What to make of ossec-hosts.* files


fi...@vivaldi.net

Dec 16, 2014, 4:04:23 PM
to Ossec List
Hi,

I see a bunch of files in /var/ossec with names of the form
ossec-hosts.*. What are they and how can I stop the system from creating
them?

Here are a few examples.

ossec-hosts.1i6uugNQB3
ossec-hosts.BFHjPh9dwg
ossec-hosts.i4EvjkDXUh
ossec-hosts.U3thtpzm6b
ossec-hosts.1MeJfr9MGt


TIA,


--
finid

fi...@vivaldi.net

Dec 16, 2014, 4:19:15 PM
to ossec...@googlegroups.com
So those files appear to be temporary files. Shouldn't they be in /tmp,
instead of /var/ossec?


--
finid

Brent Morris

Dec 16, 2014, 4:28:51 PM
to ossec...@googlegroups.com
I think what you're seeing is what is described in CVE-2014-5284 - http://www.ossec.net/?p=1135

Basically, they were in /tmp, and then a vulnerability was disclosed... so those files were moved from /tmp to /var/ossec in 2.8.1

fi...@vivaldi.net

Dec 16, 2014, 5:19:47 PM
to ossec...@googlegroups.com
Thanks.

Since they are all empty files, nothing should break if they are all
deleted, right?


--
finid

Nadir Boussoukaia

Apr 14, 2017, 6:02:25 PM
to ossec-list

For the record, what I do:

vi active-response/host-deny.sh
At the end, for TMP_FILE, you can replace occurrences of /var/ossec/ with /var/ossec/tmp
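Added example, not part of the thread and not OSSEC's own script: a sketch of the temp-file handling discussed above, staging the file with mktemp in a private directory instead of a world-writable one and always deleting it, so no empty ossec-hosts.* files pile up. The function names, the scratch paths and the "ALL:IP" line format are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Function names and the scratch paths are hypothetical;
# the hosts.deny content in the demo is constructed sample data.

# Create DIR as a private (0700) directory; refuse a symlinked path.
make_private_tmpdir() {
    if [ -L "$1" ]; then return 1; fi
    mkdir -p "$1" && chmod 700 "$1"
}

# Remove the "ALL:IP" entry from FILE, staging the result in TMPDIR.
# usage: remove_host_line FILE IP TMPDIR
remove_host_line() {
    file=$1; ip=$2; tmpdir=$3
    make_private_tmpdir "$tmpdir" || return 1
    # mktemp creates the file exclusively, mode 0600, with a random suffix.
    tmp=$(mktemp "$tmpdir/ossec-hosts.XXXXXXXXXX") || return 1
    # grep exits 1 when no line survives the filter; only >1 is an error.
    grep -v -F -x "ALL:$ip" "$file" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    # Write back in place so FILE keeps its owner and mode.
    cat "$tmp" > "$file"; rc=$?
    # Always delete the staging file so none accumulate.
    rm -f "$tmp"
    return $rc
}

# Count staging files left behind in DIR (should be 0 after each run).
count_leftovers() {
    find "$1" -maxdepth 1 -type f -name 'ossec-hosts.*' | wc -l | tr -d ' '
}

# Demo on constructed data in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ALL:192.0.2.10\nALL:198.51.100.7\n' > "$d/hosts.deny"
    remove_host_line "$d/hosts.deny" 192.0.2.10 "$d/tmp"
    cat "$d/hosts.deny"
    echo "leftover temp files: $(count_leftovers "$d/tmp")"
    rm -rf "$d"
}
demo
```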