Still having problems with OSSEC 2.8 on FreeBSD 10.3


Eponymous -

Dec 3, 2016, 4:54:55 PM12/3/16
to ossec-list
Hi all,

I've had many problems getting the OSSEC agent to start up correctly on FreeBSD 10.3 (see: https://groups.google.com/forum/#!topic/ossec-list/VDT4cTObDPQ - "Chroot directory change option".) I figured it would be best to start a separate discussion.

I've done a completely fresh install of ossec-hids-client-2.8.2 from pkg.freebsd.org and then simply changed the IP address to the correct server address in ossec.conf and then added the key using manage_agents.

Every time I start I get issues with permissions.

/usr/local/ossec-hids/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-execd already running...
2016/12/03 21:42:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
2016/12/03 21:42:11 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:11 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:19 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:19 ossec-rootcheck(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-syscheckd(1210): ERROR: Queue '/usr/local/ossec-hids/queue/ossec/queue' not accessible: 'Connection refused'.
2016/12/03 21:42:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/usr/local/ossec-hids/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start

This page: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html talks about checking that "ossec-analysisd" is running, but I can't see that file anywhere in the install location so my guess is it was removed and possibly merged into another binary.

Using tree, I checked all the permissions:

# tree -ugap /usr/local/ossec-hids/
/usr/local/ossec-hids/
|-- [drwx------ ossec    ossec   ]  .ssh
|-- [drwxr-xr-x root     ossec   ]  active-response
|   `-- [drwxr-xr-x root     ossec   ]  bin
|       |-- [-rwxr-xr-x root     wheel   ]  disable-account.sh
|       |-- [-rwxr-xr-x root     wheel   ]  firewall-drop.sh
|       |-- [-rwxr-xr-x root     wheel   ]  host-deny.sh
|       |-- [-rwxr-xr-x root     wheel   ]  ip-customblock.sh
|       |-- [-rwxr-xr-x root     wheel   ]  ipfw.sh
|       |-- [-rwxr-xr-x root     wheel   ]  ipfw_mac.sh
|       |-- [-rwxr-xr-x root     wheel   ]  ossec-tweeter.sh
|       |-- [-rwxr-xr-x root     wheel   ]  pf.sh
|       |-- [-rwxr-xr-x root     wheel   ]  restart-ossec.sh
|       `-- [-rwxr-xr-x root     wheel   ]  route-null.sh
|-- [drwxr-xr-x root     ossec   ]  agentless
|   |-- [-rwxr-x--- root     ossec   ]  main.exp
|   |-- [-rwxr-x--- root     ossec   ]  register_host.sh
|   |-- [-rwxr-x--- root     ossec   ]  ssh.exp
|   |-- [-rwxr-x--- root     ossec   ]  ssh_asa-fwsmconfig_diff
|   |-- [-rwxr-x--- root     ossec   ]  ssh_foundry_diff
|   |-- [-rwxr-x--- root     ossec   ]  ssh_generic_diff
|   |-- [-rwxr-x--- root     ossec   ]  ssh_integrity_check_bsd
|   |-- [-rwxr-x--- root     ossec   ]  ssh_integrity_check_linux
|   |-- [-rwxr-x--- root     ossec   ]  ssh_nopass.exp
|   |-- [-rwxr-x--- root     ossec   ]  ssh_pixconfig_diff
|   |-- [-rwxr-x--- root     ossec   ]  sshlogin.exp
|   `-- [-rwxr-x--- root     ossec   ]  su.exp
|-- [drwxr-xr-x root     ossec   ]  bin
|   |-- [-rwxr-x--- root     wheel   ]  agent-auth
|   |-- [-rwxr-x--- root     wheel   ]  manage_agents
|   |-- [-rwxr-x--- root     wheel   ]  ossec-agentd
|   |-- [-rwxr-x--- root     wheel   ]  ossec-control
|   |-- [-rwxr-x--- root     wheel   ]  ossec-execd
|   |-- [-rwxr-x--- root     wheel   ]  ossec-logcollector
|   |-- [-rwxr-x--- root     wheel   ]  ossec-lua
|   |-- [-rwxr-x--- root     wheel   ]  ossec-luac
|   |-- [-rwxr-x--- root     wheel   ]  ossec-syscheckd
|   `-- [-rwxr-x--- root     wheel   ]  util.sh
|-- [drwxr-xr-x root     ossec   ]  etc
|   |-- [-r--r----- root     ossec   ]  client.keys
|   |-- [-r--r----- root     ossec   ]  internal_options.conf
|   |-- [-rwxr-xr-x root     ossec   ]  ossec.conf
|   |-- [-rwxr-xr-x root     ossec   ]  ossec.conf.sample
|   `-- [drwxr-xr-x root     ossec   ]  shared
|       |-- [-rwxrwx--- root     ossec   ]  cis_debian_linux_rcl.txt
|       |-- [-rwxrwx--- root     ossec   ]  cis_rhel5_linux_rcl.txt
|       |-- [-rwxrwx--- root     ossec   ]  cis_rhel_linux_rcl.txt
|       |-- [-rwxrwx--- root     ossec   ]  rootkit_files.txt
|       |-- [-rwxrwx--- root     ossec   ]  rootkit_trojans.txt
|       |-- [-rwxrwx--- root     ossec   ]  system_audit_rcl.txt
|       |-- [-rwxrwx--- root     ossec   ]  win_applications_rcl.txt
|       |-- [-rwxrwx--- root     ossec   ]  win_audit_rcl.txt
|       `-- [-rwxrwx--- root     ossec   ]  win_malware_rcl.txt
|-- [drwxr-xr-x root     ossec   ]  logs
|   `-- [-rw-rw-r-- ossec    ossec   ]  ossec.log
|-- [drwxr-xr-x root     ossec   ]  queue
|   |-- [drwxr-xr-x root     ossec   ]  alerts
|   |   `-- [srw-rw---- root     ossec   ]  execq
|   |-- [drwxr-x--- ossec    ossec   ]  diff
|   |-- [drwxrwx--- ossec    ossec   ]  ossec
|   |   `-- [srw-rw---- ossec    ossec   ]  queue
|   |-- [drwxr-xr-x root     ossec   ]  rids
|   `-- [drwxr-xr-x root     ossec   ]  syscheck
|-- [drwxr-xr-x root     ossec   ]  tmp
`-- [drwxr-xr-x root     ossec   ]  var
    `-- [drwxr-xr-x root     ossec   ]  run
        |-- [-rw-r----- root     ossec   ]  ossec-execd-5576.pid
        `-- [-rw-r----- root     ossec   ]  ossec-logcollector-29444.pid

This is my server.conf:

<!-- OSSEC example config -->

<ossec_config>
  <client>
    <server-ip>10.0.64.2</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/system.log</location>
  </localfile>

</ossec_config>

I'm really at the point of giving up as I've spent weeks trying to get this working.

Can anyone point me in the right direction? 

dan (ddp)

Dec 3, 2016, 7:27:51 PM12/3/16
to ossec...@googlegroups.com


On Dec 3, 2016 4:54 PM, "Eponymous -" <the....@gmail.com> wrote:
This page: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html talks about checking that "ossec-analysisd" is running, but I can't see that file anywhere in the install location so my guess is it was removed and possibly merged into another binary.

That advice is for the server install or local install only.
Does it work if you compile from source?


Victor Fernandez

Dec 5, 2016, 4:13:16 AM12/5/16
to ossec...@googlegroups.com
Hello,

The "ossec/queue" file is actually a socket that ossec-agentd creates to allow Syscheck and Logcollector to send data. Then ossec-agentd delivers that data to the manager.

When you launched "/usr/local/ossec-hids/bin/ossec-control start", the application logged that ossec-execd was already running, but it didn't log that for ossec-agentd. This makes me think that there is an issue with the ossec-agentd program and, since it can't create the "ossec/queue" socket, no other program can continue working.

So, please make sure that a valid key is installed. For this, run

cat /usr/local/ossec-hids/etc/client.keys

There should be some content. If no such content is shown, reinstall the key (with manage_agents). If everything is OK, restart the complete OSSEC agent, wait for about a minute, check the logs related to ossec-agentd and check whether it's still running:

/usr/local/ossec-hids/bin/ossec-control restart
grep ossec-agentd /usr/local/ossec-hids/logs/ossec.log
/usr/local/ossec-hids/bin/ossec-control status

If, after restarting the OSSEC agent, you see an error with "grep", share it with us so we may help you. But if you don't see any error log, and "ossec-control status" says that ossec-agentd isn't running, this means that the program has crashed and then it would be interesting to reinstall it from sources with debugging features enabled and re-run it with the valgrind utility, in order to search for bugs.

Hope it helps.
Regards.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
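The checks described in the reply above, as an added diagnostic example that is not code from the thread or from the OSSEC project. It assumes the install layout shown in the first post (etc/client.keys, queue/ossec/queue, logs/ossec.log, var/run/ossec-agentd-<pid>.pid) and that the queue is a Unix datagram socket bound by ossec-agentd; the key, log lines and socket in demo() are constructed. Its main value is telling apart a queue socket that is missing, one that exists but has no ossec-agentd behind it (which is what yields 'Connection refused'), and one the calling user simply cannot connect to (a permission problem).

```python
"""Diagnose why OSSEC agent daemons report
"Queue '.../queue/ossec/queue' not accessible: 'Connection refused'".

Added example, not code from the thread or from the OSSEC project. Assumes the
install layout from the thread and that queue/ossec/queue is a Unix datagram
socket bound by ossec-agentd.
"""
import errno
import glob
import os
import re
import socket
import stat
import tempfile


def check_client_keys(path):
    """Return 'missing', 'empty', 'malformed' or 'ok'.
    A client.keys line has four fields: id name ip key."""
    if not os.path.isfile(path):
        return "missing"
    with open(path) as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if not lines:
        return "empty"
    if any(len(ln.split()) != 4 for ln in lines):
        return "malformed"
    return "ok"


def check_queue_socket(path):
    """Return 'missing', 'not-a-socket', 'listening', 'stale' or 'permission-denied'.
    'stale' = socket file exists but nothing is bound to it, which is exactly
    what makes syscheckd and rootcheck see ECONNREFUSED."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        return "listening"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "stale"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "permission-denied"
        raise
    finally:
        s.close()


def agentd_errors(log_text):
    """ossec.log lines where ossec-agentd itself logged ERROR or CRITICAL."""
    return [ln for ln in log_text.splitlines()
            if "ossec-agentd" in ln and ("ERROR" in ln or "CRITICAL" in ln)]


def agentd_process(run_dir):
    """Read var/run/ossec-agentd-<pid>.pid and test whether that pid still exists."""
    pids = []
    for p in glob.glob(os.path.join(run_dir, "ossec-agentd-*.pid")):
        m = re.search(r"-(\d+)\.pid$", p)
        if m:
            pids.append(int(m.group(1)))
    if not pids:
        return "no-pidfile"
    for pid in pids:
        try:
            os.kill(pid, 0)          # signal 0: existence check only, sends nothing
            return "running"
        except ProcessLookupError:
            continue
        except PermissionError:      # exists but belongs to another user
            return "running"
    return "dead"


def diagnose(base):
    """Run every check against an install prefix and attach a one-line verdict."""
    log_path = os.path.join(base, "logs", "ossec.log")
    log_text = open(log_path).read() if os.path.isfile(log_path) else ""
    r = {"client_keys": check_client_keys(os.path.join(base, "etc", "client.keys")),
         "queue": check_queue_socket(os.path.join(base, "queue", "ossec", "queue")),
         "agentd": agentd_process(os.path.join(base, "var", "run")),
         "agentd_errors": agentd_errors(log_text)}
    if r["client_keys"] != "ok":
        r["verdict"] = "client.keys is %s: re-import the key with manage_agents" % r["client_keys"]
    elif r["queue"] == "permission-denied":
        r["verdict"] = "queue socket is up but this user cannot connect: check owner/mode of queue/ossec"
    elif r["queue"] in ("missing", "stale") or r["agentd"] != "running":
        r["verdict"] = "ossec-agentd is not serving the queue: read its log lines, then rebuild with debugging"
    else:
        r["verdict"] = "agent components look healthy"
    return r


def demo():
    """Constructed fixture: temp prefix with a valid key, a log modelled on the
    thread, and a queue socket that is bound and then abandoned (stale)."""
    base = tempfile.mkdtemp()
    for sub in ("etc", "queue/ossec", "logs", "var/run"):
        os.makedirs(os.path.join(base, sub))
    with open(os.path.join(base, "etc", "client.keys"), "w") as fh:
        fh.write("001 freebsd-agent 10.0.64.10 " + "ab" * 32 + "\n")   # constructed key
    with open(os.path.join(base, "logs", "ossec.log"), "w") as fh:
        fh.write("2016/12/03 21:42:08 ossec-agentd: INFO: Using notify time: 600\n"
                 "2016/12/03 21:42:11 ossec-syscheckd(1210): ERROR: Queue not accessible\n")
    qpath = os.path.join(base, "queue", "ossec", "queue")
    before = diagnose(base)                         # no socket file yet
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(qpath)                                 # stand-in for ossec-agentd binding the queue
    live = diagnose(base)
    srv.close()                                     # daemon gone, socket file left behind
    after = diagnose(base)                          # the thread's symptom
    return {"missing": before["queue"], "listening": live["queue"],
            "stale": after["queue"], "verdict": after["verdict"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Run it as the ossec user (or root) against the real prefix with diagnose("/usr/local/ossec-hids") once ossec-agentd has been restarted; a 'stale' queue with an 'ossec-agentd' pid that is 'dead' or has no pid file is the crash case the reply describes, while 'permission-denied' points at the ownership and mode of queue/ossec rather than at the daemon.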