Install OSSEC Agent on Debian 10 Buster


In this guide, we are going to learn how to install the OSSEC agent on Debian 10 Buster. OSSEC is an open source host intrusion detection system (HIDS) that can be used to perform log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

OSSEC is built on a server-agent model. This means that to monitor systems with OSSEC, you need an OSSEC server and an agent installed on each server you want to monitor. Alternatively, you can use agentless monitoring, in which case you do not need to install any agents on the endpoints being monitored.


Prerequisites

To begin with, run system update.

apt update
apt upgrade

Before you can go ahead and install the OSSEC agent, there are some package dependencies that are required. Run the command below to install them.

apt install inotify-tools gcc zlib1g-dev

Download OSSEC Tarball

Navigate to the OSSEC downloads page and download the OSSEC tarball. You can simply copy the download link and use wget as shown below;

wget https://github.com/ossec/ossec-hids/archive/3.3.0.tar.gz

Next, download the GPG signature for the OSSEC tarball so you can verify its integrity.

wget https://github.com/ossec/ossec-hids/releases/download/3.3.0/ossec-hids-3.3.0.tar.gz.asc

Once the download is complete, import the package signing key.

wget https://www.atomicorp.com/OSSEC-ARCHIVE-KEY.asc
gpg --import OSSEC-ARCHIVE-KEY.asc

Run the verification;

gpg --verify ossec-hids-3.3.0.tar.gz.asc 3.3.0.tar.gz
gpg: Signature made Fri 19 Apr 2019 02:44:23 PM EDT
gpg:                using RSA key EE1B0E6B2D8387B7
gpg: Good signature from "Scott R. Shinn <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B50F B194 7A0A E311 45D0  5FAD EE1B 0E6B 2D83 87B7

If the signature is good, proceed with installation.
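Note that gpg still prints "Good signature" when the signing key is untrusted, as the WARNING above shows. The following added script (not part of the original guide) takes the fingerprint from the gpg output above and refuses the tarball unless the machine-readable VALIDSIG status line carries that exact primary-key fingerprint; the file names and the sample status text are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify the OSSEC tarball
# signature and pin the signer to the fingerprint the guide's gpg run shows.
# gpg prints "Good signature" even for an untrusted key, so this parses the
# machine-readable --status-fd output and compares the primary-key
# fingerprint from the VALIDSIG line instead of trusting the prose.

# Fingerprint of the OSSEC archive key, as printed in the guide.
OSSEC_FPR="B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7"

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Succeeds only if STATUS_TEXT has a VALIDSIG line whose last field
# (the primary key fingerprint) equals EXPECTED_FPR.
check_gpg_status() {
    primary=$(printf '%s\n' "$1" \
        | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }')
    [ -n "$primary" ] && [ "$primary" = "$2" ]
}

# verify_tarball SIGNATURE TARBALL
# Runs gpg on the real files and applies the fingerprint check.
verify_tarball() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_gpg_status "$status" "$OSSEC_FPR"
}

# Constructed status output in the shape gpg emits for a good signature;
# the numeric fields after the date are illustrative.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EE1B0E6B2D8387B7 Scott R. Shinn
[GNUPG:] VALIDSIG B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7 2019-04-19 1555699463 0 4 0 1 8 00 B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7'

# Usage: sh verify.sh ossec-hids-3.3.0.tar.gz.asc 3.3.0.tar.gz
if [ $# -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "signature good and signer fingerprint matches"
    else
        echo "verification FAILED: do not install this tarball" >&2
        exit 1
    fi
fi
```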

Install OSSEC Agent on Debian 10 Buster

Extract the OSSEC tarball.

tar xzf 3.3.0.tar.gz -C /tmp/

As another prerequisite, OSSEC 3.3.0 has been updated to use PCRE2 regular expressions, so the build expects the PCRE2 source to be present. You can satisfy this by downloading PCRE2 and placing it in the OSSEC source tree as shown below.

wget https://ftp.pcre.org/pub/pcre/pcre2-10.32.tar.gz
tar zxf pcre2-10.32.tar.gz -C /tmp/ossec-hids-3.3.0/src/external/

If you skip this step, you may encounter the error;

/bin/sh: 1: cd: can't cd to external/pcre2-10.32/

Next, navigate to the extracted source directory and run the OSSEC install.sh script to install the OSSEC agent.

cd /tmp/ossec-hids-3.3.0/
./install.sh

When the script runs, you are prompted to choose the installation language. You can simply press ENTER to choose English.

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

Next, you are prompted for the type of installation. Since we are setting up an OSSEC agent, type agent.

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

Choose the OSSEC HIDS install directory. This is /var/ossec by default. You can press ENTER to accept the default directory.

2- Setting up the installation environment.
 Choose where to install the OSSEC HIDS [/var/ossec]: ENTER

Set the IP address or hostname of the OSSEC server.

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.62

   - Adding Server IP 192.168.43.62

Enable the system integrity check and rootkit detection.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 

   - Running rootcheck (rootkit detection).

Choose whether to enable active response. It is disabled in this guide.

3.4 - Do you want to enable active response? (y/n) [y]: n

   - Active response disabled.

The installer then gives you a summary of the log files the agent monitors by default.

  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log

To monitor any other file, edit ossec.conf and add a new localfile entry for it.
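As an added example (not part of the original guide), the script below shows what such a localfile entry looks like and inserts one into ossec.conf without duplicating an existing location; the sample config, the kern.log path and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): add a <localfile> entry
# to ossec.conf for an extra log, which the guide says to do by hand.
# The entry goes just before the closing </ossec_config> tag and is
# refused if that location is already monitored, so re-running the script
# does not produce duplicates. The sample config and the kern.log choice
# are assumptions for illustration.

# add_localfile CONF PATH FORMAT
add_localfile() {
    conf="$1"; path="$2"; fmt="$3"
    if grep -Fq "<location>$path</location>" "$conf"; then
        echo "$path is already monitored" >&2
        return 1
    fi
    tmp="$conf.tmp"
    awk -v p="$path" -v f="$fmt" '
        /<\/ossec_config>/ {
            print "  <localfile>"
            print "    <log_format>" f "</log_format>"
            print "    <location>" p "</location>"
            print "  </localfile>"
        }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# count_localfiles CONF -> number of <localfile> blocks in CONF
count_localfiles() {
    grep -c '<localfile>' "$1" || true
}

# make_sample_conf FILE: constructed minimal agent config for the demo.
make_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <client>
    <server-ip>192.168.43.62</server-ip>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF
}

# Usage on a real agent: add_localfile /var/ossec/etc/ossec.conf /var/log/kern.log syslog
```

Restart the agent with ossec-control after editing ossec.conf so the log collector picks up the new entry.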

Press ENTER to install the OSSEC agent. If everything goes well, you should see output like the following.

 - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Press ENTER to finish the installation.

The OSSEC agent is now installed on Debian 10 Buster. To connect the agent to the OSSEC server, add the agent on the server and generate its agent key.

Once you have the key, import it on the host where the agent is installed by running the command below;

/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.3.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIHNlcnZlci1iIDE5Mi4xNjguNDMuMTM2IGYwOWRiZmFhZTI0MzBmYTYyODAyZWRjM2IzMmMwMjI5Y2M0MTVkMWVlYTQ4YTFmODUzMzQ2NDBiZWJmOTZkY2Y=

Agent information:
   ID:001
   Name:server-b
   IP Address:192.168.43.136

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
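The key you paste is base64 of the agent ID, name, IP and a hex shared secret, which is why manage_agents can echo back the ID, name and IP before asking for confirmation. The following added script (not from the original guide) decodes the key shown above and checks it was issued for the expected agent name and IP before you import it, without ever printing the secret; the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): decode the key that
# manage_agents asks you to paste and check it was issued for this host.
# The key is base64 of four space-separated fields: agent ID, agent name,
# agent IP (or "any") and a hex secret shared with the server. The secret
# authenticates this agent, so it is deliberately never printed here.

# The key shown in the guide's manage_agents session.
AGENT_KEY='MDAxIHNlcnZlci1iIDE5Mi4xNjguNDMuMTM2IGYwOWRiZmFhZTI0MzBmYTYyODAyZWRjM2IzMmMwMjI5Y2M0MTVkMWVlYTQ4YTFmODUzMzQ2NDBiZWJmOTZkY2Y='

# decode_agent_key KEY
# Prints "ID NAME IP" (secret withheld) or fails if the key is malformed.
decode_agent_key() {
    plain=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $plain
    [ $# -eq 4 ] || return 1
    printf '%s' "$1" | grep -Eq '^[0-9]{3}$' || return 1
    printf '%s' "$4" | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# key_matches_host KEY NAME IP
# Succeeds if the key names this agent and either its IP or "any".
key_matches_host() {
    info=$(decode_agent_key "$1") || return 1
    want_name="$2"; want_ip="$3"
    set -- $info
    [ "$2" = "$want_name" ] || return 1
    [ "$3" = "$want_ip" ] || [ "$3" = "any" ]
}

# Usage: sh check_key.sh "$KEY" "$(hostname)" 192.168.43.136
if [ $# -eq 3 ]; then
    if key_matches_host "$1" "$2" "$3"; then
        echo "key issued for agent: $(decode_agent_key "$1")"
    else
        echo "key does not match this host; do not import it" >&2
        exit 1
    fi
fi
```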

Next, start the agent by running the command below;

/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.3.0...
Started ossec-execd...
2019/07/23 15:44:27 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.

You can also check the OSSEC log by running the command below to verify that the agent has connected to the server.

tail /var/ossec/logs/ossec.log

You have successfully installed the OSSEC agent on Debian 10 Buster.
