Adding OSSEC Agents for Vulnerability and Files Integrity Scanning:
In this tutorial I’ll be installing OSSEC agents on Windows and Linux Client machines to be monitored by OSSIM SIEM. For configuring OSSEC clients with OSSIM, we need OSSEC agent be downloaded and installed on hosts, but first, we’ll enable/activate OSSEC Plugin on OSSIM Server.
To enable OSSEC Plugin on OSSIM Server, follow the steps shown below:
Configure Sensor > Configure Data Source Plugins > Select “ossec-single-line”(if not already enabled) > select OK
3- Select “YES” on next confirmation Screen.
4- It may take some time to complete and restart server as shown below:
Generate OSSEC Client Keys:
1- Select “Jailbreak System” and then “OK”.
– Enter “A” to Add new OSSEC Agent.
– Provide Required information like ClientName to Show, IP Address and ClientID (leave default if not want to change).
– Press “y” to save the information of client.
– Enter “E” to Extract client’s Key.
– Enter Client’s ID, in my case it is 001 as shown below:
– Copy the extracted key as shown below and exit.
Restart OSSEC Control Services by:
Installing OSSEC Agent on Windows Host:
Download latest stable release of OSSEC Agent for windows from following link:
>>> http://www.ossec.net/?page_id=19 <<<
1- Execute downloaded “ossec-agent-win32XXXX.exe” file.
Installing OSSEC Agent on Linux/Unix Host:
The OSSEC agent will be required to be built from source code files on the linux OS. Many production Linux systems will have the code compilation tools removed from them however.
Acquiring a basic software build environment will depend upon the Linux platform you install to deploy on, but at a minimal will require a C compiler, and basic Kernel and LibC include files. These may be installed via the appropriate package manager commands.
For Debian-Based-Systems: (e.g. Ubuntu)
For Redhat -Based-Systems: [e.g CentOS]
# yum install kernel-devel –y
Change the working directory to a location suitable for building and installing software from:
Download latest version available, currently, 2.7 is the latest version.
Extract the downloaded archive using tar:
Change Directory to OSSEC-Agent and Compile Script:
# /bin/bash ./install.sh
– Pick your language for OSSEC, default is English and is what I’ve selected.
– Press Enter key to begin the Installation.
– Select “Installation Type” as ” Agent“.
– Enter the path where to install OSSEC client, default location is /var/ossec.
– Enter the IP Address or Host Name of the OSSIM Server. Remember, in case of using Hostname, DNS or local hosts file must have IP of the OSSIM host name.
– In next steps:
– Choose whether you want File Integrity Check to be enabled or Not.
– Choose whether you want Rootkit Detection enabled or not.
– Choose whether you want to run the Active Response Engine (enables execution of external commands when particular alerts trigger)
– Then OSSEC will display configured options:
– Now installation Script will start installation of OSSEC Client Agent.
– If no Dependency issue arise, setup will be finished smoothly and press Enter to Finish when asked for as shown below:
– First of all generate Client Key using Steps shown above.
– Now on client, being a Root user, execute the following command to add Generated OSSEC client key for communication with OSSIM Server.
– Enter ‘I’ to import key from Server
– Provide the Client Key extracted from the server previously:
– Confirm when asked that key is correct.
– Quit the OSSEC Agent Management Tool by entering Q.
– Restart OSSEC Agent on Client Host by following command:
– After Configuring OSSEC Agents, it is recommended to Restart OSSEC Agent on OSSIM Server as well. Use the same procedure used above by Jailbreak into the OSSIM Console or you can also use OSSIM Server Web Interface for that.
Environment > Detection > OSSEC Control
Click “Restart” as shown in below Figure.