Unable to disable active-response using group config


Seth Friederich

May 24, 2023, 1:44:29 PM
to Wazuh mailing list
Hello,

I am using the built-in firewall-drop active response, and it's working very well. I am attempting to disable active-response for specific agents using the centralized configuration. For example, if I create a group with the following config:

<agent_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>

I can see that the agent picks up the change, but the active response still takes place. If I directly edit the /var/ossec/etc/ossec.conf file like this:

  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
    <ca_store>etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

Then the response is disabled as expected, nothing shows in the active-responses.log file. I have checked the agent's /var/ossec/etc/local_internal_options.conf and confirmed agent.remote_conf=0 is not set. Any recommendations on what to check next?

Jörg Schin.

Jun 4, 2023, 7:53:25 AM
to Wazuh mailing list
Hey Seth,
Still facing this problem? I had the same problem for some weeks. I minimized the client ossec.conf to the server-config/config-profile/crypto_method/enrollment tags, so I can customize every client via the group options.
Everything works great, but the Active Response gave me a real pain in the a..

My Setup:
Groups Manager Site:
/var/ossec/etc/shared/ar-true/agent.conf
<agent_config>
  <!-- Active response enabled-->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem location</ca_store>
    <ca_verification>yes</ca_verification>
    <repeated_offenders>Your Repeat Options</repeated_offenders>
  </active-response>
</agent_config>

/var/ossec/etc/shared/ar-false/agent.conf

<agent_config>

  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
    <ca_store>etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>
</agent_config>

/var/ossec/etc/local_internal_options.conf
logcollector.remote_commands=1
wazuh_command.remote_commands=1
sca.remote_commands=1

I always have a second terminal open and tail -f the agent's /var/ossec/logs/ossec.log to see if the client is restarting.
Check that the agent is only in one of the groups, to avoid overlapping AR configurations. Check that the .pem and .key on agent and client match, in case you are working with a dev environment.
I noticed the AR issue by checking the agent.conf in /var/ossec/etc/shared/agent.conf.
If working with centralized configuration, always check /var/ossec/etc/shared/agent.conf and not /var/ossec/etc/ossec.conf.
Every group needs to be in a single <agent_config></agent_config> section. In my fixed case the files look like this:

<!-- Source file: default/agent.conf -->
<agent_config>
  <!-- Random Group Configuration -->
</agent_config>
<agent_config>

  <!-- Random Group Configuration -->
</agent_config>
<!-- Source file: ar-true/agent.conf -->
  <agent_config>

    <!-- Active response -->
    <active-response>
      <disabled>no</disabled>
      <ca_store>wpk_root.pem location</ca_store>
      <ca_verification>yes</ca_verification>
    <repeated_offenders>Your Repeat Options</repeated_offenders>
    </active-response>
  </agent_config>
<!-- Source file: default/agent.conf -->
<agent_config>
  <!-- Random Group Configuration -->
</agent_config>

<!-- Source file: default/agent.conf -->
<agent_config>
  <!-- Random Group Configuration -->
</agent_config>
<agent_config>

  <!-- Random Group Configuration -->
</agent_config>
<!-- Source file: ar-false/agent.conf -->
  <agent_config>
    <!-- Active response -->
    <active-response>
      <disabled>yes</disabled>
      <ca_store>wpk_root.pem location</ca_store>
      <ca_verification>yes</ca_verification>
    <repeated_offenders>Your Repeat Options</repeated_offenders>
    </active-response>
  </agent_config>
<!-- Source file: default/agent.conf -->
<agent_config>
  <!-- Random Group Configuration -->
</agent_config>

Have a look at the /var/ossec/etc/shared/ar.conf file.
If you can see the line
firewall-drop300 - firewall-drop - 300
Active Response is still enabled!
I guess your problem is the same as I had and you messed up the shared/agent.conf like this:

<agent_config>
  <!-- Random Group Configuration -->
</agent_config>
<!-- Source file: ar-false/agent.conf -->
<!-- this line is not in the config  <agent_config> -->
    <!-- Active response -->
    <active-response>
      <disabled>yes</disabled>
      <ca_store>wpk_root.pem location</ca_store>
      <ca_verification>yes</ca_verification>
    <repeated_offenders>Your Repeat Options</repeated_offenders>
    </active-response>
  </agent_config>


Hope it will help fixing your problems :)
Greez
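Both posts above come down to the same question: what does the merged shared agent.conf actually say about active-response for each group, and is every section well-formed? The script below is an added example (not from the thread or from the Wazuh project) that splits a merged agent.conf on the `<!-- Source file: ... -->` markers the manager writes, checks that each chunk parses as one or more complete `<agent_config>` sections, and reports the `<active-response><disabled>` value each group sets. The sample input is constructed to mirror Jörg's broken layout, with the ar-false section missing its opening `<agent_config>` tag; the path and marker format are taken from the thread, and the `audit_shared_agent_conf` function name is this example's own.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a merged /var/ossec/etc/shared/agent.conf, modelled on the
# thread: the ar-false chunk is missing its opening <agent_config> tag.
MERGED_AGENT_CONF = """\
<!-- Source file: default/agent.conf -->
<agent_config>
  <!-- Random Group Configuration -->
</agent_config>
<!-- Source file: ar-true/agent.conf -->
<agent_config>
  <!-- Active response enabled -->
  <active-response>
    <disabled>no</disabled>
    <ca_verification>yes</ca_verification>
  </active-response>
</agent_config>
<!-- Source file: ar-false/agent.conf -->
    <active-response>
      <disabled>yes</disabled>
    </active-response>
  </agent_config>
"""

# Marker the manager emits in front of each group's contribution.
SOURCE_MARKER = re.compile(r"<!--\s*Source file:\s*(\S+)\s*-->")


def split_by_source(text):
    """Return [(source_file, chunk_text), ...] in file order."""
    parts = SOURCE_MARKER.split(text)          # [preamble, name1, chunk1, name2, chunk2, ...]
    chunks = []
    if parts[0].strip():
        chunks.append(("(no source marker)", parts[0]))
    for i in range(1, len(parts), 2):
        chunks.append((parts[i], parts[i + 1]))
    return chunks


def check_chunk(chunk):
    """Parse one chunk and describe its <agent_config> sections and AR setting."""
    try:
        # Wrap in a throwaway root so several sibling <agent_config> elements parse.
        root = ET.fromstring("<root>" + chunk + "</root>")
    except ET.ParseError as exc:
        # A missing/extra tag (Jörg's case) surfaces here as a mismatched-tag error.
        return {"well_formed": False, "error": str(exc), "sections": 0, "ar_disabled": None}

    sections = root.findall("agent_config")
    stray = [child.tag for child in root if child.tag != "agent_config"]
    ar_disabled = None
    for section in sections:
        node = section.find("active-response/disabled")
        if node is not None:
            ar_disabled = (node.text or "").strip()
    return {
        "well_formed": not stray,
        "error": ("elements outside <agent_config>: " + ", ".join(stray)) if stray else None,
        "sections": len(sections),
        "ar_disabled": ar_disabled,
    }


def audit_shared_agent_conf(text):
    """Return [(source_file, result_dict), ...] for every chunk in the merged file."""
    return [(src, check_chunk(chunk)) for src, chunk in split_by_source(text)]


if __name__ == "__main__":
    # Pass a real path (e.g. /var/ossec/etc/shared/agent.conf) to audit it; with no
    # argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MERGED_AGENT_CONF
    for src, res in audit_shared_agent_conf(text):
        status = "OK" if res["well_formed"] else "MALFORMED (" + res["error"] + ")"
        print(f"{src}: {status}, {res['sections']} agent_config section(s), "
              f"active-response disabled={res['ar_disabled']}")
```

Run against the sample, the default and ar-true chunks report as well-formed (ar-true with `disabled=no`) and the ar-false chunk is flagged as malformed, which is exactly the sign Jörg describes. Note that a clean merged file only tells you what the groups request; as Seth's follow-up confirms, the manager may still not honour `<disabled>` from centralized configuration, so the local ossec.conf remains the place to verify the effective setting.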

Seth Friederich

Jun 5, 2023, 2:48:29 PM
to Wazuh mailing list
Hello Jörg,

Thank you for your comments! I had opened an issue for this as well, and they clarified that this isn't expected to work from central config. I only have a few agents I need to disable this on, so I'm just modifying the local agent's ossec.conf file.

Thanks again.