USB auditing


GeorgeY

Jul 22, 2011, 6:11:07 AM
to ossec-list
Hi,

I enabled USB auditing using the guide displayed in the following
link:
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage

It seems to be working well. However, I noticed one thing on Win2k-based
machines...
The OSSEC service fails to start when it is enabled...
Here is what is shown in the ossec.log on the Win2k machine

ossec-agent: ERROR: Unable to execute command: 'reg QUERY HKLM\SYSTEM\CurrentControlSetEnum\USBSTOR'.

I am guessing Win2k machines do not have this key. However, is there a
way to make it ignore if the key doesn't exist so that the OSSEC
service can continue to start?

Or do I need to specify another class of OS type in my agent.conf?
i.e. <agent_config os="Windows 2000">

Thanks in advance.
George

Michael Starks

Jul 22, 2011, 10:41:47 AM
to ossec...@googlegroups.com
On Fri, 22 Jul 2011 03:11:07 -0700 (PDT), GeorgeY wrote:

> ossec-agent: ERROR: Unable to execute command: 'reg QUERY HKLM\SYSTEM\CurrentControlSetEnum\USBSTOR'.
>
> I am guessing Win2k machines do not have this key. However, is there a
> way to make it ignore if the key doesn't exist so that the OSSEC
> service can continue to start?

Untested, but this may work to stop it from executing on Windows 2000:

ver | find "Windows 2000" >nul || reg QUERY HKLM\SYSTEM\CurrentControlSetEnum\USBSTOR

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
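
Michael's guard placed into the agent.conf stanza from the linked OSSEC guide, as an added example that is not from this thread or from the OSSEC project. It assumes the registry path used by the linked documentation, that the `os` attribute George mentions substring-matches the OS string a Windows agent reports, and (like Michael's one-liner) that the agent runs the command through cmd.exe so `|` and `||` behave as expected:

```xml
<!-- Added example: full_command monitoring of attached USB storage,
     scoped to Windows agents and guarded so the query is skipped on
     Windows 2000, where the key may not exist and the agent fails. -->
<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <!-- Unguarded form from the OSSEC guide, which fails where the key is absent:
         <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command> -->
    <!-- Guarded form: 'ver' prints the OS banner ("Microsoft Windows 2000 [Version 5.00.2195]"
         on Win2k). There 'find' succeeds, so '||' short-circuits and reg is never run;
         on newer Windows 'find' fails and reg QUERY runs exactly as in the guide. -->
    <command>ver | find "Windows 2000" >nul || reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>
</agent_config>
```

With full_command the agent ships the whole query output each run, so the server-side rule fires on any change in the USBSTOR subtree, i.e. on a newly attached storage device.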

Daniel Cid

Jul 22, 2011, 10:35:57 AM
to ossec...@googlegroups.com
It shouldn't cause any issues to the agent, besides the warning. Is it
crashing after that error?

Thanks,

GeorgeY

Jul 24, 2011, 10:38:32 PM
to ossec-list
Hi Dan,

Yes, it crashes after that error. I get a pop-up on the Windows
machine stating something along the lines of "OSSEC has detected an
error and has failed to start". After that error in ossec.log, the
program "crashes" and I don't see it connected on the server either.
This behavior seems to be common across all Win2k machines. Any ideas?

Thanks!
George

On Jul 22, 10:35 pm, Daniel Cid <daniel....@gmail.com> wrote:
> It shouldn't cause any issues to the agent, besides the warning. Is it
> crashing after that error?
>
> Thanks,
>
> On Fri, Jul 22, 2011 at 7:11 AM, GeorgeY <george....@gmail.com> wrote:
> > Hi,
>
> > I enabled USB auditing using the guide displayed in the following
> > link:
> >http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#de...

GeorgeY

Jul 31, 2011, 11:55:04 PM
to ossec-list
Hi Dan/all,

Has anyone faced the same issue, and are there any resolution tips?

Thanks,
George

blacklight

Aug 1, 2011, 9:39:32 AM
to ossec-list
I haven't had to face that issue, but here is my advice: either go into
regedit and search for the key, or from the domain controller run

psexec \\agenthost reg QUERY HKLM\SYSTEM\CurrentControlSetEnum\USBSTOR

where \\agenthost is whatever the host name is for the host where the
OSSEC agent is installed.

Investigate any error message that is generated from running this
command and let us know the results of your investigation. Yeah, we
are still in fact-gathering mode.