ossec-authd "-i" option
161 views
Skip to first unread message
gkspranger
Aug 5, 2014, 7:26:22 PM8/5/14
to ossec...@googlegroups.com
hi there !!
i promise i searched the intertubes for examples of this -- but are there any good examples out there related to ossec-authd's "-i" option ??
the only real examples i am seeing are related to creating the cert and starting the service using the "-p" option -- for example:
but i would like to learn more about how to limit which agents can connect and register .. for example -- can you do entire subnets ?? or are you defining only ONE IP address that is allowed to connect and register ??
your help/examples are super appreciated ..
thanks,
greg
dan (ddp)
Aug 6, 2014, 7:40:46 AM8/6/14
to ossec...@googlegroups.com
> thanks,
> greg
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
gkspranger
Aug 7, 2014, 11:40:56 AM8/7/14
to ossec...@googlegroups.com
i did .. but that really doesn't tell me anything -- it just runs .. and like i said, i am just looking for some documentation about expected behavior and hopefully even an example or two ..
thanks,
greg
Nick Turley
Aug 7, 2014, 5:23:00 PM8/7/14
to ossec...@googlegroups.com
I just tested this in a vagrant environment. On the OSSEC server, I ran:
/var/ossec/bin/ossec-authd -i -p 1515
On my Ubuntu tests box, I ran:
./agent-auth -m 192.168.20.25 -p 1515
Now, when I run ./agent-control -l or ./manage_agents -l I see:
Available agents:
  ID: 001, Name: test.ucr.edu, IP: 138.23.1.1
  ID: 1047, Name: wheeze.ucr.edu, IP: any
  ID: 1048, Name: centsx64.ucr.edu, IP: any
  ID: 1049, Name: wheeze, IP: 192.168.20.20
You can see agent ID 1049 now includes the IP. ID 1048 (CentOS box) was registered prior to running ossec-authd with the -i argument. Hope this helps.
dan (ddp)
Aug 8, 2014, 7:53:30 AM8/8/14
to ossec...@googlegroups.com
On Thu, Aug 7, 2014 at 5:23 PM, Nick Turley <nickt...@gmail.com> wrote:
> I just tested this in a vagrant environment. On the OSSEC server, I ran:
>
> /var/ossec/bin/ossec-authd -i -p 1515
>
> On my Ubuntu tests box, I ran:
>
> ./agent-auth -m 192.168.20.25 -p 1515
>
> Now, when I run ./agent-control -l or ./manage_agents -l I see:
>
> Available agents:
> ID: 001, Name: test.ucr.edu, IP: 138.23.1.1
> ID: 1047, Name: wheeze.ucr.edu, IP: any
> ID: 1048, Name: centsx64.ucr.edu, IP: any
> ID: 1049, Name: wheeze, IP: 192.168.20.20
>
> You can see agent ID 1049 now includes the IP. ID 1048 (CentOS box) was
> registered prior to running ossec-authd with the -i argument. Hope this
> helps.
>
So the question is, what about this really needs to be documented?
> I just tested this in a vagrant environment. On the OSSEC server, I ran:
>
> /var/ossec/bin/ossec-authd -i -p 1515
>
> On my Ubuntu tests box, I ran:
>
> ./agent-auth -m 192.168.20.25 -p 1515
>
> Now, when I run ./agent-control -l or ./manage_agents -l I see:
>
> Available agents:
> ID: 001, Name: test.ucr.edu, IP: 138.23.1.1
> ID: 1047, Name: wheeze.ucr.edu, IP: any
> ID: 1048, Name: centsx64.ucr.edu, IP: any
> ID: 1049, Name: wheeze, IP: 192.168.20.20
>
> You can see agent ID 1049 now includes the IP. ID 1048 (CentOS box) was
> registered prior to running ossec-authd with the -i argument. Hope this
> helps.
>
I'll do the work (since I don't think greg is interested in
contributing), but I don't know what about this needs to be in
writing.
Gregory K. Spranger
Aug 8, 2014, 9:32:06 AM8/8/14
to ossec...@googlegroups.com
haha -- zing !! nice one dan ;-) i figured out what i was looking for ..
have a great friday !!
greg
> You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/kgpVimE3dqU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
have a great friday !!
greg
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/kgpVimE3dqU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
dan (ddp)
Aug 8, 2014, 9:35:57 AM8/8/14
to ossec...@googlegroups.com
On Fri, Aug 8, 2014 at 9:29 AM, Gregory K. Spranger <gr...@spranger.us> wrote:
> haha -- zing !! nice one dan ;-) i figured out what i was looking for ..
