Event 1002 - dominate event

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Event 1002 - dominate event

Unread post by jbmoore »

Newbie here... Trying to understand the various events in the event log and notice that the dominating event is 1002. Did a report and have found the following types of causes:

WARNING: Error opening directory: `/etc/asl/whitelist.078111540`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.057576963`: No such file or directory
WARNING: Error opening directory: `/etc/asl/whitelist.472905928`: No such file or directory
...etc...

AND..

ERROR: Invalid integrity message in the database.

There are 326 pages of these for a single day...

There is a folder at /etc/asl/whitelist that contains my whitelist settings but there is no other files or folders as indicated in the error message. As far as the integrity message.. the dominate event in the log is "550 : Integrity checksum changed" which may or may not be related. Most all of those that I examined related to changing of various ASL property file settings. For example "Integrity checksum changed for: `/etc/asl/system.properties`" is one of the most common.

Any pointers on how to clean these up?? Seems I can't see the forest for the trees and am concerned that I'll be missing more important issues with respect to being attacked.

Thanks.. John..
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8338
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Event 1002 - dominate event

Unread post by scott »

Are you in a position to try our testing builds?

yum --enablerepo=asl-4.0-testing upgrade ossec-hids
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: Event 1002 - dominate event

Unread post by jbmoore »

scott wrote:Are you in a position to try our testing builds?

yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Well, this is a production server so, I'm assuming that would not be advisable.

Any other suggestions??
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Event 1002 - dominate event

Unread post by mikeshinn »

This build will go into stable next week.

We have determined though that isnt a bug, those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will supress this message.
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: Event 1002 - dominate event

Unread post by jbmoore »

mikeshinn wrote:This build will go into stable next week.

We have determined though that isnt a bug, those files do exist for a tiny fraction of a second but are gone before they can be copied into the diff store. The update will supress this message.
Is there an update process that I can review...? Thanks!!
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Event 1002 - dominate event

Unread post by mikeshinn »

Yes, that build is the testing channel, you can install it with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids

Its a minor change, so should be fine to use on a production system. It will be moved to the stable channel next Monday.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Event 1002 - dominate event

Unread post by mikeshinn »

You can install the update now with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: Event 1002 - dominate event

Unread post by jbmoore »

mikeshinn wrote:You can install the update now with this command:

yum --enablerepo=asl-4.0-testing upgrade ossec-hids
Has this location changed since you posted it... I'm getting an..

https://<mike removed your username and password)@www6.atomicorp.com/channels/asl-4.0/centos/7/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized

...error (there where many repeats of this as it appeared to try different mirrors..) I cut and pasted the command so I know there was no typo at my end...

Thanks..
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Event 1002 - dominate event

Unread post by mikeshinn »

a 401 error means either your username or password is incorrectly, or that account doesnt have an active license. What happens when you reset your password per the URL below:

https://wiki.atomicorp.com/wiki/index.p ... n_Required
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: Event 1002 - dominate event

Unread post by jbmoore »

mikeshinn wrote:a 401 error means either your username or password is incorrectly, or that account doesnt have an active license. What happens when you reset your password per the URL below:

https://wiki.atomicorp.com/wiki/index.p ... n_Required
I checked and my license is current and my password/username is correct while logging into ASL..

Still getting that same error..

I'm guessing that I need to somehow add my username and password to the yum request..??? How else would it know who I am???

Sorry...
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Event 1002 - dominate event

Unread post by mikeshinn »

You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.

https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME

https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: Event 1002 - dominate event

Unread post by jbmoore »

mikeshinn wrote:You just need to set these to your license manager username and password in the ASL gui. If you're having trouble doing that, just let us know and we'd be happy to help you with that.

https://wiki.atomicorp.com/wiki/index.p ... n#USERNAME

https://wiki.atomicorp.com/wiki/index.p ... n#PASSWORD
Checked that and it seems to be set correctly.. So.. I changed the password in the license manager and then updated that in the Authentication Information page..

Also I notice that this part of the error "creatarich:<mike redacted your password>" did not change after I reset the password.. In fact the <mike redacted your password> does not match the original password (close but not quite) ???

Still getting that error.. Sorry for my thick headedness.. I'm obviously missing something, obvious...
BSimmons

Re: Event 1002 - dominate event

Unread post by BSimmons »

Good afternoon,

Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:

aum -u
yum upgrade
yum --enablerepo=asl-4.0-testing upgrade ossec-hids


All commands ran successfully, however we did select "N" (for no) when prompted/asked if we wanted to apply the updates.

Very best,
-Ben

all work fine, so whatever issue he was having, guessing it was a transient/resolved on its own
jbmoore
Forum User
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: Event 1002 - dominate event

Unread post by jbmoore »

[quote="BSimmons"]Good afternoon,

Are you still experiencing this issue? We were able to log into your system using previously provided info and ran the following commands:
/quote]

Ben,

Just tested it and it updated just fine.. Don't know what changed..but here is my guess. The old password had an & (ampersand) in it and that is a no, no in a query string so that may have caused the password to not match.. I had changed the password earlier but the old password kept showing up so my guess from that is something was not updating very quickly from the GUI to the command line (caching..??)

Anyway.. working now..

Thanks so much for the fantastic support..

John..
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Event 1002 - dominate event

Unread post by mikeshinn »

Yeah the password is used in the yum configuration, and it doesnt handle metacharacters very well, even when encoded. Its a limitation of the software management system in Linux unfortunately.
Post Reply