Run ossec process as non-root
429 views
Skip to first unread message
Rogue Bull
Jun 24, 2013, 11:10:28 AM6/24/13
to ossec...@googlegroups.com
Hello All,
I noticed that we are creating the ossec user on the agent machines. However, the process itself is launched and run as root. So why do we have ossec user? And is it not possible to run the process as non-root?
David Blanton
Jun 24, 2013, 12:03:12 PM6/24/13
to ossec...@googlegroups.com
I don't believe it's possible to run the install.sh script as non-root.
dan (ddp)
Jun 24, 2013, 12:23:36 PM6/24/13
to ossec...@googlegroups.com
[ddp@arrakis] :; ps auxww | grep ossec | grep root
root 20984 0.0 0.0 568 784 ?? I 11:18AM 0:00.00
/var/ossec/bin/ossec-execd
root 16204 0.0 0.0 572 996 ?? S 11:18AM 0:00.33
/var/ossec/bin/ossec-logcollector (ossec-logcollect)
root 23166 0.0 0.1 828 1196 ?? I 11:18AM 0:15.48
/var/ossec/bin/ossec-syscheckd
All 3 of these need root permissions. ossec-execd has to be able to
add rules to firewalls or hosts.deny files, ossec-logcollector needs
to be able to read log files (which are often only readable to root),
an dossec-syscheckd has to be able to checksum any file on the system.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
Michael Starks
Jun 24, 2013, 2:08:47 PM6/24/13
to ossec...@googlegroups.com
processes are chrooted.
Rogue Bull
Jun 25, 2013, 10:39:16 AM6/25/13
to ossec...@googlegroups.com
Following ps are active on my server and agent:
Server:
ossec 1401 0.0 0.0 8840 3296 ? S Jun08 0:21 /u01/ossec/bin/ossec-analysisd
ossec 1418 0.0 0.0 6496 780 ? S Jun08 0:01 /u01/ossec/bin/ossec-monitord
ossecm 1393 0.0 0.0 6384 700 ? S Jun08 0:12 /u01/ossec/bin/ossec-maild
ossecr 1411 0.0 0.0 160268 1092 ? Sl Jun08 1:24 /u01/ossec/bin/ossec-remoted
root 1396 0.0 0.0 6232 528 ? S Jun08 0:00 /u01/ossec/bin/ossec-execd
root 1404 0.0 0.0 4280 568 ? S Jun08 0:54 /u01/ossec/bin/ossec-logcollector
root 1414 0.0 0.0 5240 1820 ? S Jun08 6:36 /u01/ossec/bin/ossec-syscheckd
Agent:
ossec 7584 0.0 0.0 6528 912 ? S 07:28 0:00 /u01/ossec/bin/ossec-agentd
root 7580 0.0 0.0 6232 480 ? S 07:28 0:00 /u01/ossec/bin/ossec-execd
root 7588 0.0 0.0 4292 540 ? S 07:28 0:00 /u01/ossec/bin/ossec-logcollector
root 7592 0.0 0.0 4452 484 ? S 07:28 0:00 /u01/ossec/bin/ossec-syscheckd
Q1: Can I run execd, logcollectord and syscheckd as ossec or ossecm ?
What I tried:
Documentation says it is possible to do that for all threee with -u option :
http://www.ossec.net/doc/programs/ossec-execd.html
http://www.ossec.net/doc/programs/ossec-logcollector.html
http://www.ossec.net/doc/programs/ossec-syscheckd.html
It also says that the defualt user is : ossem (but I dont see ossecm being used to run any of these)
Now, when I run the following:
# /u01/ossec/bin/ossec-execd -u ossec or # /u01/ossec/bin/ossec-execd -u ossecm
the output is this :
OSSEC HIDS v2.7 - Trend Micro Inc. (con...@ossec.net)
http://www.ossec.net
ossec-execd: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]
-V Version and license message
-h This help message
-d Execute in debug mode
-t Test configuration
-f Run in foreground
-u <user> Run as 'user'
-g <group> Run as 'group'
-c <config> Read the 'config' file
-D <dir> Chroot to 'dir'
The user is not switched.
