Hmm are you sure it's hard-coded to /var/ossec in some cases?

The only reason I ask is that this is for a FreeBSD based system and the 
package, by default, installs OSSEC into /usr/local/ossec-hids. If what 
you're saying is true then surely it would be horribly broken on FreeBSD?

Also, does OSSEC do anything clever like try to determine the install path 
and chroot into that directory?

If it is indeed the case, then is it possible to change the default install 
location in FreeBSD to /var/ossec for the OSSEC package?

So far in my testing I've seen that without specifying an explicit chroot 
path using the "-D" option on the command line, the OSSEC agent fails with 
messages like: 

ossec-agentd(1103): ERROR: Unable to open file '/var/run/.syscheck_run'

It's looking in /var/run when it clearly should be using 
/usr/local/ossec-hids/var/run (chroot)

Using the "-D" option for each of the processes on the command line got rid 
of this ERROR, but I've no confidence whether it's actually working properly or 
not.

Regards.

On Monday, October 31, 2016 at 9:21:32 AM UTC, Pedro S wrote:
>
> Hi,
>
> The best way to start just the ones you need is to disable them in 
> ossec.conf; that way they won't boot. For example, for "execd" you can 
> disable Active-response and that will be enough to not boot that daemon.
>
> Regarding changing the chroot directory, you are right, each binary has a 
> "-D" option to change it, but in my experience it does not always work as 
> expected; the default folder "/var/ossec" is hardcoded sometimes, and that 
> causes some incompatibilities when changing the chroot folder. What 
> experiences did you have so far?
>
> Regards,
> Pedro S.
>
> On Sun, Oct 30, 2016 at 11:19 PM, Eponymous - <[email protected]> wrote:
>
>> Hi,
>>
>> I've been looking through the documentation and I can't find a way to 
>> specify a different chroot directory in a configuration file.
>>
>> So far I've been looking at which services ossec-control starts when you 
>> issue a "bin/ossec-control start" command and then just starting each one 
>> individually with the -D option to change the chroot directory.
>>
>> Is there a better way to do it? Also, if I'm starting the services 
>> manually, is it ok to just start the ones I think I need? For example, I 
>> don't use active-response so can I leave out "execd"?
>>
>> Thanks
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
