Re: [ossec-list] my problem with rootcheck_control (part 2)
anyone? rootcheck is still an unresolved mystery to me

On Tuesday, 5 April 2016 12:07:40 UTC+2, theresa mic-snare wrote:
>
> Yes, I'm 100% positive, Dan!
> I've just reproduced my steps, and it seems that whenever I run the rootcheck update (rootcheck_control -u 000) and wait for a rootcheck run to complete (Ending rootcheck scan.)
>
> I don't see any log entries similar to the syscheck can like this
> 2016/04/05 08:24:50 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2016/04/05 08:25:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>
> does this mean that rootcheck does not forward its results to the database?
>
> maybe I am doing something fundamentally wrong here, but at the moment rootcheck does not write its results into the database unless I restart OSSEC manually.
>
> rootcheck frequency is set to 300 (5 minutes)
> syscheck frequency is set to 79200 (22 hours)
>
> does rootcheck rely on syscheck in order to update the events in the database?
>
> On Monday, 4 April 2016 14:41:56 UTC+2, dan (ddpbsd) wrote:
>>
>> On Sat, Apr 2, 2016 at 5:36 PM, theresa mic-snare wrote:
>> > Hi,
>> >
>> > I have to say I'm particularly unfortunate with the rootcheck daemon...am I the only one who keeps running into those problems?
>> >
>> > On my manager I was checking against the system_audit_ssh.txt that checks the sshd_config.
>> > I first started with the following unresolved issues
>> >
>> > [root@manager bin]# ./rootcheck_control -q -i 000
>> >
>> > Policy and auditing events for local system 'manager - 127.0.0.1':
>> >
>> > Outstanding events:
>> >
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 .
>> >
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 .
>> >
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 .
>> >
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .
>> >
>> >
>> > So far, so good.
>> > I set the correct values inside sshd_config, restarted the sshd service and waited until the rootcheck run ran again... For troubleshooting's sake I set the interval to 5 minutes.
>> >
>> > But for some reason it didn't update the Outstanding events, only updated the time.
>> >
>> > [root@manager bin]# ./rootcheck_control -q -i 000
>> >
>> > Policy and auditing events for local system 'manager - 127.0.0.1':
>> >
>> > Outstanding events:
>> >
>> > 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 .
>> >
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 .
>> >
>> > 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 .
>> >
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
>> > System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .
>> >
>> >
>> > I checked the syntax of the system_audit_ssh.txt but this seemed good to me.
>> > For instance the MaxAuthTries has this syntax
>> >
>> > # MaxAuthTries 3
>> > # The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
>> > # This should be set to 3.
>> > [SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
>> > f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
>> > f:$sshd_file -> r:^#\s*MaxAuthTries;
>> > f:$sshd_file -> !r:MaxAuthTries;
>> >
>> > my sshd_config has exactly this value set "MaxAuthTries 3"
>> >
>> > At the end I simply ran
>> > [root@manager bin]# ./rootcheck_control -u 000
>> >
>> > and waited for another rootcheck run.
>> > Unfortunately it needed a full osse
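To see why a line "MaxAuthTries 3" satisfies the check quoted in this thread while a commented-out or absent directive does not, here is an added Python re-implementation of how rootcheck evaluates a system-audit file check. This is example code written for this note, not OSSEC's own code: it approximates OSSEC's OS_Regex with Python's re module (case-insensitive), supports only r: and s: clauses, treats a path missing from the supplied dictionary as not matching, and uses a constructed audit snippet in which the $sshd_file variable is defined the way system_audit_ssh.txt defines it. The behaviour worth knowing is that an entry whose clauses are all negated, such as f:$sshd_file -> !r:MaxAuthTries;, is true only when every line of the file passes (that is, no line mentions MaxAuthTries), whereas an entry with any positive clause needs just one matching line.

```python
import re

# Constructed sample audit file: the check quoted in the thread plus the
# variable definition system_audit_ssh.txt uses for the sshd_config path.
AUDIT_TEXT = r"""
$sshd_file=/etc/ssh/sshd_config;

[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
f:$sshd_file -> r:^#\s*MaxAuthTries;
f:$sshd_file -> !r:MaxAuthTries;
"""

HEADER_RE = re.compile(r'\[(.+?)\]\s*\[(any|all)\]\s*\[(.*?)\]')


def parse_audit(text):
    """Parse $var=value; lines, [name] [any|all] [ref] headers and f: entries."""
    variables, checks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('$'):
            name, _, value = line.rstrip(';').partition('=')
            variables[name] = value
        elif line.startswith('['):
            m = HEADER_RE.match(line)
            checks.append({'name': m.group(1), 'cond': m.group(2),
                           'ref': m.group(3), 'entries': []})
        elif line.startswith('f:'):
            target, _, pattern = line[2:].rstrip(';').partition(' -> ')
            for var, val in variables.items():      # expand $sshd_file
                target = target.replace(var, val)
            checks[-1]['entries'].append((target.strip(), pattern.strip() or None))
    return checks


def clause_matches(line, clause):
    """One clause, 'r:<regex>' or 's:<substring>', optionally prefixed with '!'.
    Assumption: Python re with IGNORECASE stands in for OSSEC's own OS_Regex."""
    negate = clause.startswith('!')
    kind, _, value = clause.lstrip('!').partition(':')
    if kind == 'r':
        hit = re.search(value, line, re.IGNORECASE) is not None
    elif kind == 's':
        hit = value.lower() in line.lower()
    else:
        raise ValueError('unsupported clause: ' + clause)
    return hit != negate


def line_matches(line, pattern):
    """A line satisfies a pattern when every ' && '-separated clause holds."""
    return all(clause_matches(line, c) for c in pattern.split(' && '))


def entry_matches(lines, pattern):
    """File-entry semantics: if every clause is negated, every line of the file
    must pass (so '!r:MaxAuthTries' means 'no line mentions it'); with any
    positive clause a single matching line is enough."""
    if pattern is None:
        return True                       # bare 'f:path' only tests existence
    if all(c.startswith('!') for c in pattern.split(' && ')):
        return all(line_matches(l, pattern) for l in lines)
    return any(line_matches(l, pattern) for l in lines)


def entry_results(check, files):
    """Evaluate each entry of one check; a path absent from `files` counts as
    not matching (constructed simplification)."""
    out = []
    for target, pattern in check['entries']:
        lines = files.get(target)
        out.append(False if lines is None else entry_matches(lines, pattern))
    return out


def check_fires(check, files):
    """[any]: one true entry reports the check; [all]: every entry must be true."""
    results = entry_results(check, files)
    return any(results) if check['cond'] == 'any' else all(results)


def audit_sshd(config_text, audit_text=AUDIT_TEXT):
    """Names of the checks rootcheck would report as 'System Audit:' events."""
    files = {'/etc/ssh/sshd_config': config_text.splitlines()}
    return [c['name'] for c in parse_audit(audit_text) if check_fires(c, files)]


if __name__ == '__main__':
    for sample in ('MaxAuthTries 3', 'MaxAuthTries 6', '#MaxAuthTries 6',
                   'PasswordAuthentication no', 'MaxAuthTries 13'):
        print('%-28s -> %s' % (sample, audit_sshd(sample + '\n') or 'clean'))
```

Run against a file containing "MaxAuthTries 3" the check stays clean, so the rule syntax is not what keeps the event outstanding; "MaxAuthTries 6", "#MaxAuthTries 6" and a file with no MaxAuthTries line each fire it through a different entry. Note that the first entry's !r:3\s*$ clause only asks whether the value ends in 3, so "MaxAuthTries 13" would also be accepted; a tighter regex such as r:MaxAuthTries\s+3\s*$ in the positive form would avoid that.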
[ossec-list] Re: List of logged in users AND List of the last logged in users
The Windows systems do not have the same commands for looking at users. Your commands for looking at both logged in and last will only work on *nix platforms.

Kat

On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote:
>
> Hi dear community,
>
> I installed and configured about 10 agents, and of course I have a lot of users; I need to monitor when they are working or drinking coffee.
>
> In ossec_rules.xml I have the following rules:
>
> 530
> ossec: output: 'w'
> alert_by_email
> List of logged in users. It will not be alerted by default.
>
> 530
> ossec: output: 'last -n
> alert_by_email
> List of the last logged in users.
>
> I have Linux and Windows machines, but mail is coming just from one machine (Linux). How about the rest? What did I do wrong?
>
> I appreciate your help, and a lot of respect for the developers and community!
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later
Did you look at the maillog of your server? When were the notifications actually sent? Email may be deferred for a couple of reasons:
* greylisting
* mail server overloading or even inactivity.
If you want fast and reliable delivery, try to set up an additional notification engine. We chose Slack, but there are a couple of chat systems that can receive notifications through their API.

On Wednesday, 6 April 2016, 17:33:03 UTC+4, user thak wrote:
>
> Any idea what the likely reason would be for this? We were installing some diagnostic packages yesterday afternoon, but I didn't get email notifications until 0430 today.
>
[ossec-list] Windows Agent Compilation
Hi,

We are in the process of getting the OSSEC agents compiled on different platforms (UNIX and Windows). To start with, we were getting the Windows agent compiled and were trying it out on Windows 7 as well as Windows 2008. We followed the steps mentioned here - http://ossec-docs.readthedocs.org/en/latest/manual/installation/compile-ossec-on-windows.html. The win-pkg folders were created and it failed with the following messages at the time of make.sh.

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>make.bat

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>echo Making windows agent
Making windows agent

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\windres.exe" -i icofile.rc -o icon.o

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.8/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -I. -Iheaders/ -lwsock32
rootcheck/win-common.c: In function '__os_winreg_querykey':
rootcheck/win-common.c:212:11: warning: variable 'sub_key_name_b' set but not used [-Wunused-but-set-variable]
     TCHAR sub_key_name_b[MAX_KEY_LENGTH +1];
           ^
In file included from run_realtime.c:45:0:
headers/shared.h:181:0: warning: "os_calloc" redefined
 #define os_calloc(x,y,z) ((z = calloc(x,y)))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
 ^
run_realtime.c:29:0: note: this is the location of the previous definition
 #define os_calloc(x,y,z) (z = calloc(x,y))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
 ^
In file included from run_realtime.c:45:0:
headers/shared.h:183:0: warning: "os_strdup" redefined
 #define os_strdup(x,y) ((y = strdup(x)))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
 ^
run_realtime.c:30:0: note: this is the location of the previous definition
 #define os_strdup(x,y) (y = strdup(x))?(void)1:ErrorExit(MEM_ERROR, ARGV0)
 ^
seechanges.c: In function 'seechanges_addfile':
seechanges.c:347:5: warning: implicit declaration of function 'symlink' [-Wimplicit-function-declaration]
     if (symlink(old_location, old_tmp) == -1) {
     ^
C:\Users\ossec\AppData\Local\Temp\cc4a5eCY.o:seechanges.c:(.text+0x6f5): undefined reference to `symlink'
C:\Users\ossec\AppData\Local\Temp\cc4a5eCY.o:seechanges.c:(.text+0x75f): undefined reference to `symlink'
C:\Users\ossec\AppData\Local\Temp\cc4a5eCY.o:seechanges.c:(.text+0x7c9): undefined reference to `symlink'
collect2.exe: error: ld returned 1 exit status

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o "ossec-rootcheck" -Wall -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I. -lwsock32
rootcheck/rootcheck-config.c: In function 'Read_Rootcheck_Config':
rootcheck/rootcheck-config.c:69:18: warning: variable 'xml_time' set but not used [-Wunused-but-set-variable]
     const char *(xml_time[])={xml_rootcheck, "frequency", NULL};
                  ^
rootcheck/win-common.c: In function '__os_winreg_querykey':
rootcheck/win-common.c:212:11: warning: variable 'sub_key_name_b' set but not used [-Wunused-but-set-variable]
     TCHAR sub_key_name_b[MAX_KEY_LENGTH +1];
           ^

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o "manage_agents" -Wall -DARGV0=\"manage-agents\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.8/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I. -lwsock32 -lshlwapi

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o setup-windows -Wall os_regex/*.c -DARGV0=\"setup-windows\" -DCLIENT -DWIN32 win_service.c shared/file_op.c shared/debug_op.c setup/setup-win.c setup/setup-shared.c -Iheaders/ -I. -lwsock32

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o setup-syscheck -Wall os_regex/*.c os_xml/*.c setup/setup-syscheck.c setup/setup-shared.c -I. -Iheaders/

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o setup-iis -Wall os_regex/*.c setup/setup-iis.c -I.

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>"C:\MinGW\bin\gcc.exe" -o add-localfile -Wall os_regex/*.c setup/add-localfile.c -I.

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg>cd ui\

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg\ui>make

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pkg\ui>echo Making windows agent UI
Making windows agent UI

C:\Users\ossec\Downloads\ossec-hids-2.8.2\ossec-hids-2.8.2\src\win-pk
[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later
Hi thak,

have you enabled the 'realtime="yes"' option for the directories that you're monitoring in ?? There's probably only the frequency set to run once every few days/hours...

--
theresa

On Wednesday, 6 April 2016 15:33:03 UTC+2, thak wrote:
>
> Any idea what the likely reason would be for this? We were installing some diagnostic packages yesterday afternoon, but I didn't get email notifications until 0430 today.
>
[ossec-list] Email notification for adding new users, new packages, triggering hours later
Any idea what the likely reason would be for this? We were installing some diagnostic packages yesterday afternoon, but I didn't get email notifications until 0430 today.
[ossec-list] List of logged in users AND List of the last logged in users
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of users; I need to monitor when they are working or drinking coffee.

In ossec_rules.xml I have the following rules:

530
ossec: output: 'w'
alert_by_email
List of logged in users. It will not be alerted by default.

530
ossec: output: 'last -n
alert_by_email
List of the last logged in users.

I have Linux and Windows machines, but mail is coming just from one machine (Linux). How about the rest? What did I do wrong?

I appreciate your help, and a lot of respect for the developers and community!