ossec 2.2 ubuntu package
Written by Juzzy   
Wednesday, 23 December 2009 13:18

One of the problems with ossec is that it's a key-based security solution with multiple steps that have interactive pieces. I needed to roll this package out to all of our Ubuntu servers, so this is what I did:

1. The first thing you need to do is remove some of the prompting from the source. Edit the file ossec-hids-2.2/src/addagent/manage_keys.c

and comment out lines 91-94:

//                printf(ADD_CONFIRM);
//                fflush(stdout);

//                user_input = read_from_user();

and lines 114-115:

//                    printf(PRESS_ENTER);
//                    read_from_user();

2. Compile and install the package on an Ubuntu 8.04 server.

3. I used the script found at ossec-list to do a quick add using expect (it requires Perl modules; I could have hacked the source for this one as well, but this was quicker and easier for this article).

4. Create SSH keys for your ossec master server (ssh-keygen -t rsa -b 2048).

5. Create or append the new key's .pub into your authorized_keys file in the ~/.ssh directory.

6. Go to the server where you compiled and installed ossec and prep a directory for packaging:

mkdir /var/tmp/pkg-ossec/
cd /var/tmp/pkg-ossec/
mkdir -p etc/init.d var DEBIAN
cp -r /var/ossec var
cp /etc/ossec-init.conf etc
cp /etc/init.d/ossec etc/init.d/

cat > DEBIAN/control <<EOF
Package: ossec
Essential: yes
Priority: required
Section: base
Maintainer: Steve Wakham
Architecture: i386
Version: 2.2
Replaces: ossec (<= 2.2)
Description: Ossec Custom Package
EOF

7. Next we need to create a magic little script to do all of our heavy lifting:

Create the file DEBIAN/postinst (this file gets called once dpkg is done copying the files to /var and /etc):

#!/bin/sh
# if you need to useradd/groupadd ossec, do it here
# we use LDAP, so it's a known user on our systems

# fix ownership of the agent tree copied from the build host
chown -R root:ossec /var/ossec/
chown -R ossec /var/ossec/.ssh
chown -R ossec /var/ossec/queue/ossec /var/ossec/queue/rids
chown -R ossec /var/ossec/logs
chown -R ossec /var/ossec/logs/ossec.log
chown root:root /etc/init.d/ossec
chmod 755 /etc/init.d/ossec
/usr/sbin/update-rc.d ossec defaults

chown root:root /etc/ossec-init.conf
chmod 644 /etc/ossec-init.conf

# write the deploy key used to reach the master; the umask keeps it from
# ever being world-readable in the window between the cat and the chmod
umask 077
cat > /tmp/agent_id <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDaDaE8g11kVKlLue5vqJ+ETpeaiS+sN7euHrJFjO5OH3l3rHMR
kVKlLue5vqJ+ETpeaiS+sN7euHrJFjO5OH3l3rHMR
...
O2Fot16Ht1+5mFon1mtq6uUh7nfEtgAVcA+e8l5jDQ==
-----END RSA PRIVATE KEY-----
EOF

chmod 400 /tmp/agent_id
hostname=`hostname -f`
ip=`/sbin/ifconfig eth0 | grep 'inet addr' | sed 's/.*inet addr:\(.*\) Bcast.*/\1/'`
# ask the master to register this agent and hand back its key
# (StrictHostKeyChecking=no accepts whatever host key the master presents)
hash=`/usr/bin/ssh -o StrictHostKeyChecking=no -i /tmp/agent_id ossecmaster.domain.com "/root/ossec-mkclient.pl $hostname $ip"`
rm -f /tmp/agent_id

/var/ossec/bin/manage_agents -i "$hash"
/var/ossec/bin/ossec-control start

8. That's it. Build the package with dpkg -b pkg-ossec ossec-2.2-i386.deb (run from /var/tmp, the parent of pkg-ossec), and install it with dpkg -i ossec-2.2-i386.deb.
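As an added example that is not part of the original post, here is a small pre-build check for the packaging tree from steps 6 and 7. It lays out the same skeleton and control file, then refuses the build if the tree ships PEM private key material (the exposure acknowledged at the end of the post), if DEBIAN/control lacks fields dpkg needs, or if DEBIAN/postinst is not executable. The function names build_ossec_tree and lint_ossec_tree are hypothetical helpers.

```shell
#!/bin/sh
# Hypothetical helpers (not from the original post) for checking the
# /var/tmp/pkg-ossec tree before running dpkg -b.

# build_ossec_tree DIR ARCH VERSION: lay out the skeleton from step 6.
build_ossec_tree() {
    dir=$1; arch=$2; version=$3
    mkdir -p "$dir/etc/init.d" "$dir/var" "$dir/DEBIAN" || return 1
    cat > "$dir/DEBIAN/control" <<EOF
Package: ossec
Essential: yes
Priority: required
Section: base
Maintainer: Steve Wakham
Architecture: $arch
Version: $version
Replaces: ossec (<= $version)
Description: Ossec Custom Package
EOF
}

# lint_ossec_tree DIR: return 0 if the tree is safe to package, 1 otherwise.
lint_ossec_tree() {
    dir=$1; rc=0
    # control must carry the fields dpkg-deb insists on
    for field in Package Architecture Version Description; do
        grep -q "^$field:" "$dir/DEBIAN/control" 2>/dev/null ||
            { echo "control: missing $field" >&2; rc=1; }
    done
    # a postinst that is present but not executable is silently skipped
    if [ -e "$dir/DEBIAN/postinst" ] && [ ! -x "$dir/DEBIAN/postinst" ]; then
        echo "postinst is not executable" >&2; rc=1
    fi
    # any PEM private key anywhere in the tree (postinst included) fails the build
    if grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$dir" >/dev/null 2>&1; then
        echo "private key material found in package tree" >&2; rc=1
    fi
    return $rc
}
```

Run lint_ossec_tree against the tree right before dpkg -b; a non-zero exit means the .deb would carry a key or would not install cleanly.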

I know this can be a security problem, since it leaves keys inside of a package. There are a number of measures you can take to reduce the risk in this area: we created a special user, and when you log in you're dropped into a chrooted environment with only a manage-keys binary that's bound to the real one and suid'd to write to files the user cannot read. Worst case, yank your key once you deploy and just manually enter it from then on.

Last Updated on Tuesday, 04 May 2010 08:19