ebuild for OSSEC-HIDS required

Corvinian · n00b Joined: 07 Sep 2007 Posts: 42 Location: Europe

Hello,

I require an ebuild for OSSEC - Host Intrusion Detection System.
http://www.ossec.net/

there was a thread about OSSEC-HIDS in Gentoo Forum:
https://forums.gentoo.org/viewtopic-t-487233-highlight-ossec.html

and also a Bugzilla-Entry:
https://bugs.gentoo.org/show_bug.cgi?id=143233

but there's currently no (official) ebuild.

AFAIK there has been an ebuild on Stuart Herbert's Overlay via
'layman -a stuart-server'. Problem is the overlay does not exist anymore.

'wget http://www.gentoo.org/proj/en/overlays/layman-global.txt'

Caiman · Tux's lil' helper Joined: 01 Jul 2007 Posts: 93

https://ossec.github.io/downloads.html
Latest Stable Release (2.9.1)
So .. after ~10 years ...does it worth for ebuild ?

pjp · Administrator Joined: 16 Apr 2002 Posts: 20588

The current bug opened in 2015 and last updated in 2016 is https://bugs.gentoo.org/545788

Based on that and its references along with the references in the 10 year old original post, it doesn't appear anyone as been able to create an ebuild. Efforts have seemed to start and go nowhere, so maybe no one who has tried has been able.

Do you know how to install it on Gentoo without an ebuild? Those details might help someone to create an ebuild.
_________________
Quis separabit? Quo animo?

Caiman · Tux's lil' helper Joined: 01 Jul 2007 Posts: 93

wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
cd ossec-hids-*
./install.sh

#review /edit
/var/ossec/etc/ossec.conf

rc-service ossec start

rc-service ossec status
* /etc/init.d/ossec uses runscript, please convert to openrc-run.
* Use of the opts variable is deprecated and will be
* removed in the future.
* Please use extra_commands, extra_started_commands or extra_stopped_commands.
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

pjp · Administrator Joined: 16 Apr 2002 Posts: 20588

That install script appears to bypass any package management.

I've been curious about OSSEC in the past, so I started looking around. I've only built a few very simple ebuilds, so for me, the requirements needed to make an ebuild do not appear to be at all simple.

At a minimum, the items here need to be addressed, and there appear to be others as well. Apparently an install can be of 4 different types (server/agent/hybrid/local), so probably more than one ebuild is required. Documentation for installing from source is not as good as it could be (or certainly not as straight forward as I'd need to get it done any time soon).

Another possibility to consider would be using another packaged format. I know there is some capability for Portage to use RPMs, not sure about apt packages.

And I just came across a series of posts from 2015 by a forum moderator, admin and a Gentoo developer. You can read those comments in this thread. With that in mind, I'm calling this one beyond my time and current interest level to try creating.
_________________
Quis separabit? Quo animo?

Caiman · Tux's lil' helper Joined: 01 Jul 2007 Posts: 93

https://github.com/ossec/ossec-hids/releases/tag/3.0.0

Caiman · Tux's lil' helper Joined: 01 Jul 2007 Posts: 93

Latest Stable Release (3.2.0)
https://www.ossec.net/downloads.html

Caiman · Tux's lil' helper Joined: 01 Jul 2007 Posts: 93

https://packages.gentoo.org/packages/net-analyzer/ossec-hids <-- 3.1 here