/usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
-    fi
+    #grep "^${USER}" /etc/passwd > /dev/null 2>&1
+    #if [ ! $? = 0 ]; then
+    #/usr/sbin/pw groupadd ${GROUP}
+	#/usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+    #fi
 
 elif [ "$UNAME" = "SunOS" ]; then
     grep "^${USER}" /etc/passwd > /dev/null 2>&1
@@ -106,22 +106,17 @@ for i in ${subdirs}; do
 done
 
 # Default for all directories
-chmod -R 550 ${DIR}
-chown -R root:${GROUP} ${DIR}
+chmod -R 750 ${DIR}
 
 # To the ossec queue (default for agentd to read)
-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
 chmod -R 770 ${DIR}/queue/ossec
 
 # For the logging user
-chown -R ${USER}:${GROUP} ${DIR}/logs
 chmod -R 750 ${DIR}/logs
 chmod -R 775 ${DIR}/queue/rids
 touch ${DIR}/logs/ossec.log
-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
 chmod 664 ${DIR}/logs/ossec.log
 
-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
 chmod -R 750 ${DIR}/queue/diff
 chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
 
@@ -131,8 +126,7 @@ chmod 1550 ${DIR}/tmp
 
 
 # For the etc dir
-chmod 550 ${DIR}/etc
-chown -R root:${GROUP} ${DIR}/etc
+chmod 750 ${DIR}/etc
 
 ls /etc/localtime > /dev/null 2>&1
 if [ $? = 0 ]; then
@@ -144,13 +138,11 @@ if [ "$UNAME" = "SunOS" ]; then
     mkdir -p ${DIR}/usr/share/lib/zoneinfo/
     chmod -R 555 ${DIR}/usr/
     cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
-    chown -R root:${GROUP} ${DIR}/usr/
 fi    
 
 ls /etc/TIMEZONE > /dev/null 2>&1
 if [ $? = 0 ]; then
     cp -p /etc/TIMEZONE ${DIR}/etc/;
-    chown root:${GROUP} ${DIR}/etc/TIMEZONE
     chmod 555 ${DIR}/etc/TIMEZONE
 fi
             
@@ -170,25 +162,17 @@ cp -pr ../etc/local_internal_options.con
 cp -pr ../etc/client.keys ${DIR}/etc/ > /dev/null 2>&1
 cp -pr agentlessd/scripts/* ${DIR}/agentless/
 
-chown root:${GROUP} ${DIR}/etc/internal_options.conf
-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/client.keys > /dev/null 2>&1
-chown root:${GROUP} ${DIR}/agentless/*
-chown ${USER}:${GROUP} ${DIR}/.ssh
-chown -R root:${GROUP} ${DIR}/etc/shared
-
-chmod 550 ${DIR}/etc
+chmod 750 ${DIR}/etc
 chmod 440 ${DIR}/etc/internal_options.conf
 chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
 chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
 chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
-chmod 550 ${DIR}/agentless/*
+chmod 750 ${DIR}/agentless/*
 chmod 700 ${DIR}/.ssh
 
 
 # For the /var/run
 chmod 770 ${DIR}/var/run
-chown root:${GROUP} ${DIR}/var/run
 
 
 # Moving the binary files
@@ -202,7 +186,6 @@ cp -pr addagent/manage_agents ${DIR}/bin
 cp -pr ../contrib/util.sh ${DIR}/bin/
 cp -pr external/lua/src/ossec-lua ${DIR}/bin/
 cp -pr external/lua/src/ossec-luac ${DIR}/bin/
-chown root:${GROUP} ${DIR}/bin/util.sh
 chmod +x ${DIR}/bin/util.sh
 
 # Copying active response modules
@@ -210,10 +193,8 @@ sh ./init/fw-check.sh execute > /dev/nul
 cp -pr ../active-response/*.sh ${DIR}/active-response/bin/
 cp -pr ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
 chmod 755 ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/active-response/bin/*
 
-chown root:${GROUP} ${DIR}/bin/*
-chmod 550 ${DIR}/bin/*
+chmod 750 ${DIR}/bin/*
 
 
 # Moving the config file
@@ -229,7 +210,6 @@ if [ $? = 0 ]; then
 else    
     cp -pr ../etc/ossec-agent.conf ${DIR}/etc/ossec.conf
 fi
-chown root:${GROUP} ${DIR}/etc/ossec.conf
 chmod 440 ${DIR}/etc/ossec.conf
 
 




--- src/InstallServer.sh.orig	2015-10-12 21:21:06 UTC
+++ src/InstallServer.sh
@@ -44,13 +44,13 @@ fi
 
 # Creating groups/users
 if [ "$UNAME" = "FreeBSD" -o "$UNAME" = "DragonFly" ]; then
-    grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
-    if [ ! $? = 0 ]; then
-    /usr/sbin/pw groupadd ${GROUP}
-	/usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
-	/usr/sbin/pw useradd ${USER_MAIL} -d ${DIR} -s /sbin/nologin -g ${GROUP}
-	/usr/sbin/pw useradd ${USER_REM} -d ${DIR} -s /sbin/nologin -g ${GROUP}
-    fi
+#    grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
+#    if [ ! $? = 0 ]; then
+#    /usr/sbin/pw groupadd ${GROUP}
+#	/usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+#	/usr/sbin/pw useradd ${USER_MAIL} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+#	/usr/sbin/pw useradd ${USER_REM} -d ${DIR} -s /sbin/nologin -g ${GROUP}
+#    fi
 
 elif [ "$UNAME" = "SunOS" ]; then
     grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
@@ -121,66 +121,49 @@ for i in ${subdirs}; do
 done
 
 # Default for all directories
-chmod 550 ${DIR}
-chmod 550 ${DIR}/*
-chown root:${GROUP} ${DIR}
-chown root:${GROUP} ${DIR}/*
+chmod 750 ${DIR}
+chmod 750 ${DIR}/*
 
 # AnalysisD needs to write to alerts: log, mail and cmds
-chown -R ${USER}:${GROUP} ${DIR}/queue/alerts
 chmod -R 770 ${DIR}/queue/alerts
 
 # To the ossec queue (default for analysisd to read)
-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
 chmod -R 770 ${DIR}/queue/ossec
 
 # To the ossec fts queue
-chown -R ${USER}:${GROUP} ${DIR}/queue/fts
 chmod -R 750 ${DIR}/queue/fts
 chmod 750 ${DIR}/queue/fts/* > /dev/null 2>&1
 
 # To the ossec syscheck/rootcheck queue
-chown -R ${USER}:${GROUP} ${DIR}/queue/syscheck
 chmod -R 750 ${DIR}/queue/syscheck
 chmod 740 ${DIR}/queue/syscheck/* > /dev/null 2>&1
 
-chown -R ${USER}:${GROUP} ${DIR}/queue/rootcheck
 chmod -R 750 ${DIR}/queue/rootcheck
 chmod 740 ${DIR}/queue/rootcheck/* > /dev/null 2>&1
 
-chown ${USER}:${GROUP} ${DIR}/queue/diff
-chown ${USER}:${GROUP} ${DIR}/queue/diff/* > /dev/null 2>&1
 chmod 750 ${DIR}/queue/diff
 chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
 
-chown -R ${USER_REM}:${GROUP} ${DIR}/queue/agent-info
 chmod -R 750 ${DIR}/queue/agent-info
 chmod 740 ${DIR}/queue/agent-info/* > /dev/null 2>&1
-chown -R ${USER_REM}:${GROUP} ${DIR}/queue/rids
 chmod -R 750 ${DIR}/queue/rids
 chmod 740 ${DIR}/queue/rids/* > /dev/null 2>&1
 
-chown -R ${USER}:${GROUP} ${DIR}/queue/agentless
 chmod -R 750 ${DIR}/queue/agentless
 chmod 740 ${DIR}/queue/agentless/* > /dev/null 2>&1
 
-chown -R root:${GROUP} ${DIR}/tmp
-chmod 1550 ${DIR}/tmp
+chmod 1750 ${DIR}/tmp
 
 
 # For the stats directory
-chown -R ${USER}:${GROUP} ${DIR}/stats
 chmod -R 750 ${DIR}/stats
 
 # For the logging user
-chown -R ${USER}:${GROUP} ${DIR}/logs
 chmod -R 750 ${DIR}/logs
 touch ${DIR}/logs/ossec.log
-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
 chmod 660 ${DIR}/logs/ossec.log
 
 touch ${DIR}/logs/active-responses.log
-chown ${USER}:${GROUP} ${DIR}/logs/active-responses.log
 chmod 660 ${DIR}/logs/active-responses.log
 
 # For the rules directory
@@ -198,7 +181,7 @@ if [ $? = 0 ]; then
     fi    
 fi
     
-cp -pr ../etc/rules/* ${DIR}/rules/
+cp -pr ../etc/rules/*.xml ${DIR}/rules/
 find ${DIR}/rules/ -type f -exec chmod 440 {} \;
 
 # If the local_rules is saved, moved it back
@@ -207,37 +190,33 @@ if [ $? = 0 ]; then
     mv ${DIR}/rules/saved_local_rules.xml.$$ ${DIR}/rules/local_rules.xml
 fi    
 
-chown -R root:${GROUP} ${DIR}/rules
-chmod -R 550 ${DIR}/rules
+chmod -R 750 ${DIR}/rules
 
 
 # For the etc dir
-chmod 550 ${DIR}/etc
-chown -R root:${GROUP} ${DIR}/etc
+chmod 750 ${DIR}/etc
 ls /etc/localtime > /dev/null 2>&1
 if [ $? = 0 ]; then
     cp -pL /etc/localtime ${DIR}/etc/;
     chmod 440 ${DIR}/etc/localtime
-    chown root:${GROUP} ${DIR}/etc/localtime 
 fi
 
 # Solaris Needs some extra files
 if [ "$UNAME" = "SunOS" ]; then
     mkdir -p ${DIR}/usr/share/lib/zoneinfo/
-    chmod -R 550 ${DIR}/usr/
+    chmod -R 750 ${DIR}/usr/
     cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
 fi
 
 ls /etc/TIMEZONE > /dev/null 2>&1
 if [ $? = 0 ]; then
     cp -p /etc/TIMEZONE ${DIR}/etc/;
-    chmod 550 ${DIR}/etc/TIMEZONE
+    chmod 750 ${DIR}/etc/TIMEZONE
 fi
                         
 
 # For the /var/run
 chmod 770 ${DIR}/var/run
-chown root:${GROUP} ${DIR}/var/run
 
 # Moving the binary files
 cp -pr addagent/manage_agents agentlessd/ossec-agentlessd \
@@ -260,7 +239,6 @@ cp -pr util/rootcheck_control ${DIR}/bin
 cp -pr external/lua/src/ossec-lua ${DIR}/bin/
 cp -pr external/lua/src/ossec-luac ${DIR}/bin/
 cp -pr ../contrib/util.sh ${DIR}/bin/
-chown root:${GROUP} ${DIR}/bin/util.sh
 chmod +x ${DIR}/bin/util.sh
 
 # Local install chosen
@@ -290,23 +268,15 @@ fi
   
 cp -pr ../etc/internal_options.conf ${DIR}/etc/
 cp -pr rootcheck/db/*.txt ${DIR}/etc/shared/
-chown root:${GROUP} ${DIR}/etc/decoder.xml
-chown root:${GROUP} ${DIR}/etc/local_decoder.xml >/dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/internal_options.conf
-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/client.keys >/dev/null 2>&1
-chown root:${GROUP} ${DIR}/etc/shared/*
-chown root:${GROUP} ${DIR}/agentless/*
-chown ${USER}:${GROUP} ${DIR}/.ssh
 chmod 440 ${DIR}/etc/decoder.xml
 chmod 440 ${DIR}/etc/local_decoder.xml >/dev/null 2>&1
 chmod 440 ${DIR}/etc/internal_options.conf
 chmod 440 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1
 chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1
-chmod 550 ${DIR}/etc
+chmod 750 ${DIR}/etc
 chmod 770 ${DIR}/etc/shared
 chmod 440 ${DIR}/etc/shared/*
-chmod 550 ${DIR}/agentless/*
+chmod 750 ${DIR}/agentless/*
 rm ${DIR}/etc/shared/merged.mg >/dev/null 2>&1
 chmod 700 ${DIR}/.ssh
 
@@ -316,11 +286,9 @@ sh ./init/fw-check.sh execute > /dev/nul
 cp -p ../active-response/*.sh ${DIR}/active-response/bin/
 cp -p ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
 
-chmod 550 ${DIR}/active-response/bin/*
-chown root:${GROUP} ${DIR}/active-response/bin/*
+chmod 750 ${DIR}/active-response/bin/*
 
-chown root:${GROUP} ${DIR}/bin/*
-chmod 550 ${DIR}/bin/*
+chmod 750 ${DIR}/bin/*
 
 
 # Moving the config file
@@ -331,12 +299,11 @@ fi
 
 ls ../etc/ossec.mc > /dev/null 2>&1
 if [ $? = 0 ]; then
-    cp -pr ../etc/ossec.mc ${DIR}/etc/ossec.conf
+    cp -pr ../etc/ossec.mc ${DIR}/etc/ossec.conf.sample
 else    
-    cp -pr ../etc/ossec-server.conf ${DIR}/etc/ossec.conf
+    cp -pr ../etc/ossec-server.conf ${DIR}/etc/ossec.conf.sample
 fi
-chown root:${GROUP} ${DIR}/etc/ossec.conf
-chmod 440 ${DIR}/etc/ossec.conf
+chmod 640 ${DIR}/etc/ossec.conf.sample
 
 
 

Lines 1-5 Link Here

(-)files/patch-src__LOCATION (-5 lines)
1	--- src/LOCATION.orig 2015-10-12 21:21:06 UTC
2	+++ src/LOCATION
3	@@ -1 +1 @@
4	-DIR="/var/ossec"
5	+DIR="/usr/ports/security/ossec-hids-server/work/stage/usr/local/ossec-hids"

Lines 1-11 Link Here

(-)files/patch-src__headers__defs.h (-11 lines)
1	--- src/headers/defs.h.orig 2015-10-12 21:21:06 UTC
2	+++ src/headers/defs.h
3	@@ -98,7 +98,7 @@ http://www.ossec.net/main/license/\n"
4	#endif
5
6	#ifndef DEFAULTDIR
7	- #define DEFAULTDIR "/var/ossec"
8	+ #define DEFAULTDIR "/usr/local/ossec-hids"
9	#endif
10
11

Lines 1-11 Link Here

(-)files/patch-src_os__dbd_mysql.schema (-11 lines)
1	--- src/os_dbd/mysql.schema.orig 2015-10-12 21:21:06 UTC
2	+++ src/os_dbd/mysql.schema
3	@@ -45,7 +45,7 @@ CREATE TABLE server
4	last_contact INT UNSIGNED NOT NULL,
5	version VARCHAR(32) NOT NULL,
6	hostname VARCHAR(64) NOT NULL UNIQUE,
7	- information VARCHAR(128) NOT NULL,
8	+ information TEXT NOT NULL,
9	PRIMARY KEY (id)
10	);
11

