How to Install OSSEC Agent on Solaris 11.4

|
Last Updated:
|
|
Install OSSEC Agent on Solaris

In this tutorial, we are going to learn how to install OSSEC agent on Solaris 11.4. Note that this is not an official guide but rather a documentation of the steps that I took myself in order to get OSSEC agent working on Solaris 11.4.

How to Install OSSEC Agent on Solaris 11.4

Just like we have explained in our other tutorials regarding installation of OSSEC HIDS agent on Linux hosts, OSSEC is an opensource host intrusion detection system that can be used to actively monitor all aspects of system activity including file integrity monitoring, log monitoring, rootkit detection, Windows registry monitoring and process monitoring.

Prerequisites

To install OSSEC agent on Solaris 11.4, you need to compile and build it from the source and consequently, you need have the build utilities;  gcc and make.

For the case of Solaris, GNU C compiler, gmake is used instead of the traditional make utility.

Hence before you can proceed, verify that you have these utilities installed on your system.

which gcc
which: no gcc in (/usr/bin:/usr/sbin)
which gmake
/usr/bin/gmake

As you can see above, we don’t have the GNU compiler installed. Hence run the command below to install it.

pkg install gcc

Once the installation is done, you can run the command below to verify the installed version.

gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/gcc/7/lib/gcc/x86_64-pc-solaris2.11/7.3.0/lto-wrapper
Target: x86_64-pc-solaris2.11
Configured with: /builds/ulhg/workspace/Solaris_11u4/Userland/full-build/02a-build-i386/components/gcc7/gcc-7.3.0/configure --prefix=/usr/gcc/7 --mandir=/usr/gcc/7/share/man --bindir=/usr/gcc/7/bin --sbindir=/usr/gcc/7/sbin --libdir=/usr/gcc/7/lib --infodir=/usr/gcc/7/share/info --libexecdir=/usr/gcc/7/lib --enable-languages=c,c++,fortran,objc --enable-shared --enable-initfini-array --disable-rpath --with-system-zlib --with-build-config=no --with-gmp-include=/usr/include --with-mpfr-include=/usr/include --without-gnu-ld --with-ld=/usr/bin/ld --with-gnu-as --with-as=/usr/gnu/bin/as --disable-bootstrap 'BOOT_CFLAGS=-g -O2' x86_64-pc-solaris2.11
Thread model: posix
gcc version 7.3.0 (GCC) 

Next, link the GNU C compiler to Sun C++ compiler

which gcc
/usr/bin/gcc
ln -s /usr/bin/gcc /usr/bin/cc

Now that the you have what is required to install OSSEC HIDS on Solaris 11.4, proceed as follows.

Download OSSEC Tarball

OSSEC tarball can be downloaded from the OSSEC downloads page. You can simply run the command below to download it;

Replace the value of the VER variable with the current version of OSSEC agent;

VER=3.7.0
wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz -P /tmp

Install OSSEC Agent on Solaris 11.4

Extract the Source Code

Navigate to the tarball download directory and extract OSSEC HIDS.

cd /tmp
tar xzf ${VER}.tar.gz

Update OSSEC Agent Install Script

Before you can proceed to install OSSEC agent on Solaris 11.4, you need to make a few changes on the installation files.

By default, OSSEC is set to be compiled using the traditional make utility. Since Solaris utilizes the GNU make utility,gmake,  we are going to configure OSSEC to use gmake instead so as to avoid possible misinterpretations of GNU make extensions. If you fail to do this, you may encounter such an error.


5- Installing the system
 - Running the Makefile
make: Fatal error in reader: Makefile, line 3: Unexpected end of line seen

 Error 0x5.
 Building error. Unable to finish the installation.

Thus, navigate to OSSEC source directory and edit the install.sh script.

cd ossec-hids-3.7.0/
vi install.sh

Replace the value of MAKEBIN=make on the install() section to MAKEBIN=gmake.


##########
# install()
##########
Install()
{
    echo ""
    echo "5- ${installing}"

    echo "DIR=\"${INSTALLDIR}\"" > ${LOCATION}

    # Changing Config.OS with the new C flags
    # Checking if debug is enabled
    if [ "X${SET_DEBUG}" = "Xdebug" ]; then
        CEXTRA="${CEXTRA} -DDEBUGAD"
    fi

    echo "CEXTRA=${CEXTRA}" >> ./src/Config.OS

    #MAKEBIN=make
    MAKEBIN=gmake
    ## Find make/gmake
...

