Hi Everyone,

After messing around with my OSSEC setup (version 2.9.2, manager and two agents) I got an error like the following for every rootcheck file:

> 2017/09/17 10:24:35 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared system_audit_rcl.txt'.

Researching this a bit, I found issue 869 on GitHub[1], which suggests changing the permissions to 0640 (user root, group ossec), but in my case they are already like that.

> -rw-r--r-- 1 ossec ossec 2997 Sep 17 10:54 agent.conf
> -rw-r--r-- 1 ossec ossec 169 Sep 17 10:54 ar.conf
> -rw-r----- 1 root ossec 12262 Sep 16 22:01 cis_debian_linux_rcl.txt
> -rw-r----- 1 root ossec 35576 Sep 16 22:01 cis_rhel5_linux_rcl.txt
> -rw-r----- 1 root ossec 33665 Sep 16 22:01 cis_rhel6_linux_rcl.txt
> -rw-r----- 1 root ossec 37026 Sep 16 22:01 cis_rhel7_linux_rcl.txt
> -rw-r----- 1 root ossec 17459 Sep 16 22:01 cis_rhel_linux_rcl.txt
> -rw-r--r-- 1 ossec ossec 179331 Sep 17 10:54 merged.mg
> -rw-r----- 1 root ossec 16120 Sep 16 22:01 rootkit_files.txt
> -rw-r----- 1 root ossec 5479 Sep 16 22:01 rootkit_trojans.txt
> -rw-r----- 1 root ossec 4233 Sep 16 22:01 system_audit_rcl.txt
> -rw-r----- 1 root ossec 4904 Sep 16 22:01 win_applications_rcl.txt
> -rw-r----- 1 root ossec 4007 Sep 16 22:01 win_audit_rcl.txt
> -rw-r----- 1 root ossec 5090 Sep 16 22:01 win_malware_rcl.txt

Then I found out that ossec-agentd runs as user "ossec", and after changing the owner of the above files from root to ossec it seems to work again (at least there are no errors in the log and the changed time of the files is updated).

Question: Should ossec-agentd run as root instead, or should the owner of those files be "ossec" or anything else (e.g. possible problems with my setup)?

Thanks,
Tobias Margiani

[1] https://github.com/ossec/ossec-hids/issues/869