How to deploy OSSEC agents using Security Onion?


Abdiel Berrocal

Feb 5, 2019, 2:05:11 PM
to security-onion
Hi, how are you? I'm new to using SO. I want to know how to deploy OSSEC agents using Security Onion. I have a friend who uses OSSIM and he has the possibility to deploy OSSEC agents to all the machines that he has in his network remotely (I mean, he is not accessing the machines and configuring them manually). So, I want to know if there is a feature in SO to do the same.

For example: in SO, just select the machine that I want to deploy the OSSEC agent to and deploy it, without accessing the machine, installing the OSSEC agent and configuring it manually. Windows machines preferably.

Kevin Branch

Feb 5, 2019, 10:05:01 PM
to securit...@googlegroups.com
Hi Abdiel,

Wazuh has replaced OSSEC in Security Onion, though because it is a fork of OSSEC you will still see the word OSSEC appear here and there.  It is very possible to mass deploy Wazuh agents across many systems, be they Windows, Linux, or other.  I've done so with most of my own clients, and just taught a class on that very topic today.  Wazuh is very powerful in this area but their documentation on the mass deployment and self-registration topic is a bit weak at this time.  Are you wanting to push out the agent to many Windows systems?  Let me know and maybe I'll be able to give you some quick pointers.

Kevin Branch
Wazuh Trainer


Abdiel Berrocal

Feb 6, 2019, 8:13:47 AM
to security-onion
Are you wanting to push out the agent to many Windows systems?

A: Yes, I need to push out the agent to many Windows systems.

Kevin Branch

Feb 7, 2019, 5:28:06 PM
to securit...@googlegroups.com
Here are steps for registering a bunch of Windows agents to report to Wazuh manager on your Security Onion Server:

1. In /var/ossec/etc/ossec.conf on your SO Server:
   - In the <auth> section, change <use_password> from no to yes
   - In the <remote> section, change <protocol> from udp to tcp
2. Activate the auth service on the SO Server:
   /var/ossec/bin/ossec-control enable auth
3. Create a shared password file on your SO Server (pick your own password) that will be used by all agents registering themselves with the Wazuh auth service:
   echo "YourSecretPassword" > /var/ossec/etc/authd.pass
4. Restart Wazuh manager on the SO server to get this all working on the server side:
   /var/ossec/bin/ossec-control restart
5. On the SO Server, allow incoming connections on the auth service tcp port:
   ufw allow 1515/tcp
6. I don't know about your network, but make sure that wherever your agents are, they are allowed to open a connection to the Security Onion server on tcp ports 1514 & 1515:
   - 1515 is for one-time registration
   - 1514 is for the ongoing connection of the agents to the manager (server)

Using the management tool of your choice, push the Wazuh installer MSI to all of your Windows systems.  The latest one that matches Security Onion can be downloaded here

Your full options for running the MSI are explained here, but here is a basic way you could have it run on your Windows systems, assuming your SO Server is listening at 10.20.30.40:
wazuh-agent-3.7.2-1.msi /q ADDRESS="10.20.30.40" AUTHD_SERVER="10.20.30.40" PROTOCOL="TCP" PASSWORD="YourSecretPassword"
After installing the MSI, stop and restart the Wazuh agent service on the Windows system:
net stop wazuh
net start wazuh

At this point your Windows systems should be registered and connected to the manager/server.  Check that by running on the SO Server:
/var/ossec/bin/agent_control -l
You are looking for registered systems reporting as Active.

Kevin


Kevin Branch

Feb 9, 2019, 11:40:36 AM
to securit...@googlegroups.com
I should have also included running "ufw allow 1514/tcp" on the SO server to allow registered agents to connect in to Wazuh manager.
Also I should have mentioned that it is important to avoid installing Wazuh agents of a version newer than what is running on your SO Server.  That means sticking with Wazuh 3.7.2 agents for now.   It is already on SO's roadmap to upgrade to Wazuh 3.8.2
Once SO is running Wazuh 3.8.2, you would have the option of using the Wazuh agent_upgrade tool on the SO Server to push upgraded agents out to already registered and connected agents.

Let me know how the deployment process works for you.  There are likely refinements called for to improve my quick procedure list.  Your feedback would be appreciated.  Ultimately this belongs in a Wiki.

Kevin
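As an added example (not Kevin's code, and not a Security Onion or Wazuh tool), here is one way to drive the MSI install from the steps above across many Windows hosts with PowerShell remoting, using the same MSI properties, the same net stop/start, and then checking that enrollment on tcp/1515 actually produced a key. The hosts.txt list, the staging paths and the client.keys location are assumptions; adapt them to your environment.

```powershell
# Added example: mass-install the Wazuh 3.7.2 agent and self-register each host
# with the Security Onion server at 10.20.30.40 (the address used in the thread).
$Manager  = "10.20.30.40"
$Password = "YourSecretPassword"            # must equal /var/ossec/etc/authd.pass on the SO server
$MsiPath  = "C:\deploy\wazuh-agent-3.7.2-1.msi"   # assumed local staging path for the MSI
$Hosts    = Get-Content -Path ".\hosts.txt"       # assumed: one hostname per line
$MsiName  = Split-Path -Path $MsiPath -Leaf

foreach ($h in $Hosts) {
    try {
        # Copy from the admin workstation through the C$ share so the remote session
        # only opens a local file (sidesteps the WinRM second-hop credential problem).
        Copy-Item -Path $MsiPath -Destination "\\$h\C$\Windows\Temp\$MsiName" -Force

        Invoke-Command -ComputerName $h -ArgumentList $MsiName, $Manager, $Password -ScriptBlock {
            param($Msi, $Mgr, $Pwd)
            $local = "C:\Windows\Temp\$Msi"
            # Same MSI properties as the thread: manager address, authd server, TCP, shared password.
            $msiArgs = "/i `"$local`" /q ADDRESS=`"$Mgr`" AUTHD_SERVER=`"$Mgr`" PROTOCOL=`"TCP`" PASSWORD=`"$Pwd`""
            $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode)" }

            # Stop/start the agent service after the install, as the thread recommends.
            net stop wazuh  | Out-Null
            net start wazuh | Out-Null

            # Registration over tcp/1515 writes client.keys; an empty or missing file means
            # the authd password or reachability of the manager should be checked.
            $keyFile = "C:\Program Files (x86)\ossec-agent\client.keys"   # assumed install dir
            if (-not (Test-Path $keyFile) -or (Get-Item $keyFile).Length -eq 0) {
                throw "no client.keys written; check authd.pass and reachability of ${Mgr}:1515"
            }
            Remove-Item -Path $local -Force
        }
        Write-Host "${h}: agent installed and registered"
    } catch {
        Write-Warning "${h}: $($_.Exception.Message)"
    }
}
```

The PASSWORD property puts the shared authd password on the msiexec command line of every host, so keep it out of deployment tools that log command lines and change the value in /var/ossec/etc/authd.pass once the rollout is done; agents already holding a client.keys entry do not need it again.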

Abdiel Berrocal

Feb 9, 2019, 11:47:59 AM
to security-onion
Thank you for the information. I will be working on what you explained here.