On Fri, Jan 31, 2014 at 10:33 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> I think the CIS benchmark is working because immediately I received some
> email like below. I changed the release to 6 but here it's still pointing to
> 5 and the reference http links are all not working. Can you briefly tell me
> what action I must take based on these emails?
>

No, that's up to you and your security team to decide.

> OSSEC HIDS Notification.
> 2014 Jan 31 16:43:56
>
> Received From: pro1->rootcheck
> Rule: 516 fired (level 3) -> "System Audit event."
> Portion of the log(s):
>
> System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
>
> --END OF NOTIFICATION
>
>
> OSSEC HIDS Notification.
> 2014 Jan 31 16:43:56
>
> Received From: pro1->rootcheck
> Rule: 516 fired (level 3) -> "System Audit event."
> Portion of the log(s):
>
> System Audit: CIS - RHEL5 5.1 - Network parameters - ICMP redirects accepted. File: /proc/sys/net/ipv4/conf/all/accept_redirects. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
>
> --END OF NOTIFICATION
>
>
> OSSEC HIDS Notification.
> 2014 Jan 31 16:43:56
>
> Received From: pro1->rootcheck
> Rule: 516 fired (level 3) -> "System Audit event."
> Portion of the log(s):
>
> System Audit: CIS - RHEL5 5.1 - Network parameters - ICMP secure redirects accepted. File: /proc/sys/net/ipv4/conf/all/secure_redirects. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
>
> --END OF NOTIFICATION
>
> I have ensured the ossec-execd is working fine, no issues with that. For the
> permissions I see these as the current settings:
> srw-rw---- 1 ossecr ossec 0 Jan 31 16:17 ar
>
> I saw this as the latest entry in my ossec.log:
> 2014/01/31 22:42:53 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
> How to ensure AR is set up for the server?

That command is for Windows systems only. If AR is working for you, ignore the errors. Not sure why they would be displaying, but I don't have any troubleshooting ideas at the moment.

> I can see this in my ossec.conf:
>
> <!-- Active Response Config -->
> <active-response>
>   <!-- This response is going to execute the host-deny
>      - command for every event that fires a rule with
>      - level (severity) >= 6.
>      - The IP is going to be blocked for 600 seconds.
>   -->
>   <command>host-deny</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> Regards,
> Frwa.
>
> On Friday, January 31, 2014 10:20:28 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Fri, Jan 31, 2014 at 3:32 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > OK, I will not comment out the <active-response>; in fact it was a good
>> > thing: enabling it with the proper httpd log helped me in terms of a
>> > php-cgi attack today, and I can see a new log file active-responses.log.
>> > Secondly, with regard to the system_audit, I managed it and there are no
>> > more errors on it now. Actually, what will the system_audit do in reality?
>> > Lastly I got this error
>>
>> That file is supposed to go through the CIS benchmarks for RHEL 5.
>>
>> > still left there:
>> > 2014/01/31 16:18:01 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> > 2014/01/31 16:18:01 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> > Are they supposed to be waiting for some agents? Thank you very much for
>> > the support and kind help.
>>
>> I'm not sure why you are getting that error. I'd make sure ossec-execd
>> is running on the OSSEC server, check permissions of the files in
>> question, and restart the processes. Maybe you don't have AR set up for
>> the server?
>>
>> > Regards,
>> > Frwa.
>> >
>> > On Friday, January 31, 2014 1:28:45 AM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jan 30, 2014 at 11:19 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> > So what is your best advice: should I comment out this
>> >> > <active-response> </active-response> to stop active response? I added
>> >>
>> >> No, probably not. I'd probably try and track down the original problem
>> >> and fix that.
>> >>
>> >> > this line
>> >> >
>> >> > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> >> >
>> >> > and when I tried to restart my ossec it gives me: Ossec analysisd:
>> >> > Testing rules failed. Configuration error. Exiting. Over in the
>> >> > cis_rhel5_linux_rcl.txt I
>> >>
>> >> Are there any additional logs in ossec.log? Did you add it to the
>> >> correct section of the ossec.conf?
>> >>
>> >> > changed these two lines: 1) Red Hat Enterprise Linux \S+ release 6 and
>> >> > 2) CentOS && r:release 6.5.
>> >> >
>> >>
>> >> I'll assume this is correct for now.
>> >>
>> >> I don't have time to hand-hold you through all of this. Hopefully
>> >> someone else does, or you can find someone with the technical skills
>> >> to help.
>> >>
>> >> > Regards,
>> >> > Frwa.
>> >> >
>> >> > On Thursday, January 30, 2014 11:26:15 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Thu, Jan 30, 2014 at 10:20 AM, frwa onto <[email protected]> wrote:
>> >> >> > Dear Dan,
>> >> >> > You said look into ossec.conf; what do I look for to diagnose this?
>> >> >>
>> >> >> I don't understand what this is in reference to. These emails are
>> >> >> getting harder and harder to follow.
>> >> >>
>> >> >> If this is in reference to the apache logs question and response: if
>> >> >> you know where the configuration is, you shouldn't have any problems
>> >> >> changing the configuration to match reality. Find the entries for the
>> >> >> files that do not exist, and modify them so they reference files that
>> >> >> do exist. Then restart OSSEC.
>> >> >>
>> >> >> > I am the one who set it up; during setup it did not ask for active response
>> >> >>
>> >> >> Yes it did ask. But I didn't see it disabled in your ossec.conf, so
>> >> >> it's probably enabled.
>> >> >>
>> >> >> > activation? How to decide based on the ossec.conf whether the active
>> >> >> > response is on or off? The ossec-execd is running. Yes, this file exists:
>> >> >>
>> >> >> I believe AR is enabled, unless expressly disabled.
>> >> >>
>> >> >> > /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt; how do you want me to
>> >> >> > test it?
>> >> >> >
>> >> >>
>> >> >> Add it to the ossec.conf as a system_audit file. You'll have to modify
>> >> >> the cis_rhel5_linux_rcl.txt file to reference RHEL release 6 instead
>> >> >> of 5, but that shouldn't be difficult.
>> >> >>
>> >> >> > Regards,
>> >> >> > Frwa.
>> >> >> >
>> >> >> > On Wednesday, January 29, 2014 8:44:01 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Tue, Jan 28, 2014 at 10:43 PM, frwa onto <[email protected]> wrote:
>> >> >> >> > Dear Dan,
>> >> >> >> > I have attached my ossec.conf file. Yes, for the first problem
>> >> >> >> > I already know where the settings for the /var/www/log/access_log and
>> >> >> >>
>> >> >> >> Then I'm not sure why you asked how to change the entries.
>> >> >> >>
>> >> >> >> > error_log are. For your next question, I am not sure how you
>> >> >> >> > determine the rootcheck? I am using CentOS 6.5 (Final). Also, how to
>> >> >> >> > determine if the active
>> >> >> >>
>> >> >> >> You look in the ossec.conf. I'll have to go through the source to
>> >> >> >> find out what the error is complaining about.
>> >> >> >>
>> >> >> >> > response is being used? Should I comment it out to turn it off?
>> >> >> >> >
>> >> >> >>
>> >> >> >> You should ask your administrator if they disabled it, either during
>> >> >> >> or post installation.
>> >> >> >> It doesn't look like it, based on the ossec.conf.
>> >> >> >> Is ossec-execd running?
>> >> >> >>
>> >> >> >> > Regards,
>> >> >> >> > Frwa.
>> >> >> >> >
>> >> >> >> > On Tuesday, January 28, 2014 8:36:50 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Mon, Jan 27, 2014 at 11:29 PM, frwa onto <[email protected]> wrote:
>> >> >> >> >> > Dear All,
>> >> >> >> >> > I saw this in my log file of ossec. For my case it's
>> >> >> >> >> > /var/www/log, not logs. How to change this?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> These configurations are in /var/ossec/etc/ossec.conf on the system
>> >> >> >> >> generating the errors.
>> >> >> >> >>
>> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
>> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
>> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
>> >> >> >> >> > 2014/01/24 23:50:19 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
>> >> >> >> >> >
>> >> >> >> >> > Also saw this. How to configure the system audit file; is it a
>> >> >> >> >> > must here?
>> >> >> >> >> >
>> >> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
>> >> >> >> >> > 2014/01/24 23:48:03 ossec-analysisd: INFO: Started (pid: 1925).
>> >> >> >> >> > 2014/01/24 23:48:03 ossec-rootcheck: System audit file not configured.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> What is your rootcheck configuration? What OS is the system
>> >> >> >> >> generating the error?
>> >> >> >> >>
>> >> >> >> >> > Another error I saw was this.
>> >> >> >> >> >
>> >> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> >> >> > 2014/01/20 20:10:46 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Are you using active response?
>> >> >> >> >>
>> >> >> >> >> > I need help on these few errors which I see and what I should
>> >> >> >> >> > avoid?
>> >> >> >> >> >

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
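The confusion in this thread comes from how rootcheck's system-audit policy files are evaluated: editing the two `f:/etc/redhat-release -> r:...` entries changes which hosts the policy applies to, while the title and reference URL in every "System Audit:" notification are taken from the check's `[title] [condition] [reference]` header line, which the edit described above left untouched. The evaluator below is an added example, not OSSEC's code and not anything posted in this thread. It reimplements only the small subset of the RCL policy format that the thread touches (`$var=...;` variables, header lines, `f:path -> pattern;` entries with `r:` regex and `=:` exact terms joined by `&&`) and the `required` semantics as I understand them from the OSSEC source: a required check that does not match stops processing of the rest of the file, which is why an unmodified RHEL 5 policy produces no alerts at all on a CentOS 6.5 host. The policy excerpt, the variable name, the host file contents and the treatment of a bare pattern value as an exact line match are all constructed assumptions.

```python
"""Minimal, self-contained model of how OSSEC rootcheck evaluates a
system-audit (RCL) policy file.  Added example; not OSSEC's own code."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the style of cis_rhel5_linux_rcl.txt (not the real file).
RCL_RHEL5 = r"""
# The release check is "required": if it does not match, rootcheck stops
# reading this policy file, so no other CIS checks are evaluated.
$sysctl_redirects=/proc/sys/net/ipv4/conf/all/accept_redirects;

[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1] [any required] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;
f:/etc/redhat-release -> r:^CentOS && r:release 5.2;

[CIS - RHEL5 5.1 - Network parameters - ICMP redirects accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
f:$sysctl_redirects -> =:1;
"""

# The same excerpt after the edit made in the thread: only the two regex
# entries changed; the header line (title and reference URL) was not edited.
RCL_EDITED = RCL_RHEL5.replace("release 5;", "release 6;").replace("release 5.2;", "release 6.5;")

# Constructed snapshot of the relevant files on a CentOS 6.5 host that still
# accepts ICMP redirects (the condition the CIS 5.1 check alerts on).
CENTOS65_HOST = {
    "/etc/redhat-release": "CentOS release 6.5 (Final)\n",
    "/proc/sys/net/ipv4/conf/all/accept_redirects": "1\n",
}


@dataclass
class Check:
    name: str
    condition: str        # "any", "all", "any required", ...
    reference: str
    entries: list = field(default_factory=list)  # (path, pattern-or-None)


HEADER = re.compile(r"^\[(.+?)\]\s*\[(.+?)\]\s*\[(.+?)\]$")


def parse_rcl(text):
    """Parse variables, check headers and f: entries; expand $var in paths."""
    variables, checks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):                       # $name=value;
            name, _, value = line.rstrip(";").partition("=")
            variables[name] = value
            continue
        m = HEADER.match(line)
        if m:
            checks.append(Check(m.group(1), m.group(2).strip(), m.group(3)))
            continue
        if line.startswith("f:") and checks:           # f:path -> pattern;
            path, _, pattern = line[2:].rstrip(";").partition("->")
            path = variables.get(path.strip(), path.strip())
            checks[-1].entries.append((path, pattern.strip() or None))
    return checks


def _term_hit(term, line):
    """One '&&'-separated term against one line of the file."""
    negate = term.startswith("!")
    term = term[1:] if negate else term
    if term.startswith("r:"):
        hit = re.search(term[2:], line) is not None
    elif term.startswith("=:"):
        hit = line == term[2:]
    else:
        hit = line == term   # bare value: exact line match (assumption)
    return hit != negate


def _entry_hit(path, pattern, files):
    """f: entry matches if the file exists and some line satisfies all terms."""
    if path not in files:
        return False
    if pattern is None:
        return True                                    # existence check only
    terms = [t.strip() for t in pattern.split("&&")]
    return any(all(_term_hit(t, line) for t in terms)
               for line in files[path].splitlines())


def run_audit(rcl_text, files):
    """Return the 'System Audit:' notifications rootcheck would emit."""
    alerts = []
    for check in parse_rcl(rcl_text):
        hits = [p for p, pat in check.entries if _entry_hit(p, pat, files)]
        words = check.condition.split()
        fired = bool(hits) and (len(hits) == len(check.entries)
                                if "all" in words else True)
        if fired:
            alerts.append(f"System Audit: {check.name}. File: {hits[0]}. "
                          f"Reference: {check.reference} .")
        elif "required" in words:
            break   # required check did not match: skip the rest of the file
    return alerts


if __name__ == "__main__":
    for label, policy in (("unmodified RHEL 5 excerpt", RCL_RHEL5),
                          ("release regexes edited to 6 / 6.5", RCL_EDITED)):
        print(f"== {label} ==")
        for a in run_audit(policy, CENTOS65_HOST) or ["(no alerts: required release check failed)"]:
            print(a)
```

Run on the constructed CentOS 6.5 snapshot, the unmodified excerpt yields nothing, and the edited excerpt yields two notifications whose first line still reads "Testing against the CIS Red Hat Enterprise Linux 5 Benchmark" with the RHEL5 reference URL, exactly the symptom reported. To change the title or reference for a ported policy, the header line of each check has to be edited as well, not only the `f:` entries.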
