Open EHRETic opened 3 years ago
PS: depending on the app you are using on your server, it can be problematic... I've installed the OSSEC agent on my DNS servers (Technitium) and the disks were full in a few hours... surprise in the morning!
Luckily I had some snapshots! 😊
Sure, the current selinux policy is here: https://github.com/ossec/ossec-hids/tree/master/contrib/selinux, can you make an update there and send us a pull request?
Hello,
I've tried but I get that when I try the install command, any idea?
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/bz2 failed with code: 1. (No such file or directory).
ossec_agent.pp: libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/bz2 : No such file or directory
ossec_agent.pp: (No such file or directory).
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
(No such file or directory).
semodule: Failed!
Any idea? 😉
I don't see anything in the issue to help recreate the problem. So a general google search gives me: this. So you could try var_log_t for /var/ossec/logs/ossec.log.
Hi there,
So I finally took the time to test it thoroughly. The command semanage fcontext -a -t var_log_t 'ossec.log' will actually stop SELinux from making that warning.
But this will not prevent my dns app to fill up the disk! 😊
The app is called Technitium DNS and is writing logs in the /etc/dns/config/logs folder, resulting in the disk filling up in the OSSEC folder at this path: /var/ossec/queue/diff/local/etc/dns/config/logs/yyyy-mm-dd.log. OSSEC will generate dozens of copies of the current log file within this folder, resulting in a disk filled up in a couple of hours.
Do you have any idea how I can solve that (either exception or preventing multiple file write there)?
Thanks in advance and best regards
@EHRETic You should set up either an ignore or at least a nodiff for the /etc/dns/config/logs directory. https://www.ossec.net/docs/docs/syntax/head_ossec_config.syscheck.html
Also, I'd recommend looking for an update to Technitium or a configuration setting to fix the location of those logs.
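As an added example (not the OSSEC project's code and not part of this thread), the following POSIX shell script does two things a defender wants here: it reports which directories under the syscheck diff store hold the most stored copies, so the path that is eating the disk is visible before it fills, and it prints the `<nodiff>`/`<ignore>` syscheck entries that stop OSSEC from storing copies of files under that directory. The diff store location /var/ossec/queue/diff/local and the Technitium log directory come from the thread; the per-directory layout and the file names used in the demo tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the OSSEC project or the issue thread.
#  diff_store_usage DIR   - "<count> <directory>" lines for DIR, most files first
#  top_offender DIR       - the directory holding the most stored copies
#  syscheck_fragment PATH - <syscheck> entries that exclude PATH
# Assumption: OSSEC keeps one directory per watched file under
# /var/ossec/queue/diff/local, as described in the thread.

diff_store_usage() {
    # $1: root of the diff store, e.g. /var/ossec/queue/diff/local
    find "$1" -type f 2>/dev/null \
        | sed 's#/[^/]*$##' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Directory with the most stored copies (second field of the top line).
top_offender() {
    diff_store_usage "$1" | head -n 1 | cut -d' ' -f2
}

# Fragment to merge into the existing <syscheck> block of ossec.conf.
# nodiff keeps the directory under integrity checking but never stores
# file copies; ignore removes it from syscheck entirely.
syscheck_fragment() {
    cat <<EOF
<syscheck>
  <nodiff>$1</nodiff>
  <!-- or, to stop watching the directory completely: -->
  <ignore>$1</ignore>
</syscheck>
EOF
}

# Constructed tree mimicking the diff store, to show the report offline.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/dns/config/logs" "$tmp/etc/ssh"
    for i in 1 2 3 4 5; do : > "$tmp/etc/dns/config/logs/copy.$i"; done
    : > "$tmp/etc/ssh/sshd_config"
    echo "busiest diff-store directory: $(top_offender "$tmp")"
    syscheck_fragment /etc/dns/config/logs
    rm -rf "$tmp"
}

demo
```

Run `diff_store_usage /var/ossec/queue/diff/local | head` on the agent to confirm the offending path, then add the printed `<nodiff>` (or `<ignore>`) line to the agent's ossec.conf and restart the agent; the copies already stored under queue/diff are not removed by the config change and have to be deleted by hand.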
You mean it is not correct where those files are located? But I will definitely, especially if you give me recommendations. (sorry, Linux n0ob! 😊)
Typically /etc is used for configurations, much more static content. /var/log is a good place to keep logs.
I've just checked, there is an option to change log folder location. Would OSSEC behave in another way if I move them to a "right folder"? (without any extra configuration/exception)
Dear all,
On all my Linux servers, I've the following errors in SELinux:
As I'm using Cockpit, SELinux gives me the following command as a solution:
semanage fcontext -a -t FILE_TYPE '/var/ossec/logs/active-responses.log'
But I don't know what to put instead of FILE_TYPE to set it up correctly. There are some "FILE_TYPE logrotate" values available, but which one to use:
logrotate_exec_t, logrotate_lock_t, logrotate_mail_tmp_t, logrotate_tmp_t, logrotate_var_lib_t
There is a possibility to make the logrotate process permissive, but that is not the right thing to do I think.... Any idea how to solve that? 😉
Thanks in advance
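As an added example (not the OSSEC project's code and not from any participant in this issue), the script below applies the var_log_t type suggested later in the thread to the whole /var/ossec/logs directory as a persistent fcontext rule, re-labels the files on disk, and then checks both what the policy maps the path to and what is actually on the file. The directory path and the active-responses.log file name are the ones from the issue; everything else is the example's own assumption.

```shell
#!/bin/sh
# Added example, not code from the OSSEC project or the issue.
# Labels OSSEC's log directory var_log_t so a policy-confined logrotate can
# manage active-responses.log and ossec.log, then verifies the result.
# Requires the semanage tool (policycoreutils) and libselinux utilities.

OSSEC_LOGS=/var/ossec/logs
WANT_TYPE=var_log_t

# user:role:type:level -> type
type_from_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type currently on a file, taken from stat's SELinux context field.
current_type() {
    type_from_context "$(stat -c %C "$1")"
}

# Succeeds (0) when the file does NOT yet carry the wanted type.
needs_relabel() {
    [ "$(current_type "$1")" != "$2" ]
}

# Record a persistent rule for the directory tree and re-apply labels.
# A local fcontext rule survives restorecon; the upstream fix would be
# a change to the policy under contrib/selinux linked above.
label_ossec_logs() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; nothing changed" >&2
        return 2
    fi
    # -a fails if a rule for the pattern already exists; fall back to -m (modify).
    semanage fcontext -a -t "$WANT_TYPE" "${OSSEC_LOGS}(/.*)?" \
        || semanage fcontext -m -t "$WANT_TYPE" "${OSSEC_LOGS}(/.*)?"
    restorecon -Rv "$OSSEC_LOGS"
    # What the policy now maps the path to, and what is on disk.
    matchpathcon "$OSSEC_LOGS/active-responses.log"
    if needs_relabel "$OSSEC_LOGS/active-responses.log" "$WANT_TYPE"; then
        echo "label not applied: $(current_type "$OSSEC_LOGS/active-responses.log")" >&2
        return 1
    fi
    echo "$OSSEC_LOGS now labelled $WANT_TYPE"
}

# Only change the system when invoked as: sh label-ossec-logs.sh apply
if [ "${1:-}" = apply ]; then
    label_ossec_logs
fi
```

Labelling the directory rather than the single file keeps the rule valid when OSSEC rotates or recreates the files; if the agent still writes the log itself without a denial after relabelling, the change is sufficient and making logrotate permissive is not needed.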