Chuck Braden wrote: > Just to be clear, in this age of 'running with reduced privilege', I did the > client install with just general privs as opposed to installing from an admin > account. That appears to have been the cause. > > Once I reinstalled with an admin account, it worked fine.
Glad it worked out for you. Software installs generally require admin privileges, but may not require admin to run a userspace program. The OSSEC service runs as SYSTEM and one of these days I'm going to do some testing to see if it will run with fewer privileges. I suspect it would run with a standard user account and the 'log on as a service' and 'manage auditing and security log' rights. For syscheck, the user would have to at least have read access to all of the files it is checking. Again, this is untested and may not work, but in theory (if I'm not missing something), it may.
