
Agents

Published 2024-10-11 20:49:16

To get started with these processes, OSSEC has many different options for installation. From the www.ossec.net website, you can choose from a server/agent tar.gz file, a virtual appliance, a Docker container, and an .exe file for the Windows agents.

The easiest install for a new user is the virtual appliance. Inside the virtual appliance, which is based on a CentOS Linux 7 distribution, you have the files needed, so getting the .ova file set up is fairly easy. Do not forget: When you download an .ova file, there is usually a .readme file. Be sure to open and read the file for any helpful hints such as default passwords, ports to open or connect on, or ways to bridge with your host network. Two CentOS users are predefined in the virtual appliance: ossec and root . The root password is _0ssec_ . The ossec user does not have a password, so you can just press Enter to log on.

If you are working with the OSSEC Virtual Appliance 2.9.3 and downloaded it from OSSEC's GitHub, it already contains the following:

  • OSSEC 2.9.3
  • Elasticsearch-Logstash-Kibana (ELK) 6.1.1
  • Cerebro 0.7.2
  • CentOS 7.4

You can import this virtual appliance into most hypervisors. OSSEC recommends VirtualBox for creating and running the appliance, but VMware works as well. The appliance's network interface is configured in NAT mode; to use it as a server that agents can reach, switch the network to bridged mode and give it a static IP. Figure 5.4 shows the Kibana OSSEC dashboard, which visualizes alerts: how many over time, the top alerts per deployed agent, and the alert data itself.


Figure 5.4 : The OSSEC dashboard

Two types of agents feed data into OSSEC: installable and agentless. Installable agents are installed on hosts and report to the server over OSSEC's own encrypted channel (UDP port 1514 by default). Agentless monitoring requires no installation on the remote host: the manager logs in to the system itself, over SSH, gathers the information, and hands it to its own analysis engine for decoding. Both types are registered and maintained from the OSSEC manager.

To add an agent, you will need to do the following:

  1. Run manage_agents .
  2. Add an agent.
  3. Extract and copy the key for the agent.
  4. Run manage_agents on the agent.
  5. Import the key.
  6. Restart the OSSEC server.
  7. Start the agent.

Figure 5.5 shows the OSSEC agent manager. To run manage_agents from the terminal, make sure you have root privileges and type the following:

# /var/ossec/bin/manage_agents

Figure 5.5 : OSSEC agent manager

Several options are available in the agent manager: add an agent (A), extract a key for an agent (E), list existing agents (L), remove an agent (R), and quit (Q). You choose an action by typing its letter at the prompt.

Adding an Agent

To perform this action, type a at the Choose Your Action prompt on the manage_agents screen and press Enter.

You are then prompted for a name for the new agent. This can be the hostname or any other string that identifies the system. Figure 5.6 shows an example. As a best practice, adopt a consistent naming convention and track your agents in a spreadsheet or inventory system.

Figure 5.6 : An example of a representative agent name (the name encodes agent, city, application, device type, and sequence number)

From this agent name, I know that it is an agent in Denver in rack 3. It's a server, and the agent sequence number is 01. Too many times organizations name their machines for what they run and hand the attacker a road map to exploitation on a silver platter. Obscurity is no substitute for hardening, but there is no reason to advertise a target either: you wouldn't name a machine WIN2K8SQL, would you?

After you have named the agent, you have to specify its IP address. This can be a single IP address, a range of addresses, or the keyword any. If you use a specific IP address, it must be unique: the manager matches an agent's traffic against the address recorded for it, so a duplicated IP address will most definitely cause problems later.

Using a network range is preferable when the IP of an agent changes frequently because of DHCP or if different systems appear to come from the same IP address (NAT). For ease of use, you can use CIDR notation when specifying ranges.

Next you are asked for the ID to assign to the agent. manage_agents suggests a value, the lowest number not already assigned to another agent; the ID 000 is reserved for the OSSEC server. To accept the suggestion, simply press Enter. To choose another value, type it in and then press Enter.

As the final step in creating an agent, you have to confirm adding the agent. In the following example, the values typed at each prompt are 001, ADENRK3SVR01, 192.168.100.1 and y:

ID: 001
Name: ADENRK3SVR01
IP Address: 192.168.100.1
Confirm adding it?(y/n): y
Agent added.

After that, manage_agents appends the agent information to /var/ossec/etc/client.keys and goes back to the start screen. If this is the first agent added to this server, restart the server's OSSEC processes by running /var/ossec/bin/ossec-control restart .

Extracting the Key for an Agent

Each agent shares a unique pre-shared key with the manager, one entry per agent in client.keys, so 100 agents means 100 keys. The key is generated when you add the agent. To extract it, type e at the Choose Your Action prompt on the manage_agents screen. You will be given a list of all agents on the server. Type in the agent ID, all digits included, as in the following example where 001 is typed at the prompt:

Available agents:
   ID: 001, Name: ADENRK3SVR01, IP: 192.168.100.1
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
WERifgh50weCbNwiohg'oixjHOIIWIsdv1437i82370skdfosdFrghhbdfQWE332dJ234

The exported string is a base64 encoding of the agent's ID, name, IP address and key. You add it on the agent through the agent version of manage_agents (the import option); copy and paste it rather than retyping it, because a single wrong character makes the key useless.

Removing an Agent

If you want to remove an OSSEC agent from the server, type r at the Choose Your Action prompt on the manage_agents screen. You will be given a list of all agents already added to the server. Type in the ID of the agent (all digits included), press Enter, and then confirm the deletion when prompted. Here's an example, with r, 001 and y typed at the prompts:

Choose your action: A,E,L,R or Q: r
Available agents:
   ID: 001, Name: ADENRK3SVR01, IP: 192.168.100.1
Provide the ID of the agent to be removed (or '\q' to quit): 001
Confirm deleting it?(y/n): y

There is no secondary confirmation. Double-check that you are removing the proper agent, because once manage_agents invalidates the agent information in /var/ossec/etc/client.keys you will have to start all over again if you have made a mistake. Yes, I have done it. Learn from my mistakes. Only the values for the ID and the key are kept, to avoid conflicts when adding agents later. The deleted agent can no longer communicate with the OSSEC server.
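To make the client.keys bookkeeping behind the add, extract, import and remove actions above concrete, here is a small Python model of it. This is an added example, not code from the book or from the OSSEC project: it parses a constructed client.keys sample, suggests the lowest unused ID (000 stays reserved for the manager, and a removed agent still reserves its ID), refuses a duplicate single IP, builds the base64 export string and decodes it the way the agent side must, and marks a removed agent with a leading "!" on its name. The "!" marker, the 64-hex-character key length and the ADENRK3* names and addresses are assumptions made for the example.

```python
import base64
import ipaddress
import re
import secrets

SERVER_ID = "000"  # reserved for the OSSEC manager itself

# Constructed sample client.keys (not from any real deployment). One agent per
# line: "<id> <name> <ip> <key>". A "!" in front of the name marks an agent that
# manage_agents has removed but whose ID and key stay on file (assumed marker).
SAMPLE_CLIENT_KEYS = """\
001 ADENRK3SVR01 192.168.100.1 3f1c0e8d5b2a4c6e7f8091a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2
002 ADENRK3WEB01 192.168.100.0/24 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
003 !ADENRK3SVR02 192.168.100.3 0f0e0d0c0b0a09080706050403020100ffeeddccbbaa99887766554433221100
"""


def parse_client_keys(text):
    """Parse client.keys text into a list of agent records."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line: {line!r}")
        agent_id, name, ip, key = parts
        agents.append({"id": agent_id, "name": name.lstrip("!"), "ip": ip,
                       "key": key, "removed": name.startswith("!")})
    return agents


def normalize_ip(ip):
    """Accept 'any', a single address or a CIDR range, as manage_agents does."""
    if ip == "any":
        return ip
    if "/" in ip:
        return str(ipaddress.ip_network(ip, strict=False))
    return str(ipaddress.ip_address(ip))


def suggest_id(agents):
    """Lowest ID not yet in use; removed agents still reserve theirs."""
    used = {int(a["id"]) for a in agents} | {int(SERVER_ID)}
    candidate = 1
    while candidate in used:
        candidate += 1
    return f"{candidate:03d}"


def add_agent(agents, name, ip, agent_id=None, key=None):
    """Append a new agent, refusing a reused ID or a duplicate single IP."""
    ip = normalize_ip(ip)
    agent_id = agent_id or suggest_id(agents)
    if not re.fullmatch(r"\d{3,}", agent_id) or agent_id == SERVER_ID:
        raise ValueError(f"invalid agent ID {agent_id!r}")
    for a in agents:
        if a["id"] == agent_id:
            raise ValueError(f"ID {agent_id} is already used by {a['name']}")
        if not a["removed"] and ip != "any" and "/" not in ip and a["ip"] == ip:
            raise ValueError(f"IP {ip} is already assigned to agent {a['id']}")
    # 64 hex characters: assumed to match the length of the keys OSSEC generates.
    record = {"id": agent_id, "name": name, "ip": ip,
              "key": key or secrets.token_hex(32), "removed": False}
    agents.append(record)
    return record


def export_key(agent):
    """The string manage_agents prints for 'e': base64 of 'id name ip key'."""
    raw = f"{agent['id']} {agent['name']} {agent['ip']} {agent['key']}"
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


def import_key(exported):
    """Agent-side decode of an exported key string; rejects anything malformed."""
    try:
        raw = base64.b64decode(exported, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("not a valid exported agent key") from exc
    parts = raw.split()
    if len(parts) != 4 or not re.fullmatch(r"[0-9a-f]{64}", parts[3]):
        raise ValueError("exported key has an unexpected layout")
    agent_id, name, ip, key = parts
    return {"id": agent_id, "name": name, "ip": ip, "key": key, "removed": False}


def remove_agent(agents, agent_id):
    """Invalidate an agent but keep its ID and key so the ID is never reissued."""
    for a in agents:
        if a["id"] == agent_id and not a["removed"]:
            a["removed"] = True
            return a
    raise ValueError(f"no active agent with ID {agent_id}")


def render_client_keys(agents):
    return "".join(f"{a['id']} {'!' if a['removed'] else ''}{a['name']} "
                   f"{a['ip']} {a['key']}\n" for a in agents)
```

Running parse_client_keys on the sample and then add_agent(agents, "ADENRK3SVR03", "192.168.100.7") assigns ID 004 (003 is still reserved by the removed agent), a second add with 192.168.100.1 is refused as a duplicate, and import_key(export_key(record)) returns the same record, which is exactly why pasting the exported string rather than retyping it matters: one corrupted character and the agent side cannot decode it.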

When you have installed your agents on Windows and Linux machines, they should automatically start checking in with the manager. When you open up the Kibana OSSEC dashboard, you will see there are three major panels.

  • OSSEC Alerts Over Time—There is a bar graph that displays the number of events by a unit of time.
  • Top Alerts Per Agent—This pie chart shows the top alerts for each active agent.
  • OSSEC Alert Data—This table displays the individual alerts and the fields being alerted on, as you see in Figure 5.7 .

Figure 5.7 : OSSEC individual agent alert
