On Tue, Jun 25, 2013 at 10:39 AM, Rogue Bull <r09u3b...@gmail.com> wrote:
> Following ps are active on my server and agent:
>
> Server:
>
> ossec   1401 0.0 0.0   8840 3296 ? S  Jun08 0:21 /u01/ossec/bin/ossec-analysisd
> ossec   1418 0.0 0.0   6496  780 ? S  Jun08 0:01 /u01/ossec/bin/ossec-monitord
> ossecm  1393 0.0 0.0   6384  700 ? S  Jun08 0:12 /u01/ossec/bin/ossec-maild
> ossecr  1411 0.0 0.0 160268 1092 ? Sl Jun08 1:24 /u01/ossec/bin/ossec-remoted
>
> root    1396 0.0 0.0   6232  528 ? S  Jun08 0:00 /u01/ossec/bin/ossec-execd
> root    1404 0.0 0.0   4280  568 ? S  Jun08 0:54 /u01/ossec/bin/ossec-logcollector
> root    1414 0.0 0.0   5240 1820 ? S  Jun08 6:36 /u01/ossec/bin/ossec-syscheckd
>
> Agent:
>
> ossec   7584 0.0 0.0   6528  912 ? S  07:28 0:00 /u01/ossec/bin/ossec-agentd
>
> root    7580 0.0 0.0   6232  480 ? S  07:28 0:00 /u01/ossec/bin/ossec-execd
> root    7588 0.0 0.0   4292  540 ? S  07:28 0:00 /u01/ossec/bin/ossec-logcollector
> root    7592 0.0 0.0   4452  484 ? S  07:28 0:00 /u01/ossec/bin/ossec-syscheckd
>
> Q1: Can I run execd, logcollectord and syscheckd as ossec or ossecm?
> What I tried:
> Documentation says it is possible to do that for all three with the -u option:
> http://www.ossec.net/doc/programs/ossec-execd.html
> http://www.ossec.net/doc/programs/ossec-logcollector.html
> http://www.ossec.net/doc/programs/ossec-syscheckd.html
>
> It also says that the default user is: ossecm (but I don't see ossecm being
> used to run any of these)
>
> Now, when I run the following:
>
> # /u01/ossec/bin/ossec-execd -u ossec
> or
> # /u01/ossec/bin/ossec-execd -u ossecm
>
> the output is this:
>
> OSSEC HIDS v2.7 - Trend Micro Inc.
> (cont...@ossec.net)
> http://www.ossec.net
>
> ossec-execd: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]
>   -V          Version and license message
>   -h          This help message
>   -d          Execute in debug mode
>   -t          Test configuration
>   -f          Run in foreground
>   -u <user>   Run as 'user'
>   -g <group>  Run as 'group'
>   -c <config> Read the 'config' file
>   -D <dir>    Chroot to 'dir'
>
> The user is not switched.
>
> How to force these processes to run as non-root?
>

You can't. Not really. I have explained why. Also, the chrooting requires root privs.

> On Monday, June 24, 2013 9:53:36 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Mon, Jun 24, 2013 at 11:10 AM, Rogue Bull <r09u...@gmail.com> wrote:
>> > Hello All,
>> >
>> > I noticed that we are creating the ossec user on the agent machines.
>> > However, the process itself is launched and run as root. So why do we have
>> > ossec user? And is it not possible to run the process as non-root?
>> >
>>
>> Which process are you worried about? I have 3 that run as root:
>> [ddp@arrakis] :; ps auxww | grep ossec | grep root
>> root 20984 0.0 0.0 568  784 ?? I 11:18AM 0:00.00 /var/ossec/bin/ossec-execd
>> root 16204 0.0 0.0 572  996 ?? S 11:18AM 0:00.33 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
>> root 23166 0.0 0.1 828 1196 ?? I 11:18AM 0:15.48 /var/ossec/bin/ossec-syscheckd
>>
>> All 3 of these need root permissions. ossec-execd has to be able to
>> add rules to firewalls or hosts.deny files, ossec-logcollector needs
>> to be able to read log files (which are often only readable to root),
>> and ossec-syscheckd has to be able to checksum any file on the system.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/groups/opt_out.
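The privilege split the thread settles on is worth checking on a running host: execd, logcollector and syscheckd are expected as root, every other OSSEC daemon as a dedicated ossec* user. The POSIX sh script below is an added example, not code from the thread or from the OSSEC project; it audits `ps aux`-style output against that expectation. The list of root-requiring daemons is taken from dan's reply, and the sample `ps` lines are constructed for illustration (one of them, agentd running as root, is deliberately out of place so the audit has something to flag).

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): audit which OSSEC daemons run
# as root versus an unprivileged ossec* user, against the split the thread
# describes. Everything below is constructed for illustration.

# Daemons the thread says must run as root (assumption: this list is complete
# for the installation being audited).
ROOT_DAEMONS="ossec-execd ossec-logcollector ossec-syscheckd"

# Constructed sample of `ps aux | grep ossec` output. The ossec-agentd line
# is deliberately wrong (running as root) so the audit has something to flag.
SAMPLE_PS='ossec 1401 0.0 0.0 8840 3296 ? S Jun08 0:21 /u01/ossec/bin/ossec-analysisd
ossecm 1393 0.0 0.0 6384 700 ? S Jun08 0:12 /u01/ossec/bin/ossec-maild
ossecr 1411 0.0 0.0 160268 1092 ? Sl Jun08 1:24 /u01/ossec/bin/ossec-remoted
root 1396 0.0 0.0 6232 528 ? S Jun08 0:00 /u01/ossec/bin/ossec-execd
root 1404 0.0 0.0 4280 568 ? S Jun08 0:54 /u01/ossec/bin/ossec-logcollector
root 1414 0.0 0.0 5240 1820 ? S Jun08 6:36 /u01/ossec/bin/ossec-syscheckd
root 1420 0.0 0.0 6528 912 ? S Jun08 0:00 /u01/ossec/bin/ossec-agentd'

# needs_root NAME -> exit 0 if NAME is one of the daemons that must run as root.
needs_root() {
    for d in $ROOT_DAEMONS; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# classify USER DAEMON -> prints one of:
#   expected-root      needs root and runs as root
#   expected-unpriv    does not need root and runs unprivileged
#   unexpected-root    runs as root although it is not on the needs-root list
#   unexpected-unpriv  needs root (to read logs, edit hosts.deny, checksum any
#                      file) but is not running as root
classify() {
    user=$1
    daemon=$2
    if needs_root "$daemon"; then
        [ "$user" = root ] && echo expected-root || echo unexpected-unpriv
    else
        [ "$user" = root ] && echo unexpected-root || echo expected-unpriv
    fi
}

# audit_ps < ps-output -> prints "STATUS USER DAEMON" for every ossec daemon
# found; returns 1 if any line is unexpected, else 0.
audit_ps() {
    rc=0
    # Field order is that of `ps aux`: USER PID %CPU %MEM VSZ RSS TTY STAT
    # START TIME COMMAND; extra arguments land in _rest and are ignored.
    while read -r user _pid _cpu _mem _vsz _rss _tty _stat _start _time cmd _rest; do
        case "$cmd" in
            */ossec-*) ;;
            *) continue ;;
        esac
        daemon=${cmd##*/}
        status=$(classify "$user" "$daemon")
        case "$status" in
            unexpected-*) rc=1 ;;
        esac
        echo "$status $user $daemon"
    done
    return $rc
}

# count_unexpected < ps-output -> number of daemons whose user is unexpected.
count_unexpected() {
    audit_ps | awk '/^unexpected-/ { n++ } END { print n + 0 }'
}

# Run against the constructed sample. On a real host replace the printf with
# `ps aux`.
printf '%s\n' "$SAMPLE_PS" | audit_ps || echo "privilege split differs from the expected one"
```

On a real host the interesting result is the `unexpected-unpriv` case: a root-requiring daemon that someone has forced to an ossec user will start, but cannot do the work dan lists, so it is a silent loss of coverage rather than a hardening win.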