X
    Categories: Tutorials

Install OSSEC agent on Ubuntu 14.04

This article is the second part of our Install OSSEC on Ubuntu 14.04 tutorial.

In the first part, we installed OSSEC as server and it’s web user interface on an Ubuntu 14.04 VPS.

Today, we will install the Analogi Web Dashboard and cover the OSSEC agent installation on another Ubuntu 14.04 VPS. Then we will add the installed agent (client) to the OSSEC server.

So, let’s start.

Log in to the Linux VPS where you installed OSSEC as server:

# ssh root@server_ip

Update the package index and check whether you have available upgrades for the server:

# apt-get update && apt-get upgrade

Once that is out of the picture, let’s install the Analogi Web Dashboard. Enter the default document root for Apache which is ‘/var/www/html’ :

# cd /var/www/html/

Clone the Analogi GIT repo:

# git clone https://github.com/ECSC/analogi.git

Copy the database config file and modify the database settings with the values of the database created in part one of this tutorial:

# cp analogi/db_ossec.php.new analogi/db_ossec.php

# nano analogi/db_ossec.php

Once you modify the values, they should look like this:

define ('DB_USER_O', 'ossecuser');
define ('DB_PASSWORD_O', 'your_password');
define ('DB_HOST_O', '127.0.0.1');
define ('DB_NAME_O', 'ossec');

Save and close the file.

You can now visit the Analogi dashboard from your favorite web browser. Open http://your_IP_address/analogi

OSSEC AGENT INSTALLATION

Next, you need to install OSSEC as agent on your other Ubuntu instance. But first, install the modules as shown in the first part of this tutorial. If you happen to already have the LAMP stack installed on your Ubuntu 14.04 instance, then proceed and execute the following command:

# apt-get install libmysqlclient-dev libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Download OSSEC into the ‘/opt’ directory, unpack the archive and enter the unpacked directory:

# cd /opt

# wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz

# tar -xzf ossec-hids-2.8.3.tar.gz

# cd ossec-hids-2.8.3

Now, start the OSSEC installation script and follow the easy instructions as shown in the output below:

# ./install.sh
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: enter the IP address of the OSSEC server machine

   - Adding Server IP xxx.xxx.xx.xxx

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]:


  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/dpkg.log
    -- /var/log/apache2/error.log (apache log)
    -- /var/log/apache2/access.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---

- You first need to add this agent to the server so they
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the
   authentication key from the server.

   /var/ossec/bin/manage_agents

As the above statement shows, you should now add the agent to the OSSEC server. Go back to your OSSEC server console and generate a key for the agent. Use the below command:

# /var/ossec/bin/manage_agents

Now choose the A option, enter the name for the new agent, it’s IP address and ID. Follow the underneath output:

****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ossec-client
   * The IP Address of the new agent: here you should enter the IP address of the OSSEC agent
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:ossec-client
   IP Address:xxx.xx.xxx.xxx

Confirm adding it?(y/n): y
Agent added.

Run the /var/ossec/bin/manage_agents command again and extract the key for the agent:

# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: ossec-client, IP: enter the IP address of the OSSEC agent
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIG9==......

** Press ENTER to return to the main menu.

Copy the key and switch to your OSSEC agent console. Execute the /var/ossec/bin/manage_agents command:

# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): paste the key that you generated on your OSSEC server

Agent information:
   ID:001
   Name:ossec-client
   IP Address: IP address of the OSSEC agent

Confirm adding it?(y/n): y
Added.

You can check the OSSEC config file to see if the OSSEC server has been added successfully:

# nano /var/ossec/etc/ossec.conf

The IP address of the OSSEC server is added at the beginning of the file:

<client>
  <server-hostname>xxx.xxx.xx.xxx</server-hostname>
</client>

Once that is done, restart OSSEC on both server and agent machines:

# /var/ossec/bin/ossec-control restart

You can now monitor the agent from either the standard Web UI or the Analogi dashboard. It is up to you. Of course OSSEC is a complex intrusion detection system and you can twitch it’s configuration and agents, so for more info please check OSSEC thorough documentation.

Congratulations. You have successfully configured and integrated an OSSEC agent with the OSSEC server. You should follow this same procedure if you want to add another agent to OSSEC.

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to do this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.