ossec-hids RPM question
Posted: Mon May 20, 2013 9:02 pm
by mntbighker
I have about 10 servers and all have had ossec installed via the Atomic packages. My most recent install is running CentOS6 with SELinux permissive. I am seeing messages that logrotate was "denied", but in permissive mode it works anyway I presume. Once we switch to enforcing this will probably come to a screeching halt. I asked on the ossec list and they claim that the ossec source has nothing in /etc/logrotate.d, so go talk to the Atomic folks. Hence my note. Apparently they have their own log rotate function? I verified that the Atomic RPM in fact installs an ossec-hids file in /etc/logrotate.d.
Re: ossec-hids RPM question
Posted: Tue May 21, 2013 8:32 am
by scott
Indeed it installs this logrotate event:
[root@c6-64 ~]# rpm -qf /etc/logrotate.d/ossec-hids
ossec-hids-2.7-25.el6.art.x86_64
Re: ossec-hids RPM question
Posted: Tue May 21, 2013 2:07 pm
by mntbighker
So will the RPM get adjusted to provide the correct SELinux context to allow this to work in enforcing mode?
Re: ossec-hids RPM question
Posted: Tue May 21, 2013 8:11 pm
by scott
If someone submits one, absolutely. I don't work on SELinux, so if you or someone else has a policy they'd like to contribute, I'd be happy to include it in the package. We use the more powerful RBAC in grsecurity ourselves. SELinux just isn't powerful enough for our security requirements.
Re: ossec-hids RPM question
Posted: Fri Mar 21, 2014 4:53 pm
by desmondgc
For this specific issue (logrotate) you can do:
semanage fcontext -a -t var_log_t /var/ossec/logs/ossec.log
restorecon -v -F /var/ossec/logs/ossec.log
Everything else seems to work fine in enforcing mode so far.
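To see which files actually need the relabel before switching to enforcing, the AVC denials that permissive mode writes to audit.log can be mined. The following script is an added example, not code from this thread or the Atomic package: it parses constructed AVC lines (the sample lines, the var_t label on ossec.log and the PIDs are all assumptions) for denials where the process is logrotate and prints the semanage/restorecon commands from the post above for each affected path.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread): two logrotate
# denials on the OSSEC log labelled var_t, plus an unrelated denial as noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369080000.123:4567): avc:  denied  { read write } for  pid=12345 comm="logrotate" path="/var/ossec/logs/ossec.log" dev="dm-0" ino=123456 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369080000.456:4568): avc:  denied  { getattr } for  pid=12345 comm="logrotate" path="/var/ossec/logs/ossec.log" dev="dm-0" ino=123456 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1369080001.000:4569): avc:  denied  { read } for  pid=2222 comm="httpd" path="/srv/www/secret" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Pull the denied permissions, process name, path, source type, target type
# and object class out of one AVC line (user:role:TYPE:... -> TYPE).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+).*?'
    r'tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+).*?'
    r'tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(text):
    """Return one dict per AVC denial line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            out.append(rec)
    return out

def logrotate_denials(records):
    """Keep only denials where the blocked process is logrotate."""
    return [r for r in records if r["comm"] == "logrotate"]

def remediation(records, label="var_log_t"):
    """Merge logrotate denials per path and emit the relabel commands from the thread."""
    by_path = defaultdict(lambda: {"perms": set(), "ttype": None})
    for r in logrotate_denials(records):
        by_path[r["path"]]["perms"] |= r["perms"]
        by_path[r["path"]]["ttype"] = r["ttype"]
    cmds = []
    for path, info in sorted(by_path.items()):
        cmds.append(f"# {path} is {info['ttype']}; logrotate needed {' '.join(sorted(info['perms']))}")
        cmds.append(f"semanage fcontext -a -t {label} {path}")
        cmds.append(f"restorecon -v -F {path}")
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation(parse_avc_denials(SAMPLE_AUDIT_LOG))))
```

On a real host, feed it `/var/log/audit/audit.log` (or `ausearch -m avc` output) instead of the constructed sample and review the printed commands before running them.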