Windows installation - attempting mass deployment


GeorgeY

Aug 6, 2010, 3:24:25 AM
to ossec-list
Hi all,

New to the group and to Ossec.
Thank you all for some pretty informative posts. I apologise if this
is another one of those "How do I mass deploy ossec-agent to xxx
number of Windows systems in my network".
Basically, from what I have read in this discussion group - it is not
possible to mass deploy it as there are reg keys involved and a
service needs to be registered on the target host. Also, agentless
monitoring does not support Windows and it's more for SSH type devices.
Then I stumbled upon this post
http://groups.google.com/group/ossec-list/browse_thread/thread/a1a223f2e51461cb/ffb49fb6bb7ca3cf?lnk=gst&q=silent+install#ffb49fb6bb7ca3cf.

Question - has anyone attempted this and got it to work? I am a little
lost after looking at the guide on Michael's website as I am not very
familiar with *nix platforms but would like to try this since the
ossec server itself is sitting on a Solaris box. Can anyone share
their experiences?

Thanks

smokey

Aug 8, 2010, 6:21:40 AM
to ossec-list
This shouldn't be a problem, but it will involve some additional
scripting...

My scenario would be:
1. Create MSI package
2. Deploy through GPO
3. Create default config, use xcopy to copy config file to computers
4. Import auth. key: manage_agent.exe -i agentkey

Cheers!


On Aug 6, 9:24 am, GeorgeY <george....@gmail.com> wrote:
> Hi all,
>
> New to the group and to Ossec.
> Thank you all for some pretty informative posts. I apologise if this
> is another one of those "How do I mass deploy ossec-agent to xxx
> number of Windows systems in my network".
> Basically, from what I have read in this discussion group - it is not
> possible to mass deploy it as there are reg keys involved and a
> service needs to be registered on the target host. Also, agentless
> monitoring does not support Windows and it's more for SSH type devices.
> Then I stumbled upon this post http://groups.google.com/group/ossec-list/browse_thread/thread/a1a223....

GeorgeY

Aug 9, 2010, 2:28:01 AM
to ossec-list
Hi Smokey,

Thanks very much for your reply.
I should be able to use the MSI package that comes with the new
version?

Michael Starks

Aug 9, 2010, 4:29:10 PM
to ossec...@googlegroups.com

> Thanks very much for your reply.
> I should be able to use the MSI package that comes with the new
> version?

I made some changes/bug fixes to the OSSEC Windows installer for the
express purpose of facilitating mass installs better. You should see them
in the next release. It's not an MSI package, but it most likely can be
converted to one with one of the many tools out there. Key management is
still out-of-band at the moment.

--
Michael Starks
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com

smokey

Aug 10, 2010, 5:54:35 AM
to ossec-list
Well if manage_agent.exe would support /y switch (force adding new
agent silently) then everything would be much easier.

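For example, running a shell command during computer startup in Windows:

'create the helper objects the script relies on
Set WSNetwork = CreateObject("WScript.Network")
Set WSShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'get computer name
strComputerName = WSNetwork.ComputerName

'open key file (the file is named after the computer)
Set objFile = objFSO.OpenTextFile(strComputerName, 1)
strAgentKey = objFile.ReadLine
objFile.Close

'add agent key (-y is the silent switch wished for above)
WSShell.Run "manage_agent.exe -i -y " & strAgentKey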


D.B.




GeorgeY

Aug 10, 2010, 10:48:39 PM
to ossec-list
I am trying to create my own msi to install ossec.
As per Dean's recommendation, I'll test the installation of the MSI on
one PC and then manually import the auth keys afterwards.
I included the entire "ossec-agent" folder in Program Files into the
MSI and am currently stuck at which registry keys are needed on the
target host?
Obviously I would like it to be added as a service as well.
Has anyone attempted this and can point me towards the required keys?

Currently, I have spotted the following hives

HKLM > Software > ossec
HKLM > System > ControlSet001 > Services > OssecSvc
HKLM > System > ControlSet002 > Services > OssecSvc
HKLM > System > CurrentControlSet > Services > OssecSvc

but there seem to be a couple of keys specified under

HKLM > System > CurrentControlSet > Enum > Root > LEGACY_OSSECSVC

Are these needed as well?

Michael Starks

Aug 10, 2010, 10:36:49 PM
to ossec...@googlegroups.com
On 08/10/2010 04:54 AM, smokey wrote:
> Well if manage_agent.exe would support /y switch (force adding new
> agent silently) then everything would be much easier.

You don't necessarily need this tool. You can create the client.keys
file on the Windows box in the ossec-agent directory. Just put the line
for that particular agent from the manager client.keys file in there.
Then restart OSSEC on the agent. I have a batch file which does this all
remotely which I will release when I have a chance to clean it up and
test it some more.

--
Michael Starks
[I] Immutable Security

http://www.immutablesecurity.com

smokey

Aug 13, 2010, 5:24:55 AM
to ossec-list
Michael, thanks for the tip;)

@GeorgeY: I'm using wininstall LE for creating MSI packages.


D.B.


Jason Mantor

Aug 12, 2010, 6:01:37 PM
to ossec...@googlegroups.com
What tool would you recommend?
I've been thinking about WixEdit, but I'm not really sure where to start.

GeorgeY

Aug 16, 2010, 6:12:11 AM
to ossec-list
@D.B.: did you use wininstall LE for ossec? The one I created using
"Advanced Installer" was corrupt - it installed but could not get the
service created and not too sure about the reg keys too.

CYBORG

Oct 8, 2010, 3:33:24 AM
to ossec-list
What tool do you use to generate the client.keys file in
C:\Program Files\ossec-agent ?

I have a key (generated by the ossec server)
MDQ4IHNiMSAxMC4xODAuNzQuNCBlNTcyMDFkMTkzMjc4ZThlNTlhOWY4OTJiOGUzZTliMmY3NDM2YzIzNmNjNjEyOTlkOGQyNjYxZmY2NDBlYmQ

Then I try to write this line in client.keys:
041 xx5-xxx 10.180.74.3
MDQ4IHNiMSAxMC4xODAuNzQuNCBlNTcyMDFkMTkzMjc4ZThlNTlhOWY4OTJiOGUzZTliMmY3NDM2YzIzNmNjNjEyOTlkOGQyNjYxZmY2NDBlYmQ

and..... ossec-agent NOT started!

If I use the C:\Program Files\ossec-agent\manage_agents tool to import
this key - it WORKS, but the client.keys file changes to
041 xx5-xxx 10.180.74.3
e57201d193278e8e59a9f892b8e3e9b2f7436c236cc61299d8d2661ff640ebd1

Question: how can I write an AGENT_KEY to multiple agents in a Windows
domain without the C:\Program Files\ossec-agent\manage_agents tool?

Michael Starks

Oct 8, 2010, 9:12:10 AM
to ossec...@googlegroups.com

On Fri, 8 Oct 2010 00:33:24 -0700 (PDT), CYBORG <vazh...@gmail.com>
wrote:
> What tool do you use to generate the client.keys file in
> C:\Program Files\ossec-agent ?
>
> I have a key (generated by the ossec server)
>
> MDQ4IHNiMSAxMC4xODAuNzQuNCBlNTcyMDFkMTkzMjc4ZThlNTlhOWY4OTJiOGUzZTliMmY3NDM2YzIzNmNjNjEyOTlkOGQyNjYxZmY2NDBlYmQ

That is the BASE64 representation of the agent ID, agent name, IP and key.
Your key has been compromised by posting it here. Time to change it!

> If I use the C:\Program Files\ossec-agent\manage_agents tool to import
> this key - it WORKS, but the client.keys file changes to
> 041 xx5-xxx 10.180.74.3
> e57201d193278e8e59a9f892b8e3e9b2f7436c236cc61299d8d2661ff640ebd1

To use it directly in client.keys on the agent, just use the exact same
line as is on the manager client.keys.

> Question: how can I write an AGENT_KEY to multiple agents in a Windows
> domain without the C:\Program Files\ossec-agent\manage_agents tool?

This is a simple matter of remotely editing files and restarting the OSSEC
service. There should be a couple of solutions to help automate that for
2WoO.

--
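
Added example (not part of the original thread and not OSSEC project code): a Python sketch, meant to run on the manager, that decodes the base64 export into the `<id> <name> <ip> <key>` line discussed above and stages a one-line client.keys per agent, as described in the replies about copying the manager's line to the agent. The function names, the 64-hex-character key check, the agent-name character set and the staging directory layout are assumptions; the sample keys are constructed.

```python
import base64
import os
import re

# client.keys line layout as shown in the thread: "<id> <name> <ip> <key>".
# The character classes are assumptions; the name class also blocks "../" paths.
LINE_RE = re.compile(r"^(\d{3,}) ([A-Za-z0-9][A-Za-z0-9_.-]*) (\S+) ([0-9a-f]{64})$")


def decode_export(blob: str) -> str:
    """Turn the base64 string shown by manage_agents into a client.keys line."""
    blob = "".join(blob.split())                 # undo mail/terminal line wrapping
    blob += "=" * (-len(blob) % 4)               # restore padding lost in copy/paste
    line = base64.b64decode(blob, validate=True).decode("ascii").strip()
    if not LINE_RE.match(line):
        # Never echo the decoded text: it contains the secret key.
        raise ValueError("decoded text is not '<id> <name> <ip> <key>'")
    return line


def line_for_agent(manager_keys: str, agent_name: str) -> str:
    """Pick the single line for agent_name out of the manager's client.keys text."""
    hits = [l.strip() for l in manager_keys.splitlines()
            if (m := LINE_RE.match(l.strip())) and m.group(2) == agent_name]
    if len(hits) != 1:
        raise LookupError(f"expected 1 entry for {agent_name!r}, found {len(hits)}")
    return hits[0]


def stage_client_keys(line: str, out_dir: str) -> str:
    """Write a one-line client.keys for one agent, readable by the owner only."""
    name = LINE_RE.match(line).group(2)
    agent_dir = os.path.join(out_dir, name)
    os.makedirs(agent_dir, mode=0o700, exist_ok=True)
    path = os.path.join(agent_dir, "client.keys")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line + "\n")
    return path


# Constructed sample data (not real keys).
SAMPLE_MANAGER_KEYS = (
    "001 win-host-01 192.0.2.10 " + "ab" * 32 + "\n"
    "002 win-host-02 192.0.2.11 " + "cd" * 32 + "\n"
)
SAMPLE_EXPORT = base64.b64encode(
    SAMPLE_MANAGER_KEYS.splitlines()[0].encode()).decode().rstrip("=")
```

The staged files hold live agent keys, so the staging directory and whatever copies them to the Windows hosts need the same protection as the manager's own client.keys.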