I am trying to learn Ossec, but when I open the Ossec Web UI on the main tab, Ossec shows:
"Unable to retrieve alerts"
I looked at the alerts.log file and read about different problems.
Why can't I see the alerts on the web?
More information:
Ossec Installation: /var/ossec
Ossec permissions: ossec:ossec
Ossec web UI installation: /var/www/
Ossec web UI permission: apache:apache
The ossec user belongs to the apache group.
Thanks everyone, and sorry for my poor English.
Answer 1
The answer to my question.
The problem was SELinux; you can do one of two things:
Option 1 - disable SELinux:
# vi /etc/selinux/config
Change this
SELINUX=enforcing
to
SELINUX=disabled
and reboot the system.
Option 2 - allow it with SELinux enabled.
If you need to keep SELinux active, you can tell SELinux to allow this operation.
Install:
yum install setroubleshoot
Run this:
sealert -a /var/log/audit/audit.log
This shows which application SELinux is denying, and in the same output you can see the solution. See the example:
SELinux is preventing /usr/sbin/httpd from getattr access on the archivo /var/ossec/queue/syscheck/syscheck.
***** Sugerencia de complemento catchall_labels (83.8 confidence) **********
Si desea permitir que httpd tenga getattr acceso al syscheck file
Entonces necesita modificar la etiqueta en /var/ossec/queue/syscheck/syscheck
Hacer
# semanage fcontext -a -t FILE_TYPE '/var/ossec/queue/syscheck/syscheck'
donde FILE_TYPE es uno de los siguientes: [long list of candidate SELinux file types omitted]
Luego ejecute:
restorecon -v '/var/ossec/queue/syscheck/syscheck'
***** Sugerencia de complemento catchall (17.1 confidence) *****************
Si cree que de manera predeterminada, httpd debería permitir acceso getattr sobre syscheck file.
Entonces debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Hacer
permita el acceso momentáneamente executando:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Explanation of the commands:
# semanage fcontext -a -t FILE_TYPE '/var/ossec/queue/syscheck/syscheck'
This one temporarily allows the application.
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
These 2 commands always allow this application.
Also, if you have a desktop, you can go to the graphical SELinux application and see the same information.
PS: sorry, I know the report is in Spanish, but the commands are what matter, and they are the same in Spanish and English.
Bye!
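Before reaching for audit2allow, it helps to see exactly which source domain, target label and permission the AVC records in /var/log/audit/audit.log are complaining about, so that the fix is a label change on the OSSEC files rather than a blanket policy module. The following is an added example, not code from the question or answer above; the audit lines are constructed samples, and the target type var_t on the syscheck queue file is an assumption, not taken from the page.

```python
import re
from collections import Counter

# Fields of an SELinux AVC denial record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]+)"(?: (?:path|name)="(?P<path>[^"]+)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

# Constructed sample records (not real output from the page). The first is the
# denial the sealert report above describes: httpd_t blocked from the OSSEC
# syscheck queue file (tcontext var_t is assumed). The second uses name= instead
# of path=, as the kernel does when only the basename is known; the third is
# unrelated noise, and the fourth is not an AVC record at all.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396012345.123:101): avc:  denied  { getattr } for  pid=2211 comm="httpd" path="/var/ossec/queue/syscheck/syscheck" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1396012346.456:102): avc:  denied  { read } for  pid=2211 comm="httpd" name="alerts.log" dev="dm-0" ino=9877 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1396012350.789:103): avc:  denied  { name_connect } for  pid=3001 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1396012345.123:101): arch=c000003e syscall=4 success=no exit=-13
"""

def parse_avc_denials(text):
    """Return one dict per AVC denial line; non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["enforced"] = d["permissive"] != "1"  # permissive=1: logged but allowed
            denials.append(d)
    return denials

def denials_for_path(denials, prefix):
    """Denials whose full target path starts with prefix (name=-only records lack one)."""
    return [d for d in denials if d["path"] and d["path"].startswith(prefix)]

def summarize(denials):
    """Count denials by (source domain, target type, class): the label pair to fix."""
    def key(d):
        return (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"])
    return Counter(key(d) for d in denials)

if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in denials_for_path(found, "/var/ossec"):
        print(f'{d["comm"]} denied {d["perms"]} on {d["path"]} ({d["tcontext"]})')
    for k, n in summarize(found).items():
        print(n, "x", k)
```

The (httpd_t, var_t, file) line in the summary is what tells you the OSSEC queue file carries a generic label that httpd's policy never grants, which is the case the semanage fcontext / restorecon suggestion in the report addresses.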