Dear Dan,
I think the CIS benchmark is working because I immediately received some
emails like the ones below. I changed the release to 6, but here it is still
pointing to 5, and the reference http links are all not working. Can you briefly
tell me what action I must take based on these emails?
OSSEC HIDS Notification.
2014 Jan 31 16:43:56
Received From: pro1->rootcheck
Rule: 516 fired (level 3) -> "System Audit event."
Portion of the log(s):
System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5
Benchmark v1.1. File: /etc/redhat-release. Reference:
http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
--END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Jan 31 16:43:56
Received From: pro1->rootcheck
Rule: 516 fired (level 3) -> "System Audit event."
Portion of the log(s):
System Audit: CIS - RHEL5 5.1 - Network parameters - ICMP redirects
accepted. File: /proc/sys/net/ipv4/conf/all/accept_redirects. Reference:
http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
--END OF NOTIFICATION
OSSEC HIDS Notification.
2014 Jan 31 16:43:56
Received From: pro1->rootcheck
Rule: 516 fired (level 3) -> "System Audit event."
Portion of the log(s):
System Audit: CIS - RHEL5 5.1 - Network parameters - ICMP secure redirects
accepted. File: /proc/sys/net/ipv4/conf/all/secure_redirects. Reference:
http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
--END OF NOTIFICATION
I have ensured that ossec-execd is working fine; no issues with that. For the
permissions, I see the current settings as:
srw-rw---- 1 ossecr ossec 0 Jan 31 16:17 ar
I saw this is the latest entry in my ossec.log:
2014/01/31 22:42:53 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
How do I ensure AR is set up for the server?
I can see this in my ossec.conf:
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
Regards,
Frwa.
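The notifications above each name the /proc/sys file that the rootcheck system_audit tested, so the action on the server is to read that file and persist the hardened value. The script below is an added example written for this thread; it is not OSSEC's own code and not something Frwa or Dan posted. It takes two of the alert lines (re-typed here one per line, since the mailer wrapped them), maps each "File:" path to its sysctl key, shows the live value next to the expected one, and prints the sysctl.conf line to add. It also checks whether the active-response queue socket that the "Connection refused" errors refer to exists; the path /var/ossec/queue/alerts/ar is the standard install prefix and is assumed here. Function names (alert_file, proc_to_sysctl, current_value, report_alerts, ar_queue_state) are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): act on rootcheck
# "System Audit" alerts about ICMP redirects, and check the AR queue socket.

# Constructed sample: two alerts from the thread, one per line.
SAMPLE_ALERTS='System Audit: CIS - RHEL5 5.1 - Network parameters - ICMP redirects accepted. File: /proc/sys/net/ipv4/conf/all/accept_redirects. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
System Audit: CIS - RHEL5 5.1 - Network parameters - ICMP secure redirects accepted. File: /proc/sys/net/ipv4/conf/all/secure_redirects. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .'

# Pull the tested path out of one alert line ("File: <path>. Reference: ...").
# Prints nothing when the line carries no File: field.
alert_file() {
    printf '%s\n' "$1" | sed -n 's/.*File: \([^ ]*\)\. Reference.*/\1/p'
}

# /proc/sys/net/ipv4/conf/all/accept_redirects -> net.ipv4.conf.all.accept_redirects
proc_to_sysctl() {
    printf '%s\n' "$1" | sed -e 's|^/proc/sys/||' -e 's|/|.|g'
}

# Live value of a /proc/sys file, or "absent" when it does not exist on this
# host (non-Linux, or a container without /proc/sys).
current_value() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Walk the alerts: print key, live value, expected value (0 = do not accept
# redirects, which is what the CIS item asks for) and the line to persist.
report_alerts() {
    printf '%s\n' "$SAMPLE_ALERTS" | while IFS= read -r line; do
        f=$(alert_file "$line")
        [ -n "$f" ] || continue
        key=$(proc_to_sysctl "$f")
        printf '%s: current=%s expected=0\n' "$key" "$(current_value "$f")"
        printf '  persist with: %s = 0  (in /etc/sysctl.conf, then sysctl -p)\n' "$key"
    done
}

# analysisd connects to this UNIX socket; ossec-execd creates it. If it is
# missing, execd is not running or the install prefix differs (assumed /var/ossec).
ar_queue_state() {
    sock="${1:-/var/ossec/queue/alerts/ar}"
    if [ -S "$sock" ]; then
        echo "socket present: $(ls -l "$sock")"
    else
        echo "socket absent: $sock (is ossec-execd running?)"
    fi
}

report_alerts
ar_queue_state
```

Run it on the OSSEC server as a user that can read /proc/sys; a reported value of 1 for either key means the host still accepts ICMP redirects, which is exactly what the level-3 rootcheck alert is flagging. Note that the alert text ("CIS Red Hat Enterprise Linux 5 Benchmark", the wiki URL) is literal text inside cis_rhel5_linux_rcl.txt, so changing the release regex alone leaves those labels as they were; the sysctl values are what the check actually tests.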
On Friday, January 31, 2014 10:20:28 PM UTC+8, dan (ddpbsd) wrote:
>
> On Fri, Jan 31, 2014 at 3:32 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> > OK, I will not comment out the <active-response>; in fact it was a
> > good thing enabling it with the proper httpd log, and it helped me in terms of a
> > php-cgi attack today, and I can see a new log file, active-responses.log. Secondly,
> > with regards to the system_audit, I managed it and there are no more errors on it now.
> > Actually, what will the system_audit do in reality? Lastly, I got this error
>
> That file is supposed to go through the CIS benchmarks for RHEL 5.
>
> > still left there: 2014/01/31 16:18:01 ossec-analysisd(1210): ERROR: Queue
> > '/queue/alerts/ar' not accessible: 'Connection refused'.
> > 2014/01/31 16:18:01 ossec-analysisd(1301): ERROR: Unable to connect to
> > active response queue. Are they supposed to be waiting for some agents? Thank
> > you very much for the support and kind help.
> >
>
> I'm not sure why you are getting that error. I'd make sure ossec-execd
> is running on the OSSEC server, check permissions of the files in
> question, and restart the processes. Maybe you don't have AR setup for
> the server?
>
> > Regards,
> > Frwa.
> >
> > On Friday, January 31, 2014 1:28:45 AM UTC+8, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jan 30, 2014 at 11:19 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> > So what is your best advice? Should I comment out this
> >> > <active-response> </active-response> to stop active response? I added
> >>
> >> No, probably not. I'd probably try and track down the original problem
> >> and fix that.
> >>
> >> > this line
> >> >
> >> > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
> >> > and I tried to restart my ossec; it gives me "Ossec analysisd:Testing
> >> > rules failed. Configuration error. Exiting." Over in the
> >> > cis_rhel5_linux_rcl.txt I
> >>
> >> Are there any additional logs in ossec.log? Did you add it to the
> >> correct section of the ossec.conf?
> >>
> >> > changed these two lines: 1) Red Hat Enterprise Linux \S+ release 6 and 2)
> >> > CentOS && r:release 6.5.
> >> >
> >>
> >> I'll assume this is correct for now.
> >>
> >> I don't have time to hand hold you through all of this. Hopefully
> >> someone else does, or you can find someone with the technical skills
> >> to help.
> >>
> >> > Regards,
> >> > Frwa.
> >> >
> >> >
> >> > On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
> >> >>
> >> >> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]>
> wrote:
> >> >> > Dear Dan,
> >> >> > You said look into ossec.conf; what do I look at to diagnose
> >> >> > this?
> >> >>
> >> >> I don't understand what this is in reference to. These emails are
> >> >> getting harder and harder to follow.
> >> >>
> >> >> If this is in reference to the apache logs question and response: If
> >> >> you know where the configuration is, you shouldn't have any problems
> >> >> changing the configuration to match reality. Find the entries for the
> >> >> files that do not exist, and modify them so they reference files that
> >> >> do exist. Then restart OSSEC.
> >> >>
> >> >> > I am the one who set it up; during setup it did not ask for active response
> >> >>
> >> >> Yes it did ask. But I didn't see it disabled in your ossec.conf, so
> >> >> it's probably enabled.
> >> >>
> >> >> > activation? How do I decide based on the ossec.conf whether the active
> >> >> > response is on or off? The ossec-execd is running. Yes, this file exists:
> >> >>
> >> >> I believe AR is enabled, unless expressly disabled.
> >> >>
> >> >> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt. How do you want me to test
> >> >> > it?
> >> >> >
> >> >>
> >> >> Add it to the ossec.conf as a system_audit file. You'll have to modify
> >> >> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
> >> >> of 5, but that shouldn't be difficult.
> >> >>
> >> >> > Regards,
> >> >> > Frwa.
> >> >> >
> >> >> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote:
> >> >> >> > Dear Dan,
> >> >> >> > I have attached my ossec.conf file. Yes, for the first problem
> >> >> >> > I have known where the settings for the /var/www/log/access_log and
> >> >> >>
> >> >> >> Then I'm not sure why you asked how to change the entries.
> >> >> >>
> >> >> >> > error_log are. For your next question, I am not sure how you determine
> >> >> >> > the rootcheck? I am using CentOS 6.5 (Final). Also how to determine if the
> >> >> >> > active
> >> >> >>
> >> >> >> You look in the ossec.conf. I'll have to go through the source to find
> >> >> >> out what the error is complaining about.
> >> >> >>
> >> >> >> > response is being used? Should I comment it out to turn it off?
> >> >> >> >
> >> >> >>
> >> >> >> You should ask your administrator if they disabled it, either during
> >> >> >> or post installation.
> >> >> >> It doesn't look like it, based on the ossec.conf.
> >> >> >> Is ossec-execd running?
> >> >> >>
> >> >> >> > Regards,
> >> >> >> > Frwa.
> >> >> >> >
> >> >> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote:
> >> >> >> >> > Dear All,
> >> >> >> >> > I saw this in my log file of ossec. For my case it's
> >> >> >> >> > /var/www/log, not logs. How do I change this?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> These configurations are in /var/ossec/etc/ossec.conf on the system
> >> >> >> >> generating the errors.
> >> >> >> >>
> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
> >> >> >> >> >
> >> >> >> >> > Also saw this. How do I configure the system audit file? Is it a must here?
> >> >> >> >> >
> >> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
> >> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
> >> >> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured.
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> What is your rootcheck configuration? What OS is the system generating
> >> >> >> >> the error?
> >> >> >> >>
> >> >> >> >> > Another error I saw was this.
> >> >> >> >> >
> >> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> >> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Are you using active response?
> >> >> >> >>
> >> >> >> >> > I need help on these few errors which I see and what I should
> >> >> >> >> > avoid?
> >> >> >> >> >
> >> >> >> >
> >> >> >
> >> >
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.