DIRECTORY="/var/ossec"
fi
-# create users
+# create group
+if ! getent group $OSSEC_GROUP >/dev/null; then
+ addgroup --system $OSSEC_GROUP
+fi
+
+# create/modify users
if ! getent passwd $OSSEC_USER >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER >/dev/null 2>&1
fi
if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_MAIL >/dev/null 2>&1
fi
if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_EXEC >/dev/null 2>&1
fi
if ! getent passwd $OSSEC_USER_REM >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
-fi
-
-# create group
-if ! getent group $OSSEC_GROUP >/dev/null; then
- addgroup --system $OSSEC_GROUP
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_REM >/dev/null 2>&1
fi
# fix ownership
chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/rids
chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/stats
chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc
touch $DIRECTORY/logs/ossec.log
chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs/ossec.log
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
chown -R root:$OSSEC_GROUP $DIRECTORY/rules
-chown root:$OSSEC_GROUP $DIRECTORY/var/run
chown root:$OSSEC_GROUP $DIRECTORY/etc/decoder.xml
chown root:$OSSEC_GROUP $DIRECTORY/etc/internal_options.conf
-chown root:$OSSEC_GROUP $DIRECTORY/etc/shared/*
+chown root:$OSSEC_GROUP $DIRECTORY/etc/client.keys >/dev/null 2>&1 || true
+chown root:$OSSEC_GROUP $DIRECTORY/agentless/*
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc/shared
+chown root:$OSSEC_GROUP $DIRECTORY/var/run
+chown root:$OSSEC_GROUP $DIRECTORY/active-response/bin/*
+chown root:$OSSEC_GROUP $DIRECTORY/bin/*
chown root:$OSSEC_GROUP $DIRECTORY/etc/ossec.conf
# fix perms
chmod -R 550 $DIRECTORY/rules
chmod 770 $DIRECTORY/var/run
chmod 550 $DIRECTORY/etc
-chmod 770 $DIRECTORY/etc/shared
+chmod 440 $DIRECTORY/etc/internal_options.conf
+chmod -R 770 $DIRECTORY/etc/shared
chmod 700 $DIRECTORY/.ssh
+chmod 755 $DIRECTORY/active-response/bin/*
+chmod 550 $DIRECTORY/bin/*
+chmod 440 $DIRECTORY/etc/ossec.conf
+
+# fixups: no need for execute bits on files there
+find $DIRECTORY/rules -type f -exec chmod ugo-x '{}' ';'
+find $DIRECTORY/etc -type f -exec chmod ugo-x '{}' ';'
# copy timezone and localtime
if [ -e /etc/timezone ]; then