Where does agentless data go? No alerts on hash changes.


Jeff Blaine

Feb 23, 2015, 4:26:33 PM
to ossec...@googlegroups.com
I'm confused. I have a working agentless setup for my 1 test node, but I am not seeing any data in logs/alerts/alerts.log indicating that an alert was triggered when I modify files that are being integrity checked.

The stanza in the manager's ossec.conf (then I restarted ossec of course):

<agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>30</frequency>
    <host>use_sudo admin@agentless-test-rh6</host>
    <state>periodic</state>
    <arguments>/var/www</arguments>
</agentless>

On the remote host, I change the contents of a monitored file:
[root@agentless-test-rh6 log]# echo eoweho34rt34 > /var/www/html/new.txt
[root@agentless-test-rh6 log]#
I see agentlessd do its thing as reported in logs/ossec.log:

2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Login seems okay
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: use_sudo specified and 'sudo sh;' worked.
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Arguments: /var/www
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Starting.
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Finished.
Yet:

root@ossec:/var/ossec/logs# grep agentless-test-rh6 alerts/alerts.log
root@ossec:/var/ossec/logs#

If I change the contents of the monitored file again and run ssh_integrity_check_linux by hand, I see this and can confirm the hash being reported here has in fact changed and that the script is doing its work:

root@ossec:/var/ossec# sudo -u ossec agentless/ssh_integrity_check_linux use_sudo admin@agentless-test-rh6 /var/www

...
FWD: 18:600:0:0:2b7c78d8e06d2bf9c141140d08def55b:172e523b4603eecd3d18aa1d68bd4811077339fb /var/www/html/new.txt
FWD: 584:600:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
...

Any thoughts on why there's no alert recorded? I have no trouble getting hash change alerts from hosts that are running the agents.
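As an added illustration (not OSSEC's own code), this is the comparison the manager is expected to perform on those FWD: records: parse the size:perm:uid:gid:md5:sha1 path fields and report which files changed between two runs. The baseline run is constructed with placeholder hashes; the current run reuses the two lines quoted above.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Field order as printed by ssh_integrity_check_linux on the page:
#   FWD: size:perm:uid:gid:md5:sha1 path
FWD_RE = re.compile(r"^FWD: (\d+):(\d+):(\d+):(\d+):([0-9a-f]{32}):([0-9a-f]{40}) (.+)$")

FileState = NamedTuple("FileState", [("size", int), ("perm", int), ("uid", int),
                                     ("gid", int), ("md5", str), ("sha1", str)])

def parse_fwd_output(text: str) -> Dict[str, FileState]:
    """Map path -> FileState for every FWD: line; INFO: and '...' lines are ignored."""
    states = {}
    for line in text.splitlines():
        m = FWD_RE.match(line.strip())
        if m:
            size, perm, uid, gid, md5, sha1, path = m.groups()
            states[path] = FileState(int(size), int(perm), int(uid), int(gid), md5, sha1)
    return states

def diff_states(baseline: Dict[str, FileState], current: Dict[str, FileState]) -> List[Tuple[str, str]]:
    """Compare two runs and name every field that differs (what a syscheck DB check does)."""
    events = []
    for path, new in current.items():
        old = baseline.get(path)
        if old is None:
            events.append((path, "added"))
            continue
        changed = [f for f in FileState._fields if getattr(old, f) != getattr(new, f)]
        if changed:
            events.append((path, "modified:" + ",".join(changed)))
    for path in baseline.keys() - current.keys():
        events.append((path, "deleted"))
    return sorted(events)

# Constructed earlier run: new.txt with other content (placeholder hashes, not real digests).
BASELINE_RUN = """\
FWD: 6:600:0:0:0f1e2d3c4b5a69788796a5b4c3d2e1f0:00112233445566778899aabbccddeeff00112233 /var/www/html/new.txt
FWD: 584:600:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
"""
# Current run: the FWD: lines quoted in the post above.
CURRENT_RUN = """\
...
FWD: 18:600:0:0:2b7c78d8e06d2bf9c141140d08def55b:172e523b4603eecd3d18aa1d68bd4811077339fb /var/www/html/new.txt
FWD: 584:600:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
"""

if __name__ == "__main__":
    for path, event in diff_states(parse_fwd_output(BASELINE_RUN), parse_fwd_output(CURRENT_RUN)):
        print(f"{event:<24} {path}")  # modified:size,md5,sha1  /var/www/html/new.txt
```

If the same two runs produce no event on the manager side, the missing alert is in the forwarding or state-comparison path rather than in the script, which is the distinction the thread is trying to make.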

dan (ddp)

Feb 24, 2015, 8:46:25 AM
to ossec...@googlegroups.com
I use agents for systems that can run them, so I don't know. Try
turning on the logall option to see if the output ends up in
archives.log.


Jeff Blaine

Feb 24, 2015, 5:22:47 PM
to ossec...@googlegroups.com
> I use agents for systems that can run them, so I don't know. Try
> turning on the logall option to see if the output ends up in
> archives.log.

Nothing there with <logall>yes</logall>. Bummer.

Chris Young

Jul 11, 2016, 10:53:48 AM
to ossec-list
hi there,

Jeff - I see that you can get

'2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: use_sudo specified and 'sudo sh;' worked.'

out in the log.

when I try use_sudo I get no reference whatsoever.

have you managed to progress this any further? I really want to be able to run without opening root up.

I've tried 2.9RC2 as well - no joy.

Chris Young

Jul 12, 2016, 8:45:30 AM
to ossec-list
I've worked round it by not running with use_sudo but by adding an extra send command to the integrity script.

send sudo sh

this then runs the rest as root. I will be adding a check to confirm the sudo sh worked, but this at least works without having to open root up.

cheers
