Hi Andreas,

You will see that the "main" ossec processes (analysisd, maild and remoted) run
as separate users (ossec, ossecm and ossecr) under a chroot jail. However,
we cannot chroot syscheck, execd and logcollector, and they also need to run
as root (to execute commands, scan the system, etc). To have them running
as different users you need to start them by a non-root user and make sure they
have all the right accesses they need (logcollector to read the files,
syscheck to scan the directories, etc). We could probably add a privilege
separation option for these processes to make things easier, but currently
there is no way of doing it easily...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
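Two checks a practitioner would want before following the advice above, written as an added example (not part of the thread and not OSSEC's own tooling): first, a filter that reads a `ps` listing and reports which ossec-* daemons are still running as root; second, a permission-bit check that tells you whether a given service account can read a file or traverse a directory, which is the "make sure they have all the right accesses" step for logcollector and syscheck. The embedded `ps` lines are constructed from the listing quoted later in the thread; the user and paths you pass in are your own.

```shell
#!/bin/sh
# Added example: audit helpers for running OSSEC daemons as a non-root user.
# Not OSSEC code. Uses only POSIX tools (awk, ls, id, cut) so it also works on
# the Solaris-style hosts seen in the thread.

# Constructed sample of a `ps -ef`-style listing (USER PID PPID C STIME TTY TIME CMD),
# modelled on the listing quoted in the thread.
SAMPLE_PS='   ossec 19187     1  0 18:01:36 ?        0:00 /export/home/OSSEC2/bin/ossec-monitord
   ossec 19175     1  1 18:01:35 ?        0:03 /export/home/OSSEC2/bin/ossec-analysisd
    root 19219 17113  0 18:07:42 pts/40   0:00 grep OSSEC
    root 19179     1  0 18:01:35 ?        0:00 /export/home/OSSEC2/bin/ossec-logcollector
  ossecm 19167     1  0 18:01:35 ?        0:00 /export/home/OSSEC2/bin/ossec-maild
    root 19171     1  0 18:01:35 ?        0:00 /export/home/OSSEC2/bin/ossec-execd
    root 19183     1  0 18:01:36 ?        0:05 /export/home/OSSEC2/bin/ossec-syscheckd'

# Print the basename of every ossec-* command whose first column (user) is root.
# Reads the ps listing from stdin; the "grep OSSEC" line does not match /ossec-/.
root_ossec_procs() {
    awk '$1 == "root" && $NF ~ /ossec-/ { n = $NF; sub(/.*\//, "", n); print n }'
}

# can_read USER PATH: return 0 if USER can read PATH according to its mode bits
# (owner, group or other, in that order of precedence). Directories must also be
# searchable (x bit), since syscheck has to descend into them.
# Parses `ls -ld` rather than stat(1), whose flags differ between GNU and BSD.
can_read() {
    user=$1; path=$2
    [ -e "$path" ] || return 1
    set -- $(ls -ld "$path")          # $1=mode $2=links $3=owner $4=group
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$user" ]; then
        off=1                          # owner bits: characters 2-4
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        off=4                          # group bits: characters 5-7
    else
        off=7                          # other bits: characters 8-10
    fi
    perms=$(printf '%s' "$mode" | cut -c"$((off + 1))-$((off + 3))")
    case $perms in r*) ;; *) return 1 ;; esac
    case $mode in
        d*) case $perms in ??[xst]) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# check_paths USER PATH...: one "OK path" / "NOREAD path" line per argument.
check_paths() {
    user=$1; shift
    for p in "$@"; do
        if can_read "$user" "$p"; then echo "OK $p"; else echo "NOREAD $p"; fi
    done
}

# Stand-alone demo: which daemons in the sample still run as root, and whether
# the current user could read /etc/passwd (a path that exists on every host).
echo "still running as root:"
printf '%s\n' "$SAMPLE_PS" | root_ossec_procs
check_paths "$(id -un)" /etc/passwd
```

Run `ps -ef | root_ossec_procs` on the real host, and `check_paths ossec /var/log/messages /etc /usr/bin` (or whatever your syscheck and logcollector configuration names) with the account you intend to start the daemons under; every NOREAD line is a file or directory the daemon would silently be unable to cover once it is no longer root.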


On 11/17/06, Andreas Chatzakis <[EMAIL PROTECTED]> wrote:
Hi all,
following my previous email about running OSSEC with a different user than
root:

I have done some more investigation.
I have changed the owner of all OSSEC files and altered folder permissions so
that my ossec user could create the PID file, but I still get the following
processes, where some are still running as root:

   ossec 19187     1  0 18:01:36 ?        0:00 /export/home/OSSEC2/bin/ossec-monitord
   ossec 19175     1  1 18:01:35 ?        0:03 /export/home/OSSEC2/bin/ossec-analysisd
    root 19219 17113  0 18:07:42 pts/40   0:00 grep OSSEC
    root 19179     1  0 18:01:35 ?        0:00 /export/home/OSSEC2/bin/ossec-logcollector
  ossecm 19167     1  0 18:01:35 ?        0:00 /export/home/OSSEC2/bin/ossec-maild
    root 19171     1  0 18:01:35 ?        0:00 /export/home/OSSEC2/bin/ossec-execd
    root 19183     1  0 18:01:36 ?        0:05 /export/home/OSSEC2/bin/ossec-syscheckd

This (running OSSEC as root) would not be accepted by our service provider.
Is there any workaround?

thanks in advance
andreas

Andreas Chatzakis <[EMAIL PROTECTED]> wrote:


Hi Cid,
thanks for your help and for developing such a great tool.

The cron job might indeed be an option (although I guess there is no way to
be 100% sure the process had enough time to finish all the checks).

Does OSSEC always have to run as root? Or will it be sufficient to create a
user:group with read access to the target folders?

thanks
Andreas

Daniel Cid <[EMAIL PROTECTED]> wrote:

Hi Andreas,

Unfortunately, you can't. Syscheck used to be available as a separate package,
but I removed this option a few versions ago because no one was using it. It
was only giving us more work, because we always had to make sure that the
standalone version was working correctly...

You can work around that by only enabling syscheck on ossec (and
disabling everything else) and having a cron job to start it every night and
stop it 30 minutes later (to give enough time to scan)... Not really
what you wanted, but it may help.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 11/16/06, Andreas Chatzakis wrote:
> Hi all,
> I was wondering,
>
> is syscheck available standalone? I don't need any of the other functions
> and syscheck is a great tool and so easy to configure.
>
> does it always need to run as root? Or can I configure it to run as a
> different user?
>
> And one more question. Instead of having it running all the time as a
> process, could I schedule it or call it from another software and have its
> results in the logs or via email?
>
> thanks in advance
> Andreas