Koozali.org: home of the SME Server

Obsolete Releases => SME VoIP (Asterisk, SAIL etc) => Topic started by: Teviot on February 15, 2011, 10:18:20 PM

Title: OSSEC HIDS Notification
Post by: Teviot on February 15, 2011, 10:18:20 PM
I am receiving the following email from my server and I'm not sure what or how to fix it if it needs fixing.

Code:
OSSEC HIDS Notification.
2011 Feb 16 07:57:48

Received From: saint->/var/log/messages
Rule: 31412 fired (level 5) -> "PHP internal error (missing file)."
Portion of the log(s):

Feb 16 07:57:46 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81

 --END OF NOTIFICATION

Anyone got any ideas?


This is a new install this morning SME8.0b6 and Sail (From the ISO http://forums.contribs.org/index.php/topic,46995.0.html) and updated to Sail 3.1.0-101
Title: Re: OSSEC HIDS Notification
Post by: SARK devs on February 16, 2011, 09:48:27 AM
Thanks for reporting this.

You can ignore this for now but it is fixed in 103.

Kind Regards

S
Title: Re: OSSEC HIDS Notification
Post by: Teviot on February 16, 2011, 10:18:22 AM
S

103 isn't available on the website yet ... Any idea when it will?

Title: Re: OSSEC HIDS Notification
Post by: SARK devs on February 16, 2011, 11:04:35 PM
It is in test here

It will be released as 103 or 104 in a few days

Kind Regards

S
Title: Re: OSSEC HIDS Notification
Post by: Teviot on February 17, 2011, 09:59:15 PM
S

Just to let you know after installing the new version of SAIL 104 I did receive the following error about 2 hrs later via email

Quote
OSSEC HIDS Notification.
2011 Feb 18 06:27:04

Received From: saint->/var/log/messages
Rule: 31412 fired (level 5) -> "PHP internal error (missing file)."
Portion of the log(s):

Feb 18 06:27:03 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81
Title: Re: OSSEC HIDS Notification
Post by: SARK devs on February 18, 2011, 01:43:46 AM
That's interesting

What do you find in the script

/opt/sark/scripts/srkgenAst

?

Kind Regards

S
Title: Re: OSSEC HIDS Notification
Post by: Teviot on February 18, 2011, 05:18:24 AM
Hi S

I don't know what I'm looking for but here is the script.

Quote
#!/bin/bash
/usr/bin/logger Regenerating Asterisk
#
/usr/bin/php /opt/sark/generator/agentSQL.php
/usr/bin/php /opt/sark/generator/cdr_mysql.php
/usr/bin/php /opt/sark/generator/extensions.php
/usr/bin/php /opt/sark/generator/iaxSQL.php
/usr/bin/php /opt/sark/generator/queuesSQL.php
/usr/bin/php /opt/sark/generator/sipSQL.php
/usr/bin/php /opt/sark/generator/featuresSQL.php
/usr/bin/php /opt/sark/generator/vmailSQL.php
/usr/bin/php /opt/sark/generator/tftpSQL.php
# el5 and PIKA only
if [ ! -e "/etc/e-smith" ]; then
        /usr/bin/php /opt/sark/generator/edsw.php
fi
#
/usr/bin/logger Regenerating Asterisk Finished

Title: Re: OSSEC HIDS Notification
Post by: apmuthu on May 05, 2011, 07:40:00 PM
Even in SAIL v3.1 Build 109, the file /etc/shorewall/sark_rules is absent on an SME - it may be present in a pure CentOS install.

Possible PHP Syntax error in the file /opt/sark/generator/edsw.php at lines 23-26:
Code:
$file = '/etc/shorewall/sark_rules' or die('Could not read file!');
$change = false;

$handle = @fopen($file, "r");
which should be:
Code:
$file = '/etc/shorewall/sark_rules';
$change = false;

$handle = @fopen($file, "r") or die('Could not read file!');
Title: Re: OSSEC HIDS Notification
Post by: SARK devs on May 05, 2011, 10:46:10 PM
good spot on the php error

shorewall is present only on the Warp and vanilla el5 platforms, which is why you can't see the rules files in SME.

Kind Regards

S
Title: Re: OSSEC HIDS Notification
Post by: odmen01 on May 18, 2011, 12:35:13 AM
Good job SARK devs pointing out this...............
Title: Re: OSSEC HIDS Notification
Post by: Teviot on May 29, 2011, 05:18:15 AM
Hi All

So how do we fix this?

I'm now getting emails every minute
Title: Re: OSSEC HIDS Notification
Post by: SARK devs on May 29, 2011, 09:46:22 PM
please post the output from the following

rpm -q sail
rpm -qa | grep sailenv
cat /etc/cron.d/sark

Kind Regards

S


Title: Re: OSSEC HIDS Notification
Post by: Teviot on June 03, 2011, 11:39:58 PM
please post the output from the following

rpm -q sail

Quote
sail-3.1.0-116

rpm -qa | grep sailenv
Quote
smesailenv-1.0.0-19

cat /etc/cron.d/sark

Quote
# SARK pinger
*/5 * * * * root perl /opt/sark/scripts/perlarp.pl
# SARK timer
* * * * * root php /opt/sark/generator/srktimer.php
# SARK check cmd daemon
* * * * * root perl /opt/sark/scripts/srkrestrtdm.pl
# SARK spin off regression copies
0 4 * * * root sh /opt/sark/scripts/spin.sh
# SARK age regressions
0 4 * * * root sh /opt/sark/scripts/age.sh


Thanks for helping S
Title: Re: OSSEC HIDS Notification
Post by: Teviot on June 12, 2011, 02:24:02 AM
Bump
Title: Re: OSSEC HIDS Notification
Post by: SARK devs on June 12, 2011, 05:52:01 PM
I have no idea why you are receiving these errors.  The only place I can see the code being triggered is in /opt/sark/scripts/srkgenAst and it should only exec the shorewall generator in a non-SME environment (EL5 and warp).  You can try removing the exec lines from the script to see if it cures the problem.

remove

Code:
if [ ! -e "/etc/e-smith" ]; then
        /usr/bin/php /opt/sark/generator/edsw.php
fi


Kind Regards

s
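
An added example, not part of any post above and not SARK's own code: a small triage script for the every-minute alerts, which measures how often the edsw.php warning appears in a syslog file and lists the every-minute entries of a cron.d file for comparison. The function names are made up for this example and the log lines are constructed; on the host the inputs would be /var/log/messages and /etc/cron.d/sark.

```shell
#!/bin/bash
# Added example, not from the thread. The log lines are constructed, modelled
# on the warning quoted in the notification; the cron entries are as posted.

# Print "<script>:<line> count=<n> minutes=<m>" per PHP warning source, where
# minutes is the number of distinct date+HH:MM stamps the warning appeared in.
php_warning_cadence() {
    awk '/ php: PHP Warning: / && / on line [0-9]+$/ {
             key = $(NF - 3) ":" $NF              # script path : line number
             count[key]++
             stamp = $1 " " $2 " " substr($3, 1, 5)
             if (!((key, stamp) in seen)) { seen[key, stamp] = 1; minutes[key]++ }
         }
         END { for (k in count)
                   printf "%s count=%d minutes=%d\n", k, count[k], minutes[k] }' "$1" | sort
}

# Print the command of every cron.d entry scheduled "* * * * *" (field 6 is the user).
every_minute_jobs() {
    awk '!/^#/ && $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
             $1 = $2 = $3 = $4 = $5 = $6 = ""; sub(/^ +/, ""); print }' "$1"
}

sample_log() {   # constructed input
    cat <<'EOF'
May 29 05:16:01 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81
May 29 05:16:30 saint kernel: eth0: link up
May 29 05:17:01 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81
May 29 05:18:01 saint php: PHP Warning:  fopen(/etc/shorewall/sark_rules): failed to open stream: No such file or directory in /opt/sark/generator/edsw.php on line 81
EOF
}

sample_cron() {  # subset of the /etc/cron.d/sark listing posted in the thread
    cat <<'EOF'
# SARK pinger
*/5 * * * * root perl /opt/sark/scripts/perlarp.pl
# SARK timer
* * * * * root php /opt/sark/generator/srktimer.php
# SARK check cmd daemon
* * * * * root perl /opt/sark/scripts/srkrestrtdm.pl
EOF
}

tmp=$(mktemp -d)
sample_log > "$tmp/messages"; sample_cron > "$tmp/sark"
php_warning_cadence "$tmp/messages"   # one warning source, seen in 3 distinct minutes
every_minute_jobs "$tmp/sark"         # the two entries that run every minute
rm -rf "$tmp"
```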