On Fri, Jun 17, 2016 at 2:46 PM, JDS <j...@blispay.com> wrote:
> Hi, everyone. First off, thanks to atomicturtle for helping me in IRC. And
> thanks to dcid for replying to my tweet, that was pretty awesome. I think it
> might be better to post my questions here, though, for posterity and maybe
> to help others.
>
> Mind you, I've googled my pants off and now I'm stumped. I'll try to be as
> concise yet informative as possible with my questions.
>
> Q1: I can't seem to get 'agent_control -r -u <agentid>' to work.  It seems
> like maybe it is working, but it could just be coincidence.
>  - Is there a refractory period before rootcheck will restart on an agent?

It probably won't start right away, but should start shortly.

>  - The docs say active-response must be enabled, but they don't say in what
> specific way AR needs to be enabled. Is there a special command file I need
> to craft to enable AR for agent_control to work?
>

I don't think there's a specific script or anything that needs to be enabled.

>
> Q2: Is there any additional documentation anywhere on the format of the
> "rcl" files? There's docs in the header of the existing files, but they are
> incomplete. For example, I get this error:
>
> ERROR: Invalid rk configuration value: '$sshd_file=/etc/ssh/sshd_config;'
>
> But as near as I can tell, I'm using the variable the same way as the
> existing rcl files.
>
> My config that produces this error is copied verbatim from here:
> http://blog.wazuh.com/root-user-access-monitoring-with-ossec/
>

I'm not aware of any official documentation that's not on the site.

>
> Q3: Can one have multiple <system_audit> files declared in the rootcheck
> section? How do they compile together? (i.e. do they all get used, or is it
> last one, or first one only? etc)
>

I believe they'll all be used, but it's not a feature I've tested very much.

>
> I definitely have other questions but I'll ask them separately.
>
> Thanks!
> -JDS
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

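Added example (not from this thread and not OSSEC's own code): a small Python linter for the rcl layout used by the system_audit files OSSEC ships, where variables look like "$name=value;", section headers like "[Title] [any|all] [reference]" and checks like "type:target -> condition;". The grammar is an informal reading of those shipped files, not rootcheck's parser, so the lines rootcheck itself rejects with "Invalid rk configuration value" may differ; the rule that a variable must be defined before it is used is an assumption. The sample rcl text at the bottom is constructed for the example, with its last four lines deliberately wrong so the output shows what gets flagged (a variable line without the trailing semicolon, a header missing its reference bracket, a check with no semicolon, a check using an undefined variable).

```python
"""Lint an OSSEC rootcheck "rcl" (system_audit) file before shipping it.

Added example; not code from the thread or from OSSEC. The grammar is an
informal reading of the rcl files shipped with OSSEC (system_audit_rcl.txt and
the cis_*_rcl.txt files), not the rootcheck parser, so which lines rootcheck
itself rejects may differ. Assumed shape:

  $name=value[,value...];              variable, defined before first use
  [Title] [any|all[ required]] [ref]   section header
  type:target[ -> cond[ && cond]...];  check, type one of f d p r
"""
import re
import sys

VAR_RE = re.compile(r"^\$([A-Za-z0-9_.]+)=([^;]+);$")
HEADER_RE = re.compile(r"^\[([^\]]+)\]\s*\[(any|all)(?: required)?\]\s*\[([^\]]*)\]$")
CHECK_RE = re.compile(r"^([fdpr]):(.+);$")
VAR_REF_RE = re.compile(r"\$([A-Za-z0-9_.]+)")


def lint_rcl(text):
    """Return (problems, sections).

    problems: list of (line_number, message) for lines that do not fit the
    assumed grammar or that reference an undefined $variable.
    sections: dict mapping section title -> list of well-formed check lines.
    """
    problems, sections, variables = [], {}, {}
    current = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).split(",")
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if line[0] in "[$":
            # Looks like a header or a variable but did not match: usually a
            # missing trailing ';' or a missing [reference] bracket.
            problems.append((no, "malformed header or variable: %r" % line))
            continue
        m = CHECK_RE.match(line)
        if not m:
            problems.append((no, "malformed check, expected type:target ... ;: %r" % line))
            continue
        if current is None:
            problems.append((no, "check appears before any [section] header"))
            continue
        for name in VAR_REF_RE.findall(m.group(2)):
            if name not in variables:
                problems.append((no, "undefined variable $%s" % name))
        sections[current].append(line)
    return problems, sections


# Constructed sample, not a file shipped with OSSEC; the last four lines are
# deliberately wrong to show what the linter reports.
SAMPLE_RCL = r"""# constructed sample rcl
$sshd_file=/etc/ssh/sshd_config;

[SSH Configuration - 1: Root can log in] [any] [1]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;

[SSH Configuration - 2: Protocol 1 allowed] [any] [2]
f:$sshd_file -> !r:^# && r:Protocol\.+1;
f:$ssh_config -> r:Protocol\.+1;
$late_var=/etc/ssh
[Broken header] [any]
f:/etc/ssh/sshd_config -> r:UsePAM no
"""


if __name__ == "__main__":
    # Usage: python lint_rcl.py [path/to/custom_rcl.txt]; defaults to the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RCL
    found, secs = lint_rcl(src)
    print("%d section(s), %d problem(s)" % (len(secs), len(found)))
    for no, msg in found:
        print("line %d: %s" % (no, msg))
```

Run it over a custom rcl file before pointing a <system_audit> entry at it; a clean run only means the file matches the layout of the shipped examples, so rootcheck's own error output on the agent or manager is still the final word.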