It is strange. I have tried on one agent and it works putting active response under agent.conf instead of ossec.conf ...

Have you tried to disable iptables at startup and launch ossec process on the agent side using centralized configuration??


On 03/03/2011 08:47 PM, satish patel wrote:
That is working!!

I need everything in agent.conf, not ossec.conf. It would be painful to
manage more than 50 hosts by editing each ossec.conf file. At
auditing time we need AR disabled, and after auditing we need that
option enabled. I mean we are running a few scanners and a bunch of
security vulnerability tools.

Just wanted to know whether it's possible to disable AR via agent.conf or not?

-Satish



On Thu, Mar 3, 2011 at 2:30 PM, carlopmart <[email protected]> wrote:
Try to put active response section on ossec.conf on the agent side and
restart agent.


On 03/03/2011 08:25 PM, satish patel wrote:

Yes, I reloaded the agent 10 times. But AR is still there. md5sum and
everything is correct. What other way is there to disable AR?


root@vmg035:/var/ossec/etc/shared# md5sum /var/ossec/etc/shared/agent.conf
f4c01366249fcc231d8015e616f76aee  /var/ossec/etc/shared/agent.conf


root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002

OSSEC HIDS agent_control. Agent information:
    Agent ID:   002
    Agent Name: devserver1
    IP address: 172.24.10.51
    Status:     Active

    Operating system:    Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1
S..
    Client version:      OSSEC HIDS v2.5.1 /
f4c01366249fcc231d8015e616f76aee
    Last keep alive:     Thu Mar  3 11:21:51 2011

    Syscheck last started  at: Thu Mar  3 09:41:15 2011
    Rootcheck last started at: Thu Mar  3 09:55:00 2011




On Thu, Mar 3, 2011 at 1:25 PM, carlopmart <[email protected]> wrote:

On 03/03/2011 07:05 PM, satish patel wrote:

Thanks bro,

That has been fixed. Now I want to disable AR on a specific agent, and I
added the following code in agent.conf, but it isn't working... AR is
still active on that node

<agent_config name="devserver1">
   <active-response>
    <disabled>yes</disabled>
   </active-response>
</agent_config>





Has the agent reloaded the agent.conf file? Try this command:

/opt/ossec/bin/agent_control -i 001

OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: rhelauthsrv
   IP address: 172.25.50.10
   Status:     Active

   Operating system:    Linux rhelsrv01.hpulabs.org
2.6.32-71.14.1.el6.x86_64
..
   Client version:      OSSEC HIDS v2.5.1 /
689ae94cd232e6b5c503e6148a08b49b
   Last keep alive:     Thu Mar  3 19:23:09 2011

   Syscheck last started  at: Thu Mar  3 18:14:44 2011
   Rootcheck last started at: Thu Mar  3 18:19:19 2011


md5sum needs to be the same on agent and server. And try to restart ossec
services on the agent side if needed ...

--
CL Martinez
carlopmart {at} gmail {d0t} com
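
The check suggested in the thread (the md5sum of agent.conf must be the same on agent and server), written as an added example that is not part of the original messages. The function names are hypothetical, and the sample input is the agent 002 output quoted above, abridged:

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the agent.conf MD5 found in `agent_control -i <id>` output (stdin).
# It follows "Client version: ... /" and may wrap onto the next line.
reported_md5() {
    awk '
        /Client version:/ { seen = 1 }
        seen {
            for (i = 1; i <= NF; i++)
                if (length($i) == 32 && $i !~ /[^0-9a-f]/) { print $i; exit }
        }
        seen && /Last keep alive:/ { exit }
    '
}

# Compare the reported sum with the manager's. 0 = match, 1 = mismatch, 2 = none reported.
check_sync() {
    expected=$1
    reported=$(reported_md5)
    if [ -z "$reported" ]; then
        echo "agent reports no agent.conf checksum"; return 2
    fi
    if [ "$reported" = "$expected" ]; then
        echo "in sync: $reported"; return 0
    fi
    echo "MISMATCH: manager=$expected agent=$reported"; return 1
}

# Sample input: the agent 002 output quoted in the thread (abridged).
sample_output() {
    cat <<'EOF'
OSSEC HIDS agent_control. Agent information:
    Agent ID:   002
    Status:     Active
    Client version:      OSSEC HIDS v2.5.1 /
f4c01366249fcc231d8015e616f76aee
    Last keep alive:     Thu Mar  3 11:21:51 2011
EOF
}

# Demo on the sample. Live use on the manager (paths as in the thread):
#   expected=$(md5sum /var/ossec/etc/shared/agent.conf | awk '{print $1}')
#   /var/ossec/bin/agent_control -i 002 | check_sync "$expected"
sample_output | check_sync "f4c01366249fcc231d8015e616f76aee"
```

A match only shows that the agent received the file; in the thread the sums matched and active response still stayed enabled.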