Hi all,

So I was thinking about agent_control usage and how you can utilize this to push a "block" (or basically run an AR) on specified agents, etc.

What I was wondering, because it doesn't seem evident to me, is if anyone has figured out a good way to undo or reverse the block/AR? I can see this being useful in the case of testing ARs, or if an IP needs to be unblocked across multiple servers. I don't see a flag to remove/undo in the agent_control script, and I actually tried adding my own lines to ar.conf. While the latter works, the line gets blown away when OSSEC restarts. The only other way I know this would work is by adding the command and AR in the ossec.conf. But to prevent an undo/reverse action from triggering, you would need to specify an unused rule ID, etc. In either case, it's a bit of extra legwork to add this functionality, but it's possible. Just wondering if someone else has tried something out like this, or knows of another (or better) way to do what I'm trying to do.
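An added example of the ossec.conf route described above (my own sketch, not code from the original post or from OSSEC itself). It assumes OSSEC under /var/ossec, that the stock firewall-drop.sh takes "add" or "delete" as its first argument, and that a small wrapper called firewall-undrop.sh has been registered in ossec.conf so OSSEC regenerates ar.conf with a matching entry after every restart; the script then looks up the generated response name and fans the undo out to several agents with agent_control.

```shell
# Assumed ossec.conf additions (rules_id is a placeholder; pick an ID no rule uses):
#   <command><name>firewall-undrop</name><executable>firewall-undrop.sh</executable>
#            <expect>srcip</expect></command>
#   <active-response><command>firewall-undrop</command><location>local</location>
#                    <rules_id>999999</rules_id></active-response>
# Assumed wrapper /var/ossec/active-response/bin/firewall-undrop.sh, which just forwards
# execd's arguments (action user ip alert_id rule_id) to the stock script with "delete":
#   #!/bin/sh
#   exec /var/ossec/active-response/bin/firewall-drop.sh delete "$2" "$3" "$4" "$5"

AGENT_CONTROL=${AGENT_CONTROL:-/var/ossec/bin/agent_control}

# Constructed sample of /var/ossec/etc/shared/ar.conf ("<name> - <command> - <timeout>").
# OSSEC names each response "<command><timeout>", so a timeout of 0 yields firewall-undrop0.
SAMPLE_AR_CONF='restart-ossec0 - restart-ossec - 0
firewall-drop600 - firewall-drop - 600
firewall-undrop0 - firewall-undrop - 0'

# ar_name_for_command <command> <ar.conf contents>: print the response name that
# agent_control -f expects for that command, or nothing if it is not registered.
ar_name_for_command() {
  printf '%s\n' "$2" | awk -v cmd="$1" '$3 == cmd { print $1; exit }'
}

# unblock_commands <ip> <response-name> <agent_id>...: emit one agent_control line per
# agent so the fan-out can be reviewed (dry run) before being piped to sh to execute.
unblock_commands() {
  ip=$1; name=$2; shift 2
  for agent in "$@"; do
    printf '%s -b %s -f %s -u %s\n' "$AGENT_CONTROL" "$ip" "$name" "$agent"
  done
}

# Refuse to proceed if the undo response is missing from ar.conf (ossec.conf not updated).
main() {
  name=$(ar_name_for_command firewall-undrop "$SAMPLE_AR_CONF")
  [ -n "$name" ] || { echo "firewall-undrop is not registered in ar.conf" >&2; return 1; }
  unblock_commands 203.0.113.5 "$name" 001 002 003   # constructed IP and agent IDs
}

main
```

On a real install, replace SAMPLE_AR_CONF with `$(cat /var/ossec/etc/shared/ar.conf)` and confirm the name also appears in `agent_control -L` before piping the plan to sh.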
