From OSSEC Wiki
Beta Testing
Beta Testing goals
The goals of beta testing and QA (quality assurance) are the following:
- Make sure that everything that was working on previous versions still works on the new one.
- Make sure your local rules still work and that OSSEC can still parse all your logs.
- Make sure that all the new features work as expected.
- Make sure that the upgrade process still works on all platforms.
- Make sure it compiles fine on all platforms and operating systems. Try it on Solaris, NetBSD, FreeBSD, AIX, HP-UX, and any Linux distribution that you have.
- On Windows, make sure there are no false positives from our new Windows policy violation checks.
v1.5 New features
As with every version of OSSEC, v1.5 is full of new features/bug fixes. Some of them are:
- Support for Solaris BSM auditing, Asterisk, Checkpoint and Shorewall logs was added.
- Added agent_control binary to the server side (to get information from agent).
- Added ability to execute syscheck/rootcheck outside of the normal frequency (see agent_control).
- Added support for DJB multilog.
- Added "scan_time" and "scan_day" to syscheck config to be used instead of the frequency.
- Added multiple checks looking for web exploits. Based on research at: http://www.ossec.net/wiki/index.php/WebAttacks_links
Beta 1 is completed. A few changes were made to the Unix version for Beta 2.
Beta Testing v1.5 - Part 2
Please note: the Beta 2 period is from April 19 (Saturday), 2008 to April 24 (Thursday), 2008.
- Download Unix: http://www.ossec.net/files/snapshots/ossec-hids-080423.tar.gz
- Download Windows: http://www.ossec.net/files/snapshots/ossec-win32-080412.exe
Notes for testers:
- Please put any errors in red.
- Create as many entries as you want, one per type or per hardware.
- Also, let us know of all the log formats that you know are working (that you tested).
Beta v1.5 Table
| Operating System | Compiler | Type | Who | Compiled OK? | Alerts generated? | Init script created? | Updated? | Logs used |
|---|---|---|---|---|---|---|---|---|
| OpenBSD 3.9 | gcc 3.5.5 | Server | Daniel Cid | YES | YES | YES | YES - from 1.4 | sshd, su, sudo, squid |
| OpenBSD 4.0 | gcc XX | X | <your name> | ? | ? | ? | | |
| MacOS 10.5.2 i386 | gcc 4.0.1 | Local | John Ives | Yes | Yes | Already Existed | Yes from 1.4 | sshd, su, sudo |
| MacOS 10.5.2 i386 | gcc 4.0.1 | Local | John Ives | Yes | No | No | No | |
| MacOS 10.4.10 i386 | gcc 4.0.1 | Local | John Ives | Yes | Yes | Already Existed | Yes from 1.4 | sshd, su, sudo, snort |
| MacOS 10.4.10 i386 | gcc 4.0.1 | Local | John Ives | Yes | Yes | No | No | sshd, su, sudo, snort |
| MacOS X ppc | gcc XX | X | <your name> | ? | ? | ? | | |
| Solaris 10 i386 | gcc XX | X | <your name> | ? | ? | ? | | |
| Solaris X sparc | gcc XX | X | <your name> | ? | ? | ? | | |
| FreeBSD X | gcc XX | X | <your name> | ? | ? | ? | | |
| FreeBSD 7.0 | gcc 4.2.1 | Server | John Ives | Yes | Yes | No | No | sshd, sudo, su |
| FreeBSD 7.0 | gcc 4.2.1 | Client | John Ives | Yes | Yes | Yes | Yes from 1.4 | sshd, sudo, su |
| FreeBSD 6.2 | gcc 3.4.6 | Client | John Ives | Yes | Yes | Yes | Yes from 1.4 | sshd, sudo, su |
| NetBSD Y | gcc XX | X | <your name> | ? | ? | ? | | |
| HP-UX | gcc XX | X | <your name> | ? | ? | ? | | |
| AIX | gcc XX | X | <your name> | ? | ? | ? | | |
| Windows XP Home SP1 | [not needed] | Agent | Daniel Cid | [not needed] | YES | YES | YES | Tested only some basic event logs (auth, etc.) |
| Windows 2000 | [not needed] | X | <your name> | [not needed] | ? | ? | | |
| smeserver 7.3 (CentOS 4.3) | gcc 3.4.6-9 | Server | John Lewis | YES | YES | ? | YES from 1.4 | syslog, apache, djb-multilog |
| Any system A | gcc XX | X | <your name> | ? | ? | ? | | |
| Any system B | gcc XX | X | <your name> | ? | ? | ? | | |
Beta1 v1.5 comments
Apr 10, 2008 (Daniel Cid): Post your comments in here, including what/how you tested if you wish not to use the tables above.
Apr 14, 2008 (John Ives): The /etc/ossec-init.conf file was created on FreeBSD; however, nothing was added to /etc/rc.conf, /etc/rc.d/ or /usr/local/etc/rc.d that would have invoked ossec.
Apr 16, 2008 (Daniel Cid): Hey, we add ossec at /etc/rc.local, which used to work with FreeBSD... When you restart the box, does ossec come up?
Apr 16, 2008 (John Ives): It doesn't come up and I think I found the problem:
    > cat /etc/rc.local
    #echo "Starting OSSEC HIDS"
    #/var/ossec/bin/ossec-control start
Uncommenting the lines caused ossec to start automatically.
Apr 15, 2008 (John Ives): On the Mac OS 10.4.10 box, after a clean install, OSSEC did not start after a boot. I put in the script I have used in the past and it did work out. One thing I did notice, when I initiated a reboot from the command line (while restarting to test the start-up script), is that, as it was shutting down, it looked like it was trying to start OSSEC. It went by so fast I couldn't be sure, but it may be that wherever it is trying to launch from runs after something that doesn't stop until shutdown.
Apr 16, 2008 (Daniel Cid): Can you share your script? I would like to make sure it is all working fine :)
Apr 16, 2008 (John Ives): Usually, I just copy a tar file around that contains the proper files. I wrote a quick and dirty shell script to create the files and emailed it to you.
Apr 15, 2008 (John Ives): On the Mac OS 10.5.2 box, after a clean install, the startup script was not created. Additionally, the ossec group was not created, which resulted in the following when trying to run:
    Starting OSSEC HIDS v1.5 (by Daniel B. Cid)...
    2008/04/15 17:16:05 ossec-maild(1203): ERROR: Invalid user 'ossecm' or group 'ossec' given.
    ossec-maild: Configuration error. Exiting
(the ossecm account does exist)
Apr 16, 2008 (Daniel Cid): Hi John, thanks for all the testing... So, the way we check if the box is 10.5 is by running:
    # /usr/bin/sw_vers 2>/dev/null| grep "ProductVersion" | grep "10.5." > /dev/null 2>&1 ; echo $?
where the output is 0 for 10.5... If that works, we run the script inside src/init/osx105-addusers.sh. Can you try to run it manually to see if the users/group are created?
Apr 16, 2008 (John Ives): It appears the problem may have been on my end. I believe when I tried to remove the previous 1.4 install to do a fresh one the ossec group did not come out correctly. A system rebuild and I was able to install it without a problem, though I did need to use the script I sent to create the startup script. As an aside, the osx105-addusers.sh uses predefined UIDs which could cause problems on heavily used systems. At the very least I would change the UIDs to higher numbers.
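The last comment above points out that creating the ossec/ossecm/ossecr accounts with hard-coded ids can collide with accounts that already exist on a busy system. The following is an added example, not OSSEC's own osx105-addusers.sh: it scans a passwd- or group-format file (assumed layout `name:x:id:...`, id in field 3) and picks the first id at or above a starting value that is not already taken, so an installer can reserve an unused id instead of assuming one. The sample file and its account names are constructed for the demo.

```shell
# Return 0 if numeric id $2 is already present in field 3 of file $1.
id_in_use() {
    cut -d: -f3 "$1" | grep -qx "$2"
}

# Print the first id >= $2 that is not in use in file $1.
# Usage: first_free_id <passwd-or-group-file> <start_id>
first_free_id() {
    file="$1"
    id="$2"
    while id_in_use "$file" "$id"; do
        id=$((id + 1))
    done
    printf '%s\n' "$id"
}

# Write a constructed passwd-style file for a stand-alone run and print
# its path. Ids 0, 500, 501 and 502 are deliberately occupied.
make_sample_passwd() {
    f="${TMPDIR:-/tmp}/ossec_uid_demo.$$"
    cat > "$f" <<'EOF'
root:x:0:0:root:/:/bin/sh
ossec:x:500:500:ossec user:/var/ossec:/sbin/nologin
ossecm:x:501:500:ossec mail:/var/ossec:/sbin/nologin
localuser:x:502:502:existing local account:/home/localuser:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Demo: a hard-coded 500 would collide; the scan yields 503 instead.
sample=$(make_sample_passwd)
echo "first free id at or above 500: $(first_free_id "$sample" 500)"
rm -f "$sample"
```

On a real install you would run `first_free_id` against the live account database (for example `/etc/passwd` and `/etc/group`, or the output of the platform's directory tool on OS X) before creating each account.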