On 2014-09-15 10:17, MDACC-Luckie wrote:
All:
The standard deployment instructions in our group for installation of
the OSSEC (2.6) agents on servers are to set ACTIVE RESPONSE as
disabled. There is some question/concern by our management that this
was not done on all servers. Are there any options available for
checking each of our 600 servers to determine whether ACTIVE RESPONSE
is enabled or disabled (short of parsing conf files on each)?
Thanks
Luckie Ford

How about attempting to run restart-ossec.sh (or .cmd) by looping
through the output of ./bin/agent_control -lc and see who reports back
in?
Btw, I understand why they would want to have AR disabled, but I don't
recommend that approach. I think it's better to keep it enabled and have
no responses configured. Windows, at least, requires AR to be enabled in
order to restart the agent remotely. And if you ever have a major
incident you will be prepared to respond with AR enabled.
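The loop suggested in the reply above, written out as an added example that is not part of the original thread. It assumes a default manager install under /var/ossec, that `agent_control -R <id>` sends the remote restart, and that a restarted agent logs an "Agent started" message in the manager's alerts.log; the function names, the 300-second wait and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find agents that ignore a remote restart (AR likely disabled).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"   # assumed default install path

# Constructed sample data in the assumed output formats (not real hosts).
SAMPLE_LC='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.11, Active
   ID: 002, Name: db01, IP: 10.0.0.12, Active'
SAMPLE_ALERT="ossec: Agent started: 'web01->10.0.0.11'."

# Print "ID NAME" for each agent in `agent_control -lc` output on stdin,
# skipping ID 000 (the manager itself).
connected_agents() {
    sed -n 's/^ *ID: \([0-9][0-9]*\), Name: \([^,]*\),.*/\1 \2/p' |
        grep -v '^000 '
}

# Send a restart request to every agent listed as "ID NAME" on stdin.
restart_agents() {
    while read -r id name; do
        "$OSSEC_DIR/bin/agent_control" -R "$id" </dev/null >/dev/null ||
            echo "restart request failed for $id ($name)" >&2
    done
}

# $1: file of "ID NAME" lines, $2: file of manager alert text.
# Print the agents with no "Agent started" message, i.e. no report back.
silent_agents() {
    while read -r id name; do
        grep -qF "Agent started: '$name->" "$2" || echo "$id $name"
    done < "$1"
}

if [ "${1:-}" = "--run" ]; then
    alerts="$OSSEC_DIR/logs/alerts/alerts.log"
    list=$(mktemp); fresh=$(mktemp)
    "$OSSEC_DIR/bin/agent_control" -lc | connected_agents > "$list"
    before=$(wc -l < "$alerts")        # only look at alerts written after this point
    restart_agents < "$list"
    sleep "${WAIT:-300}"               # give agents time to restart and reconnect
    tail -n +"$((before + 1))" "$alerts" > "$fresh"
    echo "No restart seen (active response likely disabled):"
    silent_agents "$list" "$fresh"
    rm -f "$list" "$fresh"
fi
```

Run it on the manager as `sh script.sh --run`; an agent in the final list may also simply have been slow to reconnect, so confirm against its ossec.conf before reporting it.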