On Fri, Jan 24, 2014 at 12:47 PM, Jeremiah Brock <jeremiah.j.br...@gmail.com> wrote:
>
> Hello Dan,
>
> Yes, fresh install of 2.7 server mode.
>
> I confirmed this again this AM on another Ubuntu 12.04 system doing the following:
>
> su root
> cd /root/installs
> wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
> tar -zxvf ossec-hids-2.7.tar.gz
> cd ossec-hids-2.7
> ./install.sh
>
> In the prompts I enabled Active Response, resulting in the following ar.conf root:root ownership, which is wrong:
>
> ~Jeremy

Thanks, I'll look into it.

> On 1/24/2014 4:59 AM, dan (ddp) wrote:
> > On Thu, Jan 23, 2014 at 8:10 PM, Jeremiah Brock <jeremiah.j.br...@gmail.com> wrote:
> > > Hi All,
> > >
> > > Just a follow up, I was able to get around this strange issue by doing the following:
> >
> > Was this a new install?
> >
> > > On the Server:
> > > chown root:ossec ar.conf
> > > service ossec restart
> > >
> > > On the Agent:
> > > service ossec restart
> > >
> > > The Agent /var/ossec/etc/shared now magically downloaded the proper ar.conf file:
> > > root@host1:/var/ossec/etc/shared# ls -l
> > > total 168
> > > -rw-r--r-- 1 ossec ossec   153 Jan 23 16:41 ar.conf
> > > -rwxrwx--- 1 root  ossec  9501 Jan 23 16:41 cis_debian_linux_rcl.txt
> > > -rwxrwx--- 1 root  ossec  8192 Jan 23 16:41 cis_rhel5_linux_rcl.txt
> > > -rwxrwx--- 1 root  ossec 14251 Jan 23 16:41 cis_rhel_linux_rcl.txt
> > > -rw-r--r-- 1 ossec ossec 70352 Jan 23 16:41 merged.mg
> > > -rwxrwx--- 1 root  ossec 14872 Jan 23 16:41 rootkit_files.txt
> > > -rwxrwx--- 1 root  ossec  5193 Jan 23 16:41 rootkit_trojans.txt
> > > -rwxrwx--- 1 root  ossec  4457 Jan 23 16:41 system_audit_rcl.txt
> > > -rwxrwx--- 1 root  ossec  4682 Jan 23 16:41 win_applications_rcl.txt
> > > -rwxrwx--- 1 root  ossec  3859 Jan 23 16:41 win_audit_rcl.txt
> > > -rwxrwx--- 1 root  ossec  4929 Jan 23 16:41 win_malware_rcl.txt
> > >
> > > No more errors in my logs!!
> > >
> > > ~Jeremy
> > >
> > > On 1/23/2014 4:32 PM, Jeremiah Brock wrote:
> > > > Hi All,
> > > >
> > > > I am running ossec 2.7 on Ubuntu and have run into some surprising issues with the Active Response.
> > > >
> > > > Server: Linux mercury 2.6.32-33-server #72-Ubuntu SMP Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
> > > >
> > > > Client: Linux host1 3.2.0-56-virtual #86-Ubuntu SMP Wed Oct 23 18:12:10 UTC 2013 i686 athlon i386 GNU/Linux
> > > >
> > > > Server available active responses:
> > > > /var/ossec/bin/agent_control -L
> > > >
> > > > OSSEC HIDS agent_control. Available active responses:
> > > >
> > > > No active response available.
> > > >
> > > > Server ossec.log errors:
> > > > 2014/01/23 14:58:50 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
> > > >
> > > > Agent ossec.log errors:
> > > > 2014/01/23 14:30:13 ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
> > > > 2014/01/23 14:30:13 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop600' provided.
> > > >
> > > > Server ossec.conf:
> > > > <command>
> > > >   <name>host-deny</name>
> > > >   <executable>host-deny.sh</executable>
> > > >   <expect>srcip</expect>
> > > >   <timeout_allowed>yes</timeout_allowed>
> > > > </command>
> > > >
> > > > <command>
> > > >   <name>firewall-drop</name>
> > > >   <executable>firewall-drop.sh</executable>
> > > >   <expect>srcip</expect>
> > > >   <timeout_allowed>yes</timeout_allowed>
> > > > </command>
> > > >
> > > > <active-response>
> > > >   <command>host-deny</command>
> > > >   <location>local</location>
> > > >   <level>6</level>
> > > >   <timeout>600</timeout>
> > > > </active-response>
> > > >
> > > > <active-response>
> > > >   <command>firewall-drop</command>
> > > >   <location>local</location>
> > > >   <level>6</level>
> > > >   <timeout>600</timeout>
> > > > </active-response>
> > > >
> > > > Server etc/shared directory:
> > > > root@mercury:/var/ossec/etc/shared# ls -l
> > > > total 168
> > > > -r--r----- 1 root   root    153 Jan 23 14:58 ar.conf
> > > > -r--r----- 1 root   ossec  9501 Nov  8  2012 cis_debian_linux_rcl.txt
> > > > -r--r----- 1 root   ossec  8192 Nov  8  2012 cis_rhel5_linux_rcl.txt
> > > > -r--r----- 1 root   ossec 14251 Nov  8  2012 cis_rhel_linux_rcl.txt
> > > > -rw-r--r-- 1 ossecr ossec 70186 Jan 23 14:58 merged.mg
> > > > -r--r----- 1 root   ossec 14872 Nov  8  2012 rootkit_files.txt
> > > > -r--r----- 1 root   ossec  5193 Nov  8  2012 rootkit_trojans.txt
> > > > -r--r----- 1 root   ossec  4457 Nov  8  2012 system_audit_rcl.txt
> > > > -r--r----- 1 root   ossec  4682 Nov  8  2012 win_applications_rcl.txt
> > > > -r--r----- 1 root   ossec  3859 Nov  8  2012 win_audit_rcl.txt
> > > > -r--r----- 1 root   ossec  4929 Nov  8  2012 win_malware_rcl.txt
> > > >
> > > > Client etc/shared directory:
> > > > root@host1:/var/ossec/etc/shared# ls -l
> > > > total 88
> > > > -rwxrwx--- 1 root ossec  9501 Jan  1 15:21 cis_debian_linux_rcl.txt
> > > > -rwxrwx--- 1 root ossec  8192 Jan  1 15:21 cis_rhel5_linux_rcl.txt
> > > > -rwxrwx--- 1 root ossec 14251 Jan  1 15:21 cis_rhel_linux_rcl.txt
> > > > -rwxrwx--- 1 root ossec 14872 Jan  1 15:21 rootkit_files.txt
> > > > -rwxrwx--- 1 root ossec  5193 Jan  1 15:21 rootkit_trojans.txt
> > > > -rwxrwx--- 1 root ossec  4457 Jan  1 15:21 system_audit_rcl.txt
> > > > -rwxrwx--- 1 root ossec  4682 Jan  1 15:21 win_applications_rcl.txt
> > > > -rwxrwx--- 1 root ossec  3859 Jan  1 15:21 win_audit_rcl.txt
> > > > -rwxrwx--- 1 root ossec  4929 Jan  1 15:21 win_malware_rcl.txt
> > > >
> > > > Does Active Response not work out of the box?
> > > >
> > > > ~Jeremy
> > > >
> > > > --
> > > >
> > > > ---
> > > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> > > > For more options, visit https://groups.google.com/groups/opt_out.
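The fix in the thread is to make ar.conf group-readable by ossec: the server's merged.mg is written as ossecr:ossec, so the daemon that serves etc/shared runs in group ossec and cannot open a 0440 root:root ar.conf. Below is an added check (not from the thread or the OSSEC project) that scans an `ls -l` listing of /var/ossec/etc/shared and flags entries whose group is not ossec or whose group-read bit is unset; the sample listing is constructed from the server lines quoted above.

```shell
#!/bin/sh
# Added example, not OSSEC code: audit an "ls -l" listing of the shared
# directory for files the ossec group cannot read.
# Usage: ls -l /var/ossec/etc/shared | check_shared_perms [group]
# Prints one "PROBLEM: <file> <mode> <owner>:<group>" line per bad entry.
check_shared_perms() {
    awk -v grp="${1:-ossec}" '
        /^total / { next }                     # skip the "total N" summary
        NF >= 9 {
            mode = $1; owner = $3; group = $4; file = $NF
            # position 5 of the mode string is the group read bit
            if (group != grp || substr(mode, 5, 1) != "r")
                printf "PROBLEM: %s %s %s:%s\n", file, mode, owner, group
        }'
}

# Constructed sample taken from the server listing in the thread:
# ar.conf was created root:root 0440, everything else is group ossec.
SAMPLE_SERVER_LISTING='total 168
-r--r----- 1 root root 153 Jan 23 14:58 ar.conf
-r--r----- 1 root ossec 9501 Nov 8 2012 cis_debian_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 70186 Jan 23 14:58 merged.mg
-r--r----- 1 root ossec 14872 Nov 8 2012 rootkit_files.txt'

# Run against the sample when executed directly; on a live server use
# the pipeline in the usage comment above (as root).
printf '%s\n' "$SAMPLE_SERVER_LISTING" | check_shared_perms
```

Only ar.conf is reported for the sample; after the thread's `chown root:ossec ar.conf` the same listing passes clean.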