Monday, February 8, 2016

OSSEC Deployment

OSSEC HIDS Manager/Agent Installation


Download the latest version and verify its checksum.
Note: On some systems, the command md5, sha1 or wget may not exist, so try md5sum, sha1sum or lynx respectively instead.
# wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
# wget http://www.ossec.net/files/ossec-hids-2.6_checksum.txt
# cat ossec-hids-2.6_checksum.txt
MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a
SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e
MD5 (ossec-agent-win32-2.6.exe) = 7d2392459aeab7490f28a10bba07d8b5
SHA1 (ossec-agent-win32-2.6.exe) = fdb5225ac0ef631d10e5110c1c1a8aa473e62ab4
# md5sum ossec-hids-2.6.tar.gz
MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a
# sha1sum ossec-hids-2.6.tar.gz
SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e
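As an added example (not code from the OSSEC project), a POSIX shell check that automates the comparison shown above: it parses the "ALGO (file) = hash" lines of the vendor checksum file, computes the local digest with sha1sum/md5sum (falling back to the BSD sha1/md5 commands mentioned in the note), and refuses the tarball on any mismatch. The stand-in tarball and checksum file are constructed inline.

```shell
#!/bin/sh
# Added example (not OSSEC project code): verify a downloaded tarball against
# the vendor checksum file, whose lines look like
#   SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e

# Print the digest recorded for file $2 under algorithm $1 (MD5 or SHA1) in checksum file $3.
expected_digest() {
    awk -v algo="$1" -v name="$2" \
        '$1 == algo && $2 == "(" name ")" { print tolower($4); exit }' "$3"
}

# Compute the local digest of file $2 with algorithm $1, preferring the GNU
# *sum tools and falling back to the BSD md5/sha1 commands from the note above.
actual_digest() {
    case "$1" in
        SHA1) if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | awk '{print $1}'
              else sha1 -q "$2"; fi ;;
        MD5)  if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | awk '{print $1}'
              else md5 -q "$2"; fi ;;
        *)    return 2 ;;
    esac
}

# Return 0 only if every digest the checksum file lists for the tarball matches;
# a mismatch, an unreadable file, or a tarball with no entry at all returns 1.
verify_download() {
    tarball=$1; sums=$2; name=$(basename "$tarball"); checked=0
    for algo in SHA1 MD5; do
        want=$(expected_digest "$algo" "$name" "$sums")
        if [ -z "$want" ]; then continue; fi
        have=$(actual_digest "$algo" "$tarball") || return 1
        if [ "$want" != "$have" ]; then
            echo "$algo mismatch for $name: expected $want, got $have" >&2
            return 1
        fi
        checked=$((checked + 1))
    done
    [ "$checked" -gt 0 ]
}

# Constructed demo input: a stand-in "tarball" whose MD5/SHA1 are known, and a
# checksum file in the same format as ossec-hids-2.6_checksum.txt above.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/ossec-hids-2.6.tar.gz"
cat > "$demo_dir/ossec-hids-2.6_checksum.txt" <<'EOF'
MD5 (ossec-hids-2.6.tar.gz) = b1946ac92492d2347c6235b4d2611184
SHA1 (ossec-hids-2.6.tar.gz) = f572d396fae9206628714fb2ce00f72e94f2258f
EOF
if verify_download "$demo_dir/ossec-hids-2.6.tar.gz" "$demo_dir/ossec-hids-2.6_checksum.txt"; then
    echo "checksums OK, safe to extract"
fi
```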

Installing the Server

  1. Extract the compressed package and run the "./install.sh" script (it will guide you through the installation).
# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
# cd ossec-hids-*
# ./install.sh
What kind of installation do you want (server, agent, local or help)?
 Server
Server installation chosen.
Setting up the installation environment.
  2. Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
Installation will be made at /var/ossec .
  3. Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y
What's your e-mail address? Gnanamani.h@payoda.com
We found your SMTP server as: 192.168.1.8
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
3.4- Do you want to enable active response? (y/n) [y]: y
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- Do you want to add more IPs to the white list? (y/n)? [n]: n
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
- /var/log/messages
- /var/log/auth.log
- /var/log/syslog
- /var/log/mail.info
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
  4. # /opt/ossec/bin/ossec-control start

Managing Agents
Add an agent
  1. # /opt/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v1.4 Agent manager.
*
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
  2. Choose your action: A,E,L,R or Q: A
Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: Username/ClientMachinename
* The IP Address of the new agent: ClientIpaddress (eg: 192.168.4.61)
* An ID for the new agent[001]: 001
Agent information:
ID:001
Name:Username/ClientMachinename
IP Address:ClientIpaddress (eg: 192.168.4.61)
Confirm adding it?(y/n): y
Agent added.
  3. Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: Username/ClientMachinename, IP: ClientIpaddress (eg: 192.168.4.61)
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzlmYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh
** Press ENTER to return to the main menu.

Note: the agent key must be copied from the server and pasted on the client machine.

Client Machine

Installing Agents
1- What kind of installation do you want (server, agent, local or help)? agent
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address of the OSSEC HIDS server?: IPaddress of server
- Adding Server IP
(Note: if this prompt is not shown, add the server IP entry manually to /var/ossec/etc/ossec.conf after installation:
<client>
<server-ip>192.168.1.160</server-ip>
</client>)
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).
3.4- Do you want to enable active response? (y/n) [y]: y
3.5- Setting the configuration to analyze the following logs:
- /var/log/messages
- /var/log/authlog
- /var/log/secure
- /var/log/xferlog
- /var/log/maillog
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
# /opt/ossec/bin/ossec-control start
# /opt/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v1.3 Agent manager.
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or ‘\q’ to quit):
MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzlmYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh
Agent information:
ID:001
Name:Username/ClientMachinename
IP Address:ClientIpaddress(eg:192.168.4.61 )
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v1.3 Agent manager.
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: Q
** You must restart the server for your changes to have effect.
manage_agents: Exiting ..
Now that the agent installation is complete, we can start the OSSEC HIDS service by
running the following command:
# /opt/ossec/bin/ossec-control start
The agent starts and connects to the server. You can verify this by checking the agent
logs (/var/ossec/logs/ossec.log) and finding messages similar to the following near the end
of the file:
2007/10/10 23:25:48 ossec-agentd: Connecting to server (192.168.4.61:1514).
2007/10/10 23:25:48 ossec-agentd(4102): Connected to the server.
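An added example (not OSSEC code) covering both the key extracted with manage_agents on the server above and the import on the client: it strips the whitespace the pasted key picked up in transit (the exact thing the "Do not include spaces or new lines" warning is about), decodes it, and checks that the agent ID and IP embedded in the key are the ones you registered before you confirm the import. PAGE_KEY is the key as printed on this page.

```shell
#!/bin/sh
# Added example (not OSSEC project code): inspect an agent key before importing it.
# An OSSEC agent key is base64 of "<id> <name> <ip> <secret>". The key extracted
# above came through copy/paste with a stray space in it, which the client-side
# manage_agents rejects ("Do not include spaces or new lines").

# Strip every space, tab and line break that copy/paste may have inserted.
clean_key() { printf '%s' "$1" | tr -d ' \t\r\n'; }

# Print "<id> <name> <ip>" for a key; fail if it is not valid base64 or does
# not decode to exactly four fields. The secret is deliberately not printed.
key_fields() {
    decoded=$(clean_key "$1" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ $# -eq 4 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Return 0 only if the key was issued for the agent ID and IP you expect, i.e.
# the values typed into manage_agents on the server for this client.
key_matches() {
    key=$1; want_id=$2; want_ip=$3
    fields=$(key_fields "$key") || return 1
    set -- $fields
    [ "$1" = "$want_id" ] && [ "$3" = "$want_ip" ]
}

# The key exactly as it appears on this page, stray space included.
PAGE_KEY='MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzl mYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh'

echo "key is for agent: $(key_fields "$PAGE_KEY")"   # 001 mars 192.168.65.40
if key_matches "$PAGE_KEY" 001 192.168.65.40; then
    echo "key matches the expected agent; paste this cleaned key into manage_agents:"
    clean_key "$PAGE_KEY"; echo
fi
```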

Installing the Windows Agent

Begin by running the installation executable ossec-agent-win32-1.4.exe as seen in Figure 2.1,
to open the wizard.
[Figure: Launching the Installer]
Click Next to start the installation.
[Figure: Accepting the License Text]
Review the license agreement and then click I Agree to continue.
Choose the components you want to install, and click Next.
[Figure: Selecting Components]

Managing the Agent

  1. Connecting to the Server (PuTTY)
  2. Running manage_agents (enter E to extract the agent key for the current Windows host)
  3. Copying the Key to the Clipboard (enter your ID (eg: 002), select the key information, and copy it to the clipboard)
  4. Pasting the Key
  5. Confirming the Import
  6. Starting the OSSEC HIDS
  7. Confirming the Server Connection