Lines 1-11 Link Here

(-)files/patch-src_os__dbd_postgresql.schema (-11 lines)
1	--- src/os_dbd/postgresql.schema.orig 2015-10-12 21:21:06 UTC
2	+++ src/os_dbd/postgresql.schema
3	@@ -47,7 +47,7 @@ CREATE TABLE server
4	last_contact INT8 NOT NULL,
5	version VARCHAR(32) NOT NULL,
6	hostname VARCHAR(64) NOT NULL UNIQUE,
7	- information VARCHAR(128) NOT NULL,
8	+ information TEXT NOT NULL,
9	PRIMARY KEY (id)
10	);
11




--- src/os_net/os_net.c.orig	2017-12-19 21:30:31 UTC
+++ src/os_net/os_net.c
@@ -48,16 +48,16 @@ int OS_Bindport(char *_port, unsigned in
 
 
     memset(&hints, 0, sizeof(struct addrinfo));
-#ifdef AI_V4MAPPED
-    hints.ai_family = AF_INET6;    /* Allow IPv4 and IPv6 */
-    hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED;
-#else
+//#ifdef AI_V4MAPPED
+//    hints.ai_family = AF_INET6;    /* Allow IPv4 and IPv6 */
+//    hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_V4MAPPED;
+//#else
     /* Certain *BSD OS (eg. OpenBSD) do not allow binding to a
        single-socket for both IPv4 and IPv6 per RFC 3493.  This will 
        allow one or the other based on _ip. */
     hints.ai_family = AF_UNSPEC;    /* Allow IPv4 or IPv6 */
     hints.ai_flags = AI_PASSIVE;
-#endif
+//#endif
     hints.ai_protocol = _proto;
     if (_proto == IPPROTO_UDP) {
         hints.ai_socktype = SOCK_DGRAM;

Line 0 Link Here

(-)files/patch-src_rootcheck_db_system__audit__rcl.txt (+11 lines)
	1	--- src/rootcheck/db/system_audit_rcl.txt.orig 2017-12-19 21:30:31 UTC
	2	+++ src/rootcheck/db/system_audit_rcl.txt
	3	@@ -25,7 +25,7 @@
	4	# Multiple patterns can be specified by using " && " between them.
	5	# (All of them must match for it to return true).
	6
	7	-$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
	8	+$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini;
	9	$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
	10
	11	# PHP checks




After installation, you need to edit the ossec.conf file to reflect
the correct settings for your environment.  All the files related
to %%PORTNAME%% have been installed in %%PREFIX%%/%%PORTNAME%% and
its subdirectories.

For information on proper configuration, see http://www.ossec.net/.

To enable the startup script, add ossechids_enable="YES" to
/etc/rc.conf.  To enable database output, execute:

%%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database

Then check this documentation:

http://www.ossec.net/doc/manual/output/database-output.html

When you deinstall this port after starting the daemons once, many
directories that are created by the daemons will remain.  To fully
remove the port you need to delete those directories manually.  To
further enhance the security on your system, you may also enable
some checks in PAM for a fast reaction against intrusions.




#!/bin/sh

# This script is part of FreeBSD port - report any issues to the port MAINTAINER

ossec_type="%%OSSEC_TYPE%%"
ossec_home="%%PREFIX%%/%%PORTNAME%%"
ossec_rc="%%OSSEC_RC%%"

ACTION=$1
USER=$2
IP=$3

LOCAL=`dirname $0`;
cd $LOCAL
cd ../../tmp

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"

case ${ACTION} in
    add)
        "${ossec_rc}" restart
        exit 0
        ;;
    delete)
        exit 0
        ;;
    *)
        echo "$0: invalid action: ${ACTION}"
        exit 1
        ;;
esac




<?xml version="1.0" encoding="UTF-8"?>
<group name="ossec,">

  <rule id="56001" level="10">
    <if_group>syscheck</if_group>
    <match>%%PREFIX%%/%%PORTNAME%%/etc/ossec-dist.conf</match>
    <description>ossec-dist.conf has been modified</description>
  </rule>

  <rule id="56002" level="10">
    <if_group>syscheck</if_group>
    <match>%%PREFIX%%/%%PORTNAME%%/etc/ossec-local.conf</match>
    <description>ossec-local.conf has been modified</description>
  </rule>

  <rule id="56003" level="10" ignore="10">
    <if_group>syscheck</if_group>
    <match>%%PREFIX%%/%%PORTNAME%%/etc/ossec.conf</match>
    <description>ossec.conf has been modified</description>
  </rule>

  <rule id="56004" level="10" ignore="10">
    <if_group>syscheck</if_group>
    <match>/var/ossec/etc/ossec.conf</match>
    <description>ossec.conf has been modified</description>
  </rule>

  <rule id="56011" level="10">
    <if_group>syscheck</if_group>
    <match>%%PREFIX%%/%%PORTNAME%%/etc/agent-dist.conf</match>
    <description>agent-dist.conf has been modified</description>
  </rule>

  <rule id="56012" level="10">
    <if_group>syscheck</if_group>
    <match>%%PREFIX%%/%%PORTNAME%%/etc/agent-local.conf</match>
    <description>agent-local.conf has been modified</description>
  </rule>

  <rule id="56013" level="10" ignore="10">
    <if_group>syscheck</if_group>
    <match>%%PREFIX%%/%%PORTNAME%%/etc/shared/agent.conf</match>
    <description>agent.conf has been modified</description>
  </rule>

  <rule id="56014" level="10" ignore="10">
    <if_group>syscheck</if_group>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>agent.conf has been modified</description>
  </rule>

</group>




<?xml version="1.0" encoding="UTF-8"?>
<group name="ossec,active_response,">

  <rule id="56021" level="3">
    <if_sid>600</if_sid>
    <action>ipfw.sh</action>
    <status>add</status>
    <description>Host Blocked by ipfw.sh Active Response</description>
  </rule>

  <rule id="56022" level="3">
    <if_sid>600</if_sid>
    <action>ipfw.sh</action>
    <status>delete</status>
    <description>Host Unblocked by ipfw.sh Active Response</description>
  </rule>

  <rule id="56023" level="3">
    <if_sid>600</if_sid>
    <action>pf.sh</action>
    <status>add</status>
    <description>Host Blocked by pf.sh Active Response</description>
  </rule>

  <rule id="56024" level="3">
    <if_sid>600</if_sid>
    <action>pf.sh</action>
    <status>delete</status>
    <description>Host Unblocked by pf.sh Active Response</description>
  </rule>

</group>




<?xml version="1.0" encoding="UTF-8"?>
<group name="ossec,">

  <rule id="56041" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'freebsd-ports-tcp4'</match>
    <check_diff />
    <description>Listening IPv4 TCP port opened or closed.</description>
  </rule>

  <rule id="56042" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'freebsd-ports-tcp6'</match>
    <check_diff />
    <description>Listening IPv6 TCP port opened or closed.</description>
  </rule>

  <rule id="56043" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'freebsd-ports-udp4'</match>
    <check_diff />
    <description>IPv4 UDP port opened or closed.</description>
  </rule>

  <rule id="56044" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'freebsd-ports-udp6'</match>
    <check_diff />
    <description>IPv6 UDP port opened or closed.</description>
  </rule>

</group>




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>%%FW_DROP%%</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

</template_config>

Line 0 Link Here

(-)files/template-ar-cmds-merge.xml.in (+10 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<command>
	5	<name>merge-configs</name>
	6	<executable>merge-configs.sh</executable>
	7	<expect></expect>
	8	</command>
	9
	10	</template_config>

Line 0 Link Here

(-)files/template-ar-merge.xml.in (+11 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<active-response>
	5	<!-- Create "ossec.conf" and "agent.conf" if "dist" or "local" files change. -->
	6	<command>merge-configs</command>
	7	<location>local</location>
	8	<rules_id>56001,56002,56011,56012</rules_id>
	9	</active-response>
	10
	11	</template_config>

Line 0 Link Here

(-)files/template-ar-restart.xml.in (+11 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<active-response>
	5	<!-- Restart OSSEC if "ossec.conf" or "agent.conf" changes. -->
	6	<command>restart-ossec</command>
	7	<location>local</location>
	8	<rules_id>56003,56004,56013,56014</rules_id>
	9	</active-response>
	10
	11	</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%ARLOG_PROFILE%%">
  <!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%ARLOG_PROFILE%%" profile). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>%%PREFIX%%/%%PORTNAME%%/logs/active-responses.log</location>
  </localfile>

</template_config>

<template_config os="Linux" profile="%%ARLOG_PROFILE%%">

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%BASELOGS_PROFILE%%">
  <!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%BASELOGS_PROFILE%%" profile). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/security</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/userlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

</template_config>

<template_config os="Linux" profile="%%BASELOGS_PROFILE%%">

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

</template_config>

Line 0 Link Here

(-)files/template-cmds-logins.xml.in (+10 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<localfile>
	5	<log_format>full_command</log_format>
	6	<command>last -n 5</command>
	7	<alias>freebsd-last-logins</alias>
	8	</localfile>
	9
	10	</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -4 -p tcp -Wan | grep LISTEN | awk '{print $4}' | sed 's/\(.*\)\./\1:/' | sort</command>
    <alias>freebsd-ports-tcp4</alias>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -6 -p tcp -Wan | grep LISTEN | awk '{print $4}' | sed 's/\(.*\)\./\1:/' | sort</command>
    <alias>freebsd-ports-tcp6</alias>
  </localfile>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -4 -p udp -Wan | grep udp4 | awk '{print $4}' | sed 's/\(.*\)\./\1:/' | sort</command>
    <alias>freebsd-ports-udp4</alias>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -6 -p udp -Wan | grep udp6 | awk '{print $4}' | sed 's/\(.*\)\./\1:/' | sort</command>
    <alias>freebsd-ports-udp6</alias>
  </localfile>

</template_config>

Line 0 Link Here

(-)files/template-header.xml.in (+4 lines)
	1	<!-- OSSEC HIDS %%VERSION%% -->
	2
	3	<!-- DO NOT EDIT - file generated automatically based on selected port options. -->
	4




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%APACHE_PROFILE%%">
  <!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%APACHE_PROFILE%%" profile). -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd-error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd-access.log</location>
  </localfile>

</template_config>

<template_config os="Linux" profile="%%APACHE_PROFILE%%">

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%NGINX_PROFILE%%">
  <!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%NGINX_PROFILE%%" profile). -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

</template_config>

<template_config os="Linux" profile="%%NGINX_PROFILE%%">

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%RADIUS_PROFILE%%">
  <!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%RADIUS_PROFILE%%" profile). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/radius.log</location>
  </localfile>

</template_config>

<template_config os="Linux" profile="%%RADIUS_PROFILE%%">

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/freeradius/radius.log</location>
  </localfile>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%VSFTPD_PROFILE%%">
  <!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%VSFTPD_PROFILE%%" profile). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/vsftpd.log</location>
  </localfile>

</template_config>

<template_config os="Linux" profile="%%VSFTPD_PROFILE%%">

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/vsftpd.log</location>
  </localfile>

</template_config>

Line 0 Link Here

(-)files/template-pushed-header.xml.in (+4 lines)
	1	<!-- OSSEC HIDS %%VERSION%% -->
	2
	3	<!-- DO NOT EDIT - file generated automatically based on selected port options. -->
	4

Line 0 Link Here

(-)files/template-pushed-sample.xml.in (+3 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3	</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%ROOTCHECK_PROFILE%%">
  <!-- agent: Remove this section if server pushes rootcheck configuration using "agent.conf" (FreeBSD server can push it using "%%ROOTCHECK_PROFILE%%" profile). -->
  <rootcheck>
    <rootkit_files>%%PREFIX%%/%%PORTNAME%%/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>%%PREFIX%%/%%PORTNAME%%/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>%%PREFIX%%/%%PORTNAME%%/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>%%PREFIX%%/%%PORTNAME%%/etc/shared/system_audit_ssh.txt</system_audit>
  </rootcheck>

</template_config>

<template_config os="Linux" profile="%%ROOTCHECK_PROFILE%%">

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
  </rootcheck>

</template_config>

Line 0 Link Here

(-)files/template-rules-config.xml.in (+8 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<rules>
	5	<include>freebsd_config_rules.xml</include>
	6	</rules>
	7
	8	</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <rules>
    <!-- Imported from "ossec-hids-2.9.3/etc/templates/config/rules.template". -->
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

</template_config>

Line 0 Link Here

(-)files/template-rules-firewall.xml.in (+8 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<rules>
	5	<include>freebsd_firewall_rules.xml</include>
	6	</rules>
	7
	8	</template_config>

Line 0 Link Here

(-)files/template-rules-ports.xml.in (+8 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<rules>
	5	<include>freebsd_ports_rules.xml</include>
	6	</rules>
	7
	8	</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <client>
    <!-- Specify the IP address of the %%PORTNAME%% server. -->
    <server-ip>1.2.3.4</server-ip>
    <!-- Alternatively, specify the hostname of the %%PORTNAME%% server. -->
    <!-- <server-hostname>example.com</server-hostname> -->

    <!-- Specifies the agent.conf profiles to be used by the agent. Multiple profiles can be included, separated by a comma and a space. -->
    <!-- <config-profile>%%CLIENT_PROFILES%%</config-profile> -->
  </client>

  <syscheck>
    <!-- Ignoring the "hosts.allow" is reasonable if host-deny active response is active for this OSSEC instance. -->
    <ignore>/etc/hosts.allow</ignore>
  </syscheck>

</template_config>

Line 0 Link Here

(-)files/template-sample-header.xml.in (+1 lines)
	1	<!-- Place customized configuration here - it will not be overwritten during upgrades. -->




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <global>
    <!-- Uncomment to enable email notifications. -->
    <!--
    <email_notification>yes</email_notification>
    <email_to>example@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossecm@example.com</email_from>
    -->

    <!-- List of IP addresses that should never be blocked by the active response (one per element). -->
    <white_list>127.0.0.1</white_list>
  </global>

  <!-- Run "%%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database" to enable ossec-dbd. -->
  <!-- Uncomment to enable database output (if compiled with database support). -->
  <!--
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>secret</password>
    <database>ossec</database>
    <type>%%DB_TYPE%%</type>
  </database_output>
  -->

  <syscheck>
    <auto_ignore>no</auto_ignore>
    <!-- Ignoring the "hosts.allow" is reasonable if host-deny active response is active for this OSSEC instance. -->
    <ignore>/etc/hosts.allow</ignore>
  </syscheck>

  <active-response>
    <!-- Deny the IP in "/etc/hosts.allow". -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Block the IP on the firewall. Remember to set proper "location" of the firewall. -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config>

  <remote>
    <connection>secure</connection>
    <!-- Because of a bug, setting the IP is mandatory for IPv4. -->
    <local_ip>1.2.3.4</local_ip>
  </remote>

  <global>
    <!-- Uncomment to enable email notifications. -->
    <!--
    <email_notification>yes</email_notification>
    <email_to>example@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossecm@example.com</email_from>
    -->

    <!-- List of IP addresses that should never be blocked by the active response (one per element). -->
    <white_list>127.0.0.1</white_list>
  </global>

  <!-- Run "%%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database" to enable ossec-dbd. -->
  <!-- Uncomment to enable database output (if compiled wit database support). -->
  <!--
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>secret</password>
    <database>ossec</database>
    <type>%%DB_TYPE%%</type>
  </database_output>
  -->

  <syscheck>
    <auto_ignore>no</auto_ignore>
    <!-- Ignoring the "hosts.allow" is reasonable if host-deny active response is active for this OSSEC instance. -->
    <ignore>/etc/hosts.allow</ignore>
  </syscheck>

  <active-response>
    <!-- Deny the IP in "/etc/hosts.allow". -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Block the IP on the firewall. Remember to set proper "location" of the firewall. -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

</template_config>




<?xml version="1.0" encoding="UTF-8"?>
<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
  <!-- agent: Remove this section if server pushes syscheck configuration using "agent.conf" (FreeBSD server can push it using "%%SYSCHECK_PROFILE%%" profile). -->
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">%%PREFIX%%/etc,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories>
    <directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_DIRS%%</directories>
  </syscheck>

</template_config>

<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">

  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">/usr/local/etc,/usr/local/bin,/usr/local/sbin</directories>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless,/var/ossec/rules</directories>
  </syscheck>

</template_config>




#!/bin/sh

ossec_home="${PKG_PREFIX}/ossec-hids"
ossec_conf="${ossec_home}/etc/ossec.conf"
agent_conf="${ossec_home}/etc/shared/agent.conf"
ar_conf="${ossec_home}/etc/shared/ar.conf"
merged_mg="${ossec_home}/etc/shared/merged.mg"

if [ "$2" == "DEINSTALL"  ]; then
    rm -f "${ossec_conf}"
    rm -f "${agent_conf}"
    rm -f "${ar_conf}"
    rm -f "${merged_mg}"
fi

Lines 3-6 Link Here

(-)pkg-descr (-1 / +1 lines)
3	monitoring, rootkit detection, time-based alerting and active	3	monitoring, rootkit detection, time-based alerting and active
4	response.	4	response.
5		5
6	WWW: http://www.ossec.net/	6	WWW: https://ossec.github.io




Hints:

  The main configuration is kept in "ossec-dist.conf" and "ossec-local.conf".
  These two files will be merged into "ossec.conf" before OSSEC startup.

