In this guide, we are going to learn how to install and configure the OSSEC agent on Ubuntu 18.04/CentOS 7.
OSSEC is an open source host-based intrusion detection system (HIDS) that runs on multiple OS platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX.
It monitors many aspects of system activity, such as:
- file integrity monitoring
- Windows registry monitoring
- log monitoring
- process monitoring
It can also be configured to notify you of suspicious activity via alert logs or email alerts. OSSEC can be integrated with SIEM solutions such as AlienVault; you can therefore have a look at our previous article on How to Install and Configure AlienVault HIDs Agent on a Linux Host.
To install the OSSEC agent on Ubuntu 18.04/CentOS 7 or any other Linux/Unix system, ensure that you have a C compiler as well as the make utility installed. If for some reason the compiler is not installed, you can install it via:
- The distribution-specific package manager such as YUM, APT, PKG or DNF. For example:
yum install gcc        # On RHEL derivatives (CentOS 7)
apt-get install gcc    # On Debian derivatives (Ubuntu 18.04)
- Download the RPM or DEB package and install it locally. This may fail if package dependencies are not met. For example:
On RHEL derivatives (CentOS 7)
Once the download is done, install it locally by running the command;
yum localinstall gcc-4.8.5-36.el7.x86_64.rpm
On Debian Derivatives (Ubuntu 18.04)
Once the download is done, install it by running the command (the ./ prefix tells apt to install the local file rather than search the repositories);
apt install ./gcc_7.3.0-3ubuntu2_amd64.deb
You can download the compiler for a specific distribution from the GCC Download for Linux page.
Download OSSEC Agent Tarball
To download the OSSEC agent for Linux, navigate to the OSSEC download page, or simply run the command below to download it to the /tmp folder:
wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz -P /tmp
Install OSSEC Agent on Ubuntu 18.04/CentOS 7
Navigate to the /tmp folder and extract the agent tarball:
cd /tmp
tar xzf 3.1.0.tar.gz
Navigate to the agent source directory.
Launch the OSSEC agent installer:
The installer will first prompt you to select the installation language, English by default, abbreviated as [en]. Press Enter to accept the default.
The next prompt asks you to verify the type of installation. In our case, we are installing the ossec-hids agent. You can select local if it is not going to connect to a server.
Once you have chosen the type of installation, press Enter to continue. At the next prompt, press Enter to accept /var/ossec as the default install location.
Next, enter the IP address of the sensor to which the agent should forward its logs for analysis. In this case, this is your OSSEC server or AlienVault server.
Enable the system integrity check.
Enable the rootkit detection engine.
Disable active response by typing n unless you have a good understanding of the alerts you see on your server.
Press Enter to finalize the installation. If the installation is successful, you will see output like that in the screenshot below;
Connect the Agent to the Server
Now that the agent is installed, run the following command to add the server-agent connection key. You can extract the key for the specific host from the server. Enter option I, paste the key and confirm adding it. Then type Q and press Enter to exit.
Start the OSSEC Agent
Now that the server-agent key is installed, run the command below to start the OSSEC agent:
You can verify that the agent is communicating with the server by checking the OSSEC agent logs as shown below.
You should see a line stating that the agent has connected to the server. If that is not the case, check for firewall issues.
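The verification step above can be scripted so you do not have to read the log by eye. The script below is an added example, not part of this tutorial or of OSSEC itself; it assumes the default /var/ossec install root (etc/client.keys, etc/ossec.conf, logs/ossec.log) and the message texts that ossec-agentd writes, and it takes the server IP you entered during the install as its only argument.

```shell
#!/bin/sh
# Post-install health check for an OSSEC agent (added example, not from the
# tutorial). It checks the three things the steps above set up: the imported
# key, the server-ip in ossec.conf, and the "connected" line in the agent log.
# Assumed paths: /var/ossec/etc/client.keys, /var/ossec/etc/ossec.conf and
# /var/ossec/logs/ossec.log; the log patterns are those written by ossec-agentd.

# Print connected | waiting | unknown from the LAST relevant log line, so an
# early "Waiting for server reply" does not mask a later successful connection.
agent_link_status() {
    last=$(grep -e 'Connected to the server' -e 'Waiting for server reply' "$1" 2>/dev/null | tail -n 1)
    case "$last" in
        *"Connected to the server"*) echo connected ;;
        *"Waiting for server reply"*) echo waiting ;;
        *) echo unknown ;;
    esac
}

# manage_agents stores each key as "<id> <name> <ip> <hexkey>". Return 0 if at
# least one entry exists; without one the agent can never authenticate.
client_key_present() {
    [ -s "$1" ] && awk 'NF == 4 && $1 !~ /^#/ { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Extract the first <server-ip> value from ossec.conf.
configured_server_ip() {
    sed -n 's/.*<server-ip>\([^<]*\)<\/server-ip>.*/\1/p' "$1" | head -n 1
}

# Run all checks against an install root; return 0 only when every check passes.
agent_health() {
    root="$1"; want_ip="$2"; rc=0
    if client_key_present "$root/etc/client.keys"; then echo "ok   client.keys has an entry"
    else echo "FAIL client.keys is empty: import the key with manage_agents"; rc=1; fi
    have_ip=$(configured_server_ip "$root/etc/ossec.conf")
    if [ "$have_ip" = "$want_ip" ]; then echo "ok   server-ip is $have_ip"
    else echo "FAIL server-ip is '$have_ip', expected $want_ip"; rc=1; fi
    state=$(agent_link_status "$root/logs/ossec.log")
    if [ "$state" = connected ]; then echo "ok   agent log shows a server connection"
    else echo "FAIL log state is '$state': check that the agent runs and UDP 1514 reaches the server"; rc=1; fi
    return $rc
}

# Stand-alone use: sh ossec_agent_check.sh <server-ip>  (e.g. 192.0.2.10, a placeholder)
if [ "$#" -eq 1 ]; then agent_health /var/ossec "$1"; fi
```

A non-zero exit means one of the three checks failed, and the FAIL line tells you which of the install steps to revisit.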
That is all. You have successfully installed the OSSEC agent on Ubuntu 18.04/CentOS 7. In our next tutorials, we discuss how to configure OSSEC to monitor various log files and send email notifications. Stay connected.