Permissions?

On Thu, Oct 4, 2018, 3:30 AM Judy Chen <[email protected]> wrote:

> Hi
>
> I checked my audit log for entries related to ossec but can't find why ossec can't
> access '/var/ossec/queue/ossec/queue'
>
> type=SERVICE_START msg=audit(1537893567.527:2919): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='unit=ossec-hids comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=failed'
> type=AVC msg=audit(1538308638.593:4576): avc:  denied  { read write } for
> pid=9787 comm="logrotate" name="ossec.log" dev="0:39"
> ino=17925539076010750948
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:nfs_t:s0 tclass=file
>
> Thanks a lot for your help
>
> On Wednesday, October 3, 2018 at 9:51:40 PM UTC+8, dan (ddpbsd) wrote:
>>
>>
>>
>> On Wed, Oct 3, 2018 at 6:20 AM Judy Chen <[email protected]> wrote:
>>
>>> Hi
>>>
>>> Thanks for your feedback
>>>
>>> I checked my folder permissions and they should be OK
>>>
>>> [root@ip-10-23-207-85 ossec]# pwd
>>> /var/ossec
>>> [root@ip-10-23-207-85 ossec]# ls -ld queue
>>> dr-xr-x---. 11 root ossec 6144 Sep 18 07:58 queue
>>>
>>> [root@ip-10-23-207-85 ossec]# cd queue/
>>> [root@ip-10-23-207-85 queue]# ls -ld ossec
>>> drwxrwx---. 2 ossec ossec 6144 Sep 25 05:02 ossec
>>>
>>> [root@ip-10-23-207-85 queue]# cd ossec/
>>> [root@ip-10-23-207-85 ossec]# ls -ld queue
>>> srw-rw----. 1 ossec ossec 0 Sep 25 05:02 queue
>>>
>>> Is it possibly related to the kernel version? ossec-agent seems unable to
>>> send logs to the server on Red Hat 4.8.3-9, but 4.4.35-33.55 works (not sure
>>> whether it is caused by the AWS AMI or some other problem)
>>>
>>
>> I don’t know of any issues with the kernel versions. Check the audit log
>> to see if something is being stopped. /var/log/audit I think
>>
>>
>>
>>
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>

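A small filter for the check suggested in the thread (look under /var/log/audit for something being stopped), added here as an example and not part of the original messages: it parses AVC denial records and reports the SELinux source and target types of those mentioning a given string. The first two sample records are the ones quoted in the thread, rejoined onto single lines; the third is constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Records 1 and 2 are the ones quoted in the thread, rejoined onto one line
# each as audit.log stores them. Record 3 is constructed for contrast.
SAMPLE = [
    "type=SERVICE_START msg=audit(1537893567.527:2919): pid=1 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='unit=ossec-hids comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" "
    "hostname=? addr=? terminal=? res=failed'",
    'type=AVC msg=audit(1538308638.593:4576): avc:  denied  { read write } for '
    'pid=9787 comm="logrotate" name="ossec.log" dev="0:39" '
    'ino=17925539076010750948 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file',
    'type=AVC msg=audit(1538308700.100:4580): avc:  denied  { read } for '
    'pid=1200 comm="httpd" name="index.html" dev="xvda1" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(r"type=AVC msg=audit\((\d+)\.\d+:(\d+)\): "
                    r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial; the SELinux type is field 3 of user:role:type:level."""
    m = AVC_RE.match(line)
    if not m:
        return None  # not an AVC denial (e.g. SERVICE_START)
    epoch, serial, perms, rest = m.groups()
    f = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "time": datetime.fromtimestamp(int(epoch), timezone.utc).isoformat(),
        "serial": int(serial),
        "perms": perms.split(),
        "comm": f.get("comm"),
        "name": f.get("name"),
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f.get("tclass"),
    }

def denials_mentioning(lines, needle):
    """AVC denials whose raw record contains `needle` (e.g. 'ossec')."""
    return [r for line in lines if needle in line and (r := parse_avc(line))]

if __name__ == "__main__":
    for rec in denials_mentioning(SAMPLE, "ossec"):
        print(rec)
```

For the thread's records it reports a single denial: `logrotate_t` refused read/write on `ossec.log`, a file labelled `nfs_t`; nothing in the quoted records refers to the queue socket itself.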