It was agent version 1.6.1. I just checked the config and that entry is not in there. Is there something I should have done differently during the install process other than choosing not to enable active response? I can send you config files or the original installer files we used if that would be helpful to you in some way.
3.4 - Do you want to enable active response? (y/n) [y]: n
 - Active response disabled.

Thanks,
-Tony

Daniel Cid wrote:
> Hi Tony,
>
> I am looking at this issue now and I can't reproduce it in here. When
> I set to "no" in the installer, it adds the following lines to my ossec.conf:
>
> <active-response>
>   <disabled>yes</disabled>
> </active-response>
>
> And when OSSEC starts it logs:
>
> 2009/03/25 10:45:02 ossec-execd(1350): INFO: Active response disabled. Exiting.
>
> Can you check if that entry is in your config? Also, which version of
> ossec were you using?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, Feb 20, 2009 at 1:22 PM, Tony Lastowka <t...@mail.med.upenn.edu> wrote:
>> A few weeks back we had a problem with active response on a specific
>> machine and decided we didn't need it running on that machine.
>>
>> I reinstalled the ossec agent on that machine, and specifically told it
>> NOT to enable active response in the installer.
>>
>> Today it was noticed it was still running firewall/host.deny add/drops.
>>
>> I thought maybe it had somehow carried over settings from the old
>> installation, so this time I completely removed ossec from the machine,
>> deleted the source, deleted the agent from the server and reinstalled it
>> entirely fresh with a new agent id. I answered no again to the active
>> response question and confirmed it replied " - Active response disabled."
>>
>> We then ran another test, and it is STILL executing active response.
>> For the time being, I've removed execute permissions from the
>> active-response scripts on the machine so active response just fails,
>> but the question remains, why is it running at all when the question
>> about enabling active response is specifically answered no during the
>> installation?
>>
>> ossec.log with the execute permissions removed
>> ----
>> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
>> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
>> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/etc/httpd/logs/access_log'.
>> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file: '/etc/httpd/logs/error_log'.
>> 2009/02/20 11:10:18 ossec-logcollector: INFO: Started (pid: 745).
>> 2009/02/20 11:11:39 ossec-execd: INFO: Active response command not present: '/usr/local/ossec/active-response/bin/test-command.sh'. Not using it on this system.
>> 2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/host-deny.sh': Permission denied
>> 2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/firewall-drop.sh': Permission denied
>>
>> Termcap of the install q/a
>> ----
>> 1- What kind of installation do you want (server, agent, local or help)? agent
>>
>>  - Agent(client) installation chosen.
>>
>> 2- Setting up the installation environment.
>>
>>  - Choose where to install the OSSEC HIDS [/var/ossec]: /usr/local/ossec
>>
>>  - Installation will be made at /usr/local/ossec .
>>
>>  - The installation directory already exists. Should I delete it? (y/n) [y]:
>>
>> 3- Configuring the OSSEC HIDS.
>>
>> 3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.5.235
>>
>>  - Adding Server IP 192.168.5.235
>>
>> 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
>>
>>  - Running syscheck (integrity check daemon).
>>
>> 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
>>
>>  - Running rootcheck (rootkit detection).
>>
>> 3.4 - Do you want to enable active response? (y/n) [y]: n
>>
>>  - Active response disabled.
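An added check, written for this thread and not part of OSSEC or the posters' mail, that tests the two things Daniel asks about: whether ossec.conf carries the `<active-response><disabled>yes</disabled></active-response>` entry, and what ossec-execd reported in ossec.log. The two sample configs and the log lines are constructed from values quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the block Daniel says the installer writes when you answer "n".
CONF_DISABLED = """<ossec_config>
  <client><server-ip>192.168.5.235</server-ip></client>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

# Constructed sample: an agent config where that entry is missing, as on Tony's host.
CONF_MISSING = """<ossec_config>
  <client><server-ip>192.168.5.235</server-ip></client>
  <syscheck><frequency>7200</frequency></syscheck>
</ossec_config>
"""


def active_response_disabled(conf_text):
    """True only if some <active-response> block contains <disabled>yes</disabled>."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the file in a synthetic root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for block in root.iter("active-response"):
        flag = block.find("disabled")
        if flag is not None and (flag.text or "").strip().lower() == "yes":
            return True
    return False


# The exit message Daniel quotes, and any execd line that names an active-response script.
EXECD_EXIT = re.compile(r"ossec-execd(\(\d+\))?: INFO: Active response disabled\. Exiting\.")
EXECD_ACTIVE = re.compile(r"ossec-execd(\(\d+\))?: (INFO|ERROR): .*active-response/bin/")


def execd_state_from_log(lines):
    """Return 'disabled' if execd exited, 'running' if it handled scripts, else 'unknown'."""
    state = "unknown"
    for line in lines:
        if EXECD_EXIT.search(line):
            return "disabled"
        if EXECD_ACTIVE.search(line):
            state = "running"
    return state
```

If the config check returns False while the log check says "running", the installer answer never reached ossec.conf, which is the mismatch the thread describes.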