Wednesday, February 6, 2013

Add OSSEC agents to Security Onion


The OSSEC configuration process is documented on the OSSEC site.

Run the following on the Security Onion server:
sudo /var/ossec/bin/manage_agents

** You may need to open port 1514 in the firewall using ufw.

After that, you see the start screen:
****************************************
* OSSEC HIDS v2.5-SNP-100809 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:
You can now choose one of the actions.

Adding an agent

To add an agent, type A at the start screen:

Choose your action: A,E,L,R or Q: a

You are then asked to provide a name for the agent to be added. This can, for example, be the hostname. In this example the agent name will be agent1.

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agent1

After that you have to specify the IP address for the agent. This can either be a single IP address (e.g. 192.168.1.25), a range of IPs (e.g. 192.168.2.0/24), or any. Using a network range or any is preferable when the IP of the agent may change frequently because of DHCP or another service.
* The IP Address of the new agent: 192.168.2.0/24

The last information you will be asked for is the ID you want to assign to the agent. manage_agents will suggest a value for the ID to you. This value is the lowest positive number that is not already assigned to another agent. The ID 000 is assigned to the OSSEC server. To accept the suggestion, simply press ENTER. To choose another value, type it in and press ENTER.
* An ID for the new agent[001]:
Now you have to confirm adding the agent and you are done with this step.
After that manage_agents appends the agent information to /var/ossec/etc/client.keys and goes back to the start screen.

Extracting the key for an agent

After adding an agent, a key for the agent is created that has to be copied to the agent. To get the key, use the E option in the manage_agents start screen. You will be given a list of all agents already added to the server. To extract the key for an agent, simply type in the ID of the respective agent. It is important to note that you have to enter all digits of the ID.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: agent1, IP: 192.168.2.0/24
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5MmQ4NDE4MjYwMjJkN2ZkMzNkYzZiOWE5NWY4MzU5YWRlY2JkY2Rm

** Press ENTER to return to the main menu.
You can now copy that key to agent1 and import it there via the agent version of manage_agents.
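Before pasting an extracted key into the agent-side manage_agents, it is worth checking that it really belongs to the agent you just added. The key manage_agents prints is the base64 encoding of the four space-separated client.keys fields (id, name, IP or range, 64-character hex secret). The following helper is an added example, not code from this post or from OSSEC; the sample key it decodes is constructed with a made-up secret.

```python
"""Inspect an OSSEC agent key before importing it on the agent.

manage_agents prints the key as base64 of the client.keys line:
    "<id> <name> <ip|cidr|any> <64 hex chars>"
"""
import base64
import binascii
import ipaddress
import re
from typing import Dict

_KEY_HEX = re.compile(r"^[0-9a-f]{64}$")


def parse_agent_key(key_b64: str) -> Dict[str, str]:
    """Decode a manage_agents key and validate its four fields."""
    try:
        raw = base64.b64decode(key_b64.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64-encoded OSSEC key: {exc}") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (id name ip key), got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError(f"bad agent id {agent_id!r}")
    if agent_id == "000":
        raise ValueError("id 000 is reserved for the OSSEC server")
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises ValueError if malformed
    if not _KEY_HEX.match(secret):
        raise ValueError("agent secret is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "key": secret}


def matches_listing(key_b64: str, agent_id: str, name: str, ip: str) -> bool:
    """True when the key's id/name/ip equal what the (L)ist option showed."""
    parsed = parse_agent_key(key_b64)
    return (parsed["id"], parsed["name"], parsed["ip"]) == (agent_id, name, ip)


# Constructed sample: the client.keys line for agent1 from the walkthrough,
# with a made-up secret, base64-encoded the way manage_agents prints it.
SAMPLE_KEY = base64.b64encode(
    b"001 agent1 192.168.2.0/24 " + b"0123456789abcdef" * 4
).decode("ascii")

if __name__ == "__main__":
    print(parse_agent_key(SAMPLE_KEY))
    print(matches_listing(SAMPLE_KEY, "001", "agent1", "192.168.2.0/24"))
```

Run it against the string printed by the E option and compare the decoded id, name and IP with the entry shown under "Available agents" before importing on the agent.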