You are not logged in.

#1 2020-06-20 17:36:39

pk.gmp
Member
Registered: 2020-06-15
Posts: 23

ossec-hids (3.5.0 or 3.6.0) issues

Background:
In AUR, we see this package as version 3.5.0 (and at the time of this message already flagged outdated).  I was curious to try this package (regardless of version) but was unable to get it compiling (with v3.5.0). So I tried going to source and downloaded sources (for 3.5.0) and tried without PKGBUILD. It too fails (gcc warning that some variable is defined twice or so). I felt, it may be something to do with my machine (or perhaps something to do with gcc 10 in arch or so).

Next, I tried 3.6.0 sources which are available on same git repo (which is visibile from AUR package itself). For this I tweaked my local PKGBUILD file to pull 3.6.0 sources. Again, no luck. Finally after navigating through compiler warnings (and editing source code locally) I was able to build this package. My rudimentary analysis tells me that source code upstream wouldn't compile for non-windows system.

Issue fix in short is about best practice of not declaring variables in shared ".h" files.

Question for this forum:
How do we relay this feedback upstream? Is there anyone in touch with the upstream about the package?  Apologies, I don't have prior experience in this. Hence this post/request.

Offline

#2 2020-06-20 18:09:52

loqs
Member
Registered: 2014-03-06
Posts: 10,969

Re: ossec-hids (3.5.0 or 3.6.0) issues

With the following changes makepkg then fails in package()

$ git diff
diff --git a/PKGBUILD b/PKGBUILD
index f724d82..a629c4c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,7 +6,7 @@ pkgdesc="Open Source Host-based Intrusion Detection System"
 arch=('any')
 url="https://ossec.github.io/"
 license=('GPL2')
-depends=('openssl')
+depends=('openssl' 'libevent')
 optdepends=('geoip-database-extra')
 backup=('var/ossec/etc/ossec.conf'
         'var/ossec/etc/client.keys'
@@ -27,7 +27,7 @@ _preparevars() {
   export USER_NO_STOP=yes
   export USER_DIR=$_instdir
   export USER_BINARYINSTALL=x
-  export USE_GEOIP=1
+  export USE_GEOIP=0
 }
 
 build() {
@@ -40,6 +40,7 @@ build() {
   sed -i "s|^OSSEC_INIT.*|OSSEC_INIT=\"$pkgdir/etc/ossec-init.conf\"|" src/init/shared.sh
 
   cd src
+  export CFLAGS="$CFLAGS -fcommon"
   make TARGET=$USER_INSTALL_TYPE USE_GEOIP=$USE_GEOIP
 }
 
  grep -FRlZ "$startdir" "$pkgdir" | \
    xargs -0 -- sed -i "s|$startdir|/tmp/build|g"

Produces

sed: no input files

Commenting out the that line it then builds but it does not package the binary it built.
Porbably related to

Wait for success...
groupadd: cannot lock /etc/group; try again later.
make: *** [Makefile:402: install-common] Error 10
cp: cannot create regular file '/build/ossec-hids/pkg/ossec-hids//var/ossec/build/ossec-hids/pkg/ossec-hids/etc/ossec-init.conf': No such file or directory
chmod: cannot access '/build/ossec-hids/pkg/ossec-hids//var/ossec/build/ossec-hids/pkg/ossec-hids/etc/ossec-init.conf': No such file or directory

Full ossec-hids-3.5.0-1-x86_64-package.log

./src/init/shared.sh: line 24: hostname: command not found
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl)
./src/init/shared.sh: line 24: hostname: command not found
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl)

[H[2J[3J OSSEC HIDS v3.5.0 Installation Script - http://www.ossec.net
 
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 
  - System: Linux builduser 5.6.19-1-stable
  - User: root
  - Host: 


  -- Press ENTER to continue or Ctrl-C to abort. --

2- Setting up the installation environment.


    - Installation will be made at  /build/ossec-hids/pkg/ossec-hids//var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:    - What's your e-mail address? 
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: 
   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 
   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response
       
   - Do you want to enable active response? (y/n) [y]: 
     - Active response enabled.
   
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: 
     - firewall-drop enabled (local) for levels >= 6

   - 
      - 192.168.0.1

   - Do you want to add more IPs to the white list? (y/n)? [n]:    - IPs (space separated): 
  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 
   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
   
   
   --- Press ENTER to continue ---
                            

5- Installing the system
 - Running the Makefile
make settings
make[1]: Entering directory '/build/ossec-hids/src/ossec-hids-3.5.0/src'

General settings:
    TARGET:           server
    V:                
    DEBUG:            
    DEBUGAD:          
    PREFIX:           /build/ossec-hids/pkg/ossec-hids//var/ossec
    MAXAGENTS:        2048
    REUSE_ID:         no
    DATABASE:         
    ONEWAY:           no
    CLEANFULL:        no
User settings:
    OSSEC_GROUP:      ossec
    OSSEC_USER:       ossec
    OSSEC_USER_MAIL:  ossecm
    OSSEC_USER_REM:   ossecr
ZLIB settings:
    ZLIB_SYSTEM:      yes
    ZLIB_INCLUDE:     
    ZLIB_LIB:         os_zlib.a
PCRE2 settings:
    PCRE2_SYSTEM:     yes
    PCRE2_INCLUDE:    
Lua settings:
    LUA_PLAT:         posix
    LUA_ENABLE:       no
USE settings:
    USE_ZEROMQ:       no
    USE_GEOIP:        0
    USE_PRELUDE:      no
    USE_OPENSSL:      auto
    USE_INOTIFY:      no
    USE_SQLITE:       
    USE_PCRE2_JIT:    yes
Mysql settings:
    includes:         
    libs:             
Pgsql settings:
    includes:         
    libs:             
Defines:
    -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/build/ossec-hids/pkg/ossec-hids//var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBOPENSSL_ENABLED
Compiler:
    CFLAGS          -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -I./external/compat -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR="/build/ossec-hids/pkg/ossec-hids//var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBOPENSSL_ENABLED -Wall -Wextra -I./ -I./headers/
    LDFLAGS         -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -lm -lpthread -lpcre2-8 -lssl -lcrypto -lz
    CC              cc
    MAKE            make
make[1]: Leaving directory '/build/ossec-hids/src/ossec-hids-3.5.0/src'

