Date: Mon, 29 Sep 2008 09:00:57 +0000 (UTC)
From: valerio.daelli@gmail.com
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: valerio.daelli@gmail.com
Subject: ports/127708: [patch] update of ossec-hids from 1.4 -> 1.6
Message-ID: <122267725578135161@lupin.ifom-ieo-campus.it>
Resent-Message-ID: <200809290910.m8T9A18g029064@freefall.freebsd.org>
>Number: 127708 >Category: ports >Synopsis: [patch] update of ossec-hids from 1.4 -> 1.6 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Mon Sep 29 09:10:00 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Valerio Daelli >Release: FreeBSD 6.2-RELEASE-p6 amd64 >Organization: >Environment: System: FreeBSD sodio.ifom-ieo-campus.it 6.2-RELEASE-p6 FreeBSD 6.2-RELEASE-p6 #8: Tue Jul 24 17:16:37 CEST 2007 root@sodio.ifom-ieo-campus.it:/usr/obj/usr/src/sys/SODIO amd64 >Description: This patch updates ossec-hids from 1.4 to 1.6 >How-To-Repeat: >Fix: cd /usr/ports/security/ossec-hids-server patch -p1 < ../OSSEC-HIDS-SERVER.patch --- OSSEC-HIDS-SERVER.patch begins here --- diff -ruN ossec-hids-server.OLD/Makefile ossec-hids-server/Makefile --- ossec-hids-server.OLD/Makefile 2007-12-30 10:53:43.000000000 +0000 +++ ossec-hids-server/Makefile 2008-09-28 20:15:10.000000000 +0000 @@ -6,7 +6,7 @@ # PORTNAME= ossec-hids -PORTVERSION= 1.4 +PORTVERSION= 1.6 PORTREVISION?= 0 CATEGORIES= security MASTER_SITES= http://www.ossec.net/files/ \ diff -ruN ossec-hids-server.OLD/distinfo ossec-hids-server/distinfo --- ossec-hids-server.OLD/distinfo 2007-12-30 10:53:43.000000000 +0000 +++ ossec-hids-server/distinfo 2008-09-28 20:15:13.000000000 +0000 
@@ -1,3 +1,3 @@ -MD5 (ossec-hids-1.4.tar.gz) = f877f7afc225ba835bf697c026c77aa9 -SHA256 (ossec-hids-1.4.tar.gz) = 0dd7650a4c74ae2b9beec47660fd7c573eb35005e5cab6e62c640ba44930ff7f -SIZE (ossec-hids-1.4.tar.gz) = 598579 +MD5 (ossec-hids-1.6.tar.gz) = 2ed9ef649d44ad416047a4c28eaad13c +SHA256 (ossec-hids-1.6.tar.gz) = 07dc21b1d1b581c29c16ba0bdca525fabac775aa7f2be139708c5427261e0687 +SIZE (ossec-hids-1.6.tar.gz) = 666622 diff -ruN ossec-hids-server.OLD/files/patch-InstallServer.sh ossec-hids-server/files/patch-InstallServer.sh --- ossec-hids-server.OLD/files/patch-InstallServer.sh 2007-04-20 21:29:20.000000000 +0000 +++ ossec-hids-server/files/patch-InstallServer.sh 2008-09-28 22:13:41.000000000 +0000 @@ -1,7 +1,15 @@ -diff -ruN src/InstallServer.sh.orig src/InstallServer.sh ---- src/InstallServer.sh.orig Sun Jan 7 23:38:16 2007 -+++ src/InstallServer.sh Thu Apr 5 15:58:08 2007 -@@ -255,12 +255,12 @@ +--- src/InstallServer.sh 2008-08-22 20:42:09.000000000 +0000 ++++ src/InstallServer.sh 2008-09-28 22:10:45.000000000 +0000 +@@ -174,7 +174,7 @@ + fi + fi + +-cp -pr ../etc/rules/* ${DIR}/rules/ ++cp -pr ../etc/rules/*.xml ${DIR}/rules/ + + # If the local_rules is saved, moved it back + ls ${DIR}/rules/saved_local_rules.xml.$$ > /dev/null 2>&1 +@@ -284,12 +284,12 @@ ls ../etc/ossec.mc > /dev/null 2>&1 if [ $? = 0 ]; then diff -ruN ossec-hids-server.OLD/files/patch-attack_rules.xml ossec-hids-server/files/patch-attack_rules.xml --- ossec-hids-server.OLD/files/patch-attack_rules.xml 1970-01-01 00:00:00.000000000 +0000 +++ ossec-hids-server/files/patch-attack_rules.xml 2008-09-28 21:55:30.000000000 +0000 
@@ -0,0 +1,16 @@ +--- etc/rules/attack_rules.xml 2008-08-29 17:15:08.000000000 +0000 ++++ attack_rules.xml 2008-09-28 21:39:52.000000000 +0000 +@@ -85,11 +85,13 @@ + <description>by a success.</description> + </rule> + ++<!-- + <rule id="40113" level="12" frequency="6" timeframe="360"> + <if_matched_group>virus</if_matched_group> + <description>Multiple viruses detected - Possible outbreak.</description> + <group>virus,</group> + </rule> ++--> + + </group> <!-- SYSLOG, ATTACKS, --> + diff -ruN ossec-hids-server.OLD/files/patch-mcafee_av_rules.xml ossec-hids-server/files/patch-mcafee_av_rules.xml --- ossec-hids-server.OLD/files/patch-mcafee_av_rules.xml 1970-01-01 00:00:00.000000000 +0000 +++ ossec-hids-server/files/patch-mcafee_av_rules.xml 2008-09-28 21:55:36.000000000 +0000 @@ -0,0 +1,18 @@ +--- etc/rules/mcafee_av_rules.xml 2008-08-28 15:56:00.000000000 +0000 ++++ mcafee_av_rules.xml 2008-09-28 21:39:52.000000000 +0000 +@@ -42,6 +42,7 @@ + <description>McAfee Windows AV error event.</description> + </rule> + ++<!-- + <rule id="7504" level="12"> + <if_sid>7500</if_sid> + <regex>$MCAFEE_VIRUS</regex> +@@ -62,6 +63,7 @@ + <group>virus</group> + <description>McAfee Windows AV - Virus detected and file will be deleted.</description> + </rule> ++--> + + <rule id="7507" level="3"> + <if_sid>7500</if_sid> diff -ruN ossec-hids-server.OLD/files/patch-symantec-av_rules.xml ossec-hids-server/files/patch-symantec-av_rules.xml --- ossec-hids-server.OLD/files/patch-symantec-av_rules.xml 1970-01-01 00:00:00.000000000 +0000 +++ ossec-hids-server/files/patch-symantec-av_rules.xml 2008-09-28 21:55:42.000000000 +0000 
@@ -0,0 +1,17 @@ +--- etc/rules/symantec-av_rules.xml 2008-06-17 17:03:56.000000000 +0000 ++++ symantec-av_rules.xml 2008-09-28 21:39:52.000000000 +0000 +@@ -31,12 +31,14 @@ + <description>Grouping of Symantec AV rules from eventlog.</description> + </rule> + ++<!-- + <rule id="7310" level="9"> + <if_sid>7300, 7301</if_sid> + <id>^5$|^17$</id> + <group>virus</group> + <description>Virus detected.</description> + </rule> ++--> + + <rule id="7320" level="3"> + <if_sid>7300, 7301</if_sid> diff -ruN ossec-hids-server.OLD/files/pkg-message.in ossec-hids-server/files/pkg-message.in --- ossec-hids-server.OLD/files/pkg-message.in 2007-12-30 10:53:43.000000000 +0000 +++ ossec-hids-server/files/pkg-message.in 2008-09-28 21:35:18.000000000 +0000 @@ -16,3 +16,5 @@ When you deinstall this port after starting the daemons once, many directories that are created by the daemons will remain. To fully remove the port you need to delete those directories manually. +To further enhance the security on your system, you may also enable some checks +in PAM for a fast reaction against intrusions. diff -ruN ossec-hids-server.OLD/pkg-plist ossec-hids-server/pkg-plist --- ossec-hids-server.OLD/pkg-plist 2007-12-30 10:53:43.000000000 +0000 +++ ossec-hids-server/pkg-plist 2008-09-28 22:16:56.000000000 +0000 @@ -19,6 +19,10 @@ %%PORTNAME%%/bin/ossec-remoted %%PORTNAME%%/bin/ossec-syscheckd %%PORTNAME%%/bin/syscheck_update +%%PORTNAME%%/bin/ossec-csyslogd +%%PORTNAME%%/bin/agent_control +%%PORTNAME%%/bin/syscheck_control +%%PORTNAME%%/bin/rootcheck_control %%PORTNAME%%/etc/decoder.xml %%PORTNAME%%/etc/internal_options.conf @unexec if cmp -s %D/%%PORTNAME%%/etc/ossec.conf %D/%%PORTNAME%%/etc/ossec.conf.sample; then rm -f %D/%%PORTNAME%%/etc/ossec.conf; fi 
@@ -29,6 +33,9 @@ %%PORTNAME%%/etc/shared/win_applications_rcl.txt %%PORTNAME%%/etc/shared/win_audit_rcl.txt %%PORTNAME%%/etc/shared/win_malware_rcl.txt +%%PORTNAME%%/etc/shared/cis_debian_linux_rcl.txt +%%PORTNAME%%/etc/shared/cis_rhel_linux_rcl.txt +%%PORTNAME%%/etc/shared/cis_rhel5_linux_rcl.txt %%PORTNAME%%/logs/ossec.log %%PORTNAME%%/rules/apache_rules.xml %%PORTNAME%%/rules/arpwatch_rules.xml @@ -73,6 +80,11 @@ %%PORTNAME%%/rules/vsftpd_rules.xml %%PORTNAME%%/rules/web_rules.xml %%PORTNAME%%/rules/zeus_rules.xml +%%PORTNAME%%/rules/vmware_rules.xml +%%PORTNAME%%/rules/vmpop3d_rules.xml +%%PORTNAME%%/rules/solaris_bsm_rules.xml +%%PORTNAME%%/rules/mcafee_av_rules.xml +%%PORTNAME%%/rules/asterisk_rules.xml @dirrmtry %%PORTNAME%%/var/run @dirrmtry %%PORTNAME%%/var @dirrmtry %%PORTNAME%%/tmp --- OSSEC-HIDS-SERVER.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
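Review bot: the new MD5/SHA256/SIZE lines for ossec-hids-1.6.tar.gz in the distinfo hunk cannot be verified from the PR itself; the committer should fetch the distfile from the MASTER_SITES the Makefile lists and confirm that `make makesum` reproduces exactly these three values, since a checksum that merely matches whatever tarball the submitter happened to have defeats the purpose of distinfo.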
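Review bot: the change from `cp -pr ../etc/rules/* ${DIR}/rules/` to `cp -pr ../etc/rules/*.xml ${DIR}/rules/` in patch-InstallServer.sh is not explained anywhere in the PR. It is presumably there to keep the `.orig` backups left behind by the new files/patch-*_rules.xml patches out of ${DIR}/rules/, but that belongs in a comment in the patch file or the Makefile, and the submitter should confirm that upstream 1.6 ships nothing other than .xml files under etc/rules, because anything else is now silently left out of the install. The second hunk header moving from -255 to -284 is only an offset update and is fine.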
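Review bot: wrapping rule 40113 ("Multiple viruses detected - Possible outbreak") in `<!-- -->` in patch-attack_rules.xml disables a detection for every user of the port, yet the PR description only says "updates ossec-hids from 1.4 to 1.6" and gives no reason. A port patch should not silently remove alerting logic: if the rule fails to load on this platform, quote the error in the PR; otherwise drop this patch and leave it to the site to override the rule in local_rules.xml, which the InstallServer.sh hunk above already preserves across reinstalls (the saved_local_rules.xml.$$ logic).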
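Review bot: in patch-mcafee_av_rules.xml the `<!--` opened before rule 7504 (around line 42) is only closed after the "Virus detected and file will be deleted" rule (around line 63), so several rules are commented out but the lines in between are not in the diff. Confirm that region contains no XML comment of its own, because a nested `<!-- -->` makes the file unparseable and ossec-analysisd fails at startup on a rules parse error; a configuration test run of ossec-analysisd before committing would catch this. As with attack_rules.xml, the rationale for disabling the virus-detected rules is missing from the PR.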
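Review bot: rule 7310 in patch-symantec-av_rules.xml is the rule that assigns `<group>virus</group>` to Symantec event IDs 5 and 17, and rule 40113 in attack_rules.xml, also disabled by this PR, correlates on exactly that group, so the two patches together remove both the per-event alert and the outbreak correlation for Symantec AV. If the goal is only to quiet the level-9 alert, lowering the level or overriding the rule in local_rules.xml is the conventional way; either way the reason belongs in the PR description, which currently does not mention any rule changes.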
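Review bot: the sentence added to pkg-message.in about enabling "some checks in PAM for a fast reaction against intrusions" names no module, file or option, so a user cannot act on it; either point at the specific PAM configuration (which module, which file under /etc/pam.d) or drop the sentence. It is also unrelated to the 1.4 to 1.6 update this PR is about.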
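Review bot: the new pkg-plist entries are appended after the last line of each block (ossec-csyslogd after syscheck_update, the cis_*_rcl.txt files after win_*, vmware/vmpop3d/solaris_bsm/mcafee_av/asterisk after zeus_rules.xml) instead of being sorted into place; keep the existing ordering so future diffs stay readable. More importantly, with InstallServer.sh now copying only *.xml into rules/, every rules file that 1.6 ships must be listed here and nothing else; run a plist check (for example `port test` from ports-mgmt/porttools) against a clean install to catch missing or orphaned entries, and confirm symantec-av_rules.xml, which this PR patches but which does not appear in the plist diff, is already listed.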