On Tue, Nov 26, 2013 at 2:11 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) <[email protected]> wrote:
>>>>>>
>>>>>
>>>>> Then I misunderstood. What part of the script looks incorrect to you?
>>>>>
>>>>
>>>> The content of the restart-ossec.sh script. There does not appear to be an
>>>> ossec-control restart action when agent.conf is modified. For example,
>>>> executing without arguments:
>>>>
>>>> [root@ossec02 bin]# ./restart-ossec.sh
>>>> ./restart-ossec.sh: invalid action:
>>>>
>>>> Perfect, but the problem is with the action: it can only be "add" or
>>>> "delete" for the hosts.deny file ... But where is the option to do a
>>>> restart of the agent?
>>>>
>>>
>>> From the script:
>>> if [ "x${ACTION}" = "xadd" ]; then
>>> ${PWD}/../bin/ossec-control restart
>>> exit 0;
>>>
>>> The comments are off because of liberal copy/pasting, but Daniel is a busy
>>> man.
>>>
>>
>>
>> But this is for inserting an IP in the hosts.deny file:
>>
>> # Adding the ip to hosts.deny
>> if [ "x${ACTION}" = "xadd" ]; then
>> ${PWD}/../bin/ossec-control restart
>> exit 0;
>>
>>
>> not to restart the agent ... or I don't understand anything ... Or do I
>> need to enable active response for hosts.deny?? Actually, I've
>> disabled this active response ...
>>
>
> If you run `/var/ossec/bin/ossec-control restart` and it adds an entry
> to hosts.deny, you have bigger problems than this AR not working.
> Go ahead and test, I'll wait.
>

Wait a moment ... hosts-deny's active response is disabled in all of my
agents and server ... And in the ossec.conf on the server side, I use
whitelists ip that include all my IP agents ...

But I am restarting ossec on my server, with an agent.conf modified ...
and the result is:

[root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf

OSSEC HIDS agent_control. Agent information:
   Agent ID: 002
   Agent Name: agent02.adsi.intranet.local
   IP address: 10.196.0.104
   Status: Active

   Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
   Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
   Last keep alive: Tue Nov 26 14:14:19 2013

   Syscheck last started at: Tue Nov 26 04:01:49 2013
   Rootcheck last started at: Tue Nov 26 04:00:42 2013

Nothing ... OK, I restart the ossec agent ... and:

root@agent02:/var/ossec/etc # md5 shared/agent.conf
MD5 (shared/agent.conf) = 55188a008ab5daf74988aaf585e56f64

On the server:

OSSEC HIDS agent_control. Agent information:
   Agent ID: 002
   Agent Name: agent02.adsi.intranet.local
   IP address: 10.196.0.104
   Status: Active

   Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
   Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
   Last keep alive: Tue Nov 26 14:17:51 2013

   Syscheck last started at: Tue Nov 26 04:01:49 2013
   Rootcheck last started at: Tue Nov 26 04:00:42 2013

Nothing ... no results ...
