syscheck error


Cooper

Apr 16, 2018, 2:08:02 PM
to ossec-list
I am getting the following error from syscheckd when starting up OSSEC 2.9.3:

2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh'.
2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh/'.

Inside of my ossec.conf file, I have this line, which seems to be generating the error:

<directories check_all="yes">/home/*/.ssh/</directories>

Any idea what is invalid about that pattern?

Cooper

Apr 22, 2018, 9:50:45 PM
to ossec-list
Any idea?

dan (ddp)

Apr 23, 2018, 2:53:13 PM
to ossec...@googlegroups.com

I don't think globs are valid in the syscheck configuration.

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cooper Graf

Apr 23, 2018, 6:05:56 PM
to ossec...@googlegroups.com
Is there documentation that explains what a glob is? This worked fine with 2.7. 


dan (ddp)

Apr 23, 2018, 6:27:02 PM
to ossec...@googlegroups.com
On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf <coope...@gmail.com> wrote:
> Is there documentation that explains what a glob is? This worked fine with
> 2.7.
>

I don't think so. I just tried it on a 3.x system and didn't get the
error. Still waiting on results to see if it checks properly.

<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>1800</frequency>
<auto_ignore>no</auto_ignore>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<directories check_all="yes">/var/test</directories>
<directories check_all="yes">/var/test2</directories>
<directories check_all="yes">/home/*/.ssh</directories>

ix# grep home /var/ossec/logs/ossec.log
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddp/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum | sha256sum.


And on a slightly older agent:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<directories check_all="yes">/home/*/.ssh</directories>

root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha1sum.
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory: '/home/checker/.ssh', with options perm | size | owner | group | md5sum | sha1sum.

dan (ddp)

Apr 23, 2018, 6:29:20 PM
to ossec...@googlegroups.com
Hit send too early, the files were successfully checked and catalogued
on this system.

Cooper Graf

Apr 23, 2018, 6:35:08 PM
to ossec...@googlegroups.com
Haha hmm. So any idea why it's throwing an error for me? Is a new release slated to come out soon?

dan (ddp)

Apr 23, 2018, 6:43:09 PM
to ossec...@googlegroups.com
On Mon, Apr 23, 2018 at 6:34 PM, Cooper Graf <coope...@gmail.com> wrote:
> Haha hmm. So any idea why it's throwing an error for me? Is a new release
> slated to come out soon?
>

It's supposed to be soon, I'll have to prod the release manager.
It happens in glob() somewhere, but I haven't looked at it further
than that yet.
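As an added example (not part of this thread and not OSSEC's own code), the script below previews what a syscheck <directories> entry such as /home/*/.ssh would resolve to on the host, and emits the explicit one-line-per-directory fallback for a build that rejects the pattern. It uses Python's glob module, which applies the same shell-style wildcard rules as the C glob(3) call syscheckd uses, so the expansion shows what the pattern means rather than what any particular OSSEC release accepts. The ossec.conf fragment and the /home tree in demo() are constructed for the example; pass the path of a real ossec.conf to preview that instead.

```python
"""Preview how OSSEC syscheck <directories> entries with a glob expand, and
emit an explicit per-directory fallback for a build that rejects the pattern.

Added example for this thread, not OSSEC's own code. SAMPLE_CONF and the
/home tree built by demo() are constructed here for illustration.
"""
import glob
import os
import re
import sys
import tempfile

# ossec.conf may hold several top-level <ossec_config> blocks, which a strict
# XML parser rejects, so the entries are pulled out with a regex instead.
DIRECTORIES_RE = re.compile(r"<directories\b([^>]*)>(.*?)</directories>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
GLOB_CHARS = "*?["

# Constructed configuration fragment for the demo.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>1800</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <directories check_all="yes">/home/*/.ssh/</directories>
  </syscheck>
</ossec_config>
"""


def is_glob(pattern):
    """True if the entry contains shell wildcard characters."""
    return any(c in pattern for c in GLOB_CHARS)


def parse_directories(conf_text):
    """Return (pattern, attributes) pairs for every comma-separated path in
    every <directories> element, with trailing slashes removed."""
    entries = []
    for attrs, body in DIRECTORIES_RE.findall(conf_text):
        attr_dict = dict(ATTR_RE.findall(attrs))
        for raw in body.split(","):
            pattern = raw.strip()
            if pattern:
                entries.append((pattern.rstrip("/") or "/", attr_dict))
    return entries


def expand_pattern(pattern, root=""):
    """Resolve one entry to the directories that exist right now. `root` is an
    optional prefix so the demo can run against a scratch tree instead of the
    real /home. As in the shell, '*' does not match dot-entries, so
    /home/*/.ssh skips hidden home directories."""
    return sorted(p for p in glob.glob(root + pattern) if os.path.isdir(p))


def expand_config(conf_text, root=""):
    """Map every configured pattern to its current matches; a literal path
    that does not exist maps to an empty list."""
    return {pattern: expand_pattern(pattern, root)
            for pattern, _ in parse_directories(conf_text)}


def explicit_directories(conf_text, root=""):
    """Rewrite the entries as one <directories> line per concrete path, keeping
    each element's attributes. Globs are expanded once, at generation time, so
    re-run this when users are added; literal paths are kept even if absent,
    since syscheckd reports those itself."""
    lines = []
    for pattern, attrs in parse_directories(conf_text):
        attr_text = "".join(f' {k}="{v}"' for k, v in sorted(attrs.items()))
        targets = expand_pattern(pattern, root) if is_glob(pattern) else [root + pattern]
        for path in targets:
            shown = path[len(root):]  # drop the scratch prefix, if any
            lines.append(f"<directories{attr_text}>{shown}</directories>")
    return lines


def demo():
    """Run the expansion against a constructed tree: two users with ~/.ssh, one
    without, an /etc, and no /usr/bin, so the glob and a missing literal path
    are both exercised offline."""
    with tempfile.TemporaryDirectory() as root:
        for user in ("ansible", "ddp"):
            os.makedirs(os.path.join(root, "home", user, ".ssh"))
        os.makedirs(os.path.join(root, "home", "nokeys"))
        os.makedirs(os.path.join(root, "etc"))
        expanded = {pattern: [p[len(root):] for p in paths]
                    for pattern, paths in expand_config(SAMPLE_CONF, root).items()}
        lines = explicit_directories(SAMPLE_CONF, root)
    return {"expanded": expanded, "lines": lines}


def report(expanded, lines):
    for pattern, paths in expanded.items():
        print(f"{pattern!r:24} -> {paths or 'no match'}")
    print("\n".join(lines))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 preview_syscheck.py /var/ossec/etc/ossec.conf
        with open(sys.argv[1]) as fh:
            conf = fh.read()
        report(expand_config(conf), explicit_directories(conf))
    else:
        result = demo()
        report(result["expanded"], result["lines"])
```

The generated lines are a snapshot: if home directories are created later, the pattern form would pick them up on the next scan while the explicit list would not, so anyone using the fallback needs to regenerate it (or add the new user's directory by hand) as part of account provisioning.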