How to force these processes to run as non-root?
Server:
ossec 1401 0.0 0.0 8840 3296 ? S Jun08 0:21 /u01/ossec/bin/ossec-analysisd
ossec 1418 0.0 0.0 6496 780 ? S Jun08 0:01 /u01/ossec/bin/ossec-monitord
ossecm 1393 0.0 0.0 6384 700 ? S Jun08 0:12 /u01/ossec/bin/ossec-maild
ossecr 1411 0.0 0.0 160268 1092 ? Sl Jun08 1:24 /u01/ossec/bin/ossec-remoted
root 1396 0.0 0.0 6232 528 ? S Jun08 0:00 /u01/ossec/bin/ossec-execd
root 1404 0.0 0.0 4280 568 ? S Jun08 0:54 /u01/ossec/bin/ossec-logcollector
root 1414 0.0 0.0 5240 1820 ? S Jun08 6:36 /u01/ossec/bin/ossec-syscheckd
Agent:
ossec 7584 0.0 0.0 6528 912 ? S 07:28 0:00 /u01/ossec/bin/ossec-agentd
root 7580 0.0 0.0 6232 480 ? S 07:28 0:00 /u01/ossec/bin/ossec-execd
root 7588 0.0 0.0 4292 540 ? S 07:28 0:00 /u01/ossec/bin/ossec-logcollector
root 7592 0.0 0.0 4452 484 ? S 07:28 0:00 /u01/ossec/bin/ossec-syscheckd
Q1: Can I run execd, logcollectord and syscheckd as ossec or ossecm ?
What I tried:
Documentation says it is possible to do that for all threee with -u option :
http://www.ossec.net/doc/programs/ossec-execd.html
http://www.ossec.net/doc/programs/ossec-logcollector.html
http://www.ossec.net/doc/programs/ossec-syscheckd.html
It also says that the defualt user is : ossem (but I dont see ossecm being used to run any of these)
Now, when I run the following:
# /u01/ossec/bin/ossec-execd -u ossec or # /u01/ossec/bin/ossec-execd -u ossecm
the output is this :
OSSEC HIDS v2.7 - Trend Micro Inc. (con...@ossec.net)
http://www.ossec.net
ossec-execd: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]
-V Version and license message
-h This help message
-d Execute in debug mode
-t Test configuration
-f Run in foreground
-u <user> Run as 'user'
-g <group> Run as 'group'
-c <config> Read the 'config' file
-D <dir> Chroot to 'dir'
The user is not switched.
How to force these processes to run as non-root?
dan (ddp)
Jun 25, 2013, 10:46:19 AM6/25/13
to ossec...@googlegroups.com
requires root privs.
Rogue Bull
Jun 25, 2013, 11:12:32 AM6/25/13
to ossec...@googlegroups.com
Then why the -u option?
dan (ddp)
Jun 25, 2013, 11:15:35 AM6/25/13
to ossec...@googlegroups.com
Laziness. It looks like a copy/paste issue.
If execd didn't run as root, how would it add rules to the firewall?
Or hosts to hosts.deny? Or restart the ossec processes?
If execd didn't run as root, how would it add rules to the firewall?
Or hosts to hosts.deny? Or restart the ossec processes?
Rogue Bull
Jun 27, 2013, 12:48:50 AM6/27/13
to ossec...@googlegroups.com
Oh. Do you need any help updating documentation or code? I have some time on weekends.
dan (ddp)
Jun 27, 2013, 8:30:09 AM6/27/13
to ossec...@googlegroups.com
On Thu, Jun 27, 2013 at 12:48 AM, Rogue Bull <r09u...@gmail.com> wrote:
> Oh. Do you need any help updating documentation or code? I have some time on
> weekends.
>
OSSEC is an open source project, of course we need help! ;-)
> Oh. Do you need any help updating documentation or code? I have some time on
> weekends.
>
Reply all
Reply to author
Forward
0 new messages