
[ossec-list] issue with installing ossec agent




Hi,

I tried to install OSSEC in agent mode on a Debian machine,
with only the rootkit module (I said 'no' to the system
integrity module). After importing a key from the server, I
started OSSEC and got the following warnings:

,--------
| # /etc/init.d/ossec start
| Starting OSSEC HIDS v1.1 (by Daniel B. Cid)...
| 2007/04/13 16:16:05 ossec-syscheckd(1702): No directory provided for 'directories' element.
| Started ossec-execd...
| Started ossec-agentd...
| Started ossec-logcollector...
| 2007/04/13 16:16:05 ossec-syscheckd(1702): No directory provided for 'directories' element.
| 2007/04/13 16:16:05 ossec-syscheckd: Syscheck disabled.
| Exiting.
| Started ossec-syscheckd...
| Completed.
`--------

and 'ps ax' shows

,--------
| 13673 ?        S      0:00 /opt/ossec/bin/ossec-agentd
| 13677 ?        S      0:00 /opt/ossec/bin/ossec-logcollector
`--------

I have 2 questions please:

- during installation I didn't see an option not to install
  the log monitoring module. Is there a way to leave out
  that module, or is it always required?

- since ossec-syscheckd is not running, I am not sure whether
  the rootkit module is being activated. How can I verify
  it?


Thanks,
Thanh

PS: I wrote a little script to uninstall OSSEC in case one
needs to upgrade or reinstall it. I'm posting it here in case
someone finds it useful.

,--------
| #!/bin/sh
| # Remove an OSSEC installation made by install.sh on Debian.
| # DIRECTORY is read from /etc/ossec-init.conf, which the installer writes.
|
| if [ ! -r /etc/ossec-init.conf ]; then
|     echo "/etc/ossec-init.conf not found; is OSSEC installed?" >&2
|     exit 1
| fi
| . /etc/ossec-init.conf
|
| # Never run 'rm -rf' on an empty or root path.
| case "$DIRECTORY" in
|     ''|/) echo "Refusing to remove DIRECTORY='$DIRECTORY'" >&2; exit 1 ;;
| esac
|
| dirs="$DIRECTORY"
| # Collect only the init script and rc links that actually exist,
| # so a glob with no match does not produce 'ls' errors.
| files=""
| for f in /etc/init.d/ossec /etc/rc[0-9S].d/[SK][0-9][0-9]ossec; do
|     [ -e "$f" ] && files="$files $f"
| done
| users=`grep '^ossec' /etc/passwd | sed 's/:.*//'`
| groups=`grep '^ossec' /etc/group | sed 's/:.*//'`
|
| echo ""
| echo "I am going to remove the following:"
|
| echo ""
| echo ">>> Files:"
| for f in $files; do
|     ls -l "$f"
| done
|
| echo ""
| echo ">>> Directory:"
| for f in $dirs; do
|     ls -ld "$f"
| done
|
| echo ""
| echo ">>> Users:"
| echo $users
|
| echo ""
| echo ">>> Group:"
| echo $groups
|
| echo ""
| echo "If you have not backed up your config file(s), they will be lost forever!"
|
| # printf + read instead of 'read -p', which plain sh (dash) lacks.
| printf "Is this what you want (yes/no)? "
| read REPLY
| if [ "$REPLY" = "yes" ]; then
|     [ -x /etc/init.d/ossec ] && /etc/init.d/ossec stop
|     rm -f $files
|     rm -rf "$dirs"
|     for u in $users; do
|         deluser "$u"
|     done
|     # deluser may already have dropped a user's private group.
|     for g in $groups; do
|         getent group "$g" >/dev/null && delgroup "$g"
|     done
| fi
`--------
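As an added example, not part of Thanh's post or of the OSSEC project: a small POSIX sh checker for the two things the start-up log above touches on, a `<syscheck>` block that lists no `<directories>` (the cause of the "No directory provided" warning) and whether a `<rootcheck>` block is present and not disabled in ossec.conf. It assumes the install directory comes from /etc/ossec-init.conf (falling back to /var/ossec) and that ossec.conf keeps the stock one-element-per-line layout, which is all its grep/sed parsing handles; the sample configs in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the OSSEC project.
# Reports, from ossec.conf alone, whether syscheck lists any directories
# and whether rootcheck is configured and not disabled.
# Assumptions: DIRECTORY comes from /etc/ossec-init.conf (fallback
# /var/ossec); ossec.conf uses the stock one-element-per-line layout.

ossec_conf_path() {
    DIRECTORY=/var/ossec
    [ -r /etc/ossec-init.conf ] && . /etc/ossec-init.conf
    echo "$DIRECTORY/etc/ossec.conf"
}

# block_text FILE TAG: print the lines from <TAG> through </TAG>.
block_text() {
    [ -r "$1" ] || return 1
    sed -n "/<$2>/,/<\/$2>/p" "$1"
}

# block_enabled FILE TAG: succeed when <TAG> exists and does not
# contain <disabled>yes</disabled>.
block_enabled() {
    text=$(block_text "$1" "$2") || return 1
    [ -n "$text" ] || return 1
    if printf '%s\n' "$text" | grep -q '<disabled>[[:space:]]*yes'; then
        return 1
    fi
    return 0
}

# syscheck_has_directories FILE: succeed when <syscheck> holds at least
# one <directories> element with a non-blank value.
syscheck_has_directories() {
    block_text "$1" syscheck |
        grep -q '<directories[^>]*>[^<]*[^<[:space:]][^<]*</directories>'
}

# report FILE: one status line per module.
report() {
    if block_enabled "$1" syscheck; then
        if syscheck_has_directories "$1"; then
            echo "syscheck: enabled, directories configured"
        else
            echo "syscheck: enabled but no <directories>; expect 'No directory provided'"
        fi
    else
        echo "syscheck: disabled or absent"
    fi
    if block_enabled "$1" rootcheck; then
        echo "rootcheck: configured"
    else
        echo "rootcheck: disabled or absent"
    fi
}

# Usage: check-ossec-conf.sh [path/to/ossec.conf]
if [ $# -gt 0 ]; then
    report "$1"
else
    report "$(ossec_conf_path)"
fi
```

Run it with no argument on the agent to check the live config, or pass a path to inspect a copy. It only tells you what the config asks for, not what is running; the `ps ax` listing above remains the check for which daemons actually stayed up.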




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.