Installing OSSEC from RPMs

When I first started playing around with OSSEC I downloaded the agent and server source packages and installed them by hand. This method was fine when I had a server and one or two agent systems, but for a large network of systems it is tedious and error prone.

The OSSEC Project offers RPM packages that can be installed with yum on RedHat derived Linux distributions. Using these packages and the ossec-authd system, you can script the installation of OSSEC and automatically register agents with the server.

OSSEC RPM Repositories

OSSEC yum repositories and RPM packages are maintained by OSSEC team member Scott Shinn and his company AtomiCorp, makers of Atomic Secured Linux™. You can download RPMs that are compatible with a variety of 32 and 64 bit platforms. The OSSEC Downloads page has a nice breakdown of the various platforms so you can jump directly to the repository you want.

To install with yum, the basic procedure is to download the ossec-release RPM for the type of RedHat based distro you have – el5 or el6 AND 32 bit or 64 bit – which sets up the OSSEC repo file.

Server Installation

Let’s create a BASH script to carry out the server installation commands that consist of the following steps:

  1. Get the OS type – 32 or 64 bit – AND RedHat version – el5 or el6 – then set the ${os} and ${el} variables accordingly.
    #!/bin/bash
    os=`uname -i`
    if [[ `uname -r` == *"el6"* ]]; then
        el="el6"
    else
        el="el5"
    fi
  2. Get repos and dependencies based on OS type and RedHat version. The OSSEC packages require inotify-tools from the Fedora EPEL repository, so the epel-release RPM is installed first. The code shown below will install OSSEC 2.7.1.
    if [ ${os} == "x86_64" ]; then
        if [ ${el} == "el6" ]; then
            rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/6/x86_64/RPMS/ossec-release-1.0-2.el6.art.noarch.rpm
        else
            rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm 
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/5/x86_64/RPMS/ossec-release-1.0-2.el5.art.noarch.rpm
        fi
    else
        if [ ${el} == "el6" ]; then
            rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm 
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/6/i386/RPMS/ossec-release-1.0-2.el6.art.noarch.rpm
        else
            rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm 
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/5/i386/RPMS/ossec-release-1.0-2.el5.art.noarch.rpm
        fi
    fi
  3. Install the OSSEC server RPM. The OSSEC repo gets the
    yum install ossec-hids-server -y
  4. Restart OSSEC so the server picks up the installed configuration.
    /var/ossec/bin/ossec-control restart
  5. Set up a key and self-signed certificate (valid for 365 days) for ossec-authd, which handles remote agent registration.
    openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
    openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
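
The repo bootstrap in step 2 (and the identical step in the agent script) hard-codes four branches and installs the two release RPMs straight from a URL, which rpm will do even when it does not recognise the signing key (it only prints a NOKEY warning). The following is an added example, not the script from this post: the same detection done as a table-driven function, with the kernel release and architecture rejected when they are not el5/el6 rather than silently defaulting, and each release RPM downloaded and checked with rpm -K before it is installed. It assumes curl, rpm and mktemp are available and that the vendors' signing keys are imported first; the key URLs are deliberately not reproduced here, so pass the ones from the vendors' own pages to bootstrap_repos.

```sh
#!/bin/sh
# Added example (not the post's script): table-driven repo selection for the
# server and agent bootstrap steps, plus a package signature check before the
# two release RPMs are installed. Run as root on the target system.

EPEL_BASE=http://download.fedoraproject.org/pub/epel
OSSEC_BASE=http://www5.atomicorp.com/channels/ossec/centos

# Map uname -r output to el5/el6. Unknown releases are rejected instead of
# silently falling through to el5 as the post's script does.
ossec_el() {
    case "$1" in
        *.el6*) echo el6 ;;
        *.el5*) echo el5 ;;
        *)      return 1 ;;
    esac
}

# Map uname -m output to the two architecture names used in the repo paths.
ossec_arch() {
    case "$1" in
        x86_64) echo x86_64 ;;
        i?86)   echo i386 ;;
        *)      return 1 ;;
    esac
}

# Print the epel-release and ossec-release URLs for an arch/release pair,
# one per line, EPEL first (the OSSEC packages need inotify-tools from EPEL).
ossec_release_urls() {
    case "$2" in
        el6) ver=6; epel=epel-release-6-8.noarch.rpm ;;
        el5) ver=5; epel=epel-release-5-4.noarch.rpm ;;
        *)   return 1 ;;
    esac
    echo "$EPEL_BASE/$ver/$1/$epel"
    echo "$OSSEC_BASE/$ver/$1/RPMS/ossec-release-1.0-2.$2.art.noarch.rpm"
}

# Import a signing key from a URL; rpm -K below only reports OK for keys
# that are already in the rpm database.
import_key() {
    key=$(mktemp) || return 1
    curl -fsSL -o "$key" "$1" && rpm --import "$key"
    rc=$?; rm -f "$key"; return $rc
}

# Download a package and install it only if rpm -K reports a good signature.
fetch_verify_install() {
    pkg=$(mktemp) || return 1
    if ! curl -fsSL -o "$pkg" "$1"; then
        echo "download failed: $1" >&2; rm -f "$pkg"; return 1
    fi
    if ! rpm -K "$pkg"; then
        echo "signature check failed, not installing: $1" >&2; rm -f "$pkg"; return 1
    fi
    rpm -Uvh "$pkg"; rc=$?
    rm -f "$pkg"; return $rc
}

# Full bootstrap: detect the platform, import the given keys, then fetch,
# verify and install both release RPMs.
# Usage: bootstrap_repos <epel-key-url> <atomicorp-key-url>
bootstrap_repos() {
    el=$(ossec_el "$(uname -r)")     || { echo "unsupported kernel release" >&2; return 1; }
    arch=$(ossec_arch "$(uname -m)") || { echo "unsupported architecture" >&2; return 1; }
    for keyurl in "$@"; do
        import_key "$keyurl" || return 1
    done
    ossec_release_urls "$arch" "$el" | while IFS= read -r url; do
        fetch_verify_install "$url" || exit 1
    done
}
```

Once the release RPMs are in, the yum install that follows is covered by the repo file's own gpgcheck setting; this block only closes the gap for the two packages that are fetched before any repo exists.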

When you are ready to install the OSSEC agents, run ossec-authd as follows to enable the agents to register with the server remotely:

/var/ossec/bin/ossec-authd -p 1515

This starts ossec-authd listening on port 1515 (its default) for registration requests from agents. I left this step out of the server installation script so you can register agents at your leisure. Be aware that this version of ossec-authd does not authenticate the agents that connect to it: any host that can reach port 1515 is handed a key. Leave it running only while you are enrolling agents, and restrict access to the port with a firewall in the meantime.

One more thing to note, when an OSSEC server is installed with yum email notification is disabled. If you want to use email notifications, you’ll have to enable them by hand. See the OSSEC documentation for more information on how to do that.

Agent Installation

On the agent side I also use a script to go through the installation steps. Note that the last step will be to use agent-auth to register with the server, so make sure ossec-authd is up and running before executing this script.

  1. First get the server IP address from the command line so that agent-auth will know how to connect to the OSSEC server. Check to make sure that the server IP is entered on the command line.
    #!/bin/bash
    if [ $# -ne 1 ]; then
        echo "usage: install_agent.sh <server IP>"
        exit 1
    fi
  2. Get the OS type – 32 or 64 bit – AND RedHat version – el5 or el6 – then set the ${os} and ${el} variables accordingly.
    os=`uname -i`
    if [[ `uname -r` == *"el6"* ]]; then
        el="el6"
    else
        el="el5"
    fi
  3. Get repos and dependencies based on OS type and RedHat version. Again, the OSSEC packages require inotify-tools from the Fedora EPEL repository, so the epel-release RPM is installed first. The code shown below will install OSSEC 2.7.1.
    if [ ${os} == "x86_64" ]; then
        if [ ${el} == "el6" ]; then
            rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/6/x86_64/RPMS/ossec-release-1.0-2.el6.art.noarch.rpm
        else
            rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm 
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/5/x86_64/RPMS/ossec-release-1.0-2.el5.art.noarch.rpm
        fi
    else
        if [ ${el} == "el6" ]; then
            rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm 
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/6/i386/RPMS/ossec-release-1.0-2.el6.art.noarch.rpm
        else
            rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm 
            rpm -Uvh http://www5.atomicorp.com/channels/ossec/centos/5/i386/RPMS/ossec-release-1.0-2.el5.art.noarch.rpm
        fi
    fi
  4. Install the OSSEC agent RPM.
    yum install ossec-hids-client -y
  5. When first installed, the agent points to a placeholder server address. Set the OSSEC server IP address in ossec.conf from the one specified on the command line. This part of the script backs up the original ossec.conf, then reads every line from the backup and replaces the one carrying the <server-ip> element with one that contains the OSSEC server IP address.
    conf=/var/ossec/etc/ossec.conf
    mv $conf $conf.bak
    # make sure the backup ends with a newline so read does not drop the last line
    echo >> $conf.bak
    while IFS= read -r line
    do
        if [[ "$line" == *"<server-ip>"* ]]; then
            echo "<server-ip>$1</server-ip>" >> $conf
        else
            echo "$line" >> $conf
        fi
    done < $conf.bak
  6. Register agent with server then start the agent.
    /var/ossec/bin/agent-auth -m $1 -p 1515
    /var/ossec/bin/ossec-control restart
    exit $?

When the agent registers with the server, you’ll see output from ossec-authd indicating whether or not the registration succeeded. You can check which agents are connected with the server by running the agent_control command on the server system:

/var/ossec/bin/agent_control -l

The -l option lists all the registered agents and shows whether each one is currently connected to the server.

To save you the trouble of copying and pasting, here are the scripts in a nice neat tarball – install_ossec.tgz. Note that both scripts are run as root on their respective systems. The server script is run like this:

./install_server.sh

The client script is run by specifying the IP address of the OSSEC server on the command line:

./install_agent.sh <server IP>


4 Comments

yaniv on January 25, 2014 at 1:14 pm.

Hi
Thanks for the post :
small fix
/var/ossec/bin/agent_control -lc

Reply

vic on January 25, 2014 at 2:34 pm.

Actually that’s the command I used in the blog (originally). Instead I think it is better to use the -l option which displays a list of all the agents, whether or not they are connected with the server. So I’m going to change that.

Reply

yaniv on January 26, 2014 at 2:27 pm.

I am getting many errors as

2014/01/26 03:00:55 ossec-analysisd: Rules in an inconsistent state. Exiting.
and
2014/01/26 03:01:51 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2014/01/26 03:01:54 ossec-syscheckd(1210): ERROR: Queue ‘/var/ossec/queue/ossec/queue’ not accessible: ‘Connection refused’.
2014/01/26 03:01:54 ossec-syscheckd(1211): ERROR: Unable to access queue: ‘/var/ossec/queue/ossec/queue’. Giving up..

isn't it more simple to use rsyslog + ossec standalone ?

Reply

vic on January 26, 2014 at 5:07 pm.

To tell you the truth I’m not sure what you are trying to do. Are you trying to get the agent to connect to the server or send alerts to another system via syslog?

Reply
