On Tue, Nov 26, 2013 at 9:20 AM, C. L. Martinez <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 2:11 PM, dan (ddp) <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez <[email protected]> wrote:
>>> On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>
>>>>>>
>>>>>> Then I misunderstood. What part of the script looks incorrect to you?
>>>>>>
>>>>>
>>>>> The content of the restart-ossec.sh script. It is not appears an
>>>>> ossec-control restart action when agent.conf is modified. For example,
>>>>> executing without arguments:
>>>>>
>>>>> [root@ossec02 bin]# ./restart-ossec.sh
>>>>> ./restart-ossec.sh: invalid action:
>>>>>
>>>>> Perfect, but the problem is with the action: it can only be "add" or
>>>>> "delete" for the hosts.deny file ... But, where is the option to do a
>>>>> restart of the agent?
>>>>>
>>>>
>>>> From the script:
>>>> if [ "x${ACTION}" = "xadd" ]; then
>>>>     ${PWD}/../bin/ossec-control restart
>>>>     exit 0;
>>>>
>>>> The comments are off because of liberal copy/pasting, but Daniel is a busy
>>>> man.
>>>>
>>>
>>>
>>> But this is for insert an ip in hosts.deny file:
>>>
>>> # Adding the ip to hosts.deny
>>> if [ "x${ACTION}" = "xadd" ]; then
>>>     ${PWD}/../bin/ossec-control restart
>>>     exit 0;
>>>
>>>
>>> not to restart the agent ... or I don't understand nothing ... Or do I
>>> need to enable active response for hosts.deny?? Actually. I've
>>> disabled this active response ...
>>>
>>
>> If you run `/var/ossec/bin/ossec-control restart` and it adds an entry
>> to hosts.deny, you have bigger problems than this AR not working.
>> Go ahead and test, I'll wait.
>>
>
> Wait a moment ... hosts-deny's active response is disabled in all of
> my agents and server ... And in the ossec.conf in the server side, I
> use whitelists ip that include all my IP agents ...
>
> But I am restarting ossec in my server, with an agent.conf modified
> ... and result is:
>
> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID: 002
>    Agent Name: agent02.adsi.intranet.local
>    IP address: 10.196.0.104
>    Status: Active
>
>    Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
>    Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
>    Last keep alive: Tue Nov 26 14:14:19 2013
>
>    Syscheck last started at: Tue Nov 26 04:01:49 2013
>    Rootcheck last started at: Tue Nov 26 04:00:42 2013
>
> Nothing ... Ok, I restart ossec agent ... and:
>
> root@agent02:/var/ossec/etc # md5 shared/agent.conf
> MD5 (shared/agent.conf) = 55188a008ab5daf74988aaf585e56f64
>
> in server:
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID: 002
>    Agent Name: agent02.adsi.intranet.local
>    IP address: 10.196.0.104
>    Status: Active
>
>    Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
>    Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
>    Last keep alive: Tue Nov 26 14:17:51 2013
>
>    Syscheck last started at: Tue Nov 26 04:01:49 2013
>    Rootcheck last started at: Tue Nov 26 04:00:42 2013
>
> nothing ... no results ...
>
What is the md5 of the agent on the server?
