
[ossec-list] Re: syscheck stand alone



Hi Cid,
thanks for the suggestion
I am trying to run as a different user with ./ossec-control start but I get the following:
 
 
Starting OSSEC HIDS v0.9-3 (by Daniel B. Cid)...
cat: cannot open /export/home/OSSEC/var/start-script-lock/pid
cat: cannot open /export/home/OSSEC/var/start-script-lock/pid
cat: cannot open /export/home/OSSEC/var/start-script-lock/pid
cat: cannot open /export/home/OSSEC/var/start-script-lock/pid
cat: cannot open /export/home/OSSEC/var/start-script-lock/pid
./ossec-control: /export/home/OSSEC/var/start-script-lock/pid: cannot create

the user that is starting the ossec-control is the owner of the folder and all subfolders and files.
any ideas?
 
thanks again
andreas
Daniel Cid <daniel.cid@xxxxxxxxx> wrote:

Hi Andreas,

You will see that the "main" ossec processes (analysisd, maild and remoted) run
as separate users (ossec, ossecm and ossecr) under a chroot jail. However,
we cannot chroot syscheck, execd and logcollector, and they also need to run
as root (to execute commands, scan the system, etc). To have them running
as different users you need to start them as a non-root user and make sure they
have all the right accesses they need (logcollector to read the files,
syscheck to scan the directories, etc). We could probably add a privilege
separation option for these processes to make things easier, but currently
there is no way of doing it easily...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net


On 11/17/06, Andreas Chatzakis wrote:
> Hi all,
> following my previous email about running OSSEC with a different user than
> root:
>
> I have done some more investigation.
> I have changed the owner of all OSSEC files and altered folder permissions so
> that my ossec user could create the PID file, but still I get the following
> processes, where some are still running as root:
>
> ossec 19187 1 0 18:01:36 ? 0:00
> /export/home/OSSEC2/bin/ossec-monitord
> ossec 19175 1 1 18:01:35 ? 0:03
> /export/home/OSSEC2/bin/ossec-analysisd
> root 19219 17113 0 18:07:42 pts/40 0:00 grep OSSEC
> root 19179 1 0 18:01:35 ? 0:00
> /export/home/OSSEC2/bin/ossec-logcollector
> ossecm 19167 1 0 18:01:35 ? 0:00
> /export/home/OSSEC2/bin/ossec-maild
> root 19171 1 0 18:01:35 ? 0:00
> /export/home/OSSEC2/bin/ossec-execd
> root 19183 1 0 18:01:36 ? 0:05
> /export/home/OSSEC2/bin/ossec-syscheckd
>
> This (running OSSEC as root) would not be accepted by our service provider.
> Is there any workaround?
>
> thanks in advance
> andreas
>
> Andreas Chatzakis wrote:
>
>
> Hi Cid,
> thanks for your help and for developing such a great tool.
>
> The cron job might indeed be an option (although I guess there is no way to
> be 100% sure the process had enough time to finish all the checks)
>
> Does OSSEC always have to run as root? Or will it be sufficient to create a
> user:group with read access to the target folders?
>
> thanks
> Andreas
>
> Daniel Cid wrote:
>
> Hi Andreas,
>
> Unfortunately, you can't. Syscheck used to be available as a separate
> package, but I removed this option a few versions ago because no one was
> using it. It was only giving us more work, because we always had to make
> sure that the standalone version was working correctly...
>
> You can work around that by only enabling syscheck on ossec (and
> disabling everything else) and having a cron job to start it every night and
> stop it 30 minutes later (to give enough time to scan)... Not really
> what you wanted, but it may help.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 11/16/06, Andreas Chatzakis wrote:
> > Hi all,
> > I was wondering,
> >
> > is syscheck available standalone? I don't need any of the other functions
> > and syscheck is a great tool and so easy to configure.
> >
> > does it always need to run as root? Or can I configure it to run as a
> > different user?
> >
> > And one more question. Instead of having it running all the time as a
> > process, could I schedule it or call it from another software and have its
> > results in the logs or via email?
> >
> > thanks in advance
> > Andreas
> >
> >
> >
>
>
>
>

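A check a defender would want after reading Daniel's description of which OSSEC daemons run as which user, as an added example that is not from the list or the OSSEC project: parse a `ps -ef` listing (the constructed sample is the one Andreas quoted, re-joined to one process per line) and flag any daemon whose owner differs from what the thread leads you to expect. The expected-user table for monitord and the "missing" report are assumptions drawn from the quoted listing, not something the thread states.

```python
import os

# Expected owner per daemon: analysisd/maild/remoted per Daniel's description
# (ossec, ossecm, ossecr), monitord per the quoted listing, and root for the
# three non-chrooted daemons (assumption: the install is started as root).
EXPECTED_USERS = {
    "ossec-analysisd": "ossec",
    "ossec-maild": "ossecm",
    "ossec-remoted": "ossecr",
    "ossec-monitord": "ossec",
    "ossec-syscheckd": "root",
    "ossec-logcollector": "root",
    "ossec-execd": "root",
}

# Constructed sample: the ps listing quoted in the thread, one process per line.
SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
ossec 19187 1 0 18:01:36 ? 0:00 /export/home/OSSEC2/bin/ossec-monitord
ossec 19175 1 1 18:01:35 ? 0:03 /export/home/OSSEC2/bin/ossec-analysisd
root 19219 17113 0 18:07:42 pts/40 0:00 grep OSSEC
root 19179 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-logcollector
ossecm 19167 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-maild
root 19171 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-execd
root 19183 1 0 18:01:36 ? 0:05 /export/home/OSSEC2/bin/ossec-syscheckd
"""

def parse_ps(ps_text):
    """Parse `ps -ef` lines (UID PID PPID C STIME TTY TIME CMD) into (user, pid, cmd)."""
    procs = []
    for line in ps_text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header or malformed line
        procs.append((fields[0], int(fields[1]), fields[7]))
    return procs

def audit_ossec(ps_text, expected=EXPECTED_USERS):
    """Flag daemons owned by the wrong user and list expected daemons not running."""
    seen, mismatch = set(), []
    for user, pid, cmd in parse_ps(ps_text):
        name = os.path.basename(cmd.split()[0])  # strip the install path
        if name not in expected:
            continue  # e.g. the "grep OSSEC" line itself
        seen.add(name)
        if user != expected[name]:
            mismatch.append((name, pid, user, expected[name]))
    return {"mismatch": mismatch, "missing": sorted(set(expected) - seen)}
```

On a local-only install remoted is not started, so it shows up under "missing"; feed the function the real `ps -ef` output to check a live host.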



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.