Hi Tobias,

There is a recent commit related to this issue:
https://github.com/ossec/ossec-hids/commit/8d16a383a280e301d8d3e6441cfc75482222445e

The thing is that the process ossec-agentd runs –and should run– as user *ossec*. Those files should have *ossec* as owner and permissions 640, or, *root* as owner and permissions 660. OSSEC will use the former combination (probably in the next release), Wazuh has the latter one.

Anyway, you can remove all files contained inside */var/ossec/etc/shared*, the agent will restore them when it connects to the manager, and they will get the correct permissions.

Hope it helps.

Best regards,
Victor

On Sun, Sep 17, 2017 at 12:00 PM, Tobias Margiani <[email protected]> wrote:

> Hi Everyone,
>
> After messing around with my OSSEC setup (version 2.9.2, manager and two
> agents) I got an error like the following for every rootcheck file:
>
> 2017/09/17 10:24:35 ossec-agentd: ERROR: Unable to unmerge file
> '/etc/shared
> system_audit_rcl.txt'.
>
> Researching this a bit, I found issue 869 on Github[1], which suggests to
> change the permissions to 0640 (user root, group ossec), but in my case
> they are already like that.
>
> -rw-r--r-- 1 ossec ossec   2997 Sep 17 10:54 agent.conf
> -rw-r--r-- 1 ossec ossec    169 Sep 17 10:54 ar.conf
> -rw-r----- 1 root  ossec  12262 Sep 16 22:01 cis_debian_linux_rcl.txt
> -rw-r----- 1 root  ossec  35576 Sep 16 22:01 cis_rhel5_linux_rcl.txt
> -rw-r----- 1 root  ossec  33665 Sep 16 22:01 cis_rhel6_linux_rcl.txt
> -rw-r----- 1 root  ossec  37026 Sep 16 22:01 cis_rhel7_linux_rcl.txt
> -rw-r----- 1 root  ossec  17459 Sep 16 22:01 cis_rhel_linux_rcl.txt
> -rw-r--r-- 1 ossec ossec 179331 Sep 17 10:54 merged.mg
> -rw-r----- 1 root  ossec  16120 Sep 16 22:01 rootkit_files.txt
> -rw-r----- 1 root  ossec   5479 Sep 16 22:01 rootkit_trojans.txt
> -rw-r----- 1 root  ossec   4233 Sep 16 22:01 system_audit_rcl.txt
> -rw-r----- 1 root  ossec   4904 Sep 16 22:01 win_applications_rcl.txt
> -rw-r----- 1 root  ossec   4007 Sep 16 22:01 win_audit_rcl.txt
> -rw-r----- 1 root  ossec   5090 Sep 16 22:01 win_malware_rcl.txt
>
> Then I found out that ossec-agentd runs as user "ossec" and after changing
> the owner of the above files from root to ossec it seems to work again (at
> least there are no errors in the log and the changed time of the files is
> updated).
>
> Question: Should ossec-agentd run as root instead or should the owner of
> those files be "ossec" or anything else (e.g. possible problems with my
> setup).
>
> Thanks,
> Tobias Margiani
>
> [1] https://github.com/ossec/ossec-hids/issues/869
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
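
Both ownership/mode combinations named in the reply leave the *ossec* account able to write the shared files, while the root:ossec 0640 files in the listing do not. The script below is an added example, not code from this thread or from the OSSEC or Wazuh projects; it applies the classic Unix mode-bit check per file and assumes GNU `stat`, an agent account and primary group both named `ossec`, and no ACLs (the function names are hypothetical).

```shell
#!/bin/sh
# Added example: evaluates mode bits only (no ACLs, no supplementary groups).
AGENT_USER=${AGENT_USER:-ossec}    # assumption: account ossec-agentd runs as
AGENT_GROUP=${AGENT_GROUP:-ossec}  # assumption: that account's primary group

# agent_can_write OWNER GROUP MODE
# Succeeds if the owner/group/other permission check lets the agent write.
agent_can_write() {
    acw_bits=$((0$3))              # read "640" or "0640" as octal
    if [ "$1" = "$AGENT_USER" ]; then
        acw_mask=128               # 0200: owner write bit
    elif [ "$2" = "$AGENT_GROUP" ]; then
        acw_mask=16                # 0020: group write bit
    else
        acw_mask=2                 # 0002: other write bit
    fi
    [ $((acw_bits & acw_mask)) -ne 0 ]
}

# audit_shared DIR
# Prints every regular file in DIR the agent cannot overwrite.
# Returns 1 if at least one such file exists, 0 otherwise.
audit_shared() {
    as_rc=0
    for as_f in "$1"/*; do
        [ -f "$as_f" ] || continue
        as_o=$(stat -c %U "$as_f")   # owner name (GNU stat)
        as_g=$(stat -c %G "$as_f")   # group name
        as_m=$(stat -c %a "$as_f")   # octal mode
        if ! agent_can_write "$as_o" "$as_g" "$as_m"; then
            printf '%s: %s:%s %s is not writable by %s\n' \
                "$as_f" "$as_o" "$as_g" "$as_m" "$AGENT_USER"
            as_rc=1
        fi
    done
    return $as_rc
}

# Run as: sh audit.sh /var/ossec/etc/shared
if [ -n "${1:-}" ]; then
    audit_shared "$1"
fi
```
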
