Skip to content

Commit

Permalink
Merge pull request #1056 from atomicturtle/2.9-docs
Browse files Browse the repository at this point in the history
2.9 docs
  • Loading branch information
ddpbsd authored Feb 8, 2017
2 parents c664ef1 + 083a5f4 commit 7e402ff
Show file tree
Hide file tree
Showing 11 changed files with 183 additions and 47 deletions.
16 changes: 10 additions & 6 deletions BUGS
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
OSSEC v2.8
Copyright (C) 2014 Trend Micro Inc.
OSSEC v2.9
Copyright (C) 2017 Trend Micro Inc.


** Reporting bugs **

Bugs should be sent to the OSSEC mailling list
([email protected]). Please, make sure to include
the following information:
Please, make sure to include the following information:

-OSSEC version number.
-Content of /etc/ossec-init.conf
Expand All @@ -16,5 +14,11 @@ the following information:
-Any other relevant information.



Github (Public Issue Reporting):
https://github.com/ossec/ossec-hids/issues

Email (Private Issue Reporting):
If you prefer to contact us privately or if it is a security
issue, send an e-mail to OSSEC Project ( [email protected] ).
issue, send an e-mail to OSSEC Project ( [email protected] ).

94 changes: 90 additions & 4 deletions CHANGELOG
Original file line number Diff line number Diff line change
@@ -1,8 +1,94 @@
OSSEC changelog.
OSSEC changelog (2.9.0) <[email protected]>

Release Maintainers

Changes at the -latest version
* Feature: Added hourly and daily options to the logcollecor frequency.
* Bug fix: Glob() implementation on logcollector.
Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)

Whats New
Alert Output support for JSON and ZeroMQ
Syscheck improvements
Report file deletion, even without realtime enabled
Report modifications made on directories
Corrects bug so that files created between the first and second scan are reported as new files
Corrects bug that made changes reverting a file to the state it was in when ossec started unreported
Avoids computing hashes multiple times to improve performance
Make the time between two syscheck wakeups configurable in internal_options
Add support for the “nodiff” option when using report_changes, sensitive files tagged with in ossec.conf will not have their contents included in an alert.
IPv6 support
Support to call an external mailer. This solves the problem of supporting encryption when sending mail alerts in OSSEC. The <smtp_server> field can now be prepended with “/” to designate a local binary. Example: “<smtp_server>/usr/sbin/sendmail -t</smtp_server>”.
Slack notification support



New Rules / Decoders

PR#572: Rules/Decoders, Better Dropbear events detection
PR#602: Rules/Decoders, Add dropbear_rules and unbound_rules
PR#604: Rules/Decoders,sid 5300 incorrectly alerts on OS X
PR#607, Rules/Decoders, Update syslog_rules for OSX false positive
PR#611: Rules/Decoders, Sysmon decoder update, This should better support Windows 2003 R2.
PR#643, Rules/Decoders, update to IIS decoder
PR#654, Rules/Decoders, update to the vsftpd decoder
PR#668: Rules/Decoders, Fix for Cisco PIX decoder, ms-se_rules.xml, msauth_rules.xml
PR#721: Rules/Decoders, Update for sytemd rules to add support for new program_name, systemctl
PR#746: Rules/Decoders, Update to the apache decoders to handle Apache 2.4 events more gracefully
PR#755: Rules/Decoders, Update to ssh rules. Adds rules 5750-5753 to dedect client, protocol, and hostkey events
PR#762: Rules/Decoders, Update to ssh rules. Associates 5751 with 5700 instead of 1002
PR#763: Rules/Decoders, Add rules for OpenBSD smtpd
PR#774: Rules/Decoders, Add OpenBSD smtpd rules
PR#787: Rules/Decoders, Update to OpenBSD smtpd decoder to not conflict with postfix
PR#786: Rules/Decoders, SSH Rule improvements
PR#799: Rules/Decoders, Add rule for users not in sudoers
PR#803: Rules/Decoders, Add additional sshd decoders for ssh-pam & ssh invalid auth requests

