The ossec-authd daemon will automatically add an agent to an OSSEC manager and provide the key to the agent. The agent-auth application is the client application used with ossec-authd. ossec-authd will create an agent with an ip address of any instead of using its actual IP.
Warning
By default there is no authentication or authorization involved in this transaction, so it is recommended that this daemon only be run when a new agent is being added.
-D
<dir>
¶chroot to <dir>
.
-d
¶Execute ossec-authd in debug mode. This option can be used multiple times to increase the verbosity of the debug messages.
-g
<group>
¶Run as group
.
-h
¶Display a help message.
-i
¶Add agents with a specific IP address instead of using any
.
-k
<path>
¶Full path to the server key.
-p
<port>
¶Listen on port.
Default 1515
-t
¶Test the configuration.
-V
¶Display OSSEC Version and license information.
-v
<path>
¶Full path to the CA certificate used to verify the clients.
Note
This option is available in OSSEC 2.9.
-x
<path>
¶Full path to the server certificate.
Note
This option is available in OSSEC 2.9.
ossec-authd
requires SSL keys to run. This process will create the necessary keys in /var/ossec/etc
and allow ossec-authd
to start:
# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
Without the key ossec-authd
will give the following error:
[user@ossec-manager] :; sudo /var/ossec/bin/ossec-authd
2012/04/18 11:05:01 ossec-authd: INFO: Started (pid: 20669).
2012/04/18 11:05:01 ossec-authd: ERROR: Unable to read certificate file (not found): /var/ossec/etc/sslmanager.cert
2012/04/18 11:05:01 ossec-authd: ERROR: SSL error. Exiting.
If the default locations of /var/ossec/etc/sslmanager.cert and /var/ossec/etc/sslmanager.key are not suitable then the -x and -k options can be used to specify alternative locations.
ossec-authd
can verify that connecting agents present a valid X.509 certificate when requesting a key. This is optional
and is only useful if hosts in your environment are assigned certificates when they’re provisioned (or at some point before
being added to OSSEC). If agent certificate verification is desired then the relevant CA certificate must be loaded with the
-v option. This will cause ossec-authd
to verify that agents present a valid certificate when requesting a key. If an
agent does not present a certificate or presents an invalid certificate then the agent will not be allocated a key.
A certificate presented by an agent may be found to be invalid for the following reasons:
It was not signed by the specified CA.
It is expired.
# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
And the logs when an agent is added:
2011/01/19 15:04:40 ossec-authd: INFO: New connection from 192.168.10.5
2011/01/19 15:04:41 ossec-authd: INFO: Received request for a new agent (example-agent) from: 192.168.10.5
2011/01/19 15:04:41 ossec-authd: INFO: Agent key generated for example-agent (requested by 192.168.10.5)
2011/01/19 15:04:41 ossec-authd: INFO: Agent key created for example-agent (requested by 192.168.10.5)
# /var/ossec/bin/ossec-authd -v /var/ossec/etc/CA.cert -d
If debug output is enabled then “Peer verification requested” will be displayed when starting.
2014/06/07 17:04:56 ossec-authd: DEBUG: Starting ...
2014/06/07 17:04:56 ossec-authd: INFO: Started (pid: 2043).
2014/06/07 17:04:56 ossec-authd: DEBUG: Peer verification requested.
2014/06/07 17:04:56 ossec-authd: DEBUG: Returning CTX for server.
2014/06/07 17:04:56 ossec-authd: DEBUG: Going into listening mode.
2014/06/07 17:04:58 ossec-authd: INFO: New connection from 192.168.10.5
2014/06/07 17:04:58 ossec-authd: INFO: Received request for a new agent (example-agent) from: 192.168.10.5
2014/06/07 17:04:58 ossec-authd: INFO: Agent key generated for example-agent (requested by 192.168.10.5)
2014/06/07 17:04:58 ossec-authd: INFO: Agent key created for example-agent (requested by 192.168.10.5)
2014/06/07 17:04:58 ossec-authd: DEBUG: Process 2044 exited