Maybe there are some suid scripts or files?
Andreas Chatzakis wrote:
> Hi all,
> following my previous email about running OSSEC with a different user
> than root:
>
> I have done some more investigation.
> I have changed owner of all OSSEC files and altered folder permissions
> so that my ossec user could create the PID file, but still I get the
> following processes, where some are still running as root:
>
> ossec 19187 1 0 18:01:36 ? 0:00 /export/home/OSSEC2/bin/ossec-monitord
> ossec 19175 1 1 18:01:35 ? 0:03 /export/home/OSSEC2/bin/ossec-analysisd
> root 19219 17113 0 18:07:42 pts/40 0:00 grep OSSEC
> root 19179 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-logcollector
> ossecm 19167 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-maild
> root 19171 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-execd
> root 19183 1 0 18:01:36 ? 0:05 /export/home/OSSEC2/bin/ossec-syscheckd
>
> This (running OSSEC as root) would not be accepted by our service
> provider.
> Is there any work around?
>
> thanks in advance
> andreas
>
> */Andreas Chatzakis <[EMAIL PROTECTED]>/* wrote:
>
>     Hi Cid,
>     thanks for your help and for developing such a great tool.
>
>     The cron job might indeed be an option (although I guess there is
>     no way to be 100% sure the process had enough time to finish all
>     the checks).
>
>     Does OSSEC always have to run as root? Or will it be sufficient to
>     create a user:group with read access to the target folders?
>
>     thanks
>     Andreas
>
>     */Daniel Cid <[EMAIL PROTECTED]>/* wrote:
>
>         Hi Andreas,
>
>         Unfortunately, you can't. Syscheck used to be available as a
>         separate package, but I removed this option a few versions ago
>         because no one was using it. It was only giving us more work,
>         because we always had to make sure that the standalone version
>         was working correctly...
>
>         You can have a work around that by only enabling syscheck on
>         ossec (and disabling everything else) and having a cron job to
>         start it every night and stopping it 30 minutes later (to give
>         enough time to scan)... Not really what you wanted, but may help.
>
>         --
>         Daniel B. Cid
>         dcid ( at ) ossec.net
>
>         On 11/16/06, Andreas Chatzakis wrote:
>         > Hi all,
>         > I was wondering,
>         >
>         > is syscheck available standalone? I don't need any of the
>         > other functions and syscheck is a great tool and so easy to
>         > configure.
>         >
>         > Does it always need to run as root? Or can I configure it to
>         > run as a different user?
>         >
>         > And one more question. Instead of having it running all the
>         > time as a process, could I schedule it or call it from another
>         > software and have its results in the logs or via email?
>         >
>         > thanks in advance
>         > Andreas
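
An added example (not part of any message in this thread, and not OSSEC project code): POSIX shell functions that check the suid question raised in the reply and report which daemons under the install prefix run as root, using the ps lines quoted in the thread as sample input. The function names and the `OSSEC_DIR` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: follow up on the "suid files?" question for an OSSEC install.
# OSSEC_DIR (assumed name) defaults to the install path in the thread's ps output.
OSSEC_DIR="${OSSEC_DIR:-/export/home/OSSEC2}"

# Print regular files under directory $1 that carry the setuid or setgid bit.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Read `ps -ef` lines on stdin; print "user daemon" for every process whose
# executable path starts with $1/ (the "grep OSSEC" line does not match).
daemon_owners() {
    awk -v prefix="$1/" '{
        for (i = 2; i <= NF; i++)
            if (index($i, prefix) == 1) {
                n = split($i, parts, "/")
                print $1, parts[n]
                break
            }
    }'
}

# Same input; print only the daemons whose process owner is root.
root_daemons() {
    daemon_owners "$1" | awk '$1 == "root" { print $2 }'
}

# The ps lines quoted in the thread, rejoined one process per line.
sample_ps() {
    cat <<'EOF'
ossec 19187 1 0 18:01:36 ? 0:00 /export/home/OSSEC2/bin/ossec-monitord
ossec 19175 1 1 18:01:35 ? 0:03 /export/home/OSSEC2/bin/ossec-analysisd
root 19219 17113 0 18:07:42 pts/40 0:00 grep OSSEC
root 19179 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-logcollector
ossecm 19167 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-maild
root 19171 1 0 18:01:35 ? 0:00 /export/home/OSSEC2/bin/ossec-execd
root 19183 1 0 18:01:36 ? 0:05 /export/home/OSSEC2/bin/ossec-syscheckd
EOF
}

echo "Daemons running as root in the thread's sample:"
sample_ps | root_daemons /export/home/OSSEC2
if [ -d "$OSSEC_DIR" ]; then
    echo "Set-id files under $OSSEC_DIR:"
    find_setid "$OSSEC_DIR"
fi
```

On a live host, replace `sample_ps` with `ps -ef` and pass the real install prefix to `root_daemons`.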
