Howto Install OSSEC HIDS



Contents

  • 1 Prepare RPMs required by ossec:
  • 2 Install the main ossec RPMs:
    • 2.1 On the ossec server:
    • 2.2 On the ossec agent:
  • 3 Make symbolic link on ossec server and agent:
  • 4 Edit ossec.conf and make sure these properties match your environment:
    • 4.1 On the server:
    • 4.2 On the agent:
  • 5 Generate key for new agent:
    • 5.1 Add agent on the ossec server
    • 5.2 Extract key for an agent
    • 5.3 On the ossec agent

Tribute to Heriyanto, for making this manual and asking me to put it on my blog

Prepare RPMs required by ossec:

libprelude-0.9.24-3.el5.x86_64.rpm [1]
ossec-hids-2.5.1-2.x86_64.rpm
ossec-hids-server-2.5.1-2.x86_64.rpm
ossec-hids-client-2.5.1-2.x86_64.rpm  

Install the main ossec RPMs:

On the ossec server:

yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm ossec-hids-2.5.1-2.x86_64.rpm ossec-hids-server-2.5.1-2.x86_64.rpm

On the ossec agent:

yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm ossec-hids-2.5.1-2.x86_64.rpm ossec-hids-client-2.5.1-2.x86_64.rpm

Make symbolic link on ossec server and agent:

ln -s /etc/init.d/ossec-hids /usr/bin/

Edit ossec.conf and make sure these properties match your environment:

On the server:

[root@ossec ~]# vi /var/ossec/etc/ossec.conf
 <global>
   <email_notification>yes</email_notification>
   <email_to>root@localhost</email_to>
   <smtp_server>127.0.0.1</smtp_server>
   <email_from>ossec@asoy.com</email_from>
 </global>

On the agent:

[root@client ~]# vi /var/ossec/etc/ossec.conf
<client>
   <server-ip>192.168.0.2</server-ip>  <!-- make sure this is your OSSEC server IP -->
</client>
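Before starting the daemons it is worth checking the two edited blocks mechanically rather than by eye. The script below is an added example, not part of this howto or of OSSEC: it parses the agent's <client> block and the server's <global> block and reports settings that would stop server/agent traffic (a hostname in <server-ip>, which only accepts an address; names go in <server-hostname>) or silently disable email alerts (email_notification set to yes with an empty <smtp_server>). The sample configurations are constructed inline; the values in the "ok" samples copy the snippets above, and the hostname ossec.example.internal in the failing sample is made up.

```python
"""Check the ossec.conf settings edited above before starting the daemons.

Added example, not part of the howto or of OSSEC. It reads the <client>
block of an agent ossec.conf and the <global> block of a server ossec.conf
and reports settings that would stop server/agent traffic or email alerts.
The sample configurations are constructed inline to mirror the howto.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> elements, so it is
    # not one XML document; drop any declaration and wrap it in a synthetic root.
    body = re.sub(r"<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + body + "</root>")


def check_agent_conf(text):
    """Return a list of problems with the agent's <client> block (empty = OK)."""
    root = parse_ossec_conf(text)
    client = root.find(".//client")
    if client is None:
        return ["no <client> block: the agent does not know its server"]
    problems = []
    ip = client.findtext("server-ip")
    host = client.findtext("server-hostname")
    if ip is None and host is None:
        problems.append("<client> has neither <server-ip> nor <server-hostname>")
    if ip is not None:
        try:
            ipaddress.IPv4Address(ip.strip())
        except ValueError:
            problems.append(f"<server-ip> {ip.strip()!r} is not an IPv4 address "
                            "(a name belongs in <server-hostname>)")
    return problems


def check_server_conf(text):
    """Return a list of problems with the server's <global> email settings."""
    root = parse_ossec_conf(text)
    glob = root.find(".//global")
    if glob is None:
        return ["no <global> block"]
    problems = []
    notify = (glob.findtext("email_notification") or "no").strip().lower()
    if notify == "yes":
        for tag in ("email_to", "smtp_server", "email_from"):
            if not (glob.findtext(tag) or "").strip():
                problems.append(f"email_notification is yes but <{tag}> is missing or empty")
    return problems


# Constructed samples. AGENT_CONF_OK and SERVER_CONF_OK copy the howto's
# values; the other two show the kind of mistake the checks catch.
AGENT_CONF_OK = """<ossec_config>
  <client>
    <server-ip>192.168.0.2</server-ip>
  </client>
</ossec_config>"""

AGENT_CONF_NAME_AS_IP = """<ossec_config>
  <client>
    <server-ip>ossec.example.internal</server-ip>
  </client>
</ossec_config>"""

SERVER_CONF_OK = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@asoy.com</email_from>
  </global>
</ossec_config>
<ossec_config>
  <syscheck><frequency>7200</frequency></syscheck>
</ossec_config>"""

SERVER_CONF_NO_SMTP = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <email_from>ossec@asoy.com</email_from>
  </global>
</ossec_config>"""

if __name__ == "__main__":
    for label, check, conf in (("agent ok", check_agent_conf, AGENT_CONF_OK),
                               ("agent name-as-ip", check_agent_conf, AGENT_CONF_NAME_AS_IP),
                               ("server ok", check_server_conf, SERVER_CONF_OK),
                               ("server no smtp", check_server_conf, SERVER_CONF_NO_SMTP)):
        print(f"{label}: {check(conf) or 'OK'}")
```

To run it against a real host, read /var/ossec/etc/ossec.conf into a string and pass it to the matching check; the synthetic root is what lets the parser accept a file with more than one <ossec_config> block.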

Generate key for new agent:

Add agent on the ossec server

The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side. Create a key for each agent by adding the agent using the manage_agents utility. Run the utility and then choose Add an agent by entering A.
[root@ossec ~]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
  (A)dd an agent (A).
  (E)xtract key for an agent (E).
  (L)ist already added agents (L).
  (R)emove an agent (R).
  (Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
 Please provide the following:
  * A name for the new agent: client.ossec.net    
  * The IP Address of the new agent: 192.168.1.3 
  * An ID for the new agent[001]: 001
Agent information:
  ID:001
  Name:client.ossec.net
  IP Address:192.168.1.3
Confirm adding it?(y/n): y
Agent added.

Extract key for an agent

From the manage agents menu, enter E to extract a key. You are provided with a list of already configured agents. Choose your agent by entering the correct ID. The key is displayed so you can copy it to your clipboard.
[root@ossec ~]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
  (A)dd an agent (A).
  (E)xtract key for an agent (E).
  (L)ist already added agents (L).
  (R)emove an agent (R).
  (Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents: 
  ID: 001, Name: client.ossec.net, IP: 192.168.1.3
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is: MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==
** Press ENTER to return to the main menu.
Press Q to quit the OSSEC agent manager.

On the ossec agent

To import the key, run the manage_agents utility on the agent host. The menu for agents is much simpler, because importing keys is the only option. Enter I to import and then paste the key value previously saved to your clipboard.
[root@client ~]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
  (I)mport key from the server (I).
  (Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit):  MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==
Agent information:
  ID:001
  Name:client.ossec.net
  IP Address:192.168.1.3
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Press Q to quit the OSSEC agent manager.
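The import prompt shows the ID, name and IP it found in the pasted key and asks for confirmation; it is worth knowing what it is confirming. The key manage_agents extracts is simply base64 of the client.keys line "ID NAME IP SECRET", so the agent side can decode it and compare it with the agent it is meant for before answering y. The script below is an added example, not part of this howto or of OSSEC; it decodes the exact key shown above, rejects a key that picked up a line break or spaces during copy and paste (the mistake the "OBS" line warns about), and lists any field that disagrees with the expected identity.

```python
"""Decode an exported OSSEC agent key and check it before importing it.

Added example, not part of the howto or of OSSEC. The key manage_agents
prints is base64 of the client.keys line "ID NAME IP SECRET", so on the
agent it can be decoded and compared with the identity the import prompt
shows before answering "y". The key below is the one shown in the howto.
"""
import base64
import binascii
import ipaddress
import re

# Key extracted on the server in the howto for agent 001 / client.ossec.net.
EXPORTED_KEY = ("MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNm"
                "NTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==")


def decode_agent_key(key):
    """Return {'id','name','ip','secret'} from an exported key, or raise ValueError."""
    # validate=True rejects anything outside the base64 alphabet, which is
    # exactly the stray spaces and line breaks the import prompt warns about.
    try:
        raw = base64.b64decode(key, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not clean base64 (spaces or line breaks?): {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 'ID NAME IP SECRET', got {len(parts)} fields")
    agent_id, name, ip, secret = parts
    if not re.fullmatch(r"[0-9]+", agent_id):
        raise ValueError(f"agent ID {agent_id!r} is not numeric")
    if ip != "any":  # client.keys also accepts 'any' or a CIDR range for the IP
        try:
            ipaddress.IPv4Network(ip, strict=False)
        except ValueError as exc:
            raise ValueError(f"agent IP {ip!r} is not an IPv4 address or range") from exc
    if not re.fullmatch(r"[0-9a-f]+", secret):
        raise ValueError("shared secret is not lowercase hex")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_problem(key):
    """Return None if the key decodes cleanly, else the reason it would not import."""
    try:
        decode_agent_key(key)
    except ValueError as exc:
        return str(exc)
    return None


def verify_agent_key(key, expected_id, expected_name, expected_ip):
    """Compare the key with the agent identity shown at import; return mismatches."""
    fields = decode_agent_key(key)
    expected = {"id": expected_id, "name": expected_name, "ip": expected_ip}
    return [f"{k}: key says {fields[k]!r}, expected {v!r}"
            for k, v in expected.items() if fields[k] != v]


if __name__ == "__main__":
    fields = decode_agent_key(EXPORTED_KEY)
    print({k: v for k, v in fields.items() if k != "secret"},
          "secret:", len(fields["secret"]), "hex chars")
    print("mismatches:", verify_agent_key(EXPORTED_KEY, "001", "client.ossec.net", "192.168.1.3"))
    # A key that was line-wrapped by the terminal before being pasted.
    print("wrapped key:", key_problem(EXPORTED_KEY[:60] + "\n" + EXPORTED_KEY[60:]))
```

The decoded secret is the value that ends up in /var/ossec/etc/client.keys on both hosts, so treat the exported string with the same care as that file: it is what authenticates and encrypts this agent's traffic to the server.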

[1] Note: Libprelude is the Prelude library. Prelude is a universal Security Information Management (SIM) system: it collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the brand or license of the product that generated them. Prelude is "agentless".

Comments

  1. HID lights include mercury vapor, metal halide, high-pressure sodium, low-pressure sodium and, the less common, xenon short-arc lamps. The light producing element of HID is an arc discharge in an arc tube. Compared to incandescent and fluorescent lights, HIDs light produce a much higher quantity of light per unit area.

  2. great man great thoughts i like it for my car and find irresistible it like a follower so your
    effort is appreciate capable and in the last i would like to thank you dear for sharing
    it with us so nicely hid
