A few weeks back we had a problem with active response on a specific
machine and decided we didn't need it running on that machine.
I reinstalled the ossec agent on that machine, and specifically told it
NOT to enable active response in the installer.
Today it was noticed it was still running firewall/host.deny add/drops.

I thought maybe it had somehow carried over settings from the old
installation, so this time I completely removed ossec from the machine,
deleted the source, deleted the agent from the server and reinstalled it
entirely fresh with a new agent id. I answered no again to the active
response question and confirmed it replied " - Active response disabled."
We then ran another test, and it is STILL executing active response.

For the time being, I've removed execute permissions from the
active-response scripts on the machine so active response just fails,
but the question remains, why is it running at all when the question
about enabling active response is specifically answered no during the
installation?
ossec.log with the execute permissions removed
----
2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/etc/httpd/logs/access_log'.
2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/etc/httpd/logs/error_log'.
2009/02/20 11:10:18 ossec-logcollector: INFO: Started (pid: 745).
2009/02/20 11:11:39 ossec-execd: INFO: Active response command not present: '/usr/local/ossec/active-response/bin/test-command.sh'. Not using it on this system.
2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/host-deny.sh': Permission denied
2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/firewall-drop.sh': Permission denied
Termcap of the install q/a
----
1- What kind of installation do you want (server, agent, local or help)?
agent
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: /usr/local/ossec
- Installation will be made at /usr/local/ossec .
- The installation directory already exists. Should I delete it?
(y/n) [y]:
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.5.235
- Adding Server IP 192.168.5.235
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4 - Do you want to enable active response? (y/n) [y]: n
- Active response disabled.
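An added example, not code from the original post or from OSSEC itself: a small Python checker that reads the ossec-execd entries from an ossec.log like the one above to list which active-response scripts the agent actually tried to run (the proof that active response is live), and that inspects an agent's ossec.conf for the `<active-response><disabled>yes</disabled>` setting OSSEC uses to switch active response off on that host. The sample log lines are constructed from the post; the ossec.conf snippets in the helper are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ossec-execd lines quoted in the post above.
SAMPLE_LOG = """\
2009/02/20 11:10:18 ossec-logcollector: INFO: Started (pid: 745).
2009/02/20 11:11:39 ossec-execd: INFO: Active response command not present: '/usr/local/ossec/active-response/bin/test-command.sh'. Not using it on this system.
2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/host-deny.sh': Permission denied
2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/firewall-drop.sh': Permission denied
"""

# "YYYY/MM/DD HH:MM:SS ossec-execd[(pid)]: LEVEL: message"
EXECD_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-execd(?:\(\d+\))?: "
    r"(?P<level>INFO|ERROR): (?P<msg>.*)$")
# The execd message emitted when a response script was launched but failed.
EXEC_ERR_RE = re.compile(r"Error executing '(?P<script>[^']+)': (?P<reason>.+)")

@dataclass
class ExecdEvent:
    timestamp: str
    level: str
    script: Optional[str]   # script execd tried to run, if the message names one
    reason: Optional[str]   # failure reason, e.g. "Permission denied"

def parse_execd_events(log_text: str) -> List[ExecdEvent]:
    """Extract only ossec-execd entries; other daemons' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EXECD_RE.match(line)
        if not m:
            continue
        err = EXEC_ERR_RE.search(m["msg"])
        script = err["script"] if err else None
        reason = err["reason"] if err else None
        events.append(ExecdEvent(m["ts"], m["level"], script, reason))
    return events

def attempted_scripts(events: List[ExecdEvent]) -> List[str]:
    """Scripts execd tried to launch: evidence that active response is enabled."""
    return sorted({e.script for e in events if e.script})

def active_response_disabled(ossec_conf_text: str) -> bool:
    """True if any <active-response> block in ossec.conf carries <disabled>yes</disabled>.
    A regex is used because ossec.conf may hold several <ossec_config> roots,
    which is not well-formed XML for a standard parser."""
    blocks = re.findall(r"<active-response>(.*?)</active-response>", ossec_conf_text, re.S)
    return any(re.search(r"<disabled>\s*yes\s*</disabled>", b) for b in blocks)

if __name__ == "__main__":
    evs = parse_execd_events(SAMPLE_LOG)
    print("attempted:", attempted_scripts(evs))
    print("failed:", [(e.script, e.reason) for e in evs if e.reason])
```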