General

PR #2, Output, Adds ZeroMQ and Json output support
PR #4, Authd, Bugfix for Openssl operations on non-blocking socket
PR #563: IPv6 support
PR #599, Allow for the log format in proftpd 1.3.5+
PR #610: Execd, Reduce system load caused by simultaneous active response processes during ossec stop. #610
PR #615: Adds support for Binding src IP to ‘local_ip’ config value in agentd. In mulihomed host environment we have a big problem with binding agent to correct ip. By default agentd used ip-addr of interface, from which sented ip-packets.
PR #617: Agentd, Add CLIENT to DEFINES for winagent target #617 Bugfix #595
PR #622: Fix for CVE-2015-3222
PR #631, Log failure when ossec fails to remove a PID file
PR #652, Syscheck, add support for the “-t” flag to display XML parsing errors in agent.conf on agents
PR #657: Syscheck, Allows scanning of directories with , in the name. Let directory check_something=”no” options to work. This means you can do instead of listing out all the ones you want to use.
PR #670: Syscheck, Bugfix for report_changes
PR #689: Maild, add support to call an external MTA to send alert emails. The smtp_server setting can now be written as “/usr/sbin/sendmail -t”
PR #690: Cleanup for building on OSX
PR #691: adds support for syslog messages that prepend the year, ie: “2015 Nov 13 ....”
PR #696: Bugfix for OpenBSD sendto() sockaddr length restrictions.
PR #699: Encompassing only complete statements with conditional directives.
PR #717: Active Response, add Slack (www.slack.com) notification support
PR #720: Fixes for the statfs error spam
PR #724: Authd, bugfix for issue #642, This brings ossec-authd into parity with whatever the MAX_AGENTS is set at build time
PR #726: Make syslog/cef consistent with json/splunk and add classification field to alerts.
PR #727: Maild, Add support for “email_reply_to”. This allows configuing the Reply-To: field in email alerts sent from ossec-maild
PR #740: Remoted, bugfix for issue #739, Ossec will now report the agent ID of the agent that tries to conect
PR #744: Syscheck, Bugfix for issue #42, corrects issue on windows that would produce an incorrect hash
PR #749: Windows, Changed Makefile to use Windows subsystem only wth UI manager
PR #750: Analysisd, Fixes glob() impelemtation bug, adds Hourly/Daily options to logcollector, improved dfalts to analysisd diff alerts.
PR #751: Add simple python rule updater script
PR #754: Install.sh, Bugfix for OpenBSD adduser support
PR #765: Syscheck, add “nodiff” support. Sensitive data may leak through the diff attached to alerts when some file changes. This pull request add a nodiff option, which allows to explicitely set files for which we never want to output a diff.
PR #768: Analysisd, Bugfix for Issue #767, increase of value for stats
PR #770: Database support, Postgres support updates
PR #781: Syscheck, Bugfix for Issue #780
PR #788: System Audit, Add PCI DSS tags to RHEL/CentOS/Cloudlinux auditing tests
PR #789: Install.sh, Use ls for file existance checks, for cross platform compatibility
PR #791: Syscheck, add /boot to default directories. Fix for Issue #675
PR #797: Rootcheck, Remove legacy rootcheck options
PR #798: System Audit, Add RHEL/CentOS/Cloudlinux 7 CIS benchmarks
PR #802: Database support, Allow for longer entries in the system informtaion column
PR #849 Format string security fix
PR #864 Fix ossec-logtest to chroot when testing check_diff rules
PR #870 Fix installer permissions on the etc/shared directory
PR #878 Fix version field to correctly report "2.9.0" instead of 2.8.3
PR #909 Bugfix for decoders.d/rules.d logtest
PR #920 Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP
PR #923 Security fix for SQLi in al_data->location
PR #926 Rootcheck, updates or EL7
PR #945 Remove debug message
PR #986 - Prevent manage_agents from chrooting in bulk mode
6 changes: 3 additions & 3 deletions CONFIG
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
OSSEC v2.8
Copyright (C) 2014 Trend Micro Inc.
OSSEC v2.9.0
Copyright (C) 2017 Trend Micro Inc.


= Information about OSSEC =
Expand All @@ -16,4 +16,4 @@ See INSTALL

Just follow the steps from the install.sh script.
More information at
http://www.ossec.net/doc/manual/index.html
https://ossec-docs.readthedocs.io/en/latest/manual/index.html
10 changes: 5 additions & 5 deletions CONTRIBUTORS
Original file line number Diff line number Diff line change
@@ -1,20 +1,20 @@
OSSEC v2.8
Copyright (C) 2014 Trend Micro Inc.
OSSEC v2.9.0
Copyright (C) 2017 Trend Micro Inc.

Many thanks to everyone who contributed and helped with
the ossec project. Below is the list of all the people
who helped us since our first release (0.1).
(if you feel you should be here, but it is not, let us know).
(if you feel you should be here, but it is not, let [email protected] know).

