[ossec-list] Re: Integrity Checking Not Working <-- BREAKTHROUGH ;-)
Perhaps you're running them as different users and it's a permissions
problem?
Erik Delfgaauw wrote:
> Hi folks,
>
> I have found out that when I do:
>
> apache@<host>:/var/www/website/ossec-wui> php index.php f=i
>
> ...I get a correct output with an "Agent name" picklist containing all
> the agents, plus the Integrity Check information displayed below.
>
> However, when I go to:
>
> http://<host>/ossec-wui/index.php?f=i
>
> ...I get an incorrect output with an empty "Agent name" picklist (or
> merely containing ossec-server), and no Integrity Check information is
> displayed.
>
> So, apparently OSSEC-WUI is working fine, but somehow it goes wrong
> between Apache and PHP.
>
> We have tried PHP debugging, but apparently it's not that there are any
> errors occurring, it is just not working properly ;-)
>
> Does anybody have any idea or hint on where to look regarding this
> strange behavior? A PHP script that returns different information when
> launched on the command line than when launched through Apache web
> server, without returning errors?
>
> Thanks in advance !
>
> E.
>
>
> 2007/5/30, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx>:
>
> Hi Daniel,
>
> Verified once more, the web user is apache, and it has definitely
> access to the OSSEC-WUI tmp directory.
>
> In a different environment which IS working, in the OSSEC-WUI tmp
> directory, I see a file called output-tmp-<some-id>.php, and this
> file does not exist in the NOT working environment.
>
> How to proceed, where else can I look? Can it also be an Apache
> setting that is causing the problem?
>
> E.
>
> 2007/5/28, Daniel Cid <daniel.cid@xxxxxxxxx>:
>
> Hi Erik,
>
> Yes, I mean the ossec-wui tmp directory :) sorry for not being specific. Also,
> make sure to restart apache, otherwise the group permissions will not apply.
>
> Let me know how it goes :)
>
> Thanks,
>
> Daniel
>
> On 5/27/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> > Hi Daniel,
> >
> > I guess you mean the OSSEC-WUI tmp directory right? Just to be 100% sure,
> > because there's also a /tmp and a /var/ossec/tmp.
> >
> > I will verify once more, gotta admit that it already makes me feel stupid
> > now, if this is the case ;-)
> >
> > Thanks, will get back to you this Tuesday !
> >
> > E.
> >
> > 2007/5/27, Daniel Cid <daniel.cid@xxxxxxxxx>:
> > > Hi Erik,
> > >
> > > Can you make sure that your web server is really running as user "www"?
> > > Probably a ps auwx |grep http will show you that. It looks like to me that
> > > php can't write to the tmp directory...
> > >
> > > daniel
> > >
> > > On 5/25/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> > > > Hi Daniel,
> > > >
> > > > /var/ossec/queue/syscheck/ contains a bunch of files with a naming scheme
> > > > like:
> > > >
> > > > (<host>) <ip>->syscheck
> > > > .(<host>) <ip>->syscheck.cpt
> > > >
> > > > There is a couple for each agent, plus there's:
> > > >
> > > > syscheck
> > > > .syscheck.cpt
> > > >
> > > > I have executed every single step from the OSSEC WUI install guide, the only
> > > > thing about permissions was regarding the ossec-wui/tmp/ directory (chmod
> > > > 770/chgrp www), there are no errors in the web server log, and I have just
> > > > found out that Stats isn't working too, and ONLY real time search is
> > > > working.
> > > >
> > > > So, very likely a permission problem :-)
> > > >
> > > > What OSSEC HIDS files / directories are required for the OSSEC-WUI Integrity
> > > > Check, Stats and Search functionality?
> > > >
> > > > Thanks,
> > > >
> > > > E.
> > > >
> > > >
> > > > 2007/5/22, Daniel Cid <daniel.cid@xxxxxxxxx>:
> > > > > Hi Erik,
> > > > >
> > > > > We first need to determine where the problem is (agent/server connection
> > > > > or at the ui).
> > > > >
> > > > > -Did you follow all the steps from the installation guide? If the
> > > > > permissions are wrong, it will not work properly. In addition to that,
> > > > > did you add your apache user name to the ossec group and restarted apache?
> > > > >
> > > > > -Do you have any file at /var/ossec/queue/syscheck ? Can you show what is
> > > > > in there to us?
> > > > >
> > > > > -Is there any errors at the apache error log? At the ossec log (both
> > > > > server and agent side)?
> > > > >
> > > > >
> > > > > With that information we can start troubleshooting :)
> > > > >
> > > > > thanks,
> > > > >
> > > > > --
> > > > > Daniel B. Cid
> > > > > dcid ( at ) ossec.net
> > > > >
> > > > >
> > > > >
> > > > > On 5/11/07, Erik Delfgaauw <erik.delfgaauw@xxxxxxxxx> wrote:
> > > > > > Hi folks,
> > > > > >
> > > > > > The Main screen of the OSSEC WUI shows "ossec-server" plus 4 agents. The
> > > > > > ossec-server is receiving information from the agents correctly, BUT:
> > > > > >
> > > > > > The Integrity checking screen shows:
> > > > > >
> > > > > > "No integrity checking information available.
> > > > > > Nothing reported as changed."
> > > > > >
> > > > > > The Agent name pick list only contains "ossec-server" and clicking the
> > > > > > Dump database button doesn't have any result but a quick reload of the
> > > > > > page.
> > > > > >
> > > > > > OSSEC (1.1) + WUI (0.2) are running on RHEL ES 4.4. Port 1514 is reachable
> > > > > > for the agents.
> > > > > >
> > > > > > Syscheckd is running on all agents.
> > > > > >
> > > > > > I'm very curious to what the problem can be, and especially to what would be
> > > > > > the best way to troubleshoot this.
> > > > > >
> > > > > > Many thanks in advance !
> > > > > >
> > > > > > Erik
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>
>
>
--
Brad Lhotsky <lhotskyb@xxxxxxxxxxxx>
NCTS Computer Specialist Phone: 410.558.8006
"Darkness is a state of mind, I can go where you would stumble."
-Wolfsheim, 'Blind'
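
Added example (not part of the thread and not OSSEC or OSSEC-WUI code): one way to test the permissions hypothesis raised in this thread is to check which credentials the running web server process actually holds, since the thread notes that group changes only apply after Apache is restarted. It assumes Linux /proc, ignores root's override and ACLs, and the uid/gid numbers in the sample are constructed.

```shell
#!/bin/sh
# Reads the credentials a process really runs with from a /proc/<pid>/status
# file, rather than what the group database says today.

# Effective UID of the process described by status file $1.
proc_euid() { awk '/^Uid:/ { print $3 }' "$1"; }

# Effective GID plus supplementary groups, one numeric GID per line.
proc_gids() {
    awk '/^Gid:/    { print $3 }
         /^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -un
}

# dir_access STATUS OWNER_UID OWNER_GID MODE
# Prints "allow" or "deny" for read+search on a directory, using the POSIX
# rule that exactly one class (owner, else group, else other) is consulted.
dir_access() {
    mode=$(printf '%s' "$4" | tail -c 3)      # last three octal digits
    if [ "$(proc_euid "$1")" = "$2" ]; then
        bits=${mode%??}                       # owner digit
    elif proc_gids "$1" | grep -qx "$3"; then
        bits=${mode#?}; bits=${bits%?}        # group digit
    else
        bits=${mode#??}                       # other digit
    fi
    if [ $(( bits & 5 )) -eq 5 ]; then echo allow; else echo deny; fi
}

# Constructed sample: an httpd child running as uid/gid 48 and holding only
# its own group (numbers are made up for illustration).
sample_status() {
    printf 'Name:\thttpd\nUid:\t48\t48\t48\t48\nGid:\t48\t48\t48\t48\nGroups:\t48\n'
}

# Live use: sh check.sh <pid> <directory>   (needs GNU stat)
if [ "$#" -eq 2 ]; then
    set -- "$1" "$2" $(stat -c '%u %g %a' "$2")
    echo "pid $1 on $2: $(dir_access "/proc/$1/status" "$3" "$4" "$5")"
fi
```

Running it against an httpd child's pid and then against a fresh shell of the same user shows whether the two hold different group sets for directories such as /var/ossec/queue/syscheck or the ossec-wui tmp directory.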
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.