
Commandline Access

Russ

AlienVault Employee

OSSIM & AlienVault Community!
You may have noticed some changes in the last release, namely the way we handle command line access has changed. Why? Well, we are not trying to make your life harder; in fact we are trying to make it easier.

The goal of OSSIM is to help reduce the amount of time you spend configuring and administering your security controls. The way we do this is by unifying the configuration settings and replicating them to all of the security controls we have included in the product. When a new user starts with OSSIM they often say "hey cool, I know how to configure SNORT!" and they start hacking away at the config. Little do they know, when they touch these files, there is a very good chance they are going to change something that will get overwritten when they change something in the user interface. We have restricted the command line access so as to help users understand this and make it harder for these mistakes to be made.
But wait! We know that we do not have all of the config options available, so when you find yourself in a jam, you can 'jailbreak' the system. All we ask is that when you do, leave us a little note here to let us know what you were trying to do. This will help us improve the product. The goal is to simplify and unify the configuration, so any bit helps!


Comments

  • Needed to install VMware tools and provide real SSL certificates.
    Also, I noticed a "You have new mail" when I logged onto the console, which prompted me to add a working e-mail alias for root.
  • Looking at an issue mentioned in the forum with an error when OpenVAS tries to run Nikto.
  • Need to jailbreak to customize Nagios plugins and to update Fortigate plugin to 5.x
  • freis said:
    I think that jailbreak is messing with sftp and scp connections from Windows clients. At least in this version I can't do them, and on the 4.1 I could.
    Yes, this is a major concern for me too. I'm unable to use WinSCP to write plugins with Notepad++.

  • Is there a way to remove the jailbreak? Unless it is there for security reasons, it seems odd to have to jailbreak in order to perform what I would consider to be almost necessary tasks for any AV implementation, such as creating and modifying plugins, setting local firewall rules, rsyslog entries, logrotate, etc., unless you are planning on adding some kind of basic and restricted file editor in the GUI to do this in a future release.
  • I do almost everything from the console, as the AV training and exams I received this year taught me. Just following your instructions ;-)

  • freis said:

    I think that jailbreak is messing with sftp and scp connections from Windows clients. At least in this version I can't do them, and on the 4.1 I could.

    Yes, this is a major concern for me too. I'm unable to use WinSCP to write plugins with Notepad++.

    I have AV OSSIM upgraded to the latest version, even virtualized, and I can use Notepad++ to write plugins, and then I use WinSCP (via scp) to move them to the server/sensors.
  • I have a permanent (apparently, it survived a couple of upgrades) option.

    The jailbreak is implemented in /root/.bashrc.

    In order to kill the jailbreak logic comment out the first few lines.

    #if [ "$jailbreak" != "yes" ];then
    #if [[ $- =~ "i" ]];then
    #ossim-setup
    #exit
    #fi
    #fi


    Then change the file to immutable (chattr +i /root/.bashrc).

    The downside to this approach is that if any other code is introduced to root's .bashrc file during an update it won't be applied.
  • After every upgrade, I usually just edit the /etc/passwd file and change root back to /bin/bash

    Kind of a pain on 6 sensors and a server, but it works.

    root:x:0:0:root:/root:/bin/bash
  • edited June 2014
    I need to configure Postfix to send with internally valid "from" addresses:

    echo "smtp_generic_maps = hash:/etc/postfix/generic" >> /etc/postfix/main.cf
    # Populate /etc/postfix/generic:
    root "valid from address"
    nagios "valid from address"

    service postfix restart
  • I need to jailbreak for configuring ntop and snort on different network interfaces. I don't see how to do this in the web interface. Also, I need it for general administration of the operating system.
  • Had to jailbreak for UDP port 12001 (receiving netflow traffic from a router; it did not show up in the interface). Clean installed 4.10 and followed the https://alienvault.bloomfire.com/posts/618099-netflow-collection-with-alienvault/public post. The problem was an iptables entry missing; according to the document it should not be necessary after 4.2. However, I didn't try the reconfigure Firewall option, I went straight to jailbreak and added the iptables entry.
  • As of version 4.11, still have to add an exception to IPtables manually to allow an external netflow datastream. 'Reconfigure Firewall' and system reboot did not add the newly configured netflow collection port.

    Initially also had to jailbreak the external sensor because /etc/ossim/ossim_config was defaulting to port 555 instead of port 12000.

    Also lacking the ability to configure Ntop options for protocol profiling.
  • Jailbroke to be able to figure out why my ossec-agent wouldn't connect; it gave me better access to logs (i.e. grep) and tcpdump, and allowed me to check the iptables settings.
  • Accessing command line to perform ossim-update -v

    Using the update button and watching something spin is not nearly as informative as seeing what is going on at the command line.
  • Jailbreak required to tune rsyslog.d includes for log filtering
  • Jailbreak helped me to repair OpenVAS.
  • To allow OSSIM to receive my SonicWall syslogs
  • I am forwarding syslogs from our Kiwi Syslog server to OSSIM and they are not being processed.
  • edited January 2015
    Here is my permanent jailbreak solution. I'm sure there are other ways. Hopefully it'll help you guys. Works perfectly for Bash and sudoing from standard user accounts.

    /etc/sudoers.d/jailbreak

    %sudo ALL= NOPASSWD: ALL
    Defaults        !env_reset
    Defaults        env_keep =jailbreak

    /etc/profile
    jailbreak="yes"
    ...

    Unlike the option I mentioned previously (editing /root/.bashrc) this will persist across upgrades without being broken.
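As an added example, not code from any poster in this thread or from AlienVault, here is a small POSIX shell audit that reports the persistence edits described above (the commented-out ossim-setup gate in /root/.bashrc, jailbreak="yes" in /etc/profile, and a sudoers.d drop-in using !env_reset, env_keep or NOPASSWD: ALL, the last of which turns off sudo's environment sanitising and password prompt for the whole sudo group) and shows root's current login shell. It builds a constructed sample tree so it runs offline; the file layout and match patterns are assumptions drawn from the thread, not AlienVault's own tooling.

```shell
#!/bin/sh
# Added audit (not AlienVault code): report the persistent-jailbreak edits
# described in this thread. $1 is a filesystem prefix ("" = live system).
jailbreak_audit() {
    fs="${1:-}"
    if [ -f "$fs/root/.bashrc" ] && \
       grep -q '^[[:space:]]*#[[:space:]]*ossim-setup' "$fs/root/.bashrc"; then
        echo "FINDING: ossim-setup gate commented out in /root/.bashrc"
    fi
    if [ -f "$fs/etc/profile" ] && \
       grep -Eq '^[[:space:]]*(export[[:space:]]+)?jailbreak="?yes"?' "$fs/etc/profile"; then
        echo "FINDING: jailbreak=yes set for every login in /etc/profile"
    fi
    for f in "$fs"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        # !env_reset and env_keep let the jailbreak variable survive sudo;
        # NOPASSWD: ALL removes the password prompt for the whole group.
        if grep -Eq '!env_reset|env_keep[[:space:]]*[+]?=.*jailbreak|NOPASSWD:[[:space:]]*ALL' "$f"; then
            echo "FINDING: sudo safeguards relaxed in ${f#"$fs"}"
        fi
    done
    shell=$(awk -F: '$1=="root"{print $7}' "$fs/etc/passwd" 2>/dev/null || true)
    echo "INFO: root login shell is ${shell:-unknown}"
}

# Number of FINDING lines; 0 means none of the thread's edits are present.
jailbreak_count() {
    jailbreak_audit "$1" | grep -c '^FINDING' || true
}

# Constructed sample tree reproducing the edits quoted in this thread.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/etc/sudoers.d"
    printf '#if [ "$jailbreak" != "yes" ];then\n#if [[ $- =~ "i" ]];then\n#ossim-setup\n#exit\n#fi\n#fi\n' > "$d/root/.bashrc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf '%%sudo ALL= NOPASSWD: ALL\nDefaults\t!env_reset\nDefaults\tenv_keep =jailbreak\n' > "$d/etc/sudoers.d/jailbreak"
    printf 'jailbreak="yes"\n' > "$d/etc/profile"
    echo "$d"
}

sample=$(make_sample_tree)
jailbreak_audit "$sample"        # prints three FINDING lines and one INFO line
rm -rf "$sample"
```

Run it with an empty prefix (`jailbreak_audit ""`) on an appliance to check the live files; an upgrade that rewrites /root/.bashrc or root's shell will change the output, which makes the audit a cheap post-upgrade check.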
  • I was asked to use the command line (Jailbreak) to provide diagnostic information for a support request.
  • Had to install a new certificate. I have no issues with the jailbreak option.
  • To check whether netflow is listening on port 555 and run tcpdump to see whether the remote netflow generator (fprobe) is being received through a firewall.
  • edited February 2015
    Installed XenServer tools (allows for better memory management).  Installed mk_agent for monitoring.

    BTW, installing OSSIM under XenServer using XenCenter works, just need to select an HVM based container to install to, which would be a Windows container or the like.  It appears the Debian default Xen features are already enabled, but does not support a paravirt based install.  Under a Debian or generic container install (usually defaulting to PVM), the install will bomb out with an error referencing inability to install to a disk.

    There is a newer web gui that I believe states explicitly whether a container is HVM or PVM, so if you don't use XenCenter under Windows and don't like the CLI...
  • To delete the 16,309 email messages that accumulated in root's mailbox.
  • edited February 2015
    As this is an EVAL, I want to replay pcaps against the interface. The web interface does not allow for this, so a local shell and `tcpreplay` are required.
  • Jailbreak required to troubleshoot network connectivity - OSSEC agents not communicating to server.  OSSEC agent deployments failing.
  • Looking to tweak the Mobile responsiveness
  • edited March 2015
    Version 4.15.2
    DNS server not added to resolv.conf after reboot.
    Using rc.local to update.

    Or:
    vim /etc/network/interfaces
    Add the line: dns-nameservers ....
  • custom plugins.
    two ossec agents not connecting properly.
    updates