Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Event 1002 - dominate event
Posted: Wed Mar 07, 2018 3:41 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
Newbie here... Trying to understand the various events in the event log and notice that the dominating event is 1002. Did a report and have found the following types of causes:

WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory
...etc...

AND..

ERROR: Invalid integrity message in the database.

There are 326 pages of these for a single day...

There is a folder at /etc/asl/whitelist that contains my whitelist settings but there are no other files or folders as indicated in the error message. As far as the integrity message.. the dominant event in the log is "550 : Integrity checksum changed" which may or may not be related. Most all of those that I examined related to changing of various ASL property file settings. For example "Integrity checksum changed for: `/etc/asl/system.properties`" is one of the most common.

Any pointers on how to clean these up?? Seems I can't see the forest for the trees and am concerned that I'll be missing more important issues with respect to being attacked.

Thanks.. John..


 Post subject: Re: Event 1002 - dominate event
Posted: Wed Mar 07, 2018 4:10 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Are you in a position to try our testing builds?

yum --enablerepo=asl-4.0-testing upgrade ossec-hids


 Post subject: Re: Event 1002 - dominate event
Posted: Wed Mar 07, 2018 7:10 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
scott wrote:
Are you in a position to try our testing builds?

yum --enablerepo=asl-4.0-testing upgrade ossec-hids


Well, this is a production server so, I'm assuming that would not be advisable.

Any other suggestions??


 Post subject: Re: Event 1002 - dominate event
Posted: Fri Mar 09, 2018 6:32 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
This build will go into stable next week.

We have determined though that isn't a bug, those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will suppress this message.

_________________
Michael Shinn
Atomicorp - Security For Everyone
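
The triage asked for in the first post, given the explanation above that the `whitelist.NNNNNNNNN` paths are short-lived files: collapse the numeric suffix so the repeats group into one line and the low-volume events become visible. This is an added example, not part of the thread and not Atomicorp's code; the `rule_id|message` layout and the rule id 9999 line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the messages quoted in the first post.
# The "rule_id|message" layout is an assumption, not an ASL export format.
SAMPLE = """\
1002|WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory
1002|WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory
1002|WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory
1002|ERROR: Invalid integrity message in the database.
550|Integrity checksum changed for: `/etc/asl/system.properties`
550|Integrity checksum changed for: `/etc/asl/system.properties`
9999|(constructed) login failure for root from 203.0.113.7
"""

# The transient names differ only in the numeric suffix after "whitelist.".
TMP_SUFFIX = re.compile(r"(/etc/asl/whitelist)\.\d+")


def normalise(message):
    """Collapse the per-file numeric suffix so repeats group together."""
    return TMP_SUFFIX.sub(r"\1.<N>", message.strip())


def summarise(text):
    """Count events per (rule id, normalised message)."""
    counts = Counter()
    for line in text.splitlines():
        if "|" not in line:
            continue  # skip blank or malformed lines
        rule_id, message = line.split("|", 1)
        counts[(rule_id.strip(), normalise(message))] += 1
    return counts


def low_volume(text, max_count=1):
    """Events seen at most max_count times: the ones the noise buries."""
    return sorted(k for k, n in summarise(text).items() if n <= max_count)


if __name__ == "__main__":
    for (rule_id, message), n in summarise(SAMPLE).most_common():
        print(f"{n:5d}  {rule_id}  {message}")
```
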


 Post subject: Re: Event 1002 - dominate event
Posted: Fri Mar 09, 2018 7:32 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
This build will go into stable next week.

We have determined though that isn't a bug, those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will suppress this message.


Is there an update process that I can review...? Thanks!!


 Post subject: Re: Event 1002 - dominate event
Posted: Mon Mar 12, 2018 4:43 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Yes, that build is the testing channel, you can install it with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids

It's a minor change, so should be fine to use on a production system. It will be moved to the stable channel next Monday.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Event 1002 - dominate event
Posted: Mon Mar 12, 2018 4:53 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
You can install the update now with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Event 1002 - dominate event
Posted: Wed Mar 14, 2018 6:20 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
You can install the update now with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids


Has this location changed since you posted it... I'm getting an..

https://<mike removed your username and password)@www6.atomicorp.com/channels/asl-4.0/centos/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized

...error (there were many repeats of this as it appeared to try different mirrors..) I cut and pasted the command so I know there was no typo at my end...

Thanks..


 Post subject: Re: Event 1002 - dominate event
Posted: Sun Mar 18, 2018 8:16 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
A 401 error means either your username or password is incorrect, or that account doesn't have an active license. What happens when you reset your password per the URL below:

https://wiki.atomicorp.com/wiki/index.p ... n_Required

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Event 1002 - dominate event
Posted: Wed Apr 04, 2018 8:27 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
A 401 error means either your username or password is incorrect, or that account doesn't have an active license. What happens when you reset your password per the URL below:

https://wiki.atomicorp.com/wiki/index.p ... n_Required


I checked and my license is current and my password/username is correct while logging into ASL..

Still getting that same error..

I'm guessing that I need to somehow add my username and password to the yum request..??? How else would it know who I am???

Sorry...


 Post subject: Re: Event 1002 - dominate event
Posted: Fri Apr 06, 2018 8:49 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.

https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME

https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Event 1002 - dominate event
Posted: Tue Apr 10, 2018 4:08 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
mikeshinn wrote:
You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.

https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME

https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD


Checked that and it seems to be set correctly.. So.. I changed the password in the license manager and then updated that in the Authentication Information page..

Also I notice that this part of the error "creatarich:<mike redacted your password>" did not change after I reset the password.. In fact the <mike redacted your password> does not match the original password (close but not quite) ???

Still getting that error.. Sorry for my thick headedness.. I'm obviously missing something, obvious...


 Post subject: Re: Event 1002 - dominate event
Posted: Mon Apr 16, 2018 4:55 pm
Director of Sales/Support

Joined: Fri Feb 03, 2012 10:41 am
Posts: 8
Location: Chantilly, VA
Good afternoon,

Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:

aum -u
yum upgrade
yum --enablerepo=asl-4.0-testing upgrade ossec-hids


All commands ran successfully, however we did select "N" (for no) when prompted/asked if we wanted to apply the updates.

Very best,
-Ben

all work fine, so whatever issue he was having, guessing it was a transient/resolved on its own


 Post subject: Re: Event 1002 - dominate event
Posted: Mon Apr 16, 2018 6:12 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
BSimmons wrote:
Good afternoon,

Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:

Ben,

Just tested it and it updated just fine.. Don't know what changed.. but here is my guess. The old password had an & (ampersand) in it and that is a no-no in a query string so that may have caused the password to not match.. I had changed the password earlier but the old password kept showing up so my guess from that is something was not updating very quickly from the GUI to the command line (caching..??)

Anyway.. working now..

Thanks so much for the fantastic support..

John..


 Post subject: Re: Event 1002 - dominate event
Posted: Thu Apr 26, 2018 3:10 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Yeah, the password is used in the yum configuration, and it doesn't handle metacharacters very well, even when encoded. It's a limitation of the software management system in Linux, unfortunately.

_________________
Michael Shinn
Atomicorp - Security For Everyone
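
Two checks that follow from the 401 exchange and the reply above, as an added example that is not part of the thread or of Atomicorp's tooling: strip `user:password@` from yum error output before pasting it anywhere public, and list the characters in a candidate password that fall outside the RFC 3986 unreserved set. The sample credentials are constructed, and treating the unreserved set as the safe choice is an assumption; the thread does not say which characters ASL or yum accept.

```python
import re
import string

# Constructed line modelled on the yum error quoted in the thread; the
# username and password here are made up.
SAMPLE = ("https://exampleuser:Pa&ss1@www6.atomicorp.com/channels/asl-4.0/"
          "centos/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized")

# scheme://userinfo@host, matched greedily up to the last "@" before the
# first "/", so a password that itself contains "@" is removed in full.
# A raw "/" inside the password is not covered by this pattern.
USERINFO = re.compile(r"([a-z][a-z0-9+.-]*://)[^/\s]+@", re.IGNORECASE)

# RFC 3986 "unreserved" characters never need percent-encoding in a URL.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def redact(text):
    """Replace the user:password part of every URL in text with a marker."""
    return USERINFO.sub(r"\1<redacted>@", text)


def risky_chars(password):
    """Characters in password outside the unreserved set, sorted."""
    return sorted(set(password) - UNRESERVED)


if __name__ == "__main__":
    print(redact(SAMPLE))
    print(risky_chars("Pa&ss1"))
```
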

