Deploying HIDS Agents to Linux Hosts - Unified Security Management (USM) 4.x-5.x AlienVault

AlienVault
Unified Security Management (USM)™ 4.x-5.x
Deploying HIDS Agents to Linux Hosts
USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2
  Copyright © 2015 AlienVault, Inc. All rights reserved.

  AlienVault™, Unified Security Management™, AlienVault Unified Security Management™,
  AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat
  Exchange™, AlienVault OTX Reputation Monitor™, OTX Reputation Monitor™, AlienVault OTX
  Reputation Monitor AlertSM, OTX Reputation Monitor Alert SM, AlienVault OSSIM™ and OSSIM™
  are trademarks or service marks of AlienVault.
  All other registered trademarks, trademarks or service marks are the property of their respective
  owners.

  Revision to This Document

  Date of Issue       Description of Change(s)

  May, 2013           Original document based on the 4.x release.

  August 18, 2015     Updated for the 5.x release.

  August 18, 2015     Styling updates.

August 18, 2015               USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2    Page 2 of 11
  Contents
     Introduction                                                4
     Prerequisites                                               4
         For Debian-based systems (e.g. Ubuntu)                  5
         For Red Hat-based systems (e.g. CentOS)                 5
     Agent Installation                                          5
         Download                                                5
         Unpacking                                               6
         Compilation                                             6
         Agent Configuration                                     7
         Generating an Agent Key                                 8
         Importing the Agent Key                                 8
         Restarting the AlienVault HIDS Service                  10
     Validation                                                  10
         On the HIDS Agent                                       10
         On the HIDS Server                                      10

    Introduction

    AlienVault HIDS is a host-based Intrusion Detection system, with the following core functionality:
       Log Monitoring and Collection
       File Integrity Checking
       Windows Registry Integrity Checking
       Active Response

    The currently supported version of AlienVault HIDS distributed with AlienVault USM/OSSIM is
    2.8.2.
    AlienVault USM/OSSIM integrates AlienVault HIDS as a key component for providing extended
    visibility into monitored systems via these functions, and to assist in identity management by
    mapping user accounts to actions using the information gathered by AlienVault HIDS.
    AlienVault HIDS operates via server/agent architecture, with some limited support for agentless
    operation with certain operating systems for log retrieval only.
    Agents are deployed to client systems and run as a continuous in-memory service,
    communicating with the central server via UDP port 1514. AlienVault HIDS agentless checks
    are run periodically, communicating with monitored devices via TCP port 22 using the SSH
    protocol.
    Agent/Server authentication is done via Keys, which resemble the following:
    6687cf219a97c5ccf5b476f1f1283bfe18901c12516b3c124dd0e8ae78a46fd2
    Agentless authentication, however, is done using a username and password. For some network
    devices, e.g. Cisco, you will also need to supply additional credentials in order to switch to
    privileged (enable) mode.

    Prerequisites

    The AlienVault HIDS agent must be built from source on the target platform. Many production
    Linux systems have the compilation tools removed, however.
    You may instead perform the build on a staging system and move the built source directory to
    the target system to install the binaries. This is an advanced installation method; this guide
    assumes that the operator understands the mechanics of such an installation, so it is not
    covered in this document.
    The packages needed for a basic build environment depend on the Linux distribution you deploy
    on, but at a minimum you will need a C compiler and the basic kernel and libc header files.
    These can be installed via the appropriate package manager commands.


    For Debian-based systems (e.g. Ubuntu)

     sudo apt-get install build-essential

    For Red Hat-based systems (e.g. CentOS)

     sudo yum groupinstall "Development Tools" -y &&
     sudo yum install kernel-devel -y

    AlienVault HIDS should require no additional library or header files beyond those installed by
    these package commands.

    Agent Installation
    The installation requires administrative privileges – switch to the root account either via:

     su     (this will require the root user password)

    or

     sudo /bin/bash (this will require a password and root sudo privileges)

    Download
         Change the working directory to a location suitable for building and installing software from

          cd /usr/src
         Use the wget or curl commands to download the agent install:

          wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

          or

          curl -O http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

    The URL above is plain HTTP, so the archive can be altered in transit. Before building, compare
    the file's checksum against the value the OSSEC project publishes for the 2.8.2 release and
    discard the archive if they differ.

    If the machine the agent is being deployed to does not have internet access, acquire the
    archive file on another system and copy it to a suitable directory on the target host by
    whatever means you normally use for this task.


    Unpacking
    Extract the downloaded archive using tar:

     tar -xzvf ossec-hids-2.8.2.tar.gz

    Compilation
    The software must be compiled into working binary executables before installation:
     Change the current directory to the unpacked install directory

         cd ./ossec-hids-2.8.2

       Run the installation script

         /bin/bash ./install.sh

              Important: Ubuntu uses /bin/dash as the default shell – this will cause the installer to
              break and install the server component of AlienVault HIDS instead of the agent as
              requested – directly calling /bin/bash in the command above prevents this error from
              occurring.

       Pick a language, default is English (en).
       Begin the Installation.
       Select ‘Agent’ as the installation type.
       Unless you have a pre-established good reason to choose otherwise, accept the default
        installation location: /var/ossec.
       Enter the IP address or Hostname of your USM/OSSIM All-in-One or Sensor.

         Note: Each USM/OSSIM Sensor component has an instance of AlienVault HIDS (a server
         and a local agent) running on it.

       Choose whether you want to run the Integrity Check Daemon, default is ‘yes’.
       Choose whether you want to run the Root Kit Detection Engine, default is ‘yes’.
       Choose whether you want to run the Active Response Engine (enables execution of external
        commands when particular alerts trigger), default is ‘yes’.
       AlienVault HIDS will display the configured defaults:


       The AlienVault HIDS installation script will now begin the compilation and installation
        process.
       Assuming that all prerequisites were met before the installation began, the compilation
        should run and finish, displaying a summary of what was performed.
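    The download, unpacking and compilation steps above can be scripted so the agent build is
    repeatable and cannot be steered into installing the server component. The script below is an
    added example and is not part of the AlienVault guide or the OSSEC project. It assumes the
    tarball has already been copied to the working directory, that the operator supplies the
    release checksum published by the project (EXPECTED_SHA256 is a placeholder), and a
    hypothetical sensor at 192.168.1.240. It preseeds install.sh through etc/preloaded-vars.conf,
    the unattended-install mechanism that OSSEC's install.sh reads, so the installer never prompts.

```shell
#!/bin/bash
# Added example (not from the AlienVault guide or the OSSEC project): unattended
# AlienVault HIDS 2.8.2 agent build. Assumes the tarball is already in the working
# directory, EXPECTED_SHA256 is the release checksum the project publishes (placeholder
# here), and the sensor address 192.168.1.240 is hypothetical.
set -eu

# Return 0 if the file's SHA-256 matches the expected value, 1 otherwise.
verify_checksum() {
    local file="$1" expected="$2" actual
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Preseed install.sh: it reads etc/preloaded-vars.conf from the unpacked source tree
# and skips the interactive questions, so the install type is pinned to "agent"
# regardless of which shell the script is run under.
write_preloaded_vars() {
    local src_tree="$1" server_ip="$2" install_dir="${3:-/var/ossec}"
    cat > "$src_tree/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="$install_dir"
USER_AGENT_SERVER_IP="$server_ip"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_UPDATE="n"
EOF
}

# Verify, unpack, preseed and build in one go. Refuses to build a tarball whose
# checksum does not match, since the download URL is plain HTTP.
build_agent() {
    local tarball="$1" expected_sha="$2" server_ip="$3" src_tree
    verify_checksum "$tarball" "$expected_sha" || {
        echo "checksum mismatch for $tarball, refusing to build" >&2
        return 1
    }
    tar -xzf "$tarball"
    src_tree=$(basename "$tarball" .tar.gz)
    write_preloaded_vars "$src_tree" "$server_ip"
    (cd "$src_tree" && /bin/bash ./install.sh)
}

# Usage as root from /usr/src:
#   build_agent ossec-hids-2.8.2.tar.gz "$EXPECTED_SHA256" 192.168.1.240
```

    Because the install type, target directory and server address come from the preseed file
    rather than from prompts, the /bin/dash problem noted above cannot silently turn an agent
    install into a server install, and the same script can be reused across hosts.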

    Agent Configuration
    With the agent binaries installed on the client system, a new client key must be issued to
    connect this new agent to the AlienVault HIDS server running on AlienVault OSSIM or USM.


    Generating an Agent Key
       Switch over to the AlienVault Web User Interface.
       Go to Environment -> Detection.
       Click the Agents tab.
       Click ‘Add Agent’ to add a new agent.
       Enter the hostname of the new agent, and either its fixed IP address, or the subnet it will be
        assigned an address on via DHCP.
       Click the key icon to extract the newly created agent key assigned to this agent

       Select and copy the client key to the clipboard or a text editor.

    Importing the Agent Key
       Return to the console on the Linux host.
       Execute the manage_agents program (as root):

        /var/ossec/bin/manage_agents
       Enter ‘I’ to import the key.
       Paste the agent key extracted from the server previously:

       Confirm that the key is correct.


       Quit out of the key management tool
       As instructed, restart the AlienVault HIDS agent on the Linux host:

        /var/ossec/bin/ossec-control restart
       The agent can also be started and stopped via the init.d script at:

        /etc/init.d/ossec {start|stop|restart}

       This script is used to launch the agent at system boot.
       You may now exit from the session on the Linux host. The installation is complete.
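    The key string copied from the web UI is the base64 encoding of the line that manage_agents
    appends to /var/ossec/etc/client.keys, in the form "<agent id> <agent name> <ip, range or any>
    <64-hex secret>". Decoding and checking it before import catches a truncated or corrupted
    paste, which otherwise only shows up later as a "Waiting for server reply" loop. The functions
    below are an added example, not part of the AlienVault guide or the OSSEC project; the
    client.keys path and the sample agent name and address are assumptions.

```shell
#!/bin/bash
# Added example (not from the AlienVault guide or the OSSEC project).
# The key string shown in the web UI is base64 of the line
#   "<agent id> <agent name> <ip or range or any> <64-hex secret>"
# which is exactly what manage_agents appends to etc/client.keys.
# Decoding and validating it before import catches a truncated paste.
set -eu

# Print the decoded client.keys line, or return 1 if the key is malformed.
decode_agent_key() {
    local b64="$1" line id name ip secret
    line=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
    # shellcheck disable=SC2086  # word-splitting into the four fields is intended
    set -- $line
    [ "$#" -eq 4 ] || return 1
    id=$1 name=$2 ip=$3 secret=$4
    case "$id" in ''|*[!0-9]*) return 1 ;; esac                 # numeric agent id
    case "$ip" in any|[0-9]*.[0-9]*.[0-9]*.[0-9]*) ;; *) return 1 ;; esac
    [ "${#secret}" -eq 64 ] || return 1                           # 64 hex characters
    case "$secret" in *[!0-9a-f]*) return 1 ;; esac
    printf '%s %s %s %s\n' "$id" "$name" "$ip" "$secret"
}

# Append the decoded line to client.keys (default: the agent's real key file),
# refusing duplicates and keeping the file unreadable to other users.
import_agent_key() {
    local b64="$1" keys_file="${2:-/var/ossec/etc/client.keys}" line
    line=$(decode_agent_key "$b64") || { echo "invalid agent key" >&2; return 1; }
    if [ -f "$keys_file" ] && grep -qxF -- "$line" "$keys_file"; then
        echo "key already present in $keys_file" >&2
        return 1
    fi
    ( umask 027; printf '%s\n' "$line" >> "$keys_file" )
    chmod 640 "$keys_file"   # on a real agent the file is owned root:ossec
}

# Usage on the agent (as root), then restart with /var/ossec/bin/ossec-control restart:
#   import_agent_key "$(cat /tmp/agent.key)"
```

    The decoded line is the shared secret for this agent: treat the pasted key string and
    client.keys the same way you would treat a password file, and delete any temporary copy of
    the key once it has been imported.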


    Restarting the AlienVault HIDS Service
    Once you have finished adding agents, restarting the AlienVault HIDS service on the AlienVault
    Server is recommended to bring everything into sync.
       Switch over to the AlienVault Web User Interface.
       Go to Environment -> Detection.
       Click the AlienVault HIDS Control tab.
       Click the Restart button.
       Allow the services to restart

    Validation
    Validating a successful pairing between the new HIDS client and the HIDS Server can be
    performed from both sides of the connection.

    On the HIDS Agent
    The agent maintains a local log file regarding its operation at /var/ossec/logs/ossec.log.
    A successful connection to the server will create log entries similar to these:

     2014/05/28 10:53:42 ossec-agentd: INFO: Using IPV4 for: 192.168.1.240 .
     2014/05/28 10:53:42 ossec-agentd(4102): INFO: Connected to the server (192.168.1.240:1514).

    Should the HIDS client not be able to connect to the HIDS service on the AlienVault Sensor, you
    will instead see log entries like these:

     2013/05/28 12:20:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
     2013/05/28 12:25:05 ossec-agentd: INFO: Trying to connect to server (192.168.1.240:1514).
     2013/05/28 12:25:05 ossec-agentd: INFO: Using IPv4 for: 192.168.1.240 .

    Because the agent talks to the server over UDP port 1514, a persistent "Waiting for server
    reply" with a correctly imported key usually means that port is blocked between the agent and
    the Sensor, or that the agent's key has not been activated on the server side.
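    The log check above can be automated so a fleet of freshly deployed agents can be verified
    without reading each ossec.log by hand. The following is an added example, not part of the
    AlienVault guide or the OSSEC project; it classifies an agent as connected, waiting or unknown
    from the most recent ossec-agentd connection message and extracts the server endpoint the agent
    last reported.

```shell
#!/bin/bash
# Added example (not from the AlienVault guide or the OSSEC project):
# classify the agent's connection state from /var/ossec/logs/ossec.log.
set -eu

# Print "connected", "waiting" or "unknown" based on the most recent
# ossec-agentd connection message in the given log file.
hids_agent_state() {
    local log="$1" last
    last=$(grep -E 'ossec-agentd(\([0-9]+\))?: (INFO: Connected to the server|WARN: Waiting for server reply)' "$log" \
           | tail -n 1)
    case "$last" in
        *"Connected to the server"*)  echo connected ;;
        *"Waiting for server reply"*) echo waiting ;;
        *)                            echo unknown ;;
    esac
}

# Print the "ip:port" the agent last reported connecting to, if any.
hids_connected_server() {
    grep -E 'ossec-agentd.*Connected to the server' "$1" | tail -n 1 \
        | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# Usage on the agent:
#   hids_agent_state /var/ossec/logs/ossec.log
#   hids_connected_server /var/ossec/logs/ossec.log
```

    The last matching line wins on purpose: an agent that waited for a while during the restart
    and then connected is reported as connected, while one that connected earlier and has since
    fallen back to waiting is reported as waiting.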

    On the HIDS Server
       Return to the AlienVault Web UI.
       Go to Environment > Detection.
       Click the Agents tab.
       Look for the Agent’s listing at the bottom of the main panel, for your newly created agent to
        be marked as Active


       The Trend chart will not populate immediately, because it requires logs to be received from
        the client for a period of time.

    Your HIDS client Installation is now completed.
