
List:       ossec-list
Subject:    [ossec-list] Re: OSSEC - sudo
From:       Victor Fernandez <victor () wazuh ! com>
Date:       2016-09-30 11:51:56
Message-ID: 1fe7c4af-6b56-4d01-8d4f-0d7b075659e4 () googlegroups ! com

Hi Kumar,

The ossec group is intended to access shared files and write only onto logs 
and queues, but not on settings and rules files. Nevertheless, if you need 
to write those files, it's more secure to create a new user and add it to 
the ossec group and give it the needed permissions than run maintenance 
scripts as root, IMHO.

So I'd make the following changes:

    $ adduser <your user> ossec

If you need to modify the rules files:

    $ chmod g+w /var/ossec/rules/*.xml

And/or, if you need to create or delete rules files:

    $ chmod g+w /var/ossec/rules

Hope it helps.
Victor.

On Tuesday, September 27, 2016 at 9:26:49 PM UTC+2, Kumar G wrote:
> 
> Hi Dan, 
> 
> The main concern was we have to get the sudo command in place for 
> maintaining ossec. With our setup the sudo commands started growing and 
> increasing with any additional customizations. We are reluctant to change 
> the permissions for files / directory, however checking if we are able to 
> do them by any alternatives. 
> 
> 
> 
> Thanks
> Kumar
> 
> On Tuesday, 27 September 2016, dan (ddp) <ddp...@gmail.com> wrote:
> 
> > On Thu, Sep 15, 2016 at 2:38 PM, Kumar G <mkgaao@gmail.com> wrote:
> > > Hi team,
> > > 
> > > We are in the process of getting the sudo rules worked out for OSSEC
> > > environment. However there came up a question like if we can have the ossec
> > > user have read/write access on them (eg: /var/ossec/rules, /var/ossec/etc -
> > > ossec account should have the write permission). Is it advisable to change
> > > the chmod permissions of files / folders under /var/ossec directory?
> > > 
> > 
> > I prefer to not let the ossec user have write permissions to anything
> > it doesn't need to write to.
> > There's no reason for the ossec user to write to the rules.
> > 
> > > Any one has the list of sudo commands required on the OSSEC server / agent
> > > t?
> > > 
> > 
> > What problem are you trying to solve exactly?
> > 
> > > 
> > > Thanks
> > > Kumar
> > > 
> > > --
> > > 
> > > ---
> > > You received this message because you are subscribed to the Google Groups
> > > "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to ossec-list+unsubscribe@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
> > 
> 

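An added example, not part of the thread or of OSSEC itself: a POSIX shell check that the group-scoped grant described in the reply above is as narrow as intended, reporting what the maintenance group can do in the rules directory and flagging write access that reaches beyond it. The function names are hypothetical, and the group passed in is assumed to exist (a numeric gid also works).

```shell
#!/bin/sh
# Added example: audit write access under an OSSEC rules directory.
# Function names are hypothetical; GROUP must be an existing group or a gid.

# audit_rules_perms DIR GROUP -> 0 clean, 1 findings printed, 2 find failed
audit_rules_perms() {
    dir=$1; group=$2; rc=0

    # World-writable entries let any local account change detection rules.
    out=$(find "$dir" ! -type l -perm -0002 -print) || return 2
    if [ -n "$out" ]; then
        printf 'world-writable:\n%s\n' "$out"; rc=1
    fi

    # Group-writable entries held by another group widen access beyond the
    # maintenance group. find exits non-zero if GROUP is unknown, hence 2.
    out=$(find "$dir" ! -type l -perm -0020 ! -group "$group" -print) || return 2
    if [ -n "$out" ]; then
        printf 'group-writable, group is not %s:\n%s\n' "$group" "$out"; rc=1
    fi
    return "$rc"
}

# rules_access_level DIR GROUP -> prints what members of GROUP can do:
#   none | edit | create-delete | edit+create-delete
# "edit" means some *.xml file has g+w; "create-delete" means DIR has g+w.
# Without the sticky bit, g+w on DIR also lets members replace a read-only file.
rules_access_level() {
    dir=$1; group=$2; level=none
    edit=$(find "$dir" -type f -name '*.xml' -group "$group" -perm -0020 -print) || return 2
    # -prune limits this test to DIR itself (POSIX stand-in for -maxdepth 0).
    mk=$(find "$dir" -prune -type d -group "$group" -perm -0020 -print) || return 2
    if [ -n "$edit" ] && [ -n "$mk" ]; then level=edit+create-delete
    elif [ -n "$edit" ]; then level=edit
    elif [ -n "$mk" ]; then level=create-delete
    fi
    echo "$level"
}

# Run against the path from the thread when it exists on this host.
if [ -d /var/ossec/rules ]; then
    rules_access_level /var/ossec/rules ossec
    audit_rules_perms /var/ossec/rules ossec || echo "audit exit status: $?"
fi
```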