On Fri, May 6, 2011 at 2:26 PM, sempai <sem...@hellyeah.com> wrote:
> On Apr 18, 11:12 am, Michael Starks <ossec-l...@michaelstarks.com>
> wrote:
>
>>  OSSEC can be administered with someone who has sudo access to
>>  impersonate/become the ossec user account. I tried this several years
>>  ago. I recall that there was one daemon that failed to start because it
>>  started as root and then dropped privileges. The situation may be
>>  slightly different today since there have been a few more daemons added.
>>  You can probably design a strategy around allowing someone to become the
>>  ossec user then granting sudo root access to perform bin/ossec-control
>>  stop|start|restart, or something along those lines.
>
>
> I was hopeful!  But I've hit a wall pretty fast because just about
> everything generates an error even if you're uid:ossec.
>
> e.g.
>
> hids $ id
> uid=500(testuser) gid=500(testgroup) groups=500(testgroup),508(ossec)
>
> hids $ sudo -u ossec /var/ossec/bin/list_agents
>
> OSSEC HIDS list_agents: List available agents.
> Available options:
>        -h    This help message.
>        -a    List all agents.
>        -c    List the connected (active) agents.
>        -n    List the not connected (active) agents.
>
> hids $ sudo -u ossec /var/ossec/bin/list_agents  -c
> 2011/05/06 13:18:53 list_agents(1207): ERROR: Unable to switch to
> group: 'ossec'.
>
> hids $ sudo -u ossec /var/ossec/bin/list_agents  -n
> 2011/05/06 13:18:56 list_agents(1207): ERROR: Unable to switch to
> group: 'ossec'.
>
> hids $ sudo -u ossec /var/ossec/bin/manage_agents -h
>
> OSSEC HIDS manage_agents: Manage agents.
> Available options:
>        -h          This help message.
>        -V          Display OSSEC version.
>        -l          List available agents.
>        -e <id>     Extracts key for an agent (Manager only).
>        -i <id>     Import authentication key (Agent only).
>
> hids $ sudo -u ossec /var/ossec/bin/manage_agents
> 2011/05/06 13:19:05 manage_agents(1207): ERROR: Unable to switch to
> group: 'ossec'.
>
> My pilot server is on 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:04
> EDT 2011 i686 athlon i386 GNU/Linux, RHEL 5.6
>
> Similar issue to:
> http://groups.google.com/group/ossec-list/msg/71f6407e123f3de3
>
> But re-installation has no effect.
>
> Any suggestions?  My group doesn't want to manage the OS and platform;
> we have administrators that do that.  We just want to work with ossec
> the application so that we can test a HIDS deployment, but we're
> puzzled why it's unable to switch to the ossec group.
>

It can't switch because you're not root. Make sure "sudo -u ossec"
changes the group as well (and/or try it with "-g ossec" as well).
You may run into other problems running the daemon processes though.
For those you'd have to break out a text editor. (I'm thinking the
chroot code.)

> I can probably convince them to let us have superuser via sudo to run
> the ossec-control, but they're going to balk if I say "...and
> everything under /var/ossec/bin" due to how they manage the sudoers
> across production systems on our campus.  They are (rightly) averse
> to one-offs and "special snowflakes".
>
>

You don't need sudo access to ossec-control, just the binaries in
/var/ossec/bin (and a couple of quick mods to ossec-control to utilize
sudo).
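
One way to put the suggestion above into practice, written as an added
example for this thread rather than anything posted by the participants
or shipped by OSSEC: a sudoers fragment that gives a dedicated admin
group root access to the specific OSSEC binaries, by absolute path and
with fixed arguments, instead of a blanket grant on /var/ossec/bin. The
group name "ossecadm", the host alias and the exact set of binaries are
assumptions for the example; the argument restriction on ossec-control
is the kind of thing a sudoers-averse platform team is more likely to
accept.

```sudoers
# Added example, not from the thread or from OSSEC itself.
# Group name, host alias and the list of binaries are assumptions.
# Install as /etc/sudoers.d/ossec (mode 0440) and validate it with
#   visudo -c -f /etc/sudoers.d/ossec
# before depending on it.

Host_Alias  OSSEC_MGR = hids

# Agent-management tools, each by absolute path.  Deliberately no
# wildcard on /var/ossec/bin/, so a binary added there later is not
# granted automatically.
Cmnd_Alias  OSSEC_ADMIN = /var/ossec/bin/list_agents, \
                          /var/ossec/bin/manage_agents, \
                          /var/ossec/bin/agent_control

# Service control, limited to the argument strings that are needed.
# sudoers matches the whole argument string, so
#   sudo /var/ossec/bin/ossec-control restart
# is permitted while
#   sudo /var/ossec/bin/ossec-control enable client-syslog
# is refused.
Cmnd_Alias  OSSEC_CTRL  = /var/ossec/bin/ossec-control start, \
                          /var/ossec/bin/ossec-control stop, \
                          /var/ossec/bin/ossec-control restart, \
                          /var/ossec/bin/ossec-control status

# Members of the (assumed) ossecadm group may run the above as root
# on the manager host only.
%ossecadm   OSSEC_MGR = (root) OSSEC_ADMIN, OSSEC_CTRL
```

With this in place the commands from the first message are run as
"sudo /var/ossec/bin/list_agents -c" rather than "sudo -u ossec ...",
so the binaries start as root and perform their own privilege drop to
the ossec user and group, which is the path the error message was
complaining about. Because the commands in OSSEC_ADMIN carry no
argument restriction, any option those tools accept is allowed; if
that is too broad for the platform team, list the permitted
invocations explicitly as done for OSSEC_CTRL.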
