author | Armin Kuster <akuster808@gmail.com> | 2023-06-26 13:06:17 -0400 |
committer | Armin Kuster <akuster808@gmail.com> | 2023-07-31 06:18:52 -0400 |
commit | 3d2533f329b43f281d63b99d3251d0f361e0e5de (patch) | |
tree | 3cb470c08188f5004cd9dbf135bf45ec19363f59 | |
parent | 7840dd1b53fd735d69a8aefe1c0e9c87fa896e72 (diff) | |
ossec-hids: Fix usermod
Use built in USERMOD to set uid and gid properly.
convert to using OSSEC_DIR instead of DIR
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | recipes-ids/ossec/ossec-hids_3.7.0.bb | 111 |
1 files changed, 58 insertions, 53 deletions
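--- a/recipes-ids/ossec/ossec-hids_3.7.0.bb
+++ b/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -17,11 +17,19 @@ inherit autotools-brokensep useradd
 
 S = "${WORKDIR}/git"
 
+
+OSSEC_DIR="/var/ossec"
 OSSEC_UID ?= "ossec"
 OSSEC_RUID ?= "ossecr"
 OSSEC_GID ?= "ossec"
 OSSEC_EMAIL ?= "ossecm"
 
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${OSSEC_UID}"
+USERADD_PARAM:${PN} = "--system -g ${OSSEC_GID} --home-dir \
+${OSSEC_DIR} --no-create-home \
+--shell /sbin/nologin ${BPN}"
+
 do_configure[noexec] = "1"
 
 do_compile() {
@@ -45,78 +53,75 @@ do_install(){
 }
 
 pkg_postinst_ontarget:${PN} () {
-DIR="/var/ossec"
-
-usermod -g ossec -G ossec -a root
 
 # Default for all directories
-chmod -R 550 ${DIR}
-chown -R root:${OSSEC_GID} ${DIR}
+chmod -R 550 ${OSSEC_DIR}
+chown -R root:${OSSEC_GID} ${OSSEC_DIR}
 
 # To the ossec queue (default for agentd to read)
-chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/ossec
-chmod -R 770 ${DIR}/queue/ossec
+chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/queue/ossec
+chmod -R 770 ${OSSEC_DIR}/queue/ossec
 
 # For the logging user
-chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs
-chmod -R 750 ${DIR}/logs
-chmod -R 775 ${DIR}/queue/rids
-touch ${DIR}/logs/ossec.log
-chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs/ossec.log
-chmod 664 ${DIR}/logs/ossec.log
+chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/logs
+chmod -R 750 ${OSSEC_DIR}/logs
+chmod -R 775 ${OSSEC_DIR}/queue/rids
+touch ${OSSEC_DIR}/logs/ossec.log
+chown ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/logs/ossec.log
+chmod 664 ${OSSEC_DIR}/logs/ossec.log
 
-chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/diff
-chmod -R 750 ${DIR}/queue/diff
-chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true
+chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/queue/diff
+chmod -R 750 ${OSSEC_DIR}/queue/diff
+chmod 740 ${OSSEC_DIR}/queue/diff/* > /dev/null 2>&1 || true
 
 # For the etc dir
-chmod 550 ${DIR}/etc
-chown -R root:${OSSEC_GID} ${DIR}/etc
+chmod 550 ${OSSEC_DIR}/etc
+chown -R root:${OSSEC_GID} ${OSSEC_DIR}/etc
 if [ -f /etc/localtime ]; then
-cp -pL /etc/localtime ${DIR}/etc/;
-chmod 555 ${DIR}/etc/localtime
-chown root:${OSSEC_GID} ${DIR}/etc/localtime
+cp -pL /etc/localtime ${OSSEC_DIR}/etc/;
+chmod 555 ${OSSEC_DIR}/etc/localtime
+chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/localtime
 fi
 
 if [ -f /etc/TIMEZONE ]; then
-cp -p /etc/TIMEZONE ${DIR}/etc/;
-chmod 555 ${DIR}/etc/TIMEZONE
+cp -p /etc/TIMEZONE ${OSSEC_DIR}/etc/;
+chmod 555 ${OSSEC_DIR}/etc/TIMEZONE
 fi
 
 # More files
-chown root:${OSSEC_GID} ${DIR}/etc/internal_options.conf
-chown root:${OSSEC_GID} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
-chown root:${OSSEC_GID} ${DIR}/etc/client.keys >/dev/null 2>&1 || true
-chown root:${OSSEC_GID} ${DIR}/agentless/*
-chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/.ssh
-chown root:${OSSEC_GID} ${DIR}/etc/shared/*
+chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/internal_options.conf
+chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/client.keys >/dev/null 2>&1 || true
+chown root:${OSSEC_GID} ${OSSEC_DIR}/agentless/*
+chown ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/.ssh
+chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/shared/*
 
-chmod 550 ${DIR}/etc
-chmod 440 ${DIR}/etc/internal_options.conf
-chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
-chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true
-chmod 550 ${DIR}/agentless/*
-chmod 700 ${DIR}/.ssh
-chmod 770 ${DIR}/etc/shared
-chmod 660 ${DIR}/etc/shared/*
+chmod 550 ${OSSEC_DIR}/etc
+chmod 440 ${OSSEC_DIR}/etc/internal_options.conf
+chmod 660 ${OSSEC_DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+chmod 440 ${OSSEC_DIR}/etc/client.keys >/dev/null 2>&1 || true
+chmod 550 ${OSSEC_DIR}/agentless/*
+chmod 700 ${OSSEC_DIR}/.ssh
+chmod 770 ${OSSEC_DIR}/etc/shared
+chmod 660 ${OSSEC_DIR}/etc/shared/*
 
 # For the /var/run
-chmod 770 ${DIR}/var/run
-chown root:${OSSEC_GID} ${DIR}/var/run
+chmod 770 ${OSSEC_DIR}/var/run
+chown root:${OSSEC_GID} ${OSSEC_DIR}/var/run
 
 # For util.sh
-chown root:${OSSEC_GID} ${DIR}/bin/util.sh
-chmod +x ${DIR}/bin/util.sh
+chown root:${OSSEC_GID} ${OSSEC_DIR}/bin/util.sh
+chmod +x ${OSSEC_DIR}/bin/util.sh
 
 # For binaries and active response
-chmod 755 ${DIR}/active-response/bin/*
-chown root:${OSSEC_GID} ${DIR}/active-response/bin/*
-chown root:${OSSEC_GID} ${DIR}/bin/*
-chmod 550 ${DIR}/bin/*
+chmod 755 ${OSSEC_DIR}/active-response/bin/*
+chown root:${OSSEC_GID} ${OSSEC_DIR}/active-response/bin/*
+chown root:${OSSEC_GID} ${OSSEC_DIR}/bin/*
+chmod 550 ${OSSEC_DIR}/bin/*
 
 # For ossec.conf
-chown root:${OSSEC_GID} ${DIR}/etc/ossec.conf
-chmod 660 ${DIR}/etc/ossec.conf
+chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/ossec.conf
+chmod 660 ${OSSEC_DIR}/etc/ossec.conf
 
 # Debconf
 . /usr/share/debconf/confmodule
@@ -126,23 +131,23 @@ pkg_postinst_ontarget:${PN} () {
 db_get ossec-hids-agent/server-ip
 SERVER_IP=$RET
 
-sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf
+sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${OSSEC_DIR}/etc/ossec.conf
 db_stop
 
 # ossec-init.conf
-if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
+if [ -e ${OSSEC_DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
 if [ -e /etc/ossec-init.conf ]; then
 rm -f /etc/ossec-init.conf
 fi
-ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf
+ln -s ${OSSEC_DIR}/etc/ossec-init.conf /etc/ossec-init.conf
 fi
 
 # init.d/ossec file
-if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
+if [ -x ${OSSEC_DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
 if [ -e /etc/init.d/ossec ]; then
 rm -f /etc/init.d/ossec
 fi
-ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec
+ln -s ${OSSEC_DIR}/etc/init.d/ossec /etc/init.d/ossec
 fi
 
 # Service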
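Review bot: The account the new USERADD_PARAM creates is named `${BPN}` (ossec-hids), but the ownership pkg_postinst_ontarget applies to queue/ossec, logs, queue/diff and .ssh is `${OSSEC_UUID}:${OSSEC_GID}`, and `OSSEC_UUID` is never set in this recipe (the variable defined above is `OSSEC_UID`), so as far as I can tell those `chown -R` lines run as `chown -R :ossec` on first boot, the directories stay root-owned, and no `ossec` user ever exists for the daemons to drop to. I would create the account the rest of the recipe expects, `USERADD_PARAM:${PN} = "--system -g ${OSSEC_GID} --home-dir ${OSSEC_DIR} --no-create-home --shell /sbin/nologin ${OSSEC_UID}"`, and replace the five `${OSSEC_UUID}` references in the postinst with `${OSSEC_UID}`. GROUPADD_PARAM should likewise take `${OSSEC_GID}` rather than `${OSSEC_UID}`, so that an override of OSSEC_GID still produces a group that `useradd -g ${OSSEC_GID}` can resolve. OSSEC_RUID and OSSEC_EMAIL are declared but no account is added for them; whether the agent build needs those users I cannot confirm from this diff, but it is worth a comment either way. pkg_postinst_ontarget:${PN} opens in the second hunk and its body continues past the end of the third.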