Thanks everyone, can I just check my understanding then please. Configuration can be pushed to the agents from the server per http://www.ossec.net/doc/manual/agent/agent-configuration.html
However, this would need to call an existing active response script or binary already in place in the relevant directory on the agent system i.e. /var/ossec/active-response/bin/ http://www.ossec.net/doc/manual/ar/ar-custom.html#creating-the-command Are the config sections that can be pushed to the agent restricted in any way? The manual suggests not but I may have caught the wrong impression from your discussion. Thanks again --- On Wed, 6/6/12, Daniel Cid <[email protected]> wrote: > From: Daniel Cid <[email protected]> > Subject: Re: [ossec-list] Active Response Security > To: [email protected] > Date: Wednesday, 6 June, 2012, 2:36 > It was pre 2.6 :) It won't allow the > full command to be specified on agent.conf. > > thanks, > > On Tue, Jun 5, 2012 at 10:12 PM, Michael Starks > <[email protected]> > wrote: > > On 06/05/2012 07:50 PM, dan (ddp) wrote: > >> > >> You're right, but by default agents will not accept > commands from the > >> server. They have to be defined ib the ossec.conf. > > > > > > You're right. :) But I think this is a version > dependent thing. The > > functionality was removed, but I don't recall if it was > pre or post 2.6. > > >
