On Wed, Nov 2, 2016 at 1:55 PM, Eponymous - <the.e...@gmail.com> wrote:
> Thanks! I'd appreciate the help :)
>

From src/Makefile (slightly truncated):
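# install-common: lay down the files and directories under ${PREFIX} that
# this excerpt shows as shared by the install targets depending on it.
#
# NOTE: the mail client wrapped several commands onto two or three lines;
# they are rejoined here so each recipe command is one tab-indented line.
#
# Ownership/mode model visible in this recipe:
#   - programs in ${PREFIX}/bin are root:0, mode 0550 (no write bit at all);
#   - most directories are root:${OSSEC_GROUP}, mode 0550;
#   - logs/ and the queue/* subdirectories are owned by ${OSSEC_USER};
#   - etc/shared and var/run stay root-owned but are group-writable (0770),
#     presumably so daemons running with group ${OSSEC_GROUP} can write
#     there without owning the directory.
# When repairing a broken install, restore these owner/group/mode triples
# rather than chown-ing directories to the service user.
#
# The ifeq/ifneq tests below use $(wildcard ...), so they are decided when
# make parses the Makefile, before any recipe line runs.
install-common: build
	# NOTE(review): presumably creates the service accounts and group; the
	# script itself is not part of this excerpt.
	./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX}
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs
	# Installing /dev/null creates an empty file with the given owner and mode.
	install -m 0660 -o ${OSSEC_USER} -g ${OSSEC_GROUP} /dev/null ${PREFIX}/logs/ossec.log

	install -d -m 0550 -o root -g 0 ${PREFIX}/bin
	install -d -m 0550 -o root -g 0 ${PREFIX}/lua
	install -d -m 0550 -o root -g 0 ${PREFIX}/lua/native
	install -d -m 0550 -o root -g 0 ${PREFIX}/lua/compiled
	install -m 0550 -o root -g 0 ossec-logcollector ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-syscheckd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-execd ${PREFIX}/bin
	install -m 0550 -o root -g 0 manage_agents ${PREFIX}/bin
	install -m 0550 -o root -g 0 external/lua/src/ossec-lua ${PREFIX}/bin/
	install -m 0550 -o root -g 0 external/lua/src/ossec-luac ${PREFIX}/bin/
	install -m 0550 -o root -g 0 ../contrib/util.sh ${PREFIX}/bin/
	install -m 0550 -o root -g 0 ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control

	# queue/ itself is root-owned and read-only; only its subdirectories are
	# owned by the service user. queue/alerts is additionally group-writable.
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/queue
	install -d -m 0770 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/alerts
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/ossec
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/syscheck
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/diff

	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc
	# Private copy of the host time zone data under ${PREFIX}/etc, presumably
	# for daemons that chroot into ${PREFIX}.
	install -m 0440 -o root -g ${OSSEC_GROUP} /etc/localtime ${PREFIX}/etc

	# Mode 1550: sticky bit set, no write bit for owner, group or others.
	install -d -m 1550 -o root -g ${OSSEC_GROUP} ${PREFIX}/tmp
ifneq (,$(wildcard /etc/TIMEZONE))
	install -m 440 -o root -g ${OSSEC_GROUP} /etc/TIMEZONE ${PREFIX}/etc/
endif
# Solaris needs some extra files
ifeq (${uname_S},SunOS)
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/usr/share/lib/zoneinfo/
	install -m 0440 -o root -g ${OSSEC_GROUP} /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/
endif
	# -b keeps a backup copy of an internal_options.conf that is overwritten.
	install -m 0640 -o root -g ${OSSEC_GROUP} -b ../etc/internal_options.conf ${PREFIX}/etc/
# The three files below are installed only when absent, so an existing local
# configuration and existing agent keys are never overwritten.
ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf))
	install -m 0640 -o root -g ${OSSEC_GROUP} ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
endif
ifeq (,$(wildcard ${PREFIX}/etc/client.keys))
	# Empty key file, root-owned, readable (not writable) by ${OSSEC_GROUP}.
	install -m 0640 -o root -g ${OSSEC_GROUP} /dev/null ${PREFIX}/etc/client.keys
endif
ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf))
# Prefer ../etc/ossec.mc when it exists, otherwise fall back to ${OSSEC_CONF_SRC}.
ifneq (,$(wildcard ../etc/ossec.mc))
	install -m 0640 -o root -g ${OSSEC_GROUP} ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
else
	install -m 0640 -o root -g ${OSSEC_GROUP} ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
endif
endif

	# etc/shared: root-owned but group-writable (0770); the files in it are 0640.
	install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc/shared
	install -m 0640 -o root -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/

	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response/bin
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/agentless
	install -m 0550 -o root -g ${OSSEC_GROUP} agentlessd/scripts/* ${PREFIX}/agentless/

	# .ssh is accessible to root only (0700).
	install -d -m 0700 -o root -g ${OSSEC_GROUP} ${PREFIX}/.ssh

	# Active-response scripts are executable but not writable by the group.
	install -m 0550 -o root -g ${OSSEC_GROUP} ../active-response/*.sh ${PREFIX}/active-response/bin/
	install -m 0550 -o root -g ${OSSEC_GROUP} ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/

	# var/run: root-owned, group-writable (0770). A process that has only
	# r-x here cannot create its run files.
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/var
	install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/var/run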

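# install-server-generic: add the server-side programs, log directories,
# rules and queues on top of what install-common created.
#
# NOTE: the mail client wrapped several commands onto two or three lines;
# they are rejoined here so each recipe command is one tab-indented line.
#
# Ownership/mode model visible in this recipe:
#   - server programs are root:0, mode 0550, like the common ones;
#   - logs/* and most queue/* directories are owned by ${OSSEC_USER} (0750);
#   - queue/agent-info and queue/rids are owned by ${OSSEC_USER_REM} instead;
#   - rules/ is root:${OSSEC_GROUP} 0550 and the rule files are 0640, so
#     members of ${OSSEC_GROUP} can read the rules but not modify them.
install-server-generic: install-common
	# Installing /dev/null creates an empty log file with this owner and mode.
	install -m 0660 -o ${OSSEC_USER} -g ${OSSEC_GROUP} /dev/null ${PREFIX}/logs/active-responses.log
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs/archives
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs/alerts
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs/firewall

	install -m 0550 -o root -g 0 ossec-agentlessd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-analysisd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-monitord ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-reportd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-maild ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-remoted ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-logtest ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-csyslogd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-authd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-dbd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-makelists ${PREFIX}/bin
	install -m 0550 -o root -g 0 verify-agent-conf ${PREFIX}/bin/
	install -m 0550 -o root -g 0 clear_stats ${PREFIX}/bin/
	install -m 0550 -o root -g 0 list_agents ${PREFIX}/bin/
	install -m 0550 -o root -g 0 ossec-regex ${PREFIX}/bin/
	install -m 0550 -o root -g 0 syscheck_update ${PREFIX}/bin/
	install -m 0550 -o root -g 0 agent_control ${PREFIX}/bin/
	install -m 0550 -o root -g 0 syscheck_control ${PREFIX}/bin/
	install -m 0550 -o root -g 0 rootcheck_control ${PREFIX}/bin/

	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/stats
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/rules
# Decided at parse time: if a local_rules.xml already exists, set it aside,
# install the shipped rules (-b backs up files that get overwritten), then
# put the saved copy back with the standard owner/mode and drop the temp copy.
ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml))
	cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup
	install -m 0640 -o root -g ${OSSEC_GROUP} -b ../etc/rules/*.xml ${PREFIX}/rules
	install -m 0640 -o root -g ${OSSEC_GROUP} ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
	rm ${PREFIX}/rules/local_rules.xml.installbackup
else
	install -m 0640 -o root -g ${OSSEC_GROUP} -b ../etc/rules/*.xml ${PREFIX}/rules
endif

	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/fts

	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/rootcheck

	# Owned by ${OSSEC_USER_REM}, not ${OSSEC_USER}.
	install -d -m 0750 -o ${OSSEC_USER_REM} -g ${OSSEC_GROUP} ${PREFIX}/queue/agent-info
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/agentless

	# Owned by ${OSSEC_USER_REM}, not ${OSSEC_USER}.
	install -d -m 0750 -o ${OSSEC_USER_REM} -g ${OSSEC_GROUP} ${PREFIX}/queue/rids

	install -m 0640 -o root -g ${OSSEC_GROUP} ../etc/decoder.xml ${PREFIX}/etc/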


> On Tuesday, November 1, 2016 at 8:27:43 PM UTC, dan (ddpbsd) wrote:
>>
>> On Nov 1, 2016 2:12 PM, "Eponymous -" <the....@gmail.com> wrote:
>> >
>> > Just after I posted that message I had an idea to check the permissions
>> > again and it looks like they were wrong.
>> >
>> > The permissions on the FreeBSD install are all messed up completely.
>> > I've had to change so many manually and this was another I'd missed.
>> >
>> > So far I have the processes running as default like this (user -
>> > command):
>> >
>> > root        /usr/local/ossec-hids/bin/ossec-execd
>> > ossec     /usr/local/ossec-hids/bin/ossec-agentd
>> > root        /usr/local/ossec-hids/bin/ossec-logcollector
>> > root        /usr/local/ossec-hids/bin/ossec-syscheckd
>> >
>> > All the directories are set to root:ossec (root owner) and rwxr-xr-x.
>> >
>> > This is why agentd complained as it only had r-x access to
>> > /usr/local/ossec-hids/var/run.
>> >
>> > I also had to change /usr/local/ossec-hids/etc/shared,
>> > /usr/local/ossec-hids/queue/ossec and /usr/local/ossec-hids/queue/rids to 
>> > be
>> > owned by the ossec user.
>> >
>> > I've no idea how this installer managed to mess this up.
>> >
>> > Just for reference, what should the permissions for the processes and
>> > chroot directory look like?
>> >
>>
>> The users for the processes look correct, but I don't know the permissions
>> off hand. I'll try to look them up later.
>>
>> > Thanks!
>> >
>> >
>> > On Tuesday, November 1, 2016 at 6:03:31 PM UTC, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> >> > On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - <the....@gmail.com>
>> >> > wrote:
>> >> >>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>> >> >>>> /usr/local/ossec-hids/var/run are the same thing. The process'
>> >> >>>> root
>> >> >>>> directory (/) is now /usr/local/ossec-hids. So
>> >> >>>> /usr/local/ossec-hids/var/run
>> >> >>>> looks like /var/run to that process.
>> >> >>
>> >> >> That is very true.
>> >> >>
>> >> >> Hmm, so why is it I get the error: ossec-agentd(1103): ERROR: Unable
>> >> >> to open
>> >> >> file '/var/run/.syscheck_run'
>> >> >> when I run without any command line options but then the error
>> >> >> disappears
>> >> >> when I specify "-D /usr/local/ossec-hids"? The two instances should
>> >> >> result
>> >> >> in the same behaviour?
>> >> >>
>> >> >
>> >> > No idea, I haven't looked at FreeBSD's port. Perhaps they have it
>> >> > configured to chroot to a directory that doesn't contain var/run?
>> >>
>> >> It's possible that this line
>> >>
>> >> (https://svnweb.freebsd.org/ports/head/security/ossec-hids-server/Makefile?revision=413754&view=markup#l87)
>> >>     @${ECHO} "DIR=\"${STAGEDIR}${PREFIX}/${PORTNAME}\"" >
>> >> ${WRKSRC}/src/LOCATION
>> >> in the port Makefile configures the chroot directory incorrectly.
>> >>
>> >> You can try `strings /var/ossec/bin/ossec-agentd | grep ossec` to see
>> >> if it gives you any clues as to what directory is expected.
>> >