The following processes are active on my server and agent:

*Server:*
ossec 1401 0.0 0.0 8840 3296 ? S Jun08 0:21 /u01/ossec/bin/ossec-analysisd
ossec 1418 0.0 0.0 6496 780 ? S Jun08 0:01 /u01/ossec/bin/ossec-monitord
ossecm 1393 0.0 0.0 6384 700 ? S Jun08 0:12 /u01/ossec/bin/ossec-maild
ossecr 1411 0.0 0.0 160268 1092 ? Sl Jun08 1:24 /u01/ossec/bin/ossec-remoted
root 1396 0.0 0.0 6232 528 ? S Jun08 0:00 /u01/ossec/bin/ossec-execd
root 1404 0.0 0.0 4280 568 ? S Jun08 0:54 /u01/ossec/bin/ossec-logcollector
root 1414 0.0 0.0 5240 1820 ? S Jun08 6:36 /u01/ossec/bin/ossec-syscheckd

*Agent:*
ossec 7584 0.0 0.0 6528 912 ? S 07:28 0:00 /u01/ossec/bin/ossec-agentd
root 7580 0.0 0.0 6232 480 ? S 07:28 0:00 /u01/ossec/bin/ossec-execd
root 7588 0.0 0.0 4292 540 ? S 07:28 0:00 /u01/ossec/bin/ossec-logcollector
root 7592 0.0 0.0 4452 484 ? S 07:28 0:00 /u01/ossec/bin/ossec-syscheckd

Q1: Can I run execd, logcollector and syscheckd as ossec or ossecm?

What I tried:

Documentation says it is possible to do that for all three with the -u option:
http://www.ossec.net/doc/programs/ossec-execd.html
http://www.ossec.net/doc/programs/ossec-logcollector.html
http://www.ossec.net/doc/programs/ossec-syscheckd.html

It also says that the default user is: ossecm (but I don't see ossecm being used to run any of these).

Now, when I run the following:

# /u01/ossec/bin/ossec-execd -u ossec
or
# /u01/ossec/bin/ossec-execd -u ossecm

the output is this:

OSSEC HIDS v2.7 - Trend Micro Inc. ([email protected])
http://www.ossec.net

ossec-execd: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]
  -V Version and license message
  -h This help message
  -d Execute in debug mode
  -t Test configuration
  -f Run in foreground
  -u <user> Run as 'user'
  -g <group> Run as 'group'
  -c <config> Read the 'config' file
  -D <dir> Chroot to 'dir'

The user is not switched.
*How to force these processes to run as non-root?*

On Monday, June 24, 2013 9:53:36 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Mon, Jun 24, 2013 at 11:10 AM, Rogue Bull <[email protected]> wrote:
> > Hello All,
> >
> > I noticed that we are creating the ossec user on the agent machines.
> > However, the process itself is launched and run as root. So why do we have
> > ossec user? And is it not possible to run the process as non-root?
> >
>
> Which process are you worried about? I have 3 that run as root:
> [ddp@arrakis] :; ps auxww | grep ossec | grep root
> root 20984 0.0 0.0 568 784 ?? I 11:18AM 0:00.00 /var/ossec/bin/ossec-execd
> root 16204 0.0 0.0 572 996 ?? S 11:18AM 0:00.33 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
> root 23166 0.0 0.1 828 1196 ?? I 11:18AM 0:15.48 /var/ossec/bin/ossec-syscheckd
>
> All 3 of these need root permissions. ossec-execd has to be able to
> add rules to firewalls or hosts.deny files, ossec-logcollector needs
> to be able to read log files (which are often only readable to root),
> and ossec-syscheckd has to be able to checksum any file on the system.
