It is interesting that a symlink works for ossec.conf under the etc folder, but 
doesn't work for client.keys under the etc folder for the agent type. 

On Wednesday, February 17, 2016 at 10:13:46 AM UTC-8, Santiago Bassett 
wrote:
>
> Yes, if it is inside the jail then that should be ok. Also check that your 
> ossec.conf is configured to look for the rules where you want. As well, 
> symbolic links inside the jail should work.
>
> I hope that helps
>
> On Wed, Feb 17, 2016 at 7:49 AM, Rui Zhang <jackc...@gmail.com> wrote:
>
>> Thank you, Santiago! Other than remounting a partition inside the jail, 
>> can we configure the folder for rules files? If we can configure the 
>> folder, would this also be inside the same jail too? I am thinking of 
>> configuring the rules folder to /opt/ossec/rules, but I guess it will be 
>> looking for rules under /var/ossec/opt/ossec/rules instead of 
>> /opt/ossec/rules. 
>>
>> On Tuesday, February 16, 2016 at 6:24:46 PM UTC-8, Santiago Bassett wrote:
>>>
>>> This is because ossec-analysisd process runs in a chroot environment, so 
>>> it can't reach anything out of the jail (/var/ossec). 
>>>
>>> In some scenarios, when really necessary, what we do is remount a 
>>> partition inside the jail (mount -o bind). I don't recommend this, but it 
>>> is a workaround that should work.
>>>
>>> Best
>>>
>>> On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang <jackc...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to use a symlink for local_rules.xml. Here is what I did
>>>>
>>>> cd /var/ossec/rules
>>>> cp local_rules.xml /opt/ossec/rules
>>>> mv local_rules.xml local_rules.xml.bak
>>>> ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
>>>>
>>>> But I couldn't start OSSEC after this change and when I check the log 
>>>> file, it indicates that it couldn't read the XML file local_rules.xml.
>>>> 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML 
>>>> file '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not 
>>>> found. (line 88).
>>>> 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the 
>>>> rules: 'local_rules.xml'.
>>>> 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue 
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue 
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue 
>>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>>> 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access 
>>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>>
>>>> I checked the user/group and permission of those files, and they seem 
>>>> to be identical. So OSSEC won't take a symlink for the rules XML file?
>>>> ll /opt/ossec/rules/local_rules.xml 
>>>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 
>>>> /opt/ossec/rules/local_rules.xml*
>>>>
>>>> ll local_rules.xml.bak 
>>>> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
>>>>
>>>> -- 
>>>>
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>
>
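
The thread's explanation boils down to one rule: a process chrooted into /var/ossec resolves an absolute symlink target relative to the jail root, so a link to /opt/ossec/rules/local_rules.xml is opened as /var/ossec/opt/ossec/rules/local_rules.xml, which does not exist. The script below is an added example (not code from this thread or from the OSSEC project) that applies that rule to a rules directory so broken links are caught before the daemons are restarted. The function names, the temporary demo jail and the assumption that only one level of symlink needs to be followed are mine, not OSSEC's.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or from the OSSEC project.
# Models the chroot rule: an absolute symlink target is resolved relative to
# the jail root, a relative one from the link's own directory. Only one level
# of symlink is followed (an assumption; nested links are not chased).

# jail_view JAIL LINK
#   Print the host path that a process chrooted into JAIL would open when it
#   follows LINK. Fails if LINK is not a symlink.
jail_view() {
  jv_jail=${1%/}
  jv_link=$2
  jv_target=$(readlink "$jv_link") || return 1
  case $jv_target in
    /*) printf '%s\n' "$jv_jail$jv_target" ;;               # absolute: re-rooted under the jail
    *)  printf '%s\n' "$(dirname "$jv_link")/$jv_target" ;; # relative: resolved from the link's directory
  esac
}

# link_ok_in_jail JAIL LINK
#   Exit 0 if LINK's target exists from the jailed process's point of view.
link_ok_in_jail() {
  lk_path=$(jail_view "$1" "$2") || return 1
  [ -e "$lk_path" ]
}

# report_broken_links JAIL
#   List every symlink in JAIL/rules that will not resolve inside the jail.
#   Returns 1 if any were found, so it can gate a restart in a script.
report_broken_links() {
  rb_jail=${1%/}
  rb_found=0
  for rb_link in "$rb_jail"/rules/*; do
    [ -L "$rb_link" ] || continue
    if ! link_ok_in_jail "$rb_jail" "$rb_link"; then
      printf 'unreachable from jail: %s -> %s\n' "$rb_link" "$(readlink "$rb_link")"
      rb_found=1
    fi
  done
  return $rb_found
}

# demo
#   Constructed scenario in a temporary directory that mirrors the thread:
#   an absolute link pointing outside the jail next to a relative link whose
#   target also lives inside it. Returns 0 when the first is reported broken
#   and the second resolves.
demo() {
  d_tmp=$(mktemp -d) || return 1
  d_jail=$d_tmp/var/ossec
  mkdir -p "$d_jail/rules" "$d_jail/local"
  printf '<group name="local,syslog,">\n</group>\n' > "$d_jail/local/local_rules.xml"

  # the thread's setup: absolute target outside /var/ossec
  ln -s /opt/ossec/rules/local_rules.xml "$d_jail/rules/local_rules.xml"
  # a link whose target stays inside the jail
  ln -s ../local/local_rules.xml "$d_jail/rules/local_rules_inside.xml"

  printf 'jailed process would open: %s\n' \
    "$(jail_view "$d_jail" "$d_jail/rules/local_rules.xml")"
  report_broken_links "$d_jail"
  d_broken=$?
  d_inside_ok=0
  link_ok_in_jail "$d_jail" "$d_jail/rules/local_rules_inside.xml" || d_inside_ok=1

  rm -rf "$d_tmp"
  [ "$d_broken" -eq 1 ] && [ "$d_inside_ok" -eq 0 ]
}

demo
```

Run it as `sh check_jail_links.sh` to see the constructed case; in a real deployment call `report_broken_links /var/ossec` before restarting ossec-analysisd, and keep rules you want to relocate somewhere under the jail (linked relatively, as in the second case) rather than under /opt, unless you bind-mount the outside directory into the jail as the thread describes.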

