
OSSEC HIDS Agent Installation

Prepare the system for building packages (compilers etc.):


sudo apt-get install build-essential

Step 1. Installing OSSEC as an agent on a system (client).
Step 2. Adding the agent on alienvault-ossim using the dashboard and extracting the key for communication between server and client (agent).
Step 3. Importing the authentication key into the client side.

1. Download the latest version and verify its checksum:

    # wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
    # wget http://www.ossec.net/files/ossec-hids-2.6_checksum.txt
    # cat ossec-hids-2.6_checksum.txt
    MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a
    SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e
    MD5 (ossec-agent-win32-2.6.exe) = 7d2392459aeab7490f28a10bba07d8b5
    SHA1 (ossec-agent-win32-2.6.exe) = fdb5225ac0ef631d10e5110c1c1a8aa473e62ab4
    # md5sum ossec-hids-2.6.tar.gz
    MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a
    # sha1sum ossec-hids-2.6.tar.gz
    SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e

2. Extract the compressed package and run the ./install.sh script. (Installation script will start)

    # tar -zxvf ossec-hids-*.tar.gz
    # cd ossec-hids-*
    # ./install.sh

    ** Para instalação em português, escolha [br].
    ** , [cn].
    ** Fur eine deutsche Installation wohlen Sie [de].
    ** , [el].
    ** For installation in English, choose [en].
    ** Para instalar en Español , eliga [es].
    ** Pour une installation en français, choisissez [fr]
    ** Per l'installazione in Italiano, scegli [it].
    ** [jp].
    ** Voor installatie in het Nederlands, kies [nl].
    ** Aby instalować w języku Polskim, wybierz [pl].
    ** , [ru].
    ** Za instalaciju na srpskom, izaberi [sr].
    ** Türkçe kurulum için seçin [tr].
    (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en

    OSSEC HIDS v2.6 Installation Script - http://www.ossec.net

    1- What kind of installation do you want (server, agent, local or help)? agent
      - Agent(client) installation chosen.

    2- Setting up the installation environment.
      - Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec
      - Installation will be made at /opt/ossec .

    3- Configuring the OSSEC HIDS.
      3.1- What's the IP Address of the OSSEC HIDS server?: 169.144.105.90
        - Adding Server IP 169.144.105.90
      3.2- Do you want to run the integrity check daemon? (y/n) [y]:
        - Running syscheck (integrity check daemon).
      3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
        - Running rootcheck (rootkit detection).
      3.4 - Do you want to enable active response? (y/n) [y]:
      3.5- Setting the configuration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/auth.log
        -- /var/log/syslog
        -- /var/log/vsftpd.log
        -- /var/log/mail.info
        -- /var/log/dpkg.log
        -- /var/log/apache2/error.log (apache log)
        -- /var/log/apache2/access.log (apache log)

    4- Installing the system
      - Running the Makefile
    INFO: Little endian set.
    .
    .
    <Output Truncated>
      - System is Debian (Ubuntu or derivative).
      - Init script modified to start OSSEC HIDS during boot.
      - Configuration finished properly.
      - To start OSSEC HIDS: /opt/ossec/bin/ossec-control start
      - To stop OSSEC HIDS: /opt/ossec/bin/ossec-control stop
      - The configuration can be viewed or modified at /opt/ossec/etc/ossec.conf

Step 2. Adding agent:

Method 1. Using the dashboard and extracting the key for communication.

1. Go to Analysis > Detection > HIDS tab > Agents (upper right) and click on Add agent.

2. Add the information for the client on which the OSSEC agent is installed.

3. Extract the key for the new agent by clicking on the golden key icon under the Actions section.

Method 2. Using the terminal on the server side to add the agent.

1. Adding the agent

    # /var/ossec/bin/manage_agents

    ****************************************
    * OSSEC HIDS v2.6 Agent manager.       *
    * The following options are available: *
    ****************************************
       (A)dd an agent (A).
       (E)xtract key for an agent (E).
       (L)ist already added agents (L).
       (R)emove an agent (R).
       (Q)uit.
    Choose your action: A,E,L,R or Q: A

    - Adding a new agent (use '\q' to return to the main menu).
      Please provide the following:
       * A name for the new agent: test1
       * The IP Address of the new agent: 169.144.105.91
       * An ID for the new agent[001]: 001
    Agent information:
       ID:001
       Name:test1
       IP Address:169.144.105.91

    Confirm adding it?(y/n): y

2. Extracting agent key

    ****************************************
    * OSSEC HIDS v2.6 Agent manager.       *
    * The following options are available: *
    ****************************************
       (A)dd an agent (A).
       (E)xtract key for an agent (E).
       (L)ist already added agents (L).
       (R)emove an agent (R).
       (Q)uit.
    Choose your action: A,E,L,R or Q: E

    Available agents:
       ID: 001, Name: test1, IP: 169.144.105.91
    Provide the ID of the agent to extract the key (or '\q' to quit): 001

    Agent key information for '001' is:
    MDAxIHRlc3QxIDE2OS4xNDQuMTA1LjkxIGY2MmE2OTZlYWUxM2JjNzBmNjY4ZjMxOTA1Mzk3N2VhZTdmYjU2ZTI5MWRjNDc4MmYzN2NmMGM3NDhiMTE3NzA=

Step 3. Importing authentication key into client side.


1. # /var/ossec/bin/manage_agents

    ****************************************
    * OSSEC HIDS v2.6 Agent manager.       *
    * The following options are available: *
    ****************************************
       (I)mport key from the server (I).
       (Q)uit.
    Choose your action: I or Q: I

    * Provide the Key generated by the server.
    * The best approach is to cut and paste it.
    *** OBS: Do not include spaces or new lines.

    Paste it here (or '\q' to quit): MDAxIHRlc3QxIDE2OS4xNDQuMTA1LjkxIGY2MmE2OTZlYWUxM2JjNzBmNjY4ZjMxOTA1Mzk3N2VhZTdmYjU2ZTI5MWRjNDc4MmYzN2NmMGM3NDhiMTE3NzA=

    Agent information:
       ID:001
       Name:test1
       IP Address:169.144.105.91

    Confirm adding it?(y/n): y
    Added.
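
The import prompt's warning about spaces and new lines matters because the agent key is a single base64 string. The added example below (not from the original guide or OSSEC itself) strips stray whitespace, decodes the key and checks that it names the expected agent before it is pasted. The function names are hypothetical, and the `ID NAME IP SECRET` layout with a 64-character hex secret is an assumption based on what the key shown above decodes to.

```shell
#!/bin/sh
# Added example: sanity-check an agent key before pasting it into
# manage_agents. Assumption: the key is base64 of "ID NAME IP SECRET",
# with SECRET being 64 hex characters, as in the key shown above.

# normalize_key KEY: strip spaces, tabs and line breaks picked up in copying.
normalize_key() { printf '%s' "$1" | tr -d ' \t\r\n'; }

# check_key KEY EXPECTED_IP: print "ID NAME IP" and succeed only if the key
# decodes to a well-formed record for EXPECTED_IP. The secret is never printed.
check_key() {
    rec=$(normalize_key "$1" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64" >&2; return 1; }
    read -r id name ip secret extra <<EOF
$rec
EOF
    if [ -z "$secret" ] || [ -n "$extra" ]; then
        echo "expected exactly 4 fields" >&2; return 1
    fi
    case "$id" in
        ''|*[!0-9]*) echo "agent ID is not numeric" >&2; return 1 ;;
    esac
    case "$secret" in
        *[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1 ;;
    esac
    if [ "${#secret}" -ne 64 ]; then
        echo "secret is ${#secret} chars, expected 64" >&2; return 1
    fi
    if [ "$ip" != "$2" ]; then
        echo "key is for $ip, not $2" >&2; return 1
    fi
    printf '%s %s %s\n' "$id" "$name" "$ip"
}

# Demo with a constructed key (hypothetical agent, documentation IP range).
demo_key=$(printf '%s' "002 demo 192.0.2.10 $(printf '%064d' 0)" \
    | base64 | tr -d '\n')
check_key "$demo_key" 192.0.2.10
```

Since the decoded key carries the agent's shared secret, move it from server to client over an authenticated, encrypted channel such as SSH.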

After adding the OSSEC agent on the client, restart both the server and the client so that they can communicate.

On the client terminal:

    # /var/ossec/bin/ossec-control start

On the server terminal:

    # /var/ossec/bin/ossec-control restart
