On Friday, July 29, 2016 at 14:20:41 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jul 29, 2016 at 2:50 AM, Dominik <[email protected]> wrote:
> >
> >
> > On Thursday, July 28, 2016 at 17:51:23 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jul 28, 2016 at 11:25 AM, Dominik <[email protected]> wrote:
> >> > Dear all
> >> > somehow I'm missing something fundamental on Active Response - it
> >> > just does not work for me.
> >> >
> >> > I'm working on an ubuntu ossec server V2.8.3
> >> >
> >> > I want to run an active response on rule 2902. So I changed the
> >> > configuration the following way:
> >> >
> >> > <command>
> >> > <name>purge-integrity</name>
> >> > <executable>purge-integrity.sh</executable>
> >> > <expect />
> >> > <timeout_allowed>no</timeout_allowed>
> >> > </command>
> >> >
> >> >
> >> > <!-- Active Response Config -->
> >> > <active-response>
> >> > <disabled>no</disabled>
> >> > <command>purge-integrity</command>
> >> > <location>server</location>
> >> > <rules_id>2902</rules_id>
> >> > </active-response>
> >> >
> >> >
> >> >
> >> > Since I want to run the script on the server, I just modified the
> >> > ossec server.
> >> >
> >> > I created a script with exec rights:
> >> >> ls -l active-response/bin/purge-integrity.sh
> >> > -rwxr-xr-x 1 root ossec 363 Jul 28 16:31
> >> > active-response/bin/purge-integrity.sh
> >> >
> >> >
> >> >
> >> > The script creates a simple entry in logs/active-responses.log:
> >> >> active-response/bin/purge-integrity.sh
> >> >> cat logs/active-responses.log
> >> > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
> >> >
> >> >
> >> >
> >> > After restarting ossec, the active response appears to be available:
> >> >> bin/agent_control -L
> >> >
> >> >
> >> > OSSEC HIDS agent_control. Available active responses:
> >> >
> >> > Response name: purge-integrity0, command: purge-integrity.sh
> >> >
> >> >
> >> >
> >> > (why is there a 0 after purge-integrity?)
> >> >
> >> > It also appears possible to start the response:
> >> >> bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity
> >> >
> >> > OSSEC HIDS agent_control: Running active response 'purge-integrity'
> >> > on: 000
> >> >
> >> >> bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity0
> >> >
> >> > OSSEC HIDS agent_control: Running active response 'purge-integrity0'
> >> > on: 000
> >> >
> >> >
> >> >
> >> > However, the script is not called and the active-responses.log
> >> > remains unchanged (similarly, nothing happens if rule 2902 fires):
> >> > cat logs/active-responses.log
> >> > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
> >> >
> >> >
> >> >
> >> > I set the agent to run in debug mode (agent.debug=2 in
> >> > internal_options.conf) but do not see related messages in
> >> > logs/ossec.log
> >> >
> >> > At this point, I'm out of ideas on how to further track this down.
> >> > So, how do I go about further debugging this?
> >> >
> >>
> >> Is ossec-execd running?
> >
> >
> > Yes, it is:
> >> ps -A | grep ossec
> > 64637 ? 00:00:00 ossec-maild
> > 64641 ? 00:00:00 ossec-execd
> > 64645 ? 00:00:21 ossec-analysisd
> > 64649 ? 00:00:01 ossec-logcollec
> > 64654 ? 00:00:18 ossec-remoted
> > 64660 ? 00:00:10 ossec-syscheckd
> > 64663 ? 00:00:06 ossec-monitord
> >
> >
> >
> >
> >>
> >> Do you use the full paths for files in the script?
> >
> >
> > Not for the binaries - but otherwise yes:
> >
>
> Try using the full paths. I don't know what the PATH is for the execd
> process.
>
>
Still no success with the following script:
#!/bin/bash
# Deletes the checksum table for the integrity upon installs
# Author: Dominik Reusser
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
AGENT=$6
FILENAME=$7
LOCAL=`/usr/bin/dirname $0`;
cd $LOCAL
cd ../
PWD=`/bin/pwd`
/bin/echo "Hello world" >> /var/ossec/test.log
# Logging the call
/bin/echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity
does not create the expected output.
Can I debug the communication between agent_control and the local process
receiving the commands (ossec-execd? are messages created? where?)
Are active-response calls logged?
Can I run a service in foreground-mode to receive more messages?
How could I go more basic than this?
Greetings
Dominik
> > #!/bin/bash
> > # Deletes the checksum table for the integrity upon installs
> > # Author: Dominik Reusser
> >
> > ACTION=$1
> > USER=$2
> > IP=$3
> > ALERTID=$4
> > RULEID=$5
> > AGENT=$6
> > FILENAME=$7
> >
> > LOCAL=`dirname $0`;
> > cd $LOCAL
> > cd ../
> > PWD=`pwd`
> >
> > echo "Hello world" >> /var/ossec/test.log
> >
> >
> > # Logging the call
> > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
> >
> >
> >
> >
> >>
> >> >
> >> > While I'm posting this problem, I can also share the broader idea:
> >> > The messages about changing integrity checksums on every update make
> >> > it hard to detect real issues. To avoid these messages, I had the
> >> > following idea:
> >> >
> >> > rule 2902 is triggered when software is installed. I can use active
> >> > response to remember the system on which new software is installed.
> >> > After some delay, I would then (for example with a cron job) run
> >> > /var/ossec/bin/syscheck_control -u AGENT_ID
> >> >
> >> > as suggested on the FAQ:
> >> >
> >> >
> >> > http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/#how-do-i-stop-syscheck-alerts-during-system-updates
> >> >
> >> > Does anybody have experience with connecting rule 2902 to purging the
> >> > database with integrity check sums?
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it,
> >> > send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
> >
>
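The thread leaves two practical questions open: how to write the response script so it does not depend on the PATH ossec-execd happens to inherit, and how to carry the "remember the agent, purge its syscheck database later" idea through. The following is an added example, written for this page; it is neither Dominik's script nor part of the OSSEC project. It keeps the argument order the stock scripts quoted above use ($1 action, $2 user, $3 source IP, $4 alert id, $5 rule id, $6 agent, $7 filename), pins PATH explicitly, logs every call to logs/active-responses.log, and records the agent field from $6 in a pending list that a cron job can turn into syscheck_control -u invocations. The OSSEC_DIR environment override, the pending-file path active-response/pending-syscheck-reset, and the fact that the raw $6 value is stored as-is (mapping it to the numeric agent id that syscheck_control -u expects is left to the operator, for instance via agent_control -l) are assumptions of this example, not OSSEC behaviour documented on the page.

```shell
#!/bin/sh
# Added example (not the script from the thread, not OSSEC project code):
# an active-response handler that logs with absolute paths and remembers
# which agent a rule (e.g. 2902) fired on, so a later cron job can run
#   /var/ossec/bin/syscheck_control -u <agent_id>
# once the package update has settled.
# Arguments follow the stock OSSEC scripts:
#   $1 action  $2 user  $3 src ip  $4 alert id  $5 rule id  $6 agent  $7 filename
# OSSEC_DIR is an assumed override used for testing; default /var/ossec.

# Do not rely on whatever PATH ossec-execd inherited: set it explicitly.
PATH=/bin:/usr/bin
export PATH

ossec_dir() { printf '%s\n' "${OSSEC_DIR:-/var/ossec}"; }
# Assumed location of the pending list (not an OSSEC convention).
pending_file() { printf '%s\n' "$(ossec_dir)/active-response/pending-syscheck-reset"; }

# log_ar_call ARGS...: one timestamped line per invocation, as the stock scripts do.
log_ar_call() {
    base=$(ossec_dir)
    /bin/mkdir -p "$base/logs"
    /bin/echo "$(/bin/date) $0 $*" >> "$base/logs/active-responses.log"
}

# record_agent AGENT: add AGENT to the pending list once; repeats are ignored.
record_agent() {
    file=$(pending_file)
    /bin/mkdir -p "$(/usr/bin/dirname "$file")"
    if [ -f "$file" ]; then
        while IFS= read -r line; do
            if [ "$line" = "$1" ]; then return 0; fi
        done < "$file"
    fi
    /bin/echo "$1" >> "$file"
}

# pending_count: number of agents waiting for a syscheck reset.
pending_count() {
    n=0
    if [ -f "$(pending_file)" ]; then
        while IFS= read -r _; do n=$((n + 1)); done < "$(pending_file)"
    fi
    /bin/echo "$n"
}

# reset_commands: the syscheck_control invocations a cron job would run,
# one per pending agent. Printed rather than executed so they can be reviewed.
reset_commands() {
    [ -f "$(pending_file)" ] || return 0
    while IFS= read -r agent; do
        /bin/echo "$(ossec_dir)/bin/syscheck_control -u $agent"
    done < "$(pending_file)"
}

# main: the entry point ossec-execd calls. "add" is the normal trigger;
# "delete" is only sent when a timeout is configured, which the thread's
# <timeout_allowed>no</timeout_allowed> disables, so it is a no-op here.
main() {
    action=$1
    log_ar_call "$@"
    case "$action" in
        add)    record_agent "$6" ;;
        delete) : ;;
        *)      /bin/echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Dispatch only when called with arguments (by execd or by hand), so the
# functions can also be sourced and exercised individually.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Running it by hand with a constructed argument list, e.g. `OSSEC_DIR=/tmp/ossec-test sh purge-integrity.sh add - 10.0.0.5 1469710000.12345 2902 web01 -`, writes one line to /tmp/ossec-test/logs/active-responses.log and adds "web01" to the pending file; `reset_commands` then prints the syscheck_control line for it. Because the script never calls a binary by bare name, it behaves the same whether execd's PATH is empty or not, which is the point dan raised above.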