Client.keys


Chris Lauritzen
Sep 13, 2013, 3:09:35 PM
to ossec...@googlegroups.com
When installing the agent, it is my understanding that the install will look at the client.keys file and read in the proper key. This is not happening. I have to push this out to 3500 PCs in the next couple of weeks; I am using LANDesk as the controller. Why is it not reading in the key? Also, how do I add the IP address to the agent?

Michael Starks
Sep 13, 2013, 3:18:39 PM
to ossec...@googlegroups.com
Have you established a key for the agent using manage_agents?

dan (ddp)
Sep 13, 2013, 3:22:22 PM
to ossec...@googlegroups.com
Are these Windows agents? Are there multiple keys in the client.keys?
Were the keys added using the OSSEC utilities?


Chris Lauritzen
Sep 18, 2013, 5:08:17 PM
to ossec...@googlegroups.com
Yes, the keys have been made. There is a new twist to this now. The install is reading the client.keys but is only reading in the first key listed. Every install is pulling only the first key. If I manually add the key it works fine. When creating the key I see that the name is optional, but is it possible that it's looking for the device name and, when not finding it, defaulting to the first entry?

Chris Lauritzen
Sep 18, 2013, 5:11:28 PM
to ossec...@googlegroups.com
Yes, these are Windows agents. Yes, there are multiple keys in the client.keys file. What utilities are you talking about? I am not the one creating the key file; I am the LANDesk admin pushing it out to the 3500 systems. I have created a batch file that installs it and it does work, if you look at my other post.

Michael Starks
Sep 18, 2013, 6:13:28 PM
to ossec...@googlegroups.com
On 09/18/2013 04:08 PM, Chris Lauritzen wrote:
> Yes the Key have been made. There is a new twist to this now. The
> install is reading the client.keys but is only reading in the first key
> listed. Every install is pulling only the first key. If I manually add
> the key it works fine. When creating the key I see that the name is
> optional but is it possible that it's looking for the device name and
> when not finding it defaulting to the first entry?

There should only be one key in the agent's client.keys file--the key
for that agent.

James M. Pulver
Sep 19, 2013, 8:54:27 AM
to ossec...@googlegroups.com

I have just tested an amalgamation of AutoIT on the Windows side, with some help from plink and some batch scripting on the Linux side to log in and create the appropriate key, extract it and put it in client.keys.

However, you do need sudo permissions for the login account you use from the Windows side so it can run the OSSEC programs.

According to some on IRC, you may be able to compile agent-auth for Windows, but I haven't tried that solution yet.

--
James Pulver
CLASSE Computer Group
Cornell University

Chris Lauritzen
Sep 19, 2013, 9:46:17 AM
to ossec...@googlegroups.com
James, let me get this straight: if I have 3500 PCs to push this out to, I need 3500 client.keys files?

Chris Lauritzen
Sep 19, 2013, 9:55:20 AM
to ossec...@googlegroups.com, jmp...@cornell.edu
James, so in this option the agent installs and then creates the keys during the install?

James M. Pulver
Sep 19, 2013, 10:19:24 AM
to ossec...@googlegroups.com

Yes, each client has a unique client.keys.

--
James Pulver
CLASSE Computer Group
Cornell University

Jared Greene
Sep 19, 2013, 10:42:01 AM
to ossec...@googlegroups.com
Chris,

Agent / Client = 1 client.keys file with a single entry in it.
C:\Program Files (x86)\ossec-agent\client.keys = 1 entry

Server / Manager = 1 client.keys files with an entry for every agent that is registered.
/var/ossec/etc/client.keys

If you are trying to copy the client.keys file from the server to every agent, it will not work (only reads the first line).

If you need some scripting automation for installing/configuring OSSEC on Windows and Linux, and can run powershell from your Windows Landesk instance, I can help. Just need to come up with what "success" would look like from requirements perspective and the scripting part is easy.

Jared

--
Thank you,

Jared R. Greene

Michael Starks
Sep 19, 2013, 10:55:32 AM
to ossec...@googlegroups.com
On 19.09.2013 08:46, Chris Lauritzen wrote:
> James let get this straight, if I have 3500 pc's to push this out to
> I
> need 3500 client.keys files?

Just to jump in here, let's consider for a moment that the compromise
of one machine would mean the compromise of all keys in your
infrastructure if every key existed on one agent.

Now, I get what you're saying--it shouldn't be this hard. That's why
agent-auth was created, but unfortunately, it doesn't work in Windows
right now. Some effort was recently made to get OpenSSL to compile and
that was successful. OSSEC just needs to be built with it now and then
it will probably work. So if you or someone has the time to step in and
make this work, everyone would benefit.

Chris Lauritzen
Sep 19, 2013, 2:42:19 PM
to ossec...@googlegroups.com
Jared,

Thanks for the info. I can get LANDesk to run PowerShell, so what scripting would I need?

Chris Lauritzen
Sep 19, 2013, 2:43:58 PM
to ossec...@googlegroups.com
Mike, I agree that having the key file on the PC with all the keys is not a good idea. I will look into OpenSSL.

Jared
Sep 20, 2013, 7:54:49 AM
to ossec...@googlegroups.com
I am not sure that everyone wants to see the gory details, but with PowerShell you can accomplish anything that you would do normally via the cmd line or interactively, on Linux (SSH) and Windows (WMI).

Here is an example that will migrate servers from a test OSSEC server to a production OSSEC server and then register them with the new server (I have another script that fixes the "any" in the client.keys):

# You must download the module and install it per the directions (google)
Import-Module SSH-Sessions
# Implies that you have a .csv file with all of your servers in it with the following headers (Product,Address,Hostname,Key,User)
# Implies that you have an account on your Linux servers with TTY ability (google sudoers & TTY)
# Load data from .csv into a variable called $Servers
$Servers = Import-Csv C:\ISCO\Automate\bin\test_Servers.csv
# Loop through each of the lines in the .csv file and do "some work"
ForEach ($S in $Servers)
{
    # Get IP address from line in file
    $I = $S.Address; Write-Host $I
    # Get hostname from line in file
    $H = $S.Hostname; Write-Host $H
    # Path to the SSH private key file for this server
    $K = $S.Key; Write-Host $K
    # Login user for this server
    $U = $S.User; Write-Host $U

    # Connect to each computer and provide username and private key
    New-SshSession -ComputerName $I -Username $U -KeyFile $K
    # Stop the agent
    Invoke-SshCommand -ComputerName $I -Command "sudo /var/ossec/bin/ossec-control stop" -Verbose
    # Replace the test server IP with the production server IP (dots escaped so sed matches them literally)
    Invoke-SshCommand -ComputerName $I -Command "sudo sed -i 's/1\.1\.1\.1/2.2.2.2/g' /var/ossec/etc/ossec.conf" -Verbose
    # Register the agent with the production OSSEC manager using the hostname from the .csv file
    Invoke-SshCommand -ComputerName $I -Command "sudo /var/ossec/bin/agent-auth -m 2.2.2.2 -p 1515 -A $H" -Verbose
    # Restart the agent
    Invoke-SshCommand -ComputerName $I -Command "sudo /var/ossec/bin/ossec-control start" -Verbose
    # Display the status of the agent post restart in the PowerShell console
    Invoke-SshCommand -ComputerName $I -Command "sudo /var/ossec/bin/ossec-control status" -Verbose
    # Close and clean up the session
    Remove-SshSession $I -Verbose
    # As this is a ForEach loop, it will parse each line of your .csv file and perform this work on every server until the list is exhausted.
}

So, we can take this offline or keep it here, but I would need to get the details (requirements) for each process that you are trying to automate. I am not following what you are trying to do with the client.keys on the agent, but I believe that there is a programmatic solution.

Jared

Chris Lauritzen
Sep 20, 2013, 9:48:10 AM
to ossec...@googlegroups.com
Jared,

What I am trying to do is automate the install. We use LANDesk to push out apps to over 3500 PCs/servers in our company. LANDesk can use batch, msi, exe, vbs and PowerShell scripts to install. I have the install working; it pushes to the PCs and installs the agent. Where it was failing initially was importing the key file. I have resolved that issue and during the install the key is being read. What I have come to find out is that OSSEC requires one key file per PC with only one key entry. I understand the security reasons for this. So what I am looking to do is find a way to not create 3500 client.keys files. I have a script that works but it does not play well because we are running DHCP. I am not the admin for the OSSEC server; I am the LANDesk admin, so I am dealing with the desktop/server level. Looking over your PowerShell script I see where it could work. If you would like you can email me directly.

Thanks

Chris

Michael Starks
Sep 20, 2013, 10:55:19 AM
to ossec...@googlegroups.com
On 09/20/2013 08:48 AM, Chris Lauritzen wrote:
> So what I am looking to do is to find a way
> to not create 3500 Client.keys files.

You could create a file on a share with all of the keys and have a
post-install script that finds the right key and puts it in the keys
file on the agent. Something like (pseudo-code) find "hostname"
\\share\master_file > client.keys. You'll just need to be very careful
and make sure that the account used to do the find is the only account
that can access that file on the share.
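The post-install step Michael sketches above, written out as an added PowerShell example (this is not code from the thread or from the OSSEC project). It assumes the master file on the share uses the manager's own client.keys line format, `ID NAME IP KEY` with one agent per line, that the agent name in that file equals the Windows computer name, and that the agent accepts a single LF-terminated ASCII line without a byte-order mark; the share path and the agent install path are placeholders. It only writes client.keys when exactly one matching entry is found, and it sets the file's ACL to SYSTEM and Administrators only rather than granting Everyone access. Restricting who can read the master file on the share itself still has to be done on the file server, as Michael notes.

```powershell
# Added example, not from the thread: post-install step that pulls this
# machine's own entry out of a master key file on a share, writes a
# single-entry client.keys and restricts it to SYSTEM and Administrators.
# Assumptions: master file lines use the manager's client.keys format
# "ID NAME IP KEY"; NAME equals the Windows computer name; both paths are placeholders.
param(
    [string]$MasterFile = '\\share\master_file',
    [string]$KeysPath   = 'C:\Program Files (x86)\ossec-agent\client.keys'
)

$ErrorActionPreference = 'Stop'
$me = $env:COMPUTERNAME

# Select lines whose NAME field (2nd) matches this host, case-insensitively.
$entries = @(Get-Content -LiteralPath $MasterFile | ForEach-Object { $_.Trim() } | Where-Object {
    $fields = $_ -split '\s+'
    $fields.Count -eq 4 -and $fields[1] -ieq $me
})

# Refuse to guess: zero matches means no key was generated for this host,
# more than one means the master file is ambiguous.
if ($entries.Count -ne 1) {
    throw "Expected exactly one client.keys entry for '$me', found $($entries.Count)"
}
$entry = $entries[0]

# Write one LF-terminated ASCII line with no BOM (assumption about what the
# agent expects; the thread lists CR/LF and encoding among things to check).
[System.IO.File]::WriteAllText($KeysPath, $entry + "`n", [System.Text.Encoding]::ASCII)

# Replace inherited permissions with explicit FullControl for SYSTEM and
# Administrators only; 'everyone:F' would let any local user read the key.
$acl = Get-Acl -LiteralPath $KeysPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $KeysPath -AclObject $acl

# Log the agent ID, never the key itself.
Write-Output "client.keys written for $me (agent id $(($entry -split '\s+')[0]))"
```

Run it elevated (or as SYSTEM, which is how a LANDesk-pushed script normally runs), since writing under Program Files and replacing the ACL both need administrator rights. Throwing on zero or multiple matches is deliberate: a silent fallback to the first line is exactly the behaviour that caused the confusion earlier in this thread.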

Chris Lauritzen
Sep 23, 2013, 9:57:05 AM
to ossec...@googlegroups.com
Michael,

That sounds like an option. I'm looking at it now.

Jared
Sep 23, 2013, 3:42:27 PM
to ossec...@googlegroups.com
Okay, off line then via email.

Jared

Bjoern...@easycash.de
Sep 24, 2013, 7:57:56 AM
to ossec...@googlegroups.com

Hello,

sorry if I'm disturbing the discussion. We have the same problem with Windows agents.

Under *NIX OS we could register the agent automatically during installation using: /var/ossec/bin/agent-auth -m $ossecserver -A $::fqdn -D /var/ossec/ and on the server side the ossec-authd.

Is there still no command for Windows OS? Is this in planning?

Thanks Jared for the howto, it should be better than our situation under Windows now :)

Best regards
Björn

Chris Lauritzen
Sep 24, 2013, 10:29:37 AM
to ossec...@googlegroups.com, Bjoern...@easycash.de

First off, thanks to everyone that has helped here. I have a new twist to my problem. I have created a macro that pulls the correct key from the server and writes it to a file named with the computer ID. I have a batch script that copies the file from the server share to the client workstation by reading the computer name and copying the corresponding file. This is all working correctly and pushes out nicely via LANDesk.

Now here is the new issue: when the client installs, it should read in the client.keys file when the service starts. If you read my original question you can see that it was working, except I was trying to embed all the keys in a single file. The file that is copied now only has the one key in it. The agent is NOT reading in the client.keys file now. If I open the file on the workstation and copy and paste, it imports the key correctly, so I know that the client.keys file being copied is correct. So why is it not reading in the file during the install as it was before? The file is a standard txt file, it's named correctly, the key that is in the file works if I manually add it, so what am I missing here?

I am so close to getting this to work I can taste it.

dan (ddp)
Sep 24, 2013, 10:47:36 AM
to ossec...@googlegroups.com
Check permissions?

dan (ddp)
Sep 24, 2013, 10:46:33 AM
to ossec...@googlegroups.com
On Tue, Sep 24, 2013 at 7:57 AM, <Bjoern...@easycash.de> wrote:
> Hello,
>
> sorry, when I disturbing the discussion. We have the same problem with
> windows agents.
>
> Under *NIX os we could register the agent automaticly during installation
> using: /var/ossec/bin/agent-auth -m $ossecserver -A $::fqdn -D /var/ossec/
> and on the server site the ossec-authd.
>
> Is there still no command for windows os? Is this in planning?

I believe it was mentioned in this thread that the command might be
ready, but no one will test it.

James M. Pulver
Sep 24, 2013, 10:54:03 AM
to ossec...@googlegroups.com
The problem is there is (as far as I can tell in 2.7.1 install) no agent-auth.exe ... so how do we test it?

--
James Pulver
CLASSE Computer Group
Cornell University


dan (ddp)
Sep 24, 2013, 10:58:29 AM
to ossec...@googlegroups.com
On Tue, Sep 24, 2013 at 10:54 AM, James M. Pulver <jmp...@cornell.edu> wrote:
> The problem is there is (as far as I can tell in 2.7.1 install) no agent-auth.exe ... so how do we test it?
>

Build it.

Jared
Sep 24, 2013, 11:08:12 AM
to ossec...@googlegroups.com, Bjoern...@easycash.de
I believe that this is what you need in your batch file after you echo into the file:

cacls "C:\Program Files (x86)\ossec-agent\client.keys" /T /E /G everyone:F

Alternately, the file may still be open/locked, but you should still be able to read it. Error handling should let you know if you are missing a prompt from the GUI as you are using the cmd line.

Chris Lauritzen
Sep 24, 2013, 11:14:36 AM
to ossec...@googlegroups.com
I have checked and the user has full access.

James M. Pulver
Sep 24, 2013, 11:10:32 AM
to ossec...@googlegroups.com
Yes, I have no Windows build environment. Maybe it can cross compile from Linux?

Chris Lauritzen
Sep 24, 2013, 11:34:46 AM
to ossec...@googlegroups.com, Bjoern...@easycash.de
Jared,

Thanks again... this didn't work. I am not injecting the key into the file during the batch process. The key is extracted from the server via an Excel Macro. It is a standard TXT file.

dan (ddp)
Sep 24, 2013, 11:42:40 AM
to ossec...@googlegroups.com
On Tue, Sep 24, 2013 at 11:10 AM, James M. Pulver <jmp...@cornell.edu> wrote:
> Yes, I have no Windows build environment. Maybe it can cross compile from Linux?
>

Based on the current source I'm guessing it's not actually work-able.
wait.h isn't a thing on windows?

Michael Starks
Sep 24, 2013, 11:48:05 AM
to ossec...@googlegroups.com
On 24.09.2013 09:54, James M. Pulver wrote:
> The problem is there is (as far as I can tell in 2.7.1 install) no
> agent-auth.exe ... so how do we test it?

The current status is that OpenSSL was compiled (see
http://www.michaelboman.org/how-to/building-openssl-on-windows for a
how-to), but it has not been linked to OSSEC. No one seems to have the
time right now, so if someone wants to spend the time getting this
working, or at least debugging it, it would be very helpful to everyone.

Awhile back, I wrote a blog post on how to compile OSSEC on Windows, so
that may also be helpful:
http://www.immutablesecurity.com/index.php/2010/07/06/compiling-the-ossec-agent-on-windows/

Michael Starks
Sep 24, 2013, 11:43:18 AM
to ossec...@googlegroups.com
On 24.09.2013 10:08, Jared wrote:
> I believe that this is what you need in your batch file after you echo
> into the file:
>
> cacls "C:\Program Files (x86)\ossec-agent\client.keys" /T /E /G everyone:F

I wouldn't recommend this. This grants everyone full access. That means
an attacker can read/delete that file. The file should only need to be
readable by SYSTEM and Administrators. We have an open bug about
permissions currently, but they at least work correctly in the default
install.

Jared
Sep 24, 2013, 12:03:57 PM
to ossec...@googlegroups.com
You are correct Mike, that is ill advised as a permanent config, but would rule out perms and complete the proper closing of the file for debugging.

Michael Starks
Sep 24, 2013, 12:26:28 PM
to ossec...@googlegroups.com
On 24.09.2013 09:29, Chris Lauritzen wrote:
> Now here is the new issue, when the client installs it should read in
> the client.keys file when the service starts. If you read my orginal
> question you can see that is was working except I was trying to embed
> all the keys in a single file. The file that is copied now only has
> the one key in the file. The agent is NOT reading in the client.keys
> file now. If I open the file on the workstation and copy and paste it
> imports the key correctly so I know that the client.keys file that is
> being copied is correct. So why is it not reading in the file during
> the install as it was before? The file is a standard txt file, it's
> named correctly, the key that is in the file works if I manually add
> it so what I am missing here?

Let me throw some things out there...

Perhaps this is an issue with CR/LF vs LF only?
Double extension with extensions hidden?
Are you adding the encoded representation of the key/hostname/agent ID
or does it look just like the entry that is on the manager?
Are there any messages in ossec.log?
Have you enabled debugging in internal_options.conf?
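A script that runs Michael's checklist against the agent's client.keys, as an added PowerShell example (not code from the thread or from OSSEC). It looks for a hidden double extension, a byte-order mark, the CR/LF versus LF question, an entry that is not in plain `ID NAME IP KEY` form, and recent key-related lines in ossec.log. It assumes the default install directory and that the Windows agent writes ossec.log into that directory; turning on debug in internal_options.conf is left to the operator. It reports the agent ID, name and field count of the entry but never prints the key.

```powershell
# Added example, not from the thread: checks the agent's client.keys for the
# suspects listed above (CR/LF vs LF, hidden double extension, entry not in
# plain "ID NAME IP KEY" form) and pulls key-related lines from ossec.log.
# Assumptions: default install directory; the Windows agent logs to ossec.log there.
param(
    [string]$AgentDir = 'C:\Program Files (x86)\ossec-agent'
)
$findings = @()

# 1. Double extension with extensions hidden: 'client.keys.txt' displays as 'client.keys'.
$lookalikes = Get-ChildItem -LiteralPath $AgentDir -File -Force |
    Where-Object { $_.Name -ne 'client.keys' -and $_.Name -like 'client.keys*' }
foreach ($f in $lookalikes) { $findings += "Lookalike file present: $($f.Name)" }

$keysPath = Join-Path $AgentDir 'client.keys'
if (-not (Test-Path -LiteralPath $keysPath)) {
    $findings += "client.keys is missing from $AgentDir"
} else {
    $bytes = [System.IO.File]::ReadAllBytes($keysPath)

    # 2. Byte-order marks: "save as text" from Notepad or Excel can add one.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $findings += 'UTF-8 BOM at start of client.keys'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $findings += 'UTF-16 BOM at start of client.keys (saved as Unicode, not plain text)'
    }

    # 3. Line endings: count CRLF and bare LF so the CR/LF question can be settled.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $crlf = [regex]::Matches($text, "`r`n").Count
    $lf   = [regex]::Matches($text, "`n").Count - $crlf
    $findings += "Line endings: $crlf CRLF, $lf bare LF"

    # 4. Entry shape: an agent file should hold exactly one line of four fields,
    #    starting with a numeric agent ID and naming this host. The key is not printed.
    $lines = @($text -split "`r?`n" | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -ne 1) { $findings += "Expected 1 entry, found $($lines.Count)" }
    foreach ($line in $lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -ne 4) {
            $findings += "Entry has $($fields.Count) fields, expected 4 (ID NAME IP KEY); not a plain client.keys entry"
            continue
        }
        if ($fields[0] -notmatch '^\d+$') { $findings += "Agent ID '$($fields[0])' is not numeric" }
        if ($fields[1] -ine $env:COMPUTERNAME) { $findings += "Entry name '$($fields[1])' is not this host ($env:COMPUTERNAME)" }
    }
}

# 5. Last key-related lines from the agent log, if the log exists.
$log = Join-Path $AgentDir 'ossec.log'
if (Test-Path -LiteralPath $log) {
    $hits = Select-String -LiteralPath $log -Pattern 'key' | Select-Object -Last 10
    foreach ($m in $hits) { $findings += "ossec.log: $($m.Line)" }
}
$findings
```

Run it from an elevated prompt on an affected workstation and read the list it prints; apart from the line-ending summary, an empty list means the file itself looks sound and the remaining suspects are the service's view of it (permissions, the file still being open) rather than its contents.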

James M. Pulver
Sep 24, 2013, 1:42:02 PM
to ossec...@googlegroups.com
Well, I gave it a few hours using SL and mingw and mostly failed horribly. So I like my somewhat hackish solution using Autoit and plink. I'm just not a C++ developer.

--
James Pulver
CLASSE Computer Group
Cornell University



Chris Lauritzen
Sep 24, 2013, 2:52:56 PM
to ossec...@googlegroups.com
Sorry to say it is still not working. I have checked the file name and there are no double extensions.

Chris Lauritzen
Sep 26, 2013, 5:40:44 PM
to ossec...@googlegroups.com
Thank you everyone for your help. I have resolved my issue and have pushed out the agent to 3500 PC's today in just over an hour.

Michael Starks
Sep 26, 2013, 6:12:00 PM
to ossec...@googlegroups.com
On 26.09.2013 16:40, Chris Lauritzen wrote:
> Thank you everyone for your help. I have resolved my issue and have
> pushed out the agent to 3500 PC's today in just over an hour.

Inquiring minds want to know! :)

Chris Lauritzen
Sep 27, 2013, 11:11:33 AM
to ossec...@googlegroups.com
In a nut shell:

Auto-populate the keys on the server. Copy the key files to a Windows PC and, using an Excel batch file, extract each key to a txt file named with the PC name. I then used a batch file to copy the file from the share based on the computer name and then renamed the file to client.keys. Then use LANDesk to push out the agent and run the batch installer. Using this method I installed the agent on 3486 PCs in 10 minutes.

Chris Lauritzen
Sep 27, 2013, 2:25:42 PM
to ossec...@googlegroups.com
As a follow up: only to find out there is a 1500 record limit in each OSSEC instance.

James M. Pulver
Sep 27, 2013, 2:35:26 PM
to ossec...@googlegroups.com

Not really; you can recompile the server for a higher limit rather easily and non-destructively for your configuration.

--
James Pulver
CLASSE Computer Group
Cornell University

Chris Lauritzen
Oct 3, 2013, 4:59:11 PM
to ossec...@googlegroups.com, jmp...@cornell.edu
Thanks James, yes we got it all working. The server is seeing 3572 agents.

koby yakov
Oct 15, 2013, 5:25:48 AM
to ossec...@googlegroups.com
Hi Chris,

I'm facing the same issue that you were having here.

My current status is:

I'm able to install the agents on the Windows machine, copy the conf file and create the agents on the server side.

I need your assistance with extracting the keys from the server side and inserting each key into each agent.

I would appreciate it if you could share your code (scripts and other stuff).

Thanks a lot,
koby.

Chris Lauritzen
Oct 16, 2013, 3:50:13 PM
to ossec...@googlegroups.com
Koby,

If you can contact me directly I will send you what I used.

Ed Gonzo
Jun 14, 2016, 2:00:37 PM
to ossec-list
Hi Chris,

I know I am late to the party, but I was wondering if you still had the Excel batch file you used to parse the client.keys file?

Thank you