On Mon, Apr 23, 2018 at 6:34 PM, Cooper Graf <[email protected]> wrote:
> Haha hmm. So any idea why it's throwing an error for me? Is a new release
> slated to come out soon?
>

It's supposed to be soon, I'll have to prod the release manager.
It happens in glob() somewhere, but I haven't looked at it further than that yet.

> On Mon, Apr 23, 2018 at 4:29 PM dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp) <[email protected]> wrote:
>> > On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf <[email protected]> wrote:
>> >> Is there documentation that explains what a glob is? This worked fine with 2.7.
>> >>
>> >
>> > I don't think so. I just tried it on a 3.x system and didn't get the
>> > error. Still waiting on results to see if it checks properly.
>> >
>> > <syscheck>
>> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >   <frequency>1800</frequency>
>> >   <auto_ignore>no</auto_ignore>
>> >
>> >   <!-- Directories to check (perform all possible verifications) -->
>> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >   <directories check_all="yes">/bin,/sbin,/boot</directories>
>> >   <directories check_all="yes">/var/test</directories>
>> >   <directories check_all="yes">/var/test2</directories>
>> >   <directories check_all="yes">/home/*/.ssh</directories>
>> >
>> > ix# grep home /var/ossec/logs/ossec.log
>> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
>> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddp/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
>> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
>> >
>>
>> Hit send too early, the files were successfully checked and catalogued
>> on this system.
>>
>> >
>> > And on a slightly older agent:
>> > <syscheck>
>> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >   <frequency>79200</frequency>
>> >
>> >   <!-- Directories to check (perform all possible verifications) -->
>> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >   <directories check_all="yes">/bin,/sbin,/boot</directories>
>> >   <directories check_all="yes">/home/*/.ssh</directories>
>> >
>> > root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
>> > 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha1sum.
>> > 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory: '/home/checker/.ssh', with options perm | size | owner | group | md5sum | sha1sum.
>> >
>> >
>> >> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp) <[email protected]> wrote:
>> >>>
>> >>> On Mon, Apr 16, 2018 at 2:08 PM, Cooper <[email protected]> wrote:
>> >>>>
>> >>>> I am getting the following error from syscheckd when starting up OSSEC 2.9.3:
>> >>>>
>> >>>> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> >>>> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh'.
>> >>>> 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> >>>> 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh/'.
>> >>>>
>> >>>> Inside of my ossec.conf file, I have this line, which seems to be
>> >>>> generating the error:
>> >>>>
>> >>>> <directories check_all="yes">/home/*/.ssh/</directories>
>> >>>>
>> >>>> Any idea what is invalid about that pattern?
>> >>>>
>> >>>> --
>> >>>
>> >>>
>> >>> I don't think globs are valid in the syscheck configuration.
>> >>>
>> >>>> ---
>> >>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>>> For more options, visit https://groups.google.com/d/optout.
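
An added example, not part of the thread and not OSSEC code: a coverage check that reads ossec.log in the two line formats quoted above and reports glob patterns that syscheckd rejected, plus directories that match a configured pattern but have no "Monitoring directory" line. The function name `coverage_gaps`, its `root` parameter and the temporary directory tree are assumptions made for this illustration; the sample log lines are constructed in the format shown in the thread.

```python
import glob
import os
import re
import tempfile

# Line formats taken from the ossec.log excerpts quoted in the thread.
MONITORED = re.compile(r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'")
GLOB_ERR = re.compile(r"ossec-syscheckd\(\d+\): ERROR: Glob error\. Invalid pattern: '([^']+)'")

# Constructed sample logs: one healthy start-up, one with the glob error.
LOG_OK = """\
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddp/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
"""
LOG_ERR = """\
2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh/'.
"""

def coverage_gaps(patterns, log_text, root="/"):
    """Return (rejected_patterns, unmonitored_dirs) for <directories> globs."""
    monitored = {d.rstrip("/") for d in MONITORED.findall(log_text)}
    rejected = {p.rstrip("/") for p in GLOB_ERR.findall(log_text)}
    unmonitored = []
    for pat in patterns:
        # Expand under `root` so the check can also run against a test tree.
        for path in sorted(glob.glob(os.path.join(root, pat.lstrip("/")))):
            if not os.path.isdir(path):
                continue
            logical = "/" + os.path.relpath(path, root)
            if logical not in monitored:
                unmonitored.append(logical)
    bad = sorted(p for p in patterns if p.rstrip("/") in rejected)
    return bad, unmonitored

def demo():
    # Constructed tree: three users with .ssh, one without.
    with tempfile.TemporaryDirectory() as root:
        for user in ("ansible", "ddp", "newuser"):
            os.makedirs(os.path.join(root, "home", user, ".ssh"))
        os.makedirs(os.path.join(root, "home", "nokeys"))
        ok = coverage_gaps(["/home/*/.ssh"], LOG_OK, root)
        failed = coverage_gaps(["/home/*/.ssh/"], LOG_ERR, root)
    return ok, failed

if __name__ == "__main__":
    print(demo())
```

On a real agent, pass the contents of /var/ossec/logs/ossec.log and leave `root` at its default.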
