Hello,

Show me the output of those commands:

grep -i -A7 scan conf/security_events.conf

And

grep -i -A7 scan conf/security_events.conf.defaults

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Mar 9, 2021, at 2:50 AM, NITISH AGGARWAL wrote:
>
> The error is removed but still WMI scan is not triggered on my end points.
>
> On Tue, Mar 9, 2021, 12:34 NITISH AGGARWAL wrote:
>
> I can see one error log in my PacketFence.log file.
>
> It is: pfperl-api(10859) ERROR: 1: parameter found outside a section (pfconfig::namespaces::config::Wmi::cleanup_after_read)
>
> Multiple events generated having the same information.
> WMI rule is as:
>
> Namespace : ROOT\cimv2
> Request : select NAME from WIN32_Process
> Action :
> [ccSvcHst]
> Attribute = Name
> Operator = match
> Value = ccSvcHst.exe
> [1:ccSvcHst]
> Action = trigger_security_event
> Action_param = mac = $mac, tid = 1200345, type = Internal
> On_tab = 1
>
> I was using EOT previously, but in logs it was showing an error against that, so I removed it, but still the WMI rule has not triggered. Any suggestions please....
>
> On Mon, Mar 8, 2021, 20:33 NITISH AGGARWAL wrote:
>
> I typed it incorrectly in the email. As per the configuration on PacketFence it is ccSvcHst.exe
> This is not working.
>
> On Mon, Mar 8, 2021, 20:15 NITISH AGGARWAL wrote:
>
> Yes...it was a typo
>
> On Mon, Mar 8, 2021, 20:00 Ludovic Zammit wrote:
>
> Hello,
>
> Is Value = ccSvcHst.exd a typo and should it be Value = ccSvcHst.exe?
>
> Thanks,
>
> Ludovic Zammit
>
>> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL wrote:
>>
>> But I am using option "Scan on registration".
>>
>> In the PacketFence log, there is no log for scanning or of any security event generation. I guess I am doing something wrong with the WMI rule setup. Can you help me there?
>>
>> I am using the rule as:
>>
>> [ccSvcHst]
>> Attribute = Name
>> Operator = match
>> Value = ccSvcHst.exd
>> [1:ccSvcHst]
>> Action = trigger_security_event
>> Action_param =mac = $mac, tid= 1300987, type = custom
>> on_tab = 1
>>
>> The tid I mentioned here is also configured in one security event, which detects this tid under its condition and executes the events described in it.
>>
>> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit wrote:
>>
>> Hello,
>>
>> There is a grace time period for the security event that triggers the scan; in your case it's the "Post Reg System Scan" and it has a 1 hour grace time, meaning that it would only do one scan per hour.
>>
>> Lower it maybe to 2 mins.
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users wrote:
>>>
>>> Hello all,
>>>
>>> I have set up a WMI scan in my PacketFence but I can't see any results: no tab is generated for the WMI scan under nodes, nor can I see any logs for the scan.
>>>
>>> When using the wmic command from the PacketFence server, I can see the results, but nothing in my Web API. What could be the problem?
>>>
>>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL wrote:
>>>
>>> Sorry to disturb you again, Ludovic.
>>>
>>> I have set up a WMI scan in PacketFence. In the WMI rule I am using the antivirus check rule and added the WMI scan engine in the connection profile as well.
>>>
>>> After this, I can't see any event generated by the WMI scan on my node; neither can I see a security event generated nor a new tab created for the WMI scan.
>>>
>>> When I check WMI connectivity to the end point using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me with what went wrong with this?
>>>
>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit wrote:
>>>
>>> Hello,
>>>
>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>
>>> You can try it out to see if it works; for a Symantec check that could work because it does not require the IP address of the device to do that check on the Symantec service.
>>>
>>> Most of the scans require the IP address of the device in order to start to scan the host, for example the WMI one; that's why the DHCP ACK is very important.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL wrote:
>>>>
>>>> Thank you Ludovic for your help so far.
>>>>
>>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events as Provisioning Enforcement against the node?
>>>>
>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit wrote:
>>>>
>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>
>>>> You need an account that has administrative rights on the device that you check.
>>>>
>>>> Thanks,
>>>>
>>>> Ludovic Zammit
>>>>
>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL wrote:
>>>>>
>>>>> But I can see a security event triggered for SEPM provisioning on the node. But the problem is it is actually not restricting access.
>>>>>
>>>>> Can I use a WMI scan in my environment??
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit wrote:
>>>>>
>>>>> No DHCP, no provisioner.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL wrote:
>>>>>>
>>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all static IP.
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit wrote:
>>>>>>
>>>>>> Does PF receive the DHCP ACK from the production DHCP server?
>>>>>>
>>>>>> Did you install the DHCP sensor?
>>>>>>
>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL wrote:
>>>>>>>
>>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit wrote:
>>>>>>>
>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>
>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL wrote:
>>>>>>>>
>>>>>>>> Yes....as I connect the device it goes into the registration VLAN and then, if it is in the domain, it gets authenticated and the VLAN changes as per the switch.
>>>>>>>>
>>>>>>>> Dot1x is working fine...but the problem is with Symantec. How to check if the end device has the Symantec client installed and working?
>>>>>>>>
>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ludovic Zammit
>>>>>>>>
>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x authentication working with MSCHAPv2 auth, so non-domain users are not getting access, which is required. I am using auto-registration in the connection profile.
>>>>>>>>>
>>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up SEPM provisioning as per the document. During authentication, I can see a security event generated for provisioning on my node in PacketFence, but my end device got access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>>>
>>>>>>>>> I have tried everything I could. I need some help in this case. I am using static IPs and a Cisco 2960.
>>>>>>>>>
>>>>>>>>> I need devices to be registered only if they have both domain connectivity and SEPM installed.
>>>>>>>>>
>>>>>>>>> Any help will be appreciated. Thanks in advance...

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
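The thread turns on a WMI rule whose Action block was accepted only after the heredoc markers were removed, and the log line "parameter found outside a section" is the symptom. The checker below is an added example, not PacketFence code: `lint_wmi_action` is a hypothetical helper that assumes the Action field is parsed as plain INI text and reports the structural defects that silently disable a posture check before the rule is pushed to production: a line before any `[section]`, a non `key = value` line inside a section, a match section missing attribute/operator/value, and a match section with no companion `[N:name]` action section. The sample inputs are constructed from the rule quoted in the thread.

```python
import re

# Added example, not PacketFence code: a structural lint for the INI-style
# block that goes into a WMI rule's Action field (assumed to be parsed as INI).
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def lint_wmi_action(text):
    # Returns a list of findings; an empty list means the block looks sound.
    findings, section, sections = [], None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            sections[section] = {}
            continue
        if section is None:  # the class of error the thread's log line reports
            findings.append(f"line {lineno}: parameter found outside a section: {line!r}")
            continue
        if "=" not in line:  # e.g. a stray heredoc terminator
            findings.append(f"line {lineno}: expected key = value in [{section}]: {line!r}")
            continue
        key, _, value = line.partition("=")
        sections[section][key.strip().lower()] = value.strip()
    for name, keys in sections.items():
        if ":" in name:  # [N:name] is an action section, checked via its match section
            continue
        if {"attribute", "operator", "value"} - set(keys):
            findings.append(f"[{name}]: missing one of attribute/operator/value")
        if not any(n.endswith(":" + name) for n in sections):
            findings.append(f"[{name}]: no [N:{name}] action section, rule can never fire")
    return findings

# Constructed inputs: the thread's rule with the file-format heredoc markers
# pasted into the Action field, and the same rule with them removed.
WITH_MARKERS = """<<EOT
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1200345, type = Internal
On_tab = 1
EOT
"""
CLEAN = "\n".join(WITH_MARKERS.splitlines()[1:-1]) + "\n"
```

Running `lint_wmi_action(WITH_MARKERS)` yields two findings (line 1 outside any section, line 10 not a key = value pair), while `lint_wmi_action(CLEAN)` yields none.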
