ssh_asa-fwsmconfig_diff


Yurii Shatylo

Mar 16, 2016, 11:24:29 AM
to ossec-list
Dear Colleagues,

Could you give me a hand with my issue?
I've put credentials into ssh_asa-fwsmconfig_diff and as a result I got (2016/03/16 11:29:13 ossec-agentlessd: INFO: Test passed for 'ssh_asa-fwsmconfig_diff). After that I deleted an ACL on the Cisco ASA but nothing happened. It seems the script which produces the difference is not working.
Here is my general config file:

<agentless>
  <type>ssh_asa-fwsmconfig_diff</type>
  <frequency>300</frequency>
  <host>user...@192.168.0.1</host>
  <state>periodic_diff</state>
</agentless>

Thank you in advance.
Yurii

Brent Morris

Mar 17, 2016, 11:21:35 AM
to ossec-list
Hi Yurii,

Did you use the register_host.sh script as documented at http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html ? If so, there should be a file called .passlist in the /var/ossec/agentless folder. Open that file and ensure the information is correct.

You can test your agentless with this method.

Be sure your current working directory is /var/ossec:

pwd
/var/ossec

From there:

./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1

Check the output and see where the trouble is.

Hope this helps!!!

-Brent

Yurii Shatylo

Mar 26, 2016, 12:21:00 PM
to ossec-list
Hi Brent!

I have provided the authentication information following the document. As a result I got:


After that I started ./ssh_asa-fwsmconfig_diff isha...@192.168.1.1 but got an error:

ERROR: Password list not present (use "register_host" first)

Do you know how to fix it?

Yurii 

Yurii Shatylo

Mar 28, 2016, 6:46:49 AM
to ossec...@googlegroups.com
Dear Colleagues,

Some time ago I set up Cisco ASA agentless monitoring. After Brent's clarification I found out that I had missed some settings, which I have now successfully set up. When the settings were implemented I tried to check with the "./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1" command but the result was unsuccessful. The first authentication level is OK but when the script pushed the "enable" command I got an error:

enable
Password:
Invalid password
Password: ERROR: Incorrect enable password to remote host: isha...@192.168.0.1

I guess it is connected with some missing information in the script, or maybe something else. Could you please help me?

Thank you in advance.


KR, Yurii

--
Best regards,
Yurii

Eero Volotinen

Mar 28, 2016, 6:57:23 AM
to ossec-list
You need to configure the correct enable password in Cisco and in the script too (or in the password list).

--
Eero


Yurii Shatylo

Mar 28, 2016, 7:04:55 AM
to ossec...@googlegroups.com
Hello,

The Cisco settings are set up correctly because I can manually log on to the ASA without any issues and run the command "show ran conf".
Do you know which line has to be configured in the script? In the password list I have registered the login and password with "register_host.sh" and I successfully authenticate (without ENABLE mode) when I start checking the script. I only have an issue with the ENABLE mode password.

KR, Yurii

Eero Volotinen

Mar 28, 2016, 7:11:04 AM
to ossec-list
You need to supply both passwords to register_host.sh.

--
Eero

Yurii Shatylo

Mar 28, 2016, 7:15:28 AM
to ossec...@googlegroups.com
Did you mean I need to add a second line to .passlist with the same credentials for ENABLE mode?

KR, Yurii 

Eero Volotinen

Mar 28, 2016, 7:32:52 AM
to ossec-list

Please read the docs and scripts used for this functionality. You need to supply the enable password too.

Yurii Shatylo

Mar 28, 2016, 8:07:17 AM
to ossec...@googlegroups.com
I have read ossec-docs but found nothing about how to set user credentials for enable mode. If you know, please send me the doc.
Thank you in advance.

KR, Yurii

dan (ddp)

Mar 28, 2016, 8:47:02 AM
to ossec...@googlegroups.com
On Mon, Mar 28, 2016 at 8:07 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> I have read ossec-docs but nothing found about how to set user credentials
> for enables mode. If you know, please send me the doc.
> Thank you in advance.
>

http://ossec.github.io/docs/manual/agent/agentless-monitoring.html?highlight=agentless#getting-started-with-agentless
I haven't tested it or anything, but the above link mentions
enablepass being added when you add the agentless host.

Yurii Shatylo

Mar 28, 2016, 10:00:29 AM
to ossec...@googlegroups.com
I did it when I added the host (ASA).
In my file called .passlist I have the following record: user...@192.168.0.1|password|enablepass
When I start checking I get an error only with enable authentication; the first authentication is OK.
Also I tried to put the enable password into ssh_asa... but without success.

KR,
Yurii 
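
An added example, not part of the thread and not OSSEC's own code: a Python check that audits the .passlist record for one host and reports structural problems without printing any secret. It assumes the pipe-delimited record format quoted in the post above (user@host|password|enablepass); the function name `audit_passlist`, the sample hosts and the sample secrets are hypothetical.

```python
import os
import stat
import tempfile


def audit_passlist(path, host):
    """Return findings for `host` in an agentless .passlist file.

    Assumed record format (taken from the thread): user@host|password|enablepass
    Only flags are reported; the secrets themselves are never returned.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:04o} exposes cleartext credentials to group/other")
    # newline="" keeps a trailing \r (file edited on Windows) visible
    with open(path, newline="") as fh:
        records = [ln.rstrip("\n") for ln in fh if ln.startswith(host + "|")]
    if not records:
        return findings + [f"no record for {host}"]
    if len(records) > 1:
        findings.append(f"{len(records)} records for {host}")
    for rec in records:
        secrets = rec.split("|")[1:]
        if len(secrets) != 2:
            findings.append(f"expected 2 secret fields, found {len(secrets)} "
                            "(enable password missing, or '|' inside a password)")
            continue
        for name, value in zip(("login", "enable"), secrets):
            if not value:
                findings.append(f"{name} password is empty")
            elif value != value.strip():
                findings.append(f"{name} password has stray whitespace or a carriage return")
    return findings


if __name__ == "__main__":
    # Constructed sample records (documentation addresses, made-up secrets).
    with tempfile.NamedTemporaryFile("w", suffix=".passlist", newline="", delete=False) as fh:
        fh.write("admin@192.0.2.1|loginpw|enablepw\n")    # well-formed
        fh.write("admin@192.0.2.2|loginpw\n")             # no enable field
        fh.write("admin@192.0.2.3|loginpw|enablepw\r\n")  # CRLF line ending
    for h in ("admin@192.0.2.1", "admin@192.0.2.2", "admin@192.0.2.3"):
        print(h, audit_passlist(fh.name, h) or "OK")
    os.unlink(fh.name)
```

An empty list means the record has both secret fields and no stray whitespace; it does not prove the stored enable password matches the one configured on the device.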

dan (ddp)

Mar 28, 2016, 11:53:07 AM
to ossec...@googlegroups.com
On Mon, Mar 28, 2016 at 10:00 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> I have done it when I added host (ASA).
> In my file called .passlist I have the following record:
> user...@192.168.0.1|password|enablepass
> When I start checking I got error only with enable authentication, the first
> authentication is OK.
> Also I tried to put enable password to ssh_asa... but without successful
> result.
>

Somewhere after line 71 in the expect script, you could print out the
$addpass to make sure it's using the correct password.

Brent Morris

Mar 28, 2016, 12:51:30 PM
to ossec-list
When you use a standard SSH client and go into enable mode, does it have an uppercase P on password?

I vaguely recall an issue with the case sensitivity of that script. 

send "enable\r"
expect {
    "Password:" {
        send "$addpass\r"
        expect {

I believe that should be....

send "enable\r"
expect {
    "*assword:" {
        send "$addpass\r"
        expect {

I've seen PIX and ASAs go both ways with upper and lower case P's....

Let me know!

Yurii Shatylo

Mar 28, 2016, 2:09:47 PM
to ossec...@googlegroups.com
Hi Brent,

I have modified the configuration and now it looks like this:

# Going into enable mode.
send "enable\r"
expect {
    "*assword:" {
        send "$addpass\r"
        expect {
            "*asswor*" {
                send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
                exit 1;

When I ran the test I got the same:

fw-415-1/pri/act> INFO: Starting.
enable
Password: **********
Invalid password
Password: ERROR: Incorrect enable password to remote host: isha...@192.168.0.1 .


KR, Yurii

dan (ddp)

Mar 28, 2016, 2:11:18 PM
to ossec...@googlegroups.com
On Mon, Mar 28, 2016 at 2:09 PM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> Hi Brent,
>
> I have modified configuration and now it looks:
>
> # Going into enable mode.
> send "enable\r"
> expect {
> "*assword:" {
> send "$addpass\r"
> expect {
> "*asswor*" {
> send_user "ERROR: Incorrect enable password to remote host:
> $hostname .\n"
> exit 1;
>
> When I have pushed the testing I got the same:
>
> fw-415-1/pri/act> INFO: Starting.
> enable
> Password: **********
> Invalid password
> Password: ERROR: Incorrect enable password to remote host:

Are you using special characters in the password? I wonder if they
could be conflicting with expect in some strange way.

Yurii Shatylo

Mar 28, 2016, 2:33:01 PM
to ossec...@googlegroups.com
Yes, I am using.

KR,
Yurii

Yurii Shatylo

Mar 31, 2016, 10:51:53 AM
to ossec-list
Dear Colleagues,

I have done everything mentioned but nothing helped. Now I have an enable password with digits and letters, without special symbols.
After testing I got the same error. Do you know what's wrong?

Yurii   

dan (ddp)

Mar 31, 2016, 10:59:17 AM
to ossec...@googlegroups.com
On Thu, Mar 31, 2016 at 10:51 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> Dear Colleagues,
>
> I have done all mentions but nothing is helped. Now I have enable password
> with digits and letters without special symbols.
> After the testing I have got the same error. Do you know what's wrong?
>

Did you try printing out the password it uses in the script to see if
it's the correct one?


Yurii Shatylo

Mar 31, 2016, 11:05:12 AM
to ossec...@googlegroups.com
I have checked that the password in *.passlist is the correct password and everything looks OK.
I'm sorry, but I didn't understand what you mean by printing out the password. Could you please clarify in more detail what I should do?

Yurii 

--
Best regards,
Yurii

dan (ddp)

Mar 31, 2016, 11:08:15 AM
to ossec...@googlegroups.com
On Thu, Mar 31, 2016 at 11:05 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> I have checked password is the correct password in *.passlist and everything
> looks like OK.
> I'm sorry but I didn't understand what do you mean about print out password?
> Could you please clarify more detail what I should do?
>

Add a line to the ssh_asa-fwsmconfig_diff script to print out the
password before it is used. I'm not familiar enough with expect to
know whether it needs to be printed out after it's read but before the
connection starts, but that's probably where I'd put it.

Yurii Shatylo

Mar 31, 2016, 11:23:39 AM
to ossec...@googlegroups.com
When I put the clear password into the script I got an error related to a timeout while running enable on the host.
This is a very fantastic situation :-(
Yurii

dan (ddp)

Mar 31, 2016, 11:36:47 AM
to ossec...@googlegroups.com
On Thu, Mar 31, 2016 at 11:23 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> when I have put clear password to script I have got error related to timeout
> while running enable on host.
> This is very fantastic situation :-(
> Yurii
>

Assuming this means you added a statement to print the enable
password, how did you do it?
It should be (at line 72), something like:
send_user "DEBUG: $addpass\n"

Then run the script manually. If you could, copy the output and send
it to us (Change the password it prints to X's).

Troubleshooting agentless stuff is very difficult. We don't have
access to your systems, and probably don't have access to similar
systems.
That combined with likely language barriers and the
speed/incompleteness of email, it gets very difficult.

Yurii Shatylo

Mar 31, 2016, 11:44:19 AM
to ossec...@googlegroups.com
I've fixed the issue. 
I had as you sent me.

And I have:

send "enable 3\r"
expect {
    "*assword:" {
        send "$pass\r"
#        send "$addpass\r"


dan (ddp)

Mar 31, 2016, 11:48:54 AM
to ossec...@googlegroups.com
On Thu, Mar 31, 2016 at 11:44 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> I've fixed the issue.
> I had as you sent me.
>
> And I have:
>
> send "enable 3\r"
> expect {
> "*assword:" {
> send "$pass\r"
> # send "$addpass\r"
>

Are you using the same password for logging in and getting into the enable mode?

Yurii Shatylo

Mar 31, 2016, 11:52:26 AM
to ossec...@googlegroups.com
Yes, I wrote about that before.
I asked my network colleagues to set up the same password to avoid some issues.

Do you know how I can monitor the execution status of this script? Where can I find the result?

Thank you in advance. 

dan (ddp)

Mar 31, 2016, 11:58:34 AM
to ossec...@googlegroups.com
On Thu, Mar 31, 2016 at 11:52 AM, Yurii Shatylo <yuriis...@gmail.com> wrote:
> yes, I have written about before,
> I asked my network colleagues to setup the same password to avoid some
> issues.
>

It would still be interesting to know why the addpass didn't work.

> Do you know how can I monitor status of execution this script. Where can I
> find out about result?
>

I don't, sorry. I don't use the agentless feature.

Yurii Shatylo

Apr 1, 2016, 8:25:20 AM
to ossec-list
Hello All,

Now I have successfully logged on to the ASA in enable mode. Before that I put this configuration into the OSSEC global configuration:

<agentless>
  <type>ssh_asa-fwsmconfig_diff</type>
  <frequency>300</frequency>
  <host>user...@192.168.0.1</host>
  <state>periodic_diff</state>
</agentless>

What is the next stage? Where can I find the result of the ASA script?

Yurii Shatylo

Apr 11, 2016, 9:31:03 AM
to ossec-list
Hello All.

Do you have any recommendation?