ossec-hids RPM question
-
- New Forum User
- Posts: 2
- Joined: Mon May 20, 2013 8:48 pm
- Location: United States
ossec-hids RPM question
I have about 10 servers and all have had ossec installed via the Atomic packages. My most recent install is running CentOS6 with SELinux permissive. I am seeing messages that logrotate was "denied", but in permissive mode it works anyway I presume. Once we switch to enforcing this will probably come to a screeching halt. I asked on the ossec list and they claim that the ossec source has nothing in /etc/logrotate.d, so go talk to the Atomic folks. Hence my note. Apparently they have their own log rotate function? I verified that the Atomic RPM in fact installs an ossec-hids file in /etc/logrotate.d.
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: ossec-hids RPM question
Indeed it installs this logrotate event:
[root@c6-64 ~]# rpm -qf /etc/logrotate.d/ossec-hids
ossec-hids-2.7-25.el6.art.x86_64
-
- New Forum User
- Posts: 2
- Joined: Mon May 20, 2013 8:48 pm
- Location: United States
Re: ossec-hids RPM question
So will the RPM get adjusted to provide the correct SELinux context to allow this to work in enforcing mode?
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: ossec-hids RPM question
If someone submits one, absolutely. I don't work on SELinux, so if you or someone else has a policy they'd like to contribute, I'd be happy to include it in the package. We use the more powerful RBAC in grsecurity ourselves. SELinux just isn't powerful enough for our security requirements.
Re: ossec-hids RPM question
For this specific issue (logrotate) you can do:
Code:
semanage fcontext -a -t var_log_t /var/ossec/logs/ossec.log
restorecon -v -F /var/ossec/logs/ossec.log
Everything else seems to work fine in enforcing mode so far.
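To see which files logrotate is being denied on while the host is still permissive, this added example (not part of the original thread or the Atomic package) summarises logrotate AVC denials from audit-log text. The function names are hypothetical and the sample lines, including the var_t target type, are constructed.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for logrotate from audit-log text on stdin.
# Prints one "<target type> <path or name> <permissions>" line per unique denial.
logrotate_denials() {
    awk '
    /avc:/ && /denied/ && /comm="logrotate"/ {
        perms = ""; target = "?"; ttype = "?"
        # Permissions sit between "{ " and " }".
        s = index($0, "{ "); e = index($0, " }")
        if (s && e > s) perms = substr($0, s + 2, e - s - 2)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            # Prefer path= when present, fall back to name=.
            if ($i ~ /^path=/ || ($i ~ /^name=/ && target == "?")) {
                target = $i; sub(/^[a-z]+=/, "", target); gsub(/"/, "", target)
            } else if ($i ~ /^tcontext=/) {
                # tcontext=user:role:type:level -> third field is the type
                split($i, c, ":"); ttype = c[3]
            }
        }
        key = ttype " " target " " perms
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample input: two identical logrotate denials, one further
# logrotate denial, and one unrelated denial that must be ignored.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1369082401.101:311): avc:  denied  { getattr } for  pid=2211 comm="logrotate" path="/var/ossec/logs/ossec.log" dev=dm-0 ino=131201 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369168801.207:498): avc:  denied  { getattr } for  pid=3302 comm="logrotate" path="/var/ossec/logs/ossec.log" dev=dm-0 ino=131201 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369168801.209:499): avc:  denied  { read open } for  pid=3302 comm="logrotate" name="ossec.log" dev=dm-0 ino=131201 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369168900.001:512): avc:  denied  { write } for  pid=4100 comm="httpd" name="cache" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

sample_audit_lines | logrotate_denials
```

On a live host, feed it the real audit log instead, for example `logrotate_denials < /var/log/audit/audit.log`, before and after applying the fcontext change to confirm the denials stop.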