On Mon, Jun 4, 2012 at 3:05 PM, [email protected] <[email protected]> wrote:
> Hi all
>
> I'm looking to confirm something with regard to the active response feature. I
> believe this works in something like the following manner:
>
> Data sent from logs on Agent > triggers rules / alert on master > fires
> relevant active response script on agent
>
> The active response script / binary needs to be placed in active-response/bin
> on the agent, and the master server is itself not capable of running arbitrary
> commands on the agent system or injecting scripts / binaries onto this for
> execution.
>
Correct. The server cannot run arbitrary commands on the agents or transfer AR files to the agents.

> I'm trying to get a handle on the impact of a theoretical compromise /
> malicious action on the master server and the extent of abuse this would make
> possible on the agent systems, outside of modifying configuration directives
> such as <location> within the server's configuration file.
>
> In essence I suppose this is a question over what level and type of actions
> the server is capable of making an agent perform.
>
> Many thanks in advance
>
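An added illustration, not part of this thread or of the OSSEC project's own files, of the two halves of the flow discussed above: the manager-side definition that names a response, and the agent-side setting that decides whether any response is honoured. The command name, script name and rule id are assumed placeholders.

```xml
<!-- Manager-side ossec.conf: names a command and says when and where it fires.
     Command name, script name and rule id are constructed placeholders. -->
<ossec_config>
  <command>
    <name>block-src</name>                 <!-- hypothetical command name -->
    <executable>block-src.sh</executable>  <!-- must already exist in active-response/bin on the agent;
                                                the manager only sends the name, never the file -->
    <expect>srcip</expect>                 <!-- the script receives the alert's source IP as an argument -->
    <timeout_allowed>yes</timeout_allowed> <!-- lets the agent call the script again to undo the action -->
  </command>

  <active-response>
    <command>block-src</command>
    <location>local</location>             <!-- run on the agent that produced the alert -->
    <rules_id>100200</rules_id>            <!-- hypothetical rule id that triggers it -->
    <timeout>600</timeout>                 <!-- seconds before the response is reverted -->
  </active-response>
</ossec_config>

<!-- Agent-side ossec.conf: the agent's own configuration controls whether it
     runs active responses at all. This setting lives on the agent, so it is
     the control to review when assessing what a manager can make an agent do. -->
<ossec_config>
  <active-response>
    <disabled>yes</disabled>               <!-- refuse all active responses on this host -->
  </active-response>
</ossec_config>
```

With the agent-side setting left at its default (enabled), the effective limit on a manager is the set of executables present in the agent's active-response/bin, so keeping that directory minimal and monitored is the practical hardening step.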
