Issue
Resolving issues with starting OSSEC services and SELinux.
Environment
- Imunify360
- OSSEC
- SELinux
Solution
Imunify360 has SELinux support and can be run on a server with SELinux enabled. The policy file /opt/alt/python38/share/imunify360/imunify360.te is shipped with the "main" package imunify360-firewall. To check whether the SELinux policy module for Imunify360 is installed, run:
# semodule --list-modules | grep imunify360
imunify360 1.1
If the policy module is missing, install it using the method described in the documentation: https://docs.imunify360.com/installation/#selinux-support.
In rare cases, however, a server administrator may find that OSSEC does not work correctly, or does not work at all, because the SELinux context has not been applied to the OSSEC log directory or the OSSEC binary directory.
This problem can show up, for example, as the following error:
No events from OSSEC for 7 days. Check OSSEC settings in the /var/ossec/etc/ossec.conf file.
In that case the policy module and the file contexts can be applied manually.
- For the directory with logs:
# checkmodule -M -m -o /var/imunify360/imunify360.mod /opt/imunify360/venv/share/imunify360/imunify360.te
# semodule_package -o /var/imunify360/imunify360.pp -m /var/imunify360/imunify360.mod
# semodule -i /var/imunify360/imunify360.pp
# semanage fcontext -a -t var_log_t '/var/ossec/logs(/.*)?'
# restorecon -Frvv /var/ossec/logs
- For the directory with binaries:
# checkmodule -M -m -o /var/imunify360/imunify360.mod /opt/imunify360/venv/share/imunify360/imunify360.te
# semodule_package -o /var/imunify360/imunify360.pp -m /var/imunify360/imunify360.mod
# semodule -i /var/imunify360/imunify360.pp
# semanage fcontext -a -t bin_t "/var/ossec/bin/(.*)"
# restorecon -rv /var/ossec/bin
Please note that in older releases the policy template may be located at the following path instead, so adjust the checkmodule command above accordingly:
/opt/alt/python38/share/imunify360/imunify360.te
After that, it only remains to restart OSSEC on the server:
# systemctl restart ossec-hids
After this, the service should work as usual.
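To confirm that the contexts from the procedure above actually landed, the following added check (example code, not part of the original article or of Imunify360) reads the SELinux type from ls -Zd output and compares it with the expected var_log_t for /var/ossec/logs and bin_t for /var/ossec/bin. The sample lines in the demo are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the Imunify360 article: verify the SELinux
# types assigned by the manual procedure (var_log_t on /var/ossec/logs,
# bin_t on /var/ossec/bin). Parsing is done on "ls -Zd" text so the
# logic can be exercised on a constructed line without SELinux present.

# Print the SELinux type (third colon-separated field of the context)
# found on one "ls -Zd" output line. Works with both the modern format
# ("system_u:object_r:var_log_t:s0 /path") and the older long format
# ("drwxr-x---. root ossec system_u:object_r:var_log_t:s0 logs").
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:|$)/) { split($i, f, ":"); print f[3]; exit }
    }'
}

# Compare the type on a line with the expected type.
# Returns 0 on match, 1 otherwise; prints a one-line verdict.
check_line() {
    expected=$1
    line=$2
    actual=$(context_type "$line")
    path=$(printf '%s\n' "$line" | awk '{ print $NF }')
    if [ "$actual" = "$expected" ]; then
        printf 'OK   %s is %s\n' "$path" "$actual"
        return 0
    fi
    printf 'FAIL %s is %s, expected %s (re-run semanage fcontext + restorecon)\n' \
        "$path" "${actual:-unreadable}" "$expected"
    return 1
}

# Live check of a real path; needs SELinux-aware ls (coreutils on RHEL/CloudLinux).
check_path() {
    check_line "$1" "$(ls -Zd "$2")"
}

# The two checks the article cares about; non-zero if either fails.
check_ossec_contexts() {
    rc=0
    check_path var_log_t /var/ossec/logs || rc=1
    check_path bin_t /var/ossec/bin || rc=1
    return $rc
}

# Demo on constructed lines: a correctly labelled log dir and a bin dir
# still carrying the generic var_t type (the failing case).
check_line var_log_t 'system_u:object_r:var_log_t:s0 /var/ossec/logs' || :
check_line bin_t 'system_u:object_r:var_t:s0 /var/ossec/bin' || :
```

On a server, call check_ossec_contexts after the restorecon steps; a FAIL line on /var/ossec/bin is the condition that leaves ossec-hids unable to exec its binaries.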
In some cases, reinstallation of the package imunify360-ossec-server may be useful too. While reinstalling the package, the context for the files will be restored automatically.
# yum reinstall imunify360-ossec-server
It is worth noting that the developers consider a complete reinstallation of the package unnecessary; it should be done only as a last resort.
Another indicator of this problem is the following error when the ossec service is started (status 203/EXEC is systemd's code for a failed exec of the service binary, which is consistent with a wrong SELinux context on the OSSEC binary directory):
ossec-hids.service: Main process exited, code=exited, status=203/EXEC