OSSEC: Ubuntu 20.04

From OnnoWiki
Jump to navigation Jump to search

Sumber: https://kifarunix.com/install-ossec-hids-agent-on-ubuntu-20-04/


Install OSSEC HIDS Agent on Ubuntu 20.04 By koromicha -June 22, 202001948 This tutorial will guide you on how to install OSSEC HIDS agent on Ubuntu 20.04 system from the source tarball. 

OSSEC is an Open Source Host based Intrusion Detection System that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs across multiple platforms including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows etc.

Install OSSEC HIDS Agent on Ubuntu 20.04 Run System Update To begin with, ensure that your system package cache is up-to-date.

apt update Install Required Dependencies A successful build and installation of OSSEC HIDS agent on Ubuntu 20.04 from the source requires quite a number of dependencies to be installed on the system. Run the command below to install these dependencies. apt install gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget tar -y Download Latest OSSEC Source Code OSSEC 3.6 is the latest stable release version as of this writing. Check the releases page for the latest releases.

wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz -P /tmp Extract OSSEC Source Code Once the OSSEC source download is completed, extract it as follows; cd /tmp tar xzf 3.6.0.tar.gz Install OSSEC HIDS Agent on Ubuntu 20.04 To install OSSEC agent, navigate to the source code directory and run the installation script.

cd ossec-hids-3.6.0/ Execute the installation group;

./install.sh Select you installation language. In this case, we choose the default install language, English.

Press ENTER to choose default installation options or select your language from the list. (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: ENTER Again, press ENTER to continue.

-- Press ENTER to continue or Ctrl-C to abort. -- Specify the type of installation. In our case, we are installing ossec-hids agent, hence select agent.

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent 

 - Agent(client) installation chosen.

Choose the installation path. We go with the default, /var/ossec.

2- Setting up the installation environment. 

- Choose where to install the OSSEC HIDS [/var/ossec]: ENTER

   - Installation will be made at  /var/ossec .

Enter the OSSEC-HIDs Server IP address or hostname. Replace the IP used here accordingly.

3- Configuring the OSSEC HIDS. 

 3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.56.11                  

  - Adding Server IP 192.168.56.11

Enable system integrity check 

 3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

  - Running syscheck (integrity check daemon).

Enable rootkit detection engine. 

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

  - Running rootcheck (rootkit detection).

Disable active response. Otherwise, you can enable it if you an understanding of the type and number of alerts you want. 

 3.4 - Do you want to enable active response? (y/n) [y]: n

  - Active response disabled.

The agent installer then displays the log files that are read by default. You can add more later on ossec.conf file. 

 3.5- Setting the configuration to analyze the following logs:
   -- /var/log/messages
   -- /var/log/secure
   -- /var/log/maillog

... Once you are done defining the default options, proceed to install OSSEC agent on Ubuntu 20.04 by pressing ENTER.

Once the agent is installed, you will see an output similar to; 

- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
     /var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
     /var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf



   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at https://github.com/ossec/ossec-hids or using
   our public maillist at  
   https://groups.google.com/forum/#!forum/ossec-list

   More information can be found at http://www.ossec.net

   ---  Press ENTER to finish (maybe more information below). ---

Press ENTER to close the installer.

Connect the OSSEC Agent to OSSEC Server For the agent to communicate with the server;

You can need to first add it to the HIDS server, in our case we used AlienVault OSSIM. After that extract the agent authentication key from the server. Once you have extracted the key, Import the key on the agent by running the command below;

/var/ossec/bin/manage_agents Enter option I, paste the key and confirm adding the key. Then type Q and press enter to exit.

  • OSSEC HIDS v3.6.0 Agent manager. *
  • The following options are available: * 
  (I)mport key from the server (I).
  (Q)uit.

Choose your action: I or Q: I

  • Provide the Key generated by the server.
  • The best approach is to cut and paste it.
      • OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): NSttstGSTsgspsgsjshsYmV5a2ktb3Blbnzk999383nndZwbiAxMC43LjMuNTggMWQyNzBjZTZlNzI2OGI2MWUzOWQ4NTg4YjgwM2ZjNDhhZWY2OTQxZTU2OWE2M2U3MjQ1N2Y1w==

Agent information: 

  ID:10
  Name:koromicha
  IP Address:192.168.43.17

Confirm adding it?(y/n): y 2020/06/22 20:16:03 manage_agents: ERROR: Cannot unlink /queue/rids/sender: No such file or directory Added.

    • Press ENTER to return to the main menu.


  • OSSEC HIDS v3.6.0 Agent manager. *
  • The following options are available: * 
  (I)mport key from the server (I).
  (Q)uit.

Choose your action: I or Q: q

    • You must restart OSSEC for your changes to take effect.

manage_agents: Exiting. manage_agents: Exiting. Running OSSEC Agent Once the installation completes, the installer displays how to run OSSEC agent.

To start the agent;

/var/ossec/bin/ossec-control start Or

systemctl start ossec To stop the agent;

/var/ossec/bin/ossec-control stop Or

systemctl stop ossec Other unit service control commands;

/var/ossec/bin/ossec-control {start|stop|reload|restart|status} To check the status;

/var/ossec/bin/ossec-control status ossec-logcollector is running... ossec-syscheckd is running... ossec-agentd is running... ossec-execd not running... Check the logs to see if the agent has connected to the server;

tail -f /var/ossec/logs/ossec.log 2020/06/22 20:20:54 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.56.11'. 2020/06/22 20:20:56 ossec-agentd: INFO: Trying to connect to server 192.168.56.11, port 1514. 2020/06/22 20:20:56 INFO: Connected to 192.168.56.11 at address 192.168.56.11, port 1514 2020/06/22 20:20:56 ossec-agentd: DEBUG: agt->sock: 14 ... You have successfully installed OSSEC agent on Ubuntu 20.04 and connected it to the HIDS server. Login back to the HIDs server, restart the HIDS server service and check if the agent is active. That brings us to the end of our guide on how to install OSSEC HIDS agent on Ubuntu 20.04.





Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=OSSEC:_Ubuntu_20.04&oldid=62807"