Tribute to Heriyanto, for writing this manual and asking me to put it on my blog.
Prepare RPMs required by ossec:
libprelude-0.9.24-3.el5.x86_64.rpm
ossec-hids-2.5.1-2.x86_64.rpm
ossec-hids-server-2.5.1-2.x86_64.rpm
ossec-hids-client-2.5.1-2.x86_64.rpm
Install the main ossec RPMs:
On the ossec server:
yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm ossec-hids-2.5.1-2.x86_64.rpm ossec-hids-server-2.5.1-2.x86_64.rpm
On the ossec agent:
yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm ossec-hids-2.5.1-2.x86_64.rpm ossec-hids-client-2.5.1-2.x86_64.rpm
Create a symbolic link to the init script on both the OSSEC server and the agent:
ln -s /etc/init.d/ossec-hids /usr/bin/
Edit ossec.conf and set the following properties according to your environment:
On the server:
[root@ossec ~]# vi /var/ossec/etc/ossec.conf
<global>
  <email_notification>yes</email_notification>
  <email_to>root@localhost</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossec@asoy.com</email_from>
</global>
On the agent:
[root@client ~]# vi /var/ossec/etc/ossec.conf
<client>
  <server-ip>192.168.0.2</server-ip>  <!-- make sure this is the IP of your OSSEC server -->
</client>
Generate a key for the new agent:
Add the agent on the OSSEC server
The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side. Create a key for each agent by adding the agent using the manage_agents utility. Run the utility and then choose Add an agent by entering A.
[root@ossec ~]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: client.ossec.net
   * The IP Address of the new agent: 192.168.1.3
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:client.ossec.net
   IP Address:192.168.1.3

Confirm adding it?(y/n): y
Agent added.
Extract key for an agent
From the manage agents menu, enter E to extract a key. You are provided with a list of already configured agents. Choose your agent by entering the correct ID. The key is displayed so you can copy it to your clipboard.
[root@ossec ~]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: client.ossec.net, IP: 192.168.1.3
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==

** Press ENTER to return to the main menu.
Press Q to quit the OSSEC agent manager.
On the OSSEC agent
To import the key, run the manage_agents utility on the agent host. The menu for agents is much simpler, because importing keys is the only option. Enter I to import and then paste the key value previously saved to your clipboard.
[root@client ~]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==

Agent information:
   ID:001
   Name:client.ossec.net
   IP Address:192.168.1.3

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Press Q to quit the OSSEC agent manager.
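The exported key is just the base64 encoding of "id name ip secret", so a pasted key can be checked against the agent it is meant for before it is imported. The following is an added example, not part of the original manual; it assumes a POSIX sh with the coreutils base64 command, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OSSEC agent key
# before pasting it into manage_agents on the agent host. The key that
# manage_agents exports is the base64 encoding of
#   "<agent id> <agent name> <agent ip> <64-character hex secret>"
# A stray newline or a key copied for the wrong agent shows up as a wrong
# field or a wrong secret length. Assumes POSIX sh plus coreutils `base64`.

# Decode a key (whitespace from the clipboard is stripped first, matching the
# "do not include spaces or new lines" rule) and print the decoded fields.
# Returns 1 if the string is not valid base64.
ossec_key_fields() {
    printf '%s' "$1" | tr -d ' \n\r' | base64 -d 2>/dev/null || return 1
}

# Verify that a key decodes to the expected agent id, name and IP, and that
# the secret is a 64-character lowercase hex string. Returns 0 on success.
ossec_check_key() {
    key=$1; want_id=$2; want_name=$3; want_ip=$4
    decoded=$(ossec_key_fields "$key") || { echo "key is not valid base64" >&2; return 1; }
    set -- $decoded
    [ "$#" -eq 4 ]          || { echo "expected 4 fields, got $#" >&2; return 1; }
    [ "$1" = "$want_id" ]   || { echo "agent id mismatch: $1" >&2; return 1; }
    [ "$2" = "$want_name" ] || { echo "agent name mismatch: $2" >&2; return 1; }
    [ "$3" = "$want_ip" ]   || { echo "agent ip mismatch: $3" >&2; return 1; }
    case "$4" in
        *[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#4}" -eq 64 ]      || { echo "secret length ${#4}, expected 64" >&2; return 1; }
    return 0
}

# The key extracted on the server in the walkthrough above.
KEY='MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw=='

# The check passes for the agent the key was generated for ...
ossec_check_key "$KEY" 001 client.ossec.net 192.168.1.3 && echo "key OK for agent 001"
# ... and fails if the same key is pasted on a host registered under another id.
ossec_check_key "$KEY" 002 other.ossec.net 192.168.1.4 || echo "key does not belong to this agent"
```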
Note: libprelude is the Prelude library. Prelude is a universal "Security Information Management" (SIM) system: it collects, normalizes, sorts, aggregates, correlates and reports all security-related events regardless of the product brand or license that produced them; Prelude is "agentless".