How to Install and Setup OSSEC agent on Ubuntu 18.04/CentOS 7

Last updated on July 22nd, 2020 at 01:27 pm

In this guide, we are going to learn how to install and configure the OSSEC agent on Ubuntu 18.04/CentOS 7.
OSSEC is an open source host-based intrusion detection system (HIDS) that runs across multiple OS platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX.

It monitors all aspects of system activity such as;

  • file integrity monitoring
  • Windows registry monitoring
  • log monitoring
  • rootcheck
  • process monitoring

It can also be configured to notify on suspicious activity via alert logs or email alerts. OSSEC can be integrated with SIEM solutions such as AlienVault. You can also have a look at our previous article on setting up the AlienVault HIDS agent on a Linux system by following the link below;

How to Install and Configure AlienVault HIDs Agent on a Linux Host.

Prerequisites

To install the OSSEC agent on Ubuntu 18.04/CentOS 7 or any other Linux/Unix system, ensure that you have a C compiler as well as the make utility installed. You can install them in either of the following ways;

  • Using the distribution specific package manager such as YUM, APT, PKG or DNF. For example;

yum install gcc make                  # On RHEL derivatives (CentOS 7)
apt-get install gcc make unzip wget   # On Debian derivatives (Ubuntu 18.04)

  • Downloading the RPM/DEB package and installing it locally. This may fail if package dependencies are not met. For example;

On RHEL derivatives (CentOS 7)

wget http://mirror.centos.org/centos/7/os/x86_64/Packages/gcc-4.8.5-36.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/make-3.82-24.el7.x86_64.rpm

Once the download is done, install it locally by running the command;

yum localinstall gcc-4.8.5-36.el7.x86_64.rpm
yum localinstall make-3.82-24.el7.x86_64.rpm

On Debian Derivatives (Ubuntu 18.04)

wget http://archive.ubuntu.com/ubuntu/pool/main/g/gcc-defaults/gcc_7.3.0-3ubuntu2_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/m/make-dfsg/make_4.1-9.1ubuntu1_amd64.deb

Once the download is done, install it by running the command below (the ./ prefix tells apt to install the local file rather than look up a package by that name);

apt install ./gcc_7.3.0-3ubuntu2_amd64.deb
apt install ./make_4.1-9.1ubuntu1_amd64.deb

You can download the compiler and make utilities for a specific Unix/Linux distribution from the Packages Search page.

Download OSSEC Agent Tarball

To download the OSSEC agent for Linux, navigate to the OSSEC download page, or simply run the command below to download it to the /tmp folder;

wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz -P /tmp

Install OSSEC Agent on Ubuntu 18.04/CentOS 7

Navigate to the /tmp folder and extract the agent tarball;

cd /tmp
tar xzf 3.1.0.tar.gz

Navigate to the agent source directory;

cd ossec-hids-3.1.0

Launch the OSSEC agent installer;

./install.sh

The installer will first prompt you to select the installation language, English by default, abbreviated as [en]. Press Enter to accept the default;

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:

The next prompt asks you to verify the type of installation. In our case, we are installing the ossec-hids agent. Select local instead if the host is not going to report to a server.

[Screenshot: ossec agent type]

Once you have chosen the type of installation, press Enter to continue. At the next prompt, press Enter to accept /var/ossec as the default install location.

[Screenshot: ossec-install-path]

Next, enter the IP address of the sensor to which the agent should forward its logs for analysis. This can be your OSSEC server or AlienVault server.

[Screenshot: ossec-server-ip]

Enable the system integrity check.

[Screenshot: enable-system-integrity-check]

Enable the rootkit detection engine.

[Screenshot: enable-rootkit-detection-engine]

Disable active response by typing n unless you have a good understanding of the alerts you see on your server.

[Screenshot: disable-active-response]

Press Enter to finalize the installation. If the installation is successful, you will see output like that in the screenshot below;

[Screenshot: ossec-installation-done]

Connect the Agent to the Server

Now that the agent is installed, run the following command to add the server-agent connection key. You can extract the key for this specific host from the server. Enter option I, paste the key and confirm adding it. Then type Q and press Enter to exit.

/var/ossec/bin/manage_agents

[Screenshot: manage-ossec-agent]

Start the OSSEC Agent

Now that the server-agent key is installed, run the command below to start the OSSEC agent;

/var/ossec/bin/ossec-control start

You can verify that the agent is communicating with the server by checking the OSSEC agent log as shown below;

tail /var/ossec/logs/ossec.log

You should see a line stating that the agent has connected to the server. If that is not the case, check for firewall issues between the agent and the server.

[Screenshot: server-agent-connection]
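For repeating the walkthrough above on many hosts, the installer's prompts can be answered ahead of time, and the final log check can be scripted. The following is an added example, not code from the original post or from the OSSEC project: it writes etc/preloaded-vars.conf (the file OSSEC's install.sh reads for unattended installs; the variable names are OSSEC's, the values are this guide's choices) and classifies the agent state from ossec.log. The log message patterns are assumed from OSSEC 3.x wording, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project).
# Assumptions: OSSEC's install.sh honours etc/preloaded-vars.conf, and
# the agent logs "Connected to the server" / "Waiting for server reply"
# as OSSEC 3.x does; adjust the patterns if your version differs.

# Write the guide's answers: agent install, /var/ossec, syscheck and
# rootcheck enabled, active response disabled, no "press Enter" pauses.
write_preloaded_vars() {
    src_dir="$1"    # extracted ossec-hids-3.1.0 source tree
    server_ip="$2"  # OSSEC or AlienVault server the agent reports to
    cat > "$src_dir/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_AGENT_SERVER_IP="$server_ip"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="n"
EOF
}

# Classify the agent's connection state from its log file.
# Prints "connected" (exit 0) when the agent reached the server,
# "unreachable" (exit 1) when it is still retrying, which usually means
# a firewall is dropping agent-to-server traffic, and "unknown" (exit 2)
# when neither message has been logged yet (agent not started?).
agent_connection_state() {
    log="$1"
    if grep -q 'Connected to the server' "$log"; then
        echo connected; return 0
    elif grep -q 'Waiting for server reply' "$log"; then
        echo unreachable; return 1
    fi
    echo unknown; return 2
}

# Constructed sample ossec.log for a dry run (not a real capture):
# one retry warning followed by a successful connection.
write_sample_log() {
    printf '%s\n' \
      "2020/07/22 13:00:01 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'." \
      "2020/07/22 13:00:21 ossec-agentd(4102): INFO: Connected to the server (192.0.2.10:1514)." \
      > "$1"
}
```

Call write_preloaded_vars /tmp/ossec-hids-3.1.0 <server-ip> before running ./install.sh, and agent_connection_state /var/ossec/logs/ossec.log after starting the agent; a non-zero exit makes it usable from a deployment script.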

That is all. You have successfully installed the OSSEC agent on Ubuntu 18.04/CentOS 7. In our next tutorials, we will discuss how to configure OSSEC to monitor various log files and send email notifications. Stay connected.