  Any unchecked "ossec-dist.conf" options will result in placing related
  configuration in "ossec-local.conf.sample" instead of "ossec-dist.conf".

  If the agent configuration is pushed by the server using "agent.conf", then
  the "System checks" and "Log monitoring" should remain empty - all options
  there should be unchecked (default) and proper sections removed from
  "ossec-local.conf". Note that for security reasons "Command monitoring"
  options cannot be pushed using "agent.conf".

Line 0 Link Here

(-)pkg-help-local (+7 lines)
	1	Hints:
	2
	3	The main configuration is kept in "ossec-dist.conf" and "ossec-local.conf".
	4	These two files will be merged into "ossec.conf" before OSSEC startup.
	5
	6	Any unchecked "ossec-dist.conf" options will result in placing related
	7	configuration in "ossec-local.conf.sample" instead of "ossec-dist.conf".




Hints:

  The main configuration is kept in "ossec-dist.conf" and "ossec-local.conf".
  These two files will be merged into "ossec.conf" before OSSEC startup.

  Any unchecked "ossec-dist.conf" options will result in placing related
  configuration in "ossec-local.conf.sample" instead of "ossec-dist.conf".

  The agent configuration is kept in "agent-dist.conf" and "agent-local.conf".
  These two files will be merged into "agent.conf" before OSSEC startup.

  The agent needs to use proper profile to benefit from "agent.conf"
  configuration on the server. This means you can leave all of the
  "agent-dist.conf" options checked even if no agents use them.


Note:

  The currently supported agent systems via "agent-dist.conf" are:
  - FreeBSD
  - Debian Linux

  Consider contributing to the port by contacting the maintainer and
  providing template configurations for other operating systems.




#!/bin/sh

ossec_home="${PKG_PREFIX}/ossec-hids"
ossec_conf="${ossec_home}/etc/ossec.conf"
ossec_conf_bak="${ossec_conf}.bak"
agent_conf="${ossec_home}/etc/shared/agent.conf"
agent_conf_bak="${ossec_home}/etc/agent.conf.bak"
ossec_client_keys="${ossec_home}/etc/client.keys"
ossec_internal_options="${ossec_home}/etc/local_internal_options.conf"

install_file() {
    local path=$1
    local owner=$2
    local mode=$3

    if [ ! -e "${path}" ]; then
        touch "${path}" && chown ${owner} "${path}" && chmod ${mode} "${path}"
    fi
}

if [ "$2" == "POST-INSTALL"  ]; then
    if [ -e "${ossec_conf}" ]; then
        mv -f "${ossec_conf}" "${ossec_conf_bak}"
        echo
        echo "WARNING:"
        echo "  Existing \"${ossec_conf}\" has been saved to \"${ossec_conf_bak}\"."
        echo "  The \"ossec.conf\" must no longer be used for configuration. Use \"ossec-local.conf\" instead."
        echo
    fi

    case "$1" in
        ossec-hids-server*)
            if [ -e "${agent_conf}" ]; then
                mv -f "${agent_conf}" "${agent_conf_bak}"
                echo
                echo "WARNING:"
                echo "  Existing \"${agent_conf}\" has been saved to \"${agent_conf_bak}\"."
                echo "  The \"agent.conf\" must no longer be used for configuration. Use \"agent-local.conf\" instead."
                echo
            fi
            ;;
    esac

    install_file "${ossec_client_keys}" root:ossec 0640

    if [ ! -e "${ossec_internal_options}" ]; then
       install_file "${ossec_internal_options}" root:ossec 0640

       echo "# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec-local.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades." > "${ossec_internal_options}"
    fi
fi




%%PORTNAME%%/active-response/bin/disable-account.sh
%%PORTNAME%%/active-response/bin/firewall-drop.sh
%%PORTNAME%%/active-response/bin/host-deny.sh
%%PORTNAME%%/active-response/bin/ip-customblock.sh
%%PORTNAME%%/active-response/bin/ipfw_mac.sh
%%PORTNAME%%/active-response/bin/ipfw.sh
%%PORTNAME%%/active-response/bin/ossec-tweeter.sh
%%PORTNAME%%/active-response/bin/pf.sh
%%PORTNAME%%/active-response/bin/restart-ossec.sh
%%PORTNAME%%/active-response/bin/route-null.sh
%%PORTNAME%%/bin/agent_control
%%PORTNAME%%/bin/clear_stats
%%PORTNAME%%/bin/list_agents
%%PORTNAME%%/bin/manage_agents
%%PORTNAME%%/bin/ossec-agentlessd
%%PORTNAME%%/bin/ossec-analysisd
%%PORTNAME%%/bin/ossec-authd
%%PORTNAME%%/bin/ossec-control
%%PORTNAME%%/bin/ossec-csyslogd
%%PORTNAME%%/bin/ossec-dbd
%%PORTNAME%%/bin/ossec-execd
%%PORTNAME%%/bin/ossec-logcollector
%%PORTNAME%%/bin/ossec-logtest
%%PORTNAME%%/bin/ossec-lua
%%PORTNAME%%/bin/ossec-luac
%%PORTNAME%%/bin/ossec-maild
%%PORTNAME%%/bin/ossec-makelists
%%PORTNAME%%/bin/ossec-monitord
%%PORTNAME%%/bin/ossec-regex
%%PORTNAME%%/bin/ossec-remoted
%%PORTNAME%%/bin/ossec-reportd
%%PORTNAME%%/bin/ossec-syscheckd
%%PORTNAME%%/bin/rootcheck_control
%%PORTNAME%%/bin/syscheck_control
%%PORTNAME%%/bin/syscheck_update
%%PORTNAME%%/bin/util.sh
%%PORTNAME%%/bin/verify-agent-conf
@group ossec
%%PORTNAME%%/etc/decoder.xml
%%PORTNAME%%/etc/internal_options.conf
@sample %%PORTNAME%%/etc/ossec.conf.sample
%%PORTNAME%%/etc/shared/rootkit_files.txt
%%PORTNAME%%/etc/shared/rootkit_trojans.txt
%%PORTNAME%%/etc/shared/system_audit_rcl.txt
%%PORTNAME%%/etc/shared/win_applications_rcl.txt
%%PORTNAME%%/etc/shared/win_audit_rcl.txt
%%PORTNAME%%/etc/shared/win_malware_rcl.txt
%%PORTNAME%%/etc/shared/cis_debian_linux_rcl.txt
%%PORTNAME%%/etc/shared/cis_rhel_linux_rcl.txt
%%PORTNAME%%/etc/shared/cis_rhel5_linux_rcl.txt
@owner
@group
@mode
%%PORTNAME%%/rules/apache_rules.xml
%%PORTNAME%%/rules/arpwatch_rules.xml
%%PORTNAME%%/rules/asterisk_rules.xml
%%PORTNAME%%/rules/attack_rules.xml
%%PORTNAME%%/rules/cimserver_rules.xml
%%PORTNAME%%/rules/cisco-ios_rules.xml
%%PORTNAME%%/rules/clam_av_rules.xml
%%PORTNAME%%/rules/courier_rules.xml
%%PORTNAME%%/rules/dovecot_rules.xml
%%PORTNAME%%/rules/dropbear_rules.xml
%%PORTNAME%%/rules/firewall_rules.xml
%%PORTNAME%%/rules/ftpd_rules.xml
%%PORTNAME%%/rules/hordeimp_rules.xml
%%PORTNAME%%/rules/ids_rules.xml
%%PORTNAME%%/rules/imapd_rules.xml
%%PORTNAME%%/rules/local_rules.xml
%%PORTNAME%%/rules/mailscanner_rules.xml
%%PORTNAME%%/rules/mcafee_av_rules.xml
%%PORTNAME%%/rules/ms-exchange_rules.xml
%%PORTNAME%%/rules/ms-se_rules.xml
%%PORTNAME%%/rules/ms_dhcp_rules.xml
%%PORTNAME%%/rules/ms_ftpd_rules.xml
%%PORTNAME%%/rules/msauth_rules.xml
%%PORTNAME%%/rules/mysql_rules.xml
%%PORTNAME%%/rules/named_rules.xml
%%PORTNAME%%/rules/netscreenfw_rules.xml
%%PORTNAME%%/rules/nginx_rules.xml
%%PORTNAME%%/rules/openbsd_rules.xml
%%PORTNAME%%/rules/ossec_rules.xml
%%PORTNAME%%/rules/pam_rules.xml
%%PORTNAME%%/rules/php_rules.xml
%%PORTNAME%%/rules/pix_rules.xml
%%PORTNAME%%/rules/policy_rules.xml
%%PORTNAME%%/rules/postfix_rules.xml
%%PORTNAME%%/rules/postgresql_rules.xml
%%PORTNAME%%/rules/proftpd_rules.xml
%%PORTNAME%%/rules/pure-ftpd_rules.xml
%%PORTNAME%%/rules/racoon_rules.xml
%%PORTNAME%%/rules/roundcube_rules.xml
%%PORTNAME%%/rules/rules_config.xml
%%PORTNAME%%/rules/sendmail_rules.xml
%%PORTNAME%%/rules/smbd_rules.xml
%%PORTNAME%%/rules/solaris_bsm_rules.xml
%%PORTNAME%%/rules/sonicwall_rules.xml
%%PORTNAME%%/rules/spamd_rules.xml
%%PORTNAME%%/rules/squid_rules.xml
%%PORTNAME%%/rules/sshd_rules.xml
%%PORTNAME%%/rules/symantec-av_rules.xml
%%PORTNAME%%/rules/symantec-ws_rules.xml
%%PORTNAME%%/rules/syslog_rules.xml
%%PORTNAME%%/rules/telnetd_rules.xml
%%PORTNAME%%/rules/trend-osce_rules.xml
%%PORTNAME%%/rules/vmpop3d_rules.xml
%%PORTNAME%%/rules/vmware_rules.xml
%%PORTNAME%%/rules/vpn_concentrator_rules.xml
%%PORTNAME%%/rules/vpopmail_rules.xml
%%PORTNAME%%/rules/vsftpd_rules.xml
%%PORTNAME%%/rules/web_appsec_rules.xml
%%PORTNAME%%/rules/web_rules.xml
%%PORTNAME%%/rules/wordpress_rules.xml
%%PORTNAME%%/rules/zeus_rules.xml
@owner root
@group ossec
%%PORTNAME%%/agentless/main.exp
%%PORTNAME%%/agentless/register_host.sh
%%PORTNAME%%/agentless/ssh.exp
%%PORTNAME%%/agentless/ssh_asa-fwsmconfig_diff
%%PORTNAME%%/agentless/ssh_foundry_diff
%%PORTNAME%%/agentless/ssh_generic_diff
%%PORTNAME%%/agentless/ssh_integrity_check_bsd
%%PORTNAME%%/agentless/ssh_integrity_check_linux
%%PORTNAME%%/agentless/ssh_nopass.exp
%%PORTNAME%%/agentless/ssh_pixconfig_diff
%%PORTNAME%%/agentless/sshlogin.exp
%%PORTNAME%%/agentless/su.exp
@(ossec,,) %%PORTNAME%%/logs/active-responses.log
@(ossec,,) %%PORTNAME%%/logs/ossec.log
@mode 550
@dir %%PORTNAME%%/.ssh
@dir %%PORTNAME%%/active-response/bin
@dir %%PORTNAME%%/active-response
@dir %%PORTNAME%%/agentless
@dir %%PORTNAME%%/bin
@dir %%PORTNAME%%/etc/shared
@dir %%PORTNAME%%/etc
@dir %%PORTNAME%%/queue/rootcheck
@dir %%PORTNAME%%/rules
@dir %%PORTNAME%%/tmp
@mode 770
@dir %%PORTNAME%%/var/run
@mode 550
@dir %%PORTNAME%%/var
@owner ossec
@mode 770
@dir %%PORTNAME%%/queue/alerts
@dir %%PORTNAME%%/queue/ossec
@mode 750
@dir %%PORTNAME%%/queue/fts
@dir %%PORTNAME%%/queue/syscheck
@dir %%PORTNAME%%/queue/diff
@dir %%PORTNAME%%/queue/agentless
@dir %%PORTNAME%%/stats
@dir %%PORTNAME%%/logs/alerts
@dir %%PORTNAME%%/logs/archives
@dir %%PORTNAME%%/logs/firewall
@dir %%PORTNAME%%/logs
@owner ossecr
@dir %%PORTNAME%%/queue/agent-info
@dir %%PORTNAME%%/queue/rids
@owner ossec
@mode 550
@dir %%PORTNAME%%/queue
@owner root
@mode 550
@dir %%PORTNAME%%




