Atomic Secure Linux
 Post subject: which agent reported the event?
Unread postPosted: Wed Jun 12, 2019 3:29 pm 
New Forum User

Joined: Wed Jun 12, 2019 2:33 pm
Posts: 2
Location: Chicago IL, USA
Hey;

New Atomicorp customer - at least I will be once the PO's cut - and am working on a freshly installed POC implementation with 6 clients atm.

Within the ASL security events browser, how do I identify the agent that's reporting an event? Example: I see this event in the alert log:

Quote:
** Alert 1560366039.18365655: - ossec,rootcheck,
2019 Jun 12 15:00:39 walvdevmpwl2854
Rule: 510 (level 6) -> 'Host-based anomaly detection event (rootcheck).'
File '/etc/init/swiagent.update.override' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /etc/init/swiagent.update.override


From that, I can easily tell the source agent is walvdevmpwl2854. When looking at the security events browser and the details for event 1560366039.18365655 - nothing says 'walvdevmpwl2854'.

Did I miss a configuration somewhere?

Thanks

Doug O'Leary


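While the GUI column is missing, the agent can still be recovered from the alert text itself, because the second line of every alerts.log block carries the source. The following is an added example (not code from the post or from Atomicorp/ASL) that parses alert blocks in the layout shown above and answers "which agent reported alert 1560366039.18365655?". The sample alerts are constructed: the first is the block from the post, the other two are made-up alerts in the two other source-line layouts OSSEC writes, `(agent) ip->location` for a remote agent and `hostname->location` for the local host; whether ASL's build emits exactly those two forms is an assumption, so the parser falls back to treating the whole source field as the agent name, which is the case in the post.

```python
"""Recover the reporting agent from OSSEC-style alerts.log blocks.

Added example, not code from the original post or from Atomicorp/ASL.
SAMPLE_ALERTS is constructed: block 1 is the alert quoted in the post,
blocks 2 and 3 are invented to exercise the '(agent) ip->location' and
'hostname->location' source layouts (assumed from OSSEC's alerts.log format).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_ALERTS = """\
** Alert 1560366039.18365655: - ossec,rootcheck,
2019 Jun 12 15:00:39 walvdevmpwl2854
Rule: 510 (level 6) -> 'Host-based anomaly detection event (rootcheck).'
File '/etc/init/swiagent.update.override' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /etc/init/swiagent.update.override

** Alert 1560366100.18366001: mail  - syslog,sshd,authentication_failed,
2019 Jun 12 15:01:40 (webhost01) 10.0.0.21->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jun 12 15:01:39 webhost01 sshd[2211]: Failed password for root from 203.0.113.7 port 55212 ssh2

** Alert 1560366200.18366500: - ossec,
2019 Jun 12 15:03:20 hubhost->ossec-remoted
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'webhost01->10.0.0.21'.
"""

# Line 1: "** Alert <id>: [mail] - <group1>,<group2>,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?:\s+(?P<flag>[a-z]+))?\s+-\s+(?P<groups>.*)$")
# Line 2: "<YYYY Mon DD HH:MM:SS> <source>"
SOURCE_RE = re.compile(r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<src>.+)$")
# Line 3: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Source field layouts (assumed from OSSEC): remote agent, local host, or bare hostname as in the post.
REMOTE_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<loc>.*)$")
LOCAL_RE = re.compile(r"^(?P<host>[^\s>]+)->(?P<loc>.*)$")


@dataclass
class Alert:
    alert_id: str
    timestamp: str
    agent: str                  # name of the host/agent that reported the event
    agent_ip: Optional[str]     # only present for remote agents
    location: Optional[str]     # log file or decoder the event came from
    rule_id: int
    level: int
    description: str
    groups: List[str]
    flag: Optional[str]         # e.g. 'mail' when the rule is configured to e-mail
    details: List[str] = field(default_factory=list)


def _parse_source(src: str):
    """Split the source field into (agent, ip, location) for the three layouts."""
    m = REMOTE_RE.match(src)
    if m:
        return m["agent"], m["ip"], m["loc"]
    m = LOCAL_RE.match(src)
    if m:
        return m["host"], None, m["loc"]
    return src.strip(), None, None      # bare hostname, as in the post


def parse_alerts(text: str) -> List[Alert]:
    """Parse blank-line separated alert blocks; malformed blocks are skipped, not guessed at."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, s, r = HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (h and s and r):
            continue
        agent, ip, loc = _parse_source(s["src"])
        groups = [g for g in h["groups"].split(",") if g]   # drop the trailing empty group
        alerts.append(Alert(h["id"], s["ts"], agent, ip, loc, int(r["rule"]), int(r["level"]),
                            r["desc"], groups, h["flag"], lines[3:]))
    return alerts


def agent_for(alerts: List[Alert], alert_id: str) -> Optional[str]:
    """Answer the question from the post: which agent reported this alert ID? Exact string match."""
    for a in alerts:
        if a.alert_id == alert_id:
            return a.agent
    return None


def alerts_by_agent(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alert IDs by reporting agent, useful for spotting a noisy host across a POC fleet."""
    out: Dict[str, List[str]] = {}
    for a in alerts:
        out.setdefault(a.agent, []).append(a.alert_id)
    return out


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.alert_id}  level={a.level} rule={a.rule_id} agent={a.agent} ip={a.agent_ip or '-'}")
    print("1560366039.18365655 reported by:", agent_for(parsed, "1560366039.18365655"))
```

The alert ID is matched as the exact string from the header line (the part before the colon), so copy it verbatim from the events browser; the details list keeps the `title:` and `file:` lines untouched for the rootcheck case.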
 Post subject: Re: which agent reported the event?
Unread postPosted: Thu Jun 13, 2019 4:37 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4082
Location: Chantilly, VA
Doug, I see what's happening: it is a setting, but a bug is causing it to be hidden in the current GUI. We're pushing an update out into QA to enable this column, and it'll be in the testing channel Monday. As soon as it's available I'll post that it's out. You'll be able to install the update from "testing" by switching the repo, and I'll post the instructions to use that repo.

Once it goes from testing to the stable repo, the hub will upgrade automatically.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: which agent reported the event?
Unread postPosted: Thu Jun 13, 2019 5:09 pm 
New Forum User

Joined: Wed Jun 12, 2019 2:33 pm
Posts: 2
Location: Chicago IL, USA
Excellent, sir! Thank you very much.

Doug


 Post subject: Re: which agent reported the event?
Unread postPosted: Tue Jun 18, 2019 3:57 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4082
Location: Chantilly, VA
Just a followup, the QA build will be released tomorrow into testing.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: which agent reported the event?
Unread postPosted: Thu Jun 20, 2019 12:34 pm 
Atomicorp Support Staff

Joined: Mon Sep 14, 2009 12:15 pm
Posts: 39
The QA build may be installed with the following command:

Code:
yum -y --enablerepo=asl-4.0-testing upgrade asl


This update will be in the normal release channel on Monday.

