On Thursday, July 28, 2016 at 17:51:23 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Jul 28, 2016 at 11:25 AM, Dominik <[email protected]> wrote: 
> > Dear all 
> > somehow I'm missing something fundamental on Active Response - it just does 
> > not work for me. 
> > 
> > I'm working on an ubuntu ossec server V2.8.3 
> > 
> > I want to run an active response on rule 2902. So I changed the 
> > configuration the following way: 
> > 
> >   <command> 
> >     <name>purge-integrity</name> 
> >     <executable>purge-integrity.sh</executable> 
> >     <expect /> 
> >     <timeout_allowed>no</timeout_allowed> 
> >   </command> 
> > 
> > 
> >   <!-- Active Response Config --> 
> >   <active-response> 
> >     <disabled>no</disabled> 
> >     <command>purge-integrity</command> 
> >     <location>server</location> 
> >     <rules_id>2902</rules_id> 
> >   </active-response> 
> > 
> > 
> > 
> > Since I want to run the script on the server, I just modified the ossec 
> > server. 
> > 
> > I created a script with exec rights: 
> >> ls -l active-response/bin/purge-integrity.sh 
> > -rwxr-xr-x 1 root ossec 363 Jul 28 16:31 
> > active-response/bin/purge-integrity.sh 
> > 
> > 
> > 
> > The script creates a simple entry in logs/active-responses.log: 
> >> active-response/bin/purge-integrity.sh 
> >> cat logs/active-responses.log 
> > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh 
> > 
> > 
> > 
> > After restarting ossec, the active response appears to be available: 
> >> bin/agent_control -L 
> > 
> > 
> > OSSEC HIDS agent_control. Available active responses: 
> > 
> >    Response name: purge-integrity0, command: purge-integrity.sh 
> > 
> > 
> > 
> > (why is there a 0 after purge-integrity?) 
> > 
> > It also appears possible to start the response: 
> >> bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity 
> > 
> > OSSEC HIDS agent_control: Running active response 'purge-integrity' on: 000 
> > 
> >>bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity0 
> > 
> > OSSEC HIDS agent_control: Running active response 'purge-integrity0' on: 000 
> > 
> > 
> > 
> > However, the script is not called and the active-responses.log remains 
> > unchanged (similarly, nothing happens if rule 2902 fires): 
> > cat logs/active-responses.log 
> > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh 
> > 
> > 
> > 
> > I set the agent to run in debug mode (agent.debug=2 in 
> > internal_options.conf) but do not see related messages in logs/ossec.log 
> > 
> > At this point, I'm out of ideas on how to further track this down. So, how 
> > do I go about further debugging this? 
> > 
>
> Is ossec-execd running? 
>

Yes, it is:
> ps -A | grep ossec
64637 ?        00:00:00 ossec-maild
64641 ?        00:00:00 ossec-execd
64645 ?        00:00:21 ossec-analysisd
64649 ?        00:00:01 ossec-logcollec
64654 ?        00:00:18 ossec-remoted
64660 ?        00:00:10 ossec-syscheckd
64663 ?        00:00:06 ossec-monitord



 

> Do you use the full paths for files in the script? 
>

Not for the binaries - but otherwise yes:

#!/bin/bash
# Deletes the checksum table for the integrity upon installs
# Author: Dominik Reusser

# Argument order as passed by ossec-execd
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
AGENT=$6
FILENAME=$7

# Move from active-response/bin up to active-response, so that ../logs
# resolves to the OSSEC logs directory (BASE instead of overwriting the
# shell's own PWD variable)
LOCAL=$(dirname "$0")
cd "$LOCAL"
cd ../
BASE=$(pwd)

echo "Hello world" >> /var/ossec/test.log

# Logging the call
echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${BASE}/../logs/active-responses.log"





> > 
> > While I'm posting this problem, I can also share the broader idea: 
> > The messages about changing integrity checksums on every update makes it 
> > hard to detect real issues. To avoid these messages, I had the following 
> > idea: 
> > 
> > rule 2902 is triggered when software is installed. I can use active response 
> > to remember the system on which new software is installed. After some delay, 
> > I would then (for example with a cron job) run 
> >  /var/ossec/bin/syscheck_control -u AGENT_ID 
> > 
> > as suggested on the FAQ: 
> > 
> http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/#how-do-i-stop-syscheck-alerts-during-system-updates
>  
> > 
> > Does anybody have experience with connecting rule 2902 to purging the 
> > database with integrity check sums? 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/d/optout. 
>

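The "broader idea" quoted above (remember the agent on which rule 2902 fired, then purge its syscheck database after a delay with syscheck_control -u) as an added example script; it is not code from the thread or from the OSSEC project. The queue file path, the syscheck_control path, the delay, and the use of argument $6 as the agent id are assumptions; adjust them to your installation.

```sh
#!/bin/sh
# Added example, not from the thread: queue the agent that rule 2902 fired on,
# then purge its syscheck database later, once the update has finished.
# QUEUE, SYSCHECK_CONTROL and DELAY are assumed defaults; override via env.

QUEUE="${QUEUE:-/var/ossec/var/pending-syscheck-purge}"
SYSCHECK_CONTROL="${SYSCHECK_CONTROL:-/var/ossec/bin/syscheck_control}"
DELAY="${DELAY:-3600}"   # seconds between the alert and the purge

# Active-response entry point. OSSEC calls the script as:
#   script <action> <user> <srcip> <alert_id> <rule_id> <agent> <filename>
# Assumes $6 can be used as the agent id that syscheck_control -u expects.
record_agent() {
  action="$1"; agent="$6"
  [ "$action" = "add" ] || return 0     # ignore "delete" calls from timeouts
  [ -n "$agent" ] || return 1
  printf '%s %s\n' "$(date +%s)" "$agent" >> "$QUEUE"
}

# Cron entry point: purge agents queued longer than DELAY, keep the rest.
# Prints each purged agent id, one per line.
flush_queue() {
  [ -f "$QUEUE" ] || return 0
  cutoff=$(( $(date +%s) - DELAY ))
  keep="$QUEUE.keep"
  : > "$keep"
  while read -r ts agent; do
    if [ "$ts" -le "$cutoff" ]; then
      "$SYSCHECK_CONTROL" -u "$agent" < /dev/null
      echo "$agent"
    else
      printf '%s %s\n' "$ts" "$agent" >> "$keep"
    fi
  done < "$QUEUE"
  mv "$keep" "$QUEUE"
}

# "flush" when run from cron; any other argument list is an active-response call.
if [ "$#" -gt 0 ]; then
  if [ "$1" = "flush" ]; then flush_queue; else record_agent "$@"; fi
fi
```

Install the script under active-response/bin and reference it from a <command> block like the one quoted above; the cron job then runs it with the single argument flush.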