On Wed, Nov 2, 2016 at 1:55 PM, Eponymous - <the.e...@gmail.com> wrote:
> Thanks! I'd appreciate the help :)
>

From src/Makefile (slightly truncated):

install-common: build
	./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX}
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs
	install -m 0660 -o ${OSSEC_USER} -g ${OSSEC_GROUP} /dev/null ${PREFIX}/logs/ossec.log
	install -d -m 0550 -o root -g 0 ${PREFIX}/bin
	install -d -m 0550 -o root -g 0 ${PREFIX}/lua
	install -d -m 0550 -o root -g 0 ${PREFIX}/lua/native
	install -d -m 0550 -o root -g 0 ${PREFIX}/lua/compiled
	install -m 0550 -o root -g 0 ossec-logcollector ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-syscheckd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-execd ${PREFIX}/bin
	install -m 0550 -o root -g 0 manage_agents ${PREFIX}/bin
	install -m 0550 -o root -g 0 external/lua/src/ossec-lua ${PREFIX}/bin/
	install -m 0550 -o root -g 0 external/lua/src/ossec-luac ${PREFIX}/bin/
	install -m 0550 -o root -g 0 ../contrib/util.sh ${PREFIX}/bin/
	install -m 0550 -o root -g 0 ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/queue
	install -d -m 0770 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/alerts
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/ossec
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/syscheck
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/diff
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc
	install -m 0440 -o root -g ${OSSEC_GROUP} /etc/localtime ${PREFIX}/etc
	install -d -m 1550 -o root -g ${OSSEC_GROUP} ${PREFIX}/tmp
ifneq (,$(wildcard /etc/TIMEZONE))
	install -m 440 -o root -g ${OSSEC_GROUP} /etc/TIMEZONE ${PREFIX}/etc/
endif
# Solaris Needs some extra files
ifeq (${uname_S},SunOS)
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/usr/share/lib/zoneinfo/
	install -m 0440 -o root -g ${OSSEC_GROUP} /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/
endif

	install -m 0640 -o root -g ${OSSEC_GROUP} -b ../etc/internal_options.conf ${PREFIX}/etc/
ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf))
	install -m 0640 -o root -g ${OSSEC_GROUP} ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
endif
ifeq (,$(wildcard ${PREFIX}/etc/client.keys))
	install -m 0640 -o root -g ${OSSEC_GROUP} /dev/null ${PREFIX}/etc/client.keys
endif
ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf))
ifneq (,$(wildcard ../etc/ossec.mc))
	install -m 0640 -o root -g ${OSSEC_GROUP} ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
else
	install -m 0640 -o root -g ${OSSEC_GROUP} ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
endif
endif
	install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/etc/shared
	install -m 0640 -o root -g ${OSSEC_GROUP} rootcheck/db/*.txt ${PREFIX}/etc/shared/
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/active-response/bin
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/agentless
	install -m 0550 -o root -g ${OSSEC_GROUP} agentlessd/scripts/* ${PREFIX}/agentless/
	install -d -m 0700 -o root -g ${OSSEC_GROUP} ${PREFIX}/.ssh
	install -m 0550 -o root -g ${OSSEC_GROUP} ../active-response/*.sh ${PREFIX}/active-response/bin/
	install -m 0550 -o root -g ${OSSEC_GROUP} ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/var
	install -d -m 0770 -o root -g ${OSSEC_GROUP} ${PREFIX}/var/run

install-server-generic: install-common
	install -m 0660 -o ${OSSEC_USER} -g ${OSSEC_GROUP} /dev/null ${PREFIX}/logs/active-responses.log
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs/archives
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs/alerts
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/logs/firewall
	install -m 0550 -o root -g 0 ossec-agentlessd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-analysisd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-monitord ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-reportd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-maild ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-remoted ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-logtest ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-csyslogd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-authd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-dbd ${PREFIX}/bin
	install -m 0550 -o root -g 0 ossec-makelists ${PREFIX}/bin
	install -m 0550 -o root -g 0 verify-agent-conf ${PREFIX}/bin/
	install -m 0550 -o root -g 0 clear_stats ${PREFIX}/bin/
	install -m 0550 -o root -g 0 list_agents ${PREFIX}/bin/
	install -m 0550 -o root -g 0 ossec-regex ${PREFIX}/bin/
	install -m 0550 -o root -g 0 syscheck_update ${PREFIX}/bin/
	install -m 0550 -o root -g 0 agent_control ${PREFIX}/bin/
	install -m 0550 -o root -g 0 syscheck_control ${PREFIX}/bin/
	install -m 0550 -o root -g 0 rootcheck_control ${PREFIX}/bin/
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/stats
	install -d -m 0550 -o root -g ${OSSEC_GROUP} ${PREFIX}/rules
ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml))
	cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup
	install -m 0640 -o root -g ${OSSEC_GROUP} -b ../etc/rules/*.xml ${PREFIX}/rules
	install -m 0640 -o root -g ${OSSEC_GROUP} ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
	rm ${PREFIX}/rules/local_rules.xml.installbackup
else
	install -m 0640 -o root -g ${OSSEC_GROUP} -b ../etc/rules/*.xml ${PREFIX}/rules
endif
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/fts
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/rootcheck
	install -d -m 0750 -o ${OSSEC_USER_REM} -g ${OSSEC_GROUP} ${PREFIX}/queue/agent-info
	install -d -m 0750 -o ${OSSEC_USER} -g ${OSSEC_GROUP} ${PREFIX}/queue/agentless
	install -d -m 0750 -o ${OSSEC_USER_REM} -g ${OSSEC_GROUP} ${PREFIX}/queue/rids
	install -m 0640 -o root -g ${OSSEC_GROUP} ../etc/decoder.xml ${PREFIX}/etc/

> On Tuesday, November 1, 2016 at 8:27:43 PM UTC, dan (ddpbsd) wrote:
>>
>> On Nov 1, 2016 2:12 PM, "Eponymous -" <the....@gmail.com> wrote:
>> >
>> > Just after I posted that message I had an idea to check the permissions
>> > again and it looks like they were wrong.
>> >
>> > The permissions on the FreeBSD install are all messed up completely.
>> > I've had to change so many manually and this was another I'd missed.
>> >
>> > So far I have the processes running as default like this (user - command):
>> >
>> > root /usr/local/ossec-hids/bin/ossec-execd
>> > ossec /usr/local/ossec-hids/bin/ossec-agentd
>> > root /usr/local/ossec-hids/bin/ossec-logcollector
>> > root /usr/local/ossec-hids/bin/ossec-syscheckd
>> >
>> > All the directories are set to root:ossec (root owner) and rwxr-xr-x.
>> >
>> > This is why agentd complained as it only had r-x access to
>> > /usr/local/ossec-hids/var/run.
>> >
>> > I also had to change /usr/local/ossec-hids/etc/shared,
>> > /usr/local/ossec-hids/queue/ossec and /usr/local/ossec-hids/queue/rids to be
>> > owned by the ossec user.
>> >
>> > I've no idea how this installer managed to mess this up.
>> >
>> > Just for reference, what should the permissions for the processes and
>> > chroot directory look like?
>> >
>>
>> The users for the processes look correct, but I don't know the permissions
>> off hand. I'll try to look them up later.
>>
>> > Thanks!
>> >
>> >
>> > On Tuesday, November 1, 2016 at 6:03:31 PM UTC, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> >> > On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - <the....@gmail.com> wrote:
>> >> >>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>> >> >>>> /usr/local/ossec-hids/var/run are the same thing. The process' root
>> >> >>>> directory (/) is now /usr/local/ossec-hids.
>> >> >>>> So /usr/local/ossec-hids/var/run looks like /var/run to that process.
>> >> >>
>> >> >> That is very true.
>> >> >>
>> >> >> Hmm, so why is it I get the error: ossec-agentd(1103): ERROR: Unable to open
>> >> >> file '/var/run/.syscheck_run'
>> >> >> when I run without any command line options but then the error disappears
>> >> >> when I specify "-D /usr/local/ossec-hids"? The two instances should result
>> >> >> in the same behaviour?
>> >> >>
>> >> >
>> >> > No idea, I haven't looked at FreeBSD's port. Perhaps they have it
>> >> > configured to chroot to a directory that doesn't contain var/run?
>> >>
>> >> It's possible that this line
>> >>
>> >> (https://svnweb.freebsd.org/ports/head/security/ossec-hids-server/Makefile?revision=413754&view=markup#l87)
>> >> @${ECHO} "DIR=\"${STAGEDIR}${PREFIX}/${PORTNAME}\"" > ${WRKSRC}/src/LOCATION
>> >> in the port Makefile configures the chroot directory incorrectly.
>> >>
>> >> You can try `strings /var/ossec/bin/ossec-agentd | grep ossec` to see
>> >> if it gives you any clues as to what directory is expected.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
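The install-common target quoted above is the reference for what an OSSEC tree should look like, but reading it against `ls -l` output by hand is how entries like var/run get missed. The following is an added example (written for this page, not OSSEC's own code): a small POSIX shell checker that transcribes the install-common entries into a "path mode owner group" table and compares each one with find(1)'s exact-mode matching, optionally repairing what differs. The table only covers install-common (the agent case the thread is about); the install-server-generic entries, the USER/GROUP values `ossec`/`ossec`, the argument order and the `fix` keyword are assumptions of this example, not something the Makefile defines.

```shell
#!/bin/sh
# Added example, not OSSEC's code: compare an installed tree against the
# modes/owners the install-common target in src/Makefile requests, and
# optionally repair them.  Assumes find(1) with -maxdepth/-perm/-user/-group
# (GNU, BSD and busybox find all have them).  Run as root for a real check,
# since most entries are expected to be owned by root.

# check_entry PATH MODE OWNER GROUP: true iff PATH has exactly MODE and OWNER:GROUP.
# A plain octal argument to -perm is an exact match (no +/- prefix), and find
# accepts a numeric gid for -group, so "0" means gid 0 (wheel on FreeBSD, root on Linux).
check_entry() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" -user "$3" -group "$4" 2>/dev/null)" ]
}

# fix_entry PATH MODE OWNER GROUP: apply the expected ownership and mode.
fix_entry() {
    chown "$3:$4" "$1" && chmod "$2" "$1"
}

# ossec_expected USER GROUP: emit "relpath mode owner group" lines transcribed
# from install-common (shared by agent and server installs).  Extend it with the
# install-server-generic entries for a server.
ossec_expected() {
    cat <<EOF
. 0550 root $2
logs 0750 $1 $2
logs/ossec.log 0660 $1 $2
bin 0550 root 0
bin/ossec-logcollector 0550 root 0
bin/ossec-syscheckd 0550 root 0
bin/ossec-execd 0550 root 0
bin/ossec-control 0550 root 0
queue 0550 root $2
queue/alerts 0770 $1 $2
queue/ossec 0750 $1 $2
queue/syscheck 0750 $1 $2
queue/diff 0750 $1 $2
etc 0550 root $2
etc/internal_options.conf 0640 root $2
etc/client.keys 0640 root $2
etc/ossec.conf 0640 root $2
etc/shared 0770 root $2
tmp 1550 root $2
active-response 0550 root $2
active-response/bin 0550 root $2
var 0550 root $2
var/run 0770 root $2
EOF
}

# ossec_perm_check PREFIX [fix]: read expectation lines on stdin, report every
# entry that is missing or differs, fix it if asked, and return the mismatch count.
ossec_perm_check() {
    prefix=$1; action=${2:-check}; bad=0
    while read -r rel want owner grp; do
        [ -n "$rel" ] || continue
        path="$prefix/$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING $path (expected $want $owner:$grp)"
            bad=$((bad + 1))
        elif ! check_entry "$path" "$want" "$owner" "$grp"; then
            echo "WRONG   $path: expected $want $owner:$grp, have $(ls -ld "$path" | awk '{print $1, $3 ":" $4}')"
            bad=$((bad + 1))
            [ "$action" = fix ] && fix_entry "$path" "$want" "$owner" "$grp"
        fi
    done
    return "$bad"
}

# Command-line entry point (assumed interface):
#   sh ossec_perm_check.sh /usr/local/ossec-hids ossec ossec        # report only
#   sh ossec_perm_check.sh /usr/local/ossec-hids ossec ossec fix    # repair too
# The mismatch count is the exit status of the pipeline, so it survives the loop.
if [ -n "$1" ]; then
    ossec_expected "${2:-ossec}" "${3:-ossec}" | ossec_perm_check "$1" "$4"
fi
```

The PREFIX you pass should be the directory the binaries were actually built to chroot into, i.e. the value written to src/LOCATION by the port, which is what the `strings ... | grep ossec` check earlier in the thread recovers; checking /usr/local/ossec-hids while the binary chroots somewhere else would report a clean tree and still leave agentd unable to open /var/run/.syscheck_run.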