How to Install OSSEC Agent on Solaris 11.4


In this tutorial, we are going to learn how to install and configure OSSEC agent on Solaris 11.4. Note that this is not an official guide but rather a documentation of the steps that I took myself in order to get OSSEC agent working on Solaris 11.4.

As explained in our other tutorials on installing the OSSEC HIDS agent on Linux hosts, OSSEC is an open-source host-based intrusion detection system that can actively monitor all aspects of system activity, including file integrity monitoring, log monitoring, rootkit detection, Windows registry monitoring and process monitoring.

Prerequisites

Installation of OSSEC HIDS involves compilation, so you need the build utilities: a C compiler (gcc) and make. On Solaris, the GNU C compiler is used together with GNU make, gmake, instead of the traditional make utility.

Hence, before you proceed, verify that these utilities are installed on your system.

which gcc
which: no gcc in (/usr/bin:/usr/sbin)
which gmake
/usr/bin/gmake

As you can see above, we don’t have the GNU compiler installed. Hence run the command below to install it.

pkg install gcc

Once the installation is done, you can run the command below to verify the installed version.

gcc -v
...
gcc version 7.3.0 (GCC)

Next, link the GNU C compiler to the Sun C compiler name, cc, so that builds expecting cc find gcc at /usr/bin/cc.

which gcc
/usr/bin/gcc
ln -s /usr/bin/gcc /usr/bin/cc

Now that you have what is required to install OSSEC HIDS on Solaris 11.4, proceed as follows.

Download OSSEC Tarball

The OSSEC tarball can be downloaded from the OSSEC downloads page. You can simply run the command below to download it;

wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz -P /tmp

Install OSSEC Agent on Solaris 11.4

Navigate to the tarball download directory and extract OSSEC HIDS.

cd /tmp
tar xzf 3.1.0.tar.gz

Before you can proceed to install the OSSEC agent on Solaris 11.4, you need to make a few changes to the installation files.

By default, OSSEC is set to be compiled using the traditional make utility. Since Solaris uses the GNU make utility, gmake, we are going to configure OSSEC to use gmake instead, so as to avoid possible misinterpretation of GNU make extensions by the Sun make. If you fail to do this, you may encounter an error such as the one below.

...
5- Installing the system
 - Running the Makefile
make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen

 Error 0x5.
 Building error. Unable to finish the installation.

Navigate to the OSSEC source directory and edit the install.sh script, replacing MAKEBIN=make on line 78 with MAKEBIN=gmake.

...
    echo "CEXTRA=${CEXTRA}" >> ./src/Config.OS

    #MAKEBIN=make
    MAKEBIN=gmake
    ## Find make/gmake
    if [ "X$NUNAME" = "XOpenBSD" ]; then
        MAKEBIN=gmake
    fi
    if [ "X$NUNAME" = "XFreeBSD" ]; then
        MAKEBIN=gmake
    fi
...

Next, you need to fix the communication socket function in the source, which otherwise fails to compile on Solaris. Under the OSSEC source directory, edit the file src/os_net/os_net.c and, in the getnameinfo call under the comment "BSD systems require the value in sa->sa_len or error 4 occurs", replace sa->sa_len with sizeof (sa).

...
#endif
/* BSD systems require the value in sa->sa_len or error 4 occurs */
    rc = getnameinfo ((struct sockaddr *) sa, sizeof (sa), ipaddr,
                      sizeof (ipaddr), ipport, sizeof (ipport),
                      NI_NUMERICHOST | NI_NUMERICSERV);

#endif
...

What prompted me to make this change is the following error that I got while compiling OSSEC.

...
CC os_net/os_net.o
os_net/os_net.c: In function ‘OS_DecodeSockaddr’:
os_net/os_net.c:738:49: error: ‘struct sockaddr’ has no member named ‘sa_len’
     rc = getnameinfo ((struct sockaddr *) sa, sa->sa_len, ipaddr,
                                                 ^~
gmake: *** [Makefile:762: os_net/os_net.o] Error 1

 Error 0x5.
 Building error. Unable to finish the installation.
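The reason the build breaks here is that struct sockaddr has no sa_len member outside BSD, so the address length has to come from somewhere else; note also that sizeof applied to a pointer yields the pointer's size, not the address length. The following is an added example, not code from the OSSEC source or from this post, showing the portable way to obtain that length from the address family (sockaddr_len, decode_sockaddr and decode_sample are hypothetical names; the port 1514 in the sample is a constructed value):

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* BSD keeps an address's length in sa->sa_len; Solaris and Linux do not,
 * so derive it from the address family. Returns 0 for unknown families. */
socklen_t sockaddr_len(sa_family_t family)
{
    switch (family) {
    case AF_INET:  return (socklen_t)sizeof(struct sockaddr_in);
    case AF_INET6: return (socklen_t)sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* Numeric host/port decode, the job OS_DecodeSockaddr does in OSSEC.
 * Returns 0 on success or the non-zero getnameinfo() status. */
int decode_sockaddr(const struct sockaddr *sa, char *ipaddr, size_t ipaddr_sz,
                    char *ipport, size_t ipport_sz)
{
    socklen_t len = sockaddr_len(sa->sa_family);
    if (len == 0)
        return EAI_FAMILY;   /* refuse rather than pass a guessed length */
    return getnameinfo(sa, len, ipaddr, (socklen_t)ipaddr_sz,
                       ipport, (socklen_t)ipport_sz,
                       NI_NUMERICHOST | NI_NUMERICSERV);
}

/* Constructed IPv4 sample: the tutorial's server address and a made-up
 * port. Returns "host:port" in a static buffer, or NULL on failure. */
const char *decode_sample(void)
{
    static char out[80];
    char host[64], port[16];
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(1514);
    inet_pton(AF_INET, "192.168.43.101", &sin.sin_addr);
    if (decode_sockaddr((struct sockaddr *)&sin, host, sizeof host,
                        port, sizeof port) != 0)
        return NULL;
    snprintf(out, sizeof out, "%s:%s", host, port);   /* 192.168.43.101:1514 */
    return out;
}
```

Calling decode_sample() from a main() of your own returns the decoded string, and the same sockaddr_len logic works for IPv6 addresses.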

After making the above changes, launch the OSSEC installer script.

./install.sh 
...
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:

Press Enter to accept English as the installation language. Press Enter again to proceed with installation.

Choose the kind of installation;

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

Set the default installation environment. Press Enter to accept the default.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: press ENTER

    - Installation will be made at  /var/ossec .

Set the OSSEC server IP address.

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.101

   - Adding Server IP 192.168.43.101

Enable the system integrity check and rootkit detection.

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

Disable active response unless you have a clear understanding of what you want to be alerted on and acted upon.

  3.4 - Do you want to enable active response? (y/n) [y]: n

   - Active response disabled.

After that, press Enter to finalize the installation. If everything goes well, you should see output confirming the proper installation of the OSSEC agent on Solaris 11.4.

...
 - System is Solaris (SunOS).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
...

Hurray!! You have successfully installed the OSSEC agent on Solaris 11.4. The OSSEC HIDS agent configuration files are now located under /var/ossec/.

ls /var/ossec/
active-response  etc              queue            var
agentless        logs             tmp
bin              lua              usr

Import the agent key from the server, be it an OSSEC server or AlienVault USM, using the manage_agents utility.

/var/ossec/bin/manage_agents

After that, start the OSSEC agent.

/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-execd...
2018/12/12 23:58:41 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.

Happy monitoring!!