How to Install OSSEC Agent on Solaris 11.4


In this tutorial, we are going to learn how to install the OSSEC agent on Solaris 11.4. Note that this is not an official guide but rather documentation of the steps that I took myself in order to get the OSSEC agent working on Solaris 11.4.

Installing OSSEC Agent on Solaris 11.4

Just like we have explained in our other tutorials on installing the OSSEC HIDS agent on Linux hosts, OSSEC is an open-source host intrusion detection system that can be used to actively monitor all aspects of system activity, including file integrity monitoring, log monitoring, rootkit detection, Windows registry monitoring and process monitoring.

Prerequisites

To install the OSSEC agent on Solaris 11.4, you need to compile and build it from source, so you need to have the build utilities gcc and make.

On Solaris, GNU make (gmake) is used instead of the traditional make utility.

Hence, before you proceed, verify that you have these utilities installed on your system.

which gcc
which: no gcc in (/usr/bin:/usr/sbin)
which gmake
/usr/bin/gmake

As you can see above, the GNU compiler is not installed. Hence, run the command below to install it.

pkg install gcc

Once the installation is done, you can run the command below to verify the installed version.

gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/gcc/7/lib/gcc/x86_64-pc-solaris2.11/7.3.0/lto-wrapper
Target: x86_64-pc-solaris2.11
Configured with: /builds/ulhg/workspace/Solaris_11u4/Userland/full-build/02a-build-i386/components/gcc7/gcc-7.3.0/configure --prefix=/usr/gcc/7 --mandir=/usr/gcc/7/share/man --bindir=/usr/gcc/7/bin --sbindir=/usr/gcc/7/sbin --libdir=/usr/gcc/7/lib --infodir=/usr/gcc/7/share/info --libexecdir=/usr/gcc/7/lib --enable-languages=c,c++,fortran,objc --enable-shared --enable-initfini-array --disable-rpath --with-system-zlib --with-build-config=no --with-gmp-include=/usr/include --with-mpfr-include=/usr/include --without-gnu-ld --with-ld=/usr/bin/ld --with-gnu-as --with-as=/usr/gnu/bin/as --disable-bootstrap 'BOOT_CFLAGS=-g -O2' x86_64-pc-solaris2.11
Thread model: posix
gcc version 7.3.0 (GCC) 

Next, create a cc symlink that points at the GNU C compiler, since the OSSEC build invokes the compiler as cc:

which gcc
/usr/bin/gcc
ln -s /usr/bin/gcc /usr/bin/cc

Now that you have what is required to install OSSEC HIDS on Solaris 11.4, proceed as follows.

Download OSSEC Tarball

The OSSEC tarball can be downloaded from the OSSEC downloads page. You can simply run the command below to download it.

Replace the value of the VER variable with the current version of the OSSEC agent:

VER=3.7.0
wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz -P /tmp

Install OSSEC Agent on Solaris 11.4

Extract the Source Code

Navigate to the tarball download directory and extract OSSEC HIDS.

cd /tmp
tar xzf ${VER}.tar.gz

Update OSSEC Agent Install Script

Before you can proceed to install the OSSEC agent on Solaris 11.4, you need to make a few changes to the installation files.

By default, OSSEC is set to be compiled using the traditional make utility. Since Solaris provides the GNU make utility as gmake, we are going to configure OSSEC to use gmake instead, so as to avoid the Solaris make misinterpreting GNU make extensions. If you fail to do this, you may encounter an error such as the following:

5- Installing the system
 - Running the Makefile
make: Fatal error in reader: Makefile, line 3: Unexpected end of line seen

 Error 0x5.
 Building error. Unable to finish the installation.

Thus, navigate to the OSSEC source directory and edit the install.sh script.

cd ossec-hids-3.7.0/
vi install.sh

In the Install() function, change MAKEBIN=make to MAKEBIN=gmake:

##########
# install()
##########
Install()
{
    echo ""
    echo "5- ${installing}"

    echo "DIR=\"${INSTALLDIR}\"" > ${LOCATION}

    # Changing Config.OS with the new C flags
    # Checking if debug is enabled
    if [ "X${SET_DEBUG}" = "Xdebug" ]; then
        CEXTRA="${CEXTRA} -DDEBUGAD"
    fi

    echo "CEXTRA=${CEXTRA}" >> ./src/Config.OS

    #MAKEBIN=make
    MAKEBIN=gmake
    ## Find make/gmake
...

Save and exit the file.

Similarly, you may hit a build error because the PCRE2 headers cannot be found:

5- Installing the system
 - Running the Makefile
cc -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DSunOS -DSOLARIS -DHIGHFIRST -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBOPENSSL_ENABLED -DCLIENT -Wall -Wextra -I./ -I./headers/ -I./client-agent   -DARGV0=\"ossec-agentd\" -c client-agent/notify.c -o client-agent/notify.o
In file included from ./headers/shared.h:215:0,
                 from client-agent/notify.c:10:
./os_regex/os_regex.h:19:10: fatal error: pcre2.h: No such file or directory
 #include <pcre2.h>
          ^~~~~~~~~
compilation terminated.
gmake: *** [Makefile:1015: client-agent/notify.o] Error 1

 Error 0x5.
 Building error. Unable to finish the installation.

To fix this on Solaris, bundle the PCRE2 source with the OSSEC source as follows.

  • Find out which PCRE2 version the agent expects:

grep EXTERNAL_PCRE2= /tmp/ossec-hids-3.7.0/src/Makefile

Sample output:

EXTERNAL_PCRE2=external/pcre2-10.32/

As you can see, OSSEC agent 3.7.0 requires PCRE2 10.32.

  • Download that release from the PCRE2 GitHub repository:

wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.32/pcre2-10.32.tar.gz

  • Extract it:

tar xzf pcre2-10.32.tar.gz

  • Move the extracted source into the OSSEC src/external directory:

mv pcre2-10.32 /tmp/ossec-hids-3.7.0/src/external/

  • Next, edit the Makefile:

vim src/Makefile

and change the line

PCRE2_SYSTEM?=yes

to

PCRE2_SYSTEM?=no

Save and exit.
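The two hand edits above (MAKEBIN in install.sh and PCRE2_SYSTEM in src/Makefile), plus a check that the PCRE2 source named by EXTERNAL_PCRE2 was really moved into src/external/, can be scripted so the patching is repeatable. This is an added example, not part of the tutorial or of the OSSEC project; the function names and the miniature fixture tree are my own constructions.

```shell
#!/bin/sh
# Apply the tutorial's two source edits to an extracted OSSEC tree
# (install.sh: MAKEBIN=make -> gmake; src/Makefile: PCRE2_SYSTEM?=yes -> no)
# and verify the bundled PCRE2 directory named by EXTERNAL_PCRE2 is present.
# Writes via a temp file + mv because Solaris /usr/bin/sed has no -i.

# Rewrite file $1 in place, substituting BRE $2 with $3.
sed_inplace() {
    tmp="$1.tmp.$$"
    sed "s|$2|$3|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Patch an OSSEC source tree at $1; returns 1 if it does not look like one.
patch_ossec_for_solaris() {
    [ -f "$1/install.sh" ] && [ -f "$1/src/Makefile" ] || return 1
    sed_inplace "$1/install.sh" '^\([[:space:]]*\)MAKEBIN=make$' '\1MAKEBIN=gmake' &&
    sed_inplace "$1/src/Makefile" '^PCRE2_SYSTEM?=yes$' 'PCRE2_SYSTEM?=no'
}

# Returns 0 once both edits are present (sanity / idempotency check).
is_patched() {
    grep -q '^[[:space:]]*MAKEBIN=gmake$' "$1/install.sh" &&
    grep -q '^PCRE2_SYSTEM?=no$' "$1/src/Makefile"
}

# Print the PCRE2 directory src/Makefile expects, e.g. external/pcre2-10.32
expected_pcre2_dir() {
    sed -n 's|^EXTERNAL_PCRE2=||p' "$1/src/Makefile" | sed 's|/*$||'
}

# Returns 0 if that directory exists under src/, i.e. the tarball was moved in.
pcre2_vendored() {
    dir=$(expected_pcre2_dir "$1")
    [ -n "$dir" ] && [ -d "$1/src/$dir" ]
}

# Constructed miniature tree with only the lines the functions touch (not real OSSEC source).
make_fixture() {
    mkdir -p "$1/src/external/pcre2-10.32"
    printf 'Install()\n{\n    #MAKEBIN=make\n    MAKEBIN=make\n    ## Find make/gmake\n}\n' > "$1/install.sh"
    printf 'EXTERNAL_PCRE2=external/pcre2-10.32/\nPCRE2_SYSTEM?=yes\n' > "$1/src/Makefile"
}

# Usage on a real tree: sh patch-ossec.sh /tmp/ossec-hids-3.7.0
if [ -n "$1" ]; then
    patch_ossec_for_solaris "$1" && is_patched "$1" && echo "patched $1"
    pcre2_vendored "$1" || echo "warning: $(expected_pcre2_dir "$1") missing under $1/src"
fi
```

Run it before ./install.sh; if it prints the warning, the PCRE2 tarball has not been extracted into src/external/ yet and the build will fail as shown above.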

Install OSSEC Agent on Solaris 11.4

After making the above changes, launch the OSSEC installer script.

./install.sh
...
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]

Press Enter to accept English as the installation language. Press Enter again to proceed with installation.

Choose the kind of installation:

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

Set the installation directory. Press Enter to accept the default.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: press ENTER

    - Installation will be made at  /var/ossec .

Set the OSSEC server IP address or hostname.

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.101

   - Adding Server IP 192.168.43.101

Enable the system integrity check and rootkit detection:

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

Disable active response unless you clearly understand which alerts it would react to automatically.

  3.4 - Do you want to enable active response? (y/n) [y]: n

   - Active response disabled.

Then press ENTER to proceed with the installation.

After that, press Enter to finalize the installation. If everything goes well, you should see output confirming the proper installation of the OSSEC agent on Solaris 11.4:

...
 - System is Solaris (SunOS).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at https://github.com/ossec/ossec-hids or using
    our public maillist at  
    https://groups.google.com/forum/#!forum/ossec-list

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---
    


 - You first need to add this agent to the server so they 
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the 
   authentication key from the server.
   
   /var/ossec/bin/manage_agents

   More information at: 
   http://www.ossec.net/docs/docs/programs/manage_agents.html

Hurray!! You have successfully installed the OSSEC agent on Solaris 11.4.

The OSSEC HIDS agent configuration files are now located under /var/ossec/.

ls -1 /var/ossec/

active-response
agentless
bin
etc
logs
queue
tmp
usr
var

Register the Agent and Import Its Key

Import the agent key generated on the server, whether that is an OSSEC server or AlienVault USM:

/var/ossec/bin/manage_agents

You can view the available manage_agents command options with:

/var/ossec/bin/manage_agents -h

...
  manage_agents: -[Vhlj] [-a <ip> -n <name>] [-d sec] [-e id] [-r id] [-i id] [-f file]
    -V          Version and license message
    -h          This help message
    -j          Use JSON output
    -l          List available agents.
    -a <ip>     Add new agent
    -e <id>     Extracts key for an agent (Manager only)
    -r <id>     Remove an agent (Manager only)
    -i <id>     Import authentication key (Agent only)
    -n <name>   Name for new agent
    -F <sec>    Remove agents with duplicated IP if disconnected since <sec> seconds
    -f <file>   Bulk generate client keys from file (Manager only)
                <file> contains lines in IP,NAME format
                <file> should also exist within /var/ossec due to manage_agents chrooting

Running the OSSEC Agent on Solaris 11.4

After the agent has been registered on the OSSEC server and its key imported, start the OSSEC agent:

/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.7.0...
Started ossec-execd...
2023/05/30 18:05:57 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.

Happy monitoring!!
