On Nov 1, 2016 2:12 PM, "Eponymous -" <[email protected]> wrote:
>
> Just after I posted that message I had an idea to check the permissions again and it looks like they were wrong.
>
> The permissions on the FreeBSD install are all messed up completely. I've had to change so many manually and this was another I'd missed.
>
> So far I have the processes running as default like this (user - command):
>
> root        /usr/local/ossec-hids/bin/ossec-execd
> ossec     /usr/local/ossec-hids/bin/ossec-agentd
> root        /usr/local/ossec-hids/bin/ossec-logcollector
> root        /usr/local/ossec-hids/bin/ossec-syscheckd
>
> All the directories are set to root:ossec (root owner) and rwxr-wr-x.
>
> This is why agentd complained as it only had r-x access to /usr/local/ossec-hids/var/run.
>
> I also had to change /usr/local/ossec-hids/etc/shared, /usr/local/ossec-hids/queue/ossec and /usr/local/ossec-hids/queue/rids to be owned by the ossec user.
>
> I've no idea how this installer managed to mess this up.
>
> Just for reference, what should the permissions for the processes and chroot directory look like?
>

The users for the processes look correct, but I don't know the permissions
off hand. I'll try to look them up later.

> Thanks!
>
>
> On Tuesday, November 1, 2016 at 6:03:31 PM UTC, dan (ddpbsd) wrote:
>>
>> On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <[email protected]> wrote:
>> > On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - <[email protected]> wrote:
>> >>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>> >>>> /usr/local/ossec-hids/var/run are the same thing. The process' root
>> >>>> directory (/) is now /usr/local/ossec-hids. So /usr/local/ossec-hids/var/run
>> >>>> looks like /var/run to that process.
>> >>
>> >> That is very true.
>> >>
>> >> Hmm, so why is it I get the error: ossec-agentd(1103): ERROR: Unable to open
>> >> file '/var/run/.syscheck_run'
>> >> when I run without any command line options but then the error disappears
>> >> when I specify "-D /usr/local/ossec-hids"? The two instances should result
>> >> in the same behaviour?
>> >>
>> >
>> > No idea, I haven't looked at FreeBSD's port. Perhaps they have it
>> > configured to chroot to a directory that doesn't contain var/run?
>>
>> It's possible that this line
>> (https://svnweb.freebsd.org/ports/head/security/ossec-hids-server/Makefile?revision=413754&view=markup#l87)
>>     @${ECHO} "DIR=\"${STAGEDIR}${PREFIX}/${PORTNAME}\"" > ${WRKSRC}/src/LOCATION
>> in the port Makefile configures the chroot directory incorrectly.
>>
>> You can try `strings /var/ossec/bin/ossec-agentd | grep ossec` to see
>> if it gives you any clues as to what directory is expected.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

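An added example, not part of the original messages and not OSSEC code: a small audit that maps the chroot-relative directories named in this thread back to host paths and reports which ones a given uid cannot write to. The function names are hypothetical, the directory list is only what the thread mentions, and the check looks at mode bits on the directory itself (no ACLs, no parent directories).

```python
import os
import stat

# Directories the thread reports ossec-agentd (user "ossec") had to write to,
# written as the chrooted process sees them.
AGENT_WRITABLE = ["/var/run", "/etc/shared", "/queue/ossec", "/queue/rids"]

def host_path(chroot_dir, inner):
    """Map a path seen inside the chroot to the real path on the host."""
    return os.path.join(chroot_dir, inner.lstrip("/"))

def can_write_dir(st, uid, gids):
    """Mode-bit check only (no ACLs): the first matching class decides."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need

def audit(chroot_dir, uid, gids, paths=AGENT_WRITABLE):
    """Return (inner_path, host_path, problem) for each directory uid cannot use."""
    findings = []
    for inner in paths:
        real = host_path(chroot_dir, inner)
        try:
            st = os.stat(real)
        except FileNotFoundError:
            findings.append((inner, real, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((inner, real, "not a directory"))
        elif not can_write_dir(st, uid, gids):
            mode = stat.filemode(st.st_mode)
            findings.append((inner, real, f"not writable: {st.st_uid}:{st.st_gid} {mode}"))
    return findings

if __name__ == "__main__":
    import grp, pwd, sys
    chroot_dir = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/ossec-hids"
    user = pwd.getpwnam("ossec")  # raises KeyError if the account does not exist
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall() if "ossec" in g.gr_mem}
    for inner, real, problem in audit(chroot_dir, user.pw_uid, gids):
        print(f"{inner} (host: {real}): {problem}")
```

Run it with the chroot directory as the first argument; a "missing" finding for /var/run is what a wrongly configured chroot directory would produce.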