Remove OSSEC-HIDS

Discussion in 'Installation/Configuration' started by Jorem, Feb 20, 2007.

  1. Jorem

    Jorem New Member

    I have a problem with OSSEC-HIDS. User ID is in the ISPConfig range.

    Can I maybe change the user ID of ossec to 2000 something?

    If this is not possible, how can I remove ossec-hids from my system again? yum remove ossec or yum remove ossec-hids didn't work.

    Thanks for the help.
     
    Last edited: Feb 20, 2007
  2. Jorem

    Jorem New Member

    Have it working now.

    Removed the folder by hand from the server. Installed it again. Did not start it and changed all the IDs of the group and after that the users and the group first (10050 to 20050 for group ossec and user 10050 to 20050 with group ossec for example).

    After that I changed the ID of the folders and files in /var/ossec .

    When I started the Ossec after the changes it worked great without any errors.

    It is now running and installed on a server with ISPConfig server. In my case easier than changing the ID of all the ISPConfig users and config of ISPConfig :).
     
  3. iverson0881

    iverson0881 New Member

    Would you be willing to go in detail about the commands you used to change the folders and which folders you changed permissions of?
     
  4. Jorem

    Jorem New Member

    I used Webmin for it :).

    First I installed using the guide: Securing Your Server With A Host-based Intrusion Detection System

    After that I switched to Webmin and went to system --> users & groups. Here you can click on the group and change the ID. I just changed the first 1 to a 2 to keep it simple :). After that you click on each ossec user (4 total) and change the user ID and add the new group ossec as primary group (ignore the postfix errors).

    Then I went to /var/ossec and changed, with the File Manager in Webmin, the user and/or group of all the files. Only when it wasn't ossec already but 10050 I changed it to 20050, for example (click on the file and then click the info button of the file manager). You have to do this with all the folders, subfolders and files (don't forget the ID of the ossec folder itself).

    After you have changed all the files you can start OSSEC by command or by Webmin (system --> startup & shutdown --> ossec --> start now).

    It started perfectly in my case. And after a few seconds I received the first ossec email that ossec started :).
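
A command-line equivalent of the File Manager step above, as an added example that is not part of the original posts: it re-owns only paths still carrying an old numeric ID, so nothing under /var/ossec is left for a later ISPConfig-range account with that number to inherit. The path and 10050 -> 20050 are the thread's examples; the function names and the OLD:NEW argument format are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the thread. 10050 -> 20050 and /var/ossec are the
# thread's examples; the function names and OLD:NEW argument are made up here.
# Run it only after the group and user IDs themselves have been changed.

# remap_ids MODE TREE OLD:NEW [OLD:NEW ...]
#   MODE=plan   print what would change, touch nothing
#   MODE=apply  re-own every path that still carries an OLD numeric ID
remap_ids() {
    mode=$1; tree=$2; shift 2
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 2; }
    for pair in "$@"; do
        case $pair in
            *[!0-9:]*|*:*:*|:*|*:) echo "bad pair: $pair" >&2; return 2 ;;
            *:*) old=${pair%%:*}; new=${pair##*:} ;;
            *) echo "bad pair: $pair" >&2; return 2 ;;
        esac
        # -user/-group accept a numeric ID when no account has that name.
        # -xdev keeps find on one filesystem; -h re-owns a symlink itself
        # instead of following it to a file outside the tree.
        if [ "$mode" = apply ]; then
            find "$tree" -xdev -group "$old" -exec chgrp -h "$new" {} +
            find "$tree" -xdev -user "$old" -exec chown -h "$new" {} +
        else
            find "$tree" -xdev -user "$old" -exec printf 'uid %s -> %s  %s\n' "$old" "$new" {} \;
            find "$tree" -xdev -group "$old" -exec printf 'gid %s -> %s  %s\n' "$old" "$new" {} \;
        fi
    done
}

# count_stale TREE ID [ID ...]: matches still owned by any listed ID.
# 0 for the old IDs after "apply" means nothing was missed.
count_stale() {
    tree=$1; shift
    for id in "$@"; do
        find "$tree" -xdev \( -user "$id" -o -group "$id" \) -exec printf . \;
    done | wc -c | tr -d ' '
}

# Example: sh remap.sh plan /var/ossec 10050:20050
if [ $# -gt 0 ]; then remap_ids "$@"; fi
```

Run it in `plan` mode first, pass one OLD:NEW pair per changed ID, and finish with `count_stale` on the old IDs before starting OSSEC.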
     
  5. iverson0881

    iverson0881 New Member

    Thank you very much. This worked for me after a few tries. Cheers!
     
