In this guide, we are going to learn how to install the OSSEC agent on Debian 10 Buster. OSSEC is an open source host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.
OSSEC is built on a server-agent model. This means that to monitor systems with OSSEC, you need an OSSEC server and an agent installed on each server you want to monitor. Alternatively, OSSEC also supports agentless monitoring, in which case no agent needs to be installed on the monitored endpoint.
Install OSSEC Agent on Debian 10 Buster
To begin with, update the system packages.
apt update
apt upgrade
Before you can go ahead and install the OSSEC agent, a few build dependencies are required. Run the command below to install them;
apt install inotify-tools gcc zlib1g-dev
Download OSSEC Tarball
Navigate to the OSSEC downloads page and download the OSSEC tarball. You can simply copy the download link and fetch it with wget as shown below;
Next, download the OSSEC binary GPG signature for verifying its integrity.
Once the download is complete, import the package signing key.
wget https://www.atomicorp.com/OSSEC-ARCHIVE-KEY.asc
gpg --import OSSEC-ARCHIVE-KEY.asc
Run the verification;
gpg --verify ossec-hids-3.3.0.tar.gz.asc 3.3.0.tar.gz
gpg: Signature made Fri 19 Apr 2019 02:44:23 PM EDT
gpg:                using RSA key EE1B0E6B2D8387B7
gpg: Good signature from "Scott R. Shinn <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B50F B194 7A0A E311 45D0 5FAD EE1B 0E6B 2D83 87B7
If the signature is good, proceed with installation.
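Note that gpg prints "Good signature" for any key in your keyring, which is why the WARNING above appears: the key itself has not been validated. As an added example (not part of the original guide), the POSIX shell helper below makes the check script-safe by asking gpg for machine-readable status lines and accepting the tarball only when the VALIDSIG line carries the expected key fingerprint. The fingerprint is the one printed in the output above; confirm it through a second channel before relying on it. File names follow the guide; the status-line layout is gpg's documented `--status-fd` format.

```shell
#!/bin/sh
# Expected primary key fingerprint (spaces removed), taken from the gpg
# output shown in the guide. Confirm it out of band before trusting it.
EXPECTED_FPR="B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7"

# check_status STATUS_TEXT
# Reads gpg --status-fd output and succeeds only if a VALIDSIG line names the
# expected key, either as the signing key (field 3) or as the primary key of
# the signing subkey (last field). GOODSIG alone is not enough: gpg prints it
# for any key in the keyring, trusted or not.
check_status() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_tarball TARBALL SIGFILE
# Runs gpg non-interactively with status lines on stdout and applies
# check_status. Returns 0 when the archive may be unpacked, 1 otherwise.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    check_status "$status"
}

# Usage, with the file names from the guide: unpack only after a positive check.
#   verify_tarball 3.3.0.tar.gz ossec-hids-3.3.0.tar.gz.asc && tar xzf 3.3.0.tar.gz -C /tmp/
```

The point of pinning the fingerprint rather than only checking gpg's exit code is that a signature made by any imported key would otherwise pass; the helper ties the download to the one key you have decided to trust.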
Install OSSEC Agent on Debian 10 Buster
Extract the OSSEC tarball.
tar xzf 3.3.0.tar.gz -C /tmp/
As another prerequisite, OSSEC 3.3.0 has been updated to use PCRE2 regular expressions, and its build expects the PCRE2 source to be present in the source tree. At the moment you can satisfy this by downloading the PCRE2 tarball and extracting it into the OSSEC source directory as shown below.
tar zxf pcre2-10.32.tar.gz -C /tmp/ossec-hids-3.3.0/src/external/
If you skip this step, you may encounter the error;
/bin/sh: 1: cd: can't cd to external/pcre2-10.32/
Next, navigate to the extracted source directory and run the OSSEC install.sh script to install OSSEC agent.
When the script runs, you are prompted to choose the installation language. You can simply press ENTER to choose English.
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
Next, you are prompted on what type of installation this is. Since we are setting up an OSSEC agent, type agent.
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
Choose the OSSEC HIDS install directory. This is usually /var/ossec by default. You can press enter to select the default directory.
2- Setting up the installation environment. Choose where to install the OSSEC HIDS [/var/ossec]: ENTER
Set the IP address of the OSSEC server
3- Configuring the OSSEC HIDS.
  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.62
   - Adding Server IP 192.168.43.62
Enable System integrity check and rootkit detection.
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
   - Running rootcheck (rootkit detection).
Choose whether to enable Active response. It is disabled in this guide.
  3.4 - Do you want to enable active response? (y/n) [y]: n
   - Active response disabled.
The installer then gives you a summary of the files the Agent monitors by default.
  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log
To monitor any other file, just change the ossec.conf and add a new localfile entry.
Press ENTER to install OSSEC agent. If everything goes well, you should be able to see such an output.
 - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.
 - Configuration finished properly.
 - To start OSSEC HIDS:
      /var/ossec/bin/ossec-control start
 - To stop OSSEC HIDS:
      /var/ossec/bin/ossec-control stop
 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Press ENTER to finish the installation.
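When the same agent build has to be repeated on several hosts, answering the prompts by hand does not scale. The following is an added example, not a script from the guide or the OSSEC project: a POSIX shell helper that first checks that the PCRE2 sources are in place (the cause of the `can't cd to external/pcre2-10.32/` error above) and then writes `etc/preloaded-vars.conf` with the answers used in this guide, so that install.sh skips the corresponding prompts. The `USER_*` variable names are the ones shipped in OSSEC's own `etc/preloaded-vars.conf`; it is an assumption here that 3.3.0 has not renamed any of them, so compare against the file in your tarball. Source path and server IP are the guide's.

```shell
#!/bin/sh
# preflight SRC_DIR
# Fails early if the PCRE2 sources are missing from the OSSEC tree, which is
# what produces the "can't cd to external/pcre2-10.32/" build error.
preflight() {
    [ -d "$1/src/external/pcre2-10.32" ] || {
        echo "missing $1/src/external/pcre2-10.32: unpack pcre2-10.32.tar.gz there first" >&2
        return 1
    }
}

# write_preloaded SRC_DIR SERVER_IP
# Writes etc/preloaded-vars.conf with the answers used in this guide: English,
# agent install into /var/ossec, syscheck and rootcheck enabled, active
# response disabled. install.sh reads this file before prompting.
write_preloaded() {
    cat > "$1/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_AGENT_SERVER_IP="$2"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="n"
EOF
}

# install_agent SRC_DIR SERVER_IP
# Runs the preflight check, writes the answers, then runs the installer from
# the source directory (install.sh must be invoked from there).
install_agent() {
    preflight "$1" && write_preloaded "$1" "$2" && (cd "$1" && ./install.sh)
}

# Usage with the paths from the guide (run as root):
#   install_agent /tmp/ossec-hids-3.3.0 192.168.43.62
```

Keeping the answers in a file also makes the chosen settings reviewable: a later change to `USER_ENABLE_ACTIVE_RESPONSE`, for instance, shows up as a diff rather than as a forgotten keystroke during an interactive install.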
The OSSEC agent is now installed on Debian 10 Buster. To connect the agent to the OSSEC server, add the agent on the server and generate its agent key.
Once you have the key, import it on the host where the agent is installed by running the command below;
****************************************
* OSSEC HIDS v3.3.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIHNlcnZlci1iIDE5Mi4xNjguNDMuMTM2IGYwOWRiZmFhZTI0MzBmYTYyODAyZWRjM2IzMmMwMjI5Y2M0MTVkMWVlYTQ4YTFmODUzMzQ2NDBiZWJmOTZkY2Y=

Agent information:
   ID:001
   Name:server-b
   IP Address:192.168.43.136

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Next, start the agent by running the command below;
/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.3.0...
Started ossec-execd...
2019/07/23 15:44:27 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.
You can also check the OSSEC agent log by running the command below to verify that the agent has connected to the server.
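The agent log records every connection attempt, so the last connection-related line tells you the current state. As an added example (not a command from the guide), the POSIX shell function below reads the agent log at its default location, `/var/ossec/logs/ossec.log`, and reports whether ossec-agentd most recently logged "Connected to the server" or "Waiting for server reply". The sample log content embedded in the block is constructed in the format of the start-up output shown above and is not a real capture.

```shell
#!/bin/sh
# agent_state LOGFILE
# Prints "connected", "waiting" or "unknown" based on the most recent
# ossec-agentd connection message in the log. A "Waiting for server reply"
# logged after an earlier "Connected" means the link was lost again, so only
# the last matching line decides the result.
agent_state() {
    awk '
        /ossec-agentd.*Connected to the server/  { state = "connected" }
        /ossec-agentd.*Waiting for server reply/ { state = "waiting" }
        END { print (state == "" ? "unknown" : state) }' "$1"
}

# Constructed sample log lines (not a real capture), in the format of the
# start-up output shown in the guide: a failed attempt followed by success.
SAMPLE_LOG='2019/07/23 15:44:27 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2019/07/23 15:44:28 ossec-agentd: WARN: Waiting for server reply (not started). Tried: 192.168.43.62.
2019/07/23 15:44:31 ossec-agentd: INFO: Connected to the server (192.168.43.62:1514).'

# demo: writes the constructed lines to a temporary file and classifies them.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    agent_state "$f"
    rm -f "$f"
}

# On a real agent host:
#   agent_state /var/ossec/logs/ossec.log
```

A result of `waiting` usually means the server's IP is wrong in ossec.conf, the key was not imported on both sides, or UDP port 1514 to the server is blocked; `unknown` means ossec-agentd has not logged any connection attempt yet, so check that it actually started.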
You have successfully installed OSSEC agent on Debian 10 Buster.