> To a process chrooted to /usr/local/ossec-hids, /var/run and /usr/local/ossec-hids/var/run are the same thing. The process' root directory (/) is now /usr/local/ossec-hids. So /usr/local/ossec-hids/var/run looks like /var/run to that process.
That is very true. Hmm, so why is it I get the error: ossec-agentd(1103): ERROR: Unable to open file '/var/run/.syscheck_run' when I run without any command line options, but then the error disappears when I specify "-D /usr/local/ossec-hids"? The two instances should result in the same behaviour?

On Tuesday, 1 November 2016 10:30:50 UTC, dan (ddpbsd) wrote:
>
> On Mon, Oct 31, 2016 at 1:55 PM, Eponymous - <[email protected]> wrote:
> > Hmm are you sure it's hard-coded to /var/ossec in some cases?
> >
> > The only reason I ask is that this is for a FreeBSD based system and the
> > package, by default, installs OSSEC into /usr/local/ossec-hids. If what
> > you're saying is true then surely it would be horribly broken on FreeBSD?
> >
>
> It's a compile time setting (defaults to /var/ossec). It mostly works
> if you change it then.
>
> > Also, does OSSEC do anything clever like try to determine the install path
> > and chroot into that directory?
> >
> > If it is indeed the case, then is it possible to change the default install
> > location in FreeBSD to /var/ossec for the OSSEC package?
> >
> > So far in my testing I've seen that without specifying an explicit chroot
> > path using the "-D" option on the command line, the OSSEC agent fails with
> > messages like:
> >
> > ossec-agentd(1103): ERROR: Unable to open file '/var/run/.syscheck_run'
> >
> > It's looking in /var/run when it clearly should be using
> > /usr/local/ossec-hids/var/run (chroot)
> >
>
> To a process chrooted to /usr/local/ossec-hids, /var/run and
> /usr/local/ossec-hids/var/run are the same thing.
> The process' root directory (/) is now /usr/local/ossec-hids. So
> /usr/local/ossec-hids/var/run looks like /var/run to that process.
>
> > Using the "-D" option to each of the processes on the command line got rid
> > of this ERROR but I've no confidence if it's actually working properly or
> > not.
> >
> > Regards.
> > On Monday, October 31, 2016 at 9:21:32 AM UTC, Pedro S wrote:
> >>
> >> Hi,
> >>
> >> The best way to start just the ones you need is to disable them at
> >> ossec.conf; that way they won't boot. For example, for "execd" you can disable
> >> Active-response and that will be enough to not boot that daemon.
> >>
> >> Regarding changing the chroot directory, you are right, each binary has a
> >> "-D" option to change it, but in my experience it does not always work as expected:
> >> the default folder "/var/ossec" is hardcoded sometimes and that causes some
> >> incompatibilities when changing the chroot folder. What experiences did you have
> >> so far?
> >>
> >> Regards,
> >> Pedro S.
> >>
> >> On Sun, Oct 30, 2016 at 11:19 PM, Eponymous - <[email protected]> wrote:
> >>>
> >>> Hi,
> >>>
> >>> I've been looking through the documentation and I can't find a way to
> >>> specify a different chroot directory in a configuration file.
> >>>
> >>> So far I've been looking at which services ossec-control starts when you
> >>> issue a "bin/ossec-control start" command and then just starting each one
> >>> individually with the -D option to change the chroot directory.
> >>>
> >>> Is there a better way to do it? Also, if I'm starting the services
> >>> manually, is it ok to just start the ones I think I need? For example, I
> >>> don't use active-response so can I leave out "execd"?
> >>>
> >>> Thanks
> >>>
> >>> --
> >>>
> >>> ---
> >>> You received this message because you are subscribed to the Google Groups
> >>> "ossec-list" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send an
> >>> email to [email protected].
> >>> For more options, visit https://groups.google.com/d/optout.
> >>
> >>
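The point dan makes in the quoted reply (a process chrooted to /usr/local/ossec-hids sees /usr/local/ossec-hids/var/run as /var/run) can be checked from the host side without starting the daemon. The script below is an added example for this thread, not code from OSSEC or from anyone on the list: `host_path` maps a path the way a chrooted daemon would name it back to the host path it actually touches (clamping `..` at the new root, as the kernel does), and `diagnose` reports whether the chroot directory, the parent directory and the file itself exist on the host and whether the parent is writable, which is the first thing to look at when ossec-agentd reports that it cannot open '/var/run/.syscheck_run'. The install prefixes in `demo()` are constructed inside a temporary directory; nothing about the real system is assumed.

```python
"""Map a path as a chrooted process sees it back to the host filesystem and
check whether the object the daemon complains about actually exists there."""
import os
import posixpath
import shutil
import tempfile


def host_path(chroot_dir, path_inside):
    """Return the host-side path that `path_inside` resolves to for a process
    chrooted to `chroot_dir`.  As with chroot(2), '..' cannot climb above the
    new root, so the result always stays underneath chroot_dir."""
    # Normalising against '/' collapses '.', '..' and doubled slashes; any
    # '..' that would go above '/' is simply dropped, mirroring the kernel.
    inside = posixpath.normpath(posixpath.join("/", path_inside))
    return os.path.join(os.path.abspath(chroot_dir), inside.lstrip("/"))


def diagnose(chroot_dir, path_inside):
    """Explain why open() of `path_inside` inside the chroot would fail or
    succeed: does the chroot directory exist on the host, does the parent
    directory of the target exist, can the daemon create the file there?"""
    target = host_path(chroot_dir, path_inside)
    parent = os.path.dirname(target)
    return {
        "host_path": target,
        "chroot_exists": os.path.isdir(chroot_dir),
        "parent_exists": os.path.isdir(parent),
        "parent_writable": os.access(parent, os.W_OK),
        "file_exists": os.path.exists(target),
    }


def demo():
    """Constructed fixture (not a real install): one prefix laid out like the
    FreeBSD package, with var/run present, and one prefix that was never
    installed, both checked for the file named in the thread's error."""
    base = tempfile.mkdtemp(prefix="ossec-chroot-demo-")
    try:
        installed = os.path.join(base, "usr", "local", "ossec-hids")
        os.makedirs(os.path.join(installed, "var", "run"))
        # Hypothetical second prefix that exists only as a name, not on disk.
        absent = os.path.join(base, "var", "ossec")
        return {
            "installed": diagnose(installed, "/var/run/.syscheck_run"),
            "absent": diagnose(absent, "/var/run/.syscheck_run"),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, report in demo().items():
        print(label)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

On a real agent host, call `diagnose("/usr/local/ossec-hids", "/var/run/.syscheck_run")` (or whatever prefix the package installed to) from a shell; if the daemon is being started without `-D`, repeat it with the compiled-in default prefix that dan mentions, since a missing chroot directory or a missing `var/run` underneath it is exactly what would make the open fail for one prefix and succeed for the other.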