Save and exit the file.

Similarly, you may encounter issues with PCRE;


5- Installing the system
 - Running the Makefile
cc -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DSunOS -DSOLARIS -DHIGHFIRST -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBOPENSSL_ENABLED -DCLIENT -Wall -Wextra -I./ -I./headers/ -I./client-agent   -DARGV0=\"ossec-agentd\" -c client-agent/notify.c -o client-agent/notify.o
In file included from ./headers/shared.h:215:0,
                 from client-agent/notify.c:10:
./os_regex/os_regex.h:19:10: fatal error: pcre2.h: No such file or directory
 #include <pcre2.h>
          ^~~~~~~~~
compilation terminated.
gmake: *** [Makefile:1015: client-agent/notify.o] Error 1

 Error 0x5.
 Building error. Unable to finish the installation.

To fix this on Solaris;

  • Download PCRE source code;

You can find out which PCRE version the agent is using as follows;

grep EXTERNAL_PCRE2= /tmp/ossec-hids-3.7.0/src/Makefile

Sample output;

EXTERNAL_PCRE2=external/pcre2-10.32/

As you can see, OSSEC agent 3.7.0 requires PCRE 10.32;

You can download from Github repository as follows;

wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.32/pcre2-10.32.tar.gz
  • Extract it;
tar xzf pcre2-10.32.tar.gz
  • Move the extracted source to OSSEC src/external directory.
mv pcre2-10.32 /tmp/ossec-hids-3.7.0/src/external/
  • Next, edit the file
vim src/Makefile

and change the line;

PCRE2_SYSTEM?=yes

to;

PCRE2_SYSTEM?=no

Save and exit.

Install OSSEC Agent on Solaris 11.4

After making the above changes, launch the OSSEC installer script.

./install.sh
...
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]

Press Enter to accept English as the installation language. Press Enter again to proceed with installation.

Choose the kind of installation;

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

Set the default installation environment. Press Enter to accept the default.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: press ENTER

    - Installation will be made at  /var/ossec .

Set the OSSEC server IP address.

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.101

   - Adding Server IP 192.168.43.101

Enable system integrity check and rootkit detection

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

Disable active response unless you have a clear understanding of what to be alerted on.

  3.4 - Do you want to enable active response? (y/n) [y]: n

   - Active response disabled.

The press ENTER to proceed with installation.

After that press enter to finalize on the installation. If everything goes well, you should see an output confirming the proper installation of OSSEC agent on Solaris 11.4


...
 - System is Solaris (SunOS).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at https://github.com/ossec/ossec-hids or using
    our public maillist at  
    https://groups.google.com/forum/#!forum/ossec-list

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---
    


 - You first need to add this agent to the server so they 
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the 
   authentication key from the server.
   
   /var/ossec/bin/manage_agents

   More information at: 
   http://www.ossec.net/docs/docs/programs/manage_agents.html

Hurray!! You have successfully install OSSEC agent on Solaris 11.4.

The OSSEC HIDS agent configuration files are now located under /var/ossec/.

ls -1 /var/ossec/

active-response
agentless
bin
etc
logs
queue
tmp
usr
var

Register and Import OSSEC Agent

Import the Agent Key from the server, be it OSSEC server or AlienVault USM.

/var/ossec/bin/manage_agents

You can obtain help on various command options for manage_agents command;

/var/ossec/bin/manage_agents -h

...
  manage_agents: -[Vhlj] [-a <ip> -n <name>] [-d sec] [-e id] [-r id] [-i id] [-f file]
    -V          Version and license message
    -h          This help message
    -j          Use JSON output
    -l          List available agents.
    -a <ip>     Add new agent
    -e <id>     Extracts key for an agent (Manager only)
    -r <id>     Remove an agent (Manager only)
    -i <id>     Import authentication key (Agent only)
    -n <name>   Name for new agent
    -F <sec>    Remove agents with duplicated IP if disconnected since <sec> seconds
    -f <file>   Bulk generate client keys from file (Manager only)
                <file> contains lines in IP,NAME format
                <file> should also exist within /var/ossec due to manage_agents chrooting

Running OSSEC agent on Solaris 11

After you have imported and connected the agent to OSSEC server, start the OSSEC agent

/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.7.0...
Started ossec-execd...
2023/05/30 18:05:57 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.

Happy monitoring!!

That concludes our guide on how to Install OSSEC Agent on Solaris 11.4.

Other Tutorials

How to install OSSEC agent on Ubuntu/Debian/CentOS