ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net
Other
4.52k stars 1.04k forks source link

‘chroot’ cause 'getaddrinfo' Failed #1063

Closed cyongxue closed 6 years ago

cyongxue commented 7 years ago

The ossec-agentd will do ‘getaddrinfo’ Failed,after execd ‘chroot’。 The Error Info:

  1. gethostbyname, Unknown host
  2. getaddrinfo failed: Name or servicenot known

Isn't there someone else come across this questions? Or,know How to solve with 'chroot'?

raptorr commented 7 years ago

I've got 'getaddrinfo' error but with ossec-remoted "ERROR: Unable to Bind port '1514'" EDIT: on my side it was disabled ipv6. Setting net.ipv6.conf.default.disable_ipv6 = 0 and net.ipv6.conf.all.disable_ipv6 = 0 fixed the problem

ddpbsd commented 7 years ago

Have you tried copying /etc/resolv.conf to the chroot? (/var/ossec/etc)

cyongxue commented 7 years ago

No~~ And Thank you

and I had modified the code for open(chmod…) any file. Because OSSEC depend on many system files, e.g.:/etc/resolv.conf/dev/random…

The code:

/* char tmp_file_path[FILE_PATH_STR + 1]; if (!full_file_path(path, tmp_file_path, sizeof(tmp_file_path))) { ErrorExit("File[%s] deal full file path Error."FILE_LINE_FORMAT, path FILE_LINE_VALUE); } / int full_file_path(const char file_name, char buf_full_path, unsigned int buf_size) { if (buf_size = strlen(file_name) + strlen(DEFAULTDIR)) { return 0; }

memset(buf_full_path, 0x00, buf_size); if (isChroot()) { snprintf(buf_full_path, buf_size, "%s", file_name); } else { snprintf(buf_full_path, buf_size, "%s%s", DEFAULTDIR, file_name); }

return strlen(buf_full_path); }

原始邮件 发件人:Dan Parriottnotifications@github.com 收件人:ossec/ossec-hidsossec-hids@noreply.github.com 抄送:小用cyongxue@163.com; Authorauthor@noreply.github.com 发送时间:2017年2月22日(周三) 22:53 主题:Re: [ossec/ossec-hids] ‘chroot’ cause 'getaddrinfo' Failed (#1063)

Have you tried copying /etc/resolv.conf to the chroot? (/var/ossec/etc) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.