I created my own RPM for OSSEC. What I did: I downloaded the latest
snapshot from Mercurial and ran install.sh on a test machine.
Once installed, I created a tarball of the ossec directory and used it to
create an RPM.
In my case, the application has to be under /apps.
Here is my spec file:

%define name            ossec
%define release         2
%define version         26
%define prg             ossec
%define appsdir         /apps

BuildRoot:              %{_tmppath}/%{name}-%{version}-buildroot
Summary:                Ossec agent
License:                GPL
Name:                   %{name}
Version:                %{version}
Release:                %{release}
Source:                 %{name}-%{version}.tar.gz
Prefix:                 /
Autoreq:                0
Group:                  Development/Tools
Vendor:                 http://www.ossec.net
Packager:               InfoSec
Provides:               ossec
ExclusiveOS:            linux

%description
OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking, rootkit detection, time-based
alerting and active response.

%prep
%setup -q

%build
%define debug_package %{nil}
%define __strip /bin/true

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT
cp -r * $RPM_BUILD_ROOT

%pre
if ! id -g %{prg} > /dev/null 2>&1; then
  groupadd -r %{prg}
fi
if ! id -u %{prg} > /dev/null 2>&1; then
  useradd -g %{prg} -G %{prg}       \
        -d %{appsdir}/%{prg} \
        -r -s /sbin/nologin %{prg}
fi

%post
# Generate the ossec-init.conf template
echo "DIRECTORY=\"%{appsdir}/%{prg}\"" > %{appsdir}/%{prg}/etc/%{prg}-init.conf
echo "VERSION=\"v2.6\"" >> %{appsdir}/%{prg}/etc/%{prg}-init.conf
echo "DATE=\"`date`\"" >> %{appsdir}/%{prg}/etc/%{prg}-init.conf
echo "TYPE=\"agent\"" >> %{appsdir}/%{prg}/etc/%{prg}-init.conf

# Symlink
ln -sf %{appsdir}/%{prg}/etc/%{prg}-init.conf %{_sysconfdir}/%{prg}-init.conf

# Enable service
chkconfig --add %{name}
chkconfig %{name} off

%files
%defattr(-,root,root)
/etc/rc.d/init.d/ossec
%defattr(-,root,%{prg})
/apps/ossec/*
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/active-response
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/active-response/bin
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/bin
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/etc
%attr(770,%{prg},%{prg}) %dir %{appsdir}/%{prg}/etc/shared
%attr(750,%{prg},%{prg}) %dir %{appsdir}/%{prg}/logs
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/queue
%attr(750,%{prg},%{prg}) %dir %{appsdir}/%{prg}/queue/syscheck
%attr(770,%{prg},%{prg}) %dir %{appsdir}/%{prg}/queue/ossec
%attr(755,%{prg},%{prg}) %dir %{appsdir}/%{prg}/queue/rids
%attr(550,root,%{prg}) %dir %{appsdir}/%{prg}/var
%attr(770,root,%{prg}) %dir %{appsdir}/%{prg}/var/run

So far, it has been working very well for me. I can deploy this RPM
through our Puppet infrastructure.
And with 2.6, autoregistration is a very nice feature to have.

I created RPMs for x86_64 and i386 RHEL/CentOS 5 machines.

I hope it helps.

-Stephane



On 1/4/12 5:02 PM, "Joe S" <js.li...@gmail.com> wrote:

>A few people have mentioned that they were working on making RPMs for
>OSSEC, given the issues with the Atomic RPMs linked on the OSSEC
>download page. Have you had any success? Do you have a SPEC file you
>can share?
>
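
An added example, not part of the original post or of OSSEC: a check that compares the directory modes of an installed tree with the %attr lines of the spec file above, for use after a deployment. It assumes GNU stat (as on RHEL/CentOS); audit_ossec_modes and OSSEC_MODES are hypothetical names.

```shell
#!/bin/sh
# Added example: audit directory modes under an installed OSSEC tree against
# the %attr(...) %dir lines of the spec file in this post.
# Assumptions: GNU stat; audit_ossec_modes and OSSEC_MODES are hypothetical
# names, not part of OSSEC or rpm.

# "<mode> <path relative to the install root>", transcribed from %files.
OSSEC_MODES='550 .
550 active-response
550 active-response/bin
550 bin
550 etc
770 etc/shared
750 logs
550 queue
750 queue/syscheck
770 queue/ossec
755 queue/rids
550 var
770 var/run'

# audit_ossec_modes ROOT: print one line per deviation, return 1 if any.
audit_ossec_modes() {
    root=$1
    bad=0
    while read -r want rel; do
        dir="$root/$rel"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"; bad=1; continue
        fi
        have=$(stat -c '%a' "$dir")
        if [ "$have" != "$want" ]; then
            echo "MODE $dir have=$have want=$want"; bad=1
        fi
    done <<EOF
$OSSEC_MODES
EOF
    # None of the modes listed above set the world-writable bit;
    # flag any path under the tree that has it.
    ww=$(find "$root" ! -type l -perm -0002)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/WORLD-WRITABLE /'; bad=1
    fi
    return "$bad"
}

# Stand-alone use: sh audit.sh /apps/ossec
if [ "$#" -gt 0 ]; then audit_ossec_modes "$1"; fi
```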
