[ossec-list] Re: Disable rootcheck / OSSEC inside openvz VPS
- To: "Daniel Cid" <daniel.cid@xxxxxxxxx>, ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Disable rootcheck / OSSEC inside openvz VPS
- From: "Blaine Aldridge" <blaine.aldridge@xxxxxxxxx>
- Date: Sun, 27 May 2007 00:18:18 -0400
Thanks Daniel,
Everything is working correctly now.
Blaine Aldridge
On 5/26/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> Hi Blaine,
>
> Thanks for the additional information. This problem was caused by a bug
> in the configuration reader for "execd" that was reading, well, err, rootcheck
> config :)
>
> I released an updated version of 1.2 (stable snapshot) with a fix for this:
>
> http://www.ossec.net/files/snapshots/ossec-hids-070525.tar.gz
>
> Upgrade your ossec install to this one and the problem should go away
> (just choose upgrade option when you run ./install.sh).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/22/07, Blaine Aldridge <blaine.aldridge@xxxxxxxxx> wrote:
> > ossec-execd was not running and refuses to start when rootcheck is
> > disabled. When I try to run /var/ossec/bin/ossec-execd manually it
> > just shows
> >
> > ossec-execd(1350): Active response disabled. Exiting.
> >
> > in the logs.
> >
> > Restarting ossec does not fix the problem either. The only way I can
> > get the execd process to not kill itself is by enabling rootcheck.
> >
> > Blaine Aldridge
> >
> >
> > On 5/22/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > > Hi Blaine,
> > >
> > > I think your problem is unrelated to rootcheck. The error you mentioned only
> > > happens when ossec-analysisd can not connect to ossec-execd...
> > >
> > > Can you make sure that ossec-execd is running (ps auwx |grep ossec)? If
> > > it is not, try to start it manually and see if it generates any errors. If it
> > > starts fine, just restart ossec and see if the problem persists...
> > >
> > > If that doesn't help, let us know and we will look deep into that :)
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On 5/20/07, Blaine Aldridge <blaine.aldridge@xxxxxxxxx> wrote:
> > > >
> > > > Hey all,
> > > >
> > > > I'm running OSSEC on an openvz based VPS and the rootcheck module
> > > > reports all sorts of hidden processes and such (as expected inside a
> > > > VPS). I've tried to disable the rootcheck module with
> > > >
> > > > <rootcheck>
> > > > <disabled>yes</disabled>
> > > > </rootcheck>
> > > >
> > > > in the ossec.conf but when I start ossec via init.d I get the following
> > > >
> > > > ossec-rootcheck: Rootcheck disabled. Exiting.
> > > > ossec-syscheckd: Rootcheck module disabled.
> > > >
> > > > Everything seems to be fine... except with rootcheck disabled active
> > > > response no longer works. In the ossec.log file I see
> > > >
> > > > ossec-analysisd(1210): Queue '/queue/alerts/execq' not accessible:
> > > > 'Connection refused'.
> > > > ossec-analysisd(1301): Unable to connect to active response queue.
> > > >
> > > > Any suggestions are appreciated,
> > > > Blaine Aldridge
> > > >
> > >
> >
>
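
A triage check for the symptom discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: it reads an ossec.conf and an ossec.log and reports whether ossec-execd exited with message 1350 while rootcheck is disabled, which is the combination the updated snapshot fixes. The function names and verdict strings are hypothetical, and the sample files are constructed from the config and log lines quoted above.

```shell
#!/bin/sh
# Added example, not OSSEC code. Function names and verdict strings are hypothetical.

# True when a <rootcheck> block in the config contains <disabled>yes</disabled>.
rootcheck_disabled() {
    awk '
        /<rootcheck>/   { inblk = 1 }
        inblk && /<disabled>[ \t]*yes[ \t]*<\/disabled>/ { found = 1 }
        /<\/rootcheck>/ { inblk = 0 }
        END { exit !found }
    ' "$1"
}

# diagnose_execd <ossec.conf> <ossec.log> -> prints one verdict:
#   execd-config-bug  execd exited with 1350 while rootcheck is disabled (this thread)
#   execd-down        execd exited or is unreachable for another reason
#   ok                neither message is present in the log
diagnose_execd() {
    conf=$1; log=$2; execd_exit=no; queue_fail=no
    if grep -q 'ossec-execd(1350): Active response disabled' "$log"; then execd_exit=yes; fi
    if grep -q 'ossec-analysisd(1301): Unable to connect' "$log"; then queue_fail=yes; fi
    if [ "$execd_exit" = yes ] && rootcheck_disabled "$conf"; then
        echo execd-config-bug
    elif [ "$execd_exit" = yes ] || [ "$queue_fail" = yes ]; then
        echo execd-down
    else
        echo ok
    fi
}

# Constructed sample files built from the config and log lines quoted in the thread.
write_sample() {
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
</ossec_config>
EOF
    cat > "$1/ossec.log" <<'EOF'
ossec-execd(1350): Active response disabled. Exiting.
ossec-analysisd(1210): Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
ossec-analysisd(1301): Unable to connect to active response queue.
EOF
}

d=$(mktemp -d) && write_sample "$d" && diagnose_execd "$d/ossec.conf" "$d/ossec.log"
rm -rf "$d"
```

A verdict of execd-config-bug means active response is silently off on that host even though the rest of OSSEC started, so alerts that should trigger a response will not.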