ossec-hids

SPEC file installs everything to /var/ossec

Open willt opened this issue 3 years ago • 2 comments

Why was the spec file written to install everything to /var/ossec? As far as I'm aware, binaries aren't really supposed to be installed into /var. /var is for things that constantly change: logs, state files, etc. If for some reason it's not possible to split up the install into /var, /usr/bin, /usr/sbin, etc., I would rather see everything installed into /opt/ossec. I think that would make more sense.

willt, Mar 30 '21 20:03

/var/ossec is the chroot for all the OSSEC daemons. OSSEC chroots itself into this directory to reduce the attack surface for the daemons, so everything the daemons need must be contained in this special chroot. (Linux by design will not allow a process to access anything outside of a process's chroot.)

Because OSSEC collects a massive amount of logs in its subdirectories (which is one of its primary functions), /var was picked as the appropriate place for this chroot to be created.

bigtrucker89, Mar 31 '21 20:03

Basically no one has done the work to move the binaries out of /var. It's not hard, it just takes effort that everyone thought would be better spent elsewhere. I'm not against the changes (I think I have a branch somewhere that does some of the work).

ddpbsd, Apr 01 '21 00:04
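The thread describes one tree that holds both the daemons' binaries and the log directories they write to. The following is an added example, not code from the OSSEC project or from any commenter: a permission audit that flags executables under such a tree that someone other than a trusted owner could modify or replace. The function names, reason strings and sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_chroot(root, trusted_uid=0):
    """Return sorted (relative_path, reason) findings for executables under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        # A sticky directory stops users replacing files they do not own.
        dir_open = dir_mode & WRITABLE_BY_OTHERS and not dir_mode & stat.S_ISVTX
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & ANY_EXEC:
                continue  # only regular files with an execute bit are audited
            rel = os.path.relpath(path, root)
            if st.st_uid != trusted_uid:
                findings.append((rel, "not owned by trusted uid"))
            if st.st_mode & WRITABLE_BY_OTHERS:
                findings.append((rel, "file is group/world-writable"))
            if dir_open:
                findings.append((rel, "directory is group/world-writable"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout for the demo, not OSSEC's real one."""
    root = tempfile.mkdtemp(prefix="chroot-audit-")
    # relative path -> (file mode, mode of its directory)
    layout = {
        "bin/daemon": (0o750, 0o755),       # clean
        "bin/helper": (0o775, 0o755),       # group-writable executable
        "logs/dropped.sh": (0o755, 0o777),  # executable in an open directory
        "logs/alerts.log": (0o660, 0o777),  # not executable, ignored
    }
    for rel, (file_mode, dir_mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, file_mode)
        os.chmod(os.path.dirname(path), dir_mode)
    return root
```

Against a real install, call `audit_chroot("/var/ossec")` with the default `trusted_uid=0`; the sample tree is owned by whoever runs the script, so pass `os.getuid()` there.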