Enterprise Linux Tips (SearchEnterpriseLinux.com), Administrator
OSSEC: The server and agent model


James Turnbull
10.12.2006


OSSEC is an open source host-based IDS/IPS that has two major modes of operation. In my last tip, I discussed how to install a stand-alone instance of OSSEC to run on a single machine. In this tip, I will look at OSSEC's other mode of operation -- a server and agent model.

In this mode, a central OSSEC server manages a series of remote OSSEC agents. The agents collect log data and the results of their local checks (file integrity, rootkit detection and so on) and forward them to the central server, which analyses them, raises alerts and generates notifications.

Agent-to-server traffic runs over UDP port 1514 and is encrypted and authenticated with a symmetric key. Each agent has its own key, which is generated on the server, exported, and then copied to the agent. Because that key is the only thing that authenticates an agent to the server, treat the exported key as a secret: move it over a trusted channel (for example SSH or a console session), not over unencrypted email, and extract a fresh key if a host is rebuilt or compromised. When started, the agents connect to the server and begin sending their log data and check results.

To get started, we need to install a central OSSEC server. This is done using the server-type installation of OSSEC. Follow the steps specified in the first part of this tip (the stand-alone installation) using the install.sh script.

In step 1 of the installation process, select the server installation type, as shown in the following listing:

The remaining portion of the installation process follows the pattern shown in part one of the tip. The server is installed by default into the /var/ossec directory and you will be prompted to configure alerting and the components of OSSEC that will be installed and activated.

With the server installation, there is also an additional option to allow OSSEC to listen on UDP port 514 as a remote syslog daemon and receive incoming syslog entries. Unlike the agent channel on port 1514, syslog over UDP is neither encrypted nor authenticated, so only enable it if you need to collect from devices that cannot run an agent, and restrict the sources with the allowed-ips setting of the remote block in ossec.conf and with a host firewall.

After the installation of the server is complete you can start it, like so:

The server adds and manages agents using the manage_agents command, located in the /var/ossec/bin directory. It is an interactive, menu-driven tool and must be run as root, because it reads and writes the key store in /var/ossec/etc/client.keys.

Five options are available in the manage_agents menu: add an agent (A), extract an agent's key (E), list the agents already added (L), remove an agent (R) and quit (Q). The first option, A, adds an agent. You need to specify a name for the agent (usually the hostname), the IP address of the host as the server will see it, and an ID for the agent. The ID is auto-incremented starting from 001 but can be overridden if required.

You can see the dialog for adding an agent below:

Once you've added an agent to the server, you need to use the E (extract) option to export the agent key. You will be prompted to select the ID of the agent whose key you wish to export. The key will be displayed as a single base64 string that encodes the agent ID, name, IP address and the secret key itself, and you can copy it. You can see the key exportation process below:

Now that you have the agent's key, you can install OSSEC in agent mode on the remote host. Run the installation script and select the agent option in Step 1.

After the installation is completed, run the manage_agents command on the remote host to add the key to the agent. The agent-side menu has only two options: select option I to import the key; when prompted, paste in the key and confirm the addition of the agent. Then start OSSEC (or restart it if it was already running, because the agent only reads its key at start-up). You can see this process here:

Once you have added the key to the agent and started it, the connection to the server can be initiated. You need to ensure that any firewall on the agent, on the server, or between the two allows UDP port 1514 from the agent to the server. The server will only accept datagrams on this port from the IP addresses of agents you have added, so the address you registered must be the one the server actually sees: an agent behind NAT has to be registered with the NAT address, otherwise its traffic is silently dropped.
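The export and import steps above move a single string from the server to the agent. As an added example that is not part of the original tip or of OSSEC's own code, the following Python decodes that string into the fields OSSEC stores (the exported key is the base64 encoding of `ID NAME IP KEY`, which is also the format of the client.keys line the agent writes), validates it before you paste it into manage_agents, and mirrors the server's source-address check. The 64-hex-character key length, the CIDR and `any` address forms, and the sample values are assumptions of this example.

```python
# Added example (not OSSEC's own code): decode the string that manage_agents
# "extract key" prints on the server, validate it, and produce the line that
# "import key" writes into /var/ossec/etc/client.keys on the agent.
# The exported key is base64 of "ID NAME IP KEY", separated by single spaces.
# The 64-hex-character key length and the CIDR/"any" address forms are
# assumptions of this example; the sample values below are constructed.
import base64
import ipaddress
import re
from typing import NamedTuple

# Keys as generated by manage_agents: 64 lowercase hex characters (assumption).
KEY_RE = re.compile(r"^[0-9a-f]{64}$")


class AgentKey(NamedTuple):
    agent_id: str   # zero-padded numeric ID, e.g. "001"
    name: str       # agent name, usually the hostname
    ip: str         # single address, CIDR network, or "any"
    key: str        # shared symmetric key (hex)


def decode_exported_key(exported: str) -> AgentKey:
    """Turn the base64 blob shown by manage_agents (E) into its four fields,
    refusing anything that does not look like a genuine OSSEC agent key."""
    try:
        raw = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not a base64 OSSEC key: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields (id name ip key), got {len(parts)}")
    agent_id, name, ip, key = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    if not name:
        raise ValueError("agent name missing")
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises ValueError if malformed
    if not KEY_RE.fullmatch(key):
        raise ValueError("key is not 64 hex characters; refuse to import it")
    return AgentKey(agent_id, name, ip, key)


def encode_agent_key(entry: AgentKey) -> str:
    """Inverse of decode_exported_key: the string manage_agents (E) prints."""
    return base64.b64encode(" ".join(entry).encode("ascii")).decode("ascii")


def client_keys_line(entry: AgentKey) -> str:
    """The line manage_agents (I) appends to client.keys on the agent."""
    return " ".join(entry)


def source_allowed(entry: AgentKey, src_ip: str) -> bool:
    """Mirror of the server-side check: a datagram on UDP 1514 is only accepted
    if its source matches the address registered for the agent ("any" accepts
    every source, a CIDR entry accepts the whole network)."""
    if entry.ip == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry.ip, strict=False)


# Constructed sample: shaped like a manage_agents key, but not a real one.
SAMPLE_KEY = "0123456789abcdef" * 4
SAMPLE_ENTRY = AgentKey("001", "web01", "192.168.1.10", SAMPLE_KEY)
SAMPLE_EXPORTED = encode_agent_key(SAMPLE_ENTRY)


if __name__ == "__main__":
    entry = decode_exported_key(SAMPLE_EXPORTED)
    print("exported key    :", SAMPLE_EXPORTED)
    print("client.keys line:", client_keys_line(entry))
    for src in ("192.168.1.10", "192.168.1.11"):
        verdict = "accepted" if source_allowed(entry, src) else "dropped"
        print(f"datagram from {src}: {verdict}")
```

Running it prints the client.keys line for the constructed sample and shows the datagram from the registered address accepted while a neighbour's is dropped. Before pasting a real key into manage_agents on the agent, decoding it this way lets you confirm that the embedded IP is the one the server will see and that the string was not truncated in transit.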

You can confirm that the connection has succeeded by reviewing the contents of the /var/ossec/logs/ossec.log file on the agent and on the server respectively; later releases also ship an agent_control command in /var/ossec/bin that lists registered agents and whether they are active. Further troubleshooting can be achieved using a command like tcpdump on UDP port 1514 to check that datagrams leave the agent and arrive at the server with the expected source address.

At this stage, the OSSEC server/agent model is relatively simple and consists of reporting and alerting from the agents to the server. Configuration is still maintained locally on each agent rather than centrally on the server, unlike many other distributed HIDS/HIPS products.

If you have large numbers of agents I recommend looking at a tool like cfengine or Puppet to centrally manage your agent configuration and rules. These sorts of tools should also aid you in installing and distributing new agents across an enterprise.
