grep: conf/security_events.conf : No such file or directory
grep: conf/security_events.conf.defaults : No such file or directory

On Wed, Mar 10, 2021, 18:18 Ludovic Zammit <[email protected]> wrote:

> Hello,
>
> Show me the output of those commands:
>
> grep -i -A7 scan conf/security_events.conf
>
> And
>
> grep -i -A7 scan conf/security_events.conf.defaults
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Mar 9, 2021, at 2:50 AM, NITISH AGGARWAL <[email protected]> wrote:
>
> The error is removed but still the WMI scan is not triggered on my end points.
>
> On Tue, Mar 9, 2021, 12:34 NITISH AGGARWAL <[email protected]> wrote:
>
>> I can see one error log in my PacketFence.log file.
>>
>> It is pfperl-api(10859) ERROR: 1: parameter found outside a section (pfconfig::namespaces::config::Wmi::cleanup_after_read)
>>
>> Multiple events are generated having the same information.
>> The WMI rule is as:
>>
>> Namespace : ROOT\cimv2
>> Request : select NAME from WIN32_Process
>> Action : [ccSvcHst]
>> Attribute = Name
>> Operator = match
>> Value = ccSvcHst.exe
>> [1:ccSvcHst]
>> Action = trigger_security_event
>> Action_param = mac = $mac, tid = 1200345, type = Internal
>> On_tab = 1
>>
>> I was using EOT previously, but in the logs it was showing an error against that, so I removed it, but still the WMI rule has not triggered. Any suggestions please....
>>
>> On Mon, Mar 8, 2021, 20:33 NITISH AGGARWAL <[email protected]> wrote:
>>
>>> I typed it incorrectly in the email. As per the configuration on PacketFence it is ccSvcHst.exe.
>>> This is not working.
>>>
>>> On Mon, Mar 8, 2021, 20:15 NITISH AGGARWAL <[email protected]> wrote:
>>>
>>>> Yes... it was a typo.
>>>>
>>>> On Mon, Mar 8, 2021, 20:00 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Is Value = ccSvcHst.exd a typo that should be Value = ccSvcHst.exe?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>> But I am using the option "Scan on registration".
>>>>>
>>>>> In the PacketFence log, there is no log for scanning or for any security event generation. I guess I am doing something wrong with the WMI rule setup. Can you help me with that?
>>>>>
>>>>> I am using the rule as:
>>>>>
>>>>> [ccSvcHst]
>>>>> Attribute = Name
>>>>> Operator = match
>>>>> Value = ccSvcHst.exd
>>>>> [1:ccSvcHst]
>>>>> Action = trigger_security_event
>>>>> Action_param = mac = $mac, tid = 1300987, type = custom
>>>>> on_tab = 1
>>>>>
>>>>> The tid I mentioned here is also configured in one security event, which detects this tid under its condition and executes events as described in it.
>>>>>
>>>>> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> There is a grace time period for the security event that triggers the scan; in your case it's the "Post Reg System Scan" and it has a 1 hour grace time, meaning that it would only do one scan per hour.
>>>>>>
>>>>>> Lower it maybe to 2 mins.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I have set up WMI scan in my PacketFence but I can't see any results: no tab is generated for the WMI scan under nodes, nor can I see any logs for the scan.
>>>>>>
>>>>>> When using the wmic command from the PacketFence server, I can see the results but nothing in my Web API. What could be the problem?
>>>>>>
>>>>>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>>> Sorry to disturb you again, Ludovic.
>>>>>>>
>>>>>>> I have set up WMI scan in PacketFence. In the WMI rule I am using the antivirus check rule and have added the WMI scan engine in the connection profile as well.
>>>>>>>
>>>>>>> After this, I can't see any event generated by the WMI scan on my node; neither can I see a security event generated nor a new tab created for the WMI scan.
>>>>>>>
>>>>>>> When I check WMI connectivity to the end point using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me with what went wrong with this?
>>>>>>>
>>>>>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>>>>>>
>>>>>>>> You can try it out to see if it works; for a Symantec check that could work because it does not require the IP address of the device to do that check on the Symantec service.
>>>>>>>>
>>>>>>>> Most of the scans require the IP address of the device in order to start scanning the host, for example the WMI one; that's why the DHCP ACK is very important.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ludovic Zammit
>>>>>>>>
>>>>>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Thank you Ludovic for your help so far.
>>>>>>>>
>>>>>>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events such as Provisioning Enforcement against the node?
>>>>>>>>
>>>>>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>>>>>>
>>>>>>>>> You need an account that has administrative rights on the device that you check.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Ludovic Zammit
>>>>>>>>>
>>>>>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> But I can see a security event triggered for SEPM provisioning on the node. The problem is it is actually not restricting access.
>>>>>>>>>
>>>>>>>>> Can I use WMI scan in my environment?
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> No DHCP, no provisioner.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>
>>>>>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all static IP.
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Does PF receive DHCP ACKs from the production DHCP server?
>>>>>>>>>>>
>>>>>>>>>>> Did you install the DHCP sensor?
>>>>>>>>>>>
>>>>>>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>
>>>>>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>>>>>>
>>>>>>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>>
>>>>>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Yes.... as I connect the device it goes into the registration VLAN and then, if it is in the domain, it gets authenticated and the VLAN changes as per the switch.
>>>>>>>>>>>>
>>>>>>>>>>>> Dot1x is working fine... but the problem is with Symantec. How to check if the end device has the Symantec client installed and working?
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x authentication working with MSCHAPv2 auth, so non-domain users are not getting access, which is required. I am using auto-registration in the connection profile.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up SEPM provisioning as per the document. During authentication, I can see a security event generated for provisioning on my node in PacketFence, but my end device got access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have tried everything I could. I need some help in this case. I am using static IPs and a Cisco 2960.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I need devices to be registered only if they are both connected to the domain and have SEPM installed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any help will be appreciated. Thanks in advance...
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
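The WMI rule syntax exchanged in the thread is INI-style: a `[name]` section carries Attribute, Operator and Value, and a `[n:name]` section carries the action to run when that condition matches. The log line quoted in the thread, "parameter found outside a section", is what an INI parser reports when a `key = value` line appears before any section header. The following Python is an added example, not PacketFence's own code: it parses rule text of that shape, reports a parameter outside a section, and evaluates the `[ccSvcHst]` condition against a constructed result set standing in for `select NAME from WIN32_Process`, returning the security-event parameters the action would raise. Treating the `match` operator as a case-insensitive regular-expression search, and the exact layout of the action parameters, are this example's assumptions, not statements about how PacketFence evaluates rules.

```python
import re

# Constructed rule text in the layout used in the thread.  Here "Attribute = Name"
# precedes every [section] header, the defect behind the quoted log line
# "parameter found outside a section".
RULE_OUTSIDE_SECTION = """\
Attribute = Name
[ccSvcHst]
Operator = match
Value = ccSvcHst.exe
"""

# Constructed, well-formed rule: one condition section and its action section.
RULE_OK = """\
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe

[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1200345, type = Internal
On_tab = 1
"""

# Constructed rows standing in for the output of "select NAME from WIN32_Process".
SAMPLE_PROCESSES = [{"Name": "System"}, {"Name": "svchost.exe"}, {"Name": "ccSvcHst.exe"}]

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
PARAM_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")  # split on the first '=' only


def parse_rule(text):
    """Parse INI-style rule text into {section: {key: value}} with lower-cased keys.

    Splitting on the first '=' keeps a value such as "mac = $mac, tid = 1200345"
    intact.  A parameter before any [section], or an unparseable line, raises.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a section header or key = value: {raw!r}")
        if current is None:
            raise ValueError(f"line {lineno}: parameter found outside a section: {raw!r}")
        sections[current][m.group(1).strip().lower()] = m.group(2).strip()
    return sections


def check_rule_text(text):
    """Return None when the rule text parses, otherwise the parser's error message."""
    try:
        parse_rule(text)
    except ValueError as exc:
        return str(exc)
    return None


def condition_matches(cond, rows):
    """Assumed semantics: 'match' is a case-insensitive regex search on the attribute."""
    attr = cond.get("attribute", "").lower()
    pattern = cond.get("value", "")
    if cond.get("operator", "").lower() != "match":
        raise ValueError(f"operator not modelled here: {cond.get('operator')!r}")
    for row in rows:
        actual = str({k.lower(): v for k, v in row.items()}.get(attr, ""))
        if re.search(pattern, actual, re.IGNORECASE):
            return True
    return False


def parse_action_param(raw, mac):
    """Turn "mac = $mac, tid = 1200345, type = Internal" into a dict, filling in $mac."""
    params = {}
    for part in raw.split(","):
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().replace("$mac", mac)
    return params


def evaluate(rule_text, rows, mac):
    """Return the security-event parameters of every trigger action whose condition matches."""
    sections = parse_rule(rule_text)
    conditions = {n: p for n, p in sections.items() if ":" not in n}
    fired = []
    for name, params in sections.items():
        if ":" not in name:
            continue
        target = name.partition(":")[2]
        if target not in conditions:
            raise ValueError(f"[{name}] refers to unknown condition [{target}]")
        if params.get("action") == "trigger_security_event" and condition_matches(conditions[target], rows):
            fired.append(parse_action_param(params.get("action_param", ""), mac))
    return fired


if __name__ == "__main__":
    print("broken rule:", check_rule_text(RULE_OUTSIDE_SECTION))
    print("good rule:  ", check_rule_text(RULE_OK))
    print("fired:      ", evaluate(RULE_OK, SAMPLE_PROCESSES, "aa:bb:cc:dd:ee:ff"))
```

Running `check_rule_text` on a rule before loading it is the quick way to separate a parse error of the kind the thread's log line shows from a rule that parses but never matches; `evaluate` against a captured process list then shows whether the condition itself would fire.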
