Hi all, I'm looking to confirm something with regard to the active response feature. I believe this works in something like the following manner:

Data sent from logs on Agent > triggers rules / alert on master > fires relevant active response script on agent

The active response script / binary needs to be placed in active-response/bin on the agent, and the master server is itself not capable of running arbitrary commands on the agent system or injecting scripts / binaries onto it for execution.

I'm trying to get a handle on the impact of a theoretical compromise / malicious action on the master server and the extent of abuse this would make possible on the agent systems, outside of modifying configuration directives such as <location> within the server's configuration file. In essence, I suppose this is a question over what level and type of actions the server is capable of making an agent perform.

Many thanks in advance
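Since the post's model is that the server can only trigger scripts that are already staged in active-response/bin on the agent, that directory is the thing worth monitoring on the agent side. The following is an added example, not code from the original post or from the OSSEC/Wazuh project: an audit that compares the directory against an allowlist of expected script names and SHA-256 digests recorded at deployment time, and reports unexpected files, modified or missing allowlisted scripts, and anything writable by group or other. The script names and digests it uses are constructed for the demo; the real allowlist would be recorded from your own agents.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_active_response_bin(bin_dir: str, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare the agent's active-response/bin directory against an allowlist.

    allowlist maps expected script file name -> SHA-256 hex digest recorded at
    deployment. Returns a findings dict with four sorted lists:
      unexpected - files present that are not on the allowlist
      modified   - allowlisted files whose digest no longer matches
      missing    - allowlisted files that are no longer present
      writable   - files writable by group or other (tampering risk)
    """
    findings: dict[str, list[str]] = {"unexpected": [], "modified": [], "missing": [], "writable": []}
    root = Path(bin_dir)
    present = {p.name: p for p in root.iterdir() if p.is_file()}
    for name, path in sorted(present.items()):
        mode = path.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["writable"].append(name)
        if name not in allowlist:
            findings["unexpected"].append(name)
        elif sha256_file(path) != allowlist[name]:
            findings["modified"].append(name)
    for name in sorted(allowlist):
        if name not in present:
            findings["missing"].append(name)
    return findings


def build_demo_dir() -> tuple[str, dict[str, str]]:
    """Build a constructed sample active-response/bin tree in a temp dir.

    The contents are made up for this example: one intact allowlisted script,
    one allowlisted script whose contents were changed after the allowlist was
    recorded, one allowlisted script that was deleted, and one unexpected,
    world-writable file that was never allowlisted.
    """
    d = tempfile.mkdtemp(prefix="ar-bin-demo-")
    intact = b"#!/bin/sh\n# constructed sample script\necho host-deny\n"
    original_drop = b"#!/bin/sh\necho firewall-drop\n"
    tampered_drop = b"#!/bin/sh\necho firewall-drop\necho extra line added later\n"
    allowlist = {
        "host-deny.sh": hashlib.sha256(intact).hexdigest(),
        "firewall-drop.sh": hashlib.sha256(original_drop).hexdigest(),
        "restart-ossec.sh": hashlib.sha256(b"#!/bin/sh\necho restart\n").hexdigest(),  # not written: "missing"
    }
    for name, data, mode in (
        ("host-deny.sh", intact, 0o750),
        ("firewall-drop.sh", tampered_drop, 0o750),  # differs from allowlist digest: "modified"
        ("dropper.sh", b"#!/bin/sh\necho not allowlisted\n", 0o777),  # "unexpected" and "writable"
    ):
        p = Path(d, name)
        p.write_bytes(data)
        os.chmod(p, mode)
    return d, allowlist


if __name__ == "__main__":
    demo_dir, demo_allowlist = build_demo_dir()
    for category, names in audit_active_response_bin(demo_dir, demo_allowlist).items():
        print(f"{category:10s} {names}")
```

Run against a real agent, the allowlist would be generated once from a known-good install and the audit scheduled on the agent itself, so that a change pushed by a compromised server has to survive a check the server does not control.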