-Development
- Daniel B. Cid <[email protected]>
- Dan Parriott <[email protected]>
- Jeremy Rossi <[email protected]>
- Michael Starks
- Dan Parriott <[email protected]>
- Meir Michanie <[email protected]>
- Slava Semushin <[email protected]>
- Ahmet Ozturk <[email protected]>
- Scott R. Shinn
- Scott R. Shinn <[email protected]
- George Kargiotakis
- Jason Stelzer
- Xavier Mertens
Expand Down
4 changes: 2 additions & 2 deletions INSTALL
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
OSSEC v2.8
Copyright (C) 2014 Trend Micro Inc.
OSSEC v2.9.0
Copyright (C) 2017 Trend Micro Inc.


= Information about OSSEC =
Expand Down
2 changes: 1 addition & 1 deletion LICENSE
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

Copyright (C) 2003 - 2013 Trend Micro Inc. All rights reserved.
Copyright (C) 2003 - 2017 Trend Micro Inc. All rights reserved.

OSSEC HIDS is a free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
OSSEC v2.8 Copyright (C) 2014 Trend Micro Inc.
OSSEC v2.9 Copyright (C) 2017 Trend Micro Inc.

# Information about OSSEC

Expand Down Expand Up @@ -28,7 +28,7 @@ The development version is hosted on GitHub and just a simple git clone away.
## Quick install

```
$ (ossec_version="2.8.2" ; ossec_checksum="a0f403270f388fbc6a0a4fd46791b1371f5597ec" ; cd /tmp/ && wget https://github.com/ossec/ossec-hids/archive/${ossec_version}.tar.gz && mv ${ossec_version}.tar.gz ossec-hids-${ossec_version}.tar.gz && checksum=$(sha1sum ossec-hids-${ossec_version}.tar.gz | cut -d" " -f1); if [ $checksum == $ossec_checksum ]; then tar xfz ossec-hids-${ossec_version}.tar.gz && cd ossec-hids-${ossec_version} && sudo ./install.sh ; else "Wrong checksum. Download again or check if file has been tampered with."; fi)
$ (ossec_version="2.9.0" ; ossec_checksum="a0f403270f388fbc6a0a4fd46791b1371f5597ec" ; cd /tmp/ && wget https://github.com/ossec/ossec-hids/archive/${ossec_version}.tar.gz && mv ${ossec_version}.tar.gz ossec-hids-${ossec_version}.tar.gz && checksum=$(sha1sum ossec-hids-${ossec_version}.tar.gz | cut -d" " -f1); if [ $checksum == $ossec_checksum ]; then tar xfz ossec-hids-${ossec_version}.tar.gz && cd ossec-hids-${ossec_version} && sudo ./install.sh ; else "Wrong checksum. Download again or check if file has been tampered with."; fi)
```

Expand Down
19 changes: 13 additions & 6 deletions src/addagent/main.c
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,9 @@ int main(int argc, char **argv)
int ret;
#endif

extern int willchroot;
willchroot = 1;

/* Set the name */
OS_SetName(ARGV0);

Expand Down Expand Up @@ -138,6 +141,7 @@ int main(int argc, char **argv)
ErrorExit("%s: -f needs an argument.", ARGV0);
}
cmdbulk = optarg;
willchroot = 0;
printf("Bulk load file: %s\n", cmdbulk);
break;
case 'l':
Expand Down Expand Up @@ -168,13 +172,16 @@ int main(int argc, char **argv)
ErrorExit(SETGID_ERROR, ARGV0, group, errno, strerror(errno));
}

/* Chroot to the default directory */
if (Privsep_Chroot(dir) < 0) {
ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno));
}

/* Inside chroot now */
nowChroot();
if(willchroot > 0) {

/* Chroot to the default directory */
if (Privsep_Chroot(dir) < 0) {
ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno));
}

nowChroot();
}

/* Start signal handler */
StartSIG2(ARGV0, manage_shutdown);
Expand Down
37 changes: 28 additions & 9 deletions src/addagent/manage_agents.c
Original file line number Diff line number Diff line change
Expand Up @@ -82,17 +82,26 @@ int add_agent()
os_ip c_ip;
c_ip.ip = NULL;

char authfile[257];

if(willchroot > 0) {
snprintf(authfile, 256, "%s", AUTH_FILE);
} else {
const char *dir = DEFAULTDIR;
snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE);
}

/* Check if we can open the auth_file */
fp = fopen(AUTH_FILE, "a");
fp = fopen(authfile, "a");
if (!fp) {
ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno));
}
fclose(fp);


