Disable rootcheck / OSSEC inside openvz VPS


Blaine Aldridge

May 20, 2007, 2:24:32 AM
to ossec...@ossec.net
Hey all,

I'm running OSSEC on an openvz-based VPS and the rootcheck module
reports all sorts of hidden processes and such (as expected inside a
VPS). I've tried to disable the rootcheck module with

<rootcheck>
<disabled>yes</disabled>
</rootcheck>

in the ossec.conf but when I start ossec via init.d I get the following

ossec-rootcheck: Rootcheck disabled. Exiting.
ossec-syscheckd: Rootcheck module disabled.

Everything seems to be fine... except that with rootcheck disabled, active
response no longer works. In the ossec.log file I see

ossec-analysisd(1210): Queue '/queue/alerts/execq' not accessible:
'Connection refused'.
ossec-analysisd(1301): Unable to connect to active response queue.

Any suggestions are appreciated,
Blaine Aldridge

Daniel Cid

May 22, 2007, 2:40:56 AM
to ossec...@googlegroups.com, Blaine Aldridge
Hi Blaine,

I think your problem is unrelated to rootcheck. The error you mentioned only
happens when ossec-analysisd can not connect to ossec-execd...

Can you make sure that ossec-execd is running (ps auwx |grep ossec)? If
it is not, try to start it manually and see if it generates any errors. If it
starts fine, just restart ossec and see if the problem persists...

If that doesn't help, let us know and we will look deep into that :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Blaine Aldridge

May 22, 2007, 4:17:51 PM
to Daniel Cid, ossec...@googlegroups.com
ossec-execd was not running and refuses to start when rootcheck is
disabled. When I try to run /var/ossec/bin/ossec-execd manually it
just shows

ossec-execd(1350): Active response disabled. Exiting.

in the logs.

Restarting ossec does not fix the problem either. The only way I can
get the execd process to not kill itself is by enabling rootcheck.

Blaine Aldridge

Daniel Cid

May 26, 2007, 10:12:11 PM
to Blaine Aldridge, ossec...@googlegroups.com
Hi Blaine,

Thanks for the additional information. This problem was caused by a bug
in the configuration reader for "execd" that was reading, well, err, the rootcheck
config :)

I released an updated version of 1.2 (stable snapshot) with a fix for this:

http://www.ossec.net/files/snapshots/ossec-hids-070525.tar.gz

Upgrade your ossec install to this one and the problem should go away
(just choose upgrade option when you run ./install.sh).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
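A reduced illustration of the configuration-reader bug Daniel describes, added here as an example (not OSSEC's own code): a reader that accepts the first `<disabled>` element found anywhere in ossec.conf picks up the rootcheck setting and switches execd off, while a reader scoped to the `<active-response>` section does not. The ossec.conf fragment and both reader functions are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment matching Blaine's setup: rootcheck disabled,
# active response configured and not disabled (no <disabled> under
# <active-response>, which means "enabled").
SAMPLE_CONF = """<ossec_config>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""


def _is_yes(elem) -> bool:
    """True when an element's text is 'yes' (case-insensitive, whitespace ignored)."""
    return elem is not None and (elem.text or "").strip().lower() == "yes"


def buggy_execd_disabled(conf_text: str) -> bool:
    """Hypothetical reader mirroring the reported bug: it looks for <disabled>
    anywhere in the document, so the rootcheck setting leaks into execd and
    active response exits with 'Active response disabled'."""
    root = ET.fromstring(conf_text)
    return _is_yes(root.find(".//disabled"))


def fixed_execd_disabled(conf_text: str) -> bool:
    """Scoped reader: only <disabled> directly under an <active-response>
    block counts. OSSEC allows several <active-response> blocks, so any one
    of them saying 'yes' disables execd."""
    root = ET.fromstring(conf_text)
    return any(_is_yes(e) for e in root.findall("./active-response/disabled"))


if __name__ == "__main__":
    # With rootcheck disabled, the buggy reader wrongly turns execd off;
    # the scoped reader keeps it running.
    print("buggy reader says execd disabled:", buggy_execd_disabled(SAMPLE_CONF))
    print("fixed reader says execd disabled:", fixed_execd_disabled(SAMPLE_CONF))
```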

Blaine Aldridge

May 27, 2007, 12:18:18 AM
to Daniel Cid, ossec...@googlegroups.com
Thanks Daniel,

Everything is working correctly now.

Blaine Aldridge
