http://www.ossec.net/wiki/index.php/OSSECWUI:Install
for installing web interface.
I did add the web user to the ossec group and I did restart the apache
service.
When I access the site "http://anyhost/ossec-wui/" I am getting the
error on the web page saying
"Unable to access ossec directory"
I also get a notification from OSSEC installed on this system saying
the following
OSSEC HIDS Notification.
2007 Aug 13 16:09:20
Received From: systemname->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
system."
Portion of the log(s):
Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc:
denied { read } for pid=29595 comm="httpd" name="ossec" dev=dm-0
ino=16957254 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:var_t:s0 tclass=dir
--END OF NOTIFICATION
Help please.
apache is my web user. Found by using ps -aux | grep http
The tmp/ folder inside ossec-wui folder has the following permissions
drwxrwxrwx 2 root apache 4096 Aug 13 15:05 tmp
The etc/group file has
"ossec:x:3004:apache" added
/var/ossec is the dir which has ossec installed. The permissions for
ossec folder are as follows.
dr-xr-xr-- 11 root ossec 4096 Aug 8 11:07 ossec
Help please. Running Fedora 6
What do you have in your /etc/sysconfig/selinux config file?
-Chuck (mdmonk)
http://fedoraproject.org/wiki/SELinux/apache Gives a few pointers.
I *think* something like this will work until a proper SELinux policy
is written for ossec:
chcon -R -h -t httpd_unconfined_script_exec_t /path/to/ossec-wui
chcon -R -h -t httpd_sys_content_t /var/ossec/logs
If you get tired of all of this and want to disable SELinux:
setenforce 0
Try looking at what labels are on ossec and on apache:
ps aux -Z | egrep 'httpd|ossec'
ls -alZ /var/ossec/ /path/to/ossec-wui
The -Z option shows SELinux labelling attributes. You can also use the
avc deny messages you got to feed into the audit2allow tool to create
a template that permits what was denied. Note that I have 0 Fedora boxes
to test this on so it is mostly from what I can read and remember.
I am running into the same issue. I tried various combinations
including setting the type to var_log_t, httpd_log_t and others and
changing the user to system (basically setting the enforcement as the
httpd logs) but all to no avail.
Has anyone had any luck with it? For the time being I've turned off
enforcement which fixes the WUI error, but I would like to get SELinux
re-enabled.
Best Regards,
-Joel
This will change the selinux permissions on the /var/ossec directory,
to match those of the web directory. You can get more restrictive but
I'm unsure exactly which directories the web server would need access
to in the ossec dir (/var/ossec).
For this example, the web dir is /var/www, and ossec is in /var/ossec:
chcon -R --reference /var/www/ /var/ossec/
That is what worked on my FC6 box. And it worked on F7 (just confirmed).
You can get more restrictive in your modifications of the selinux
permissions if you know what dirs and files the web server needs to
access; then modify the chcon cmd as needed.
NOTE: This works for my setup, and didn't break anything (that I have
seen so far). That's not to say that it wouldn't fubar your setup.
What's the acronym? YMMV. :)
-Chuck (MdMonk)
Thanks!