Yes, if it is inside the jail then that should be ok. Also check that your ossec.conf is configured to look for the rules where you want. As well, symbolic links inside the jail should work.
I hope that helps

On Wed, Feb 17, 2016 at 7:49 AM, Rui Zhang <[email protected]> wrote:
> Thank you, Santiago! Other than remounting a partition inside the jail,
> can we configure the folder for rules files? If we can configure the
> folder, would this also be inside the same jail? I am thinking of
> configuring the rules folder to /opt/ossec/rules, but I guess it will be
> looking for rules under /var/ossec/opt/ossec/rules instead of
> /opt/ossec/rules.
>
> On Tuesday, February 16, 2016 at 6:24:46 PM UTC-8, Santiago Bassett wrote:
>>
>> This is because the ossec-analysisd process runs in a chroot environment, so
>> it can't reach anything out of the jail (/var/ossec).
>>
>> In some scenarios, when really necessary, what we do is remount a
>> partition inside the jail (mount -o bind). I don't recommend this, but it
>> is a workaround that should work.
>>
>> Best
>>
>> On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I am trying to use a symlink for local_rules.xml. Here is what I did:
>>>
>>> cd /var/ossec/rules
>>> cp local_rules.xml /opt/ossec/rules
>>> mv local_rules.xml local_rules.xml.bak
>>> ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
>>>
>>> But I couldn't start OSSEC after this change, and when I check the log
>>> file, it indicates that it couldn't read the XML file local_rules.xml.
>>>
>>> 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML file '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not found. (line 88).
>>> 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>>> 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>
>>> I checked the user/group and permissions of those files, and they seem to
>>> be identical. So OSSEC won't take a symlink for a rules XML file?
>>>
>>> ll /opt/ossec/rules/local_rules.xml
>>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 /opt/ossec/rules/local_rules.xml*
>>>
>>> ll local_rules.xml.bak
>>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
>
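A pre-flight check for the situation described in this thread, added here as an example; it is not code from the list or from the OSSEC project. Because ossec-analysisd chroots into the install directory, the kernel resolves an absolute symlink target against the jail root, so /opt/ossec/rules/local_rules.xml is looked up as /var/ossec/opt/ossec/rules/local_rules.xml and is not found. The script below computes that jail-relative view of a symlink (clamping ".." at the jail root the way chroot path lookup does) and tells you whether the file will be reachable before you restart OSSEC. Assumptions of mine: the jail root is the install directory (/var/ossec by default, passed in as the first argument), rules are opened as /rules/<file> from inside the jail, matching the '/rules/local_rules.xml' path in the quoted error, and the demo builds a throwaway jail under mktemp rather than touching a real install.

```sh
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project).
# Checks whether a symlink under a chroot jail still resolves once a process
# has chrooted into that jail. Assumes the jail root is the OSSEC install
# dir and that rules are opened as /rules/<file> from inside it.

# normalize PATH: collapse '.', '..' and '//' the way path lookup does inside
# a chroot: '..' at the root stays at the root instead of escaping the jail.
normalize() (
    out=
    IFS=/
    for comp in $1; do
        case $comp in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$comp" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# jail_check JAIL LINK
#   JAIL: absolute host path of the chroot directory (e.g. /var/ossec)
#   LINK: absolute host path of a symlink living under JAIL
# Prints the file the chrooted process will actually open (as a host path)
# and returns 0 if it exists, 1 if the link points outside the jail or at a
# missing file, 2 on usage errors.
jail_check() {
    jail=$1; link=$2
    case $link in
        "$jail"/*) ;;
        *) echo "jail_check: $link is not under $jail" >&2; return 2 ;;
    esac
    target=$(readlink "$link") || { echo "jail_check: $link is not a symlink" >&2; return 2; }

    inside_link=${link#"$jail"}                         # e.g. /rules/local_rules.xml
    case $target in
        /*) inside_target=$target ;;                     # absolute: resolved against the jail root
        *)  inside_target="${inside_link%/*}/$target" ;; # relative: against the link's own directory
    esac
    inside_target=$(normalize "$inside_target")
    host_view="$jail$inside_target"
    printf '%s\n' "$host_view"
    [ -e "$host_view" ]
}

# Constructed demo environment (sample data, not a real install): a fake
# jail and a fake "outside" rules directory, both under mktemp.
setup_demo() {
    JAIL=$(mktemp -d)
    OUTSIDE=$(mktemp -d)
    mkdir -p "$JAIL/rules" "$OUTSIDE/rules"
    printf '<group name="local,"></group>\n' > "$OUTSIDE/rules/local_rules.xml"
    cp "$OUTSIDE/rules/local_rules.xml" "$JAIL/rules/local_rules.xml.bak"
}

# Three ways of wiring local_rules.xml, judged from the jail's point of view.
demo() {
    setup_demo
    lnk="$JAIL/rules/local_rules.xml"

    # 1. The thread's setup: absolute symlink to a file outside the jail.
    ln -s "$OUTSIDE/rules/local_rules.xml" "$lnk"
    if jail_check "$JAIL" "$lnk"; then echo "  ok"; else echo "  unreachable from the jail"; fi

    # 2. What 'mount -o bind' provides: the same tree also present inside the jail.
    mkdir -p "$JAIL$OUTSIDE/rules"
    cp "$OUTSIDE/rules/local_rules.xml" "$JAIL$OUTSIDE/rules/"
    if jail_check "$JAIL" "$lnk"; then echo "  ok"; else echo "  unreachable from the jail"; fi

    # 3. A relative symlink to a file that already lives inside the jail.
    rm "$lnk"; ln -s local_rules.xml.bak "$lnk"
    if jail_check "$JAIL" "$lnk"; then echo "  ok"; else echo "  unreachable from the jail"; fi

    rm -rf "$JAIL" "$OUTSIDE"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh jailcheck.sh demo" to see the three cases, or call jail_check /var/ossec /var/ossec/rules/local_rules.xml on a real host before restarting: a non-zero exit means analysisd will hit the same "File not found" error as above. Case 2 is why the bind-mount workaround works, and case 3 is why a symlink whose target is itself inside the jail is fine. Whatever path ossec.conf's rule includes name is resolved the same way, inside the jail.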
