[Ossec-list] RE : RE : RE : RE : RE : Installing a pre-compiled agent on another machine
- From: fcr-mailings at nerim.net (Fred)
- Date: Thu, 30 Mar 2006 12:04:12 +0200
Hello,
Thanks, it works !
As promised, here is a (very) little "How to export a pre-compiled agent":
---------------------
*** Why ? ***
For security purposes, production servers don't have compilers. So,
if you want to install OSSEC HIDS on such a machine, you must compile it
first on another machine, and then export binaries.
*** How ? ***
1) install OSSEC HIDS agent on a test machine, which has the same OS
   as the production machines
2) (optional) configure /var/ossec/etc/ossec.conf for fixed values:
   - OSSEC Server IP address
   - Rootkit detection
3) On the production server, create a group and a user "ossec":
   - user "ossec" is a non-interactive one (/sbin/nologin, "!!"
     in /etc/shadow)
4) Export the following from the test machine to the production machine:
   - Directory "/var/ossec"
   - Script "/etc/rc.d/init.d/ossec" (example if Linux, for
     auto-start at OS startup)
5) check and modify /var/ossec/etc/ossec.conf
6) go on the server, create an authentication key for each installed
   agent, and export them (as explained in the official Manual).
7) try starting agent(s)...
*** Problems ***
If agent doesn't want to start, it may be a problem of rights on
directories and files. Try to adjust them (user "root", group "ossec").
---------------------
Well, that's a first one. Feel free to correct this "how to", errors,
missing things,...
Fred
-----Original Message-----
From: ossec-list-bounces at ossec.net [mailto:ossec-list-bounces at ossec.net] On
Behalf Of Daniel Cid
Sent: Saturday, March 25, 2006 2:09 AM
To: ossec-list at ossec.net
Subject: Re: [Ossec-list] RE : RE : RE : RE : Installing a pre-compiledagent
on another machine
Hi,
I just made a change to make sure the "disabled" element works for the
active response. For now, if you just remove any "active-response" entry it
is not going to be executed.
*If you really want to make sure that nothing gets executed, just remove the
call for ossec-execd on the init script (or kill it later).
Btw, just adding to the previous discussion. There is another way to
install an agent without the compiler (I have done it before):
1- Compile the ossec in a box that has a compiler.
# tar -zxvf ossec-hids-xx.tar.gz
# cd ossec-hids-xx
# ./install.sh
2- There will be all the binaries inside ./bin/
3- Edit the file ./install.sh and remove these two commands:
-make all and make build (just add a # before them).
4- Compress your changes and move it anywhere you want to install the ossec
# cd ../
# tar -cvzf ossec-hids-xx-modifed.tar.gz ossec-hids-xx
*We should probably think of a way to make it easier :)
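
Steps 3 and 4 of the how-to above and its "Problems" note, as an added shell example that is not part of the original thread. The paths and the root/ossec ownership are taken from the how-to; the function names are hypothetical, and GNU tar and GNU stat (Linux) are assumed.

```sh
#!/bin/sh
# Added example, not from the thread. /var/ossec, /etc/rc.d/init.d/ossec and
# root:ossec ownership come from the how-to; function names are hypothetical.

# Test machine (step 4): archive the agent tree and init script.
# $1 = filesystem root to read from (normally /), $2 = output tarball.
pack_agent() {
    tar -C "$1" -czpf "$2" var/ossec etc/rc.d/init.d/ossec
}

# Production server (step 3): group plus non-interactive user. Do this before
# unpacking: as root, GNU tar maps archived owner/group names to local ids,
# and falls back to the numeric ids from the test machine if a name is missing.
create_ossec_account() {
    getent group ossec >/dev/null || groupadd ossec
    getent passwd ossec >/dev/null ||
        useradd -g ossec -d /var/ossec -s /sbin/nologin -M ossec
}

# Production server (step 4): unpack under $1 (normally /), keeping modes.
unpack_agent() {
    tar -C "$1" -xzpf "$2"
}

# "Problems" check: print each path under $1 whose owner:group is not $2:$3.
# Returns 0 when every path matches, 1 otherwise. Uses GNU stat (Linux).
audit_owner() {
    bad=$(find "$1" -exec stat -c '%U:%G %n' {} + |
          awk -v want="$2:$3" '$1 != want')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

On the production server, run as root: `create_ossec_account`, then `unpack_agent / agent.tar.gz`, then `audit_owner /var/ossec root ossec` to list any path that needs its ownership adjusted.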