
[ossec-list] Re: Permissions and ownership of /etc/hosts.deny

I'm also new to OSSEC but I'll try to answer this question.  If you
set up active response, then user/group ossec needs to be able to write
to hosts.deny, so I would expect

664 root:ossec

With that said I checked my install which has active response enabled
and my hosts.deny has the following:

644 root:ossec

You definitely don't want 666 which is why ossec alerted you.

Hope that helps.

-Dale
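The check that produced the alert above, and the one fix both messages in this thread agree on, as an added shell example (it is not OSSEC's own rootcheck code and not part of either poster's message). It assumes a Linux host with GNU coreutils (`stat -c`), and it deliberately leaves ownership alone, because the thread does not settle root:root versus root:ossec; it only clears the other-write bit that turned 0664 or 0644 into the 0666 Drew found.

```sh
#!/bin/sh
# Added example, not from the OSSEC project or the thread's authors:
# reproduce the condition behind the "has written permissions to anyone"
# rootcheck message and apply the minimal fix (drop the other-write bit).
# Assumption: GNU coreutils 'stat -c' (Linux). Ownership is left unchanged.

# mode_is_world_writable MODE
# MODE is an octal string as printed by stat (e.g. 666, 0666, 644). The final
# octal digit holds the "other" bits; the write bit (2) is set in 2, 3, 6, 7.
mode_is_world_writable() {
    _mode=$1
    _other=${_mode#"${_mode%?}"}      # keep only the last character
    case $_other in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# hosts_deny_status PATH
# Prints WORLD_WRITABLE (exit 1) when the file would trip the rootcheck
# message quoted in the thread, otherwise OK (exit 0); exit 2 if stat fails.
hosts_deny_status() {
    _mode=$(stat -c '%a' "$1") || return 2
    if mode_is_world_writable "$_mode"; then
        echo WORLD_WRITABLE
        return 1
    fi
    echo OK
    return 0
}

# hosts_deny_fix PATH
# Clear only the other-write bit: 0666 becomes 0664, 0646 becomes 0644, and a
# file that is already 0644 or 0664 is left untouched. No chown is done.
hosts_deny_fix() {
    chmod o-w "$1"
}

# describe PATH
# One line in the shape of the thread's "664 root:ossec" notes, plus status.
describe() {
    echo "$(stat -c '%a %U:%G' "$1") -> $(hosts_deny_status "$1" || true)"
}

# Demo on a constructed temporary file rather than the real /etc/hosts.deny,
# so the script can be run by an unprivileged user without touching the host.
main() {
    _tmp=$(mktemp) || exit 1
    chmod 666 "$_tmp"          # the state Drew found on his server
    describe "$_tmp"           # reports WORLD_WRITABLE
    hosts_deny_fix "$_tmp"
    describe "$_tmp"           # mode is now 664 and status is OK
    rm -f "$_tmp"
}

main
```

To check the real file, run `hosts_deny_status /etc/hosts.deny` and `describe /etc/hosts.deny`; the fix needs to be run as root and only changes the permission bits, so whether the group should be root or ossec is still a decision for the administrator.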

On 5/2/07, Drew Myers <drew.myers@xxxxxxxxxxxxxxxxx> wrote:


Hi,

I'm new to OSSEC.

I recently received an email indicating some sort of a rootkit attempt
on one of my servers, due to improper permissions on /etc/hosts.deny.
Here's the applicable portion of the message:

> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/etc/hosts.deny' is owned by root and has written permissions to
> anyone.

When I checked, the file was owned by root:ossec, with permissions of
0666.  After much investigation and comparison with other systems in my
environment, I can find no indication of anything amiss.  My key
binaries all appear to be untouched (checksums, permissions, sizes all
match), so it appears the only real "change" is the ownership and
permissions of /etc/hosts.deny itself.

I would expect the permissions for this file should be 0644 and
root.root.  Am I wrong?

Is this a known issue, or have I screwed up my configuration somehow? Do
I need to correct a script and submit a patch?

Thanks,

Drew

OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.