On Fri, Sep 13, 2013 at 2:28 PM, Roy Feintuch <[email protected]> wrote:
> I'm not talking about solving someone's specific issues. If people knew which
> file permissions were changed - then they had no issue in the first place -
> they would have just fixed it.
> I'm talking about an idiot proof script that goes over *all* relevant ossec
> folders/files and chown'ing them to the relevant ossec user (ossec, ossecr,
> ?).
>
> Then whenever we see someone talking about 'ossec process does not start'
> (or similar) the first question would be -
> 'did you try the 'fix-most-ossec-issues-script.sh'?
>
> just my $0.02. Cheers
>

We used to do better permissions/ownership on install/upgrades, but it
took too long on some systems. It probably wouldn't be quick, and it
seems like it would hide the real problem (the permissions being
modified). If you come up with something before anyone else, please
feel free to pass it along to the list. :)

>
> On Fri, Sep 13, 2013 at 10:37 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Sep 13, 2013 at 1:36 PM, Roy Feintuch <[email protected]> wrote:
>> > Dan or anyone else - I see from time to time people reporting issues
>> > caused by wrong permissions.
>> > Is there any script somewhere to fix/rebuild all OSSEC related files
>> > permissions?
>> >
>>
>> Not that I know of. If you let us know which files you keep changing
>> the permissions on, we can probably create something.
>>
>> >
>> > On Friday, September 13, 2013 8:06:15 AM UTC-7, [email protected]
>> > wrote:
>> >>
>> >> Thanks Dan. That fixed that issue but now looking at others. Appears
>> >> someone has changed ownership of files in the ossec directory structure
>> >> and there are still issues which are causing problems with the app
>> >> including errors like:
>> >>
>> >> 2013/09/13 09:30:22 ossec-analysisd: Rules in an inconsistent state. Exiting.
>> >> -and-
>> >> 2013/09/13 09:30:30 ossec-logcollector(1224): ERROR: Error sending message to queue.
>> >> 2013/09/13 09:30:33 ossec-logcollector(1210): ERROR: Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> 2013/09/13 09:30:33 ossec-logcollector(1211): ERROR: Unable to access queue: '/opt/ossec/queue/ossec/queue'. Giving up..
>> >> 2013/09/13 09:31:18 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> 2013/09/13 09:31:18 ossec-syscheckd: socketerr (not available).
>> >> 2013/09/13 09:31:18 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>> >>
>> >> Why always on a Friday??? ;-)
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >> Sent: Friday, September 13, 2013 9:16 AM
>> >> To: [email protected]
>> >> Subject: Re: [ossec-list] "WARN: Process locked. Waiting for permission" At Server When Trying To Start Server
>> >>
>> >> On Fri, Sep 13, 2013 at 10:08 AM, MDACC-Luckie <[email protected]> wrote:
>> >> > I have dealt with issues with agents not connecting to the server with a
>> >> > "WARN: Process locked. Waiting for permission" message in the log but
>> >> > not at the server. When starting OSSEC on the primary OSSEC server, I
>> >> > am getting that message in the OSSEC log file. No agents appear to be
>> >> > able to connect to the server now. Any suggestions or thoughts on
>> >> > what to look at on the server to fix this?
>> >> >
>> >>
>> >> Make sure all ossec processes are stopped, and try removing the lock file:
>> >> /var/ossec/queue/ossec/.wait
>> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>
>
> --
> Roy Feintuch,
> CTO & Co-founder
> Dome9 Security
>
> (e) » [email protected]
> (web) » http://dome9.com
> (m) » +1-415-3423543
> (Skype) » froyke
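
A script along the lines discussed in this thread, added here as an example (it is not from the list or the OSSEC project): instead of chown'ing everything, it records a baseline from a known-good install and reports which paths have drifted, so the modification itself stays visible. The function names and the manifest format are made up for this example, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not OSSEC project code. Function names are hypothetical.
# Assumes GNU coreutils stat (the -c option).
# Manifest format (defined here): "owner group mode path", one entry per line.

# Record ownership and mode of everything under $1.
# Run it on a known-good install, e.g. straight after install or upgrade.
snapshot_perms() {
    find "$1" -exec stat -c '%U %G %a %n' {} +
}

# Compare the live tree with the manifest in $1. Prints one line per
# deviation and returns non-zero if any path is missing or has drifted.
audit_perms() {
    drift=0
    while read -r want_owner want_group want_mode path; do
        case $want_owner in ''|'#'*) continue ;; esac   # skip blanks/comments
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            echo "MISSING $path"
            drift=$((drift + 1))
            continue
        fi
        have=$(stat -c '%U %G %a' "$path")
        if [ "$have" != "$want_owner $want_group $want_mode" ]; then
            echo "DRIFT $path: have '$have', want '$want_owner $want_group $want_mode'"
            drift=$((drift + 1))
        fi
    done < "$1"
    [ "$drift" -eq 0 ]
}

# Usage: <script> snapshot /var/ossec > baseline ; <script> audit baseline
case ${1:-} in
    snapshot) snapshot_perms "$2" ;;
    audit)    audit_perms "$2" ;;
esac
```

Each DRIFT line carries the recorded owner, group and mode for the path, which is what is needed to restore it by hand.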
