This guide presents a step-by-step tutorial on how to install OSSEC Agent on Rocky Linux 8. OSSEC is an Open Source Host based Intrusion Detection System that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs across multiple platforms including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows etc.
Installing OSSEC Agent on Rocky Linux 8
Run system Update
Before you proceed with installation, run system update.
dnf updateInstall Required Build Tools
A successful installation of OSSEC on Rocky Linux 8 requires quite a number of dependencies to be installed on the system. Run the command below to install these dependencies.
dnf install gcc make libevent-devel zlib-devel openssl-devel pcre2-devel wget tar -yDownload Latest OSSEC Source Code
OSSEC 3.6 is the latest stable release as of this writing. Check the releases page for the latest releases.
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gzExtract OSSEC Source Code
Once the OSSEC source download is completed, extract it as follows;
tar xzf 3.6.0.tar.gzInstall OSSEC Agent
There are two ways in which you can now install OSSEC agent.
Manual Installation of OSSEC agent on Rocky Linux 8
To manually install OSSEC agent, navigate to the source code directory and run the installation script.
cd ossec-hids-3.6.0/Execute the installation group;
./install.shSelect you installation language. In this case, we choose the default install language, English.
Press ENTER to choose default installation options.
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: ENTERAgain, press ENTER to continue.
-- Press ENTER to continue or Ctrl-C to abort. --Specify the type of installation. In our case, we are installing ossec-hids agent, hence select agent.
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
- Agent(client) installation chosen.Choose the installation path. We go with the default, /var/ossec.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .Enter the OSSEC-HIDs Server IP address or hostname. Replace the IP used here accordingly.
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.60.20
- Adding Server IP 192.168.60.20
Enable system integrity check
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).Enable rootkit detection engine.
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).Disable active response. Otherwise, you can enable it if you an understanding of the type and number of alerts you want.
3.4 - Do you want to enable active response? (y/n) [y]: n
- Active response disabled.The agent installer then displays the log files that are read by default. You can add more later on ossec.conf file.
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
...Once you are done defining the default options, proceed to install OSSEC agent by pressing ENTER.
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at https://github.com/ossec/ossec-hids or using
our public maillist at
https://groups.google.com/forum/#!forum/ossec-list
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
Automated Installation of OSSEC Agent
To automate the installation of OSSEC agent, navigate to the source code directory and run the command below;
cd ossec-hids*cp etc/preloaded-vars.conf{.example,}sed -i -e 's/#USER_LANGUAGE="en"/USER_LANGUAGE="en"/' -e 's/#USER_NO_STOP="y"/USER_NO_STOP="y"/' \
-e 's/#USER_INSTALL_TYPE="agent"/USER_INSTALL_TYPE="agent"/' -e 's/#USER_DIR="\/var\/ossec"/USER_DIR="\/var\/ossec"/'\
-e 's/#USER_ENABLE_ACTIVE_RESPONSE="y"/USER_ENABLE_ACTIVE_RESPONSE="n"/' -e 's/#USER_ENABLE_SYSCHECK="y"/USER_ENABLE_SYSCHECK="y"/' \
-e 's/#USER_ENABLE_ROOTCHECK="y"/USER_ENABLE_ROOTCHECK="y"/' \
-e 's/# USER_AGENT_SERVER_IP="1.2.3.4"/ USER_AGENT_SERVER_IP="192.168.60.20"/' etc/preloaded-vars.confReplace the 192.168.60.20 above with the IP address of your OSSEC server.
Next, run the installation;
./install.shConnect the OSSEC Agent to OSSEC Server
For the agent to communicate with the server, you can need to first add it to the server.
After that extract the agent authentication key from the server.
Once you have extracted the key, Import the key on the agent by running the command below;
/var/ossec/bin/manage_agentsEnter option I, paste the key and confirm adding the key. Then type Q and press enter to exit.
Running OSSEC Agent
Once the installation completes, the installer displays how to run OSSEC agent.
To start the agent;
/var/ossec/bin/ossec-control startOr
systemctl start ossecTo stop the agent;
/var/ossec/bin/ossec-control stopOr
systemctl stop ossecOther unit service control commands;
/var/ossec/bin/ossec-control {start|stop|reload|restart|status}You have successfully installed OSSEC agent on Rocky Linux 8 and that marks the end of our guide on how to install OSSEC agent. Stay connected for more similar tutorials.
Further Reading
Related Tutorials
Install OSSEC Agent on Debian 10 Buster
How to Install OSSEC Agent on Mac OS
How to Install OSSEC Agent on Solaris 11.4
How to Install and Setup OSSEC agent on Ubuntu 18.04/CentOS 7
