Run ossec process as non-root

Run ossec process as non-root Rogue Bull 24/06/13 08:10

Hello All,

I noticed that we are creating the ossec user on the agent machines. However, the process itself is launched and run as root. So why do we have the ossec user? And is it not possible to run the process as non-root?

Re: Run ossec process as non-root David Blanton 24/06/13 09:03
I don't believe it's possible to run the install.sh script as non-root.
Re: [ossec-list] Run ossec process as non-root dan (ddpbsd) 24/06/13 09:23
Which process are you worried about? I have 3 that run as root:
[ddp@arrakis] :; ps auxww | grep ossec | grep root
root     20984  0.0  0.0   568   784 ??  I     11:18AM    0:00.00 /var/ossec/bin/ossec-execd
root     16204  0.0  0.0   572   996 ??  S     11:18AM    0:00.33 /var/ossec/bin/ossec-logcollector (ossec-logcollect)
root     23166  0.0  0.1   828  1196 ??  I     11:18AM    0:15.48 /var/ossec/bin/ossec-syscheckd

All 3 of these need root permissions. ossec-execd has to be able to
add rules to firewalls or hosts.deny files, ossec-logcollector needs
to be able to read log files (which are often only readable to root),
and ossec-syscheckd has to be able to checksum any file on the system.

Re: [ossec-list] Run ossec process as non-root Michael Starks 24/06/13 11:08
The processes which don't require root drop privileges, and all
processes are chrooted.
Re: [ossec-list] Run ossec process as non-root Rogue Bull 25/06/13 07:39
The following processes are active on my server and agent:

Server:

ossec     1401  0.0  0.0   8840  3296 ?        S    Jun08   0:21 /u01/ossec/bin/ossec-analysisd
ossec     1418  0.0  0.0   6496   780 ?        S    Jun08   0:01 /u01/ossec/bin/ossec-monitord
ossecm    1393  0.0  0.0   6384   700 ?        S    Jun08   0:12 /u01/ossec/bin/ossec-maild
ossecr    1411  0.0  0.0 160268  1092 ?        Sl   Jun08   1:24 /u01/ossec/bin/ossec-remoted



root      1396  0.0  0.0   6232   528 ?        S    Jun08   0:00 /u01/ossec/bin/ossec-execd
root      1404  0.0  0.0   4280   568 ?        S    Jun08   0:54 /u01/ossec/bin/ossec-logcollector
root      1414  0.0  0.0   5240  1820 ?        S    Jun08   6:36 /u01/ossec/bin/ossec-syscheckd




Agent:

ossec     7584  0.0  0.0   6528   912 ?        S    07:28   0:00 /u01/ossec/bin/ossec-agentd

root      7580  0.0  0.0   6232   480 ?        S    07:28   0:00 /u01/ossec/bin/ossec-execd
root      7588  0.0  0.0   4292   540 ?        S    07:28   0:00 /u01/ossec/bin/ossec-logcollector
root      7592  0.0  0.0   4452   484 ?        S    07:28   0:00 /u01/ossec/bin/ossec-syscheckd




Q1: Can I run execd, logcollector and syscheckd as ossec or ossecm?
What I tried:
Documentation says it is possible to do that for all three with the -u option:
http://www.ossec.net/doc/programs/ossec-execd.html
http://www.ossec.net/doc/programs/ossec-logcollector.html
http://www.ossec.net/doc/programs/ossec-syscheckd.html

It also says that the default user is ossecm (but I don't see ossecm being used to run any of these).

Now, when I run the following:

# /u01/ossec/bin/ossec-execd -u ossec
or
# /u01/ossec/bin/ossec-execd -u ossecm

the output is this :

OSSEC HIDS v2.7 - Trend Micro Inc. (con...@ossec.net)
http://www.ossec.net

  ossec-execd: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]
    -V          Version and license message
    -h          This help message
    -d          Execute in debug mode
    -t          Test configuration
    -f          Run in foreground
    -u <user>   Run as 'user'
    -g <group>  Run as 'group'
    -c <config> Read the 'config' file
    -D <dir>    Chroot to 'dir'


The user is not switched.

How to force these processes to run as non-root?
Re: [ossec-list] Run ossec process as non-root dan (ddpbsd) 25/06/13 07:46
You can't. Not really. I have explained why. Also, the chrooting
requires root privs.
Re: [ossec-list] Run ossec process as non-root Rogue Bull 25/06/13 08:12
Then why the -u option?

Re: [ossec-list] Run ossec process as non-root dan (ddpbsd) 25/06/13 08:15
On Tue, Jun 25, 2013 at 11:12 AM, Rogue Bull <r09u...@gmail.com> wrote:
> Then why the -u option?
>

Laziness. It looks like a copy/paste issue.

If execd didn't run as root, how would it add rules to the firewall?
Or hosts to hosts.deny? Or restart the ossec processes?
Re: [ossec-list] Run ossec process as non-root Rogue Bull 26/06/13 21:48
Oh. Do you need any help updating documentation or code? I have some time on weekends.
Re: [ossec-list] Run ossec process as non-root dan (ddpbsd) 27/06/13 05:30
On Thu, Jun 27, 2013 at 12:48 AM, Rogue Bull <r09u...@gmail.com> wrote:
> Oh. Do you need any help updating documentation or code? I have some time on
> weekends.
>

OSSEC is an open source project, of course we need help! ;-)
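
As an added example (not code from the thread or from the OSSEC project), the root/non-root split discussed above can be checked from ps output: the function below flags any ossec-* daemon other than ossec-execd, ossec-logcollector and ossec-syscheckd that runs as root, and any of those three that does not. The sample listing is constructed, modelled on the agent listing in the thread with one deviating line added; the function names and finding labels are assumptions.

```shell
#!/bin/sh
# Added example: audit the privilege split of OSSEC daemons from `ps aux` output.
# Expected split, as described in the thread: execd, logcollector and syscheckd
# stay root; every other ossec-* daemon should have dropped privileges.

# audit_ossec_ps (hypothetical name): reads `ps aux`-style lines on stdin,
# prints one finding per daemon, returns 1 if any daemon deviates.
audit_ossec_ps() {
    awk '
    NF >= 11 {
        user = $1
        # Field 11 is the executable path in both BSD and Linux `ps aux`.
        n = split($11, parts, "/")
        daemon = parts[n]
        if (daemon !~ /^ossec-/) next      # skips the grep process and others
        needs_root = (daemon ~ /^ossec-(execd|logcollector|syscheckd)$/)
        if (user == "root" && !needs_root) {
            print "UNEXPECTED_ROOT " daemon " pid=" $2; bad = 1
        } else if (user != "root" && needs_root) {
            print "UNEXPECTED_NONROOT " daemon " user=" user " pid=" $2; bad = 1
        } else {
            print "OK " daemon " user=" user
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample input: four lines modelled on the agent listing in the
# thread, plus one constructed deviation (ossec-maild running as root).
sample_ps() {
cat <<'EOF'
ossec     7584  0.0  0.0   6528   912 ?        S    07:28   0:00 /u01/ossec/bin/ossec-agentd
root      7580  0.0  0.0   6232   480 ?        S    07:28   0:00 /u01/ossec/bin/ossec-execd
root      7588  0.0  0.0   4292   540 ?        S    07:28   0:00 /u01/ossec/bin/ossec-logcollector
root      7592  0.0  0.0   4452   484 ?        S    07:28   0:00 /u01/ossec/bin/ossec-syscheckd
root      7601  0.0  0.0   6384   700 ?        S    07:28   0:00 /u01/ossec/bin/ossec-maild
EOF
}

# Stand-alone run over the constructed sample.
sample_ps | audit_ossec_ps || echo "deviations found"
```

On a live host the same function can be fed with `ps auxww | audit_ossec_ps`.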