On Fri, Jul 29, 2016 at 2:50 AM, Dominik <[email protected]> wrote:
>
>
> On Thursday, July 28, 2016 at 17:51:23 UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Jul 28, 2016 at 11:25 AM, Dominik <[email protected]> wrote:
>> > Dear all
>> > somehow I'm missing something fundamental on Active Response - it just
>> > does not work for me.
>> >
>> > I'm working on an ubuntu ossec server V2.8.3
>> >
>> > I want to run an active response on rule 2902. So I changed the
>> > configuration the following way:
>> >
>> >   <command>
>> >     <name>purge-integrity</name>
>> >     <executable>purge-integrity.sh</executable>
>> >     <expect />
>> >     <timeout_allowed>no</timeout_allowed>
>> >   </command>
>> >
>> >
>> >   <!-- Active Response Config -->
>> >   <active-response>
>> >     <disabled>no</disabled>
>> >     <command>purge-integrity</command>
>> >     <location>server</location>
>> >     <rules_id>2902</rules_id>
>> >   </active-response>
>> >
>> >
>> >
>> > Since I want to run the script on the server, I just modified the ossec server.
>> >
>> > I created a script with exec rights:
>> >> ls -l active-response/bin/purge-integrity.sh
>> > -rwxr-xr-x 1 root ossec 363 Jul 28 16:31
>> > active-response/bin/purge-integrity.sh
>> >
>> >
>> >
>> > The script creates a simple entry in logs/active-responses.log:
>> >> active-response/bin/purge-integrity.sh
>> >> cat logs/active-responses.log
>> > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
>> >
>> >
>> >
>> > After restarting ossec, the active response appears to be available:
>> >> bin/agent_control -L
>> >
>> >
>> > OSSEC HIDS agent_control. Available active responses:
>> >
>> >    Response name: purge-integrity0, command: purge-integrity.sh
>> >
>> >
>> >
>> > (why is there a 0 after purge-integrity?)
>> >
>> > It also appears possible to start the response:
>> >> bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity
>> >
>> > OSSEC HIDS agent_control: Running active response 'purge-integrity' on:
>> > 000
>> >
>> >>bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity0
>> >
>> > OSSEC HIDS agent_control: Running active response 'purge-integrity0' on:
>> > 000
>> >
>> >
>> >
>> > However, the script is not called and the active-responses.log remains
>> > unchanged (similarly, nothing happens if rule 2902 fires):
>> > cat logs/active-responses.log
>> > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
>> >
>> >
>> >
>> > I set the agent to run in debug mode (agent.debug=2 in
>> > internal_options.conf) but do not see related messages in logs/ossec.log
>> >
>> > At this point, I'm out of ideas on how to further track this down. So,
>> > how do I go about further debugging this?
>> >
>>
>> Is ossec-execd running?
>
>
> Yes, it is:
>> ps -A | grep ossec
> 64637 ?        00:00:00 ossec-maild
> 64641 ?        00:00:00 ossec-execd
> 64645 ?        00:00:21 ossec-analysisd
> 64649 ?        00:00:01 ossec-logcollec
> 64654 ?        00:00:18 ossec-remoted
> 64660 ?        00:00:10 ossec-syscheckd
> 64663 ?        00:00:06 ossec-monitord
>
>
>
>
>>
>> Do you use the full paths for files in the script?
>
>
> Not for the binaries - but otherwise yes:
>

Try using the full paths. I don't know what the PATH is for the execd process.

> #!/bin/bash
> # Deletes the checksum table for the integrity upon installs
> # Author: Dominik Reusser
>
> ACTION=$1
> USER=$2
> IP=$3
> ALERTID=$4
> RULEID=$5
> AGENT=$6
> FILENAME=$7
>
> # Resolve the directory this script lives in and move to its parent
> LOCAL=$(dirname "$0")
> cd "$LOCAL" || exit 1
> cd ../ || exit 1
> PWD=$(pwd)
>
> echo "Hello world" >> /var/ossec/test.log
>
>
> # Logging the call (the redirect target was wrapped onto a second line by the mail client)
> echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log"
>
>
>
>
>>
>> >
>> > While I'm posting this problem, I can also share the broader idea:
>> > The messages about changing integrity checksums on every update makes it
>> > hard to detect real issues. To avoid these messages, I had the following
>> > idea:
>> >
>> > rule 2902 is triggered when software is installed. I can use active response
>> > to remember the system on which new software is installed. After some delay,
>> > I would then (for example with a cron job) run
>> >  /var/ossec/bin/syscheck_control -u AGENT_ID
>> >
>> > as suggested on the FAQ:
>> >
>> > http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/#how-do-i-stop-syscheck-alerts-during-system-updates
>> >
>> > Does anybody have experience with connecting rule 2902 to purging the
>> > database with integrity check sums?
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>


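An added example that follows dan's advice (absolute paths and an explicit PATH, since execd's environment is unknown) and Dominik's plan of remembering which agent fired rule 2902 so that a cron job can later run /var/ossec/bin/syscheck_control -u; it is not code from either poster or from OSSEC. It assumes OSSEC is installed under /var/ossec (OSSEC_DIR overrides this for testing), that execd passes the arguments in the order the posted script uses, and a queue file name of my own choosing; mapping the queued agent name to the numeric ID that syscheck_control -u expects is left to the cron job.

```shell
#!/bin/bash
# Added example, not the poster's script nor OSSEC's code: an active-response
# script using absolute paths and a known PATH (execd's is unknown), which
# also queues the agent that fired rule 2902 for a later syscheck_control -u.
# Assumed: OSSEC under /var/ossec (OSSEC_DIR overrides it for tests); execd
# passes: $1 action $2 user $3 srcip $4 alert_id $5 rule_id $6 agent $7 file.
PATH="/usr/sbin:/usr/bin:/sbin:/bin${PATH:+:$PATH}"; export PATH
ossec_dir() { printf '%s' "${OSSEC_DIR:-/var/ossec}"; }

# log_call ARGS...: one line per invocation, independent of execd's cwd.
log_call() {
    local log; log="$(ossec_dir)/logs/active-responses.log"
    mkdir -p "$(dirname "$log")"
    printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$0" "$*" >> "$log"
}

# queue_agent AGENT [EPOCH]: remember which agent installed software and when.
queue_agent() {
    local agent="$1" now="${2:-$(date +%s)}" queue
    [ -n "$agent" ] || return 1
    queue="$(ossec_dir)/logs/purge-integrity.queue"   # hypothetical file name
    mkdir -p "$(dirname "$queue")"
    printf '%s %s\n' "$now" "$agent" >> "$queue"
}

# due_agents DELAY [NOW]: print agents queued at least DELAY seconds ago (each
# once) and drop them from the queue; the cron job consumes this list.
due_agents() {
    local delay="$1" now="${2:-$(date +%s)}" queue tmp
    queue="$(ossec_dir)/logs/purge-integrity.queue"; tmp="$queue.tmp"
    [ -f "$queue" ] || return 0
    awk -v cut="$((now - delay))" -v keep="$tmp" \
        '$1 <= cut { print $2; next } { print > keep }' "$queue" | sort -u
    if [ -f "$tmp" ]; then mv "$tmp" "$queue"; else : > "$queue"; fi
}

# execd entry point: "add" queues the agent; "delete" has nothing to undo
# because the command is configured with <timeout_allowed>no</timeout_allowed>.
main() {
    log_call "$@"
    case "$1" in
        add)    queue_agent "$6" ;;
        delete) : ;;
        *)      return 1 ;;
    esac
}
# Run main only when executed as the script, so the cron side can source the
# functions: for a in $(due_agents 1800); do ...syscheck_control -u <id>; done
case "$0" in *purge-integrity.sh) main "$@" ;; esac
```

Every write goes through a path derived from a fixed base directory, so the script behaves the same whether execd starts it from /var/ossec or from elsewhere.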