OSSEC Agentless not working on AIX 7


Zohaib Tasnim

Nov 16, 2017, 1:33:45 PM11/16/17
to ossec-list
Hi All,

Any help is appreciated. thanks in advance.

I have OSSEC 2.9 installed as the manager server; with the agent all works fine, but I am facing difficulties with agentless on AIX 7. Below are my details.

ossec.config

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>5</frequency>
  <host>us...@x.x.x.x</host>
  <state>periodic</state>
  <arguments>/etc /usr/bin /usr/sbin /var/ossec/etc/ /var/ossec/bin/ /bin /sbin /boot</arguments>
</agentless>

Output from ossec.log:

2017/11/16 21:57:33 ossec-agentlessd: INFO: ssh_generic_diff: us...@x.x.x.x: Started.
2017/11/16 21:57:33 ossec-agentlessd: INFO: ssh_generic_diff: us...@x.x.x.x: Starting.
2017/11/16 21:57:33 ossec-agentlessd: INFO: ssh_generic_diff: us...@x.x.x.x: Finished.

But nothing happens, and if I try to do manual testing I get the following errors. I am using NOPASS authentication with RSA keys, and I can log in with ssh without any difficulties using the command: ssh user@IP

Running the following command to test:

sudo -u ossec expect -d agentless/ssh_generic_diff zoh...@10.1.31.24 /home

OUTPUT:

expect version 5.45
argv[0] = expect  argv[1] = -d  argv[2] = agentless/ssh_generic_diff  argv[3] = zoh...@10.1.31.24  argv[4] = /home
set argc 2
set argv0 "agentless/ssh_generic_diff"
set argv "zoh...@10.1.31.24 /home"
executing commands from command file agentless/ssh_generic_diff
spawn ssh zoh...@10.1.31.24
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {36725}

expect: does "" (spawn_id exp6) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? no
"*#"? no
Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156
Last login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim

expect: does "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n" (spawn_id exp6) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? no
"*#"? no
-bsh: PS1=osectest:$PWD>:
expect: does "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n-bsh: PS1=osectest:$PWD>: " (spawn_id exp6) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? yes
expect: set expect_out(0,string) "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n-bsh: PS1=osectest:$"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n-bsh: PS1=osectest:$"

INFO: Started.
INFO: Starting.

STORE: now
send: sending "/home\r" to { exp6 }
send: sending "exit\r" to { exp6 }
0402-026 The specified data is not a valid identifier.
$ /home
exit
/home: 0402-021 Cannot run the command as specified.
$ Connection to 10.1.31.24 closed.
expect: read eof
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "PWD>: 0402-026 The specified data is not a valid identifier.\r\n$ /home\r\nexit\r\n/home: 0402-021 Cannot run the command as specified.\r\n$ Connection to 10.1.31.24 closed.\r\r\n"

INFO: Finished.
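To see why the "*\$" prompt pattern fired on the "-bsh: PS1=osectest:$PWD>:" line rather than on the real "$ " prompt, here is an added Python replay of the script's pattern list over the three buffer snapshots in the transcript above; it is example code written for this page, not part of the original post or of OSSEC. The expect glob behaviour it models (patterns tried in list order, "*" taking the earliest-ending match) and the stricter comparison pattern "*\$ " are assumptions of the example, not anything the script or the poster states.

```python
import re
from fnmatch import fnmatchcase

# Pattern list in the order the ssh_generic_diff transcript prints it.
PATTERNS = [
    "WARNING: REMOTE HOST",
    "*sure you want to continue connecting*",
    "ssh: connect to host*",
    "no address associated with name",
    "*Connection refused*",
    "*Connection closed by remote host*",
    "* password:*",
    r"*\$",
    "*#",
]

# Buffer snapshots copied from the three "expect: does ..." lines above.
LOGIN_BANNER = ("Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\n"
                "Last login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n")
BSH_ERROR = "-bsh: PS1=osectest:$PWD>: "
# Constructed from the final expect_out(buffer): what arrived next, up to the real "$ " prompt.
AFTER_ERROR = "0402-026 The specified data is not a valid identifier.\r\n$ "
STRICT_PROMPT = r"*\$ "   # constructed comparison pattern: dollar sign plus the prompt's space


def glob(pattern, text):
    """Model of expect's unanchored glob: scan end offsets in increasing order and return
    (start, end) of the first matching substring, so '*' takes the earliest-ending match."""
    pat = re.sub(r"\\(.)", r"\1", pattern)   # Tcl escapes such as '\$' become literals
    for end in range(1, len(text) + 1):
        for start in range(end):
            if fnmatchcase(text[start:end], pat):
                return start, end
    return None


def first_match(text, patterns=PATTERNS):
    """Try the patterns in list order like expect; return (pattern, matched, rest)."""
    for pat in patterns:
        span = glob(pat, text)
        if span is not None:
            start, end = span
            return pat, text[start:end], text[end:]   # rest remains in the buffer
    return None


if __name__ == "__main__":
    for snap in ("", LOGIN_BANNER, LOGIN_BANNER + BSH_ERROR):
        print(repr(snap[-40:]), "->", first_match(snap))
    # The stricter pattern ignores the '$' inside '$PWD' and waits for the real prompt.
    print(glob(STRICT_PROMPT, LOGIN_BANNER + BSH_ERROR))
    print(glob(STRICT_PROMPT, LOGIN_BANNER + BSH_ERROR + AFTER_ERROR))
```

The third snapshot reproduces the transcript's expect_out(0,string): the match ends at the "$" of "$PWD", and "PWD>: " is what stays in the buffer, which is why "/home" and "exit" were sent before the shell had finished printing its startup errors.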