FreeBSD 10, jail, pf, ossec

frankit60 said:
This is the new /etc/jail.conf issue from version 10.
You can read about it in man jail.conf.
I read that from version 11 will be the only method used.

Oh, thanks for the info, didn't know ;)

When I have time I'll try to connect a real machine.
Thanks for the support.

Wish I could have been of better help.
Still I don't get why you don't see the agent/server key validation through tcpdump, because when you are adding a key on the agent a connection is made to get the agent name and IP.
Also there is a requested feature for security/ossec-hids-agent to be able to bind to an IP through ossec.conf; this lack can cause problems in a multiple-IP environment (like in a host<>jails configuration), where a solution seems to be adding a route. But this shouldn't be a problem in your case as the agent has one IP only.
 
Just to let you know I got the server in host, client in jail configuration working.
It's kinda tricky because you need to put the jail IP as the server IP in the agent ossec.conf.
 
Hi mecano,

Would you mind sharing your agent configuration file with us? I use sysutils/ezjail and when I put the jail IP as the server IP in the agent ossec.conf, I get the following error:
Code:
2014/12/01 13:37:41 ossec-syscheckd: socket busy ..
2014/12/01 13:37:42 ossec-logcollector: socket busy ..
2014/12/01 13:37:51 ossec-syscheckd: socket busy ..
2014/12/01 13:37:51 ossec-syscheckd(1224): ERROR: Error sending message to queue.
pf(4) is currently disabled with pfctl -d.
 
Hi frankit60,

I had the same problem and I managed to get it to work in the end.
Look at my thread https://forums.freebsd.org/threads/freebsd-10-ossec-jail-problem.49228/#post-277873.

* When communication is happening on the local machine, it will not use the ExtIf interface but lo0
* As a result pf firewall is not blocking the communication
* Explicitly set OSSEC server to use the host IP with the <local_ip> option
* sockstat | grep ossec and tcpdump -n -i lo0 are your friends here.

By the way, what mecano suggested didn't work for me. I had to keep the FreeBSD host IP as the server IP in the agent file.
Just to let you know I got the server in host, client in jail configuration working.
It's kinda tricky because you need to put the jail IP as the server IP in the agent ossec.conf.

Hope this helps. :)

Fred
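Fred's working layout (OSSEC server on the FreeBSD host bound with <local_ip>, agent inside the jail pointing at the host IP), written out as an added example ossec.conf fragment. This is not configuration taken from any post in the thread; the host address 192.0.2.10 and jail address 192.0.2.20 are constructed placeholders.

```xml
<!-- Server side (FreeBSD host) ossec.conf -->
<!-- Binding ossec-remoted to the host IP keeps the listener on one address.
     Jail-to-host traffic on the same machine goes over lo0, which pf leaves
     alone unless a rule explicitly filters lo0. -->
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
    <!-- constructed host address: the IP the jail agent will talk to -->
    <local_ip>192.0.2.10</local_ip>
  </remote>
</ossec_config>

<!-- Agent side (inside the jail, constructed address 192.0.2.20) ossec.conf -->
<ossec_config>
  <client>
    <!-- host IP, not the jail IP: with the server bound via local_ip this is
         the address ossec-remoted actually listens on -->
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>

<!-- Checks on the host, as Fred suggests:
       sockstat -4 | grep ossec        -> ossec-remoted on 192.0.2.10:1514
       tcpdump -n -i lo0 udp port 1514 -> agent datagrams from 192.0.2.20
     If sockstat shows *:1514 instead, local_ip was not picked up. -->
```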
 