Yes, I created it with the same owner/rights as the default active
response scripts:

[root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh
-r-xr-x--- 1 root ossec 59 Oct  8 08:49 /var/ossec/active-response/bin/restart.sh

Can some other config files or logs help to debug?

On Tuesday, October 13, 2015 at 13:29:48 UTC+2, dan (ddpbsd) wrote:

> On Tue, Oct 13, 2015 at 4:57 AM, Kévin Printz <[email protected]> wrote:
> > Hello @dan
> >
> > Thank you for your answer.
> >
> > Yes, it seems that ossec-execd is running on my agent:
> > [root@hostname etc]# ps -edf | grep ossec-exec[d]
> > root     20235     1  0 08:36 ?        00:00:00 /var/ossec/bin/ossec-execd
> >
> > And yes, the restart.sh is listed on the agent:
> > [root@hostname etc]# cat /var/ossec/etc/shared/ar.conf
> > 3restart-ossec0 - restart-ossec.sh - 0
> > restart-ossec0 - restart-ossec.cmd - 0
> > restart-ossec0 - restart-ossec.sh - 0
> > restart0 - restart.sh - 0
> > restart-remoted0 - check_process.sh - 0
> >
> > But the script doesn't start on my agent that triggered the rule. (I tried
> > to make an echo in a file to debug, but nothing happened ...). Any ideas on
> > why?
> >
>
>
> Does the script exist on the agent, and is it executable?
>
> > Thanks,
> > Kevin
> >
> > On Friday, October 9, 2015 at 13:35:37 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz <[email protected]> wrote:
> >> > Hello (again)
> >> >
> >> > I made other tests to try to understand why it's not working. If I set up
> >> > the <localfile> section in my server ossec.conf file, and I try to stop
> >> > the NTPD process on my server, the rule is fired, and the active response
> >> > is executed on my server.
> >> > But when the rule is fired by the agent, the active response is never
> >> > executed (neither on the server nor on the agent).
> >> >
> >>
> >> Is ossec-execd running on the agent?
> >> Make sure the restart.sh is listed in the
> >> /var/ossec/etc/shared/ar.conf file on the agent.
> >>
> >> > Any ideas?
> >> > Thanks,
> >> > Kevin.
> >> >
> >> > On Tuesday, October 6, 2015 at 16:02:34 UTC+2, Kévin Printz wrote:
> >> >>
> >> >> Hi!
> >> >>
> >> >> I have an OSSEC server, connected with a remote agent. And I want to
> >> >> have an active response set up on the agent, according to a process
> >> >> state change.
> >> >> For instance, I have an ntpd process running on my agent, and I want to
> >> >> start it if the process changes to the stopped state (using the service
> >> >> command - it's only for a test in order to realize a POC).
> >> >>
> >> >> So, I set up the following configuration in my ossec.conf file on the
> >> >> agent side:
> >> >> <localfile>
> >> >>     <log_format>full_command</log_format>
> >> >>     <command>service ntpd status</command>
> >> >> </localfile>
> >> >>
> >> >> And, for the test, I created a script to start the ntpd service:
> >> >> [root@agenthostname scripts]# ll /var/ossec/active-response/bin/restart.sh
> >> >> -r-xr-x--- 1 root ossec 40 Oct  6 13:33 /var/ossec/active-response/bin/restart.sh
> >> >>
> >> >> [root@agenthostname scripts]# cat /var/ossec/active-response/bin/restart.sh
> >> >> #!/bin/bash
> >> >> service ntpd start
> >> >> exit 0
> >> >>
> >> >> Then, on the server side, I set up the following rule:
> >> >>   <rule id="90000" level="7">
> >> >>     <if_sid>530</if_sid>
> >> >>     <match>ossec: output: 'service ntpd status</match>
> >> >>     <check_diff />
> >> >>     <description>ntpd change state - starting it</description>
> >> >>   </rule>
> >> >>
> >> >> And, in the ossec.conf on the server, I set up the following command and
> >> >> active response:
> >> >>   <command>
> >> >>     <name>restart</name>
> >> >>     <executable>restart.sh</executable>
> >> >>     <expect></expect>
> >> >>   </command>
> >> >>   <active-response>
> >> >>     <command>restart</command>
> >> >>     <location>local</location>
> >> >>     <rules_id>90000</rules_id>
> >> >>   </active-response>
> >> >>
> >> >> So, when I stop the ntpd process on the server, some time later I get the
> >> >> following message in my server alerts file:
> >> >> ==> /var/ossec/logs/alerts/alerts.log <==
> >> >> ** Alert 1444138866.25874: mail  - ossec,
> >> >> 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
> >> >> Rule: 90000 (level 7) -> 'automatic restart of agent to load new configuration'
> >> >> ossec: output: 'service ntpd status':
> >> >> ntpd is stopped
> >> >> Previous output:
> >> >> ossec: output: 'service ntpd status':
> >> >> ntpd (pid  1418) is running...
> >> >>
> >> >> So, the rule is detected, but that's all. The active response doesn't
> >> >> start on my agent. (The NTPD process is still stopped, and nothing
> >> >> appears in the client /var/ossec/logs/active-responses.log file ...)
> >> >> Perhaps I have made a mistake in the active response setup?
> >> >>
> >> >> Thank you,
> >> >> Kevin
> >> >>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
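As an added example (written for this page; it is neither Kevin's restart.sh nor one of OSSEC's stock scripts), here is a restart script shaped the way the scripts shipped in /var/ossec/active-response/bin are: ossec-execd invokes an active-response script as `script <action> <user> <srcip> <alert-id> <rule-id>` (`add` when the rule fires, `delete` when a timeout expires), and the stock scripts append their own line to logs/active-responses.log, since nothing else writes that file. A script that never logs there, like the three-line one in the thread, leaves active-responses.log empty even on a run that worked, so the log cannot be used to tell "not executed" from "executed silently". The `ar_check_script` helper covers the two conditions dan asks about (listed in the agent's shared ar.conf, present and executable). The environment overrides (`AR_LOG`, `SERVICE_NAME`, `START_CMD`) and the helper are assumptions of this example, not OSSEC features; they exist so the functions can be exercised on a host without OSSEC.

```shell
#!/bin/sh
# Added example, not part of the thread or of OSSEC's own scripts.
# Two things an active-response script for OSSEC should do, following how the
# stock scripts in /var/ossec/active-response/bin behave:
#   1. accept the arguments ossec-execd passes:
#        <action> <user> <srcip> <alert-id> <rule-id>
#      ("add" when the rule fires, "delete" when the timeout expires);
#   2. append its own line to logs/active-responses.log, because that file is
#      written by the scripts themselves, not by ossec-execd.
# The environment overrides below are an assumption of this example so the
# functions can be exercised on a non-OSSEC host; they are not an OSSEC feature.

AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
SERVICE_NAME="${SERVICE_NAME:-ntpd}"
START_CMD="${START_CMD:-service $SERVICE_NAME start}"

# Append one timestamped line to the active-responses log, like the stock scripts do.
ar_log() {
    echo "$(date) $0 $*" >> "$AR_LOG"
}

# Handle one ossec-execd invocation. Returns 0 on success, 1 if the service
# failed to start, 2 on an unknown action.
ar_handle() {
    action="$1"
    ar_log "$@"                       # record exactly what execd passed us
    case "$action" in
        add)
            if sh -c "$START_CMD"; then
                ar_log "started $SERVICE_NAME"
                return 0
            fi
            ar_log "failed to start $SERVICE_NAME"
            return 1
            ;;
        delete)
            return 0                  # nothing to undo for a restart
            ;;
        *)
            ar_log "invalid action: $action"
            return 2
            ;;
    esac
}

# Pre-flight check for the two conditions asked about in the thread: the script
# is listed in the agent's shared ar.conf ("<name>0 - <script> - 0" lines) and
# exists in the bin directory with the execute bit set.
# Usage: ar_check_script <ar.conf> <bin dir> <script name>
ar_check_script() {
    conf="$1"; bindir="$2"; name="$3"
    grep -qF -- "- $name - " "$conf" || { echo "$name not listed in $conf"; return 1; }
    [ -x "$bindir/$name" ] || { echo "$bindir/$name missing or not executable"; return 1; }
    echo "$name is listed in $conf and executable"
    return 0
}

# Act only when invoked the way ossec-execd invokes active-response scripts.
case "${1:-}" in
    add|delete) ar_handle "$@" ;;
esac
```

Installed as /var/ossec/active-response/bin/restart.sh with the same `root:ossec` ownership and `0550` mode as the stock scripts, every invocation by ossec-execd leaves a line in /var/ossec/logs/active-responses.log, which is the first thing to look at when deciding whether the response reached the agent at all.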