AlienVault OSSIM Agent install how-to



  • I've added some Debian machines that needed the OSSIM agent tools installed. The process is just a little different than the documents state, so I thought I should add it here.

    In your OSSIM interface, go to ENVIRONMENT -> DETECTION -> AGENTS and click ADD AGENT

    After the agent is added, click on the key icon for the agent you just added, and copy the line of random junk that it gives you.


    Now, on the client machine, install the prerequisites.

    sudo apt-get install inotify-tools build-essential
    

    Download, unzip, and install the OSSIM source.

    wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
    tar xf ossec-hids-2.8.3.tar.gz
    cd ossec-hids-2.8.3
    sudo ./install.sh
    

    The installer will ask you for some things none of the guides I use were up to date with. For this, we just want the client, and it will ask for the server IP or FQDN. Besides that, accept the defaults and let it run.

    The client now needs the agent key entered, and the service restarted.

    sudo /var/ossec/bin/manage_agents
    I
    

    Paste the key we copied from the server.

    y
    Enter
    Q
    /etc/init.d/ossec restart
    

    Finally, we need to restart the HIDS service on the server. This should be in HIDS CONTROL in the same screen we were in before.


    All done.

    Sources: https://www.alienvault.com/documentation/usm-v5/ids-configuration/deploying-alienvault-hids.htm#Deployin2
    https://www.linode.com/docs/security/ossec-ids-debian-7
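
The client-side steps above, as an added example (this is not code from the post, from AlienVault or from the OSSEC project): the same package install, download, install and key import, wrapped in functions so the key copied from the OSSIM key icon is sanity-checked before it goes into manage_agents, and so the whole thing can run unattended. Assumptions, all mine: the manager address and the key come from the environment variables OSSEC_SERVER and OSSEC_AGENT_KEY; OSSEC_TARBALL_SHA256 is a placeholder you must fill in from a source you trust, since the post gives no digest; the tarball URL is the one in the post; and the unattended answers to install.sh use the tarball's etc/preloaded-vars.conf mechanism, with the variable names as they appear in that file.

```shell
#!/bin/sh
# Added example, not from the post or from OSSEC/AlienVault. Assumptions:
# OSSEC_SERVER and OSSEC_AGENT_KEY are set in the environment,
# OSSEC_TARBALL_SHA256 is a placeholder you fill in from a trusted source,
# and install.sh is answered through etc/preloaded-vars.conf.
set -eu

OSSEC_VERSION="2.8.3"
OSSEC_URL="https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-${OSSEC_VERSION}.tar.gz"
OSSEC_TARBALL_SHA256="${OSSEC_TARBALL_SHA256:-}"   # placeholder: no real digest here

# The "line of random junk" from the key icon is base64 of "<id> <name> <ip> <key>".
# Decode it and check the shape, so a truncated or line-wrapped paste fails here
# instead of ending up as a half-written entry in client.keys.
check_agent_key() {
    decoded=$(printf '%s' "$1" | tr -d ' \t\r\n' | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    case "$1" in ''|*[!0-9]*) return 1 ;; esac      # agent id must be numeric
    printf '%s\n' "$decoded"
}

agent_id_from_key() {
    check_agent_key "$1" | cut -d' ' -f1
}

# Answers for install.sh: agent install, default directory, manager address,
# and the defaults the post says to accept for everything else.
render_preloaded_vars() {
    cat <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_AGENT_SERVER_IP="$1"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
EOF
}

install_agent() {
    server="$1"
    tarball="ossec-hids-${OSSEC_VERSION}.tar.gz"
    sudo apt-get install -y inotify-tools build-essential
    wget -O "$tarball" "$OSSEC_URL"
    # Refuse to build an unverified tarball; an empty digest is an error, not a skip.
    [ -n "$OSSEC_TARBALL_SHA256" ] || { echo "set OSSEC_TARBALL_SHA256 first" >&2; return 1; }
    printf '%s  %s\n' "$OSSEC_TARBALL_SHA256" "$tarball" | sha256sum -c -
    tar xf "$tarball"
    render_preloaded_vars "$server" > "ossec-hids-${OSSEC_VERSION}/etc/preloaded-vars.conf"
    (cd "ossec-hids-${OSSEC_VERSION}" && sudo ./install.sh)
}

# The same keystrokes the post types into manage_agents (I, paste, y, Enter, Q), fed on stdin.
import_agent_key() {
    key="$1"
    id=$(agent_id_from_key "$key")
    [ -n "$id" ] || { echo "key does not decode to 'id name ip key'" >&2; return 1; }
    printf 'I\n%s\ny\n\nQ\n' "$key" | sudo /var/ossec/bin/manage_agents
    # manage_agents writes the decoded line to client.keys; confirm it actually landed.
    sudo grep -q "^${id} " /var/ossec/etc/client.keys || { echo "agent $id missing from client.keys" >&2; return 1; }
    sudo /etc/init.d/ossec restart
}

main() {
    install_agent "${OSSEC_SERVER:?set OSSEC_SERVER to the manager IP or FQDN}"
    import_agent_key "${OSSEC_AGENT_KEY:?paste the key from the OSSIM key icon}"
    # Once HIDS has been restarted on the server, the agent logs a successful connect.
    sleep 30
    sudo grep -i 'connected to the server' /var/ossec/logs/ossec.log | tail -n 1
}

# Only act when explicitly asked, so the file can be sourced for its helpers.
if [ "${OSSEC_AGENT_APPLY:-0}" = "1" ]; then
    main
fi
```

Run it as `OSSEC_SERVER=10.0.0.5 OSSEC_AGENT_KEY='...' OSSEC_TARBALL_SHA256='...' OSSEC_AGENT_APPLY=1 sh ossec-agent.sh` on the client. The key check is the part worth keeping even if you do the rest by hand: a key that was wrapped or cut short when copied out of the browser decodes to the wrong number of fields and is rejected before manage_agents ever sees it.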



  • Just confirmed this works on Ubuntu as well. I imagine that means Mint would also work, but have not confirmed Mint yet, and probably will not as the only installs of that I have are workstations that don't require quite the same level of monitoring.