>
Actually I'm completely serious. If people have questions about this
> haha -- zing !! nice one dan ;-) i figured out what i was looking for ..
>
that can be answered in the documentation, I'd love to add it. I just
don't understand what needs to be further documented, probably because
of my closeness to the project and the amount of time I've been using
it.
Gregory K. Spranger
Aug 8, 2014, 9:54:31 AM8/8/14
to ossec...@googlegroups.com
ok .. well maybe i should have explained more of what i hoped to do,
but cannot decipher whether or not this is possible .. here is the
doc:
http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html
it talks about options -- specifically the "-i" option -- which
states: "Add agents with a specific IP address instead of using any."
well, i figured out what "any" is simply by trial and error .. what i
don't/didn't understand simply was HOW TO DEFINE agents with specific
IP addresses .. BUT -- what i would REALLY like to do/was hoping for
is just to define a subnet (10.159.3.0/24) and not have to worry about
the specifics ..
so in my journey, while i knew about client.keys before, it wasn't
clear to me this is where i should define these agents with specific
IP addresses .. and yes, while better than doing
server-export/agent-import manually, it would be really sexy if i
could just define above subnet and not worry about the rest ..
anyway -- really didn't want to stir any trouble within the group --
being i am literally 3 days old in it ;-P but at the same time -- i am
too dense on ossec to just "know" what "-i" is and what it means and
where the defined agents with IP addresses should go -- which is why i
asked, hence the tit-for-tat we are in now ..
thanks and have a great weekend,
greg
but cannot decipher whether or not this is possible .. here is the
doc:
http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html
it talks about options -- specifically the "-i" option -- which
states: "Add agents with a specific IP address instead of using any."
well, i figured out what "any" is simply by trial and error .. what i
don't/didn't understand simply was HOW TO DEFINE agents with specific
IP addresses .. BUT -- what i would REALLY like to do/was hoping for
is just to define a subnet (10.159.3.0/24) and not have to worry about
the specifics ..
so in my journey, while i knew about client.keys before, it wasn't
clear to me this is where i should define these agents with specific
IP addresses .. and yes, while better than doing
server-export/agent-import manually, it would be really sexy if i
could just define above subnet and not worry about the rest ..
anyway -- really didn't want to stir any trouble within the group --
being i am literally 3 days old in it ;-P but at the same time -- i am
too dense on ossec to just "know" what "-i" is and what it means and
where the defined agents with IP addresses should go -- which is why i
asked, hence the tit-for-tat we are in now ..
thanks and have a great weekend,
greg
dan (ddp)
Aug 11, 2014, 12:53:37 PM8/11/14
to ossec...@googlegroups.com
On Fri, Aug 8, 2014 at 9:53 AM, Gregory K. Spranger <gr...@spranger.us> wrote:
> ok .. well maybe i should have explained more of what i hoped to do,
> but cannot decipher whether or not this is possible .. here is the
> doc:
>
> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html
>
> it talks about options -- specifically the "-i" option -- which
> states: "Add agents with a specific IP address instead of using any."
> well, i figured out what "any" is simply by trial and error .. what i
I thought that "any" was mentioned in some part of the managing agents
> ok .. well maybe i should have explained more of what i hoped to do,
> but cannot decipher whether or not this is possible .. here is the
> doc:
>
> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html
>
> it talks about options -- specifically the "-i" option -- which
> states: "Add agents with a specific IP address instead of using any."
> well, i figured out what "any" is simply by trial and error .. what i
documentation, but I'll double check.
> don't/didn't understand simply was HOW TO DEFINE agents with specific
> IP addresses .. BUT -- what i would REALLY like to do/was hoping for
ossec-authd makes it so you don't have to define the agents.
> is just to define a subnet (10.159.3.0/24) and not have to worry about
> the specifics ..
>
> so in my journey, while i knew about client.keys before, it wasn't
> clear to me this is where i should define these agents with specific
> IP addresses .. and yes, while better than doing
> server-export/agent-import manually, it would be really sexy if i
> could just define above subnet and not worry about the rest ..
>
> anyway -- really didn't want to stir any trouble within the group --
> being i am literally 3 days old in it ;-P but at the same time -- i am
> too dense on ossec to just "know" what "-i" is and what it means and
> where the defined agents with IP addresses should go -- which is why i
> asked, hence the tit-for-tat we are in now ..
>
more clear.
Having used OSSEC for so long, it's sometimes difficult for me to
write documentation that is accessible to newer users. I make a lot of
assumptions that I shouldn't, so I definitely appreciate the detailed
feedback.
Reply all
Reply to author
Forward
0 new messages