Installation

Installation is handled through bash or PowerShell installers that identify the operating system (Windows, CentOS, Red Hat, Ubuntu, AIX, OSX, etc.), download the agent software, register the agent, and finally set the default server/cluster IP address in the individual agent.

Each AEO hub server acts as a software repository for all agent software. It also hosts the bash shell and PowerShell script installers.

../../../_images/ossec-auto-install.png

Linux

The Linux shell script installer installs the agent from a private Yum or Apt repository hosted on the AEO Hub server, configures the agent (ossec.conf), and registers the agent with the hub.

Requirements

  • Root or Sudo permissions

  • bash

Command Line Parameters

ossec-installer.sh <IP.ADDRESS.HUB> <IP.ADDRESS.AUTHD.SERVER> <PROTOCOL> <PORT>

<IP.ADDRESS.HUB> - (Required) IP address of the AP Hub Worker/Master, or Cluster Load balancer

<IP.ADDRESS.AUTHD.SERVER> - (Optional)  IP address of the AP Hub Master, or Cluster Load balancer for agent registration

<PROTOCOL> - (Optional) tcp or udp

<PORT> - (Optional) port for agent traffic, used together with <PROTOCOL>

Step 1: Log into the system, and download the installer from the AEO Hub

wget https://<IP.ADDRESS.HUB>/installers/ossec-installer.sh

Step 2: Change permissions of the installer

chmod +x ossec-installer.sh

Step 3: Execute the script with the IP address of the AEO Hub server

sudo ./ossec-installer.sh <IP.ADDRESS.HUB>

Step 4: (Optional) Configure SELinux (RHEL/Centos)

If SELinux was enabled before the agent was installed, the RPM package automatically adds the SELinux agent policy. Confirm that the module is loaded with:

semodule -l |grep ossec

If SELinux was enabled only after the agent was installed, the policy can be reapplied by reinstalling the package:

yum reinstall ossec-hids-agent
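Steps 1 to 3 fetch a script from the hub and run it as root, so the download itself is the point to check. The script below is an added example written for this page, not part of the Atomicorp installer or the AEO Hub: it retrieves ossec-installer.sh over HTTPS only (refusing plain HTTP and not following redirects), compares it against a SHA-256 value the operator recorded out of band, and only then runs the verified copy with the hub address exactly as Step 3 does. The hub address, the EXPECTED_SHA256 value and the CA_BUNDLE path for a hub with a private CA are assumptions; the hub is not known to publish installer hashes, so the expected value has to come from your own trusted copy.

```shell
#!/bin/bash
# Added example (not part of the Atomicorp installer): download the Linux
# installer over TLS only, verify a SHA-256 recorded out of band, then run it.

HUB_IP="${HUB_IP:-192.168.1.10}"                        # assumed example hub address
INSTALLER_URL="https://${HUB_IP}/installers/ossec-installer.sh"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"                   # assumed: taken from a trusted record
CA_BUNDLE="${CA_BUNDLE:-}"                               # assumed: PEM of the hub's private CA

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Succeed only when the file digest equals the expected value (hex, any case).
# An empty expected value is a failure, never a pass.
verify_sha256() {
    file="$1"; expected="$2"
    if [ -z "$expected" ]; then
        echo "verify_sha256: no expected hash supplied, refusing to trust $file" >&2
        return 1
    fi
    actual="$(sha256_of "$file")"
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Fetch $1 to $2. --proto '=https' refuses anything but HTTPS, --fail turns an
# HTTP error page into a non-zero exit instead of a bogus "installer", and
# redirects are not followed. Never add -k/--insecure here; point --cacert at
# the hub's CA instead.
fetch_installer() {
    if [ -n "$CA_BUNDLE" ]; then
        curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
             --cacert "$CA_BUNDLE" --output "$2" "$1"
    else
        curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
             --output "$2" "$1"
    fi
}

# Download, verify, then run the verified copy the same way Step 3 does.
install_agent() {
    tmp="$(mktemp)" || return 1
    if ! fetch_installer "$INSTALLER_URL" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        echo "install_agent: hash mismatch for $INSTALLER_URL, not executing" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 0700 "$tmp"
    sudo bash "$tmp" "$HUB_IP"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone usage:  EXPECTED_SHA256=<hex> HUB_IP=<hub> ./verified-install.sh --run
if [ "${1:-}" = "--run" ]; then
    install_agent
fi
```

The extra installer arguments (<IP.ADDRESS.AUTHD.SERVER>, <PROTOCOL>, <PORT>) can be appended to the `sudo bash "$tmp" "$HUB_IP"` line unchanged; the point of the wrapper is that nothing reaches that line unless it came over TLS and matches the recorded digest.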

Windows: Manual Installation with PowerShell

The Windows PowerShell script installer installs the agent from a private HTTP/HTTPS repository hosted on the AEO Hub server, or from a shared drive. It then configures the agent (ossec.conf) and registers the agent with the hub.

Requirements

  • Administrator rights

  • PowerShell 5.1 or higher for HTTP/HTTPS installations

Command Line Parameters

agent_deployV2.ps1 -ossec_exe <path/url> -server_ip <IP>

-ossec_exe <path/url> - path or URL to the agent software (the parameter name used in all examples below)

-server_ip <IP> - IP address of the AP Hub, or Cluster load balancer

-agent_name <name> - (optional) name to use for the agent. Default: windows hostname

-port <port> - (optional) Agent registration port. Default: 1515/TCP

-password <password> - (optional) password for authenticated agent registration

-secure_port <secure_port> - (optional) port for agent traffic. Default: 1514/UDP

-prompt_agent_name [0|1] -  (optional) interactive mode to prompt for the agent name. Cannot be used in a GPO

-use_fqdns [0|1] - (optional) Use the Fully Qualified DNS Name (FQDN) for the agent name

-update_agent - (optional) Update agent to specified version. Default: ossec-agent-latest

-reinstall [0|1] - (optional) reinstall the agent. Note this will replace the existing key and config

-rekey [0|1] - (optional) forces an existing installation to request a new key

-default_name - (optional) use <external IP>-<hostname> naming key for the agent.

-help - display help

Step 1: Open PowerShell as an Administrator and run the following command to download the agent installer. The hub also serves this path over HTTPS (as in the Linux steps); prefer it when the host trusts the hub certificate, since the downloaded script is later executed with the execution policy bypassed.

Invoke-WebRequest http://<hub_ip>/installers/agent_deployV2.ps1 -Outfile .\agent_deployV2.ps1

Step 2: For first-time agent installs, or for scaling agent installs via GPO or other third-party tools in a Windows environment, open a CMD shell as an Administrator in the directory where agent_deployV2.ps1 was downloaded and run the following, where <hub_ip> is the IP address of the AP Hub or Cluster load balancer:

powershell -executionpolicy bypass -file .\agent_deployV2.ps1 -ossec_exe http://<hub_ip>/channels/awp-hub-repo/windows/ossec-agent-latest.exe -server_ip <hub_ip>

Example 1: Installation via a network share at E:\sharing

powershell -executionpolicy bypass -file .\agent_deployV2.ps1 -ossec_exe E:\sharing\ossec-agent-latest.exe -server_ip 192.168.1.10

Example 2: Install from the AEO Hub and set an alternate agent name of myexample

powershell -executionpolicy bypass -file .\agent_deployV2.ps1 -ossec_exe http://192.168.1.10/channels/awp-hub-repo/windows/ossec-agent-latest.exe -server_ip 192.168.1.10 -agent_name myexample

Windows: MSI Installer

The MSI installation method allows the AEO Hub server address, the authd server address and the agent name to be passed directly to the MSI file as properties (the same properties can be passed through msiexec /i).

Command Line Parameters

ossec-agent-latest.msi ADDRESS=<IP>

/q - quiet/unattended mode

ADDRESS=<IP> - Address of the AP Hub, or Cluster Load Balancer

AUTHD_SERVER=<IP> - (Optional)  Address of the AP Hub, or Master Cluster node

AGENT_NAME=<name> - (Optional)  Name to assign this agent

Example: HUB server at 192.168.1.1, setting agent name to W2012

ossec-agent-latest.msi /q ADDRESS="192.168.1.1" AUTHD_SERVER="192.168.1.1" AGENT_NAME="W2012"

Windows: Automated Installation using Active Directory (GPO)

Bulk installation can be automated in a Windows environment through an Active Directory Group Policy Object configured on the domain controller. The GPO can be attached to startup/shutdown scripts or to the scheduled task manager. The workflow for this mechanism is:

  • Installs and configures the agent on a host reboot

  • Runs one time

  • Copies agent_deployV2.ps1 from a share drive to the system

  • The scheduled task runs agent_deployV2.ps1 locally as SYSTEM

  • Downloads the software to C:\ossec-agent-latest.exe

  • Installs the application

  • Registers the agent with the hub server

  • Configures and starts the agent on the host

Step 1: Copy the Atomicorp agent_deployV2.ps1 to a share drive available to all hosts in the domain. Ex: \\WIN-GR3UV2QCST8.atomicorp.com\sharing\agent_deployV2.ps1. Make the share read-only for domain computers and ordinary users: anything that can modify this file gets to run as SYSTEM on every host the GPO applies to.

Step 2: From server manager Dashboard select: Tools-> Group Policy management

Step 3: Select your domain. Ex: atomicorp.com

Step 4: Right click on your domain, create GPO in this domain and link it here. Ex: install1

../../../_images/windows-gpo-installation1.png

Step 5: Right click on install1, select edit

../../../_images/windows-gpo-installation2.png

Step 6: Select Computer Configuration->Preferences->Windows Settings->Files

Step 7: Right click and select New->File

Step 8: Set Action to Create

Step 9: Select the path to the source file, Ex: \\WIN-GR3UV2QCST8.atomicorp.com\sharing\agent_deployV2.ps1, and the path to the destination on the host, Ex: C:\agent_deployV2.ps1

../../../_images/windows-gpo-installation3.png

Step 10: Click OK

Step 11: Select Computer Configuration->Preferences->Control Panel Settings->Scheduled Tasks

Step 12: Right click and select New->Immediate Scheduled Task (Windows 7 or later)

Step 13: Enter name, Ex: install-agent

Step 14: Enter description, Ex: install Atomicorp agent

Step 15: Select When running the task, use the following user account, enter: SYSTEM

Step 16: Select Run whether user is logged on or not

Step 17: Select Run with highest privileges

Step 18: In Configure for, select Windows 7, Windows Server 2008 R2

../../../_images/windows-gpo-installation4.png

Step 19: Select the Actions tab, and click New

Step 20: Enter in Program/Script: powershell.exe

Step 21: Enter the following in Add arguments (optional), replacing 192.168.1.101 with the IP address of the AP Hub, or cluster load balancer. Ex:

-executionpolicy bypass -file C:\agent_deployV2.ps1 -ossec_exe http://192.168.1.101/channels/awp-hub-repo/windows/ossec-agent-latest.exe -server_ip 192.168.1.101

Step 22: Click OK

../../../_images/windows-gpo-installation5.png

Step 23: Select the Common tab, and check Apply once and do not reapply

Step 24: Click OK

Step 25: Reboot hosts in this domain to run this GPO

AIX

AIX installations use RPM and/or yum, similar to Red Hat and CentOS Linux environments.

RPM Installation

  1. Download the AIX rpm packages from the AEO Hub

wget https://<hub_ip>/channels/awp-hub-repo/aix/7/ppc/ossec-hids-4.0.0-1.art.aix7.2.ppc.rpm
wget https://<hub_ip>/channels/awp-hub-repo/aix/7/ppc/ossec-hids-agent-4.0.0-1.art.aix7.2.ppc.rpm

  2. Install both packages:

rpm -Uvh ossec-hids*.rpm

  3. Set <hub_ip> in /var/ossec/etc/ossec.conf

  4. Provision the agent key with:

/var/ossec/bin/agent-auth -m <hub_ip>

  5. Start the agent:

/var/ossec/bin/ossec-control start

Yum installation

  1. Add the yum repo to /etc/yum.repos.d/atomicorp.repo (if the hub publishes a package signing key, also add gpgcheck=1 and a gpgkey= line so yum verifies what it installs):

    [atomicorp-ossec]
    name=atomicorp ossec
    baseurl=https://<hub_ip>/channels/awp-hub-repo/aix/7/ppc
    
  2. Install agent:

    yum install ossec-hids-agent
    
  3. Configure ossec.conf:

    vim /var/ossec/etc/ossec.conf
    Set <server-ip> to the hub ip
    
  4. Register agent:

    /var/ossec/bin/agent-auth -m <hub_ip>
    
  5. Start Agent

    /var/ossec/bin/ossec-control start
    

Solaris

Requirements

  • root or sudo access

  • bash

  • wget

Step 1: Download package from hub

wget https://<hub_ip>/channels/awp-hub-repo/solaris/11/sparc/ossec-hids-agent-4.0-1.sol11.art.sparc

Step 2: Install with pkgadd

pkgadd -d /path/to/ossec-hids-agent-4.0-1.sol11.art.sparc

Step 3: Configure hub ip

vim /var/ossec/etc/ossec.conf
<address>hub_ip</address>
Example:
<address>1.2.3.4</address>

Step 4: Register agent

/var/ossec/bin/agent-auth -m <hub_ip>

Step 5: Start agent

/var/ossec/bin/ossec-control start
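The AIX and Solaris steps above edit /var/ossec/etc/ossec.conf by hand, register with agent-auth and then start the agent. As an added example, not part of the Atomicorp packages, the POSIX sh functions below do that edit non-interactively and add the check a practitioner wants before starting: the configured hub address is the intended one, and agent-auth actually left a key in client.keys. Both tag styles shown on this page are handled (<server-ip> in the AIX yum section, <address> in the Solaris section), and the rewrite goes through a temporary file because sed -i is not available on those platforms. The file paths are the standard OSSEC ones; the hub address 192.168.1.10 and all sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Atomicorp packages): set and verify the hub
# address in an OSSEC agent ossec.conf without an interactive editor, then
# confirm the agent is ready to start. POSIX sh only, so it runs on AIX/Solaris.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"      # standard OSSEC agent config
CLIENT_KEYS="${CLIENT_KEYS:-/var/ossec/etc/client.keys}"   # written by agent-auth

# Print the hub address currently configured in $1 (nothing if unset).
# Handles <server-ip>x</server-ip> and <server><address>x</address></server>.
get_hub_ip() {
    sed -n -e 's/.*<server-ip>\([^<]*\)<\/server-ip>.*/\1/p' \
           -e 's/.*<address>\([^<]*\)<\/address>.*/\1/p' "$1" | head -1
}

# Validate a dotted-quad IPv4 address in plain sh: four numeric octets, each 0-255.
# Globbing is switched off while the string is split so "*" cannot expand.
valid_ipv4() {
    old_ifs="$IFS"
    set -f; IFS=.; set -- $1; IFS="$old_ifs"; set +f
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Rewrite the hub address in $1 to $2. The temp file is created with cp -p so
# the original mode and owner survive the swap; sed -i is not portable here.
# Refuses malformed addresses so a typo never lands in the running config.
set_hub_ip() {
    conf="$1"; ip="$2"
    if ! valid_ipv4 "$ip"; then
        echo "set_hub_ip: refusing to write invalid hub address '$ip'" >&2
        return 1
    fi
    tmp="${conf}.tmp.$$"
    cp -p "$conf" "$tmp" || return 1
    sed -e "s/<server-ip>[^<]*<\/server-ip>/<server-ip>$ip<\/server-ip>/" \
        -e "s/<address>[^<]*<\/address>/<address>$ip<\/address>/" "$conf" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
}

# Pre-start check: hub address is the intended one and agent-auth produced a key.
agent_ready() {
    conf="$1"; keys="$2"; expected="$3"
    configured="$(get_hub_ip "$conf")"
    if [ "$configured" != "$expected" ]; then
        echo "agent_ready: $conf points at '$configured', expected '$expected'" >&2
        return 1
    fi
    if [ ! -s "$keys" ]; then
        echo "agent_ready: $keys is missing or empty; run agent-auth -m $expected first" >&2
        return 1
    fi
    return 0
}

# Usage on a freshly installed AIX or Solaris agent (assumed hub 192.168.1.10):
#   set_hub_ip "$OSSEC_CONF" 192.168.1.10
#   /var/ossec/bin/agent-auth -m 192.168.1.10
#   agent_ready "$OSSEC_CONF" "$CLIENT_KEYS" 192.168.1.10 && /var/ossec/bin/ossec-control start
```

Gating ossec-control start on agent_ready is the useful part: an agent started with the placeholder address or an empty client.keys runs but never reports, and that silence is easy to miss across a fleet.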

OSX

Requirements

  • root or sudo access

  • bash

  • wget

Command Line Parameters

osx-agent-installer.sh --server_ip <IP> [--agent_name <name>] [--port <port>]

--server_ip <IP> - IP address of the AP Hub, or Cluster Load balancer

--agent_name <name> - (Optional) specify a name for the agent. Default: System hostname

--port <port> - (Optional)

Step 1: Download the installer

wget http://<hub_ip>/installers/osx-agent-installer.sh

Step 2: Set execute permissions

chmod +x osx-agent-installer.sh

Step 3: Run the installer with root privileges

sudo ./osx-agent-installer.sh --server_ip=<hub_ip> --agent_name="<name_of_agent>"