AlienVault Unified Security Management (USM) 4.x-5.x Deploying HIDS Agents to Linux Hosts
USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2

Copyright 2015 AlienVault, Inc. All rights reserved. AlienVault, Unified Security Management, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert(SM), OTX Reputation Monitor Alert(SM), AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault. All other registered trademarks, trademarks or service marks are the property of their respective owners.

Revision to This Document

  Date of Issue      Description of Change(s)
  May, 2013          Original document based on the 4.x release.
  August 18, 2015    Updated for the 5.x release.
  August 18, 2015    Styling updates.

August 18, 2015   USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2   Page 2 of 11

Contents

  Introduction ............................................. 4
  Prerequisites ............................................ 4
    For Debian-Based Systems (e.g. Ubuntu) ................. 5
    For Redhat-Based Systems (e.g. CentOS) ................. 5
  Agent Installation ....................................... 5
    Download ............................................... 5
    Unpacking .............................................. 6
    Compilation ............................................ 6
  Agent Configuration ...................................... 7
    Generating an Agent Key ................................ 8
    Importing the Agent Key ................................ 8
  Restarting the AlienVault HIDS Service ................... 10
  Validation ............................................... 10
    On the HIDS Agent ...................................... 10
    On the HIDS Server ..................................... 10

Introduction

AlienVault HIDS is a host-based intrusion detection system with the following core functionality:

  - Log monitoring and collection
  - File integrity checking
  - Windows Registry integrity checking
  - Active response

The version of AlienVault HIDS currently distributed with AlienVault USM/OSSIM is 2.8.2.

AlienVault USM/OSSIM integrates AlienVault HIDS as a key component: it extends visibility into monitored systems through the functions above, and it assists Identity Management by mapping user accounts to actions using the information AlienVault HIDS gathers.

AlienVault HIDS uses a server/agent architecture, with limited agentless support for certain operating systems (log retrieval only). Agents are deployed to client systems and run as a continuous in-memory service, communicating with the central server over UDP port 1514. Agentless checks run periodically and communicate with the monitored devices over TCP port 22 using SSH.

Agent/server authentication uses pre-shared keys, which resemble the following:

  6687cf219a97c5ccf5b476f1f1283bfe18901c12516b3c124dd0e8ae78a46fd2

Treat an agent key as a credential: whoever holds it can submit events to the server in that agent's name. Agentless authentication, by contrast, uses a username and password; for some network devices (e.g. Cisco) you must also supply the additional credentials needed to switch to privileged mode.

Prerequisites

The AlienVault HIDS client must be built from source code on the target platform. Many production Linux systems have the compilation tools removed, however. You may perform the build on a staging system and then move the source build directory to the target system to install the binaries, but this is an advanced installation method; this guide assumes the operator understands the mechanics of such an installation, and the method is not covered in this document.

Acquiring a basic software build environment depends on the Linux platform you deploy to, but at a minimum it requires a C compiler and the basic kernel and libc include files. These may be installed with the appropriate package manager commands.

For Debian-based systems (e.g. Ubuntu):

  sudo apt-get install build-essential

For Redhat-based systems (e.g. CentOS):

  sudo yum groupinstall "Development Tools" -y && sudo yum install kernel-devel -y

AlienVault HIDS should require no additional library or header files beyond those installed by these package commands.

Agent Installation

The installation requires administrative privileges. Switch to the root account either via:

  su                (this will require the root user password)

or

  sudo /bin/bash    (this will require your password and root sudo privileges)

Download

Change the working directory to a location suitable for building and installing software from:

  cd /usr/src

Use wget or curl to download the agent source archive:

  wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

or

  curl -O http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

Note that this URL is plain HTTP and the archive will be compiled and installed as root. Before unpacking it, verify its checksum (or signature) against a value obtained from a trusted source, not from the same download.

If the machine the agent is being deployed to does not have internet access, acquire the archive file by other means and copy it to a suitable directory on the target system through whatever channel you would normally use for this task.

Unpacking

Extract the downloaded archive using tar:

  tar xzvf ossec-hids-2.8.2.tar.gz

Compilation

The software must be compiled into working binary executables before installation.

Change the current directory to the unpacked install directory:

  cd ./ossec-hids-2.8.2

Run the installation script:

  /bin/bash ./install.sh

Important: Ubuntu uses /bin/dash as the default shell. This causes the installer to break and install the server component of AlienVault HIDS instead of the agent as requested. Calling /bin/bash directly, as in the command above, prevents this error.

The installer then prompts for the following:

  1. Pick a language; the default is English (en).
  2. Begin the installation.
  3. Select Agent as the installation type.
  4. Unless you have a pre-established good reason to choose otherwise, accept the default installation location: /var/ossec.
  5. Enter the IP address or hostname of your USM/OSSIM All-in-One or Sensor. Note: each USM/OSSIM Sensor component runs its own instance of AlienVault HIDS (a server and a local agent).
  6. Choose whether to run the Integrity Check Daemon; the default is yes.
  7. Choose whether to run the Rootkit Detection Engine; the default is yes.
  8. Choose whether to run the Active Response Engine; the default is yes. Active response executes external commands on this host, with root privileges, when particular alerts trigger (for example, firewall blocks). Decide deliberately whether you want automated actions on a production system before accepting the default.

AlienVault HIDS will then display the configured defaults.
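The download, verification and installer-prompt steps above, collected into shell functions so they can be scripted for many hosts. This is an added example and not part of the AlienVault guide. It assumes three things: EXPECTED_SHA256 is a placeholder you must replace with a digest obtained from a trusted source; etc/preloaded-vars.conf is OSSEC's own unattended-install answer file (the variable names used are the ones that file documents for 2.8.x); and the stand-in file created in the dry run is constructed, not the real tarball.

```shell
#!/bin/bash
# Fetch (or accept a locally copied) ossec-hids-2.8.2.tar.gz, refuse to unpack
# it unless its SHA-256 matches a value obtained out of band, and write the
# unattended-install answers so ./install.sh asks no questions.
#
# Added example, not part of the AlienVault guide. Assumptions:
#   - EXPECTED_SHA256 is a placeholder; fill it from a trusted source, never
#     from the same plain-HTTP download you are verifying.
#   - etc/preloaded-vars.conf is OSSEC's unattended-install answer file and the
#     USER_* names below are the ones it documents for 2.8.x.
set -eu

OSSEC_VERSION="2.8.2"
OSSEC_URL="http://www.ossec.net/files/ossec-hids-${OSSEC_VERSION}.tar.gz"
EXPECTED_SHA256="<paste the published sha256 here>"   # placeholder, not a real digest

# verify_sha256 FILE EXPECTED -> exit status 0 on match, 1 on mismatch.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256sum "$file" | awk '{print $1}')"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_agent_tarball DEST_DIR [LOCAL_ARCHIVE]
# With LOCAL_ARCHIVE (air-gapped host) the file is copied into DEST_DIR;
# otherwise it is downloaded with wget. The resulting path is echoed.
fetch_agent_tarball() {
    dest="$1"; local_archive="${2:-}"
    mkdir -p "$dest"
    target="$dest/ossec-hids-${OSSEC_VERSION}.tar.gz"
    if [ -n "$local_archive" ]; then
        cp "$local_archive" "$target"
    else
        wget -q -U ossec -O "$target" "$OSSEC_URL"
    fi
    echo "$target"
}

# write_preloaded_vars SRC_DIR SERVER_IP
# Writes etc/preloaded-vars.conf inside the unpacked source tree so that
# /bin/bash ./install.sh installs an *agent* pointing at SERVER_IP with the
# same defaults the interactive prompts offer. Echoes the file path.
write_preloaded_vars() {
    srcdir="$1"; server="$2"
    mkdir -p "$srcdir/etc"
    cat > "$srcdir/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_AGENT_SERVER_IP="$server"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
EOF
    echo "$srcdir/etc/preloaded-vars.conf"
}

# Full procedure, run as root on the target host (192.168.1.240 is the Sensor
# address used elsewhere in this guide):
#   tarball=$(fetch_agent_tarball /usr/src)   # or: fetch_agent_tarball /usr/src /media/usb/ossec-hids-2.8.2.tar.gz
#   verify_sha256 "$tarball" "$EXPECTED_SHA256" || exit 1
#   tar -xzf "$tarball" -C /usr/src
#   write_preloaded_vars /usr/src/ossec-hids-2.8.2 192.168.1.240
#   cd /usr/src/ossec-hids-2.8.2 && /bin/bash ./install.sh
```

verify_sha256 exits non-zero on a mismatch, so a scripted deployment stops before tar or install.sh touches an unverified archive. The final step still invokes /bin/bash explicitly because of the /bin/dash problem described above; preloading the answers does not change which shell runs the installer.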

The AlienVault HIDS installation script will now begin the compilation and installation process. Assuming all prerequisites were met before the installation began, the compilation should run to completion and display a summary of what was performed.

Agent Configuration

With the agent binaries installed on the client system, a new client key must be issued to connect this new agent to the AlienVault HIDS server running on AlienVault OSSIM or USM.

Generating an Agent Key

Switch over to the AlienVault Web User Interface.

  1. Go to Environment -> Detection.
  2. Click the Agents tab.
  3. Click Add Agent to add a new agent.
  4. Enter the hostname of the new agent, and either its fixed IP address or the subnet from which it will be assigned an address via DHCP.
  5. Click the key icon to extract the newly created key assigned to this agent.
  6. Select and copy the client key to the clipboard or a text editor.

The exported key is the agent's credential; do not leave copies of it in tickets, chat or shared documents once it has been imported.

Importing the Agent Key

Return to the console on the Linux host.

Execute the manage_agents program (as root):

  /var/ossec/bin/manage_agents

Enter I to import the key. Paste the agent key extracted from the server previously, and confirm that the key is correct.

Quit out of the key management tool.

As instructed, restart the AlienVault HIDS agent on the Linux host:

  /var/ossec/bin/ossec-control restart

The agent can also be started and stopped via the init.d script:

  /etc/init.d/ossec {start|stop|restart}

This script is used to launch the agent at system boot.

You may now exit from the session on the Linux host. The installation is complete.

Restarting the AlienVault HIDS Service

Once you have finished adding agents, restarting the AlienVault HIDS service on the AlienVault Server is recommended to bring everything into sync.

Switch over to the AlienVault Web User Interface.

  1. Go to Environment -> Detection.
  2. Click the AlienVault HIDS Control tab.
  3. Click the Restart button.
  4. Allow the services to restart.

Validation

A successful pairing between the new HIDS client and the HIDS server can be validated from both sides of the connection.

On the HIDS Agent

The agent maintains a local log file of its operation at /var/ossec/logs/ossec.log; view it with less or tail -f. A successful connection to the server creates log entries similar to these:

  2014/05/28 10:53:42 ossec-agentd: INFO: Using IPV4 for: 192.168.1.240.
  2014/05/28 10:53:42 ossec-agentd(4102): INFO: Connected to the server (192.168.1.240:1514).

Should the HIDS client not be able to connect to the HIDS service on the AlienVault Sensor, you will instead see log entries like these:

  2013/05/28 12:20:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
  2013/05/28 12:25:05 ossec-agentd: INFO: Trying to connect to server (192.168.1.240:1514).
  2013/05/28 12:25:05 ossec-agentd: INFO: Using IPv4 for: 192.168.1.240.

In that case, check that UDP port 1514 is reachable from the agent to the Sensor, and that the IP address (or subnet) registered for the agent in the web UI matches the address the agent actually connects from: the server drops messages from an address that does not match the registered one, and the agent only ever sees the "Waiting for server reply" message.

On the HIDS Server

Return to the AlienVault Web UI.

  1. Go to Environment -> Detection.
  2. Click the Agents tab.
  3. Look for the agent listing at the bottom of the main panel; your newly created agent should be marked as Active.

The Trend chart will not populate immediately, because it requires logs to have been received from the client for a period of time.

Your HIDS client installation is now complete.
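Two checks you can script on the Linux host after the key import and restart, covering both the Importing the Agent Key step and the On the HIDS Agent validation above. This is an added example and not from the AlienVault guide. It assumes that /var/ossec/etc/client.keys holds the imported entry in OSSEC's "ID NAME IP KEY" layout and that ossec.log carries the ossec-agentd messages quoted above; the key file and log lines in the dry run are constructed from this document's own examples.

```shell
#!/bin/bash
# Local post-pairing checks for an AlienVault HIDS (OSSEC 2.8.2) agent.
# Added example, not part of the AlienVault guide. Assumptions:
#   - /var/ossec/etc/client.keys has one "ID NAME IP KEY" line per agent.
#   - /var/ossec/logs/ossec.log carries the ossec-agentd messages shown in
#     the Validation section.
set -eu

# check_client_key KEYFILE
# Prints "ID NAME IP" for a well-formed entry and returns 0. Returns 1 when the
# file is missing or empty (no key imported) or the key is not 64 hex chars
# (the usual result of a truncated paste into manage_agents).
check_client_key() {
    keyfile="$1"
    [ -s "$keyfile" ] || { echo "no key imported ($keyfile empty or missing)" >&2; return 1; }
    # manage_agents appends on import, so the last non-comment line is the newest.
    entry="$(grep -v '^#' "$keyfile" | tail -n 1)"
    set -- $entry
    if [ "$#" -ne 4 ] || ! printf '%s' "$4" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "malformed client.keys entry: $entry" >&2
        return 1
    fi
    echo "$1 $2 $3"
}

# agent_state LOGFILE
# Finds the latest ossec-agentd connection message and prints
# "connected <ip:port>", "waiting <ip>" or "unknown".
agent_state() {
    logfile="$1"
    line="$(grep -E 'ossec-agentd.*(Connected to the server|Waiting for server reply)' "$logfile" | tail -n 1 || true)"
    case "$line" in
        *"Connected to the server"*)
            # "... Connected to the server (192.168.1.240:1514)."
            echo "connected $(printf '%s' "$line" | sed -n 's/.*(\([0-9.]*:[0-9]*\)).*/\1/p')" ;;
        *"Waiting for server reply"*)
            # "... Waiting for server reply (not started). Tried: '192.168.1.240'."
            echo "waiting $(printf '%s' "$line" | sed -n "s/.*Tried: '\([^']*\)'.*/\1/p")" ;;
        *)
            echo "unknown" ;;
    esac
}

# Offline dry run on constructed samples taken from this document. On a real
# host run instead:
#   check_client_key /var/ossec/etc/client.keys
#   agent_state /var/ossec/logs/ossec.log
demo() {
    tmp="$(mktemp -d)"
    printf '001 web01 192.168.1.50 6687cf219a97c5ccf5b476f1f1283bfe18901c12516b3c124dd0e8ae78a46fd2\n' > "$tmp/client.keys"
    cat > "$tmp/ossec.log" <<'EOF'
2013/05/28 12:20:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
2013/05/28 12:25:05 ossec-agentd: INFO: Trying to connect to server (192.168.1.240:1514).
2014/05/28 10:53:42 ossec-agentd: INFO: Using IPV4 for: 192.168.1.240.
2014/05/28 10:53:42 ossec-agentd(4102): INFO: Connected to the server (192.168.1.240:1514).
EOF
    check_client_key "$tmp/client.keys"   # 001 web01 192.168.1.50
    agent_state "$tmp/ossec.log"          # connected 192.168.1.240:1514
}
demo
```

A "waiting" result with a well-formed key points at the network path or the registered address rather than at the key paste: confirm UDP 1514 from this host to the Sensor and compare the IP printed by check_client_key with the address the Sensor sees the agent arriving from.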