On Tue, Nov 26, 2013 at 2:24 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 9:20 AM, C. L. Martinez <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 2:11 PM, dan (ddp) <[email protected]> wrote:
>>> On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>>
>>>>>>>
>>>>>>> Then I misunderstood. What part of the script looks incorrect to you?
>>>>>>>
>>>>>>
>>>>>> The content of the restart-ossec.sh script. It is not appears an
>>>>>> ossec-control restart action when agent.conf is modified. For example,
>>>>>> executing without arguments:
>>>>>>
>>>>>> [root@ossec02 bin]# ./restart-ossec.sh
>>>>>> ./restart-ossec.sh: invalid action:
>>>>>>
>>>>>> Perfect, but the problem is with the action: it can only be "add" or
>>>>>> "delete" for the hosts.deny file ... But, where is the option to do a
>>>>>> restart of the agent?
>>>>>>
>>>>>
>>>>> From the script:
>>>>> if [ "x${ACTION}" = "xadd" ]; then
>>>>> ${PWD}/../bin/ossec-control restart
>>>>> exit 0;
>>>>>
>>>>> The comments are off because of liberal copy/pasting, but Daniel is a
>>>>> busy man.
>>>>>
>>>>
>>>>
>>>> But this is for insert an ip in hosts.deny file:
>>>>
>>>> # Adding the ip to hosts.deny
>>>> if [ "x${ACTION}" = "xadd" ]; then
>>>> ${PWD}/../bin/ossec-control restart
>>>> exit 0;
>>>>
>>>>
>>>> not to restart the agent ... or I don't understand nothing ... Or do I
>>>> need to enable active response for hosts.deny?? Actually. I've
>>>> disabled this active response ...
>>>>
>>>
>>> If you run `/var/ossec/bin/ossec-control restart` and it adds an entry
>>> to hosts.deny, you have bigger problems than this AR not working.
>>> Go ahead and test, I'll wait.
>>>
>>
>> Wait a moment ... hosts-deny's active response is disabled in all of
>> my agents and server ... And in the ossec.conf in the server side, I
>> use whitelists ip that include all my IP agents ...
>>
>> But I am restarting ossec in my server, with an agent.conf modified
>> ... and result is:
>>
>> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
>> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf
>>
>> OSSEC HIDS agent_control. Agent information:
>> Agent ID: 002
>> Agent Name: agent02.adsi.intranet.local
>> IP address: 10.196.0.104
>> Status: Active
>>
>> Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
>> Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
>> Last keep alive: Tue Nov 26 14:14:19 2013
>>
>> Syscheck last started at: Tue Nov 26 04:01:49 2013
>> Rootcheck last started at: Tue Nov 26 04:00:42 2013
>>
>> Nothing ... Ok, I restart ossec agent ... and:
>>
>> root@agent02:/var/ossec/etc # md5 shared/agent.conf
>> MD5 (shared/agent.conf) = 55188a008ab5daf74988aaf585e56f64
>>
>> in server:
>>
>> OSSEC HIDS agent_control. Agent information:
>> Agent ID: 002
>> Agent Name: agent02.adsi.intranet.local
>> IP address: 10.196.0.104
>> Status: Active
>>
>> Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
>> Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
>> Last keep alive: Tue Nov 26 14:17:51 2013
>>
>> Syscheck last started at: Tue Nov 26 04:01:49 2013
>> Rootcheck last started at: Tue Nov 26 04:00:42 2013
>>
>> nothing ... no results ...
>>
>
> What is the md5 of the agent on the server?
>

This:

[root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf
