OSSEC configuration/installation and non-root access?


jplee3

Nov 12, 2010, 5:24:29 PM
to ossec-list
I was under the impression that the installation and configuration of
OSSEC is designed to be handled as root. Is there any way around this?
It seems like root is definitely required for the install. But what
about configuration (i.e. running manage_agents or editing ossec.conf,
etc.)? Is it possible (and safe) to change things so another non-root
user can modify? Is this a recommended best practice? I have a systems
engineer who's been overly cautious (and resistant) of giving me sudo
access so I can finish setting up OSSEC on his boxes... :T

Joe Gedeon

Nov 12, 2010, 8:06:42 PM
to ossec...@googlegroups.com
Would you want a non-root or non-administrator to be able
to make configuration changes to a program that could do just about
anything to a system? Hmm, nice little Active response that clears out
the root user's password? A non-administrator making changes to OSSEC
opens a big hole in the system. If it is just manage_agents then the
administrator could allow you that command in the sudo file. But
editing the ossec.conf or the shared agents file is off limits in my
opinion.

--
Registered Linux User # 379282

dan (ddp)

Nov 12, 2010, 5:56:45 PM
to ossec...@googlegroups.com

SUMMARY: Changing the permissions from the default is not recommended,
best practice, or supported by me. :)

That sounds like a pain in the butt. He should be able to give you
sudo access to the things you need (/var/ossec/bin/*).
At least the non-scripted executables. The ossec-control script
wouldn't be hard to modify to use sudo in the appropriate places.

Another possibility may be MAC/RBAC type setups that allow specific
users to perform the necessary actions of managing an OSSEC system.
But this isn't something I've looked into. Most of these systems scare
me with their complexity and my lack of time.

Overall, changing the permissions sounds dangerous. I don't know of
anyone doing testing with odd permissions, so no idea what weird
things could break.

Putting your user in the ossec group may go a long way in getting
access to the various parts, and I guess opening up permissions to the
ossec group may not be too bad... Again, this isn't recommended, just
tossing it out there.

Beyond the initial setup (and future upgrades), what needs to be done
as root? For an agent you add the key and point the agent to the
manager in ossec.conf. Most other things can be handled through the
agent.conf, and wouldn't require root access.

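Added example, not part of any post in this thread and not OSSEC project code: a shell check for the concern raised in the replies, that whoever can write ossec.conf, the shared agent configuration or the executables controls what OSSEC does on the box. It assumes the default /var/ossec layout; the function names and the sample tree are constructed for illustration, and only mode bits are checked, not ownership.

```shell
#!/bin/sh
# Added example: report group- or world-writable entries in the parts of an
# OSSEC install tree that determine what the daemons execute.

# Paths relative to the install root (assumed default layout under /var/ossec).
SENSITIVE="etc/ossec.conf etc/shared active-response/bin bin"

# audit_ossec_perms ROOT
# Prints one path per finding. Returns 0 if clean, 1 if there are findings,
# 2 if ROOT is not a directory.
audit_ossec_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        for rel in $SENSITIVE; do
            [ -e "$root/$rel" ] || continue
            # -perm -020 matches group-writable, -perm -002 world-writable.
            # Directories count too: write access there allows file replacement.
            # Symlinks are skipped because their own mode bits carry no meaning.
            find "$root/$rel" ! -type l \( -perm -020 -o -perm -002 \) -print
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree DIR
# Builds a constructed tree (empty placeholder files, not real OSSEC content)
# in which agent.conf has been opened up to the group.
make_sample_tree() {
    mkdir -p "$1/etc/shared" "$1/active-response/bin" "$1/bin" "$1/logs"
    chmod 750 "$1/etc" "$1/etc/shared" "$1/active-response" \
              "$1/active-response/bin" "$1/bin"
    : > "$1/etc/ossec.conf";                   chmod 640 "$1/etc/ossec.conf"
    : > "$1/etc/shared/agent.conf";            chmod 660 "$1/etc/shared/agent.conf"
    : > "$1/active-response/bin/host-deny.sh"; chmod 750 "$1/active-response/bin/host-deny.sh"
    : > "$1/bin/manage_agents";                chmod 550 "$1/bin/manage_agents"
    # logs/ is outside the audited paths, so this file is not reported.
    : > "$1/logs/ossec.log";                   chmod 660 "$1/logs/ossec.log"
}

# Run against a real install only when a path is given: ./audit.sh /var/ossec
if [ "$#" -gt 0 ]; then
    audit_ossec_perms "$1"
fi
```

Run it before and after any permission change made for a non-root operator; a finding under etc/ or active-response/bin means that operator's group can influence what OSSEC executes.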