By Rory Bray, Daniel Cid and Andrew Hay
Service provider takeaway: Open source security (OSSEC) is a commonly used host-based intrusion detection software that detects unauthorized activity on any particular computer. This section of the chapter excerpt from the book OSSEC Host-Based Intrusion Detection Guide reviews how to streamline the installation of the OSSEC HIDS.
Download the .pdf of the chapter here.
Because the installation script is menu-driven, it does not lend itself well to an automated installation. On the server side, this is not a significant issue because there are fewer servers. On the agent side, however, this can be cumbersome. Fortunately, the OSSEC HIDS file structure and configuration is reasonably simple, and therefore there are a few tricks we can play.
Install once, copy everywhere
With the agents in particular, almost all the files are identical for every agent. The one significant exception is the client.keys file, which must be unique for each host. Assuming a mass installation is required and that the host operating system is virtually identical for all agents, we can install to one agent and then replicate the files to all agents.
Similarly, if you or your organization has a standard system image, the files can be added to the image and therefore automatically installed on each host. This is a common strategy for many organizations or enterprises, and works well for the OSSEC HIDS. The only customization required is to properly import the agent key on each host. This, too, can be done more directly than with the cut-and-paste method, which is difficult to automate.
In the case of Unix-based hosts, SSH is used for file transfers and remote access. Virtually every Unix administrator is familiar with its use and utility.
Unix, Linux, and BSD
Because all of the OSSEC HIDS files (excluding the initialization scripts) are contained the directory where it is installed, we can copy this entire directory structure (excluding etc/
client.keys) to each host using whichever file transfer method is most convenient. It is important, however, to preserve file permissions and ownership during the transfer. Typically, this means using tar to package the files, transferring the tar file to the destination host, and then extracting on the host. Assuming the OSSEC HIDS is installed at /var/ossec and the agent hosts are all Linux, the tar fie can be created using:
# cd /; tar --exclude client.keys -cf /tmp/ossec.tar var/ossec
etc/init.d/ossec 'find etc -name "S[0-9][0-9]ossec"'
'find etc -name "K[0-9][0-9]ossec" '
Now, assuming that the target host is --> .168.65.30, we can transfer the full OSSEC HIDS install in one long line. The ossec user must be created on the target to preserve permission so this is included:
# cat /tmp/ossec.tar | ssh email@example.com
"groupadd ossec; useradd -g ossec -d /var/ossec ossec; cd / ; tar -xf - "
The full OSSEC HIDS installation, configuration, and rules have been transferred to the remote agent, including initialization scripts and proper permissions. These commands also work similarly with any Unix-based operating system that has SSH installed. All that remains now is to import the keys to each agent.
Push the Keys
With all the files in place on the agents, each agent needs a key. The only difference between the client.keys file on the server and the file on an agent host is the number of lines. The server copy of the client.keys file has all agent keys, with one per line. The agent client.keys file has only the one line belonging to that agent.
Configuring the keys on the agent simply requires you to extract the single line for that agent to a file and then copy that file to the agent host. On the server side, because it is always Unix or Linux based, extracting the key for a single agent is the first step. Assuming the agent name provided when creating the key is mars and that the OSSEC HIDS is installed at /var/ossec:
# grep 192.168.65.30 /var/ossec/etc/client.keys > /tmp/agent.key
Unix, Linux, and BSD
Pushing the key to a Unix- or Linux-based host is also a one-line command. Assuming the
OSSEC HIDS is installed to /var/ossec on the agent:
# scp /tmp/agent.key firstname.lastname@example.org:/var/ossec/etc/client.keys
Alternatively, if the agent is accessible using a networked file system, a file copy can be performed. While this approach does not provide a complete solution, you can see that the steps required to perform a remote installation and configuration of the OSSEC HIDS are easy.
OSSEC Host-Based Intrusion Detection Guide
Downloading OSSEC HIDS
Performing local installation
Performing server agent installations
Installing the Windows agent
Streamlining the installations
Summary and FAQs
About the book
OSSEC Host-Based Intrusion Detection Guide is specifically devoted to Open Source Security (OSSEC) and is a comprehensive and exhaustive guide to the often complicated procedures of installing and implementing such an intrustion detection software. Purchase the book from Syngress Publishing.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "OSSEC Host-Based Intrusion Detection Guide" by Rory Bray, Daniel Cid and Andrew Hay. For more information about this title and other similar books, please visit www.elsevierdirect.com.