@dir(,ossec,550) %%PORTNAME%%
@dir(,ossec,550) %%PORTNAME%%/active-response
@dir(,ossec,550) %%PORTNAME%%/active-response/bin
@(,ossec,550) %%PORTNAME%%/active-response/bin/disable-account.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/firewall-drop.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/firewalld-drop.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/host-deny.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ip-customblock.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ipfw.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ipfw_mac.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/merge-configs.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/npf.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ossec-slack.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ossec-tweeter.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/pf.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/restart-ossec.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/route-null.sh
@dir(,,550) %%PORTNAME%%/bin
@(,,550) %%PORTNAME%%/bin/agent-auth
@(,,550) %%PORTNAME%%/bin/manage_agents
@(,,550) %%PORTNAME%%/bin/ossec-agentd
@(,,550) %%PORTNAME%%/bin/ossec-control
@(,,550) %%PORTNAME%%/bin/ossec-execd
@(,,550) %%PORTNAME%%/bin/ossec-logcollector
@(,,550) %%PORTNAME%%/bin/ossec-lua
@(,,550) %%PORTNAME%%/bin/ossec-luac
@(,,550) %%PORTNAME%%/bin/ossec-syscheckd
@(,,550) %%PORTNAME%%/bin/ossec_conf
@(,,550) %%PORTNAME%%/bin/util.sh
@dir(,ossec,550) %%PORTNAME%%/etc
@(,ossec,640) %%PORTNAME%%/etc/internal_options.conf
@(,ossec,440) %%PORTNAME%%/etc/localtime
@(,ossec,640) %%PORTNAME%%/etc/ossec-dist.conf
@sample(,ossec,640) %%PORTNAME%%/etc/ossec-local.conf.sample
@dir(,ossec,770) %%PORTNAME%%/etc/shared
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_debian_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_mysql5-6_community_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_rhel5_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_rhel6_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_rhel7_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_rhel_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_sles11_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/cis_sles12_linux_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/rootkit_files.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/rootkit_trojans.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/system_audit_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/system_audit_ssh.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/win_applications_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/win_audit_rcl.txt
@(ossec,ossec,644) %%PORTNAME%%/etc/shared/win_malware_rcl.txt
@dir(ossec,ossec,750) %%PORTNAME%%/logs
@dir(,ossec,700) %%PORTNAME%%/.ssh
@dir(,ossec,550) %%PORTNAME%%/queue
@dir(ossec,ossec,770) %%PORTNAME%%/queue/alerts
@dir(ossec,ossec,750) %%PORTNAME%%/queue/diff
@dir(ossec,ossec,750) %%PORTNAME%%/queue/ossec
@dir(ossec,ossec,750) %%PORTNAME%%/queue/rids
@dir(ossec,ossec,750) %%PORTNAME%%/queue/syscheck
@dir(,ossec,770) %%PORTNAME%%/tmp
@dir(,ossec,550) %%PORTNAME%%/var
@dir(,ossec,770) %%PORTNAME%%/var/run
%%PORTDOCS%%%%DOCSDIR%%/BUGS
%%PORTDOCS%%%%DOCSDIR%%/CONFIG
%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
%%PORTDOCS%%%%DOCSDIR%%/INSTALL
%%PORTDOCS%%%%DOCSDIR%%/LICENSE




@dir(,ossec,550) %%PORTNAME%%
@dir(,ossec,550) %%PORTNAME%%/active-response
@dir(,ossec,550) %%PORTNAME%%/active-response/bin
@(,ossec,550) %%PORTNAME%%/active-response/bin/disable-account.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/firewall-drop.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/firewalld-drop.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/host-deny.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ip-customblock.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ipfw.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ipfw_mac.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/merge-configs.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/npf.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ossec-slack.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ossec-tweeter.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/pf.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/restart-ossec.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/route-null.sh
@dir(,ossec,550) %%PORTNAME%%/agentless
@(,ossec,550) %%PORTNAME%%/agentless/main.exp
@(,ossec,550) %%PORTNAME%%/agentless/register_host.sh
@(,ossec,550) %%PORTNAME%%/agentless/ssh.exp
@(,ossec,550) %%PORTNAME%%/agentless/ssh_asa-fwsmconfig_diff
@(,ossec,550) %%PORTNAME%%/agentless/ssh_foundry_diff
@(,ossec,550) %%PORTNAME%%/agentless/ssh_generic_diff
@(,ossec,550) %%PORTNAME%%/agentless/ssh_integrity_check_bsd
@(,ossec,550) %%PORTNAME%%/agentless/ssh_integrity_check_linux
@(,ossec,550) %%PORTNAME%%/agentless/ssh_nopass.exp
@(,ossec,550) %%PORTNAME%%/agentless/ssh_pixconfig_diff
@(,ossec,550) %%PORTNAME%%/agentless/sshlogin.exp
@(,ossec,550) %%PORTNAME%%/agentless/su.exp
@dir(,,550) %%PORTNAME%%/bin
@(,,550) %%PORTNAME%%/bin/agent_control
@(,,550) %%PORTNAME%%/bin/clear_stats
@(,,550) %%PORTNAME%%/bin/list_agents
@(,,550) %%PORTNAME%%/bin/manage_agents
@(,,550) %%PORTNAME%%/bin/ossec-agentlessd
@(,,550) %%PORTNAME%%/bin/ossec-analysisd
@(,,550) %%PORTNAME%%/bin/ossec-authd
@(,,550) %%PORTNAME%%/bin/ossec-control
@(,,550) %%PORTNAME%%/bin/ossec-csyslogd
@(,,550) %%PORTNAME%%/bin/ossec-dbd
@(,,550) %%PORTNAME%%/bin/ossec-execd
@(,,550) %%PORTNAME%%/bin/ossec-logcollector
@(,,550) %%PORTNAME%%/bin/ossec-logtest
@(,,550) %%PORTNAME%%/bin/ossec-lua
@(,,550) %%PORTNAME%%/bin/ossec-luac
@(,,550) %%PORTNAME%%/bin/ossec-maild
@(,,550) %%PORTNAME%%/bin/ossec-makelists
@(,,550) %%PORTNAME%%/bin/ossec-monitord
@(,,550) %%PORTNAME%%/bin/ossec-regex
@(,,550) %%PORTNAME%%/bin/ossec-remoted
@(,,550) %%PORTNAME%%/bin/ossec-reportd
@(,,550) %%PORTNAME%%/bin/ossec-syscheckd
@(,,550) %%PORTNAME%%/bin/ossec_conf
@(,,550) %%PORTNAME%%/bin/rootcheck_control
@(,,550) %%PORTNAME%%/bin/syscheck_control
@(,,550) %%PORTNAME%%/bin/syscheck_update
@(,,550) %%PORTNAME%%/bin/util.sh
@(,,550) %%PORTNAME%%/bin/verify-agent-conf
@dir(,ossec,550) %%PORTNAME%%/etc
@(,ossec,640) %%PORTNAME%%/etc/decoder.xml
@(,ossec,640) %%PORTNAME%%/etc/internal_options.conf
@(,ossec,440) %%PORTNAME%%/etc/localtime
@(,ossec,640) %%PORTNAME%%/etc/ossec-dist.conf
@sample(,ossec,640) %%PORTNAME%%/etc/ossec-local.conf.sample
@dir(,ossec,770) %%PORTNAME%%/etc/shared
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_debian_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_mysql5-6_community_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel5_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel6_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel7_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_sles11_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_sles12_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/rootkit_files.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/rootkit_trojans.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/system_audit_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/system_audit_ssh.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/win_applications_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/win_audit_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/win_malware_rcl.txt
@dir(ossec,ossec,750) %%PORTNAME%%/logs
@dir(,ossec,550) %%PORTNAME%%/rules
@(,ossec,640) %%PORTNAME%%/rules/apache_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/apparmor_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/arpwatch_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/asterisk_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/attack_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/cimserver_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/cisco-ios_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/clam_av_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/courier_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/dovecot_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/dropbear_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/exim_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/firewall_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/firewalld_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/freebsd_config_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/freebsd_firewall_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/freebsd_ports_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/hordeimp_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ids_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/imapd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/local_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/mailscanner_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/mcafee_av_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms-exchange_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms-se_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms_dhcp_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms_ftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/msauth_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/mysql_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/named_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/netscreenfw_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/nginx_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/nsd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/openbsd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/opensmtpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ossec_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/owncloud_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/pam_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/php_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/pix_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/policy_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/postfix_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/postgresql_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/proftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/proxmox-ve_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/psad_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/pure-ftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/racoon_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/roundcube_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/rules_config.xml
@(,ossec,640) %%PORTNAME%%/rules/sendmail_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/smbd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/solaris_bsm_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/sonicwall_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/spamd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/squid_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/sshd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/symantec-av_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/symantec-ws_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/syslog_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/sysmon_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/systemd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/telnetd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/trend-osce_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/unbound_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vmpop3d_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vmware_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vpn_concentrator_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vpopmail_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vsftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/web_appsec_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/web_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/wordpress_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/zeus_rules.xml
@dir(,ossec,700) %%PORTNAME%%/.ssh
@dir(ossec,ossec,750) %%PORTNAME%%/logs/alerts
@dir(ossec,ossec,750) %%PORTNAME%%/logs/archives
@dir(ossec,ossec,750) %%PORTNAME%%/logs/firewall
@dir(,ossec,550) %%PORTNAME%%/queue
@dir(ossecr,ossec,750) %%PORTNAME%%/queue/agent-info
@dir(ossec,ossec,750) %%PORTNAME%%/queue/agentless
@dir(ossec,ossec,770) %%PORTNAME%%/queue/alerts
@dir(ossec,ossec,750) %%PORTNAME%%/queue/diff
@dir(ossec,ossec,750) %%PORTNAME%%/queue/fts
@dir(ossec,ossec,750) %%PORTNAME%%/queue/ossec
@dir(ossecr,ossec,750) %%PORTNAME%%/queue/rids
@dir(ossec,ossec,750) %%PORTNAME%%/queue/rootcheck
@dir(ossec,ossec,750) %%PORTNAME%%/queue/syscheck
@dir(ossec,ossec,750) %%PORTNAME%%/stats
@dir(,ossec,770) %%PORTNAME%%/tmp
@dir(,ossec,550) %%PORTNAME%%/var
@dir(,ossec,770) %%PORTNAME%%/var/run
%%PORTDOCS%%%%DOCSDIR%%/BUGS
%%PORTDOCS%%%%DOCSDIR%%/CONFIG
%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
%%PORTDOCS%%%%DOCSDIR%%/INSTALL
%%PORTDOCS%%%%DOCSDIR%%/LICENSE
%%MYSQL%%%%DOCSDIR%%/mysql.schema
%%PGSQL%%%%DOCSDIR%%/postgresql.schema




@dir(,ossec,550) %%PORTNAME%%
@dir(,ossec,550) %%PORTNAME%%/active-response
@dir(,ossec,550) %%PORTNAME%%/active-response/bin
@(,ossec,550) %%PORTNAME%%/active-response/bin/disable-account.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/firewall-drop.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/firewalld-drop.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/host-deny.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ip-customblock.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ipfw.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ipfw_mac.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/merge-configs.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/npf.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ossec-slack.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/ossec-tweeter.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/pf.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/restart-ossec.sh
@(,ossec,550) %%PORTNAME%%/active-response/bin/route-null.sh
@dir(,ossec,550) %%PORTNAME%%/agentless
@(,ossec,550) %%PORTNAME%%/agentless/main.exp
@(,ossec,550) %%PORTNAME%%/agentless/register_host.sh
@(,ossec,550) %%PORTNAME%%/agentless/ssh.exp
@(,ossec,550) %%PORTNAME%%/agentless/ssh_asa-fwsmconfig_diff
@(,ossec,550) %%PORTNAME%%/agentless/ssh_foundry_diff
@(,ossec,550) %%PORTNAME%%/agentless/ssh_generic_diff
@(,ossec,550) %%PORTNAME%%/agentless/ssh_integrity_check_bsd
@(,ossec,550) %%PORTNAME%%/agentless/ssh_integrity_check_linux
@(,ossec,550) %%PORTNAME%%/agentless/ssh_nopass.exp
@(,ossec,550) %%PORTNAME%%/agentless/ssh_pixconfig_diff
@(,ossec,550) %%PORTNAME%%/agentless/sshlogin.exp
@(,ossec,550) %%PORTNAME%%/agentless/su.exp
@dir(,,550) %%PORTNAME%%/bin
@(,,550) %%PORTNAME%%/bin/agent_conf
@(,,550) %%PORTNAME%%/bin/agent_control
@(,,550) %%PORTNAME%%/bin/clear_stats
@(,,550) %%PORTNAME%%/bin/list_agents
@(,,550) %%PORTNAME%%/bin/manage_agents
@(,,550) %%PORTNAME%%/bin/ossec-agentlessd
@(,,550) %%PORTNAME%%/bin/ossec-analysisd
@(,,550) %%PORTNAME%%/bin/ossec-authd
@(,,550) %%PORTNAME%%/bin/ossec-control
@(,,550) %%PORTNAME%%/bin/ossec-csyslogd
@(,,550) %%PORTNAME%%/bin/ossec-dbd
@(,,550) %%PORTNAME%%/bin/ossec-execd
@(,,550) %%PORTNAME%%/bin/ossec-logcollector
@(,,550) %%PORTNAME%%/bin/ossec-logtest
@(,,550) %%PORTNAME%%/bin/ossec-lua
@(,,550) %%PORTNAME%%/bin/ossec-luac
@(,,550) %%PORTNAME%%/bin/ossec-maild
@(,,550) %%PORTNAME%%/bin/ossec-makelists
@(,,550) %%PORTNAME%%/bin/ossec-monitord
@(,,550) %%PORTNAME%%/bin/ossec-regex
@(,,550) %%PORTNAME%%/bin/ossec-remoted
@(,,550) %%PORTNAME%%/bin/ossec-reportd
@(,,550) %%PORTNAME%%/bin/ossec-syscheckd
@(,,550) %%PORTNAME%%/bin/ossec_conf
@(,,550) %%PORTNAME%%/bin/rootcheck_control
@(,,550) %%PORTNAME%%/bin/syscheck_control
@(,,550) %%PORTNAME%%/bin/syscheck_update
@(,,550) %%PORTNAME%%/bin/util.sh
@(,,550) %%PORTNAME%%/bin/verify-agent-conf
@dir(,ossec,550) %%PORTNAME%%/etc
@(,ossec,640) %%PORTNAME%%/etc/agent-dist.conf
@sample(,ossec,640) %%PORTNAME%%/etc/agent-local.conf.sample
@(,ossec,640) %%PORTNAME%%/etc/decoder.xml
@(,ossec,640) %%PORTNAME%%/etc/internal_options.conf
@(,ossec,440) %%PORTNAME%%/etc/localtime
@(,ossec,640) %%PORTNAME%%/etc/ossec-dist.conf
@sample(,ossec,640) %%PORTNAME%%/etc/ossec-local.conf.sample
@dir(,ossec,770) %%PORTNAME%%/etc/shared
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_debian_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_mysql5-6_community_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_mysql5-6_enterprise_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel5_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel6_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel7_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_rhel_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_sles11_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/cis_sles12_linux_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/rootkit_files.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/rootkit_trojans.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/system_audit_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/system_audit_ssh.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/win_applications_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/win_audit_rcl.txt
@(,ossec,640) %%PORTNAME%%/etc/shared/win_malware_rcl.txt
@dir(ossec,ossec,750) %%PORTNAME%%/logs
@dir(,ossec,550) %%PORTNAME%%/rules
@(,ossec,640) %%PORTNAME%%/rules/apache_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/apparmor_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/arpwatch_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/asterisk_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/attack_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/cimserver_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/cisco-ios_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/clam_av_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/courier_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/dovecot_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/dropbear_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/exim_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/firewall_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/firewalld_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/freebsd_config_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/freebsd_firewall_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/freebsd_ports_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/hordeimp_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ids_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/imapd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/local_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/mailscanner_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/mcafee_av_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms-exchange_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms-se_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms_dhcp_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ms_ftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/msauth_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/mysql_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/named_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/netscreenfw_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/nginx_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/nsd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/openbsd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/opensmtpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/ossec_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/owncloud_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/pam_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/php_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/pix_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/policy_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/postfix_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/postgresql_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/proftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/proxmox-ve_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/psad_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/pure-ftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/racoon_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/roundcube_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/rules_config.xml
@(,ossec,640) %%PORTNAME%%/rules/sendmail_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/smbd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/solaris_bsm_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/sonicwall_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/spamd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/squid_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/sshd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/symantec-av_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/symantec-ws_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/syslog_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/sysmon_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/systemd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/telnetd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/trend-osce_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/unbound_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vmpop3d_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vmware_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vpn_concentrator_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vpopmail_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/vsftpd_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/web_appsec_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/web_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/wordpress_rules.xml
@(,ossec,640) %%PORTNAME%%/rules/zeus_rules.xml
@dir(,ossec,700) %%PORTNAME%%/.ssh
@dir(ossec,ossec,750) %%PORTNAME%%/logs/alerts
@dir(ossec,ossec,750) %%PORTNAME%%/logs/archives
@dir(ossec,ossec,750) %%PORTNAME%%/logs/firewall
@dir(,ossec,550) %%PORTNAME%%/queue
@dir(ossecr,ossec,750) %%PORTNAME%%/queue/agent-info
@dir(ossec,ossec,750) %%PORTNAME%%/queue/agentless
@dir(ossec,ossec,770) %%PORTNAME%%/queue/alerts
@dir(ossec,ossec,750) %%PORTNAME%%/queue/diff
@dir(ossec,ossec,750) %%PORTNAME%%/queue/fts
@dir(ossec,ossec,750) %%PORTNAME%%/queue/ossec
@dir(ossecr,ossec,750) %%PORTNAME%%/queue/rids
@dir(ossec,ossec,750) %%PORTNAME%%/queue/rootcheck
@dir(ossec,ossec,750) %%PORTNAME%%/queue/syscheck
@dir(ossec,ossec,750) %%PORTNAME%%/stats
@dir(,ossec,770) %%PORTNAME%%/tmp
@dir(,ossec,550) %%PORTNAME%%/var
@dir(,ossec,770) %%PORTNAME%%/var/run
%%PORTDOCS%%%%DOCSDIR%%/BUGS
%%PORTDOCS%%%%DOCSDIR%%/CONFIG
%%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
%%PORTDOCS%%%%DOCSDIR%%/INSTALL
%%PORTDOCS%%%%DOCSDIR%%/LICENSE
%%MYSQL%%%%DOCSDIR%%/mysql.schema
%%PGSQL%%%%DOCSDIR%%/postgresql.schema




#!/bin/sh

# Script generates entries for pkg-plist
# Do not use it directly. Use the following command instead:
#
# make MAINTAINER_MODE=yes clean plist

OSSEC_TYPE=$1
PLIST=$2
PREFIX=$3
WORKDIR=$4
STAGEDIR="${WORKDIR}/stage"

staged_plist="${WORKDIR}/.staged-plist"
fixed_lines=""
if [ "${OSSEC_TYPE}" != "agent" ]; then
    fixed_lines="${fixed_lines} %%MYSQL%%%%DOCSDIR%%/mysql.schema %%PGSQL%%%%DOCSDIR%%/postgresql.schema"
fi
skip_lines="%%PORTDOCS%%%%DOCSDIR%%/mysql.schema %%PORTDOCS%%%%DOCSDIR%%/postgresql.schema"
skip_paths="/etc/ossec.conf /etc/local_internal_options.conf /etc/client.keys /logs/active-responses.log /logs/ossec.log /lua"
sample_paths="/etc/ossec-local.conf.sample /etc/agent-local.conf.sample"
if [ "${OSSEC_TYPE}" == "agent" ]; then
    skip_paths="${skip_paths} /rules /agentless"
fi

print_path() {
    local path="$1"
    local command="$2"
    local full_path="${STAGEDIR}${PREFIX}${path}"
    if [ -z "${command}" ]; then
	command="@"
	if [ -d "${full_path}" ]; then
	    command="@dir"
	fi
    fi
    local user=`stat -f "%Su" "${full_path}"`
    if [ "${user}" == "${USER}" ]; then
	user=""
    fi
    local group=`stat -f "%Sg" "${full_path}"`
    if [ "${group}" == "${GROUP}" ]; then
	group=""
    fi
    local mode=`stat -f "%p" "${full_path}" | tail -c 4`
    echo -e "${command}(${user},${group},${mode}) %%PORTNAME%%${path}" >> "${PLIST}"
}

echo -n > "${PLIST}"

print_path

done_paths=""
while read line; do
    skip_line=""
    for e in ${skip_lines}; do
	if [ "${e}" == "${line}" ]; then
	    skip_line="${e}"
	    break
	fi
    done
    if [ -z "${skip_line}" ]; then
	path=""
	case $line in
	    "@dir %%PORTNAME%%"*)
		path=`echo "${line}" | sed -e "s|@dir %%PORTNAME%%||g"`
		;;
	    "%%PORTNAME%%"*)
		path=`echo "${line}" | sed -e "s|%%PORTNAME%%||g"`
		;;
	    "%%"*)
		unchanged_lines="${unchanged_lines} ${line}"
		;;
	esac
	if [ -n "${path}" ]; then
	    segments=`echo "${path}" | tr "/" "\n"`
	    path=""
	    for segment in ${segments}; do
		path="${path}/${segment}"
		skip_path=""
		for e in ${skip_paths}; do
		    if [ "${e}" == "${path}" ]; then
			skip_path="${e}"
			break
		    fi
		done
		if [ -n "${skip_path}" ]; then
		    break
		fi
		done_path=""
		for e in ${done_paths}; do
		    if [ "${e}" == "${path}" ]; then
			done_path="${e}"
			break
		    fi
		done
		if [ -z "${done_path}" ]; then
		    done_paths="${done_paths} ${path}"
		    sample_path=""
		    for e in ${sample_paths}; do
			if [ "${e}" == "${path}" ]; then
			    sample_path="${e}"
			    break
			fi
		    done
		    if [ -n "${sample_path}" ]; then
			print_path "${path}" @sample
		    else
			print_path "${path}"
		    fi
		fi
	    done
	fi
    fi
done < "${staged_plist}"

unchanged_lines="${unchanged_lines} ${fixed_lines}"
for line in ${unchanged_lines}; do
    echo "${line}" >> "${PLIST}"
done




#!/bin/sh

ossec_type="$1"
ossec_prefix="$2"
ossec_file="$3"

ossec_syscheck_dirs="${ossec_prefix}/etc,${ossec_prefix}/bin,${ossec_prefix}/active-response"

replace() {
    sed -e 's|<template_config\(.*\)>|<agent_config\1>|' \
        -e 's|</template_config>|</agent_config>|' \
        -e "s|%%OSSEC_SYSCHECK_DIRS%%|${ossec_syscheck_dirs}|" \
        -e 's|^  <!-- agent:.*-->$||' \
        "${ossec_file}"
}

extract() {
    sed -n '/^<agent_config.*>$/,/^<\/agent_config>$/p'
}

replace | extract




#!/bin/sh

ossec_type="$1"
ossec_prefix="$2"
ossec_file="$3"

ossec_syscheck_dirs="${ossec_prefix}/etc,${ossec_prefix}/bin,${ossec_prefix}/active-response"
if [ "${ossec_type}" != "agent" ]; then
    ossec_syscheck_dirs="${ossec_syscheck_dirs},${ossec_prefix}/agentless,${ossec_prefix}/rules"
fi

replace() {
    case "${ossec_type}" in
        agent)
            sed -e 's|<template_config>|<ossec_config>|' \
                -e 's|<template_config .*os="FreeBSD".*>|<ossec_config>|' \
                -e 's|</template_config>|</ossec_config>|' \
                -e "s|%%OSSEC_SYSCHECK_DIRS%%|${ossec_syscheck_dirs}|" \
                -e 's|^  <!-- agent:\(.*\)-->$|  <!--\1-->|' \
                "${ossec_file}"
            ;;
        *)
            sed -e 's|<template_config>|<ossec_config>|' \
                -e 's|<template_config .*os="FreeBSD".*>|<ossec_config>|' \
                -e 's|</template_config>|</ossec_config>|' \
                -e "s|%%OSSEC_SYSCHECK_DIRS%%|${ossec_syscheck_dirs}|" \
                -e 's|^  <!-- agent:.*-->$||' \
                "${ossec_file}"
            ;;
    esac
}

extract() {
    sed -n '/^<ossec_config.*>$/,/^<\/ossec_config>$/p'
}

replace | extract

Return to bug 226465

Line 0 Link Here

(-)files/agent-conf.in (+35 lines)
	1	#!/bin/sh
	2
	3	ossec_type="%%OSSEC_TYPE%%"
	4	ossec_home="%%PREFIX%%/%%PORTNAME%%"
	5
	6	agent_dist_conf="${ossec_home}/etc/agent-dist.conf"
	7	agent_local_conf="${ossec_home}/etc/agent-local.conf"
	8
	9	select_elements() {
	10	local element="$1"
	11	sed -n "/<${element}.*>/,/<\/${element}>/p"
	12	}
	13
	14	remove_comments() {
	15	# Comments must be on separate lines i.e. not next to uncommented code
	16	awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
	17	}
	18
	19	remove_empty_lines() {
	20	sed '/^\s*$/d'
	21	}
	22
	23	agent_conf() {
	24	local dist_conf="$1"
	25	local local_conf="$2"
	26
	27	echo "<!-- OSSEC HIDS %%VERSION%% -->"
	28	echo
	29	echo "<!-- DO NOT EDIT - edit \"${local_conf}\" instead -->"
	30	echo
	31
	32	cat "${dist_conf}" "${local_conf}" \| remove_comments \| select_elements "agent_config" \| remove_empty_lines
	33	}
	34
	35	agent_conf "${agent_dist_conf}" "${agent_local_conf}"

Line 0 Link Here

(-)files/merge-config.sh.in (+32 lines)
	1	#!/bin/sh
	2
	3	# This script is part of FreeBSD port - report any issues to the port MAINTAINER
	4
	5	ossec_type="%%OSSEC_TYPE%%"
	6	ossec_home="%%PREFIX%%/%%PORTNAME%%"
	7	ossec_rc="%%OSSEC_RC%%"
	8
	9	ACTION=$1
	10	USER=$2
	11	IP=$3
	12
	13	LOCAL=`dirname $0`;
	14	cd $LOCAL
	15	cd ../../tmp
	16
	17	# Logging the call
	18	echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
	19
	20	case ${ACTION} in
	21	add)
	22	"${ossec_rc}" merge_config
	23	exit 0
	24	;;
	25	delete)
	26	exit 0
	27	;;
	28	*)
	29	echo "$0: invalid action: ${ACTION}"
	30	exit 1
	31	;;
	32	esac

Line 0 Link Here

(-)files/ossec-conf.in (+63 lines)
	1	#!/bin/sh
	2
	3	ossec_type="%%OSSEC_TYPE%%"
	4	ossec_home="%%PREFIX%%/%%PORTNAME%%"
	5
	6	ossec_dist_conf="${ossec_home}/etc/ossec-dist.conf"
	7	ossec_local_conf="${ossec_home}/etc/ossec-local.conf"
	8
	9	select_elements_content() {
	10	local element="$1"
	11	sed -n "/<${element}>/,/<\/${element}>/{ /<${element}>/d; /<\/${element}>/d; p; }"
	12	}
	13
	14	remove_elements() {
	15	local element="$1"
	16	sed -e "/<${element}>/,/<\/${element}>/d"
	17	}
	18
	19	remove_comments() {
	20	# Comments must be on separate lines i.e. not next to uncommented code
	21	awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}'
	22	}
	23
	24	remove_empty_lines() {
	25	sed '/^\s*$/d'
	26	}
	27
	28	ossec_conf() {
	29	local dist_conf="$1"
	30	local local_conf="$2"
	31
	32	echo "<!-- OSSEC HIDS %%VERSION%% -->"
	33	echo
	34	echo "<!-- DO NOT EDIT - edit \"${local_conf}\" instead -->"
	35	echo
	36	echo "<ossec_config>"
	37
	38	if [ "${ossec_type}" != "agent" ]; then
	39	if cat "${dist_conf}" "${local_conf}" \| remove_comments \| grep -q "<rules>"; then
	40	echo " <rules>"
	41	cat "${dist_conf}" "${local_conf}" \| remove_comments \| select_elements_content "rules" \| remove_empty_lines
	42	echo " </rules>"
	43	fi
	44	fi
	45
	46	if cat "${dist_conf}" "${local_conf}" \| remove_comments \| grep -q "<rootcheck>"; then
	47	echo " <rootcheck>"
	48	cat "${dist_conf}" "${local_conf}" \| remove_comments \| select_elements_content "rootcheck" \| remove_empty_lines
	49	echo " </rootcheck>"
	50	fi
	51
	52	if cat "${dist_conf}" "${local_conf}" \| remove_comments \| grep -q "<syscheck>"; then
	53	echo " <syscheck>"
	54	cat "${dist_conf}" "${local_conf}" \| remove_comments \| select_elements_content "syscheck" \| remove_empty_lines
	55	echo " </syscheck>"
	56	fi
	57
	58	cat "${dist_conf}" "${local_conf}" \| remove_comments \| select_elements_content "ossec_config" \| remove_elements "rules" \| remove_elements "rootcheck" \| remove_elements "syscheck" \| remove_empty_lines
	59
	60	echo "</ossec_config>"
	61	}
	62
	63	ossec_conf "${ossec_dist_conf}" "${ossec_local_conf}"

Line 0 Link Here

(-)files/patch-active-response_host-deny.sh (+24 lines)
	1	--- active-response/host-deny.sh.orig 2017-12-19 21:30:31 UTC
	2	+++ active-response/host-deny.sh
	3	@@ -11,7 +11,7 @@ IP=$3
	4
	5	LOCAL=`dirname $0`;
	6	cd $LOCAL
	7	-cd ../
	8	+cd ../../tmp
	9	PWD=`pwd`
	10	LOCK="${PWD}/host-deny-lock"
	11	LOCK_PID="${PWD}/host-deny-lock/pid"
	12	@@ -112,10 +112,10 @@ if [ "x${ACTION}" = "xadd" ]; then
	13	# Deleting from hosts.deny
	14	elif [ "x${ACTION}" = "xdelete" ]; then
	15	lock;
	16	- TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
	17	+ TMP_FILE=`mktemp ${PWD}/ossec-hosts.XXXXXXXXXX`
	18	if [ "X${TMP_FILE}" = "X" ]; then
	19	# Cheap fake tmpfile, but should be harder then no random data
	20	- TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -1 `"
	21	+ TMP_FILE="${PWD}/ossec-hosts.`cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -1 `"
	22	fi
	23	echo "${IP}" \| grep "\:" > /dev/null 2>&1
	24	if [ $? = 0 ]; then

