Hi, everyone. First off, thanks to atomicturtle for helping me in IRC. And thanks to dcid for replying to my tweet, that was pretty awesome. I think it might be better to post my questions here, though, for posterity and maybe to help others.
Mind you, I've googled my pants off and now I'm stumped. I'll try to be as concise yet informative as possible with my questions.

Q1: I can't seem to get 'agent_control -r -u <agentid>' to work. It seems like maybe it is working, but it could just be coincidence.
- Is there a refractory period before rootcheck will restart on an agent?
- The docs say active-response must be enabled, but they don't say in what specific way AR needs to be enabled. Is there a special command file I need to craft to enable AR for agent_control to work?

Q2: Is there any additional documentation anywhere on the format of the "rcl" files? There are docs in the header of the existing files, but they are incomplete. For example, I get this error:

ERROR: Invalid rk configuration value: '$sshd_file=/etc/ssh/sshd_config;'

But as near as I can tell, I'm using the variable the same way as the existing rcl files. My config that produces this error is copied verbatim from here: http://blog.wazuh.com/root-user-access-monitoring-with-ossec/

Q3: Can one have multiple <system_audit> files declared in the rootcheck section? How do they compile together? (i.e. do they all get used, or is it last one, or first one only? etc.)

I definitely have other questions but I'll ask them separately. Thanks!

-JDS
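For reference, a minimal rcl file in the shape the question is about, added here as an illustration and not taken from the thread, the Wazuh post, or the OSSEC code base: the variable line and the check-block layout follow the system_audit_ssh.txt that ships with OSSEC, while the check name, reference number and regex are made up for this example.

```text
# Variable declaration: "$name=value;" on its own line, placed before the
# check blocks as in the shipped system_audit_ssh.txt.
$sshd_file=/etc/ssh/sshd_config;

# Check block header: [Check name] [any|all] [reference number]
# Each condition line is "f:<file> -> <regex>;" and a leading "!" negates.
# Name, reference and regex below are illustrative, not from the page.
[SSH Configuration - root login permitted] [any] [1]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
```

Because the variable line above is byte-for-byte the one the error message quotes, a file written this way is a useful control: if it loads cleanly while the copied config does not, the difference lies elsewhere in the copied file (surrounding lines, whitespace or line endings), which is worth checking with a hex dump before assuming the variable syntax itself is wrong.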
