In this tutorial, we are going to learn how to install and configure AlienVault HIDS (Host Intrusion Detection) agents on a Linux as well as a Windows system.
AlienVault uses OSSEC HIDS agents for host intrusion detection. To actively monitor all aspects of system activity (file integrity monitoring, log monitoring, rootcheck and process monitoring), an OSSEC agent must be installed on each host; the agent collects this information and reports back to the server over an encrypted message protocol.
Before you can monitor any host, you need to import the host into the AlienVault OSSIM server. You may want to check our previous article on how to do that. Once the host is imported, add an HIDS agent for each host to the OSSIM server as described below.
Adding the HIDS agent to OSSIM server
1. Login to OSSIM server web dashboard and navigate to Environment > Detection.
2. Under Detection, navigate to HIDS > Agents > Agent Control > Add Agent.
3. When you click on ADD AGENTS, a NEW HIDS AGENT window opens up.
4. On the NEW HIDS AGENT window, enter the hostname/IP address of the host in the search bar or select it from the asset tree.
5. When you select a host, the Agent Name and IP address fields are populated automatically.
6. Click Save to save the agent information.
Once the agent is added, you can see the Agent Information. For instance, the agent we just added is the first one and has an ID of 001.
Install OSSEC HIDS agent on a Linux Host
1. Login to your Linux host, download the OSSEC HIDS source archive from GitHub and extract it as shown below.
# wget https://github.com/ossec/ossec-hids/archive/3.0.0.tar.gz -P /tmp/
# cd /tmp/
# tar xzf 3.0.0.tar.gz
2. Install OSSEC HIDS agent.
Once you have extracted the archive, navigate to the extracted directory and execute the installation script.
# cd ossec-hids-3.0.0/
# ./install.sh
When the installation launches, you will be prompted to provide some input. In most of those cases, just press ENTER to accept the default values.
The first prompt asks you to select the installation language, which by default is English, abbreviated as [en]. Press Enter to accept the default.
The next prompt asks you to choose the type of installation; in our case we are installing the ossec-hids agent.
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
Once you have chosen the type of installation, press Enter to continue. For the next prompt, choose /var/ossec as the installation directory.
Next, enter the IP address of the OSSEC server (the OSSIM server).
3- Configuring the OSSEC HIDS.
  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.101
For the next prompts, press ENTER to accept the defaults. You may need to disable Active Response.
If installation is successful, you should get this output:
 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.
 - Configuration finished properly.
 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start
 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop
 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
 ...
 --- Press ENTER to finish (maybe more information below). ---
Once the agent is installed, you need to import the agent's key from the server.
Login to the server web dashboard, navigate to Environment > Detection > HIDS > Agent, extract the key of the specific agent by clicking on the key button, and copy the key.
On the host, run the following command to import the key: enter option I, paste the key and confirm adding it. Then enter Q to exit.
# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.9.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGRyc2VydmVyIDE5Mi4xNjguNDMuMjM3IGM5MmVmZTBlMmY5ODMyNzc3ZjhmOGJhYTNhNzk4OGI1MzllZTIxYzMxMmYyZmNiNjZkYzA3ODU0NGI0M2MzOTI=

Agent information:
   ID:001
   Name:drserver
   IP Address:192.168.43.237

Confirm adding it?(y/n): y
Added.
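The key you paste into manage_agents is a single base64 line that decodes to four space-separated fields, "<id> <name> <ip> <secret>", which is exactly the Agent information manage_agents echoes back before asking for confirmation. A common cause of a failed import is a key that picked up whitespace, a line break or a truncated tail while being copied, or a key that belongs to a different agent than the host you are on. The following Python script is an added example (not part of this tutorial or of OSSEC) that decodes a key and compares the embedded id, name and IP with the values shown on the dashboard before you paste it. The SAMPLE_KEY it uses is constructed for illustration and is not a real server key.

```python
import base64
import binascii
import ipaddress
import re

# Added example, not OSSEC's own code: an agent key decodes to
# "<id> <name> <ip> <secret>", as the manage_agents output above shows.


def decode_agent_key(key_b64):
    """Decode a base64 OSSEC agent key into its id, name, ip and secret fields.

    Raises ValueError when the text is not a well-formed key, which is the usual
    symptom of a copy/paste that picked up spaces, line breaks or lost the tail.
    """
    try:
        raw = base64.b64decode(key_b64.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (id name ip secret), got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    if ip != "any":
        # OSSEC accepts a single address or a CIDR range in this field
        ipaddress.ip_network(ip, strict=False)  # raises ValueError if malformed
    if not re.fullmatch(r"[0-9a-f]{64}", secret):
        raise ValueError("secret is not a 64-character hex string")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_mismatches(key_b64, expected_id, expected_name, expected_ip):
    """Compare the key's embedded identity with the Agent Information on the dashboard.

    Returns a list of human-readable mismatches; an empty list means the key matches.
    """
    info = decode_agent_key(key_b64)
    expected = {"id": expected_id, "name": expected_name, "ip": expected_ip}
    return [
        f"{field}: key says {info[field]!r}, dashboard says {expected[field]!r}"
        for field in ("id", "name", "ip")
        if info[field] != expected[field]
    ]


# Constructed sample key (NOT a real server key): id 001, name drserver,
# IP 192.168.43.237 and a placeholder 64-hex-character secret.
SAMPLE_KEY = base64.b64encode(
    b"001 drserver 192.168.43.237 " + b"0123456789abcdef" * 4
).decode("ascii")

if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_KEY))
    print("same host :", key_mismatches(SAMPLE_KEY, "001", "drserver", "192.168.43.237"))
    print("wrong host:", key_mismatches(SAMPLE_KEY, "001", "drserver", "192.168.43.101"))
```

Run it with the key you copied from the dashboard in place of SAMPLE_KEY; an empty mismatch list means the key belongs to the agent entry you created, and a ValueError points at a damaged paste rather than a server-side problem.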
Start and Enable OSSEC agent to start on system reboot
# systemctl enable ossec
# systemctl start ossec
You can verify that the agent is communicating with the server by checking the ossec agent logs as shown below.
# tail /var/ossec/logs/ossec.log
2018/09/03 17:18:17 ossec-agentd: INFO: Started (pid: 3677).
2018/09/03 17:18:17 ossec-agentd: INFO: Server 1: 192.168.43.101
2018/09/03 17:18:17 ossec-agentd: INFO: Trying to connect to server 192.168.43.101, port 1514.
2018/09/03 17:18:17 INFO: Connected to 192.168.43.101 at address 192.168.43.101, port 1514
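The line to look for in ossec.log is the "Connected to ... port 1514" record; the "Trying to connect" line on its own only says the agent was started with a server address. The following Python script is an added example (not part of this tutorial or of OSSEC) that parses agent log lines in the "date time [component: ]LEVEL: message" layout shown above, reports whether and to which server/port the agent connected, and collects WARN/ERROR records for troubleshooting. The sample input is the four lines from the tail output above plus one constructed warning line whose wording is illustrative rather than OSSEC's exact message.

```python
import re

# Added example, not OSSEC's own code: parse ossec.log lines as the agent
# writes them ("YYYY/MM/DD HH:MM:SS [component[(id)]: ]LEVEL: message")
# and decide whether the agent reached the server.

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<component>[\w-]+)(?:\(\d+\))?: )?"
    r"(?P<level>DEBUG|INFO|WARN|ERROR|CRITICAL): "
    r"(?P<msg>.*)$"
)
CONNECTED = re.compile(
    r"Connected to (?P<server>\S+) at address (?P<addr>\S+), port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict with ts/component/level/msg, or None if the line is not a log record."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def agent_status(lines):
    """Summarise agent-to-server connectivity from an iterable of ossec.log lines.

    The most recent 'Connected to' record wins, so a reconnect after an earlier
    problem reports as connected; WARN/ERROR/CRITICAL messages are kept as-is.
    """
    status = {"connected": False, "server": None, "port": None,
              "problems": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():          # ignore blank lines, count anything else
                status["unparsed"] += 1
            continue
        if rec["level"] in ("WARN", "ERROR", "CRITICAL"):
            status["problems"].append(f'{rec["ts"]} {rec["level"]}: {rec["msg"]}')
        conn = CONNECTED.search(rec["msg"])
        if conn:
            status["connected"] = True
            status["server"] = conn.group("addr")
            status["port"] = int(conn.group("port"))
    return status


# Sample input: the four lines from the tutorial's tail output, plus one
# constructed WARN line (illustrative wording, not OSSEC's exact message).
SAMPLE_LOG = """\
2018/09/03 17:18:17 ossec-agentd: INFO: Started (pid: 3677).
2018/09/03 17:18:17 ossec-agentd: INFO: Server 1: 192.168.43.101
2018/09/03 17:18:17 ossec-agentd: INFO: Trying to connect to server 192.168.43.101, port 1514.
2018/09/03 17:18:17 INFO: Connected to 192.168.43.101 at address 192.168.43.101, port 1514
2018/09/03 17:18:40 ossec-agentd: WARN: constructed sample warning line
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pass /var/ossec/logs/ossec.log as the first argument to check a real agent.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    result = agent_status(source)
    print("connected:", result["connected"],
          "server:", result["server"], "port:", result["port"])
    for problem in result["problems"]:
        print("problem:", problem)
```

Pointing the script at /var/ossec/logs/ossec.log gives a quick yes/no on whether the agent ever reached the server, and the collected WARN/ERROR lines are the first thing to read when the agent stays inactive on the dashboard.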
On the Server, restart OSSEC HIDS
Navigate to Environment > Detection > HIDS > HIDS Control > HIDS service is UP > RESTART.
If you check the status of the agent under Environment > Detection > HIDS > Agent, it should be Active and the host should now be able to send logs to the OSSIM server.
In case you experience any hitch, use the log path mentioned above to find out what the issue is.
You can also check HIDS logs from the server, Environment > Detection > HIDS > HIDS Control > HIDS LOG.
You have now successfully installed and set up the OSSEC HIDS agent on a Linux host and should be able to monitor the host. In our next tutorial, we will learn how to install and configure the AlienVault HIDS agent on a Windows host.
You may also want to check our other article on how to install OSSEC agent on Ubuntu 18.04/CentOS 7.