Event 1002 - dominate event

Posted: Wed Mar 07, 2018 3:41 pm
by jbmoore
Newbie here... Trying to understand the various events in the event log and notice that the dominating event is 1002. Did a report and have found the following types of causes:

WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory
...etc...

AND..

ERROR: Invalid integrity message in the database.

There are 326 pages of these for a single day...

There is a folder at /etc/asl/whitelist that contains my whitelist settings, but there are no other files or folders as indicated in the error message. As for the integrity message, the dominant event in the log is "550 : Integrity checksum changed" which may or may not be related. Most all of those that I examined related to changing of various ASL property file settings. For example "Integrity checksum changed for: `/etc/asl/system.properties`" is one of the most common.

Any pointers on how to clean these up?? Seems I can't see the forest for the trees and am concerned that I'll be missing more important issues with respect to being attacked.

Thanks.. John..
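One way to get the "forest" back from a log dominated by a few repeating messages is to collapse the transient, numbered paths into a single template and count what is left. The helper below is an added illustration (not ASL or OSSEC code); the sample lines are constructed in the format quoted above, and the known-noise set is an assumption to be tuned per system.

```python
import re
from collections import Counter

# Constructed sample events (rule id, message) in the format quoted in the post.
SAMPLE_EVENTS = [
    (1002, "WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory"),
    (1002, "WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory"),
    (1002, "WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory"),
    (1002, "ERROR: Invalid integrity message in the database."),
    (550, "Integrity checksum changed for: `/etc/asl/system.properties`"),
    (550, "Integrity checksum changed for: `/etc/asl/system.properties`"),
    # Constructed example of a change that must NOT be filtered out as noise.
    (550, "Integrity checksum changed for: `/etc/passwd`"),
]

# The short-lived whitelist.NNN directories differ only in the numeric suffix,
# so they are collapsed into one template before counting.
TRANSIENT_SUFFIX = re.compile(r"(`/etc/asl/whitelist)\.\d+(`)")

# Assumed known-noise templates; everything else is surfaced for review.
KNOWN_NOISE = {
    (1002, "WARNING: Error opening directory: `/etc/asl/whitelist.<N>`: No such file or directory"),
    (1002, "ERROR: Invalid integrity message in the database."),
    (550, "Integrity checksum changed for: `/etc/asl/system.properties`"),
}


def normalize(message):
    """Replace the per-instance numeric suffix with a placeholder."""
    return TRANSIENT_SUFFIX.sub(r"\1.<N>\2", message)


def triage(events):
    """Return (noise, review): counts keyed by (rule id, normalized message)."""
    counts = Counter((rule, normalize(msg)) for rule, msg in events)
    noise = {k: v for k, v in counts.items() if k in KNOWN_NOISE}
    review = {k: v for k, v in counts.items() if k not in KNOWN_NOISE}
    return noise, review


if __name__ == "__main__":
    noise, review = triage(SAMPLE_EVENTS)
    for key, n in sorted(review.items(), key=lambda kv: -kv[1]):
        print("REVIEW", n, key)
    for key, n in sorted(noise.items(), key=lambda kv: -kv[1]):
        print("noise ", n, key)
```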

Re: Event 1002 - dominate event

Posted: Wed Mar 07, 2018 4:10 pm
by scott
Are you in a position to try our testing builds?

yum --enablerepo=asl-4.0-testing upgrade ossec-hids

Re: Event 1002 - dominate event

Posted: Wed Mar 07, 2018 7:10 pm
by jbmoore
scott wrote:Are you in a position to try our testing builds?

yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Well, this is a production server so, I'm assuming that would not be advisable.

Any other suggestions??

Re: Event 1002 - dominate event

Posted: Fri Mar 09, 2018 6:32 pm
by mikeshinn
This build will go into stable next week.

We have determined, though, that this isn't a bug: those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will suppress this message.

Re: Event 1002 - dominate event

Posted: Fri Mar 09, 2018 7:32 pm
by jbmoore
mikeshinn wrote:This build will go into stable next week.

We have determined, though, that this isn't a bug: those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will suppress this message.
Is there an update process that I can review...? Thanks!!

Re: Event 1002 - dominate event

Posted: Mon Mar 12, 2018 4:43 pm
by mikeshinn
Yes, that build is the testing channel, you can install it with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids

It's a minor change, so it should be fine to use on a production system. It will be moved to the stable channel next Monday.

Re: Event 1002 - dominate event

Posted: Mon Mar 12, 2018 4:53 pm
by mikeshinn
You can install the update now with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids

Re: Event 1002 - dominate event

Posted: Wed Mar 14, 2018 6:20 pm
by jbmoore
mikeshinn wrote:You can install the update now with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Has this location changed since you posted it... I'm getting an..

https://<mike removed your username and password>@www6.atomicorp.com/channels/asl-4.0/centos/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized

...error (there were many repeats of this as it appeared to try different mirrors..) I cut and pasted the command so I know there was no typo at my end...

Thanks..

Re: Event 1002 - dominate event

Posted: Sun Mar 18, 2018 8:16 pm
by mikeshinn
A 401 error means either your username or password is incorrect, or that account doesn't have an active license. What happens when you reset your password per the URL below:

https://wiki.atomicorp.com/wiki/index.p ... n_Required

Re: Event 1002 - dominate event

Posted: Wed Apr 04, 2018 8:27 pm
by jbmoore
mikeshinn wrote:A 401 error means either your username or password is incorrect, or that account doesn't have an active license. What happens when you reset your password per the URL below:

https://wiki.atomicorp.com/wiki/index.p ... n_Required
I checked and my license is current and my password/username is correct while logging into ASL..

Still getting that same error..

I'm guessing that I need to somehow add my username and password to the yum request..??? How else would it know who I am???

Sorry...

Re: Event 1002 - dominate event

Posted: Fri Apr 06, 2018 8:49 am
by mikeshinn
You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.

https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME

https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD

Re: Event 1002 - dominate event

Posted: Tue Apr 10, 2018 4:08 pm
by jbmoore
mikeshinn wrote:You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.

https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME

https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD
Checked that and it seems to be set correctly.. So.. I changed the password in the license manager and then updated that in the Authentication Information page..

Also I notice that this part of the error "creatarich:<mike redacted your password>" did not change after I reset the password.. In fact the <mike redacted your password> does not match the original password (close but not quite) ???

Still getting that error.. Sorry for my thick-headedness.. I'm obviously missing something obvious...

Re: Event 1002 - dominate event

Posted: Mon Apr 16, 2018 4:55 pm
by BSimmons
Good afternoon,

Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:

aum -u
yum upgrade
yum --enablerepo=asl-4.0-testing upgrade ossec-hids


All commands ran successfully, however we did select "N" (for no) when prompted/asked if we wanted to apply the updates.

Very best,
-Ben

All worked fine, so whatever issue he was having, guessing it was transient/resolved on its own.

Re: Event 1002 - dominate event

Posted: Mon Apr 16, 2018 6:12 pm
by jbmoore
BSimmons wrote:Good afternoon,

Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:

Ben,

Just tested it and it updated just fine.. Don't know what changed.. but here is my guess. The old password had an & (ampersand) in it and that is a no-no in a query string, so that may have caused the password to not match.. I had changed the password earlier but the old password kept showing up, so my guess from that is something was not updating very quickly from the GUI to the command line (caching..??)

Anyway.. working now..

Thanks so much for the fantastic support..

John..

Re: Event 1002 - dominate event

Posted: Thu Apr 26, 2018 3:10 pm
by mikeshinn
Yeah, the password is used in the yum configuration, and it doesn't handle metacharacters very well, even when encoded. It's a limitation of the software management system in Linux, unfortunately.