Done building server

./init/adduser.sh ossec ossecm ossecr ossec /build/ossec-hids/pkg/ossec-hids//var/ossec
Wait for success...
groupadd: cannot lock /etc/group; try again later.
make: *** [Makefile:402: install-common] Error 10
cp: cannot create regular file '/build/ossec-hids/pkg/ossec-hids//var/ossec/build/ossec-hids/pkg/ossec-hids/etc/ossec-init.conf': No such file or directory
chmod: cannot access '/build/ossec-hids/pkg/ossec-hids//var/ossec/build/ossec-hids/pkg/ossec-hids/etc/ossec-init.conf': No such file or directory


 - Unknown system. No init script added.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /build/ossec-hids/pkg/ossec-hids//var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /build/ossec-hids/pkg/ossec-hids//var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /build/ossec-hids/pkg/ossec-hids//var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at https://github.com/ossec/ossec-hids or using
    our public maillist at  
    https://groups.google.com/forum/#!forum/ossec-list

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---
    

 - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /build/ossec-hids/pkg/ossec-hids//var/ossec/bin/manage_agents

   More information at: 
   http://www.ossec.net/en/manual.html#ma


 - No action was made to configure the OSSEC HIDS to start
   during the boot. Add the following line to your init script: 

      /build/ossec-hids/pkg/ossec-hids//var/ossec/bin/ossec-control start

The AUR package maintainer may be upstream or in contact with upstream.

The PKGBUILD appears to have multiple issues beyond being out of date.

The upstream Makefile and shellscript layout is not familiar to me it making it impossible for me to determine if there are any issues that could be classed as upstream rather than packing / integration without spending more time working through it.
Edit:
https://github.com/ossec/ossec-hids/pull/1875 should fix -fno-common

Last edited by loqs (2020-06-20 21:39:32)

Offline

#3 2020-06-21 05:25:18

pk.gmp
Member
Registered: 2020-06-15
Posts: 23

Re: ossec-hids (3.5.0 or 3.6.0) issues

Thanks,

I also see following bug report filed https://github.com/ossec/ossec-hids/issues/1886. As mentioned, I somehow got these sources compiling, but it needed a few non trivial changes. It will benefit everyone if upstream fixes correctly.

Offline

#4 2020-06-21 12:38:11

loqs
Member
Registered: 2014-03-06
Posts: 10,969

Re: ossec-hids (3.5.0 or 3.6.0) issues

Were you able to get your PKGBUILD to build in clean chroot?

Offline

#5 2020-06-22 20:12:15

pk.gmp
Member
Registered: 2020-06-15
Posts: 23

Re: ossec-hids (3.5.0 or 3.6.0) issues

loqs wrote:

Were you able to get your PKGBUILD to build in clean chroot?

No, I didn't know about this until now. My way was brute force. Looked at each compiler warning, went into source code, modified files and repeat till zero compilation errors. Ended up modifying a bunch of .h and .c files. I personally don't find it clean way. I think it is best if upstream provides clean sources rather than asking us https://github.com/ossec/ossec-hids/issues/1886 to take patches on top of marked stable releases.

Last edited by pk.gmp (2020-06-22 20:13:09)

Offline

#6 2020-06-22 21:04:21

loqs
Member
Registered: 2014-03-06
Posts: 10,969

Re: ossec-hids (3.5.0 or 3.6.0) issues

I agree but in the alternative that an issue free release is not available patches can be applied in the prepare function.

There appear to be other issues with the PKGBUILD that are not from upstream

arch=('any')

As the package is building and installing architecture specific binaries this is wrong.

depends=('openssl')

missing libevent

install=ossec.install
post_install() {
  getent group ossec >/dev/null || groupadd -g 525 ossec
  getent passwd ossec >/dev/null || useradd -u 524 -g ossec -d '/var/ossec' -s /bin/false ossec
  getent passwd ossecm >/dev/null || useradd -u 525 -g ossec -d '/var/ossec' -s /bin/false ossecm
  getent passwd ossecr >/dev/null || useradd -u 526 -g ossec -d '/var/ossec' -s /bin/false ossecr

  echo ">> Documentation: https://ossec.github.io/docs/"
}

post_upgrade() {
  post_install $1
}

# arg 1:  the old package version
post_remove() {
  userdel ossec &>/dev/null
  userdel ossecm &>/dev/null
  userdel ossecr &>/dev/null
  groupdel ossec &>/dev/null
}

Users and groups should be be created by a sysusers.d snippet and should never be automatically removed see https://www.archlinux.org/todo/usergroup-management/

The last one is a mixture of upstream / packaging

  USER_DIR="$pkgdir/$_instdir" ./install.sh

The shell scipt ends up calling useradd in package which can not work and would be wrong if it did as the build machines users are not the target machines users.
As the upstream makefile does not provide a standard make install target it might be easier to use install / cp to place everything in $pkgdir.

Offline

Board footer

Powered by FluxBB