Agentless monitoring


emcpa07

Apr 21, 2009, 1:38:09 PM
to ossec-list
Hello,
I'm trying to use the agentless functionality on my OpenSuse 11.1 box
and I'm receiving a timeout when ssh'ng to my host which is running
Fedora10. I'm using the ssh_integrity_check_linux and ssh_generic_diff
and both have passed the agentless test. I've tried using all
connection methods listed, NOPASS, with PASS etc... However, I can ssh
to my host using the "accounts/boxes" created using the supplied
command/script: /var/ossec/agentless/register_host.sh add ro...@xx.net
mypass1 and /var/ossec/agentless/register_host.sh add ro...@xx.net
NOPASS

any help would be appreciated.

Thanks,
Ron

pzenge

Apr 21, 2009, 7:06:52 PM
to ossec-list
I have a similar issue... Trying to use ssh_generic_diff on a couple
of Netscreen firewalls. The error in the ossec.log looks like this:

2009/04/21 15:53:27 ossec-agentlessd: ERROR: ssh_generic_diff:
os...@x.x.x.x: Timeout while connecting to host: os...@x.x.x.x

but on the Netscreens, it claims that the user ossec logged in
successfully. What's the next step to troubleshoot this timeout?



emcpa07

Apr 22, 2009, 9:13:25 AM
to ossec-list
Yep..that's exactly what I'm experiencing

davidr521

Apr 22, 2009, 3:21:12 PM
to ossec-list
That's the same issue I had when I tried to get this working with my
Cisco box in the first place...a timeout message.

Gansert, Matthew A

Apr 24, 2009, 2:10:08 PM
to ossec...@googlegroups.com
This may be a stretch, but make sure that both machines can resolve the other's FQDN. I've seen SSH connections can hang if it cannot resolve the client's name.

An entry in the hosts file or DNS may help with your problem.

I would also see if there is an existing bug file out on the OSSEC website.

Matthew Gansert

theresa mic-snare

Jul 22, 2014, 9:03:14 AM
to ossec...@googlegroups.com, emc...@gmail.com
hi there,

i have a similar problem with adding an agentless host.

in the ossec.log i found the following entry:
2014/07/22 14:43:43 ossec-agentlessd: ERROR: ssh_integrity_check_linux: os...@example.net: Password for 'os...@example.net' not found.
2014/07/22 14:43:44 ossec-agentlessd: ERROR: ssh_generic_diff: os...@example.net: Password for 'os...@example.net' not found.

I added the host by:
/var/ossec/agentless/register_host.sh add os...@example.net NOPASS

I then SCP'd the public key to the remote host
scp id_rsa.pub os...@example.net:/home/ossec/.ssh/authorized_keys2

i can even ssh to this very machine with the key mentioned above without any problems.

*Available hosts:
os...@example.net

Is there even a way to unregister a host?
if so, how?

thanks and looking forward to hearing from you,
theresa

dan (ddp)

Jul 22, 2014, 9:16:08 AM
to ossec...@googlegroups.com
On Tue, Jul 22, 2014 at 9:03 AM, theresa mic-snare
<rockpr...@gmail.com> wrote:
> hi there,
>
> i have a similar problem with adding an agentless host.
>
> in the ossec.log i found the following entry:
> 2014/07/22 14:43:43 ossec-agentlessd: ERROR: ssh_integrity_check_linux:
> os...@example.net: Password for 'os...@example.net' not found.
> 2014/07/22 14:43:44 ossec-agentlessd: ERROR: ssh_generic_diff:
> os...@example.net: Password for 'os...@example.net' not found.
>
> I added the host by:
> /var/ossec/agentless/register_host.sh add os...@example.net NOPASS
>
> I then SCP'd the public key to the remote host
> scp id_rsa.pub os...@example.net:/home/ossec/.ssh/authorized_keys2
>

Does the OSSEC manager have access to the keys in order to connect?

> i can even ssh to this very machine with the key mentioned above without any
> problems.
>
> *Available hosts:
> os...@example.net
>
> Is there even a way to unregister a host?
> if so, how?
>

Delete it from /var/ossec/agentless/.passlist I think.

> thanks and looking forward to hearing from you,
> theresa

theresa mic-snare

Jul 22, 2014, 9:23:14 AM
to ossec...@googlegroups.com
Hi dan,

thanks for your speedy reply.

Hmm, the keys and even the .ssh directory belong to user and group ossec:
-rw-------. 1 ossec ossec 1675 22. Jul 09:17 id_rsa
-rw-r--r--. 1 ossec ossec  407 22. Jul 09:17 id_rsa.pub

I create the keys like this:
sudo -u ossec ssh-keygen

thanks,
theresa

dan (ddp)

Jul 22, 2014, 10:00:46 AM
to ossec...@googlegroups.com
On Tue, Jul 22, 2014 at 9:23 AM, theresa mic-snare
<rockpr...@gmail.com> wrote:
> Hi dan,
>
> thanks for your speedy reply.
>
> Hmm, the keys and even the .ssh directory belong to user and group ossec:
> -rw-------. 1 ossec ossec 1675 22. Jul 09:17 id_rsa
> -rw-r--r--. 1 ossec ossec 407 22. Jul 09:17 id_rsa.pub
>
> I create the keys like this:
>
> sudo -u ossec ssh-keygen
>

Verify the .passlist looks something like:
os...@example.net|NOPASS|

Check that your configuration has <host>os...@example.net</host>, not
just example.net.

What happens if you try running the commands manually?

cd /var/ossec
expect agentless/ssh_integrity_check_linux os...@example.net /etc

theresa mic-snare

Jul 22, 2014, 10:09:44 AM
to ossec...@googlegroups.com
Thank you very much Dan!
you pointed me into the right direction :)

I had in my configuration <host>os...@example.net</host>

and registered i had only ossec@example

so this didn't match.
corrected the ossec.conf and reloaded ossec

now the ossec.log confirmed that it works:
2014/07/22 16:06:25 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_linux'.
2014/07/22 16:06:26 ossec-agentlessd: INFO: Test passed for 'ssh_generic_diff'.

Many thanks for helping me out.
I'm documenting this right now, because I'm basing my Bachelor thesis on OSSEC :)
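
Added example, not part of the thread and not OSSEC's own code: a shell check for the mismatch resolved above, where the `<host>` value in ossec.conf has to be the same user@host string that was registered in `.passlist`. The function names, the trimmed sample files and all host names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OSSEC code): cross-check ossec.conf <host> values
# against the entries registered in agentless/.passlist.

# Print each <host> value in an ossec.conf-style file, one per line.
config_hosts() {
    sed -n 's:.*<host>\([^<]*\)</host>.*:\1:p' "$1" | sort -u
}

# Print the first '|'-separated field (user@host) of each .passlist line.
registered_hosts() {
    awk -F'|' 'NF > 1 && $1 != "" { print $1 }' "$1" | sort -u
}

# Print configured hosts with no exactly matching .passlist entry.
unregistered_hosts() {
    for h in $(config_hosts "$1"); do
        registered_hosts "$2" | grep -Fxq -- "$h" || printf '%s\n' "$h"
    done
}

# Print configured hosts written without a "user@" part.
hosts_without_user() {
    config_hosts "$1" | grep -v '@' || true
}

# Constructed sample files, trimmed to the fields the check reads.
write_sample() {
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <host>monitor@hmc1.example.net</host>
  </agentless>
  <agentless>
    <type>ssh_generic_diff</type>
    <host>fw1.example.net</host>
  </agentless>
</ossec_config>
EOF
    printf '%s\n' 'monitor@hmc1|NOPASS|' 'monitor@fw1.example.net|NOPASS|' > "$1/.passlist"
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "Not registered: $(unregistered_hosts "$tmp/ossec.conf" "$tmp/.passlist" | tr '\n' ' ')"
echo "Missing user@:  $(hosts_without_user "$tmp/ossec.conf")"
rm -rf "$tmp"
```

On a real manager, point the functions at /var/ossec/etc/ossec.conf and /var/ossec/agentless/.passlist; reading .passlist normally requires root.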

dan (ddp)

Jul 22, 2014, 10:12:37 AM
to ossec...@googlegroups.com
On Tue, Jul 22, 2014 at 10:09 AM, theresa mic-snare
<rockpr...@gmail.com> wrote:
> Thank you very much Dan!
> you pointed me into the right direction :)
>
> I had in my configuration <host>os...@example.net</host>
>
> and registered i had only ossec@example
>
> so this didn't match.
> corrected the ossec.conf and reloaded ossec
>
> now the ossec.log confirmed that it works:
> 2014/07/22 16:06:25 ossec-agentlessd: INFO: Test passed for
> 'ssh_integrity_check_linux'.
> 2014/07/22 16:06:26 ossec-agentlessd: INFO: Test passed for
> 'ssh_generic_diff'.
>

Glad that helped. I don't use agentless, so it took me a while to
figure that out.

> Many thanks for helping me out.
> I'm documenting this right now, because I'm basing my Bachelor thesis on
> OSSEC :)
>

That's great. Don't hesitate to post if you have other issues.

theresa mic-snare

Jul 22, 2014, 10:17:12 AM
to ossec...@googlegroups.com
unfortunately i have to use agentless because of some appliances (IBM hardware management console HMC) i don't have root access or sudo there.
also analysing these non-standardized logfiles will probably be a major pain in the ass.
i will post the customized rules and decoders, once i'm finished.

also i'm writing my thesis in english, so if you'd like to read the final version in january then just let me know ;)

dan (ddp)

Jul 22, 2014, 10:41:31 AM
to ossec...@googlegroups.com
On Tue, Jul 22, 2014 at 10:17 AM, theresa mic-snare
<rockpr...@gmail.com> wrote:
> unfortunately i have to use agentless because of some appliances (IBM
> hardware management console HMC) i don't have root access or sudo there.
> also analysing these non-standardized logfiles will probably be a major pain
> in the ass.
> i will post the customized rules and decoders, once i'm finished.
>

That would be great!

> also i'm writing my thesis in english, so if you'd like to read the final
> version in january then just let me know ;)
>

Yes please, I'm very interested.

theresa mic-snare

Jul 22, 2014, 4:11:37 PM
to ossec...@googlegroups.com
just found out, that the integrity checks even with the agentless setup are not working, because on this remote box I only have a VERY restricted shell.
this means, i can't even run a "find" or md5sum ...
how on earth should i possibly run a file integrity check with such a restricted environment :(

cool, I will email you a first draft, once I've some progress ;)

dan (ddp)

Jul 23, 2014, 7:53:52 AM
to ossec...@googlegroups.com
On Tue, Jul 22, 2014 at 4:11 PM, theresa mic-snare
<rockpr...@gmail.com> wrote:
> just found out, that the integrity checks even with the agentless setup are
> not working, because on this remote box I only have a VERY restricted shell.
> this means, i can't even run a "find" or md5sum ...
> how on earth should i possibly run a file integrity check with such a
> restricted environment :(
>

If you don't have access to any tools, you're not going to be able to do much.