Just found out that the integrity checks, even with the agentless setup, are 
not working, because on this remote box I only have a VERY restricted shell.
This means I can't even run "find" or md5sum ...
How on earth should I possibly run a file integrity check in such a 
restricted environment :(

Cool, I will email you a first draft once I've made some progress ;)

On Tuesday, July 22, 2014 16:41:31 UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Jul 22, 2014 at 10:17 AM, theresa mic-snare 
> <rockpr...@gmail.com> wrote: 
> > Unfortunately I have to use agentless because of some appliances (IBM 
> > hardware management console HMC); I don't have root access or sudo there. 
> > Also analysing these non-standardized logfiles will probably be a major pain 
> > in the ass. 
> > I will post the customized rules and decoders, once I'm finished. 
> > 
>
> That would be great! 
>
> > Also I'm writing my thesis in English, so if you'd like to read the final 
> > version in January then just let me know ;) 
> > 
>
> Yes please, I'm very interested. 
>
> > On Tuesday, July 22, 2014 16:12:37 UTC+2, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Jul 22, 2014 at 10:09 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > Thank you very much Dan! 
> >> > You pointed me in the right direction :) 
> >> > 
> >> > I had in my configuration <host>os...@example.net</host> 
> >> > 
> >> > and registered I had only ossec@example 
> >> > 
> >> > so this didn't match. 
> >> > I corrected the ossec.conf and reloaded ossec. 
> >> > 
> >> > Now the ossec.log confirmed that it works: 
> >> > 2014/07/22 16:06:25 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_linux'. 
> >> > 2014/07/22 16:06:26 ossec-agentlessd: INFO: Test passed for 'ssh_generic_diff'. 
> >> > 
> >> 
> >> Glad that helped. I don't use agentless, so it took me a while to 
> >> figure that out. 
> >> 
> >> > Many thanks for helping me out. 
> >> > I'm documenting this right now, because I'm basing my Bachelor thesis 
> >> > on OSSEC :) 
> >> > 
> >> 
> >> That's great. Don't hesitate to post if you have other issues. 
> >> 
> >> > 
> >> > On Tuesday, July 22, 2014 16:00:46 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Tue, Jul 22, 2014 at 9:23 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > Hi dan, 
> >> >> > 
> >> >> > thanks for your speedy reply. 
> >> >> > 
> >> >> > Hmm, the keys and even the .ssh directory belong to user and group 
> >> >> > ossec: 
> >> >> > -rw-------. 1 ossec ossec 1675 22. Jul 09:17 id_rsa 
> >> >> > -rw-r--r--. 1 ossec ossec  407 22. Jul 09:17 id_rsa.pub 
> >> >> > 
> >> >> > I create the keys like this: 
> >> >> > 
> >> >> > sudo -u ossec ssh-keygen 
> >> >> > 
> >> >> 
> >> >> Verify the .passlist looks something like: 
> >> >> os...@example.net|NOPASS| 
> >> >> 
> >> >> Check that your configuration has <host>os...@example.net</host>, 
> >> >> not just example.net. 
> >> >> 
> >> >> What happens if you try running the commands manually? 
> >> >> 
> >> >> cd /var/ossec 
> >> >> expect agentless/ssh_integrity_check_linux os...@example.net /etc 
> >> >> 
> >> >> > thanks, 
> >> >> > theresa 
> >> >> > 
> >> >> > 
> >> >> > On Tuesday, July 22, 2014 15:16:08 UTC+2, dan (ddpbsd) wrote: 
> >> >> >> 
> >> >> >> On Tue, Jul 22, 2014 at 9:03 AM, theresa mic-snare 
> >> >> >> <rockpr...@gmail.com> wrote: 
> >> >> >> > Hi there, 
> >> >> >> > 
> >> >> >> > I have a similar problem with adding an agentless host. 
> >> >> >> > 
> >> >> >> > In the ossec.log I found the following entry: 
> >> >> >> > 2014/07/22 14:43:43 ossec-agentlessd: ERROR: ssh_integrity_check_linux: os...@example.net: Password for 'os...@example.net' not found. 
> >> >> >> > 2014/07/22 14:43:44 ossec-agentlessd: ERROR: ssh_generic_diff: os...@example.net: Password for 'os...@example.net' not found. 
> >> >> >> > 
> >> >> >> > I added the host by: 
> >> >> >> > /var/ossec/agentless/register_host.sh add os...@example.net NOPASS 
> >> >> >> > 
> >> >> >> > I then SCP'd the public key to the remote host: 
> >> >> >> > scp id_rsa.pub os...@example.net:/home/ossec/.ssh/authorized_keys2 
> >> >> >> > 
> >> >> >> 
> >> >> >> Does the OSSEC manager have access to the keys in order to connect? 
> >> >> >> 
> >> >> >> > I can even ssh to this very machine with the key mentioned above 
> >> >> >> > without any problems. 
> >> >> >> > 
> >> >> >> > *Available hosts: 
> >> >> >> > os...@example.net 
> >> >> >> > 
> >> >> >> > Is there even a way to unregister a host? 
> >> >> >> > If so, how? 
> >> >> >> > 
> >> >> >> 
> >> >> >> Delete it from /var/ossec/agentless/.passlist I think. 
> >> >> >> 
> >> >> >> > thanks and looking forward to hearing from you, 
> >> >> >> > theresa 
> >> >> >> > 
> >> >> >> > On Tuesday, April 21, 2009 19:38:09 UTC+2, emcpa07 wrote: 
> >> >> >> >> 
> >> >> >> >> Hello, 
> >> >> >> >> I'm trying to use the agentless functionality on my OpenSuse 11.1 
> >> >> >> >> box and I'm receiving a timeout when ssh'ing to my host which is 
> >> >> >> >> running Fedora10. I'm using the ssh_integrity_check_linux and 
> >> >> >> >> ssh_generic_diff and both have passed the agentless test. I've 
> >> >> >> >> tried using all connection methods listed, NOPASS, with PASS 
> >> >> >> >> etc... However, I can ssh to my host using the "accounts/boxes" 
> >> >> >> >> created using the supplied command/script: 
> >> >> >> >> /var/ossec/agentless/register_host.sh add ro...@xx.net mypass1 
> >> >> >> >> and /var/ossec/agentless/register_host.sh add ro...@xx.net NOPASS 
> >> >> >> >> 
> >> >> >> >> Any help would be appreciated. 
> >> >> >> >> 
> >> >> >> >> Thanks, 
> >> >> >> >> Ron 
> >> >> >> > 
> >> >> >> > -- 
> >> >> >> > 
> >> >> >> > --- 
> >> >> >> > You received this message because you are subscribed to the 
> Google 
> >> >> >> > Groups 
> >> >> >> > "ossec-list" group. 
> >> >> >> > To unsubscribe from this group and stop receiving emails from 
> it, 
> >> >> >> > send 
> >> >> >> > an 
> >> >> >> > email to ossec-list+...@googlegroups.com. 
> >> >> >> > For more options, visit https://groups.google.com/d/optout. 
> >> >> > 
>
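The whole exchange above turns on one detail: the `<host>` value in ossec.conf must match an entry in /var/ossec/agentless/.passlist exactly (the thread's case was os...@example.net in the config versus ossec@example in the passlist, which agentlessd reports as "Password for '...' not found"), and the host must carry the user@ prefix rather than a bare hostname. The following Python is an added example, not code from this thread or from the OSSEC project: it reads an ossec.conf fragment and a .passlist and reports both kinds of mismatch before agentlessd has to. It assumes the `user@host|password|` line format Dan quotes, the `<agentless>` block with `<type>` and `<host>` children from OSSEC's agentless configuration, and uses constructed sample data rather than the thread's hosts.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the thread). The first <host> mirrors the
# thread's mistake: the .passlist entry lacks the domain suffix. The second has
# no user@ prefix, the other mismatch Dan points out.
SAMPLE_CONF = """
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>3600</frequency>
    <host>ossec@fim-target.example</host>
    <state>periodic</state>
    <arguments>/bin /etc</arguments>
  </agentless>
  <agentless>
    <type>ssh_generic_diff</type>
    <frequency>3600</frequency>
    <host>fim-target.example</host>
    <state>periodic_diff</state>
    <arguments>ls -la /etc</arguments>
  </agentless>
</ossec_config>
"""
SAMPLE_PASSLIST = "ossec@fim-target|NOPASS|\n"

NO_ENTRY = "no .passlist entry for this host (agentlessd logs 'Password ... not found')"
NO_USER = "host has no user@ prefix, so it can never match a .passlist entry"


def parse_passlist(text):
    """Return {user@host: credential} from .passlist-style text.

    Assumed format (as quoted in the thread): one 'user@host|password|' per
    line. Blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def parse_agentless_hosts(conf_text):
    """Return [(type, host), ...] for every <agentless> block.

    ossec.conf may hold several top-level <ossec_config> elements, which is not
    well-formed XML on its own, so the text is wrapped in a synthetic root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    hosts = []
    for block in root.iter("agentless"):
        host_el = block.find("host")
        if host_el is None or not (host_el.text or "").strip():
            continue
        type_el = block.find("type")
        check_type = (type_el.text or "").strip() if type_el is not None else "?"
        hosts.append((check_type, host_el.text.strip()))
    return hosts


def check_agentless(conf_text, passlist_text):
    """Report the two mismatches discussed in the thread as (type, host, reason)."""
    passlist = parse_passlist(passlist_text)
    problems = []
    for check_type, host in parse_agentless_hosts(conf_text):
        if "@" not in host:
            problems.append((check_type, host, NO_USER))
        elif host not in passlist:
            problems.append((check_type, host, NO_ENTRY))
    return problems


if __name__ == "__main__":
    for check_type, host, reason in check_agentless(SAMPLE_CONF, SAMPLE_PASSLIST):
        print(f"{check_type}: <host>{host}</host>: {reason}")
```

To run this against a live manager, read /etc/ossec.conf (or /var/ossec/etc/ossec.conf) and /var/ossec/agentless/.passlist as the ossec user and pass their contents to `check_agentless`; an empty result means every `<host>` has a matching passlist line, which is exactly the condition the "Test passed" log lines in the thread confirm.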