#ifndef WIN32
if (chmod(AUTH_FILE, 0440) == -1) {
ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
if (chmod(authfile, 0440) == -1) {
ErrorExit(CHMOD_ERROR, ARGV0, authfile, errno, strerror(errno));
}
#endif

Expand Down Expand Up @@ -244,12 +253,12 @@ int add_agent()
time3 = time(0);
rand2 = random();

fp = fopen(AUTH_FILE, "a");
fp = fopen(authfile, "a");
if (!fp) {
ErrorExit(FOPEN_ERROR, ARGV0, KEYS_FILE, errno, strerror(errno));
}
#ifndef WIN32
chmod(AUTH_FILE, 0440);
chmod(authfile, 0440);
#endif

/* Random 1: Time took to write the agent information
Expand Down Expand Up @@ -295,6 +304,16 @@ int remove_agent()
char u_id[FILE_SIZE + 1];
int id_exist;

extern int willchroot;
char authfile[257];
if(willchroot > 0) {
snprintf(authfile, 256, "%s", AUTH_FILE);
} else {
const char *dir = DEFAULTDIR;
snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE);
}


u_id[FILE_SIZE] = '\0';

if (!print_agents(0, 0, 0)) {
Expand Down Expand Up @@ -353,13 +372,13 @@ int remove_agent()
return (1);
}

fp = fopen(AUTH_FILE, "r+");
fp = fopen(authfile, "r+");
if (!fp) {
free(full_name);
ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno));
}
#ifndef WIN32
chmod(AUTH_FILE, 0440);
chmod(authfile, 0440);
#endif

/* Remove the agent, but keep the id */
Expand Down
3 changes: 3 additions & 0 deletions src/addagent/manage_agents.h
Original file line number Diff line number Diff line change
Expand Up @@ -139,3 +139,6 @@ extern fpos_t fp_pos;
#define GMF_BUFF_ERROR ARGV0 ": Could not get path because it is too long and was shrunk by (%d) characters with a max of (%d).\n"
#define GMF_UNKN_ERROR ARGV0 ": Could not run GetModuleFileName which returned (%ld).\n"

/* Do we chroot? */
int willchroot;

35 changes: 26 additions & 9 deletions src/addagent/manage_keys.c
Original file line number Diff line number Diff line change
Expand Up @@ -221,9 +221,18 @@ int k_extract(const char *cmdextract)
}

/* Try to open the auth file */
fp = fopen(AUTH_FILE, "r");
char authfile[257];
extern int willchroot;
if(willchroot > 0) {
snprintf(authfile, 256, "%s", AUTH_FILE); //XXX
} else {
const char *dir = DEFAULTDIR;
snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE); //XXX
}

fp = fopen(authfile, "r");
if (!fp) {
ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno));
}

if (fsetpos(fp, &fp_pos)) {
Expand Down Expand Up @@ -286,9 +295,17 @@ int k_bulkload(const char *cmdbulk)
}

/* Check if we can open the auth_file */
fp = fopen(AUTH_FILE, "a");
char authfile[257];
if(willchroot > 0) {
snprintf(authfile, 256, "%s", AUTH_FILE); //XXX
} else {
const char *dir = DEFAULTDIR;
snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE); //XXX
}

fp = fopen(authfile, "a");
if (!fp) {
ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno));
}
fclose(fp);

Expand All @@ -309,8 +326,8 @@ int k_bulkload(const char *cmdbulk)
strncpy(name, trimwhitespace(token), FILE_SIZE - 1);

#ifndef WIN32
if (chmod(AUTH_FILE, 0440) == -1) {
ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
if (chmod(authfile, 0440) == -1) {
ErrorExit(CHMOD_ERROR, ARGV0, authfile, errno, strerror(errno));
}
#endif

Expand Down Expand Up @@ -373,13 +390,13 @@ int k_bulkload(const char *cmdbulk)
time3 = time(0);
rand2 = random();

fp = fopen(AUTH_FILE, "a");
fp = fopen(authfile, "a");
if (!fp) {
ErrorExit(FOPEN_ERROR, ARGV0, KEYS_FILE, errno, strerror(errno));
}
#ifndef WIN32
if (chmod(AUTH_FILE, 0440) == -1) {
ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno));
if (chmod(authfile, 0440) == -1) {
ErrorExit(CHMOD_ERROR, ARGV0, authfile, errno, strerror(errno));
}
#endif

Expand Down

0 comments on commit 7e402ff

Please sign in to comment.