Thanks for sharing Sebastian.
On Thu, May 21, 2015 at 5:32 AM, skotthof sebastian.kotth...@rz.uni-mannheim.de wrote:
Hi,
I have ossec-execd running as (new) user ossece.
For the Latest Stable Release (2.8.1)
On agent:
# ps aux | grep ossec
ossece   21669  0.0  0.0  12564   504 ?  S  10:57  0:00 /opt/ossec/bin/ossec-execd
ossec    21673  0.0  0.0  12888   932 ?  S  10:57  0:01 /opt/ossec/bin/ossec-agentd
root     21678  0.0  0.0   4316   556 ?  S  10:57  0:00 /opt/ossec/bin/ossec-logcollector
root     21681  0.2  0.0   5100  1664 ?  S  10:57  0:12 /opt/ossec/bin/ossec-syscheckd
If anybody is interested, here is a short howto (you only need to do this on the
agent):
* create new user
# sudo useradd -g ossec -s /bin/false ossece
* give the new user ossece sudo rights for specific commands (in
/etc/sudoers):
ossece ALL=NOPASSWD: /bin/netstat, /opt/ossec/bin/ossec-control
* modify your ossec commands with "sudo"
- in active-response/bin/restart-ossec.sh put "sudo " before
"${PWD}/../bin/ossec-control restart"
- put "sudo /bin/" before "netstat" in the netstat command and the
netstat rule
* change owner of socket in ossec dir
# chown -R ossece queue/alerts
# chmod g+rwx,u+rwx queue/alerts
# chmod g+rw,u+rw queue/alerts/execq
* change owner of logfile
# chown ossece logs/active-responses.log
# chmod g+w logs/active-responses.log
* patch source
- headers/defs.h
--
--- headers/defs.h.orig 2015-05-21 11:02:43.266942603 +0200
+++ headers/defs.h 2015-05-20 21:04:06.279314754 +0200
@@ -93,6 +93,10 @@
#define REMUSER ossecr
#endif
+#ifndef EXUSER
+#define EXUSER ossece
+#endif
+
#ifndef GROUPGLOBAL
#define GROUPGLOBAL ossec
#endif
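Review bot: EXUSER is added as a build-time constant next to REMUSER and GROUPGLOBAL, but nothing in the patch creates the account; the howto has the administrator run useradd by hand, and the execd.c part exits with USER_ERROR when the name does not resolve. Creating the user belongs in the install script (or at least in the documentation alongside the other OSSEC accounts), and the #ifndef guard, which allows -DEXUSER=... at build time, should be mentioned there so that a site using a different account name knows how to match it.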
--
- os_execd/execd.c
--
--- os_execd/execd.orig.c 2015-05-21 10:53:10.170970564 +0200
+++ os_execd/execd.c2015-05-21 10:56:11.838961712 +0200
@@ -76,9 +76,11 @@
int c;
int test_config = 0,run_foreground = 0;
int gid = 0,m_queue = 0;
+int uid = 0;
// TODO: delete or implement
char *dir __attribute__((unused)) = DEFAULTDIR;
+char *user = EXUSER;
char *group = GROUPGLOBAL;
// TODO: delete or implement
char *cfg __attribute__((unused)) = DEFAULTARPATH;
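Review bot: `char *user = EXUSER;` fixes the drop-to user at compile time and the patch adds no way to override it at runtime, so an operator who created the account under another name has to rebuild ossec-execd. Either state in the description that the name must match EXUSER exactly, or accept it from the command line the way the other locals declared here (`dir`, `group`) are set up to be; the option parsing is not in this hunk, so say whether leaving it out is intentional.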
@@ -132,14 +134,18 @@
/* Check if the group given are valid */
gid = Privsep_GetGroup(group);
-if(gid 0)
-ErrorExit(USER_ERROR,ARGV0,,group);
-
+uid = Privsep_GetUser(user);
+if((uid 0)||(gid 0))
+ErrorExit(USER_ERROR, ARGV0, user, group);
/* Privilege separation */
if(Privsep_SetGroup(gid) 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
+/* Changing user */
+if(Privsep_SetUser(uid) 0)
+ErrorExit(SETUID_ERROR,ARGV0,user);
+
/* Reading config */
if((c = ExecdConfig(xmlcfg)) 0)
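Review bot: Privsep_SetUser(uid) now runs before `/* Reading config */` and `ExecdConfig(xmlcfg)`, so the configuration files are opened as ossece; if they are not readable by that user (or the ossec group) execd now dies on the config read after it has already dropped privileges, which is a confusing failure. Either read the config before dropping to the new user, or document the required file permissions together with the queue/alerts ones in the howto. Two smaller points: the comparison operators are missing from `if((uid 0)||(gid 0))` and `if(Privsep_SetUser(uid) 0)` in the copy as posted (the removed `if(gid 0)` line shows the same damage, presumably `< 0`), so the hunk as shown will not compile and the patch file should be re-checked for mailer mangling; and the merged check reports USER_ERROR with both names even when only the group lookup failed, so splitting it keeps the message accurate.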
--
* compile
# cd os_execd
# make clean
# make
# sudo cp ossec-execd /var/ossec/bin/
* Restart ossec
* Test
- on client
# tail -f logs/ossec.log
- on server
# ./bin/agent_control -R 001
That's it!
If you get the error:
ERROR: Queue '/var/ossec/queue/alerts/execq' not accessible: 'Address
already in use'.
then check:
- /var/ossec/queue/alerts must be readable, writable and executable (x) by ossece
- /var/ossec/queue/alerts/execq must be readable and writable by ossece
Best
Sebastian
--
Sebastian Kotthoff
Rechenzentrum
Universität Mannheim
B6, 23-29; Building B; Room 1.10
68159 Mannheim
Tel: +49 621 181 2516
Fax: +49 621 181 2682
--
---
You received this message because you are subscribed to the Google Groups
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
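As an added example (not from Sebastian's post and not part of OSSEC), the following script checks the things the howto above depends on before the patched ossec-execd is started: that the ossece account exists, that queue/alerts, the execq socket, the active-responses log and ossec.conf are accessible to it, that sudoers really grants the two commands, and that the running ossec-execd is owned by ossece rather than root. It assumes a Linux agent with GNU coreutils (stat -c), procps (ps -C) and sudo; the install prefix (the post uses both /opt/ossec and /var/ossec), user and group names are parameters with assumed defaults, and the check functions work on any path so they can be tried on a scratch directory.

```shell
#!/bin/sh
# execd-preflight.sh: sanity checks for running ossec-execd as an unprivileged user.
# Added example; not from the original post and not part of OSSEC.
# Assumptions: Linux agent with GNU coreutils (stat -c), procps (ps -C) and sudo.
# Install prefix, user and group are parameters; the defaults are assumptions.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"   # assumed prefix (the post also uses /opt/ossec)
EXEC_USER="${EXEC_USER:-ossece}"       # account ossec-execd should drop to
EXEC_GROUP="${EXEC_GROUP:-ossec}"      # OSSEC group (GROUPGLOBAL)

# perm_digit PATH USER GROUP
# Print the octal permission digit (0-7) that applies to USER on PATH: the
# owner digit if USER owns it, else the group digit if PATH belongs to GROUP,
# else the "other" digit. Supplementary groups are not considered.
perm_digit() {
    p=$1; u=$2; g=$3
    [ -e "$p" ] || return 1
    set -- $(stat -c '%a %U %G' "$p")          # mode owner group
    bits=$(printf '%s' "$1" | tail -c 3)       # drop setuid/setgid/sticky digit
    if   [ "$2" = "$u" ]; then printf '%s\n' "$bits" | cut -c1
    elif [ "$3" = "$g" ]; then printf '%s\n' "$bits" | cut -c2
    else                       printf '%s\n' "$bits" | cut -c3
    fi
}

# check_path PATH USER GROUP NEED
# NEED is a string of r/w/x letters. Returns 0 if USER has every requested
# bit on PATH, 1 otherwise, and prints one OK/BAD line either way.
check_path() {
    p=$1; u=$2; g=$3; need=$4
    [ -e "$p" ] || { echo "BAD  missing: $p"; return 1; }
    d=$(perm_digit "$p" "$u" "$g")
    bad=0
    case $need in *r*) [ $((d & 4)) -ne 0 ] || bad=1 ;; esac
    case $need in *w*) [ $((d & 2)) -ne 0 ] || bad=1 ;; esac
    case $need in *x*) [ $((d & 1)) -ne 0 ] || bad=1 ;; esac
    if [ $bad -eq 0 ]; then
        echo "OK   $p: $u has $need"
    else
        echo "BAD  $p: $u lacks $need (mode $(stat -c '%a %U:%G' "$p"))"
    fi
    return $bad
}

# preflight: the checks behind the "Queue ... not accessible" error from the
# post, plus the sudo grants and the effective user of the running daemon.
# Needs root, because sudo -l -U lists another user's privileges.
preflight() {
    rc=0
    if id "$EXEC_USER" >/dev/null 2>&1; then echo "OK   user $EXEC_USER exists"
    else echo "BAD  user $EXEC_USER does not exist"; rc=1; fi
    check_path "$OSSEC_DIR/queue/alerts"              "$EXEC_USER" "$EXEC_GROUP" rwx || rc=1
    # execq is created by execd itself, so it only exists once execd has started
    check_path "$OSSEC_DIR/queue/alerts/execq"        "$EXEC_USER" "$EXEC_GROUP" rw  || rc=1
    check_path "$OSSEC_DIR/logs/active-responses.log" "$EXEC_USER" "$EXEC_GROUP" w   || rc=1
    # the patched execd reads its config after dropping to EXEC_USER
    check_path "$OSSEC_DIR/etc/ossec.conf"            "$EXEC_USER" "$EXEC_GROUP" r   || rc=1
    for cmd in /bin/netstat "$OSSEC_DIR/bin/ossec-control"; do
        # sudo -l <cmd> exits 0 only if sudoers lets EXEC_USER run it; nothing is executed
        if sudo -n -l -U "$EXEC_USER" "$cmd" >/dev/null 2>&1; then
            echo "OK   sudo: $EXEC_USER may run $cmd"
        else
            echo "BAD  sudo: $EXEC_USER may not run $cmd (check /etc/sudoers)"; rc=1
        fi
    done
    owner=$(ps -o user= -C ossec-execd 2>/dev/null | head -n 1 | tr -d ' ')
    if [ "$owner" = "$EXEC_USER" ]; then echo "OK   ossec-execd runs as $owner"
    else echo "BAD  ossec-execd runs as '${owner:-not running}' (want $EXEC_USER)"; rc=1; fi
    return $rc
}

# Run the checks only when invoked as "sh execd-preflight.sh run", so the
# functions can also be sourced or exercised on a scratch directory.
if [ "${1:-}" = run ]; then
    preflight
fi
```

Run it as root on the agent after a restart (`OSSEC_DIR=/opt/ossec sh execd-preflight.sh run` if the agent lives under /opt/ossec); a non-zero exit means at least one BAD line was printed. One caveat worth keeping in mind when adapting the sudoers line from the post: a command listed without arguments may be run with any arguments, so the rule lets anything running as ossece execute `ossec-control stop` as root as well; listing `/opt/ossec/bin/ossec-control restart` instead limits the grant to the one invocation restart-ossec.sh actually needs.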