ossec-authd "-i" option


gkspranger

Aug 5, 2014, 7:26:22 PM
to ossec...@googlegroups.com
hi there !!

i promise i searched the intertubes for examples of this -- but are there any good examples out there related to ossec-authd's "-i" option ??


the only real examples i am seeing are related to creating the cert and starting the service using the "-p" option -- for example:


but i would like to learn more about how to limit which agents can connect and register .. for example -- can you do entire subnets ?? or are you defining only ONE IP address that is allowed to connect and register ??

your help/examples are super appreciated ..

thanks,
greg

dan (ddp)

Aug 6, 2014, 7:40:46 AM
to ossec...@googlegroups.com
Have you tried running it with the -i flag? `/var/ossec/bin/ossec-authd -i`?

> thanks,
> greg

gkspranger

Aug 7, 2014, 11:40:56 AM
to ossec...@googlegroups.com
i did .. but that really doesn't tell me anything -- it just runs .. and like i said, i am just looking for some documentation about expected behavior and hopefully even an example or two ..


thanks,
greg

Nick Turley

Aug 7, 2014, 5:23:00 PM
to ossec...@googlegroups.com
I just tested this in a vagrant environment. On the OSSEC server, I ran:

/var/ossec/bin/ossec-authd -i -p 1515

On my Ubuntu tests box, I ran:

./agent-auth -m 192.168.20.25 -p 1515

Now, when I run ./agent-control -l or ./manage_agents -l I see:

Available agents:
   ID: 001, Name: test.ucr.edu, IP: 138.23.1.1
   ID: 1047, Name: wheeze.ucr.edu, IP: any
   ID: 1048, Name: centsx64.ucr.edu, IP: any
   ID: 1049, Name: wheeze, IP: 192.168.20.20

You can see agent ID 1049 now includes the IP. ID 1048 (CentOS box) was registered prior to running ossec-authd with the -i argument. Hope this helps.

dan (ddp)

Aug 8, 2014, 7:53:30 AM
to ossec...@googlegroups.com
On Thu, Aug 7, 2014 at 5:23 PM, Nick Turley <nickt...@gmail.com> wrote:
> I just tested this in a vagrant environment. On the OSSEC server, I ran:
>
> /var/ossec/bin/ossec-authd -i -p 1515
>
> On my Ubuntu tests box, I ran:
>
> ./agent-auth -m 192.168.20.25 -p 1515
>
> Now, when I run ./agent-control -l or ./manage_agents -l I see:
>
> Available agents:
> ID: 001, Name: test.ucr.edu, IP: 138.23.1.1
> ID: 1047, Name: wheeze.ucr.edu, IP: any
> ID: 1048, Name: centsx64.ucr.edu, IP: any
> ID: 1049, Name: wheeze, IP: 192.168.20.20
>
> You can see agent ID 1049 now includes the IP. ID 1048 (CentOS box) was
> registered prior to running ossec-authd with the -i argument. Hope this
> helps.
>

So the question is, what about this really needs to be documented?
I'll do the work (since I don't think greg is interested in
contributing), but I don't know what about this needs to be in
writing.

Gregory K. Spranger

Aug 8, 2014, 9:32:06 AM
to ossec...@googlegroups.com
haha -- zing !! nice one dan ;-) i figured out what i was looking for ..

have a great friday !!

greg

dan (ddp)

Aug 8, 2014, 9:35:57 AM
to ossec...@googlegroups.com
On Fri, Aug 8, 2014 at 9:29 AM, Gregory K. Spranger <gr...@spranger.us> wrote:
> haha -- zing !! nice one dan ;-) i figured out what i was looking for ..
>

Actually I'm completely serious. If people have questions about this
that can be answered in the documentation, I'd love to add it. I just
don't understand what needs to be further documented, probably because
of my closeness to the project and the amount of time I've been using
it.

Gregory K. Spranger

Aug 8, 2014, 9:54:31 AM
to ossec...@googlegroups.com
ok .. well maybe i should have explained more of what i hoped to do,
but cannot decipher whether or not this is possible .. here is the
doc:

http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html

it talks about options -- specifically the "-i" option -- which
states: "Add agents with a specific IP address instead of using any."
well, i figured out what "any" is simply by trial and error .. what i
don't/didn't understand simply was HOW TO DEFINE agents with specific
IP addresses .. BUT -- what i would REALLY like to do/was hoping for
is just to define a subnet (10.159.3.0/24) and not have to worry about
the specifics ..

so in my journey, while i knew about client.keys before, it wasn't
clear to me this is where i should define these agents with specific
IP addresses .. and yes, while better than doing
server-export/agent-import manually, it would be really sexy if i
could just define above subnet and not worry about the rest ..

anyway -- really didn't want to stir any trouble within the group --
being i am literally 3 days old in it ;-P but at the same time -- i am
too dense on ossec to just "know" what "-i" is and what it means and
where the defined agents with IP addresses should go -- which is why i
asked, hence the tit-for-tat we are in now ..

thanks and have a great weekend,
greg
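
Added example, not part of the thread or of OSSEC: a small audit over the `manage_agents -l` listing format Nick posted, flagging agents whose key is still registered with IP `any` and checking the rest against an expected enrollment range such as the subnet greg mentions. The function name, the verdict labels and the handling of a CIDR value in the IP field are assumptions of this example.

```python
import ipaddress
import re

# Listing format as shown in the thread (output of manage_agents -l).
AGENT_LINE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(\S+),\s*IP:\s*(\S+)")

# Sample input: the listing quoted in the thread, embedded so this runs offline.
SAMPLE_LISTING = """\
Available agents:
   ID: 001, Name: test.ucr.edu, IP: 138.23.1.1
   ID: 1047, Name: wheeze.ucr.edu, IP: any
   ID: 1048, Name: centsx64.ucr.edu, IP: any
   ID: 1049, Name: wheeze, IP: 192.168.20.20
"""


def audit_agents(listing, expected_cidr):
    """Return (id, name, ip, verdict) for every agent line in the listing."""
    expected = ipaddress.ip_network(expected_cidr)
    results = []
    for line in listing.splitlines():
        m = AGENT_LINE.search(line)
        if not m:
            continue  # header or blank line
        agent_id, name, ip = m.groups()
        if ip.lower() == "any":
            # Registered without -i: the key is not bound to a source address.
            verdict = "unrestricted"
        else:
            try:
                # Assumption: the field holds one address or a CIDR range.
                net = ipaddress.ip_network(ip, strict=False)
            except ValueError:
                verdict = "unparseable"
            else:
                same_family = net.version == expected.version
                inside = same_family and net.subnet_of(expected)
                verdict = "in-range" if inside else "out-of-range"
        results.append((agent_id, name, ip, verdict))
    return results


if __name__ == "__main__":
    for row in audit_agents(SAMPLE_LISTING, "192.168.20.0/24"):
        print("{:>5} {:<20} {:<16} {}".format(*row))
```
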

dan (ddp)

Aug 11, 2014, 12:53:37 PM
to ossec...@googlegroups.com
On Fri, Aug 8, 2014 at 9:53 AM, Gregory K. Spranger <gr...@spranger.us> wrote:
> ok .. well maybe i should have explained more of what i hoped to do,
> but cannot decipher whether or not this is possible .. here is the
> doc:
>
> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html
>
> it talks about options -- specifically the "-i" option -- which
> states: "Add agents with a specific IP address instead of using any."
> well, i figured out what "any" is simply by trial and error .. what i

I thought that "any" was mentioned in some part of the managing agents
documentation, but I'll double check.

> don't/didn't understand simply was HOW TO DEFINE agents with specific
> IP addresses .. BUT -- what i would REALLY like to do/was hoping for

If you want to define the agents, you'd be looking at the wrong thing.
ossec-authd makes it so you don't have to define the agents.

> is just to define a subnet (10.159.3.0/24) and not have to worry about
> the specifics ..
>
> so in my journey, while i knew about client.keys before, it wasn't
> clear to me this is where i should define these agents with specific
> IP addresses .. and yes, while better than doing
> server-export/agent-import manually, it would be really sexy if i
> could just define above subnet and not worry about the rest ..
>
> anyway -- really didn't want to stir any trouble within the group --
> being i am literally 3 days old in it ;-P but at the same time -- i am
> too dense on ossec to just "know" what "-i" is and what it means and
> where the defined agents with IP addresses should go -- which is why i
> asked, hence the tit-for-tat we are in now ..
>

Thanks for the info. I think this will help me make the documentation
more clear.
Having used OSSEC for so long, it's sometimes difficult for me to
write documentation that is accessible to newer users. I make a lot of
assumptions that I shouldn't, so I definitely appreciate the detailed
feedback.