net-analyzer/ossec-hids keeps its configuration in /var/ossec/etc/, which is outside of the usual CONFIG_PROTECT directories. This means that when upgrading or re-installing the package, all user configuration, including the list of registered clients, is overwritten with default values. After being bitten by this, and restoring from backup, I added these values to make.conf: CONFIG_PROTECT="/var/ossec/etc/" CONFIG_PROTECT_MASK="/var/ossec/etc/shared/" which seem to suffice. Portage 2.3.62 (python 3.6.8-final-0, default/linux/amd64/17.1/hardened, gcc-8.3.0, glibc-2.29-r2, 4.14.102-gentoo x86_64) ================================================================= System Settings ================================================================= System uname: Linux-4.14.102-gentoo-x86_64-Intel-R-_Core-TM-_i7-6700K_CPU_@_4.00GHz-with-gentoo-2.6 KiB Mem: 65911040 total, 2163592 free KiB Swap: 33521660 total, 32483580 free Timestamp of repository gentoo: Mon, 15 Apr 2019 22:00:02 +0000 Head commit of repository gentoo: 990baa9260f72cad312523eb8f5f8089cdefcfc2 sh bash 5.0_p3-r1 ld GNU ld (Gentoo 2.30 p5) 2.30.0 app-shells/bash: 5.0_p3-r1::gentoo dev-lang/perl: 5.28.0-r1::gentoo dev-lang/python: 2.7.16::gentoo, 3.6.8::gentoo dev-util/pkgconfig: 0.29.2::gentoo sys-apps/baselayout: 2.6-r1::gentoo sys-apps/openrc: 0.41.2::gentoo sys-apps/sandbox: 2.17::gentoo sys-devel/autoconf: 2.69-r4::gentoo sys-devel/automake: 1.15.1-r2::gentoo, 1.16.1-r1::gentoo sys-devel/binutils: 2.30-r4::gentoo, 2.32::gentoo sys-devel/gcc: 8.3.0-r1::gentoo sys-devel/gcc-config: 2.0::gentoo sys-devel/libtool: 2.4.6-r5::gentoo sys-devel/make: 4.2.1-r4::gentoo sys-kernel/linux-headers: 5.0-r1::gentoo (virtual/os-headers) sys-libs/glibc: 2.29-r2::gentoo Repositories: gentoo location: /usr/portage sync-type: rsync sync-uri: rsync://rsync.gentoo.org/gentoo-portage priority: -1000 sync-rsync-verify-jobs: 1 sync-rsync-extra-opts: --timeout=10 --ipv6 sync-rsync-verify-metamanifest: yes sync-rsync-verify-max-age: 24 ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe -ggdb" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/ossec/etc/" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /var/ossec/etc/shared/" CXXFLAGS="-march=native -O2 -pipe -ggdb" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--alphabetical --keep-going --quiet-build=y --backtrack=30 --verbose-conflicts --usepkg --binpkg-respect-use=y --binpkg-changed-deps=y" ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://mirror.mdfnet.se/gentoo" LANG="sv_SE.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j8" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_EXTRA_OPTS="--timeout=10 --ipv6" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" USE="acl amd64 bzip2 crypt cxx hardened iconv idn ipv6 libtirpc multilib ncurses nls nptl openmp pam pcre pie readline seccomp ssl ssp unicode xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="en en-US en-GB sv" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-1" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" RUBY_TARGETS="ruby24" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS ================================================================= Package Settings ================================================================= net-analyzer/ossec-hids-3.2.0::gentoo was built with the following: USE="-agent -hybrid -local -mysql -postgres server -sqlite" ABI_X86="(64)"
Due to a limitation in Bugzilla (https://bugs.gentoo.org/660848) I cannot change the status of this bug to IN_PROGRESS, but the linked pull request should solve the config protection issue.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1701ae5fff85bd7e8b6eb84c7e0fbac3a2cadd11 commit 1701ae5fff85bd7e8b6eb84c7e0fbac3a2cadd11 Author: Ralph Seichter <github@seichter.de> AuthorDate: 2019-04-17 17:35:38 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-04-27 14:25:52 +0000 net-analyzer/ossec-hids: Fix config data getting overwritten Create an env.d file containing CONFIG_PROTECT="/var/ossec/etc" to prevent existing config data from being overwritten by the ebuild. Closes: https://bugs.gentoo.org/683448 Signed-off-by: Ralph Seichter <gentoo@seichter.de> Package-Manager: Portage-2.3.62, Repoman-2.3.11 Closes: https://github.com/gentoo/gentoo/pull/11724 Signed-off-by: Michał Górny <mgorny@gentoo.org> net-analyzer/ossec-hids/ossec-hids-3.2.0-r1.ebuild | 64 ++++++++++++++++++++++ 1 file changed, 64 insertions(+)
