Prob accessing ossec-wui on Centos 5.2

[Job 317]

I've installed the ossec server and ossec-wui packages (latest both) on
a Centos 5.2 server with PHP 5.1.6 and http 2.3. The html webroot is
/var/www/html so I put the ossec-wui folder in there. There's no www
group but there is an apache group so I added the ossec group to that:

ossec:x:501:apache

I also changed the group and permissions for the /tmp folder with this
in mind.

I'm only trying to access the ossec wui from the same machine (not from
another system). However I'm still getting "Forbidden: you don't have
permission to access /ossec-wui on this server".

However I can still access other files and folders from within
/var/www/html on the same system.

Ideas?

[Alessandro Di Giuseppe]

Sounds very similar to what I posted a couple of days ago.

I've yet to get a response...

Alessandro

Sent from my BlackBerry device on the Rogers Wireless Network

[David Williams]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've not tried to set the WUI up yet so this is a shot in the dark:
if SELinux is enabled, you may need to chcon the OSSEC files in
order for apache to be allowed to read them. You could check the
apache error_log for additional information as well as the selinux
log (I think /var/log/audit/audit.log).
Just a guess though.
- -David

- --
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjJuxgACgkQCzuSgviBh0098wCfXo/V6oYFzgpx13nTL9HT4oot
EUcAmwUO815ZZoUdi10Gmnh+zWJ5aoRG
=GK57
-----END PGP SIGNATURE-----

[Menerick, John]

To start off, look at Apache's error logs and see which exact file it is complaining about the improper permissions. If you are not able to discern the improper permissions from looking at the file, email me the output of this command inside the "forbidden" directory and one level above:

ls -l

That will give me insight where to look first.

John Menerick
http://www.icehax.us

ossec:x:501:apache

Ideas?

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited and subject to legal sanctions. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information.

[Daniel Cid]

Hi all,

It seems that we are getting lots of questions/issues with the web ui.
I will try to answer some of them
in there.

-If you are getting the error "Forbidden: you don't have permission
.." and you are not even seeing the
main page, it is because you didn't place the ossec-wui directory in
the right place (under the htdocs), or
you did that as root and apache can't access it. The easiest way to
fix it is by changing the permissions of the directory
to 755 or the ownership to the apache user.

-If you are getting the option to download "index.php" or you are
seeing some source code, instead of the
page, it is because you don't have php support installed/enabled.

-If you are getting the error "can't access OSSEC directory" , it is
because apache can't access the /var/ossec
directory. It can be a few things:
--You didn't add the apache user (it can be www, apache, www-data,
http, etc - all depends on the distribution*)
to the ossec group.
--You have apache running under chroot (or jail), so it can't access
anything outside of it.
--You have SELinux enabled and blocking outside access.
--You didn't restarted apache after making those changes.

-If you are getting errors in the search page only (like unable to
read file ./tmp/xx, or unable to write ./tmp/xx), it is
because apache can't write to the ./tmp directory under the ossec-wui.
Make sure that it has permissions (by
changing the ownership to the user apache or changing the permissions).

For all these errors, look at the apache error.log and access.log for
more information. they can generally tell
what is going on.

Small rant:
*this is one of the reasons why on OSSEC, I kept everything under the
same directory, with the same structure and always default to
/var/ossec... Makes much easier for everyone to debug, understand and
support. With apache, we have
some many different locations, configs and options that is hard to
automate and make the installation easier.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

[Alessandro Di Giuseppe]

FYI: I just got it going again by doing the following: In addition to all the steps given by Daniel / the wiki. chmod 755 /var/www/ossec chmod -R 755 /var/www/ossec/stats chmod -R 755 /var/www/ossec/logs Previously, when I had tried to chmod -R 755 on /var/www/ossec, ossec-logcollector wouldn't not restart because it did not have access subdirectory of  ./queue. Hope this helps anyone else with OSSEC-WUI on CentOS 5.x. Regards, Alessandro --- On Fri, 9/12/08, Daniel Cid <danie...@gmail.com> wrote: