Koozali.org: home of the SME Server

OSSEC HIDS Notification

Offline Teviot

OSSEC HIDS Notification
« on: February 15, 2011, 10:18:20 PM »
I am receiving the following email from my server and I'm not sure what or how to fix it, if it needs fixing.

Code:
OSSEC HIDS Notification.
2011 Feb 16 07:57:48

Received From: saint->/var/log/messages
Rule: 31412 fired (level 5) -> "PHP internal error (missing file)."
Portion of the log(s):

Feb 16 07:57:46 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81

 --END OF NOTIFICATION

Anyone got any ideas?


This is a new install this morning, SME8.0b6 and Sail (from the ISO http://forums.contribs.org/index.php/topic,46995.0.html) and updated to Sail 3.1.0-101.
« Last Edit: February 15, 2011, 10:27:34 PM by M0GLJ »
Regards
M0GLJ
......................................................
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

Offline SARK devs

  • http://sarkpbx.com
Re: OSSEC HIDS Notification
« Reply #1 on: February 16, 2011, 09:48:27 AM »
Thanks for reporting this.

You can ignore this for now but it is fixed in 103.

Kind Regards

S
« Last Edit: February 16, 2011, 09:50:41 AM by SARK devs »

Offline Teviot

Re: OSSEC HIDS Notification
« Reply #2 on: February 16, 2011, 10:18:22 AM »
S

103 isn't available on the website yet ... Any idea when it will?

Regards
M0GLJ

Offline SARK devs

  • http://sarkpbx.com
Re: OSSEC HIDS Notification
« Reply #3 on: February 16, 2011, 11:04:35 PM »
It is in test here

It will be released as 103 or 104 in a few days.

Kind Regards

S

Offline Teviot

Re: OSSEC HIDS Notification
« Reply #4 on: February 17, 2011, 09:59:15 PM »
S

Just to let you know, after installing the new version of SAIL 104 I did receive the following error about 2 hrs later via email.

Quote
OSSEC HIDS Notification.
2011 Feb 18 06:27:04

Received From: saint->/var/log/messages
Rule: 31412 fired (level 5) -> "PHP internal error (missing file)."
Portion of the log(s):

Feb 18 06:27:03 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81
Regards
M0GLJ

Offline SARK devs

  • http://sarkpbx.com
Re: OSSEC HIDS Notification
« Reply #5 on: February 18, 2011, 01:43:46 AM »
That's interesting

What do you find in the script

/opt/sark/scripts/srkgenAst

?

Kind Regards

S

Offline Teviot

Re: OSSEC HIDS Notification
« Reply #6 on: February 18, 2011, 05:18:24 AM »
Hi S

I don't know what I'm looking for but here is the script.

Quote
#!/bin/bash
/usr/bin/logger Regenerating Asterisk
#
/usr/bin/php /opt/sark/generator/agentSQL.php
/usr/bin/php /opt/sark/generator/cdr_mysql.php
/usr/bin/php /opt/sark/generator/extensions.php
/usr/bin/php /opt/sark/generator/iaxSQL.php
/usr/bin/php /opt/sark/generator/queuesSQL.php
/usr/bin/php /opt/sark/generator/sipSQL.php
/usr/bin/php /opt/sark/generator/featuresSQL.php
/usr/bin/php /opt/sark/generator/vmailSQL.php
/usr/bin/php /opt/sark/generator/tftpSQL.php
# el5 and PIKA only
if [ ! -e "/etc/e-smith" ]; then
        /usr/bin/php /opt/sark/generator/edsw.php
fi
#
/usr/bin/logger Regenerating Asterisk Finished

« Last Edit: February 18, 2011, 05:25:48 AM by M0GLJ »
Regards
M0GLJ

Offline apmuthu

Re: OSSEC HIDS Notification
« Reply #7 on: May 05, 2011, 07:40:00 PM »
Even in SAIL v3.1 Build 109, the file /etc/shorewall/sark_rules is absent on an SME - it may be present in a pure CentOS install.

Possible PHP Syntax error in the file /opt/sark/generator/edsw.php at lines 23-26:
Code:
$file = '/etc/shorewall/sark_rules' or die('Could not read file!');
$change = false;

$handle = @fopen($file, "r");
which should be:
Code:
$file = '/etc/shorewall/sark_rules';
$change = false;

$handle = @fopen($file, "r") or die('Could not read file!');
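An added example (my own code, not SARK's edsw.php and not the snippet above) showing why the first form never reaches die(), and a guarded open that skips the shorewall file cleanly on SME instead of logging the fopen() warning that OSSEC rule 31412 matches every cron run. The function name openRulesFile and the syslog messages are assumptions for illustration.

```php
<?php
// In PHP, "=" binds tighter than "or", so the original line is parsed as
//   ($file = '/etc/shorewall/sark_rules') or die('Could not read file!');
// The assignment evaluates to a non-empty string, which is truthy, so die()
// can never run. The missing file is only noticed later, at fopen(), which
// emits "PHP Warning: fopen(...): failed to open stream" into the syslog.
$file = '/etc/shorewall/sark_rules' or die('Could not read file!');
// $file now holds the path and the script is still running.

// Hypothetical replacement for the generator's open: test first, open second,
// and report through syslog at a level that does not look like an error.
function openRulesFile(string $path)
{
    // On SME the shorewall rules file does not exist (shorewall is only on
    // Warp and vanilla EL5), so skip quietly rather than let fopen() warn.
    if (!is_readable($path)) {
        syslog(LOG_INFO, "sark: $path not present, skipping shorewall rules");
        return false;
    }
    $handle = fopen($path, 'r');
    if ($handle === false) {
        // Readable a moment ago but the open still failed (race, permissions).
        syslog(LOG_WARNING, "sark: could not open $path");
        return false;
    }
    return $handle;
}

openlog('sark', LOG_PID, LOG_DAEMON);
$handle = openRulesFile($file);
if ($handle !== false) {
    // ... process the rules file here ...
    fclose($handle);
}
closelog();
```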

Offline SARK devs

  • http://sarkpbx.com
Re: OSSEC HIDS Notification
« Reply #8 on: May 05, 2011, 10:46:10 PM »
good spot on the php error

shorewall is present only on the Warp and vanilla el5 platforms, which is why you can't see the rules files in SME.

Kind Regards

S

Offline odmen01

Re: OSSEC HIDS Notification
« Reply #9 on: May 18, 2011, 12:35:13 AM »
Good job SARK devs pointing out this...
hello

Offline Teviot

Re: OSSEC HIDS Notification
« Reply #10 on: May 29, 2011, 05:18:15 AM »
Hi All

So how do we fix this?

I'm now getting emails every minute.
Regards
M0GLJ

Offline SARK devs

  • http://sarkpbx.com
Re: OSSEC HIDS Notification
« Reply #11 on: May 29, 2011, 09:46:22 PM »
Please post the output from the following:

rpm -q sail
rpm -qa | grep sailenv
cat /etc/cron.d/sark

Kind Regards

S
Offline Teviot

Re: OSSEC HIDS Notification
« Reply #12 on: June 03, 2011, 11:39:58 PM »
Please post the output from the following:

rpm -q sail

Quote
sail-3.1.0-116

rpm -qa | grep sailenv
Quote
smesailenv-1.0.0-19

cat /etc/cron.d/sark

Quote
# SARK pinger
*/5 * * * * root perl /opt/sark/scripts/perlarp.pl
# SARK timer
* * * * * root php /opt/sark/generator/srktimer.php
# SARK check cmd daemon
* * * * * root perl /opt/sark/scripts/srkrestrtdm.pl
# SARK spin off regression copies
0 4 * * * root sh /opt/sark/scripts/spin.sh
# SARK age regressions
0 4 * * * root sh /opt/sark/scripts/age.sh


Thanks for helping S
Regards
M0GLJ

Offline Teviot

Re: OSSEC HIDS Notification
« Reply #13 on: June 12, 2011, 02:24:02 AM »
Bump
Regards
M0GLJ

Offline SARK devs

  • http://sarkpbx.com
Re: OSSEC HIDS Notification
« Reply #14 on: June 12, 2011, 05:52:01 PM »
I have no idea why you are receiving these errors.  The only place I can see the code being triggered is in /opt/sark/scripts/srkgenAst and it should only exec the shorewall generator in a non-SME environment (EL5 and warp).  You can try removing the exec lines from the script to see if it cures the problem.

Remove:

Code:
if [ ! -e "/etc/e-smith" ]; then
        /usr/bin/php /opt/sark/generator/edsw.php
fi


Kind Regards

s