OSSEC Installation

I was wondering if someone knew a little bit about OSSEC installation in openSUSE 13.1.

I have downloaded, compiled, and installed the program from source with no issue. I then issued the command to start the service, which also gave no problem. Upon restart of my system, my login screen now has 3 additional names all having to do with the OSSEC program (ossec, etc.). When I log in to my original account, which I made during the installation, everything works fine, but I have to manually instruct the program to run each time I log on. I was wondering if somebody can identify an error I made in the installation that would prevent it from automatically starting, and if not, a reference on how to set up a run script on openSUSE to run the program each time the computer starts up and I log on to the account.

Below I have included the step-by-step instructions I gave in the terminal to download, compile, and install the program. Perhaps I failed to notice an OS-specific instruction that would have prevented my issue.

    cd /tmp
    wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
    wget http://www.ossec.net/files/ossec-hids-latest_checksum.txt
    cat ossec-hids-latest_checksum.txt
    md5sum ossec-hids-*.tar.gz
    sha1sum ossec-hids-*.tar.gz
    tar -zxvf ossec-hids-*.tar.gz
    cd ossec-hids-*
    ./install.sh

Hi
Looking at an OBS build the ossec users were not created with the -s option (system users) so they don’t show up as normal users…

https://build.opensuse.org/package/view_file/home:deadpoint/ossec-hids/ossec.spec?expand=1

Perhaps it created new users. Look in /home and see if you have some new user directories.

Is there a way to prevent them from showing up during an installation and also have OSSEC start normally at every system startup without having to create a separate script?

On Sun 26 Jan 2014 06:16:01 AM CST, BMor wrote:

> Is there a way to prevent them from showing up during an installation
> and also have OSSEC start normally at every system startup without
> having to create a separate script?

Hi
Modify the install script to set as system users, does it not have an
init script or a systemd service file?


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.2 Kernel 3.11.6-4-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

I originally just followed their instructions on how to compile and where to install the program. During this normal installation I receive the message that the “init” file has been modified to boot the program at startup, but it does not boot at startup. It now creates four separate IDs, none of which can be logged in. When I start my system, I can re-enter the start command in the terminal, and the program starts normally. On other Linux OS builds, the installation does not cause any of these issues, and I am having trouble identifying why this happens in openSUSE, and how to prevent it. Nevertheless, as I said above, the “init” file is modified to start the program at startup automatically, yet this does not happen.

Hi
Because openSUSE 13.1 doesn’t use init files any more, it uses systemd. However, some init files do work but may need tweaking.

Other systems use different ways to implement system users I guess, it also depends on what the developer develops on, no different than, for instance, someone using openSUSE and then a Debian user having difficulties installing, each may/may not need adapting…
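
An added example, not part of the thread and not OSSEC's own scripts, for the two points raised above: accounts created as regular rather than system users, and systemd not picking up the modified init script. The first function lists `ossec*` accounts at or above the regular-user UID floor; the second writes a unit that wraps OSSEC's control script. The `/var/ossec` prefix, the 1000 UID floor, the unit file location and the sample passwd entries are assumptions.

```shell
#!/bin/sh
# Added example; install prefix, UID floor and sample data are assumptions.

# List ossec* accounts whose UID is at or above the regular-user floor,
# i.e. accounts that were not created as system users.
# $1 = passwd-format file, $2 = UID floor (default 1000)
ossec_regular_accounts() {
    awk -F: -v min="${2:-1000}" \
        '$1 ~ /^ossec/ && ($3 + 0) >= (min + 0) { print $1 }' "$1"
}

# Write a systemd unit that wraps OSSEC's own start/stop script.
# oneshot + RemainAfterExit suits a script that launches several daemons.
# $1 = destination file, $2 = OSSEC install directory (default /var/ossec)
write_ossec_unit() {
    dir="${2:-/var/ossec}"
    cat > "$1" <<EOF
[Unit]
Description=OSSEC HIDS
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$dir/bin/ossec-control start
ExecStop=$dir/bin/ossec-control stop

[Install]
WantedBy=multi-user.target
EOF
}

# Constructed sample passwd entries (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Desktop user:/home/alice:/bin/bash
ossec:x:1001:1001::/var/ossec:/bin/false
ossecm:x:1002:1001::/var/ossec:/bin/false
ossecr:x:480:1001::/var/ossec:/bin/false
EOF
}

# As root, after reviewing the output of ossec_regular_accounts /etc/passwd:
#   write_ossec_unit /etc/systemd/system/ossec.service
#   systemctl daemon-reload && systemctl enable ossec.service
```
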

Hi
And re-looking at this user’s spec file on the building, it would appear that using the install.sh is not appropriate, or needs modifying for openSUSE;
https://build.opensuse.org/package/view_file/home:deadpoint/ossec-hids/ossec.spec?expand=1

In the above user’s repository, do you see anything untoward with it to not use this build?

I am sorry, but I do not understand your question. Specifically, I don’t know what you mean by “untoward.” You say the above user’s repository. Is there a repository available with OSSEC already on it?

Nevertheless, I appreciate your help.

What Malcolm is saying is that there’s a ready built package for openSUSE: http://software.opensuse.org/package/ossec-hids
Chances are that the user who built this package already solved the issues you are meeting right now. I suggest you uninstall what you have installed so far, then install the package and see if the situation improves.

On Mon 27 Jan 2014 07:56:01 AM CST, BMor wrote:

> malcolmlewis;2619566 Wrote:
>> Hi
>> And re-looking at this users spec file on the building, it would
>> appear that using the install.sh is not appropriate, or needs
>> modifying for openSUSE;
>> https://build.opensuse.org/package/view_file/home:deadpoint/ossec-hids/ossec.spec?expand=1
>>
>> In the above users repository, do you see anything untoward with it to
>> not use this build?
>
> I am sorry, but I do not understand your question. Specifically, I
> don’t know what you mean by “untoward.” You say the above user’s
> repository. Is there a repository available with OSSEC already on it?
>
> Nevertheless, I appreciate your help.

Hi
Well, it is for security, since you are installing a security intrusion
system, easiest way to install something is to get the user to do it
themselves with no verification (md5sum the source etc)…?

So I would imagine you would like to review what that
user has done before installing it on your system?

http://software.opensuse.org/package/ossec-hids download and install
the rpm (I would not use the 1-click).



The ossec-hids package in home:deadpoint, my repo, is incomplete and doesn’t work correctly if I’m not mistaken. I’ve been fine tuning the package in a private OBS instance and will push the fully working spec and sources out once it’s complete, which should be soon, and then hopefully to the server:monitoring repo ;-).

Hi
Excellent :-) Look forward to seeing it in a development repo…