List: ossec-list
Subject: Re: [ossec-list] OSSEC agent.conf not getting updated for Linux
From: Kumar Mg <mkgaao () gmail ! com>
Date: 2016-03-23 16:47:42
Message-ID: 11b3f9f3-cea4-4ed3-9bec-da1c0d94bafa () googlegroups ! com
Thanks Dan.
Yes, the write mode fixed it. It worked with the permission set below for
shared/agent.conf:
# ls -lt agent*
-rw-r----- 1 ossec ossec 610 Mar 23 11:40 agent.conf
If the file is owned by root with the same set of permissions, the conf
wasn't updating.
-rw-r----- 1 root ossec 516 Mar 23 11:35 agent.conf
Thanks & Regards
Kumar
On Wednesday, 23 March 2016 20:39:50 UTC+5:30, dan (ddpbsd) wrote:
>
> On Wed, Mar 23, 2016 at 10:55 AM, Kumar Mg <mkg...@gmail.com> wrote:
> > Hi,
> >
> > We have an OSSEC running at 2.8 on RHEL Linux, was looking at the
> > centralized config control and was able to push the changes to the agent
> > system. Did modification on the OSSEC server shared/agent.conf and the
> > file was pushed to the agent merged.mg file but not updating to the
> > agent.conf file. I have gone through the old posts and validated the
> > permissions for agent.conf on the server / agent side. Am I missing
> > something here?
> >
> > OSSEC SERVER:
> > # ls -ltr
> > total 172
> > -r--r----- 1 root ossec 4929 Jun 10 2015 win_malware_rcl.txt
> > -r--r----- 1 root ossec 3859 Jun 10 2015 win_audit_rcl.txt
> > -r--r----- 1 root ossec 4682 Jun 10 2015 win_applications_rcl.txt
> > -r--r----- 1 root ossec 4457 Jun 10 2015 system_audit_rcl.txt
> > -r--r----- 1 root ossec 5193 Jun 10 2015 rootkit_trojans.txt
> > -r--r----- 1 root ossec 14872 Jun 10 2015 rootkit_files.txt
> > -r--r----- 1 root ossec 14251 Jun 10 2015 cis_rhel_linux_rcl.txt
> > -r--r----- 1 root ossec 8192 Jun 10 2015 cis_rhel5_linux_rcl.txt
> > -r--r----- 1 root ossec 9501 Jun 10 2015 cis_debian_linux_rcl.txt
> > -r--r----- 1 root ossec 351 Mar 23 07:19 agent.conf
> > -rw-r--r-- 1 ossecr ossec 70553 Mar 23 07:38 merged.mg
> > -r--r----- 1 root root 77 Mar 23 07:38 ar.conf
> >
> > AGENT:
> > # ls -ltr
> > total 164
> > -rwxrwx--- 1 root ossec 4929 Mar 23 07:39 win_malware_rcl.txt
> > -rwxrwx--- 1 root ossec 3859 Mar 23 07:39 win_audit_rcl.txt
> > -rwxrwx--- 1 root ossec 4682 Mar 23 07:39 win_applications_rcl.txt
> > -rwxrwx--- 1 root ossec 4457 Mar 23 07:39 system_audit_rcl.txt
> > -rwxrwx--- 1 root ossec 5193 Mar 23 07:39 rootkit_trojans.txt
> > -rwxrwx--- 1 root ossec 14872 Mar 23 07:39 rootkit_files.txt
> > -rw-r--r-- 1 ossec ossec 70553 Mar 23 07:39 merged.mg
> > -rwxrwx--- 1 root ossec 14251 Mar 23 07:39 cis_rhel_linux_rcl.txt
> > -rwxrwx--- 1 root ossec 8192 Mar 23 07:39 cis_rhel5_linux_rcl.txt
> > -rwxrwx--- 1 root ossec 9501 Mar 23 07:39 cis_debian_linux_rcl.txt
> > -r--r----- 1 root ossec 0 Mar 23 08:59 agent.conf
> >
>
> Does the situation improve if you make agent.conf writable?
>
> > I zeroed out the agent.conf and merge.mg files on agent side and
> > restarted the OSSEC server as well as the agent processes. The agent
> > merged was updated and could see the updates from the OSSEC server,
> > however this did not update the agent.conf even after multiple agent
> > restarts. I could see from the agent ossec.log with following lines.
> >
> > # grep merge /var/ossec/logs/ossec.log*
> > 2016/03/23 06:44:03 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/agent.conf'.
> > 2016/03/23 06:55:19 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/agent.conf'.
> > 2016/03/23 07:17:38 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/agent.conf'.
> > 2016/03/23 07:22:16 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/agent.conf'.
> > 2016/03/23 07:39:32 ossec-agentd: ERROR: Unable to unmerge file '/etc/shared/agent.conf'.
> >
> >
> > Thanks & Regards
> > Kumar
> >
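The ownership behaviour reported in this thread, as an added example that is not part of the original messages or of OSSEC itself: it evaluates plain Unix permission bits for the three agent.conf listings shown above and, if present, for the live file. It assumes ossec-agentd runs as user "ossec", that the install prefix is /var/ossec (so the logged '/etc/shared/agent.conf' maps to /var/ossec/etc/shared/agent.conf), and that GNU stat is available.

```shell
#!/bin/sh
# Added example, not OSSEC code. Assumptions: ossec-agentd runs as user
# "ossec", install prefix is /var/ossec, GNU stat (stat -c) is available.

# can_write USER "USER GROUPS" OWNER GROUP MODE
# Exit 0 if USER gets the write bit under plain Unix permissions
# (no ACLs, no root override). MODE is octal, e.g. 640.
can_write() {
    m=$(printf '%s' "000$5" | tail -c 3)        # last three octal digits
    own=${m%??}; grp=${m#?}; grp=${grp%?}; oth=${m#??}
    # The kernel applies exactly one class: owner, else group, else other.
    if [ "$1" = "$3" ]; then
        bits=$own
    else
        case " $2 " in
            *" $4 "*) bits=$grp ;;
            *)        bits=$oth ;;
        esac
    fi
    case $bits in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# check_file PATH USER: same test against a real file's owner, group, mode.
check_file() {
    set -- "$1" "$2" $(stat -c '%U %G %a' "$1")
    can_write "$2" "$(id -Gn "$2")" "$3" "$4" "$5"
}

# unmerge_errors LOGFILE: count the agentd error quoted in the thread.
unmerge_errors() {
    grep -c 'ossec-agentd: ERROR: Unable to unmerge file' "$1" || true
}

# The three agent.conf listings from the thread, as "owner group mode".
for spec in "root ossec 440" "root ossec 640" "ossec ossec 640"; do
    set -- $spec
    if can_write ossec ossec "$1" "$2" "$3"; then v="writable"; else v="NOT writable"; fi
    echo "$1:$2 $3 -> $v by ossec"
done

CONF=/var/ossec/etc/shared/agent.conf   # assumed default location
LOG=/var/ossec/logs/ossec.log           # path from the thread's grep
if [ -e "$CONF" ]; then
    if check_file "$CONF" ossec; then echo "live agent.conf: writable by ossec"
    else echo "live agent.conf: NOT writable by ossec"; fi
    echo "unmerge errors logged: $(unmerge_errors "$LOG")"
fi
```

Only the ossec-owned 0640 listing grants the write bit to ossec, which matches the poster's observation that the root-owned file with the same mode did not update.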