On Thu, Jul 28, 2016 at 11:25 AM, Dominik <[email protected]> wrote:
> Dear all
> somehow I'm missing something fundamental on Active Response - it just does
> not work for me.
>
> I'm working on an ubuntu ossec server V2.8.3
>
> I want to run an active response on rule 2902. So I changed the
> configuration the following way:
>
> <command>
>   <name>purge-integrity</name>
>   <executable>purge-integrity.sh</executable>
>   <expect />
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <!-- Active Response Config -->
> <active-response>
>   <disabled>no</disabled>
>   <command>purge-integrity</command>
>   <location>server</location>
>   <rules_id>2902</rules_id>
> </active-response>
>
> Since I want to run the script on the server, I just modified the ossec
> server.
>
> I created a script with exec rights:
>> ls -l active-response/bin/purge-integrity.sh
> -rwxr-xr-x 1 root ossec 363 Jul 28 16:31 active-response/bin/purge-integrity.sh
>
> The script creates a simple entry in logs/active-responses.log:
>> active-response/bin/purge-integrity.sh
>> cat logs/active-responses.log
> Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
>
> After restarting ossec, the active response appears to be available:
>> bin/agent_control -L
>
> OSSEC HIDS agent_control. Available active responses:
>
>    Response name: purge-integrity0, command: purge-integrity.sh
>
> (why is there a 0 after purge-integrity?)
>
> It also appears possible to start the response:
>> bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity
>
> OSSEC HIDS agent_control: Running active response 'purge-integrity' on: 000
>
>> bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity0
>
> OSSEC HIDS agent_control: Running active response 'purge-integrity0' on: 000
>
> However, the script is not called and the active-responses.log remains
> unchanged (similarly, nothing happens if rule 2902 fires):
> cat logs/active-responses.log
> Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
>
> I set the agent to run in debug mode (agent.debug=2 in
> internal_options.conf) but do not see related messages in logs/ossec.log
>
> At this point, I'm out of ideas on how to further track this down. So, how
> do I go about further debugging this?
>

Is ossec-execd running? Do you use the full paths for files in the script?

> While I'm posting this problem, I can also share the broader idea:
> The messages about changing integrity checksums on every update make it
> hard to detect real issues. To avoid these messages, I had the following
> idea:
>
> rule 2902 is triggered when software is installed. I can use active response
> to remember the system on which new software is installed. After some delay,
> I would then (for example with a cron job) run
> /var/ossec/bin/syscheck_control -u AGENT_ID
>
> as suggested on the FAQ:
> http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/#how-do-i-stop-syscheck-alerts-during-system-updates
>
> Does anybody have experience with connecting rule 2902 to purging the
> database with integrity check sums?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
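The reply's two questions (is ossec-execd running, and does the script use full paths) are the usual reasons a server-side response "does nothing". The script below is an added illustration written for this thread; it is not Dominik's purge-integrity.sh and not part of the OSSEC project. It assumes the default /var/ossec install prefix (overridable through AR_LOG), that ossec-execd invokes a response as `<script> <action> <user> <srcip> <alert-id> <rule-id>` with action "add" when the rule fires, and that pgrep lives at /usr/bin/pgrep. Every path is absolute, so the log line ends up in logs/active-responses.log regardless of the working directory execd starts the script with, and the arguments are recorded so a fired response is distinguishable from a manual run.

```shell
#!/bin/sh
# Example OSSEC active-response script (illustration for the thread, not the
# project's code). ossec-execd runs a response as:
#   <script> <action> <user> <srcip> <alert-id> <rule-id>
# where <action> is "add" when the rule fires. A command declared with
# <timeout_allowed>no</timeout_allowed> never receives the "delete" action.
# Only absolute paths are used: execd gives the script no useful working
# directory, so a relative "logs/..." path silently lands somewhere else.

# Assumed default install prefix; AR_LOG may be overridden in the environment.
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Build one log line from the arguments execd supplied.
# $1 action, $2 user, $3 source ip, $4 alert id, $5 rule id
format_entry() {
    printf '%s %s action=%s user=%s srcip=%s alert=%s rule=%s\n' \
        "$(/bin/date '+%a %b %d %T %Z %Y')" "$0" \
        "${1:--}" "${2:--}" "${3:--}" "${4:--}" "${5:--}"
}

# Append the line to the response log.
log_entry() {
    format_entry "$@" >> "$AR_LOG"
}

# Only the "add" action means "the rule just fired"; anything else is
# logged (above) and otherwise ignored.
should_act() {
    [ "$1" = "add" ]
}

# Returns 0 when ossec-execd, the daemon that launches responses, is running.
# If it is not, no response is ever executed, however correct ar.conf looks.
execd_running() {
    /usr/bin/pgrep -x ossec-execd >/dev/null 2>&1
}

main() {
    log_entry "$@"
    should_act "$1" || exit 0
    # Real work goes here, e.g. recording the alert id for a later
    # syscheck_control purge; the log line above is enough to prove the
    # response path works end to end.
    exit 0
}

# execd always passes arguments. Run with none, the file only defines the
# functions, which makes it easy to source and test by hand.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

To test the response path without waiting for rule 2902, call the script exactly the way execd would, as root, e.g. `/var/ossec/active-response/bin/purge-integrity.sh add - 1.2.3.4 1 2902`, then check the log; if that works but a real alert does not, confirm with `pgrep -x ossec-execd` that the daemon is up before looking further.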
