OSSEC Agent Install - Windows


ste...@bawks.com

Dec 22, 2014, 2:56:38 PM
to ossec...@googlegroups.com

Is there a way to silently install the .exe in Windows?

I could not find any form of documentation and/or any command-line options that I can include, but I thought I would reach out and find out.

dan (ddp)

Dec 22, 2014, 3:01:28 PM
to ossec...@googlegroups.com
On Mon, Dec 22, 2014 at 2:56 PM, <ste...@bawks.com> wrote:
> Is there a way to silently install the .exe in windows?
>

/s? /S? Something like that, I think.

>
>
> I could not find any form of documentation and or any command line options
> that I can include but I thought I would reach out and find out.
>

David Lang

Dec 22, 2014, 3:29:05 PM
to ossec...@googlegroups.com
I have the following .cmd script that I run on each machine. Has the agent-auth
tool for the auto-configuration of keys been ported to Windows? I don't see any
sign of it and all the documentation is for Linux.

@echo off
setlocal enabledelayedexpansion > NUL 2> NUL
net stop "OSSEC HIDS" > NUL 2> NUL
del "C:\Program Files (x86)\ossec-agent" /s /q > NUL 2> NUL
cmd /c "\\10.1.1.1\ossec\ossec-agent-win32-2.8.exe /S"
findstr /I /C:" %COMPUTERNAME%." \\10.1.1.1\ossec\ossec.keys > "C:\Program Files (x86)\ossec-agent\client.keys"
copy \\10.1.1.1\ossec\ossec.conf "C:\Program Files (x86)\ossec-agent\" /y
net start "OSSEC HIDS"

David Lang

Stephen Bawks

Dec 23, 2014, 1:02:42 PM
to ossec...@googlegroups.com, da...@lang.hm
Do you still need to create the Windows machines on the server side manually? In Linux you can run the agent-auth command but I don't see that command in the Windows client.

David Lang

Dec 23, 2014, 1:11:25 PM
to Stephen Bawks, ossec...@googlegroups.com
In my current workflow I am creating the machine before installing the Windows
agent, but I would like to use agent-auth, which is what I was asking about.

David Lang

On Tue, 23 Dec 2014, Stephen Bawks wrote:

> Do you still need to create the windows machines on the server side
> manually? In Linux you can run the agent-auth command but I don't see that
> command in the Windows client.
>
>
> On Monday, December 22, 2014 3:29:05 PM UTC-5, David Lang wrote:
>>
>> I have the following .cmd script that I run on each machine. Has the
>> agent-auth tool for the auto-configuration of keys been ported to windows? I
>> don't see any sign of it and all the documentation is for linux.
>>
>> @echo off
>> setlocal enabledelayedexpansion > NUL 2> NUL
>> net stop "OSSEC HIDS" > NUL 2> NUL
>> del "C:\Program Files (x86)\ossec-agent" /s /q > NUL 2> NUL
>> cmd /c "\\10.1.1.1\ossec\ossec-agent-win32-2.8.exe /S"
>> findstr /I /C:" %COMPUTERNAME%." \\10.1.1.1\ossec\ossec.keys > "C:\Program Files (x86)\ossec-agent\client.keys"
>> copy \\10.1.1.1\ossec\ossec.conf "C:\Program Files (x86)\ossec-agent\" /y
>> net start "OSSEC HIDS"
>>
>> David Lang
>>
>> On Mon, 22 Dec 2014, dan (ddp) wrote:
>>
>>> On Mon, Dec 22, 2014 at 2:56 PM, <ste...@bawks.com> wrote:
>>>> Is there a way to silently install the .exe in windows?
>>>>
>>>
>>> /s? /S? Something like that, I think.
>>>
>>>>
>>>>
>>>> I could not find any form of documentation and or any command line options
>>>> that I can include but I thought I would reach out and find out.
>>>>

dan (ddp)

Dec 23, 2014, 1:24:10 PM
to ossec...@googlegroups.com
On Mon, Dec 22, 2014 at 3:27 PM, David Lang <da...@lang.hm> wrote:
> I have the following .cmd script that I run on each machine. Has the
> agent-auth tool for the auto-configuration of keys been ported to windows? I
> don't see any sign of it and all the documentation is for linux.
>

Last I saw there was a request for testers that went nowhere, but
that was a long time ago.

David Lang

Dec 23, 2014, 4:11:01 PM
to ossec...@googlegroups.com
On Tue, 23 Dec 2014, dan (ddp) wrote:

> On Mon, Dec 22, 2014 at 3:27 PM, David Lang <da...@lang.hm> wrote:
>> I have the following .cmd script that I run on each machine. Has the
>> agent-auth tool for the auto-configuration of keys been ported to windows? I
>> don't see any sign of it and all the documentation is for linux.
>>
>
> Last I saw there was a request for testers that went nowhere, but
> that was a long time ago.

Well, it looks like we've got a couple folks interested in testing now if there
is still development interest. :-)

David Lang

Bryan K. Carter

Dec 23, 2014, 5:25:20 PM
to ossec...@googlegroups.com
I would also be willing to do some testing. I am just beginning a
deployment to about 700 Windows clients.

---------------------------------------------------
Bryan K. Carter

dan (ddp)

Dec 26, 2014, 7:32:37 AM
to ossec...@googlegroups.com
On Tue, Dec 23, 2014 at 5:10 PM, Bryan K. Carter
<cart...@deseretmgt.com> wrote:
> I would also be willing to do some testing. I am just beginning a
> deployment to about 700 windows clients.
>

Awesome! Please report back any results.

David Lang

Dec 26, 2014, 2:35:16 PM
to ossec...@googlegroups.com
On Fri, 26 Dec 2014, dan (ddp) wrote:

> On Tue, Dec 23, 2014 at 5:10 PM, Bryan K. Carter <cart...@deseretmgt.com>
> wrote:
>> I would also be willing to do some testing. I am just beginning a deployment
>> to about 700 windows clients.
>>
>
> Awesome! Please report back any results.

Where do we find the Windows agent-auth tool? Is it something we need to
configure when compiling a new Windows binary?

David Lang

dan (ddp)

Dec 26, 2014, 2:37:46 PM
to ossec...@googlegroups.com
On Fri, Dec 26, 2014 at 2:33 PM, David Lang <da...@lang.hm> wrote:
> On Fri, 26 Dec 2014, dan (ddp) wrote:
>
>> On Tue, Dec 23, 2014 at 5:10 PM, Bryan K. Carter <cart...@deseretmgt.com>
>> wrote:
>>>
>>> I would also be willing to do some testing. I am just beginning a
>>> deployment to about 700 windows clients.
>>>
>>
>> Awesome! Please report back any results.
>
>
> where do we find the windows agent-auth tool? is it something we need to
> configure when compiling a new windows binary?
>

I haven't looked at it, but you may have to do some updating:
https://github.com/ossec/ossec-hids/pull/181

Martynas Buožis

Jan 5, 2015, 7:40:22 AM
to ossec...@googlegroups.com
Hello

I made a script that works, though the script itself does not consider all possible cases and was done in a quick way just to work. I used a Linux system to deploy the OSSEC agent to 500 systems in an hour, and I will try to explain the method I used on the Linux host where OSSEC is installed.

The script takes one parameter: the client name as it is in DNS. I simply used bash to cycle around (like "for host in `cat list_of_hosts`; do ./deploy $host; done").

The script has to be improved in efficiency, error handling, etc. Please feel free to use it as a basic idea and adapt it as needed.


#!/bin/bash
# Usage: ./deploy <client name as in DNS>
HOST=$1
# Placeholders: the admin account and its password
PASSWORD=password_for_admin_uid
SECADMIN='domain\uid_with_admin_privileges'

# Is host alive ?
ping -c1 "$HOST" >/dev/null 2>&1

# If yes - let's continue
if [ $? -eq 0 ]
then

    # If host is already in active agents list - we stop. To force reload client you can comment below
    /var/ossec/bin/list_agents -c | grep -Eqi "^$HOST-"
    if [ $? -eq 0 ]
    then
        echo "$HOST is already active on this installation"
        exit 0
    fi

    # set IP and capitalize NAME of the HOST
    IP=$(host "$HOST" 2>&1 | cut -d' ' -f4)
    NAME=$(echo "$HOST" | tr '[a-z]' '[A-Z]')

    # Let's check if host has already key - if not create CSV file to import a new host and create new OSSEC ID
    # I use for the moment netmask "0.0.0.0/0" for any - you can use client IP to format mask
    OSSECID=$(grep -i " $HOST " /var/ossec/etc/client.keys | cut -d' ' -f1)
    if [ -z "$OSSECID" ]
    then
        echo "0.0.0.0/0,$NAME" > "/var/ossec/$HOST"
        # The file just written to /var/ossec/$HOST is passed as /$HOST
        /var/ossec/bin/manage_agents -f "/$HOST"
    fi

    # Let's get OSSEC ID for the client
    OSSECID=$(grep -i " $HOST " /var/ossec/etc/client.keys | cut -d' ' -f1)
    if [ -z "$OSSECID" ]
    then
        echo "Can not get OSSEC ID for client $NAME"
        exit 1
    fi

    # Extract key file for the client
    grep -E "^$OSSECID " /var/ossec/etc/client.keys > "$HOST.key"

    # Check architecture and which "Program Files" shall be used
    if [ "$(/usr/bin/winexe "--user=$SECADMIN%$PASSWORD" "//$HOST" "wmic os get osarchitecture" | grep bit | cut -d- -f1)" = "32" ]
    then
        ROOTDIR="Program Files"
    else
        ROOTDIR="Program Files (x86)"
    fi

    # Create install directory and copy the client there
    smbclient "//$HOST/c\$" "$PASSWORD" -U "$SECADMIN" -c "mkdir Install; cd Install; put ossec-agent-win32-2.8.exe"

    # Launch unattended client installation
    /usr/bin/winexe "--user=$SECADMIN%$PASSWORD" "//$HOST" 'cmd /C C:\Install\ossec-agent-win32-2.8.exe /S'

    # Copy default and properly configured ossec.conf file and extracted host key to right location
    smbclient "//$HOST/c\$" "$PASSWORD" -U "$SECADMIN" -c "cd \"$ROOTDIR\"\\ossec-agent; put ossec.conf ossec.conf; put $HOST.key client.keys"

    # To be sure - do installation as service and stop/start client
    /usr/bin/winexe "--user=$SECADMIN%$PASSWORD" "//$HOST" "cmd /C C:\\\"$ROOTDIR\"\\ossec-agent\\ossec-agent.exe install-service"
    /usr/bin/winexe "--user=$SECADMIN%$PASSWORD" "//$HOST" 'cmd /C net stop "OSSEC HIDS"'
    /usr/bin/winexe "--user=$SECADMIN%$PASSWORD" "//$HOST" 'cmd /C net start "OSSEC HIDS"'
else
    echo "Host $HOST is not online"
fi

Martynas
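
An added example, not part of any poster's script: both deployment scripts in this thread pull one agent's line out of the manager's key file by pattern match, and this function does that step by exact comparison on the name field, refusing to write a key file when the host has no entry, more than one entry, or a malformed line. It assumes the space-separated `ID NAME IP KEY` layout those scripts rely on; `extract_agent_key`, `make_sample_keys` and the sample entries are hypothetical names and constructed data.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes client.keys lines of the form
# "ID NAME IP KEY", space-separated, as the scripts in the thread rely on.

# extract_agent_key KEYS_FILE HOST OUT_FILE
# Exit status: 0 written, 1 no entry, 2 more than one entry, 3 malformed line.
extract_agent_key() {
    local keys_file="$1" host="$2" out_file="$3" matches count
    # Compare field 2 as a plain string, case-insensitively. No regex is
    # involved, so a "." in the host name matches only a literal dot.
    matches=$(awk -v h="$host" 'tolower($2) == tolower(h)' "$keys_file")
    count=$(printf '%s' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then return 1; fi
    if [ "$count" -gt 1 ]; then return 2; fi
    # Exactly four fields and a numeric agent ID, otherwise refuse to ship it.
    if ! printf '%s\n' "$matches" |
        awk 'NF != 4 || $1 !~ /^[0-9]+$/ { bad = 1 } END { exit bad }'; then
        return 3
    fi
    # The per-host file holds a shared secret: create it owner-readable only.
    ( umask 077; printf '%s\n' "$matches" > "$out_file" )
}

# Constructed sample data (keys are dummy values, not real agent keys).
make_sample_keys() {
    cat > "$1" <<'EOF'
001 WEB1 0.0.0.0/0 aaaa1111
002 WEB10 0.0.0.0/0 bbbb2222
003 DB.EXAMPLE 0.0.0.0/0 cccc3333
004 DBXEXAMPLE 0.0.0.0/0 dddd4444
005 DUP 0.0.0.0/0 eeee5555
006 DUP 0.0.0.0/0 ffff6666
007 BROKEN 0.0.0.0/0
EOF
}
```

A non-zero status means no key file was written for that host, so a deployment loop can skip the host before the agent is installed.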