ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

OSSEC logrotate SELinux issue #1948

Open EHRETic opened 3 years ago

EHRETic commented 3 years ago

Dear all,

On all my Linux servers, I've the following errors in SELinux:

SELinux is preventing /usr/sbin/logrotate from getattr access on the file /var/ossec/logs/ossec.log.
SELinux is preventing logrotate from open access on the file /var/ossec/logs/active-responses.log.

As I'm using Cockpit, SELinux gives me the following command as a solution: semanage fcontext -a -t FILE_TYPE '/var/ossec/logs/active-responses.log'

But I don't know what to put instead of FILE_TYPE to set it up correctly. There is some "FILE_TYPE logrotate" values available, but which one to use: logrotate_exec_t, logrotate_lock_t, logrotate_mail_tmp_t, logrotate_tmp_t, logrotate_var_lib_t

There is a possibility to make the logrotate process permissive, but that is not the right thing to do I think.... Any idea how to solve that? 😉

Thanks in advance

EHRETic commented 3 years ago

PS: depending on the app you are using on your server, it can be problematic... I've installed the OSSEC agent on my DNS servers (Technitium) and the disks were full in a few hours... surprise in the morning!

Luckily I had some snapshots! 😊

atomicturtle commented 3 years ago

Sure, the current selinux policy is here: https://github.com/ossec/ossec-hids/tree/master/contrib/selinux, can you make an update there and send us a pull request?

EHRETic commented 3 years ago

> Sure, the current selinux policy is here: https://github.com/ossec/ossec-hids/tree/master/contrib/selinux, can you make an update there and send us a pull request?

Hello,

I've tried but I get that when I try the install command, any idea?

libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/bz2 failed with code: 1. (No such file or directory).
ossec_agent.pp: libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/bz2 : No such file or directory
ossec_agent.pp:  (No such file or directory).
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
semodule:  Failed!

EHRETic commented 3 years ago

Any idea? 😉

ddpbsd commented 3 years ago

I don't see anything in the issue to help recreate the problem. So a general google search gives me: this. So you could try var_log_t for /var/ossec/logs/ossec.log.
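The relabel that the comment above points at, written out as a script with a verification step. This is an added example, not code from the OSSEC project or from anyone in this thread. It assumes the default install prefix `/var/ossec`, a GNU `find` built with SELinux support (for `-printf %Z`), and a distribution policy in which `logrotate_t` may read and write `var_log_t` files (true of the Fedora/RHEL reference policy). `var_log_t` is the type suggested in the thread; if you install the project's own policy from `contrib/selinux` and it defines a dedicated type for the log directory, use that type instead. Note that this labels the whole directory, not only `ossec.log`: logrotate needs `getattr` on the directory and `open` on every file it rotates, and the denials in the first comment already mention `active-responses.log` as well.

```shell
#!/bin/sh
# Added example (not from the OSSEC project): label the OSSEC log directory
# var_log_t so the stock logrotate policy can rotate it, then report any
# entries that still carry a different type.
set -eu

OSSEC_LOGS="${OSSEC_LOGS:-/var/ossec/logs}"   # assumed default prefix
WANT_TYPE="var_log_t"                           # type suggested in the thread

# Return the type field of a SELinux context, e.g.
# "system_u:object_r:var_log_t:s0" -> "var_log_t" (fields: user:role:type:level).
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin and print the paths whose type is
# not $WANT_TYPE. Pure text processing, so it can be exercised without SELinux.
mislabelled_paths() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        if [ "$(selinux_type_of "$ctx")" != "$WANT_TYPE" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Persist the rule in the policy store so it survives a full relabel, then
# apply it to the files that already exist. "(/.*)?" covers the directory
# itself and everything beneath it. "-a" fails if a rule for this pattern is
# already defined, so fall back to "-m" (modify) in that case.
relabel_ossec_logs() {
    pattern="${OSSEC_LOGS}(/.*)?"
    semanage fcontext -a -t "$WANT_TYPE" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$WANT_TYPE" "$pattern"
    restorecon -Rv "$OSSEC_LOGS"
    # Anything printed here (e.g. an unlabeled_t file) still needs attention.
    find "$OSSEC_LOGS" -printf '%Z %p\n' | mislabelled_paths
}

# Only touch the system when explicitly asked: `sh relabel.sh apply` as root.
case "${1:-}" in
    apply) relabel_ossec_logs ;;
    *) : ;;
esac
```

Run it once as root with `apply`; afterwards `matchpathcon /var/ossec/logs/ossec.log` should print the `var_log_t` context, and the `getattr`/`open` denials for `logrotate` should stop appearing in the audit log. DAC permissions on `/var/ossec/logs` are unchanged by this, so the relabel does not widen who can read the logs beyond what the policy already allows for `var_log_t`.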

EHRETic commented 3 years ago

> I don't see anything in the issue to help recreate the problem. So a general google search gives me: this. So you could try var_log_t for /var/ossec/logs/ossec.log.

Hi there,

So I finally took the time to test it thoroughly. The command `semanage fcontext -a -t var_log_t 'ossec.log'` will actually stop SELinux from making some warnings.

But this will not prevent my dns app to fill up the disk! 😊

The app is called Technitium DNS and is writing logs in the /etc/dns/config/logs folder, resulting in filling up the disk in the ossec folder at this path: /var/ossec/queue/diff/local/etc/dns/config/logs/yyyy-mm-dd.log. OSSEC will generate dozens of copies of the current log file within this folder, resulting in a disk filled up in a couple of hours.

Do you have any idea how I can solve that (either exception or preventing multiple file write there)?

Thanks in advance and best regards

ddpbsd commented 3 years ago

@EHRETic You should setup either an ignore or at least a nodiff for the /etc/dns/config/logs directory. https://www.ossec.net/docs/docs/syntax/head_ossec_config.syscheck.html

Also, I'd recommend looking for an update to Technitium or a configuration setting to fix the location of those logs.
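The two syscheck options named in the comment above, as a concrete `ossec.conf` fragment. This is an added example, not configuration from the OSSEC project or from anyone in this thread. It assumes the agent's existing `<directories>` entry that covers `/etc` has `report_changes="yes"`; that attribute is what makes syscheck keep a copy of every changed file under `/var/ossec/queue/diff`, which is the path that filled the disk. The log directory path is the one given earlier in the thread. Both entries use `type="sregex"` with a `^` anchor so that every file under the directory is matched, following the syntax on the docs page linked in the comment.

```xml
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>

    <!-- Assumed existing entry: report_changes="yes" stores a copy of each
         changed file under /var/ossec/queue/diff, so a log that is rewritten
         every few minutes accumulates copies until the disk is full. -->
    <directories check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Option A: stop tracking the log directory entirely. A constantly
         changing log file has no file-integrity value for syscheck. -->
    <ignore type="sregex">^/etc/dns/config/logs/</ignore>

    <!-- Option B: keep the change alerts but never store the file content,
         so nothing accumulates under queue/diff for these files. Use this
         instead of Option A if you still want to know the files changed. -->
    <nodiff type="sregex">^/etc/dns/config/logs/</nodiff>
  </syscheck>
</ossec_config>
```

Pick one of the two; with `<ignore>` in place the `<nodiff>` line is never consulted for those paths. Restart the agent after the change and remove the stale copies already sitting under `/var/ossec/queue/diff/local/etc/dns/config/logs/` to reclaim the space. If Technitium is reconfigured to write under `/var/log` as suggested, the default syscheck directory list no longer covers the logs and neither entry is needed.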

EHRETic commented 3 years ago

> Also, I'd recommend looking for an update to Technitium or a configuration setting to fix the location of those logs.

You mean it is not correct where those files are located? But I will definitely, especially if you give me recommendations. (sorry, Linux n0ob! 😊)

ddpbsd commented 3 years ago

Typically /etc is used for configurations, much more static content. /var/log is a good place to keep logs.

EHRETic commented 3 years ago

> Typically /etc is used for configurations, much more static content. /var/log is a good place to keep logs.

I've just checked, there is an option to change log folder location. Would OSSEC behave in another way if I move them to a "right folder"? (without any extra configuration/exception)