[NEW] ossec

[jul_bsd@…]

host-based intrusion detection system

• work in progress
• 2.7.1
• build and run on default variant
• other variants to review

[jul_bsd@…]

updated Portfile

• compile/install/run ok
• reviewing sane default config as work in progress
• subport for devel
• variants still need review
• seems to easily be eating cpu: dtrace seems to point on ossec-analysisd w read_nocancel

[jul_bsd@…]

I got a strange behavior. As I was refining the configuration, I got problem with some matching rules and run ossec-logtest to check for it. Normally, there are 3 phases in it but.

from a full install as root

# strings /opt/local/var/ossec/bin/ossec-logtest |grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.

from a build as common user

$ strings ~/.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest |grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.

which is the normal one

if I repeat, I got

$ strings ~/.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest |grep -i phase
**Phase 3: Completed filtering (rules).
**Phase 1: Completed pre-decoding.

=> not very consistent

with both,

# ls -l /opt/local/var/ossec/bin/ossec-logtest /Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest
-rwxr-xr-x  1 u  staff  528156 Mar  7 23:20 /Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest
-r-xr-x---  1 root    ossec  525764 Mar  7 23:12 /opt/local/var/ossec/bin/ossec-logtest
# otool -L /opt/local/var/ossec/bin/ossec-logtest /Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest
/opt/local/var/ossec/bin/ossec-logtest:
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /opt/local/lib/libgcc/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/Users/u//.macports/opt/local/var/macports/build/_Volumes_Data_myports_security_ossec/ossec/work/ossec-hids-2.7.1/src/analysisd/ossec-logtest:
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /opt/local/lib/libgcc/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)

How could be??? and could be other executables with this problem???

As for other anomalies, I can also got build which fails one time and at a second execution succeed without changing anything, mostly because of ranlib

ranlib: archive member: cdb_make.a(cdb.o) size too large (archive member extends past the end of the file)

update Portfile

• clang subport but current branch for that is not compiling
• some random annoying error like ranlib size too large/cant open file, or error: expected expression before 'int' (usually, re-starting build solves the problem but...)
• divide previous patch in two (else fails against -clang)
• tested subport -devel and each variant (hybrid,agent,server) and outside of the two previous problems, it built and destrooted well
• is there a way to specify that a variant cancels/supersedes another variant?

[jul_bsd@…]

• review
• port lint
• bug with "Portfile: extra characters after close-brace"

[neverpanic (Clemens Lang)]

The character after the closing bracket of the variant description of the picviz variant isn't a space.

[jul_bsd@…]

got it ... but how do you see that??? vim 'set invlist' or list doesn't show it as special

[neverpanic (Clemens Lang)]

Binary search by commenting parts of the Portfile and checking whether the problem still occurs. Once the line is found, the error message gives away that the problem most be after a closing brace. Then, use hexdump or xxd to verify.

[jul_bsd@…]

ok. would be better if the error message could point on a line/column if possible.

[jul_bsd@…]

• miss dep gcc-devel
• start listing compiler.blacklist
• start universal variant
• change -agent variant as subport

[jul_bsd@…]

• 2,8
• add_users partly used as it doesn't seem to support multiple users

[jul_bsd@…]

• lot of review as I tested agent install (for now mostly tested local and agent). back to variant as had a few glitches with subport (destroot.cmd not changed)
• remove dep gcc-devel
• for universal, try to do at patch phase as usual way replace existing flags but it fails

--->  Patching Config.Make: s|-DOSSECHIDS|-DOSSECHIDS -arch x86_64 -arch i386|g
Error: org.macports.patch for port ossec returned: invalid command name " "

[jul_bsd@…]

• use github portgroup
• remove clang variant. repository disappeared

[jul_bsd@…]

• update devel to 20141123, seems to involve many change/different building, add lib zmq czmq, ...
• devel destroot but options/variant missing, to be reviewed with uptream

[jul_bsd@…]

• rename ossec-hids
• switch to github
• re-test using install.sh with unattended settings but imply doing everything in destroot, can't edit destdir in middle and use root all the time, so stay with custom build/setup
• destroot ok, same for variant agent; agent tested with external server.
• hybrid, server and universal variants triggers a strange bug

  Error: org.macports.patch for port ossec returned: invalid command name " "
  

I double checked and don't see typo. If I comment line, I start to comment everything in post-patch

[jul_bsd@…]

2.8.1