On Mon, Oct 31, 2016 at 1:55 PM, Eponymous - <[email protected]> wrote:

> Hmm are you sure it's hard-coded to /var/ossec in some cases?
>
> The only reason I ask is that this is for a FreeBSD based system and the
> package, by default, installs OSSEC into /usr/local/ossec-hids. If what
> you're saying is true then surely it would be horribly broken on FreeBSD?

It's a compile time setting (defaults to /var/ossec). It mostly works if you change it then.

> Also, does OSSEC do anything clever like try to determine the install path
> and chroot into that directory?
>
> If it is indeed the case, then is it possible to change the default install
> location in FreeBSD to /var/ossec for the OSSEC package?
>
> So far in my testing I've seen that without specifying an explicit chroot
> path using the "-D" option on the command line, the OSSEC agent fails with
> messages like:
>
> ossec-agentd(1103): ERROR: Unable to open file '/var/run/.syscheck_run'
>
> It's looking in /var/run when it clearly should be using
> /usr/local/ossec-hids/var/run (chroot)

To a process chrooted to /usr/local/ossec-hids, /var/run and /usr/local/ossec-hids/var/run are the same thing. The process' root directory (/) is now /usr/local/ossec-hids. So /usr/local/ossec-hids/var/run looks like /var/run to that process.

> Using the "-D" options to each of the processes on the command line got rid
> of this ERROR but I've no confidence if it's actually working properly or
> not.
>
> Regards.
>
> On Monday, October 31, 2016 at 9:21:32 AM UTC, Pedro S wrote:
>>
>> Hi,
>>
>> The best way to start just the ones you need is to disable them at
>> ossec.conf, that way they won't boot, for example for "execd" you can disable
>> Active-response and that will be enough to not boot that daemon.
>>
>> Regarding changing the chroot directory, you are right, each binary has a
>> "-D" option to change it but in my experience it does not always work as expected,
>> the default folder "/var/ossec" is hardcoded sometimes and that causes some
>> incompatibilities when changing the chroot folder. What experiences did you have
>> so far?
>>
>> Regards,
>> Pedro S.
>>
>> On Sun, Oct 30, 2016 at 11:19 PM, Eponymous - <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I've been looking through the documentation and I can't find a way to
>>> specify a different chroot directory in a configuration file.
>>>
>>> So far I've been looking at which services ossec-control starts when you
>>> issue a "bin/ossec-control start" command and then just starting each one
>>> individually with the -D option to change the chroot directory.
>>>
>>> Is there a better way to do it? Also, if I'm starting the services
>>> manually, is it ok to just start the ones I think I need? For example, I
>>> don't use active-response so can I leave out "execd"?
>>>
>>> Thanks

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
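As an added illustration of the chroot point made in this reply (this is not code from the thread, from OSSEC, or from the FreeBSD package), the Python script below takes "Unable to open file" errors of the form shown above, translates the path the chrooted daemon printed into the corresponding host path under the install prefix, and reports whether that parent directory actually exists on the host. The log lines and the temporary directory tree are constructed for the demonstration; the chroot base passed to `diagnose()` is whatever prefix the daemons were started with via `-D`.

```python
import os
import re
import tempfile

# Constructed sample agent log lines, shaped like the message quoted in the thread.
# The second path is made up for the demo and is not a real OSSEC file.
SAMPLE_LOG = """\
ossec-agentd(1103): ERROR: Unable to open file '/var/run/.syscheck_run'
ossec-syscheckd(1103): ERROR: Unable to open file '/queue/example/socket'
"""

# Matches "<daemon>(<code>): ERROR: Unable to open file '<path>'".
ERR_RE = re.compile(
    r"^(?P<daemon>ossec-\w+)\(\d+\): ERROR: Unable to open file '(?P<path>[^']+)'"
)


def host_path(chroot_dir, inner_path):
    """Translate a path as a chrooted process sees it into the host path.

    A daemon chrooted to chroot_dir sees chroot_dir as "/", so "/var/run"
    inside the chroot is chroot_dir + "/var/run" on the host.
    """
    return os.path.join(chroot_dir, inner_path.lstrip("/"))


def diagnose(log_text, chroot_dir):
    """Parse 'Unable to open file' errors and check each path against the chroot.

    Returns one dict per error with the in-chroot path, the host path and
    whether the parent directory exists under chroot_dir on the host, which
    is the first thing to verify when a daemon started with -D reports a
    path that looks like it belongs to the system root.
    """
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue
        inner = m.group("path")
        host = host_path(chroot_dir, inner)
        findings.append({
            "daemon": m.group("daemon"),
            "inner": inner,
            "host": host,
            "parent_exists": os.path.isdir(os.path.dirname(host)),
        })
    return findings


def demo():
    """Run the check against a constructed install tree with only var/run present."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "var", "run"))
        return diagnose(SAMPLE_LOG, base)


if __name__ == "__main__":
    for f in demo():
        status = "ok" if f["parent_exists"] else "MISSING parent dir on host"
        print(f"{f['daemon']}: {f['inner']} -> {f['host']} [{status}]")
```

Pointing `diagnose()` at the real agent log and the real prefix (for the FreeBSD package, `/usr/local/ossec-hids`) distinguishes the two cases the thread conflates: if the parent directory exists under the prefix, the error path is simply the chroot-relative view of a file the daemon could not open for another reason (permissions, a missing lock file); if it does not, the daemon was either started without the matching `-D` or compiled against a different default and is not looking where the install tree is.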
