Ok, sorry for the stupid questions. 
But what does libmagic exactly do? 
How does it enhance OSSEC?
How can I check if my OSSEC installation has libmagic support enabled? 
Is this only necessary for the Master or for the Agent as well? (Agents do 
syschecks too)

thanks,
theresa

On Tuesday, 21 July 2015 16:13:27 UTC+2, James Edwards wrote:
>
> Due to the scope of the directories that we are monitoring, and a lot of 
> NFS shares, space and performance are concerns with OSSEC.  By leveraging 
> libmagic, it helps resolve the space issues.  In my case (on a working RHEL 
> compilation) without libmagic, /var/ossec/queue was ~770MB, while with 
> libmagic, it is ~62MB.
>
> On another note, I've previously recompiled the software in our RHEL 
> environment (6.6) using the same source tarball with libmagic, but Ubuntu 
> 14.04 has been problematic for me.  Thanks for confirming, Ryan.
>
> Thanks,
> James
>
> On Tuesday, July 21, 2015 at 8:36:52 AM UTC-4, Ryan Schulze wrote:
>>
>>  I can verify the problem with Ubuntu 14.04.
>>
>> According to the syscheck docs libmagic is optionally used with 
>> report_changes (if found on the system). I haven't checked the source code 
>> yet to see what exactly the ramifications are, but according to the docs:
>>
>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/ 
>> "Report Changes"
>>     If OSSEC has not been compiled with libmagic support, report_changes 
>>     will copy any file designated, e.g. mp3, iso, executable, 
>>     /chroot/dev/urandom (which would fill your hard drive). So unless 
>>     libmagic is used, be very careful on which directory you enable 
>>     report_changes.
>>
>>
>> On 7/21/2015 12:22 AM, theresa mic-snare wrote:
>>  
>> Hi James,
>>
>> I'm not the expert here, but I just had a quick look in the docs... I'm 
>> not sure if this is possible or even supported.
>> I couldn't find any reference to libmagic
>>
>> Have you checked?
>>
>> http://ossec-docs.readthedocs.org/en/latest/development/build/makefile.html
>>
>> Out of curiosity, what would OSSEC be capable of doing with libmagic 
>> support other than recognizing file formats (which it usually does)?!
>>
>> best,
>> theresa
>>
>> On Monday, 20 July 2015 21:27:30 UTC+2, James Edwards wrote: 
>>>
>>> Hi All,
>>>
>>> I'm trying to compile OSSEC on Ubuntu 14.04 with libmagic support and I 
>>> keep running into the following error when compiling syscheck (same error 
>>> running Makeall as well):
>>>
>>> [root@hostname]/tmp/ossec-hids-2.8.2/src/syscheckd# make
>>> cc -g -Wall -I../ -I../headers    -DUSEINOTIFY    -DUSE_MAGIC  
>>> -DARGV0=\"ossec-syscheckd\" -DOSSECHIDS -lmagic  syscheck.c config.c 
>>> seechanges.c run_realtime.c create_db.c run_check.c ../config/lib_config.a 
>>> ../rootcheck/rootcheck_lib.a ../shared/lib_shared.a ../os_xml/os_xml.a 
>>> ../os_regex/os_regex.a ../os_net/os_net.a ../os_crypto/os_crypto.a -o 
>>> ossec-syscheckd
>>> /tmp/cc9nExX5.o: In function `init_magic':
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:43: undefined reference 
>>> to `magic_open'
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:47: undefined reference 
>>> to `magic_error'
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:50: undefined reference 
>>> to `magic_load'
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:52: undefined reference 
>>> to `magic_error'
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:54: undefined reference 
>>> to `magic_close'
>>> /tmp/ccLsn7RT.o: In function `is_text':
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:24: undefined reference 
>>> to `magic_buffer'
>>> /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:28: undefined reference 
>>> to `magic_error'
>>> collect2: error: ld returned 1 exit status
>>> make: *** [syscheck] Error 1
>>>
>>> libmagic-dev 5.14-2ubuntu3.3 is installed and I see the following 
>>> magic.h header files:
>>>
>>> /usr/include/linux/magic.h
>>> /usr/include/magic.h
>>>
>>> Any advice on how to resolve this?
>>>
>>> Thanks,
>>> James
>>>  

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
