ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Support for Ubuntu 22.04 #2048

Closed ogmueller closed 4 months ago

ogmueller commented 2 years ago

There is currently no support for Ubuntu 22.04 (Jammy). Using the 20.04 (Focal) repository instead doesn't work as it is missing libssl1.1. Ubuntu has switched to libssl3 with 22.04.

# apt install ossec-hids-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 ossec-hids-agent : Depends: libssl1.1 (>= 1.1.0) but it is not installable
E: Unable to correct problems, you have held broken packages.

rkuijt commented 2 years ago

tl;dr: I have sent a mail requesting support for this distribution type.

The installer script does not contain entries for this release either which results in:

Configuring the [atomic] repo archive for this system

Error: Unable to determine distribution type. Please send the contents of /etc/os-release to support@atomicrocketturtle.com

The contents for this release's /etc/os-release is as follows:

PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Since the installer script asks to report unrecognized distribution types through mail and there has not been any activity on this issue since April, I decided to follow that process as well. Adding this info for reference, findability and to prevent duplicate support mails.

ethindp commented 2 years ago

Any update on support for this version of Ubuntu? I would like to use Ossec Plus but am unable to do so at this time.

timbourne commented 2 years ago

I would also be very interested in getting a build (deb package) for ubuntu 22.04 as well.

bigtrucker89 commented 2 years ago

u22 binary builds are in the pipeline for next week

fchapotot commented 1 year ago

Looking forward, thanks!!!

ogmueller commented 1 year ago

Is anyone also providing Ubuntu 22.04 support in the Ubuntu repositories here: https://updates.atomicorp.com/channels/atomic/ubuntu/dists/.

vintury commented 1 year ago

Ubuntu 22.04 Jammy packages available by this link: https://updates.atomicorp.com/channels/atomic/ubuntu/jammy/amd64/

afunix commented 1 year ago

@vintury There is no dists/jammy, so the repo is incomplete.

E:The repository 'https://updates.atomicorp.com/channels/ossec/ubuntu jammy Release' does not have a Release file
W:Updating from such a repository can't be done securely, and is therefore disabled by default.

rkuijt commented 1 year ago

@afunix That repo seems to be a bit inconsistent. The packages for jammy are present but not under the dists path.

Quoting @vintury

> Ubuntu 22.04 Jammy packages available by this link: https://updates.atomicorp.com/channels/atomic/ubuntu/jammy/amd64/

If you look at that link, the deb files are actually present. The error seems to be there because apt expects the Release metadata file as well in order to verify the package signatures. Because of the absence of that file, the signatures can't be verified, hence the message: Updating from such a repository can't be done securely, and is therefore disabled by default.

The current workaround (that is used by the provided installer script) seems to be to ignore signature verification issues. This has some security implications for which I've opened an issue here: https://github.com/ossec/ossec-hids/issues/2068

If you'd like to replicate the behavior of the installer, you'd need this as your repository configuration:

deb [trusted=yes] https://updates.atomicorp.com/channels/atomic/ubuntu jammy/amd64/

I do think this is a less optimal solution than one where signatures for the packages would be provided through a Release file. But since there aren't any signatures present, this is currently the only way to fix the repository configuration.

Danrancan commented 1 year ago

> I would also be very interested in getting a build (deb package) for ubuntu 22.04 as well.

It's been much longer than next week. Any news on updates for Ubuntu 22.04? I want to install Ossec but it's not compatible with 22.04. Let me know how long I have to wait. Otherwise I guess I will have to resort to fail2ban in the meantime. Thanks.

P.S. I am trying to install the ARM version on the Raspberry Pi Version of Ubuntu.

libellux commented 1 year ago

You can still build it from source on ubuntu 22.04. I've done it myself and wrote a guide about it found here: https://libellux.com/ossec/. For ARM version @Danrancan use Raspbian where systemd is used and it should work.

Danrancan commented 1 year ago

> You can still build it from source on ubuntu 22.04. I've done it myself and wrote a guide about it found here: https://libellux.com/ossec/. For ARM version @Danrancan use Raspbian where systemd is used and it should work.

Thank you so much! As soon as I get around to building this I will let you know my findings!

ogmueller commented 1 year ago

Is it possible to provide the ubuntu (jammy) installation signed by GPG like most other repositories?

As @fchapotot mentioned, this is a security tool and "grabbing" it in an insecure manner seems very counterintuitive.

slithernix commented 1 year ago

Any updates on this? Ubuntu 22.04 has been the current LTS version of one of the most popular OSs on the planet for over a year now.

clausing commented 9 months ago

The issue for the last year or so has been the following:

W: Conflicting distribution: https://updates.atomicorp.com/channels/atomic/ubuntu jammy/amd64/ InRelease (expected jammy/amd64/ but got )

any plans to fix this?

Danrancan commented 5 months ago

@libellux

> You can still build it from source on ubuntu 22.04. I've done it myself and wrote a guide about it found here: https://libellux.com/ossec/. For ARM version @Danrancan use Raspbian where systemd is used and it should work.

Okay, NOW, I have finally created a cleanly installed Ubuntu Server 22.04, and am about to build this from source. However, is the link you posted to the build instructions correct? Your link directs to https://libellux.com/ossec/ shouldn't it be directing me to the github page https://github.com/libellux/Libellux-Up-and-Running/blob/master/docs/ossec/config/ubuntu_22.04.sh ?

I just want to make sure I am following the right tutorial. Let me know. Thanks.

Danrancan commented 5 months ago

Any updates on an Ubuntu 22.04 repository so I don't have to build from source?

atomicturtle commented 5 months ago

Yeah they've been out for a while now: https://updates.atomicorp.com/channels/atomic/ubuntu/jammy/amd64/

Danrancan commented 5 months ago

@libellux also what is the difference between the Server Installation, and the Agent installation? Do I need the server or agent? I'm running an Ubuntu 22.04 server. What should I be using?

Danrancan commented 5 months ago

> https://updates.atomicorp.com/channels/atomic/ubuntu/jammy/amd64/

Thank you, but I am using a Raspberry Pi 4 (aarch64). Do you know if they have any armV8 releases?

libellux commented 4 months ago

> @libellux also what is the difference between the Server Installation, and the Agent installation? Do I need the server or agent? I'm running an Ubuntu 22.04 server. What should I be using?

Depends of course on your set up. You always should have 1 server installation which manages the agents/clients, or if you just want to run it on a standalone machine you should go server installation. Summary, the server installation manages either itself and/or its clients.

If you need assistance you can reach me at https://www.ossec.net/join-us-on-slack/ my user name there is Fredrik Himersson and I'm more than happy to guide you

Danrancan commented 4 months ago

> > @libellux also what is the difference between the Server Installation, and the Agent installation? Do I need the server or agent? I'm running an Ubuntu 22.04 server. What should I be using?
>
> Depends of course on your set up. You always should have 1 server installation which manages the agents/clients, or if you just want to run it on a standalone machine you should go server installation. Summary, the server installation manages either itself and/or its clients.
>
> If you need assistance you can reach me at https://www.ossec.net/join-us-on-slack/ my user name there is Fredrik Himersson and I'm more than happy to guide you

Seems like the slack channel is closed. I just sent an email requesting membership. Thanks.

atomicturtle commented 4 months ago

I didn't see anything, but here is the invite link: https://join.slack.com/t/ossec/shared_invite/zt-2ijx9i8me-Jg8z0cxmAyxpzmtFFi5nmw

slithernix commented 4 months ago

amazingly they finally fixed the repo (sort of). you can actually apt install the packages now but on apt update still get:

W: Conflicting distribution: https://updates.atomicorp.com/channels/atomic/ubuntu jammy/amd64/ InRelease (expected jammy/amd64/ but got )

also, the atomic repo installer script uses legacy apt-key setup which causes another warning:

W: https://updates.atomicorp.com/channels/atomic/ubuntu/jammy/amd64/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
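
Added example (not part of any comment in this thread, and not code from OSSEC or the Atomicorp installer): a small audit for the two trust problems raised above, the `[trusted=yes]` entry that skips signature verification and entries that rely on the global legacy keyring instead of a per-repository `signed-by` key. The sample entries are constructed, and the keyring path `/etc/apt/keyrings/EXAMPLE-repo.gpg` is a placeholder, not a path the project documents.

```shell
#!/bin/sh
# Flag one-line apt source entries that weaken or widen package trust.
# Findings are printed as "<SEVERITY> <line number> <reason>".

audit_apt_sources() {
    # Reads sources.list-style text on stdin.
    awk '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    $1 != "deb" && $1 != "deb-src" { next }
    {
        opts = ""
        # Options are the bracketed block directly after the entry type.
        if ($2 ~ /^\[/ && match($0, /\[[^]]*\]/))
            opts = tolower(substr($0, RSTART + 1, RLENGTH - 2))
        n = split(opts, kv, /[ \t]+/)
        weak = 0; pinned = 0
        for (i = 1; i <= n; i++) {
            if (kv[i] == "trusted=yes") {
                print "HIGH", NR, "trusted=yes: signature verification is skipped"; weak = 1
            } else if (kv[i] == "allow-insecure=yes") {
                print "HIGH", NR, "allow-insecure=yes: unsigned repository accepted"; weak = 1
            } else if (kv[i] ~ /^signed-by=/) pinned = 1
        }
        if (!weak && !pinned)
            print "INFO", NR, "no signed-by: any key in the global apt keyrings can sign this repo"
    }'
}

# Constructed sample: the workaround entry from this thread, the same entry
# without options, and a variant pinned to a placeholder keyring file.
sample_sources() {
    cat <<'EOF'
# constructed sample entries for this example
deb [trusted=yes] https://updates.atomicorp.com/channels/atomic/ubuntu jammy/amd64/
deb https://updates.atomicorp.com/channels/atomic/ubuntu jammy/amd64/
deb [arch=amd64 signed-by=/etc/apt/keyrings/EXAMPLE-repo.gpg] https://updates.atomicorp.com/channels/atomic/ubuntu jammy/amd64/
EOF
}

sample_sources | audit_apt_sources
```

To check a real system, feed the function a file from /etc/apt/sources.list.d/ on stdin; deb822-style `.sources` files use a different syntax and are not parsed by this sketch.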

atomicturtle commented 4 months ago

Yes, "they" are :P

atomicturtle commented 4 months ago

U20-U24 arm64 and amd64 packages are available now. For existing systems you'll need to run the installer again to get the newer repo layout. The legacy repos will still be there but won't be maintained any more.

slithernix commented 3 months ago

nice work @atomicturtle