Debian, ISPconfig and OSSEC - read this first!

Discussion in 'Tips/Tricks/Mods' started by Clouseau, Jan 6, 2015.

  1. Clouseau

    Clouseau Member

    If you want to install OSSEC-HIDS to your ISPConfig server this is a quick how to. This is relevant for those who are installing ossec after ISPconfig install.
    The deb packages for Debian which are stated here http://www.ossec.net/?p=1051#comment-588 and then here http://www.ossec.net/?page_id=19 are not good. In postinst scripts they use useradd and groupadd scripts which doesn't comply Debian policy. The correct ones are adduser and addgroup, they follow Debian policy and include proper creating of newly created UIDs and GIDs. If you install those packages your ISPConfig will get in trouble becase it creates a ossec users in ispconfig range. It doesn't matter if you put in IPSConfig panel at System -> Server config some other range ie. 10000 or 20000 which ISPconfig uses for creating new users because newly created OSSEC users gonna have an UID and GID in that range. So here is the proper way on installing ossec-hids:

    1) go to http://www.ossec.net/?page_id=19 and click on AlienVault repository which will lead you here http://ossec.alienvault.com/repos/apt/debian/pool/main/o/ossec-hids/. Do not add mirror to your apt sources.list we will download package manually, this is important. Do not add mirror even after install because updates gonna problably brake somethiing. You can add mirror when they fix the postinst scripts to use adduser and addgroup.
    2) download manually deb package with wget to /tmp
    wget -P /tmp http://ossec.alienvault.com/repos/a...ossec-hids/ossec-hids_2.8.1-1wheezy_amd64.deb
    3)create temp directory in /tmp and decompress package with dpkg-deb to /tmp/ossec_tmp
    mkdir /tmp/ossec_tmp
    dpkg-deb -R ossec-hids_2.8.1-1wheezy_amd64.deb /tmp/ossec_tmp
    4) edit file /tmp/ossec_tmp/DEBIAN/postinst and replace parts where it creates group and users with this bolds parts bellow:
    if ! getent group | grep -q "^ossec"
    then
    addgroup --system ossec
    fi
    if ! getent passwd | grep -q "^ossec"
    then
    adduser --system --no-create-home --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER}
    fi
    if ! getent passwd | grep -q "^ossecm"
    then
    adduser --system --no-create-home --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER_MAIL}
    fi
    if ! getent passwd | grep -q "^ossecr"
    then
    adduser --system --no-create-home --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER_REM}
    fi
    5) go to /tmp and then create deb package:
    dpkg-deb --build /tmp/ossec_tmp/ ossec-hids_FIXED__2.8.1-1wheezy_amd64.deb
    6) now you have your ossec-hids debian package
    ------------------------INSTALLATION-------------------
    install two dependencies: apt-get install expect tcl8.5
    and then install ossec-hids dpkg -i /tmp/ossec-hids_FIXED__2.8.1-1wheezy_amd64.deb
    You gonna see this "Not creating home directory `/var/ossec/'", and you ignore it. When first user is created, his home is created so when createing other two users its gonna post a message Not creating home directory... I could omit it with "--quiet" switch on creating other 2 users but better to see output to know all is good :)

    And thats it, you can now configure and tune your OSSEC to suit your needs,turn on active-responses etc, which logs to watch and etc. After ispconfig install and now when ossec-hids is installed, my system UIDs and GIDs are:
    /etc/passwd
    ossec:x:117:120::/var/ossec/:/bin/false
    ossecm:x:118:120::/var/ossec/:/bin/false
    ossecr:x:119:120::/var/ossec/:/bin/false
    /etc/group
    ossec:x:120:
     
    Last edited: Jan 6, 2015

Share This Page