Lines 1-123 Link Here

(-)files/patch-src__InstallAgent.sh (-123 lines)
1	--- src/InstallAgent.sh.orig 2015-10-12 21:21:06 UTC
2	+++ src/InstallAgent.sh
3	@@ -37,11 +37,11 @@ fi
4
5	# Creating groups/users
6	if [ "$UNAME" = "FreeBSD" -o "$UNAME" = "DragonFly" ]; then
7	- grep "^${USER}" /etc/passwd > /dev/null 2>&1
8	- if [ ! $? = 0 ]; then
9	- /usr/sbin/pw groupadd ${GROUP}
10	- /usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
11	- fi
12	+ #grep "^${USER}" /etc/passwd > /dev/null 2>&1
13	+ #if [ ! $? = 0 ]; then
14	+ #/usr/sbin/pw groupadd ${GROUP}
15	+ #/usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
16	+ #fi
17
18	elif [ "$UNAME" = "SunOS" ]; then
19	grep "^${USER}" /etc/passwd > /dev/null 2>&1
20	@@ -106,22 +106,17 @@ for i in ${subdirs}; do
21	done
22
23	# Default for all directories
24	-chmod -R 550 ${DIR}
25	-chown -R root:${GROUP} ${DIR}
26	+chmod -R 750 ${DIR}
27
28	# To the ossec queue (default for agentd to read)
29	-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
30	chmod -R 770 ${DIR}/queue/ossec
31
32	# For the logging user
33	-chown -R ${USER}:${GROUP} ${DIR}/logs
34	chmod -R 750 ${DIR}/logs
35	chmod -R 775 ${DIR}/queue/rids
36	touch ${DIR}/logs/ossec.log
37	-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
38	chmod 664 ${DIR}/logs/ossec.log
39
40	-chown -R ${USER}:${GROUP} ${DIR}/queue/diff
41	chmod -R 750 ${DIR}/queue/diff
42	chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
43
44	@@ -131,8 +126,7 @@ chmod 1550 ${DIR}/tmp
45
46
47	# For the etc dir
48	-chmod 550 ${DIR}/etc
49	-chown -R root:${GROUP} ${DIR}/etc
50	+chmod 750 ${DIR}/etc
51
52	ls /etc/localtime > /dev/null 2>&1
53	if [ $? = 0 ]; then
54	@@ -144,13 +138,11 @@ if [ "$UNAME" = "SunOS" ]; then
55	mkdir -p ${DIR}/usr/share/lib/zoneinfo/
56	chmod -R 555 ${DIR}/usr/
57	cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
58	- chown -R root:${GROUP} ${DIR}/usr/
59	fi
60
61	ls /etc/TIMEZONE > /dev/null 2>&1
62	if [ $? = 0 ]; then
63	cp -p /etc/TIMEZONE ${DIR}/etc/;
64	- chown root:${GROUP} ${DIR}/etc/TIMEZONE
65	chmod 555 ${DIR}/etc/TIMEZONE
66	fi
67
68	@@ -170,25 +162,17 @@ cp -pr ../etc/local_internal_options.con
69	cp -pr ../etc/client.keys ${DIR}/etc/ > /dev/null 2>&1
70	cp -pr agentlessd/scripts/* ${DIR}/agentless/
71
72	-chown root:${GROUP} ${DIR}/etc/internal_options.conf
73	-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
74	-chown root:${GROUP} ${DIR}/etc/client.keys > /dev/null 2>&1
75	-chown root:${GROUP} ${DIR}/agentless/*
76	-chown ${USER}:${GROUP} ${DIR}/.ssh
77	-chown -R root:${GROUP} ${DIR}/etc/shared
78	-
79	-chmod 550 ${DIR}/etc
80	+chmod 750 ${DIR}/etc
81	chmod 440 ${DIR}/etc/internal_options.conf
82	chmod 440 ${DIR}/etc/local_internal_options.conf > /dev/null 2>&1
83	chmod 440 ${DIR}/etc/client.keys > /dev/null 2>&1
84	chmod -R 770 ${DIR}/etc/shared # ossec must be able to write to it
85	-chmod 550 ${DIR}/agentless/*
86	+chmod 750 ${DIR}/agentless/*
87	chmod 700 ${DIR}/.ssh
88
89
90	# For the /var/run
91	chmod 770 ${DIR}/var/run
92	-chown root:${GROUP} ${DIR}/var/run
93
94
95	# Moving the binary files
96	@@ -202,7 +186,6 @@ cp -pr addagent/manage_agents ${DIR}/bin
97	cp -pr ../contrib/util.sh ${DIR}/bin/
98	cp -pr external/lua/src/ossec-lua ${DIR}/bin/
99	cp -pr external/lua/src/ossec-luac ${DIR}/bin/
100	-chown root:${GROUP} ${DIR}/bin/util.sh
101	chmod +x ${DIR}/bin/util.sh
102
103	# Copying active response modules
104	@@ -210,10 +193,8 @@ sh ./init/fw-check.sh execute > /dev/nul
105	cp -pr ../active-response/*.sh ${DIR}/active-response/bin/
106	cp -pr ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
107	chmod 755 ${DIR}/active-response/bin/*
108	-chown root:${GROUP} ${DIR}/active-response/bin/*
109
110	-chown root:${GROUP} ${DIR}/bin/*
111	-chmod 550 ${DIR}/bin/*
112	+chmod 750 ${DIR}/bin/*
113
114
115	# Moving the config file
116	@@ -229,7 +210,6 @@ if [ $? = 0 ]; then
117	else
118	cp -pr ../etc/ossec-agent.conf ${DIR}/etc/ossec.conf
119	fi
120	-chown root:${GROUP} ${DIR}/etc/ossec.conf
121	chmod 440 ${DIR}/etc/ossec.conf
122
123

Lines 1-208 Link Here

(-)files/patch-src__InstallServer.sh (-208 lines)
1	--- src/InstallServer.sh.orig 2015-10-12 21:21:06 UTC
2	+++ src/InstallServer.sh
3	@@ -44,13 +44,13 @@ fi
4
5	# Creating groups/users
6	if [ "$UNAME" = "FreeBSD" -o "$UNAME" = "DragonFly" ]; then
7	- grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
8	- if [ ! $? = 0 ]; then
9	- /usr/sbin/pw groupadd ${GROUP}
10	- /usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
11	- /usr/sbin/pw useradd ${USER_MAIL} -d ${DIR} -s /sbin/nologin -g ${GROUP}
12	- /usr/sbin/pw useradd ${USER_REM} -d ${DIR} -s /sbin/nologin -g ${GROUP}
13	- fi
14	+# grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
15	+# if [ ! $? = 0 ]; then
16	+# /usr/sbin/pw groupadd ${GROUP}
17	+# /usr/sbin/pw useradd ${USER} -d ${DIR} -s /sbin/nologin -g ${GROUP}
18	+# /usr/sbin/pw useradd ${USER_MAIL} -d ${DIR} -s /sbin/nologin -g ${GROUP}
19	+# /usr/sbin/pw useradd ${USER_REM} -d ${DIR} -s /sbin/nologin -g ${GROUP}
20	+# fi
21
22	elif [ "$UNAME" = "SunOS" ]; then
23	grep "^${USER_REM}" /etc/passwd > /dev/null 2>&1
24	@@ -121,66 +121,49 @@ for i in ${subdirs}; do
25	done
26
27	# Default for all directories
28	-chmod 550 ${DIR}
29	-chmod 550 ${DIR}/*
30	-chown root:${GROUP} ${DIR}
31	-chown root:${GROUP} ${DIR}/*
32	+chmod 750 ${DIR}
33	+chmod 750 ${DIR}/*
34
35	# AnalysisD needs to write to alerts: log, mail and cmds
36	-chown -R ${USER}:${GROUP} ${DIR}/queue/alerts
37	chmod -R 770 ${DIR}/queue/alerts
38
39	# To the ossec queue (default for analysisd to read)
40	-chown -R ${USER}:${GROUP} ${DIR}/queue/ossec
41	chmod -R 770 ${DIR}/queue/ossec
42
43	# To the ossec fts queue
44	-chown -R ${USER}:${GROUP} ${DIR}/queue/fts
45	chmod -R 750 ${DIR}/queue/fts
46	chmod 750 ${DIR}/queue/fts/* > /dev/null 2>&1
47
48	# To the ossec syscheck/rootcheck queue
49	-chown -R ${USER}:${GROUP} ${DIR}/queue/syscheck
50	chmod -R 750 ${DIR}/queue/syscheck
51	chmod 740 ${DIR}/queue/syscheck/* > /dev/null 2>&1
52
53	-chown -R ${USER}:${GROUP} ${DIR}/queue/rootcheck
54	chmod -R 750 ${DIR}/queue/rootcheck
55	chmod 740 ${DIR}/queue/rootcheck/* > /dev/null 2>&1
56
57	-chown ${USER}:${GROUP} ${DIR}/queue/diff
58	-chown ${USER}:${GROUP} ${DIR}/queue/diff/* > /dev/null 2>&1
59	chmod 750 ${DIR}/queue/diff
60	chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1
61
62	-chown -R ${USER_REM}:${GROUP} ${DIR}/queue/agent-info
63	chmod -R 750 ${DIR}/queue/agent-info
64	chmod 740 ${DIR}/queue/agent-info/* > /dev/null 2>&1
65	-chown -R ${USER_REM}:${GROUP} ${DIR}/queue/rids
66	chmod -R 750 ${DIR}/queue/rids
67	chmod 740 ${DIR}/queue/rids/* > /dev/null 2>&1
68
69	-chown -R ${USER}:${GROUP} ${DIR}/queue/agentless
70	chmod -R 750 ${DIR}/queue/agentless
71	chmod 740 ${DIR}/queue/agentless/* > /dev/null 2>&1
72
73	-chown -R root:${GROUP} ${DIR}/tmp
74	-chmod 1550 ${DIR}/tmp
75	+chmod 1750 ${DIR}/tmp
76
77
78	# For the stats directory
79	-chown -R ${USER}:${GROUP} ${DIR}/stats
80	chmod -R 750 ${DIR}/stats
81
82	# For the logging user
83	-chown -R ${USER}:${GROUP} ${DIR}/logs
84	chmod -R 750 ${DIR}/logs
85	touch ${DIR}/logs/ossec.log
86	-chown ${USER}:${GROUP} ${DIR}/logs/ossec.log
87	chmod 660 ${DIR}/logs/ossec.log
88
89	touch ${DIR}/logs/active-responses.log
90	-chown ${USER}:${GROUP} ${DIR}/logs/active-responses.log
91	chmod 660 ${DIR}/logs/active-responses.log
92
93	# For the rules directory
94	@@ -198,7 +181,7 @@ if [ $? = 0 ]; then
95	fi
96	fi
97
98	-cp -pr ../etc/rules/* ${DIR}/rules/
99	+cp -pr ../etc/rules/*.xml ${DIR}/rules/
100	find ${DIR}/rules/ -type f -exec chmod 440 {} \;
101
102	# If the local_rules is saved, moved it back
103	@@ -207,37 +190,33 @@ if [ $? = 0 ]; then
104	mv ${DIR}/rules/saved_local_rules.xml.$$ ${DIR}/rules/local_rules.xml
105	fi
106
107	-chown -R root:${GROUP} ${DIR}/rules
108	-chmod -R 550 ${DIR}/rules
109	+chmod -R 750 ${DIR}/rules
110
111
112	# For the etc dir
113	-chmod 550 ${DIR}/etc
114	-chown -R root:${GROUP} ${DIR}/etc
115	+chmod 750 ${DIR}/etc
116	ls /etc/localtime > /dev/null 2>&1
117	if [ $? = 0 ]; then
118	cp -pL /etc/localtime ${DIR}/etc/;
119	chmod 440 ${DIR}/etc/localtime
120	- chown root:${GROUP} ${DIR}/etc/localtime
121	fi
122
123	# Solaris Needs some extra files
124	if [ "$UNAME" = "SunOS" ]; then
125	mkdir -p ${DIR}/usr/share/lib/zoneinfo/
126	- chmod -R 550 ${DIR}/usr/
127	+ chmod -R 750 ${DIR}/usr/
128	cp -pr /usr/share/lib/zoneinfo/* ${DIR}/usr/share/lib/zoneinfo/
129	fi
130
131	ls /etc/TIMEZONE > /dev/null 2>&1
132	if [ $? = 0 ]; then
133	cp -p /etc/TIMEZONE ${DIR}/etc/;
134	- chmod 550 ${DIR}/etc/TIMEZONE
135	+ chmod 750 ${DIR}/etc/TIMEZONE
136	fi
137
138
139	# For the /var/run
140	chmod 770 ${DIR}/var/run
141	-chown root:${GROUP} ${DIR}/var/run
142
143	# Moving the binary files
144	cp -pr addagent/manage_agents agentlessd/ossec-agentlessd \
145	@@ -260,7 +239,6 @@ cp -pr util/rootcheck_control ${DIR}/bin
146	cp -pr external/lua/src/ossec-lua ${DIR}/bin/
147	cp -pr external/lua/src/ossec-luac ${DIR}/bin/
148	cp -pr ../contrib/util.sh ${DIR}/bin/
149	-chown root:${GROUP} ${DIR}/bin/util.sh
150	chmod +x ${DIR}/bin/util.sh
151
152	# Local install chosen
153	@@ -290,23 +268,15 @@ fi
154
155	cp -pr ../etc/internal_options.conf ${DIR}/etc/
156	cp -pr rootcheck/db/*.txt ${DIR}/etc/shared/
157	-chown root:${GROUP} ${DIR}/etc/decoder.xml
158	-chown root:${GROUP} ${DIR}/etc/local_decoder.xml >/dev/null 2>&1
159	-chown root:${GROUP} ${DIR}/etc/internal_options.conf
160	-chown root:${GROUP} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1
161	-chown root:${GROUP} ${DIR}/etc/client.keys >/dev/null 2>&1
162	-chown root:${GROUP} ${DIR}/etc/shared/*
163	-chown root:${GROUP} ${DIR}/agentless/*
164	-chown ${USER}:${GROUP} ${DIR}/.ssh
165	chmod 440 ${DIR}/etc/decoder.xml
166	chmod 440 ${DIR}/etc/local_decoder.xml >/dev/null 2>&1
167	chmod 440 ${DIR}/etc/internal_options.conf
168	chmod 440 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1
169	chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1
170	-chmod 550 ${DIR}/etc
171	+chmod 750 ${DIR}/etc
172	chmod 770 ${DIR}/etc/shared
173	chmod 440 ${DIR}/etc/shared/*
174	-chmod 550 ${DIR}/agentless/*
175	+chmod 750 ${DIR}/agentless/*
176	rm ${DIR}/etc/shared/merged.mg >/dev/null 2>&1
177	chmod 700 ${DIR}/.ssh
178
179	@@ -316,11 +286,9 @@ sh ./init/fw-check.sh execute > /dev/nul
180	cp -p ../active-response/*.sh ${DIR}/active-response/bin/
181	cp -p ../active-response/firewalls/*.sh ${DIR}/active-response/bin/
182
183	-chmod 550 ${DIR}/active-response/bin/*
184	-chown root:${GROUP} ${DIR}/active-response/bin/*
185	+chmod 750 ${DIR}/active-response/bin/*
186
187	-chown root:${GROUP} ${DIR}/bin/*
188	-chmod 550 ${DIR}/bin/*
189	+chmod 750 ${DIR}/bin/*
190
191
192	# Moving the config file
193	@@ -331,12 +299,11 @@ fi
194
195	ls ../etc/ossec.mc > /dev/null 2>&1
196	if [ $? = 0 ]; then
197	- cp -pr ../etc/ossec.mc ${DIR}/etc/ossec.conf
198	+ cp -pr ../etc/ossec.mc ${DIR}/etc/ossec.conf.sample
199	else
200	- cp -pr ../etc/ossec-server.conf ${DIR}/etc/ossec.conf
201	+ cp -pr ../etc/ossec-server.conf ${DIR}/etc/ossec.conf.sample
202	fi
203	-chown root:${GROUP} ${DIR}/etc/ossec.conf
204	-chmod 440 ${DIR}/etc/ossec.conf
205	+chmod 640 ${DIR}/etc/ossec.conf.sample
206
207
208

