Setting up OSSEC Server and Agents - serate-actual/sec350final GitHub Wiki

Summary

  • Install the OSSEC Server
  • Add Agents to the OSSEC Server

Installation of OSSEC prereqs and repos

  • Install the prerequisite packages with yum
    • yum install zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel
  • Add the repository for OSSEC
    • wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

Installing OSSEC Server

  • The OSSEC Server receives all the logs and organizes them
  • There is one server for many agents
  • Install OSSEC server with yum
    • yum install ossec-hids ossec-hids-server
  • Run /var/ossec/bin/ossec-control start
  • Run the program at /var/ossec/bin/ossec-configure
    • Make sure to select server when prompted
    • Do not use firewall drops
    • Follow the defaults for the rest of the options
  • Open port 1514/udp on the firewall

Installing OSSEC-WUI (OUTDATED AND GROSS)

  • OSSEC-WUI is a quick-and-dirty solution to check OSSEC functionality. For a more complete log view, we will be using Graylog.
  • Install apache, git, and php
    • yum -y install git httpd php
  • Use git to pull down the ossec-wui repository
    • git clone https://github.com/ossec/ossec-wui.git
  • Move the ossec-wui repository to /var/www/html
  • Run the setup.sh script in the folder
  • Open port 80/tcp on the firewall
    • firewall-cmd --add-port=80/tcp --permanent
    • firewall-cmd --reload
  • Enable and restart the httpd service
    • systemctl enable httpd
    • systemctl restart httpd

Installing OSSEC Agent

  • The OSSEC agent sends logs back to the server
  • There are many agents for one server
  • Installed on endpoints
  • Install OSSEC agent with yum
    • yum install ossec-hids ossec-hids-agent
  • Run /var/ossec/bin/ossec-control start
  • Run the program at /var/ossec/bin/ossec-configure
    • Make sure to select agent when prompted
    • Do not use firewall drops
    • Follow the defaults for the rest of the options
  • Open port 1514/udp on the firewall

Installing OSSEC Agent Windows

Add OSSEC Linux Agents on log01

  • Run /var/ossec/bin/manage_agents
  • Select Add an Agent
  • Fill in the details with that of your desired agent
  • Run the program again and extract the key for your agent and write it to a file in the user's home directory
    • ./manage_agents -e (agent number) | tail -n 1 > /home/david/agentkey
  • Push it with SCP
    • scp /home/david/agentkey (remote login)@(remote server):/home/david/agentkey
  • cd to /var/ossec/bin and run this command to import the key
    • ./manage_agents -i $(cat /home/david/agentkey)
  • Run /var/ossec/bin/ossec-control restart on the server and the agent
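The `tail -n 1` step above (and the same step in the Windows section below) writes whatever manage_agents printed last, so a wrong agent number leaves an error message in the key file instead of a key. This added example, not part of the wiki, decodes the exported line and checks it is an agent key before it is pushed; it assumes the export is the base64 of the agent's client.keys line and that the secret is 64 hex characters, and the sample output and error text are constructed.

```python
import base64
import ipaddress
import re

# Constructed sample of what `/var/ossec/bin/manage_agents -e 001` prints:
# a banner line, then the base64 key. The values are made up, not a real key.
SAMPLE_KEY = base64.b64encode(
    b"001 web01 10.0.5.21 " + b"0123456789abcdef" * 4).decode()
SAMPLE_EXPORT = f"Agent key information for '001' is:\n{SAMPLE_KEY}\n"
# Constructed error text for a wrong ID; `tail -n 1` would still write it out.
SAMPLE_ERROR = "** Invalid ID '099' given. ID is not present.\n"


def agent_key_fields(key_b64):
    """Decode an exported key to (id, name, ip, secret); ValueError if malformed.
    Assumed format: base64 of the client.keys line, i.e. a three-digit ID,
    the agent name, an IP (or CIDR, or 'any') and a 64-hex-char secret."""
    try:
        decoded = base64.b64decode(key_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 agent key: {key_b64!r}") from exc
    fields = decoded.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {decoded!r}")
    agent_id, name, ip, secret = fields
    if not re.fullmatch(r"\d{3}", agent_id):
        raise ValueError(f"bad agent id {agent_id!r}")
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # ValueError if not an IP/CIDR
    if not re.fullmatch(r"[0-9a-f]{64}", secret):
        raise ValueError("secret is not 64 hex characters")
    return agent_id, name, ip, secret


def extract_agent_key(export_output):
    """What the page's `tail -n 1` does, plus a check that the line is a key."""
    lines = [ln.strip() for ln in export_output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty manage_agents output")
    agent_key_fields(lines[-1])
    return lines[-1]


def is_valid_export(export_output):
    try:
        extract_agent_key(export_output)
    except ValueError:
        return False
    return True
```

On the server, feed the real output of `./manage_agents -e (agent number)` to extract_agent_key and write its return value to the key file; anything else aborts before a bad file is copied to the agent.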

Add OSSEC Windows Agents on log01

  • Run /var/ossec/bin/manage_agents
  • Select Add an Agent
  • Fill in the details with that of your desired agent
  • Run the program again and extract the key for your agent and write it to a file in the user's home directory
    • ./manage_agents -e (agent number) | tail -n 1 > /home/david/agentkey
  • Use mgmt01 to SSH to log01, cat the file, and then copy the text over to a file on usr01
  • Run the OSSEC agent manager and input the appropriate server IP and authentication key.
  • Use the OSSEC agent manager to restart the OSSEC agent service on the Windows host
  • Run /var/ossec/bin/ossec-control restart on the server

Add OSSEC Agentless monitoring

  • On log01, enable agentless monitoring
    • /var/ossec/bin/ossec-control enable agentless
  • The program at /var/ossec/agentless/register_host.sh is used to register hosts
    • Note: use IPs, not DNS names.
  • Run the command ./register_host.sh add (username)@(hostname) NOPASS (enable/sudo password)
  • If you mess up, the passwords are stored in /var/ossec/agentless/.passlist
  • This should be done for your firewalls, fw-edge and fw-mgmt

Setting up agentless monitoring for fw-edge and fw-mgmt

  • You will need to edit the ossec.conf file
  • Add a similar section
<agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>(username)@(host IP)</host>
</agentless>
  • Frequency is measured in seconds
  • Type can be one of the four below
    • ssh_integrity_check_bsd is used to check the integrity of a directory specified in the <arguments> tags on a BSD system
    • ssh_integrity_check_linux is the same as above, but is used for Linux systems
    • ssh_generic_diff runs the commands in <arguments> and alerts if there is a change
    • ssh_pixconfig_diff is the same, but runs on PIX/Cisco systems.
  • To monitor our VyOS boxes for changes in the firewall commands, we would create this config
<agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>vyos@(vyos hostname)</host>
    <state>periodic</state>
    <arguments>/config/</arguments>
</agentless>
  • Restart OSSEC
    • If /var/ossec/logs/ossec.log contains entries saying the Expect command is missing, install expect with yum.
    • Likewise, install expect if lines in /var/ossec/logs/ossec.log that reference ossec-agentlessd show error code 126.
  • For further reference, read the docs
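A mistyped type, a hostname instead of an IP, or a missing <arguments> only surfaces after the restart, in ossec.log. This added example, not part of the wiki, checks the <agentless> entries in ossec.conf against the rules above before restarting; the sample configuration is constructed (the page's VyOS entry with a made-up address, plus a deliberately broken second entry).

```python
import ipaddress
import xml.etree.ElementTree as ET

AGENTLESS_TYPES = {"ssh_integrity_check_bsd", "ssh_integrity_check_linux",
                   "ssh_generic_diff", "ssh_pixconfig_diff"}

# Constructed ossec.conf fragment: the page's VyOS entry with a made-up address,
# followed by a second entry that breaks the page's rules in several ways.
SAMPLE_CONF = """
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>vyos@10.0.17.2</host>
    <state>periodic</state>
    <arguments>/config/</arguments>
  </agentless>
</ossec_config>
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_vyos</type>
    <frequency>ten-hours</frequency>
    <host>vyos@fw-edge.example.internal</host>
  </agentless>
</ossec_config>
"""


def check_agentless(conf_text):
    """Return one finding string per problem found in the <agentless> entries."""
    # ossec.conf may contain several <ossec_config> roots, so wrap them in one.
    root = ET.fromstring(f"<root>{conf_text}</root>")
    findings = []
    for n, entry in enumerate(root.iter("agentless"), start=1):
        typ, freq, host, args = ((entry.findtext(t) or "").strip()
                                 for t in ("type", "frequency", "host", "arguments"))
        if typ not in AGENTLESS_TYPES:
            findings.append(f"entry {n}: unknown type {typ!r}")
        if not freq.isdigit() or int(freq) <= 0:
            findings.append(f"entry {n}: frequency must be seconds as an integer, got {freq!r}")
        user, _, target = host.rpartition("@")
        try:
            ipaddress.ip_address(target if user else "")  # page: IPs, not DNS names
        except ValueError:
            findings.append(f"entry {n}: host must be user@IP, got {host!r}")
        if typ.startswith("ssh_integrity_check") and not args:
            findings.append(f"entry {n}: integrity check needs <arguments> listing directories")
    return findings
```

Run it over the contents of /var/ossec/etc/ossec.conf; an empty list means the entries follow the rules on this page.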