Disable the ossec-agent for OS updates.
264 views
Skip to first unread message
andrii.p...@gmail.com
May 23, 2017, 3:37:41 PM5/23/17
to ossec-list
I am going to update my Linux servers and I tried to disable the ossec-agent for this time.
I was the following workarounds:
1. stop agent on a host
2. run /var/ossec/bin/syscheck_control -u AGENT_ID
3. update
4. up agent
But after start agent I got lots of trigger "new files in the server" alarms.
How to properly disable the ossec-agent on a host during the Linux update or for modifying files?
I was the following workarounds:
1. stop agent on a host
2. run /var/ossec/bin/syscheck_control -u AGENT_ID
3. update
4. up agent
But after start agent I got lots of trigger "new files in the server" alarms.
(alert_new_file - yes)How to properly disable the ossec-agent on a host during the Linux update or for modifying files?
Pedro Sanchez
May 24, 2017, 11:28:45 AM5/24/17
to ossec...@googlegroups.com
Hi,
If you want to disable syscheck component for specific folders, you could push an <ignore> setting for syscheck block using agent.conf centralized configuration.
For example, you could ignore something like:
<ignore>/etc/</ignore>
Reference here.
Same way you could totally disable syscheck using <disabled> setting.
When the OS update be done, modify again agent.conf to restore back the configuration.
To prevent alerts for "new file" you could:
/var/ossec/bin/syscheck_control -u AGENT_ID
Remove .cpt files in /var/ossec/queue/syscheck
Restart Manager.
I hope someone could add more ideas for this use case.
Best,
Pedro.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
andrii.p...@gmail.com
May 31, 2017, 12:12:24 PM5/31/17
to ossec-list
Hi, Pedro.
I tested it again few days ago. I followed the next steps:
1. Stop agent on the host.
2. update OS or what are you going to do?
3. run /var/ossec/bin/syscheck_control -u AGENT_ID - on the ossec-server
4. restart ossec-server ( In my case : systemct restart ossec-hids )
5. start agent on the host.
It works well. I did not get any alerts.
I tested it again few days ago. I followed the next steps:
1. Stop agent on the host.
2. update OS or what are you going to do?
3. run /var/ossec/bin/syscheck_control -u AGENT_ID - on the ossec-server
4. restart ossec-server ( In my case : systemct restart ossec-hids )
5. start agent on the host.
It works well. I did not get any alerts.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
Pedro Sanchez
May 31, 2017, 1:22:24 PM5/31/17
to ossec...@googlegroups.com
Great! Good to know its working!
Thanks for coming back to tell us.
I believe we will develop a easier way to do this on the future, something like "Disable Syscheck for 2h starting day 05/20/2017" for example, so we can plan massive upgrades on a enterprise environment.
Best,
Pedro.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
0x2A
Jun 1, 2017, 10:43:56 AM6/1/17
to ossec...@googlegroups.com
Hi,
It might be better to adjust the rule level temporarily, to disable alerting but still generate logs.andrii.p...@gmail.com
Jun 2, 2017, 3:45:20 AM6/2/17
to ossec-list
It will be great if you implement this.
I'll wait with impatience.
I'll wait with impatience.
dan (ddp)
Jun 2, 2017, 4:06:09 PM6/2/17
to ossec...@googlegroups.com
We have a pull request to allow for a whitelist of hashes to be stored
in an sqlite database. I think Wazuh already has this feature.
(https://github.com/ossec/ossec-hids/pull/1091)
You could pre-populate it with the appropriate hashes before an upgrade.
in an sqlite database. I think Wazuh already has this feature.
(https://github.com/ossec/ossec-hids/pull/1091)
You could pre-populate it with the appropriate hashes before an upgrade.
Reply all
Reply to author
Forward
0 new messages