OSSEC - log rotation

When SELinux is enabled, some OSSEC packages fail to rotate the logs under /var/ossec/logs, which results in crontab errors and, in some cases, in OSSEC being unable to write to its logs at all.

One way to fix this is to change the SELinux context type of the log directory. Before doing so, check the current context:

    # Check the current SELinux context:
    ls -aZ /var/ossec/logs

    # Change SELinux context:
    semanage fcontext -a -t var_log_t "/var/ossec/logs(/.*)?"

    # Apply the previous context change:
    restorecon -R -v /var/ossec/logs

    # Check/confirm the context change:
    ls -aZ /var/ossec/logs

Command explanation:
  • semanage fcontext : Manages the SELinux file-context mappings used to label files.
  • semanage fcontext -a: Add a new file-context record (here the path regex "/var/ossec/logs(/.*)?").
  • semanage fcontext -t: The SELinux type to assign to the matching objects (var_log_t).
  • restorecon : Relabels files to match the recorded contexts; -R recurses into the directory and -v is verbose, showing each change in file labels.

If the above fails, don’t disable SELinux; instead generate and install a targeted SELinux policy module, and audit2allow is your best friend in this case. Red Hat offers a good step-by-step guide, and Dan Walsh’s revisited guide covers the same ground. If you follow Red Hat’s guide, please keep in mind that you might have multiple denials, so you might need to grep for the “comm” value to create a policy specific to the denied process.
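
The relabel procedure above and the grep-by-“comm” filtering for audit2allow, as an added shell example that is not part of the original post. It assumes GNU stat (whose %C format prints the SELinux context), semanage and restorecon are installed and that relabel_ossec_logs runs as root; the AVC denial lines it filters are constructed samples, not real audit.log output.

```shell
#!/bin/sh
# Added example, not part of the original post: check the label on the OSSEC log
# directory, relabel it only when needed, and filter AVC denials by comm value
# before handing them to audit2allow.

# Extract the SELinux type (third field of user:role:type:level) from a context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (exit 0) when the type is not var_log_t, i.e. the directory still needs relabelling.
needs_relabel() {
    [ "$(selinux_type "$1")" != "var_log_t" ]
}

# The relabel from the post; assumes GNU stat (%C prints the SELinux context),
# semanage and restorecon are available and the caller is root.
relabel_ossec_logs() {
    dir=${1:-/var/ossec/logs}
    ctx=$(stat -c %C "$dir") || return 1
    if needs_relabel "$ctx"; then
        # -a fails if a rule for this path already exists; fall back to -m (modify).
        semanage fcontext -a -t var_log_t "$dir(/.*)?" 2>/dev/null \
            || semanage fcontext -m -t var_log_t "$dir(/.*)?" || return 1
        restorecon -R -v "$dir"
    else
        echo "$dir already labelled $ctx"
    fi
}

# Keep only AVC denials whose comm= field matches $1, so that
# "audit2allow -M ossec_logs" sees one process's denials, not every denial on the host.
avc_for_comm() {
    grep 'type=AVC' | grep "comm=\"$1\""
}

# Constructed sample denials for demonstration (not real audit.log output).
SAMPLE_AVC='type=AVC msg=audit(1): avc:  denied  { write } for  pid=1 comm="logrotate" name="ossec.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(2): avc:  denied  { read } for  pid=2 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(3): avc:  denied  { rename } for  pid=1 comm="logrotate" name="ossec.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# Count the sample denials attributable to one comm value.
count_denials_for_comm() {
    printf '%s\n' "$SAMPLE_AVC" | avc_for_comm "$1" | wc -l | tr -d ' '
}

# Example: count_denials_for_comm logrotate  -> 2
```

On a real host, pipe the denials with `grep 'comm="logrotate"' /var/log/audit/audit.log | audit2allow -M ossec_logs` so the generated module covers only the process that actually failed to rotate the logs.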

References: