ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

2.9.1 binary installation #1164

Closed marcRBD closed 5 years ago

marcRBD commented 7 years ago

Hello, as we use binary installation, I tested 2.9.1 and I read:

#807

So I made a test:

    cd ossec-*/src
    make setagent
    make all
    make build

That didn't work, so I tried:

    make TARGET=agent build

Is it sufficient? What other make commands are needed to build everything?

After that I wrote my etc/preloaded-vars.conf,

then ran ./install.sh, with a small error on CentOS 6:

> **which: no host in** (/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
> which: no host in (/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
>  OSSEC HIDS v2.9.1 Installation Script - http://www.ossec.net
> 
>  You are about to start the installation process of the OSSEC HIDS.
>  You must have a C compiler pre-installed in your system.
> 
>   - System: Linux tdrv-eset-centos6.eolas-services.com 2.6.32-642.15.1.el6.x86_64
>   - User: root
>   - Host: tdrv-eset-centos6.eolas-services.com
> 
> 
>   -- Press ENTER to continue or Ctrl-C to abort. --
> 
> 
> 2- Setting up the installation environment.
> 
> 
>     - Installation will be made at  /var/ossec .
> 
> 3- Configuring the OSSEC HIDS.
> 
> 
>   3.2- Do you want to run the integrity check daemon? (y/n) [y]:
>    - Running syscheck (integrity check daemon).
> 
>   3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
>    - Running rootcheck (rootkit detection).
> **strings: '/usr/bin/mail': No such file**
> 
>   3.4 - Do you want to enable active response? (y/n) [y]:
>    - Active response disabled.
> 
>   3.5- Setting the configuration to analyze the following logs:
>     -- /var/log/messages
>     -- /var/log/secure
>     -- /var/log/maillog
> 
>  - If you want to monitor any other file, just change
>    the ossec.conf and add a new localfile entry.
>    Any questions about the configuration can be answered
>    by visiting us online at http://www.ossec.net .
> 
> 
>    --- Press ENTER to continue ---
> 
> 
> 
> 5- Installing the system
>  - Running the Makefile
> cd external/lua/ && make posix
> make[1]: Entering directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3'
> cd src && make posix
> make[2]: Entering directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
> make all SYSCFLAGS="-DLUA_USE_POSIX"
> make[3]: Entering directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
> make[3]: Nothing to be done for `all'.
> make[3]: Leaving directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
> make[2]: Leaving directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
> make[1]: Leaving directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3'
> make settings
> make[1]: Entering directory `/root/ossec-hids-2.9.1/src'
> 
> General settings:
>     TARGET:           agent
>     V:
>     DEBUG:
>     DEBUGAD
>     PREFIX:           /var/ossec
>     MAXAGENTS:        2048
>     DATABASE:
>     ONEWAY:           no
>     CLEANFULL:        no
> User settings:
>     OSSEC_GROUP:      ossec
>     OSSEC_USER:       ossec
>     OSSEC_USER_MAIL:  ossecm
>     OSSEC_USER_REM:   ossecr
> Lua settings:
>     LUA_PLAT:         posix
> USE settings:
>     USE_ZEROMQ:       no
>     USE_GEOIP:        no
>     USE_PRELUDE:      no
>     USE_OPENSSL:      auto
>     USE_PICVIZ:       yes
>     USE_INOTIFY:      no
> Mysql settings:
>     includes:
>     libs:
> Pgsql settings:
>     includes:
>     libs:
> Defines:
>     -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DPICVIZ_OUTPUT_ENABLED -DCLIENT
> Compiler:
>     CFLAGS           -O2 -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DPICVIZ_OUTPUT_ENABLED -DCLIENT -Wall -Wextra -I./ -I./headers/
>     LDFLAGS          -lm -lpthread
>     CC              cc
>     MAKE            make
> make[1]: Leaving directory `/root/ossec-hids-2.9.1/src'
> 
> Done building agent
> 
> ./init/adduser.sh ossec ossecm ossecr ossec /var/ossec
> Wait for success...
> useradd: warning: the home directory already exists.
> Not copying any file from skel directory into it.
> useradd: warning: the home directory already exists.
> Not copying any file from skel directory into it.
> success
> install -d -m 0550 -o root -g ossec /var/ossec/
> install -d -m 0750 -o ossec -g ossec /var/ossec/logs
> install -m 0660 -o ossec -g ossec /dev/null /var/ossec/logs/ossec.log
> install -d -m 0550 -o root -g 0 /var/ossec/bin
> install -d -m 0550 -o root -g 0 /var/ossec/lua
> install -d -m 0550 -o root -g 0 /var/ossec/lua/native
> install -d -m 0550 -o root -g 0 /var/ossec/lua/compiled
> install -m 0550 -o root -g 0 ossec-logcollector /var/ossec/bin
> install -m 0550 -o root -g 0 ossec-syscheckd /var/ossec/bin
> install -m 0550 -o root -g 0 ossec-execd /var/ossec/bin
> install -m 0550 -o root -g 0 manage_agents /var/ossec/bin
> install -m 0550 -o root -g 0 external/lua/src/ossec-lua /var/ossec/bin/
> install -m 0550 -o root -g 0 external/lua/src/ossec-luac /var/ossec/bin/
> install -m 0550 -o root -g 0 ../contrib/util.sh /var/ossec/bin/
> install -m 0550 -o root -g 0 ./init/ossec-client.sh /var/ossec/bin/ossec-control
> install -d -m 0550 -o root -g ossec /var/ossec/queue
> install -d -m 0770 -o ossec -g ossec /var/ossec/queue/alerts
> install -d -m 0750 -o ossec -g ossec /var/ossec/queue/ossec
> install -d -m 0750 -o ossec -g ossec /var/ossec/queue/syscheck
> install -d -m 0750 -o ossec -g ossec /var/ossec/queue/diff
> install -d -m 0550 -o root -g ossec /var/ossec/etc
> install -m 0440 -o root -g ossec /etc/localtime /var/ossec/etc
> install -d -m 1550 -o root -g ossec /var/ossec/tmp
> install -m 0640 -o root -g ossec -b ../etc/internal_options.conf /var/ossec/etc/
> install -m 0640 -o root -g ossec ../etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
> install -m 0640 -o root -g ossec /dev/null /var/ossec/etc/client.keys
> install -m 0640 -o root -g ossec ../etc/ossec.mc /var/ossec/etc/ossec.conf
> install -d -m 0770 -o root -g ossec /var/ossec/etc/shared
> install -m 0640 -o root -g ossec rootcheck/db/*.txt /var/ossec/etc/shared/
> install -d -m 0550 -o root -g ossec /var/ossec/active-response
> install -d -m 0550 -o root -g ossec /var/ossec/active-response/bin
> install -d -m 0550 -o root -g ossec /var/ossec/agentless
> install -m 0550 -o root -g ossec agentlessd/scripts/* /var/ossec/agentless/
> install -d -m 0700 -o root -g ossec /var/ossec/.ssh
> install -m 0550 -o root -g ossec ../active-response/*.sh /var/ossec/active-response/bin/
> install -m 0550 -o root -g ossec ../active-response/firewalls/*.sh /var/ossec/active-response/bin/
> install -d -m 0550 -o root -g ossec /var/ossec/var
> install -d -m 0770 -o root -g ossec /var/ossec/var/run
> ./init/fw-check.sh execute
> install -m 0550 -o root -g 0 ossec-agentd /var/ossec/bin
> install -m 0550 -o root -g 0 agent-auth /var/ossec/bin
> install -d -m 0750 -o ossec -g ossec /var/ossec/queue/rids
> 
> 
>  - System is Redhat Linux.
>  - Init script modified to start OSSEC HIDS during boot.
> 
>  - Configuration finished properly.
> 
>  - To start OSSEC HIDS:
>       /var/ossec/bin/ossec-control start
> 
>  - To stop OSSEC HIDS:
>       /var/ossec/bin/ossec-control stop
> 
>  - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
> 
> 
>     Thanks for using the OSSEC HIDS.
>     If you have any question, suggestion or if you find any bug,
>     contact us at contact@ossec.net or using our public maillist at
>     ossec-list@ossec.net
>     ( http://www.ossec.net/main/support/ ).
> 
>     More information can be found at http://www.ossec.net
> 
>     ---  Press ENTER to finish (maybe more information below). ---
> 
> 
> 
>  - You first need to add this agent to the server so they
>    can communicate with each other. When you have done so,
>    you can run the 'manage_agents' tool to import the
>    authentication key from the server.
> 
>    /var/ossec/bin/manage_agents
> 
>    More information at:
>    http://www.ossec.net/en/manual.html#ma

ravenousMonkey commented 7 years ago

Just wanted to point out that running a source installation of 2.9.0 (not 2.9.1) I too am getting the error "strings: '/usr/bin/mail': No such file" on step 3.3. Installing on Ubuntu Mate 16.04.2 (64-bit); gcc 5.4.0.

ddpbsd commented 7 years ago

I haven't tried a binary install with 2.9.x, so I'm not sure what all is involved. I'll have to do it eventually though to work on the docs.

> **which: no host in** (/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
> which: no host in (/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

This is from src/init/shared.sh. I'm not sure why your system wouldn't have the host command.

> **strings: '/usr/bin/mail': No such file**

This is from the following lines in install.sh:

        if strings /usr/bin/mail | grep "x-shsh bash" 1> /dev/null; then
          sed -i 's/mail        !bash|/mail        !/' ./src/rootcheck/db/rootkit_trojans.txt
        fi

Again, not sure why your host doesn't have the mail command. We can add something to see if the file is there though.

marcRBD commented 7 years ago

Hello, on CentOS the mail command is in the mailx package, like on Debian. I will wait for the documentation to validate on all the OSes I work on. Thanks.

marcRBD commented 7 years ago

For CentOS and host: yum install bind-utils

    which host
    /usr/bin/host

    make TARGET=agent build
    cd external/lua/ && make posix
    make[1]: Entering directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3'
    cd src && make posix
    make[2]: Entering directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
    make all SYSCFLAGS="-DLUA_USE_POSIX"
    make[3]: Entering directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
    make[3]: Nothing to be done for `all'.
    make[3]: Leaving directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
    make[2]: Leaving directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3/src'
    make[1]: Leaving directory `/root/ossec-hids-2.9.1/src/external/lua-5.2.3'
    make settings
    make[1]: Entering directory `/root/ossec-hids-2.9.1/src'

    General settings:
        TARGET:           agent
        V:
        DEBUG:
        DEBUGAD
        PREFIX:           /var/ossec
        MAXAGENTS:        2048
        DATABASE:
        ONEWAY:           no
        CLEANFULL:        no
    User settings:
        OSSEC_GROUP:      ossec
        OSSEC_USER:       ossec
        OSSEC_USER_MAIL:  ossecm
        OSSEC_USER_REM:   ossecr
    Lua settings:
        LUA_PLAT:         posix
    USE settings:
        USE_ZEROMQ:       no
        USE_GEOIP:        no
        USE_PRELUDE:      no
        USE_OPENSSL:      auto
        USE_PICVIZ:       yes
        USE_INOTIFY:      no
    Mysql settings:
        includes:
        libs:
    Pgsql settings:
        includes:
        libs:
    Defines:
        -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DPICVIZ_OUTPUT_ENABLED -DCLIENT
    Compiler:
        CFLAGS           -O2 -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DPICVIZ_OUTPUT_ENABLED -DCLIENT -Wall -Wextra -I./ -I./headers/
        LDFLAGS          -lm -lpthread
        CC              cc
        MAKE            make
    make[1]: Leaving directory `/root/ossec-hids-2.9.1/src'

    Done building agent

Still some errors I had already seen:

    Started ossec-agentd...
    2017/07/12 09:49:48 ossec-logcollector(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 89).
    Started ossec-logcollector...
    2017/07/12 09:49:48 ossec-syscheckd(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 89).
    2017/07/12 09:49:48 ossec-syscheckd(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 89).

So `make TARGET=agent build` is sufficient with the preloaded configuration? I will test on all these OSes:

All Debian, and CentOS 6 & 7
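A preflight script for the agent build, added here as an example; it is not part of OSSEC's install.sh, src/init/shared.sh, or this thread. It checks for the commands behind the two warnings discussed above (`host`, which ddpbsd traces to src/init/shared.sh, and `mail`/`strings`, used by the install.sh snippet ddpbsd quoted) and wraps the `strings /usr/bin/mail` check so a missing binary is reported as a skip instead of the bare "No such file" error. The bind-utils and mailx package names come from this thread; bind9-host, bsd-mailx and binutils are assumptions for Debian-style hosts, and the sample "binaries" used in the test are constructed text files.

```shell
#!/bin/sh
# Added example: preflight checks to run before ./install.sh for an OSSEC
# agent build. Not OSSEC code; written for this thread.
# Package hints: bind-utils and mailx come from the thread (CentOS);
# bind9-host, bsd-mailx and binutils are assumptions for Debian-style hosts.

# Print the commands from the argument list that are not on PATH,
# space-separated (empty output when nothing is missing).
missing_commands() {
    missing=""
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
    done
    printf '%s\n' "${missing# }"
}

# Return 0 when everything install.sh and src/init/shared.sh call is
# present: cc and make for the build, host (shared.sh), strings and mail
# (the rootkit_trojans.txt check in install.sh). Otherwise print hints and
# return 1.
check_build_tools() {
    missing=$(missing_commands cc make host strings mail)
    if [ -n "$missing" ]; then
        echo "missing: $missing" >&2
        echo "hint: host    -> bind-utils (CentOS) / bind9-host (Debian, assumed)" >&2
        echo "      mail    -> mailx (CentOS) / bsd-mailx (Debian, assumed)" >&2
        echo "      strings -> binutils (assumed)" >&2
        return 1
    fi
    return 0
}

# Guarded form of the install.sh check
#   strings /usr/bin/mail | grep "x-shsh bash"
# Returns 0 when the marker is present (install.sh then strips "bash|" from
# the mail entry in rootkit_trojans.txt), 1 when it is absent, and 2 when
# the check cannot run because the binary or strings is missing, so the
# caller sees a skip instead of "strings: '/usr/bin/mail': No such file".
mail_has_shsh_marker() {
    mail_bin="${1:-/usr/bin/mail}"
    if [ ! -f "$mail_bin" ]; then
        echo "skip: $mail_bin not found" >&2
        return 2
    fi
    if ! command -v strings >/dev/null 2>&1; then
        echo "skip: strings not found" >&2
        return 2
    fi
    if strings "$mail_bin" | grep "x-shsh bash" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Usage: sh preflight.sh run   (from the unpacked ossec-hids-*/ directory,
# before ./install.sh). Without "run" the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    check_build_tools || exit 1
    rc=0
    mail_has_shsh_marker /usr/bin/mail || rc=$?
    case "$rc" in
        0) echo "mail embeds 'x-shsh bash': install.sh will relax the trojan-db entry" ;;
        1) echo "mail does not embed 'x-shsh bash': trojan-db entry left as is" ;;
        *) echo "mail check skipped; install the missing package and rerun" ;;
    esac
fi
```

Run it as `sh preflight.sh run` before ./install.sh; a non-zero exit means install.sh would hit the same `which: no host` or `strings: ... No such file` messages seen in this thread, and the hints name the package to install first.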

marcRBD commented 7 years ago

As I am now testing 2.9.2, I think we can close this one?