Last updated on January 2nd, 2019 at 04:28 pm
In this tutorial, we are going to learn how to install and configure the OSSEC agent on Solaris 11.4. Note that this is not an official guide but rather documentation of the steps that I took myself to get the OSSEC agent working on Solaris 11.4.
As explained in our other tutorials on installing the OSSEC HIDS agent on Linux hosts, OSSEC is an open source host-based intrusion detection system that actively monitors many aspects of system activity, including file integrity monitoring, log monitoring, rootkit detection, Windows registry monitoring and process monitoring.
Prerequisites
Installation of OSSEC HIDS involves compilation, so you need to have the build utilities gcc and make. On Solaris, the GNU make utility, gmake, is used instead of the traditional make utility.
Hence, before you proceed, verify that these utilities are installed on your system.
which gcc
which: no gcc in (/usr/bin:/usr/sbin)
which gmake
/usr/bin/gmake
As you can see above, we don't have the GNU compiler installed. Hence, run the command below to install it.
pkg install gcc
Once the installation is done, you can run the command below to verify the installed version.
gcc -v
...
gcc version 7.3.0 (GCC)
Next, link the GNU C compiler to the cc name used by the Sun C++ compiler, so that build scripts invoking cc pick up gcc.
which gcc
/usr/bin/gcc
ln -s /usr/bin/gcc /usr/bin/cc
Now that you have what is required to install OSSEC HIDS on Solaris 11.4, proceed as follows.
Download OSSEC Tarball
The OSSEC tarball can be downloaded from the OSSEC downloads page. You can simply run the command below to download it:
wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz -P /tmp
Install OSSEC Agent on Solaris 11.4
Navigate to the tarball download directory and extract OSSEC HIDS.
cd /tmp
tar xzf 3.1.0.tar.gz
Before you can proceed to install the OSSEC agent on Solaris 11.4, you need to make a few changes to the installation files.
By default, OSSEC is set to be compiled using the traditional make utility. Since Solaris uses the GNU make utility, gmake, we are going to configure OSSEC to use gmake instead so as to avoid possible misinterpretation of GNU make extensions. If you fail to do this, you may encounter an error such as the one below.
...
5- Installing the system
 - Running the Makefile
make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen
Error 0x5.
Building error.
Unable to finish the installation.
Navigate to the OSSEC source directory and edit the install.sh script, replacing the value MAKEBIN=make on line 78 with MAKEBIN=gmake.
...
echo "CEXTRA=${CEXTRA}" >> ./src/Config.OS
#MAKEBIN=make
MAKEBIN=gmake
## Find make/gmake
if [ "X$NUNAME" = "XOpenBSD" ]; then
    MAKEBIN=gmake
fi
if [ "X$NUNAME" = "XFreeBSD" ]; then
    MAKEBIN=gmake
fi
...
Next, you need to sort out a socket address issue that breaks the build. Under the OSSEC source directory, edit the file src/os_net/os_net.c and replace sa->sa_len with sizeof (sa) in the getnameinfo call below the comment "BSD systems require the value in sa->sa_len or error 4 occurs".
...
#endif
    /* BSD systems require the value in sa->sa_len or error 4 occurs */
    rc = getnameinfo ((struct sockaddr *) sa, sizeof (sa), ipaddr, sizeof (ipaddr),
                      ipport, sizeof (ipport), NI_NUMERICHOST | NI_NUMERICSERV);
#endif
...
What prompted me to make this change is the following error that I got while compiling OSSEC.
...
CC os_net/os_net.o
os_net/os_net.c: In function 'OS_DecodeSockaddr':
os_net/os_net.c:738:49: error: 'struct sockaddr' has no member named 'sa_len'
     rc = getnameinfo ((struct sockaddr *) sa, sa->sa_len, ipaddr,
                                                 ^~
gmake: *** [Makefile:762: os_net/os_net.o] Error 1
Error 0x5.
Building error.
Unable to finish the installation.
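To make the two source edits above repeatable, and to confirm that each one actually took effect before running the installer, here is a small POSIX shell script I would use instead of editing by hand. It is an added example, not part of the original tutorial or of the OSSEC project. It assumes the tarball was extracted to /tmp/ossec-hids-3.1.0 (the directory a GitHub archive of tag 3.1.0 unpacks to); set OSSEC_SRC if your path differs. With OSSEC_SRC unset it only rehearses the edits against constructed sample fragments of install.sh and os_net.c embedded in the script, which is a cheap way to check the sed expressions before touching the real tree. The sa_len check looks for the exact spacing shown in the compiler error above, so adjust it if your copy of os_net.c is formatted differently.

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project): apply the two
# source edits from the tutorial with sed and verify that each one took effect.
# Assumption: the tarball was extracted to /tmp/ossec-hids-3.1.0; override with
# OSSEC_SRC=/path/to/source. With OSSEC_SRC unset the script only rehearses the
# edits on constructed sample fragments written to a temporary directory.

# Solaris /usr/bin/sed has no -i option, so edit via a temp file and only
# replace the original when sed succeeded.
sed_inplace() {
    expr="$1"; file="$2"; tmp="$file.tmp.$$"
    sed "$expr" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Edit 1: install.sh must drive the build with gmake instead of make.
patch_makebin() {
    sed_inplace 's/^MAKEBIN=make$/MAKEBIN=gmake/' "$1"
}
makebin_is_gmake() {
    grep -q '^MAKEBIN=gmake$' "$1"
}

# Edit 2: Solaris' struct sockaddr has no sa_len member, so the getnameinfo()
# call in src/os_net/os_net.c uses sizeof (sa) instead. The substitution is
# limited to the getnameinfo line so the explanatory comment above it, which
# also mentions sa->sa_len, is left untouched.
patch_sa_len() {
    sed_inplace '/getnameinfo/s/sa->sa_len/sizeof (sa)/' "$1"
}
sa_len_fixed() {
    grep -q 'getnameinfo ((struct sockaddr \*) sa, sizeof (sa)' "$1" &&
    ! grep -v '/\*' "$1" | grep -q 'sa->sa_len'
}

# Prerequisite check from the tutorial: both gcc and gmake must be on PATH.
check_build_tools() {
    for t in gcc gmake; do
        command -v "$t" > /dev/null 2>&1 ||
            { echo "missing $t (try: pkg install gcc)" >&2; return 1; }
    done
}

# Constructed sample fragments mirroring the lines the tutorial shows; they are
# not the real files and exist only so the edits can be rehearsed offline.
make_sample_tree() {
    mkdir -p "$1/src/os_net"
    cat > "$1/install.sh" <<'EOF'
echo "CEXTRA=${CEXTRA}" >> ./src/Config.OS
MAKEBIN=make
## Find make/gmake
if [ "X$NUNAME" = "XOpenBSD" ]; then
    MAKEBIN=gmake
fi
EOF
    cat > "$1/src/os_net/os_net.c" <<'EOF'
#endif
    /* BSD systems require the value in sa->sa_len or error 4 occurs */
    rc = getnameinfo ((struct sockaddr *) sa, sa->sa_len, ipaddr,
                      sizeof (ipaddr), ipport, sizeof (ipport),
                      NI_NUMERICHOST | NI_NUMERICSERV);
#endif
EOF
}

# Apply both edits to a source tree and verify them; non-zero on any failure.
patch_tree() {
    patch_makebin "$1/install.sh" && makebin_is_gmake "$1/install.sh" &&
    patch_sa_len "$1/src/os_net/os_net.c" && sa_len_fixed "$1/src/os_net/os_net.c"
}

if [ -n "$OSSEC_SRC" ]; then
    check_build_tools && patch_tree "$OSSEC_SRC" &&
        echo "patched $OSSEC_SRC; run ./install.sh next"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    patch_tree "$sample" && echo "rehearsal OK in $sample"
fi
```

Run it once without OSSEC_SRC to see the rehearsal pass, then as OSSEC_SRC=/tmp/ossec-hids-3.1.0 sh patch_ossec_solaris.sh against the real tree; a non-zero exit means one of the two edits did not apply or did not verify, and you should inspect the file before launching install.sh.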
After making the above changes, launch the OSSEC installer script.
./install.sh
...
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
Press Enter to accept English as the installation language. Press Enter again to proceed with installation.
Choose the kind of installation:
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
  - Agent(client) installation chosen.
Set the default installation environment. Press Enter to accept the default.
2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: press ENTER
    - Installation will be made at /var/ossec .
Set the OSSEC server IP address.
3- Configuring the OSSEC HIDS.
  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.101
   - Adding Server IP 192.168.43.101
Enable the system integrity check and rootkit detection.
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
   - Running rootcheck (rootkit detection).
Disable active response unless you clearly understand which alerts it will act on and what actions it will take on this host.
  3.4 - Do you want to enable active response? (y/n) [y]: n
   - Active response disabled.
After that, press Enter to finalize the installation. If everything goes well, you should see output confirming that the OSSEC agent was installed properly on Solaris 11.4.
...
- System is Solaris (SunOS).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
...
Hurray!! You have successfully installed the OSSEC agent on Solaris 11.4. The OSSEC HIDS agent configuration files are now located under /var/ossec/.
ls /var/ossec/
active-response  etc   queue  var
agentless        logs  tmp
bin              lua   usr
Import the agent key from the server, be it an OSSEC server or AlienVault USM.
/var/ossec/bin/manage_agents
After that, start the OSSEC agent.
/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-execd...
2018/12/12 23:58:41 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.
Happy monitoring!!