
List:       ossec-list
Subject:    Re: [ossec-list] Re: Ossec active response on agent
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2015-10-13 13:02:30
Message-ID: CAMyQvMoN1Pur4VuMSMgvkO14PMHpE6pv1H61CRCKMWW32N=EVw () mail ! gmail ! com

On Tue, Oct 13, 2015 at 8:17 AM, Kévin Printz <printz.kevin@gmail.com> wrote:
> Yes, I created it with the same owner / rights as the default active
> response scripts:
> 
> 
> [root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh
> -r-xr-x--- 1 root ossec 59 Oct  8 08:49
> /var/ossec/active-response/bin/restart.sh
> 
> Can some other config files or logs help to debug?
> 

Not that I know of. Try restarting the OSSEC processes on the manager
and the agent.
I'll try to wake up more and think of something to help troubleshoot this.

> On Tuesday, October 13, 2015 at 13:29:48 UTC+2, dan (ddpbsd) wrote:
> > 
> > On Tue, Oct 13, 2015 at 4:57 AM, Kévin Printz <printz...@gmail.com> wrote:
> > > Hello @dan
> > > 
> > > Thank you for your answer.
> > > 
> > > Yes, it seems that ossec-execd is running on my agent:
> > > [root@hostname etc]# ps -edf | grep ossec-exec[d]
> > > root     20235     1  0 08:36 ?        00:00:00
> > > /var/ossec/bin/ossec-execd
> > > 
> > > And yes, the restart.sh is listed on the agent:
> > > [root@hostname etc]# cat /var/ossec/etc/shared/ar.conf
> > > 3restart-ossec0 - restart-ossec.sh - 0
> > > restart-ossec0 - restart-ossec.cmd - 0
> > > restart-ossec0 - restart-ossec.sh - 0
> > > restart0 - restart.sh - 0
> > > restart-remoted0 - check_process.sh - 0
> > > 
> > > But the script doesn't start on my agent that triggered the rule. (I
> > > tried to make an echo in a file to debug, but nothing happened ...). Any
> > > ideas on why?
> > > 
> > 
> > 
> > Does the script exist on the agent, and is it executable?
> > 
> > > Thanks,
> > > Kevin
> > > 
> > > On Friday, October 9, 2015 at 13:35:37 UTC+2, dan (ddpbsd) wrote:
> > > > 
> > > > On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz <printz...@gmail.com>
> > > > wrote:
> > > > > Hello (again)
> > > > > 
> > > > > I made other tests to try to understand why it's not working. If I
> > > > > set up the <localfile> section in my server ossec.conf file, and I try
> > > > > to stop the NTPD process on my server, the rule is fired, and the
> > > > > active response is executed on my server.
> > > > > But, when the rule is fired by the agent, the active response is
> > > > > never executed (neither on the server nor on the agent).
> > > > > 
> > > > 
> > > > Is ossec-execd running on the agent?
> > > > Make sure the restart.sh is listed in the
> > > > /var/ossec/etc/shared/ar.conf file on the agent.
> > > > 
> > > > > Any ideas ?
> > > > > Thanks,
> > > > > Kevin.
> > > > > 
> > > > > On Tuesday, October 6, 2015 at 16:02:34 UTC+2, Kévin Printz wrote:
> > > > > > 
> > > > > > Hi !
> > > > > > 
> > > > > > I have an OSSEC server, connected with a remote agent. And I want to
> > > > > > have an active response set up on the agent, according to a process
> > > > > > state change.
> > > > > > For instance, I have an ntpd process running on my agent, and I want
> > > > > > to start it if the process changes to the stopped state (using the
> > > > > > service command - it's only for a test in order to realize a POC)
> > > > > > 
> > > > > > So, I set up the following configuration in my ossec.conf file on
> > > > > > the agent side:
> > > > > > <localfile>
> > > > > > <log_format>full_command</log_format>
> > > > > > <command>service ntpd status</command>
> > > > > > </localfile>
> > > > > > 
> > > > > > And, for the test, I created a script to start the ntpd service:
> > > > > > [root@agenthostname scripts]# ll
> > > > > > /var/ossec/active-response/bin/restart.sh
> > > > > > -r-xr-x--- 1 root ossec 40 Oct  6 13:33
> > > > > > /var/ossec/active-response/bin/restart.sh
> > > > > > 
> > > > > > [root@agenthostname scripts]# cat
> > > > > > /var/ossec/active-response/bin/restart.sh
> > > > > > #!/bin/bash
> > > > > > service ntpd start
> > > > > > exit 0
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Then, on the server side, I set up the following rule:
> > > > > > <rule id="90000" level="7">
> > > > > > <if_sid>530</if_sid>
> > > > > > <match>ossec: output: 'service ntpd status</match>
> > > > > > <check_diff />
> > > > > > <description>ntpd change state - starting it</description>
> > > > > > </rule>
> > > > > > 
> > > > > > And, in the ossec.conf on the server, I set up the following command
> > > > > > and active response:
> > > > > > <command>
> > > > > > <name>restart</name>
> > > > > > <executable>restart.sh</executable>
> > > > > > <expect></expect>
> > > > > > </command>
> > > > > > <active-response>
> > > > > > <command>restart</command>
> > > > > > <location>local</location>
> > > > > > <rules_id>90000</rules_id>
> > > > > > </active-response>
> > > > > > 
> > > > > > So, when I stop the ntpd process on the server, some time later I
> > > > > > get the following message in my server alerts file:
> > > > > > ==> /var/ossec/logs/alerts/alerts.log <==
> > > > > > ** Alert 1444138866.25874: mail  - ossec,
> > > > > > 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
> > > > > > Rule: 90000 (level 7) -> 'automatic restart of agent to load new
> > > > > > configuration'
> > > > > > ossec: output: 'service ntpd status':
> > > > > > ntpd is stopped
> > > > > > Previous output:
> > > > > > ossec: output: 'service ntpd status':
> > > > > > ntpd (pid  1418) is running...
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > So, the rule is detected, but that's all. The active response doesn't
> > > > > > start on my agent. (The NTPD process is still stopped, and nothing
> > > > > > appears in the client /var/ossec/logs/active-responses.log file ...)
> > > > > > Perhaps I have made a mistake in the active response setup?
> > > > > > 
> > > > > > Thank you,
> > > > > > Kevin
> > > > > > 
> > > > > 
> > > > > --
> > > > > 
> > > > > ---
> > > > > You received this message because you are subscribed to the Google
> > > > > Groups
> > > > > "ossec-list" group.
> > > > > To unsubscribe from this group and stop receiving emails from it,
> > > > > send
> > > > > an
> > > > > email to ossec-list+...@googlegroups.com.
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > 
> 

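Dan's checklist above (ossec-execd running on the agent, the script present with the same owner/rights as the stock active-response scripts, and its name listed in /var/ossec/etc/shared/ar.conf) can be run as one preflight script on the agent. This is an added example, not code from the thread or from OSSEC; the OSSEC_DIR override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): agent-side preflight checks
# for the prerequisites dan lists before an active response can fire.
# OSSEC_DIR defaults to /var/ossec; point it at a staged copy to dry-run.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# ar.conf lines look like "restart0 - restart.sh - 0" (name+timeout, then
# the executable, then the expect field). Succeeds if $2 is the executable
# on any line of the ar.conf given as $1.
ar_conf_lists() {
    awk -F' - ' -v want="$2" '$2 == want { found = 1 } END { exit !found }' "$1"
}

# Succeeds if $1 is a regular file with the owner or group execute bit set.
# The stock scripts are -r-xr-x--- root:ossec; checked via ls rather than
# "test -x" so the result does not depend on who runs this script.
script_ok() {
    [ -f "$1" ] || return 1
    _mode=$(ls -l "$1" | cut -c1-10)
    case "$_mode" in
        ???x*|??????x*) return 0 ;;
    esac
    return 1
}

# Same check as "ps -edf | grep ossec-exec[d]" in the thread, via pgrep.
execd_running() {
    pgrep -x ossec-execd >/dev/null 2>&1
}

# Run all three checks for the executable named in the manager's <command>
# block (e.g. restart.sh); exit status 0 only if every check passes.
check_agent_ar() {
    _rc=0
    ar_conf_lists "$OSSEC_DIR/etc/shared/ar.conf" "$1" \
        && echo "ok: $1 listed in ar.conf" \
        || { echo "MISSING: $1 not listed in $OSSEC_DIR/etc/shared/ar.conf"; _rc=1; }
    script_ok "$OSSEC_DIR/active-response/bin/$1" \
        && echo "ok: $1 present and executable" \
        || { echo "MISSING: $OSSEC_DIR/active-response/bin/$1 absent or not executable"; _rc=1; }
    execd_running \
        && echo "ok: ossec-execd running" \
        || { echo "MISSING: ossec-execd is not running"; _rc=1; }
    return $_rc
}

# Usage on the agent: sh check_ar.sh restart.sh
if [ "$#" -eq 1 ]; then check_agent_ar "$1"; fi
```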


