OSSEC Agentless Questions


Keith

Sep 15, 2016, 10:37:18 AM
to ossec-list
Hey Everyone,

I have two questions related to agentless configurations. I can't seem to find a good answer on either.

First Question:

How do I remove a host from the ossec agentless config? I did remove it from ossec.conf and from .passlist but the hosts are still showing. Two of them were typos I'd like to remove. Output from syscheck:

# ./bin/syscheck_control -l

OSSEC HIDS syscheck_control. List of available agents:
<hosts removed>

List of agentless devices:
   ID: na, Name: (ssh_asa-fwsmconfig_diff) ssecb...@X.X.X.X, IP: X.X.X.X, agentless
   ID: na, Name: (ssh_pixconfig_diff) ssecb...@X.X.X.X, IP: X.X.X.X, agentless
   ID: na, Name: (ssh_asa-fwsmconfig_diff) ossecb...@X.X.X.X, IP: X.X.X.X, agentless

The red devices I need to remove as they are typos.

Second Question:

The final host in the agentless output is correct but ossec is not logging into the host. I am getting the following error:
# ./agentless/ssh_asa-fwsmconfig_diff ossecb...@X.X.X.X
ERROR: Password for 'ossecb...@X.X.X.X' not found.

Output from the .passlist file
# cat agentless/.passlist 
ossecb...@X.X.X.X|<passwordwasherebutIremovedit>

Manually logging into the target switch using the ossec account
# ssh ossecb...@X.X.X.X
<warning banner here but removed for brevity>
Password: 
router# exit
Connection to X.X.X.X closed.

dan (ddp)

Sep 15, 2016, 10:46:08 AM
to ossec...@googlegroups.com
On Thu, Sep 15, 2016 at 10:35 AM, Keith <enfor...@gmail.com> wrote:
> Hey Everyone,
>
> I have two questions related to agentless configurations. I can't seem to
> find a good answer on either.
>
> First Question:
>
> How do I remove a host from the ossec agentless config? I did remove it
> from ossec.conf and from .passlist but the hosts are still showing. Two of
> them were typos I'd like to remove. Output from syscheck:
>
> # ./bin/syscheck_control -l
>
> OSSEC HIDS syscheck_control. List of available agents:
> <hosts removed>
>
> List of agentless devices:
> ID: na, Name: (ssh_asa-fwsmconfig_diff) ssecb...@X.X.X.X, IP: X.X.X.X,
> agentless
> ID: na, Name: (ssh_pixconfig_diff) ssecb...@X.X.X.X, IP: X.X.X.X,
> agentless
> ID: na, Name: (ssh_asa-fwsmconfig_diff) ossecb...@X.X.X.X, IP:
> X.X.X.X, agentless
>
> The red devices I need to remove as they are typos.
>

Do files exist for these systems in /var/ossec/queue/syscheck? If so,
remove the files (you may have to restart the OSSEC processes on the
server).

> Second Question:
>
> The final host in the agentless output is correct but ossec is not logging
> into the host. I am getting the following error:
> # ./agentless/ssh_asa-fwsmconfig_diff ossecb...@X.X.X.X
> ERROR: Password for 'ossecb...@X.X.X.X' not found.
>
> Output from the .passlist file
> # cat agentless/.passlist
> ossecb...@X.X.X.X|<passwordwasherebutIremovedit>
>

Is there a pipe ("|") at the end of that line? If not, that seems to
provide that error for me.

> Manually logging into the target switch using the ossec account
> # ssh ossecb...@X.X.X.X
> <warning banner here but removed for brevity>
> Password:
> router# exit
> Connection to X.X.X.X closed.
>
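
An added example (not part of the thread and not OSSEC code): a shell check that flags .passlist entries lacking the trailing "|" that the reply above asks about. The function name check_passlist and the sample entries are made up for illustration; it prints only the user@host field, never the password.

```shell
#!/bin/sh
# check_passlist FILE
#   stdout: one "line N: <user@host>: <reason>" per suspect entry
#   status: 0 = every entry ends with "|", 1 = suspect entries, 2 = unreadable
check_passlist() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /^[ \t]*$/ { next }                      # ignore blank lines
        {
            if (index($0, "|") == 0) {
                # No separator at all: do not echo the line, it may hold a secret.
                host = "(unparsed)"; why = "no \"|\" separator"
            } else {
                host = $0; sub(/[|].*/, "", host)   # text before the first pipe
                if ($0 ~ /\r$/)        why = "ends with a carriage return, not \"|\""
                else if ($0 !~ /[|]$/) why = "no trailing \"|\""
                else next                            # entry ends with a pipe
            }
            printf "line %d: %s: %s\n", NR, host, why
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: addresses and passwords are invented.
sample=$(mktemp)
printf 'user1@192.0.2.10|examplepw|\nuser2@192.0.2.11|examplepw\n' > "$sample"
check_passlist "$sample" || echo "fix the entries listed above, then re-test the agentless script"
rm -f "$sample"
```

On a real server the argument would be the agentless/.passlist file shown in the thread.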