Line 0 Link Here

(-)files/patch-src_os__net_os__net.c (+24 lines)
	1	--- src/os_net/os_net.c.orig 2017-12-19 21:30:31 UTC
	2	+++ src/os_net/os_net.c
	3	@@ -48,16 +48,16 @@ int OS_Bindport(char *_port, unsigned in
	4
	5
	6	memset(&hints, 0, sizeof(struct addrinfo));
	7	-#ifdef AI_V4MAPPED
	8	- hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */
	9	- hints.ai_flags = AI_PASSIVE \| AI_ADDRCONFIG \| AI_V4MAPPED;
	10	-#else
	11	+//#ifdef AI_V4MAPPED
	12	+// hints.ai_family = AF_INET6; /* Allow IPv4 and IPv6 */
	13	+// hints.ai_flags = AI_PASSIVE \| AI_ADDRCONFIG \| AI_V4MAPPED;
	14	+//#else
	15	/* Certain *BSD OS (eg. OpenBSD) do not allow binding to a
	16	single-socket for both IPv4 and IPv6 per RFC 3493. This will
	17	allow one or the other based on _ip. */
	18	hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
	19	hints.ai_flags = AI_PASSIVE;
	20	-#endif
	21	+//#endif
	22	hints.ai_protocol = _proto;
	23	if (_proto == IPPROTO_UDP) {
	24	hints.ai_socktype = SOCK_DGRAM;

Lines 1-21 Link Here

(-)files/pkg-message.in (-21 lines)
1	After installation, you need to edit the ossec.conf file to reflect
2	the correct settings for your environment. All the files related
3	to %%PORTNAME%% have been installed in %%PREFIX%%/%%PORTNAME%% and
4	its subdirectories.
5
6	For information on proper configuration, see http://www.ossec.net/.
7
8	To enable the startup script, add ossechids_enable="YES" to
9	/etc/rc.conf. To enable database output, execute:
10
11	%%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database
12
13	Then check this documentation:
14
15	http://www.ossec.net/doc/manual/output/database-output.html
16
17	When you deinstall this port after starting the daemons once, many
18	directories that are created by the daemons will remain. To fully
19	remove the port you need to delete those directories manually. To
20	further enhance the security on your system, you may also enable
21	some checks in PAM for a fast reaction against intrusions.

Line 0 Link Here

(-)files/restart-ossec.sh.in (+32 lines)
	1	#!/bin/sh
	2
	3	# This script is part of FreeBSD port - report any issues to the port MAINTAINER
	4
	5	ossec_type="%%OSSEC_TYPE%%"
	6	ossec_home="%%PREFIX%%/%%PORTNAME%%"
	7	ossec_rc="%%OSSEC_RC%%"
	8
	9	ACTION=$1
	10	USER=$2
	11	IP=$3
	12
	13	LOCAL=`dirname $0`;
	14	cd $LOCAL
	15	cd ../../tmp
	16
	17	# Logging the call
	18	echo "`date` $0 $1 $2 $3 $4 $5" >> "${ossec_home}/logs/active-responses.log"
	19
	20	case ${ACTION} in
	21	add)
	22	"${ossec_rc}" restart
	23	exit 0
	24	;;
	25	delete)
	26	exit 0
	27	;;
	28	*)
	29	echo "$0: invalid action: ${ACTION}"
	30	exit 1
	31	;;
	32	esac

Line 0 Link Here

(-)files/rule-config.xml.in (+52 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<group name="ossec,">
	3
	4	<rule id="56001" level="10">
	5	<if_group>syscheck</if_group>
	6	<match>%%PREFIX%%/%%PORTNAME%%/etc/ossec-dist.conf</match>
	7	<description>ossec-dist.conf has been modified</description>
	8	</rule>
	9
	10	<rule id="56002" level="10">
	11	<if_group>syscheck</if_group>
	12	<match>%%PREFIX%%/%%PORTNAME%%/etc/ossec-local.conf</match>
	13	<description>ossec-local.conf has been modified</description>
	14	</rule>
	15
	16	<rule id="56003" level="10" ignore="10">
	17	<if_group>syscheck</if_group>
	18	<match>%%PREFIX%%/%%PORTNAME%%/etc/ossec.conf</match>
	19	<description>ossec.conf has been modified</description>
	20	</rule>
	21
	22	<rule id="56004" level="10" ignore="10">
	23	<if_group>syscheck</if_group>
	24	<match>/var/ossec/etc/ossec.conf</match>
	25	<description>ossec.conf has been modified</description>
	26	</rule>
	27
	28	<rule id="56011" level="10">
	29	<if_group>syscheck</if_group>
	30	<match>%%PREFIX%%/%%PORTNAME%%/etc/agent-dist.conf</match>
	31	<description>agent-dist.conf has been modified</description>
	32	</rule>
	33
	34	<rule id="56012" level="10">
	35	<if_group>syscheck</if_group>
	36	<match>%%PREFIX%%/%%PORTNAME%%/etc/agent-local.conf</match>
	37	<description>agent-local.conf has been modified</description>
	38	</rule>
	39
	40	<rule id="56013" level="10" ignore="10">
	41	<if_group>syscheck</if_group>
	42	<match>%%PREFIX%%/%%PORTNAME%%/etc/shared/agent.conf</match>
	43	<description>agent.conf has been modified</description>
	44	</rule>
	45
	46	<rule id="56014" level="10" ignore="10">
	47	<if_group>syscheck</if_group>
	48	<match>/var/ossec/etc/shared/agent.conf</match>
	49	<description>agent.conf has been modified</description>
	50	</rule>
	51
	52	</group>

Line 0 Link Here

(-)files/rule-firewall.xml.in (+32 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<group name="ossec,active_response,">
	3
	4	<rule id="56021" level="3">
	5	<if_sid>600</if_sid>
	6	<action>ipfw.sh</action>
	7	<status>add</status>
	8	<description>Host Blocked by ipfw.sh Active Response</description>
	9	</rule>
	10
	11	<rule id="56022" level="3">
	12	<if_sid>600</if_sid>
	13	<action>ipfw.sh</action>
	14	<status>delete</status>
	15	<description>Host Unblocked by ipfw.sh Active Response</description>
	16	</rule>
	17
	18	<rule id="56023" level="3">
	19	<if_sid>600</if_sid>
	20	<action>pf.sh</action>
	21	<status>add</status>
	22	<description>Host Blocked by pf.sh Active Response</description>
	23	</rule>
	24
	25	<rule id="56024" level="3">
	26	<if_sid>600</if_sid>
	27	<action>pf.sh</action>
	28	<status>delete</status>
	29	<description>Host Unblocked by pf.sh Active Response</description>
	30	</rule>
	31
	32	</group>

Line 0 Link Here

(-)files/rule-ports.xml.in (+32 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<group name="ossec,">
	3
	4	<rule id="56041" level="7">
	5	<if_sid>530</if_sid>
	6	<match>ossec: output: 'freebsd-ports-tcp4'</match>
	7	<check_diff />
	8	<description>Listening IPv4 TCP port opened or closed.</description>
	9	</rule>
	10
	11	<rule id="56042" level="7">
	12	<if_sid>530</if_sid>
	13	<match>ossec: output: 'freebsd-ports-tcp6'</match>
	14	<check_diff />
	15	<description>Listening IPv6 TCP port opened or closed.</description>
	16	</rule>
	17
	18	<rule id="56043" level="7">
	19	<if_sid>530</if_sid>
	20	<match>ossec: output: 'freebsd-ports-udp4'</match>
	21	<check_diff />
	22	<description>IPv4 UDP port opened or closed.</description>
	23	</rule>
	24
	25	<rule id="56044" level="7">
	26	<if_sid>530</if_sid>
	27	<match>ossec: output: 'freebsd-ports-udp6'</match>
	28	<check_diff />
	29	<description>IPv6 UDP port opened or closed.</description>
	30	</rule>
	31
	32	</group>

Line 0 Link Here

(-)files/template-ar-cmds-default.xml.in (+38 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<command>
	5	<name>host-deny</name>
	6	<executable>host-deny.sh</executable>
	7	<expect>srcip</expect>
	8	<timeout_allowed>yes</timeout_allowed>
	9	</command>
	10
	11	<command>
	12	<name>firewall-drop</name>
	13	<executable>%%FW_DROP%%</executable>
	14	<expect>srcip</expect>
	15	<timeout_allowed>yes</timeout_allowed>
	16	</command>
	17
	18	<command>
	19	<name>disable-account</name>
	20	<executable>disable-account.sh</executable>
	21	<expect>user</expect>
	22	<timeout_allowed>yes</timeout_allowed>
	23	</command>
	24
	25	<command>
	26	<name>restart-ossec</name>
	27	<executable>restart-ossec.sh</executable>
	28	<expect></expect>
	29	</command>
	30
	31	<command>
	32	<name>route-null</name>
	33	<executable>route-null.sh</executable>
	34	<expect>srcip</expect>
	35	<timeout_allowed>yes</timeout_allowed>
	36	</command>
	37
	38	</template_config>

Line 0 Link Here

(-)files/template-arlog.xml.in (+18 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%ARLOG_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%ARLOG_PROFILE%%" profile). -->
	4	<localfile>
	5	<log_format>syslog</log_format>
	6	<location>%%PREFIX%%/%%PORTNAME%%/logs/active-responses.log</location>
	7	</localfile>
	8
	9	</template_config>
	10
	11	<template_config os="Linux" profile="%%ARLOG_PROFILE%%">
	12
	13	<localfile>
	14	<log_format>syslog</log_format>
	15	<location>/var/ossec/logs/active-responses.log</location>
	16	</localfile>
	17
	18	</template_config>

Line 0 Link Here

(-)files/template-baselogs.xml.in (+68 lines)
		1	<?xml version="1.0" encoding="UTF-8"?>
		2	<template_config os="FreeBSD" profile="%%BASELOGS_PROFILE%%">
		3	<!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%BASELOGS_PROFILE%%" profile). -->
		4	<localfile>
		5	<log_format>syslog</log_format>
		6	<location>/var/log/auth.log</location>
		7	</localfile>
		8
		9	<localfile>
		10	<log_format>syslog</log_format>
		11	<location>/var/log/maillog</location>
		12	</localfile>
		13
		14	<localfile>
		15	<log_format>syslog</log_format>
		16	<location>/var/log/messages</location>
		17	</localfile>
		18
		19	<localfile>
		20	<log_format>syslog</log_format>
		21	<location>/var/log/security</location>
		22	</localfile>
		23
		24	<localfile>
		25	<log_format>syslog</log_format>
		26	<location>/var/log/userlog</location>
		27	</localfile>
		28
		29	<localfile>
		30	<log_format>syslog</log_format>
		31	<location>/var/log/xferlog</location>
		32	</localfile>
		33
		34	</template_config>
		35
		36	<template_config os="Linux" profile="%%BASELOGS_PROFILE%%">
		37
		38	<localfile>
		39	<log_format>syslog</log_format>
		40	<location>/var/log/auth.log</location>
		41	</localfile>
		42
		43	<localfile>
		44	<log_format>syslog</log_format>
		45	<location>/var/log/dpkg.log</location>
		46	</localfile>
		47
		48	<localfile>
		49	<log_format>syslog</log_format>
		50	<location>/var/log/kern.log</location>
		51	</localfile>
		52
		53	<localfile>
		54	<log_format>syslog</log_format>
		55	<location>/var/log/mail.log</location>
		56	</localfile>
		57
		58	<localfile>
		59	<log_format>syslog</log_format>
		60	<location>/var/log/messages</location>
		61	</localfile>
		62
		63	<localfile>
		64	<log_format>syslog</log_format>
65	<location>/var/log/syslog</location>
66	</localfile>
67
68	</template_config>

Line 0 Link Here

(-)files/template-cmds-ports-tcp.xml.in (+16 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<localfile>
	5	<log_format>full_command</log_format>
	6	<command>netstat -4 -p tcp -Wan \| grep LISTEN \| awk '{print $4}' \| sed 's/\(.*\)\./\1:/' \| sort</command>
	7	<alias>freebsd-ports-tcp4</alias>
	8	</localfile>
	9
	10	<localfile>
	11	<log_format>full_command</log_format>
	12	<command>netstat -6 -p tcp -Wan \| grep LISTEN \| awk '{print $4}' \| sed 's/\(.*\)\./\1:/' \| sort</command>
	13	<alias>freebsd-ports-tcp6</alias>
	14	</localfile>
	15
	16	</template_config>

Line 0 Link Here

(-)files/template-cmds-ports-udp.xml.in (+16 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<localfile>
	5	<log_format>full_command</log_format>
	6	<command>netstat -4 -p udp -Wan \| grep udp4 \| awk '{print $4}' \| sed 's/\(.*\)\./\1:/' \| sort</command>
	7	<alias>freebsd-ports-udp4</alias>
	8	</localfile>
	9
	10	<localfile>
	11	<log_format>full_command</log_format>
	12	<command>netstat -6 -p udp -Wan \| grep udp6 \| awk '{print $4}' \| sed 's/\(.*\)\./\1:/' \| sort</command>
	13	<alias>freebsd-ports-udp6</alias>
	14	</localfile>
	15
	16	</template_config>

Line 0 Link Here

(-)files/template-logs-apache.xml.in (+28 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%APACHE_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%APACHE_PROFILE%%" profile). -->
	4	<localfile>
	5	<log_format>apache</log_format>
	6	<location>/var/log/httpd-error.log</location>
	7	</localfile>
	8
	9	<localfile>
	10	<log_format>apache</log_format>
	11	<location>/var/log/httpd-access.log</location>
	12	</localfile>
	13
	14	</template_config>
	15
	16	<template_config os="Linux" profile="%%APACHE_PROFILE%%">
	17
	18	<localfile>
	19	<log_format>apache</log_format>
	20	<location>/var/log/apache2/error.log</location>
	21	</localfile>
	22
	23	<localfile>
	24	<log_format>apache</log_format>
	25	<location>/var/log/apache2/access.log</location>
	26	</localfile>
	27
	28	</template_config>

Line 0 Link Here

(-)files/template-logs-nginx.xml.in (+28 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%NGINX_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%NGINX_PROFILE%%" profile). -->
	4	<localfile>
	5	<log_format>apache</log_format>
	6	<location>/var/log/nginx/error.log</location>
	7	</localfile>
	8
	9	<localfile>
	10	<log_format>apache</log_format>
	11	<location>/var/log/nginx/access.log</location>
	12	</localfile>
	13
	14	</template_config>
	15
	16	<template_config os="Linux" profile="%%NGINX_PROFILE%%">
	17
	18	<localfile>
	19	<log_format>apache</log_format>
	20	<location>/var/log/nginx/error.log</location>
	21	</localfile>
	22
	23	<localfile>
	24	<log_format>apache</log_format>
	25	<location>/var/log/nginx/access.log</location>
	26	</localfile>
	27
	28	</template_config>

Line 0 Link Here

(-)files/template-logs-radius.xml.in (+18 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%RADIUS_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%RADIUS_PROFILE%%" profile). -->
	4	<localfile>
	5	<log_format>syslog</log_format>
	6	<location>/var/log/radius.log</location>
	7	</localfile>
	8
	9	</template_config>
	10
	11	<template_config os="Linux" profile="%%RADIUS_PROFILE%%">
	12
	13	<localfile>
	14	<log_format>syslog</log_format>
	15	<location>/var/log/freeradius/radius.log</location>
	16	</localfile>
	17
	18	</template_config>

Line 0 Link Here

(-)files/template-logs-vsftpd.xml.in (+18 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%VSFTPD_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes log monitoring configuration using "agent.conf" (FreeBSD server can push it using "%%VSFTPD_PROFILE%%" profile). -->
	4	<localfile>
	5	<log_format>syslog</log_format>
	6	<location>/var/log/vsftpd.log</location>
	7	</localfile>
	8
	9	</template_config>
	10
	11	<template_config os="Linux" profile="%%VSFTPD_PROFILE%%">
	12
	13	<localfile>
	14	<log_format>syslog</log_format>
	15	<location>/var/log/vsftpd.log</location>
	16	</localfile>
	17
	18	</template_config>

Line 0 Link Here

(-)files/template-rootcheck.xml.in (+23 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%ROOTCHECK_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes rootcheck configuration using "agent.conf" (FreeBSD server can push it using "%%ROOTCHECK_PROFILE%%" profile). -->
	4	<rootcheck>
	5	<rootkit_files>%%PREFIX%%/%%PORTNAME%%/etc/shared/rootkit_files.txt</rootkit_files>
	6	<rootkit_trojans>%%PREFIX%%/%%PORTNAME%%/etc/shared/rootkit_trojans.txt</rootkit_trojans>
	7	<system_audit>%%PREFIX%%/%%PORTNAME%%/etc/shared/system_audit_rcl.txt</system_audit>
	8	<system_audit>%%PREFIX%%/%%PORTNAME%%/etc/shared/system_audit_ssh.txt</system_audit>
	9	</rootcheck>
	10
	11	</template_config>
	12
	13	<template_config os="Linux" profile="%%ROOTCHECK_PROFILE%%">
	14
	15	<rootcheck>
	16	<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
	17	<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
	18	<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
	19	<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
	20	<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
	21	</rootcheck>
	22
	23	</template_config>

Line 0 Link Here

(-)files/template-rules-default.xml.in (+66 lines)
		1	<?xml version="1.0" encoding="UTF-8"?>
		2	<template_config>
		3
		4	<rules>
		5	<!-- Imported from "ossec-hids-2.9.3/etc/templates/config/rules.template". -->
		6	<include>rules_config.xml</include>
		7	<include>pam_rules.xml</include>
		8	<include>sshd_rules.xml</include>
		9	<include>telnetd_rules.xml</include>
		10	<include>syslog_rules.xml</include>
		11	<include>arpwatch_rules.xml</include>
		12	<include>symantec-av_rules.xml</include>
		13	<include>symantec-ws_rules.xml</include>
		14	<include>pix_rules.xml</include>
		15	<include>named_rules.xml</include>
		16	<include>smbd_rules.xml</include>
		17	<include>vsftpd_rules.xml</include>
		18	<include>pure-ftpd_rules.xml</include>
		19	<include>proftpd_rules.xml</include>
		20	<include>ms_ftpd_rules.xml</include>
		21	<include>ftpd_rules.xml</include>
		22	<include>hordeimp_rules.xml</include>
		23	<include>roundcube_rules.xml</include>
		24	<include>wordpress_rules.xml</include>
		25	<include>cimserver_rules.xml</include>
		26	<include>vpopmail_rules.xml</include>
		27	<include>vmpop3d_rules.xml</include>
		28	<include>courier_rules.xml</include>
		29	<include>web_rules.xml</include>
		30	<include>web_appsec_rules.xml</include>
		31	<include>apache_rules.xml</include>
		32	<include>nginx_rules.xml</include>
		33	<include>php_rules.xml</include>
		34	<include>mysql_rules.xml</include>
		35	<include>postgresql_rules.xml</include>
		36	<include>ids_rules.xml</include>
		37	<include>squid_rules.xml</include>
		38	<include>firewall_rules.xml</include>
		39	<include>cisco-ios_rules.xml</include>
		40	<include>netscreenfw_rules.xml</include>
		41	<include>sonicwall_rules.xml</include>
		42	<include>postfix_rules.xml</include>
		43	<include>sendmail_rules.xml</include>
		44	<include>imapd_rules.xml</include>
		45	<include>mailscanner_rules.xml</include>
		46	<include>dovecot_rules.xml</include>
		47	<include>ms-exchange_rules.xml</include>
		48	<include>racoon_rules.xml</include>
		49	<include>vpn_concentrator_rules.xml</include>
		50	<include>spamd_rules.xml</include>
		51	<include>msauth_rules.xml</include>
		52	<include>mcafee_av_rules.xml</include>
		53	<include>trend-osce_rules.xml</include>
		54	<include>ms-se_rules.xml</include>
		55	<!-- <include>policy_rules.xml</include> -->
		56	<include>zeus_rules.xml</include>
		57	<include>solaris_bsm_rules.xml</include>
		58	<include>vmware_rules.xml</include>
		59	<include>ms_dhcp_rules.xml</include>
		60	<include>asterisk_rules.xml</include>
		61	<include>ossec_rules.xml</include>
		62	<include>attack_rules.xml</include>
		63	<include>local_rules.xml</include>
		64	</rules>
65
66	</template_config>

Line 0 Link Here

(-)files/template-sample-agent.xml.in (+19 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<client>
	5	<!-- Specify the IP address of the %%PORTNAME%% server. -->
	6	<server-ip>1.2.3.4</server-ip>
	7	<!-- Alternatively, specify the hostname of the %%PORTNAME%% server. -->
	8	<!-- <server-hostname>example.com</server-hostname> -->
	9
	10	<!-- Specifies the agent.conf profiles to be used by the agent. Multiple profiles can be included, separated by a comma and a space. -->
	11	<!-- <config-profile>%%CLIENT_PROFILES%%</config-profile> -->
	12	</client>
	13
	14	<syscheck>
	15	<!-- Ignoring the "hosts.allow" is reasonable if host-deny active response is active for this OSSEC instance. -->
	16	<ignore>/etc/hosts.allow</ignore>
	17	</syscheck>
	18
	19	</template_config>

Line 0 Link Here

(-)files/template-sample-local.xml.in (+51 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<global>
	5	<!-- Uncomment to enable email notifications. -->
	6	<!--
	7	<email_notification>yes</email_notification>
	8	<email_to>example@example.com</email_to>
	9	<smtp_server>smtp.example.com</smtp_server>
	10	<email_from>ossecm@example.com</email_from>
	11	-->
	12
	13	<!-- List of IP addresses that should never be blocked by the active response (one per element). -->
	14	<white_list>127.0.0.1</white_list>
	15	</global>
	16
	17	<!-- Run "%%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database" to enable ossec-dbd. -->
	18	<!-- Uncomment to enable database output (if compiled with database support). -->
	19	<!--
	20	<database_output>
	21	<hostname>localhost</hostname>
	22	<username>ossec</username>
	23	<password>secret</password>
	24	<database>ossec</database>
	25	<type>%%DB_TYPE%%</type>
	26	</database_output>
	27	-->
	28
	29	<syscheck>
	30	<auto_ignore>no</auto_ignore>
	31	<!-- Ignoring the "hosts.allow" is reasonable if host-deny active response is active for this OSSEC instance. -->
	32	<ignore>/etc/hosts.allow</ignore>
	33	</syscheck>
	34
	35	<active-response>
	36	<!-- Deny the IP in "/etc/hosts.allow". -->
	37	<command>host-deny</command>
	38	<location>local</location>
	39	<level>6</level>
	40	<timeout>600</timeout>
	41	</active-response>
	42
	43	<active-response>
	44	<!-- Block the IP on the firewall. Remember to set proper "location" of the firewall. -->
	45	<command>firewall-drop</command>
	46	<location>local</location>
	47	<level>6</level>
	48	<timeout>600</timeout>
	49	</active-response>
	50
	51	</template_config>

Line 0 Link Here

(-)files/template-sample-server.xml.in (+57 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config>
	3
	4	<remote>
	5	<connection>secure</connection>
	6	<!-- Because of a bug, setting the IP is mandatory for IPv4. -->
	7	<local_ip>1.2.3.4</local_ip>
	8	</remote>
	9
	10	<global>
	11	<!-- Uncomment to enable email notifications. -->
	12	<!--
	13	<email_notification>yes</email_notification>
	14	<email_to>example@example.com</email_to>
	15	<smtp_server>smtp.example.com</smtp_server>
	16	<email_from>ossecm@example.com</email_from>
	17	-->
	18
	19	<!-- List of IP addresses that should never be blocked by the active response (one per element). -->
	20	<white_list>127.0.0.1</white_list>
	21	</global>
	22
	23	<!-- Run "%%PREFIX%%/%%PORTNAME%%/bin/ossec-control enable database" to enable ossec-dbd. -->
	24	<!-- Uncomment to enable database output (if compiled wit database support). -->
	25	<!--
	26	<database_output>
	27	<hostname>localhost</hostname>
	28	<username>ossec</username>
	29	<password>secret</password>
	30	<database>ossec</database>
	31	<type>%%DB_TYPE%%</type>
	32	</database_output>
	33	-->
	34
	35	<syscheck>
	36	<auto_ignore>no</auto_ignore>
	37	<!-- Ignoring the "hosts.allow" is reasonable if host-deny active response is active for this OSSEC instance. -->
	38	<ignore>/etc/hosts.allow</ignore>
	39	</syscheck>
	40
	41	<active-response>
	42	<!-- Deny the IP in "/etc/hosts.allow". -->
	43	<command>host-deny</command>
	44	<location>local</location>
	45	<level>6</level>
	46	<timeout>600</timeout>
	47	</active-response>
	48
	49	<active-response>
	50	<!-- Block the IP on the firewall. Remember to set proper "location" of the firewall. -->
	51	<command>firewall-drop</command>
	52	<location>local</location>
	53	<level>6</level>
	54	<timeout>600</timeout>
	55	</active-response>
	56
	57	</template_config>

Line 0 Link Here

(-)files/template-syscheck.xml.in (+22 lines)
	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<template_config os="FreeBSD" profile="%%SYSCHECK_PROFILE%%">
	3	<!-- agent: Remove this section if server pushes syscheck configuration using "agent.conf" (FreeBSD server can push it using "%%SYSCHECK_PROFILE%%" profile). -->
	4	<syscheck>
	5	<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
	6	<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
	7	<directories realtime="yes" check_all="yes">%%PREFIX%%/etc,%%PREFIX%%/bin,%%PREFIX%%/sbin</directories>
	8	<directories realtime="yes" check_all="yes">%%OSSEC_SYSCHECK_DIRS%%</directories>
	9	</syscheck>
	10
	11	</template_config>
	12
	13	<template_config os="Linux" profile="%%SYSCHECK_PROFILE%%">
	14
	15	<syscheck>
	16	<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
	17	<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
	18	<directories realtime="yes" check_all="yes">/usr/local/etc,/usr/local/bin,/usr/local/sbin</directories>
	19	<directories realtime="yes" check_all="yes">/var/ossec/etc,/var/ossec/bin,/var/ossec/active-response,/var/ossec/agentless,/var/ossec/rules</directories>
	20	</syscheck>
	21
	22	</template_config>

Line 0 Link Here

(-)pkg-deinstall (+14 lines)
	1	#!/bin/sh
	2
	3	ossec_home="${PKG_PREFIX}/ossec-hids"
	4	ossec_conf="${ossec_home}/etc/ossec.conf"
	5	agent_conf="${ossec_home}/etc/shared/agent.conf"
	6	ar_conf="${ossec_home}/etc/shared/ar.conf"
	7	merged_mg="${ossec_home}/etc/shared/merged.mg"
	8
	9	if [ "$2" == "DEINSTALL" ]; then
	10	rm -f "${ossec_conf}"
	11	rm -f "${agent_conf}"
	12	rm -f "${ar_conf}"
	13	rm -f "${merged_mg}"
	14	fi

Line 0 Link Here

(-)pkg-help-agent (+13 lines)
	1	Hints:
	2
	3	The main configuration is kept in "ossec-dist.conf" and "ossec-local.conf".
	4	These two files will be merged into "ossec.conf" before OSSEC startup.
	5
	6	Any unchecked "ossec-dist.conf" options will result in placing related
	7	configuration in "ossec-local.conf.sample" instead of "ossec-dist.conf".
	8
	9	If the agent configuration is pushed by the server using "agent.conf", then
	10	the "System checks" and "Log monitoring" should remain empty - all options
	11	there should be unchecked (default) and proper sections removed from
	12	"ossec-local.conf". Note that for security reasons "Command monitoring"
	13	options cannot be pushed using "agent.conf".

Line 0 Link Here

(-)pkg-help-server (+24 lines)
	1	Hints:
	2
	3	The main configuration is kept in "ossec-dist.conf" and "ossec-local.conf".
	4	These two files will be merged into "ossec.conf" before OSSEC startup.
	5
	6	Any unchecked "ossec-dist.conf" options will result in placing related
	7	configuration in "ossec-local.conf.sample" instead of "ossec-dist.conf".
	8
	9	The agent configuration is kept in "agent-dist.conf" and "agent-local.conf".
	10	These two files will be merged into "agent.conf" before OSSEC startup.
	11
	12	The agent needs to use proper profile to benefit from "agent.conf"
	13	configuration on the server. This means you can leave all of the
	14	"agent-dist.conf" options checked even if no agents use them.
	15
	16
	17	Note:
	18
	19	The currently supported agent systems via "agent-dist.conf" are:
	20	- FreeBSD
	21	- Debian Linux
	22
	23	Consider contributing to the port by contacting the maintainer and
	24	providing template configurations for other operating systems.