On Jun 5, 2012 8:44 PM, "Michael Starks" <[email protected]> wrote:
>
> On 06/05/2012 11:21 AM, dan (ddp) wrote:
>>
>> On Mon, Jun 4, 2012 at 3:05 PM, [email protected]
>> <[email protected]> wrote:
>>>
>>> Hi all
>>>
>>> I'm looking to confirm something with regards the active response feature, I believe this works in something like the following manner
>>>
>>> Data sent from logs on Agent> triggers rules / alert on master> fires relevant active response script on agent
>>>
>>> The active response script / binary needs to be placed in active-response/bin on the agent and the master server is itself not capable of running arbitrary commands on the agent system or injecting scripts / binaries onto this for execution.
>>>
>>
>> Correct. The server cannot run arbitrary commands on the agents or
>> transfer AR files to the agents.
>
>
> You're right--in the context of AR. I just wanted to point out that if someone has control of the server (manager) they can distribute an agent.conf with full_command and do pretty much anything they want on the agents.

You're right, but by default agents will not accept commands from the server. They have to be defined in the ossec.conf.
