Bug 256545 - security/ossec-hids-server 3.6.0_1 rc script fails to generate ossec.conf agent.conf
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
: 256650 257617
Reported: 2021-06-11 07:17 UTC by Alexander
Modified: 2021-09-05 09:56 UTC
sa.inbox: maintainer-feedback+


Attachments
ossec-hids-3.6.0_2.diff (6.50 KB, patch)
2021-06-27 20:12 UTC, Dominik Lisiak
dominik.lisiak: maintainer-approval+
Description Alexander 2021-06-11 07:17:00 UTC
Hello.

The ossec-hids script fails to generate the ossec.conf and agent.conf files with the default (right after installation) setup.

Diagnostic steps:
Install security/ossec-hids-server and security/ossec-hids-server-config ports.
Generation of configuration files fails right after installation (in default configuration):
# /usr/local/etc/rc.d/ossec-hids ossec_conf
<!-- OSSEC HIDS 3.6.0 -->

<!-- DO NOT EDIT - file generated automatically - edit "ossec.conf.d/900.local.conf" instead -->

<ossec_config>
  <rules>
sed: 1: "/^\s*$/d": RE error: trailing backslash (\)
  </rules>
  <rootcheck>
sed: 1: "/^\s*$/d": RE error: trailing backslash (\)
  </rootcheck>
  <syscheck>
sed: 1: "/^\s*$/d": RE error: trailing backslash (\)
  </syscheck>
sed: 1: "/^\s*$/d": RE error: trailing backslash (\)
</ossec_config>
# sudo /usr/local/etc/rc.d/ossec-hids agent_conf

<!-- OSSEC HIDS 3.6.0 -->

<!-- DO NOT EDIT - file generated automatically - edit "agent.conf.d/900.local.conf" instead -->

sed: 1: "/^\s*$/d": RE error: trailing backslash (\)

-------------
Build options for security/ossec-hids-server security/ossec-hids-server-config
~ % cd /usr/ports/security/ossec-hids-server && make showconfig
===> The following configuration options are available for ossec-hids-server-3.6.0_1:
     DOCS=on: Build and/or install documentation
     INOTIFY=on: Kevent based real time monitoring
     LUA=off: Lua scripting language support
     PRELUDE=off: Sensor support from Prelude SIEM
     ZEROMQ=off: ZeroMQ support (experimental)
====> Database output: you can only select none or one of them
     MYSQL=off: MySQL database support
     PGSQL=off: PostgreSQL database support
===> Use 'make config' to modify these settings
 % cd /usr/ports/security/ossec-hids-server-config && make showconfig
===> The following configuration options are available for ossec-hids-server-config-3.6.0_1:
====> Alerting Rules
     DEFAULT_R=on: Rules provided by OSSEC
     CONFIG_R=on: Alert changes of the OSSEC main configuration files
     CMDOUT_R=on: Alert changes of output of the monitored commands
====> Active Response
     DEFAULT_C=on: Commands provided by OSSEC
     MERGE_C=on: Commands to merge configuration files
     MERGE_AR=on: Merge configuration files when they change
     RESTART_AR=on: Restart OSSEC when main configuration files change
     HOSTDENY_AR=off: Block the attacker's IP using access control files
     FWDROP_AR=off: Block the attacker's IP on the firewall
====> System Audit and Rootkit Detection (rootcheck)
     BASIC_RC=on: Basic audit and rootkits
====> File Integrity Checking (syscheck)
     NEWFILES_SC=on: Alert on new files created
     NOAUTO_SC=on: Disable auto_ignore feature
     BASIC_SC=on: "bin", "sbin" and "etc" directories
     OSSEC_SC=on: OSSEC directories
     PGSQL_SC=on: PostgreSQL configuration files
====> Command Output Monitoring
     LOGINS=on: Last logins
     PORTS_TCP=on: Open TCP ports
     PORTS_UDP=off: Open UDP ports
====> Log Monitoring
     BASIC=on: Basic system logs
     OSSEC=on: OSSEC active response logs
     APACHE=on: Apache logs
     NGINX=off: Nginx logs
     RADIUS=off: FreeRADIUS logs
     VSFTPD=off: Vsftpd logs
====> Pushed System Audit and Rootkit Detection (rootcheck)
     BASIC_RC_P=on: Basic audit and rootkits (profile: basic)
     CIS_RC_P=on: CIS benchmark - Legacy (profile: cis)
     CIS_L1_RC_P=on: CIS benchmark - Level 1 (profile: cis-level1)
     CIS_L2_RC_P=on: CIS benchmark - Level 2 (profile: cis-level2)
====> Pushed File Integrity Checking (syscheck)
     BASIC_SC_P=on: "bin", "sbin" and "etc" directories (profile: basic)
     OSSEC_SC_P=on: OSSEC directories (profile: ossec)
     PGSQL_SC_P=on: PostgreSQL configuration files (profile: postgresql)
====> Pushed Log Monitoring
     BASIC_P=on: Basic system logs (profile: basic)
     OSSEC_P=on: OSSEC active response logs (profile: ossec)
     APACHE_P=on: Apache logs (profile: apache)
     NGINX_P=on: Nginx logs (profile: nginx)
     RADIUS_P=off: FreeRADIUS logs (profile: radius)
     VSFTPD_P=off: Vsftpd logs (profile: vsftpd)
====> Active Response Firewall: you have to select exactly one of them
     NOFW=off: Custom or no firewall
     IPF=off: ipfilter
     IPFW=off: ipfirewall
     PF=on: Packet Filter
Comment 1 Vitaliy Evsukov 2021-06-11 12:44:19 UTC
Solved

file /usr/local/ossec-hids/bin/config/ossec-conf

function remove_empty_lines()

Need to change "sed '/^\s*$/d'" to "sed '/^[[:space:]]*$/d'"
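
The substitution suggested in comment 1, as an added example that is not part of the thread or the port's own code: `\s` is not a POSIX regular expression escape, while `[[:space:]]` is, so the filter below behaves the same on any POSIX sed. The `emit_section` and `find_nonportable_sed` helpers and the sample fragment name are hypothetical, added to show how a generator can refuse to write the empty `<rules>`/`<syscheck>` sections seen in the report and how to find other affected `sed` calls.

```shell
#!/bin/sh
# Added example; helper names other than remove_empty_lines are hypothetical.

# Portable blank-line filter: POSIX character class instead of the \s escape.
remove_empty_lines() {
    sed '/^[[:space:]]*$/d'
}

# Read configuration fragments on stdin and wrap them in <name> tags.
# Fails instead of emitting a section when the filter errors out or when
# nothing is left, so a broken filter cannot silently produce a HIDS
# configuration with no rules or no monitored paths.
emit_section() {
    name=$1
    body=$(remove_empty_lines) || {
        echo "filter failed while building <$name>" >&2
        return 1
    }
    if [ -z "$body" ]; then
        echo "refusing to emit empty <$name> section" >&2
        return 1
    fi
    printf '  <%s>\n%s\n  </%s>\n' "$name" "$body" "$name"
}

# Lint a script: print "line:text" for sed invocations that use the
# non-POSIX escapes \s, \S, \w or \W. Exit status 1 means none found.
find_nonportable_sed() {
    grep -nE 'sed[^|;]*\\[sSwW]' "$1"
}
```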
Comment 2 Dominik Lisiak 2021-06-16 22:57:30 UTC
(In reply to Alexander from comment #0)
(In reply to Vitaliy Evsukov from comment #1)

Can you confirm this is for FreeBSD 13.0?
It seems the 'sed' has been changed there.
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2021-06-17 02:22:16 UTC
*** Bug 256650 has been marked as a duplicate of this bug. ***
Comment 4 Vitaliy Evsukov 2021-06-17 02:26:03 UTC
(In reply to Dominik Lisiak from comment #2)
Yes. Last update.
Comment 5 Alexander 2021-06-17 05:46:46 UTC
(In reply to Dominik Lisiak from comment #2)
I confirm. This issue affects FreeBSD 13.
Comment 6 Dominik Lisiak 2021-06-27 20:12:53 UTC
Created attachment 226082
ossec-hids-3.6.0_2.diff

Attached patch to fix the described bug in FreeBSD 13.0 and still be compatible with FreeBSD 12.2.

- No binary changes
- Replaced all 'sed' invocations with 'sed -E' and adjusted regexes accordingly
- ossec-hids-local-config, ossec-hids-agent-config, ossec-hids-server-config updated to 3.6.0_2
- ossec-hids, ossec-hids-local, ossec-hids-agent, ossec-hids-server stay at 3.6.0_1

Tested with 'poudriere' and in live environments on FreeBSD 13.0 and 12.2.
Comment 7 Dominik Lisiak 2021-08-04 19:00:34 UTC
If you can't wait for the patch to be committed, you can use the public repo:
https://bemsoft.pl/git/freebsd-ports/ossec
with portshaker.
Comment 8 Mike 2021-08-04 19:19:43 UTC
*** Bug 257617 has been marked as a duplicate of this bug. ***