Symptoms
- An email from cron.daily is sent with the following content:
    /etc/cron.daily/logrotate:
    error: stat of /var/ossec/logs/active-responses.log failed: Permission denied
    error: stat of /var/ossec/logs/ossec.log failed: Permission denied
- Permissions on the files mentioned in the error log are correct (644 and owner ossec):
    # ls -l /var/ossec/logs/
    total 440
    -rw-r--r--. 1 ossec ossec 0 Mar 26 03:26 active-responses.log
    drwxrwx---. 4 ossec ossec 67 Apr 13 00:00 alerts
    drwxr-x---. 4 ossec ossec 50 Apr 13 00:00 archives
    drwxr-x---. 4 ossec ossec 50 Apr 13 00:00 firewall
    -rw-r--r--. 1 ossec ossec 13024 Apr 12 10:47 ossec.log
Cause
SELinux blocks logrotate from accessing the log files in /var/ossec/logs (part of Imunify360) during log rotation, even though the file permissions allow it.
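To confirm this cause before choosing a resolution, the audit log can be checked for AVC denials recorded against logrotate. The script below is an added example, not part of the original article or of Imunify360/OSSEC; the sample audit records (including the target type var_t) are constructed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Summarise SELinux AVC denials hitting logrotate under /var/ossec/logs.

# Constructed sample audit records (not from a real host). The target type
# var_t, the pids and the inode numbers are assumptions for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1586736001.101:4567): avc:  denied  { getattr } for  pid=2211 comm="logrotate" path="/var/ossec/logs/active-responses.log" dev="dm-0" ino=101 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586736001.102:4568): avc:  denied  { getattr } for  pid=2211 comm="logrotate" path="/var/ossec/logs/ossec.log" dev="dm-0" ino=102 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586739000.500:4600): avc:  denied  { read } for  pid=3300 comm="httpd" path="/var/www/html/index.php" dev="dm-0" ino=900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586822401.102:5120): avc:  denied  { getattr } for  pid=4122 comm="logrotate" path="/var/ossec/logs/ossec.log" dev="dm-0" ino=102 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Reads raw audit records on stdin and prints one line per distinct denial:
#   <count> <permission(s)> <path> <target SELinux type>
ossec_logrotate_denials() {
  awk '
    /avc: +denied/ && /comm="logrotate"/ {
      perm = ""; path = ""; ttype = ""
      if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      if (match($0, /path="[^"]*"/)) path = substr($0, RSTART + 6, RLENGTH - 7)
      if (match($0, /tcontext=[^ ]+/)) {
        split(substr($0, RSTART + 9, RLENGTH - 9), ctx, ":")
        ttype = ctx[3]
      }
      # Keep only denials on files below the OSSEC log directory.
      if (index(path, "/var/ossec/logs/") != 1) next
      key = perm " " path " " ttype
      if (!(key in seen)) order[++n] = key
      seen[key]++
    }
    END { for (i = 1; i <= n; i++) print seen[order[i]], order[i] }
  '
}

# On an affected host, feed it real records instead, for example:
#   ausearch -m avc -c logrotate --raw | ossec_logrotate_denials
sample_audit_log | ossec_logrotate_denials
```

If the function prints nothing for a host's real audit records, no logrotate denial under /var/ossec/logs was logged there.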
Resolution
Solution I:
Disable SELinux permanently on the server.
Solution II:
If SELinux must stay enabled, apply a special policy for OSSEC.
See the "Installation" section on this page: