ossec

[root@server ~]# yum install epel-release -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.fibergrid.in
* epel: epel.mirror.net.in
* extras: mirror.fibergrid.in
* updates: mirror.fibergrid.in
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================================
Installing:
epel-release noarch 7-8 epel 14 k

Transaction Summary
================================================================================================================================================
Install 1 Package

Total download size: 14 k
Installed size: 24 k
Downloading packages:
epel-release-7-8.noarch.rpm | 14 kB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-8.noarch 1/1
warning: /etc/yum.repos.d/epel-testing.repo created as /etc/yum.repos.d/epel-testing.repo.rpmnew
warning: /etc/yum.repos.d/epel.repo created as /etc/yum.repos.d/epel.repo.rpmnew
Verifying : epel-release-7-8.noarch 1/1

Installed:
epel-release.noarch 0:7-8

Complete!
[root@server ~]# wget https://www.atomicorp.com/installers/atomic && sudo chmod +x atomic && sudo ./atomic
--2016-11-20 10:50:30--  https://www.atomicorp.com/installers/atomic
Resolving www.atomicorp.com (www.atomicorp.com)... 74.208.77.16
Connecting to www.atomicorp.com (www.atomicorp.com)|74.208.77.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10549 (10K) [text/plain]
Saving to: ‘atomic’

100%[======================================================================================================>] 10,549 --.-K/s in 0s

2016-11-20 10:50:32 (51.5 MB/s) - ‘atomic’ saved [10549/10549]
Atomic Free Unsupported Archive installer, version 3.0.1

BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:

THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE
COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED
BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

For supported software packages please contact us at:

sales@atomicorp.com

Do you agree to these terms? (yes/no) [Default: yes] yes

Configuring the [atomic] repo archive for this system

Installing the Atomic GPG keys: OK

Downloading atomic-release-1.0-21.el7.art.noarch.rpm: Preparing... ################################# [100%]
Updating / installing...
1:atomic-release-1.0-21.el7.art ################################# [100%]
OK

Enable repo by default? (yes/no) [Default: yes]: yes
The Atomic repo has now been installed and configured for your system
The following channels are available:
atomic - [ACTIVATED] - contains the stable tree of ART packages
atomic-testing - [DISABLED] - contains the testing tree of ART packages
atomic-bleeding - [DISABLED] - contains the development tree of ART packages
[root@server ~]# yum install ossec-hids ossec-hids-server -y
Loaded plugins: fastestmirror
atomic | 3.4 kB 00:00:00
atomic/7/x86_64/primary_db | 833 kB 00:00:19
Loading mirror speeds from cached hostfile
* atomic: www4.atomicorp.com
* base: mirror.fibergrid.in
* epel: epel.mirror.net.in
* extras: mirror.fibergrid.in
* updates: mirror.fibergrid.in
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.8.3-53.el7.art will be installed
--> Processing Dependency: inotify-tools for package: ossec-hids-2.8.3-53.el7.art.x86_64
---> Package ossec-hids-server.x86_64 0:2.8.3-53.el7.art will be installed
--> Processing Dependency: perl(Digest::MD5) for package: ossec-hids-server-2.8.3-53.el7.art.x86_64
--> Processing Dependency: perl(DBI) for package: ossec-hids-server-2.8.3-53.el7.art.x86_64
--> Processing Dependency: libGeoIP.so.1()(64bit) for package: ossec-hids-server-2.8.3-53.el7.art.x86_64
--> Running transaction check
---> Package GeoIP.x86_64 0:1.6.9-2.el7.art will be installed
--> Processing Dependency: geoipupdate for package: GeoIP-1.6.9-2.el7.art.x86_64
--> Processing Dependency: GeoIP-data for package: GeoIP-1.6.9-2.el7.art.x86_64
---> Package inotify-tools.x86_64 0:3.14-8.el7 will be installed
---> Package perl-DBI.x86_64 0:1.627-4.el7 will be installed
--> Processing Dependency: perl(RPC::PlServer) >= 0.2001 for package: perl-DBI-1.627-4.el7.x86_64
--> Processing Dependency: perl(RPC::PlClient) >= 0.2000 for package: perl-DBI-1.627-4.el7.x86_64
--> Processing Dependency: perl(Data::Dumper) for package: perl-DBI-1.627-4.el7.x86_64
---> Package perl-Digest-MD5.x86_64 0:2.52-3.el7 will be installed
--> Processing Dependency: perl(Digest::base) >= 1.00 for package: perl-Digest-MD5-2.52-3.el7.x86_64
--> Running transaction check
---> Package GeoIP-GeoLite-data.noarch 0:2016.04-1.el7.art will be installed
--> Processing Dependency: GeoIP-GeoLite-data-extra = 2016.04-1.el7.art for package: GeoIP-GeoLite-data-2016.04-1.el7.art.noarch
---> Package geoipupdate.x86_64 0:2.2.2-2.el7.art will be installed
---> Package perl-Data-Dumper.x86_64 0:2.145-3.el7 will be installed
---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed
---> Package perl-PlRPC.noarch 0:0.2020-14.el7 will be installed
--> Processing Dependency: perl(Net::Daemon) >= 0.13 for package: perl-PlRPC-0.2020-14.el7.noarch
--> Processing Dependency: perl(Net::Daemon::Test) for package: perl-PlRPC-0.2020-14.el7.noarch
--> Processing Dependency: perl(Net::Daemon::Log) for package: perl-PlRPC-0.2020-14.el7.noarch
--> Processing Dependency: perl(Compress::Zlib) for package: perl-PlRPC-0.2020-14.el7.noarch
--> Running transaction check
---> Package GeoIP-GeoLite-data-extra.noarch 0:2016.04-1.el7.art will be installed
---> Package perl-IO-Compress.noarch 0:2.061-2.el7 will be installed
--> Processing Dependency: perl(Compress::Raw::Zlib) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch
--> Processing Dependency: perl(Compress::Raw::Bzip2) >= 2.061 for package: perl-IO-Compress-2.061-2.el7.noarch
---> Package perl-Net-Daemon.noarch 0:0.48-5.el7 will be installed
--> Running transaction check
---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 will be installed
---> Package perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================================
Installing:
ossec-hids x86_64 2.8.3-53.el7.art atomic 68 k
ossec-hids-server x86_64 2.8.3-53.el7.art atomic 703 k
Installing for dependencies:
GeoIP x86_64 1.6.9-2.el7.art atomic 117 k
GeoIP-GeoLite-data noarch 2016.04-1.el7.art atomic 385 k
GeoIP-GeoLite-data-extra noarch 2016.04-1.el7.art atomic 24 M
geoipupdate x86_64 2.2.2-2.el7.art atomic 30 k
inotify-tools x86_64 3.14-8.el7 epel 50 k
perl-Compress-Raw-Bzip2 x86_64 2.061-3.el7 base 32 k
perl-Compress-Raw-Zlib x86_64 1:2.061-4.el7 base 57 k
perl-DBI x86_64 1.627-4.el7 base 802 k
perl-Data-Dumper x86_64 2.145-3.el7 base 47 k
perl-Digest noarch 1.17-245.el7 base 23 k
perl-Digest-MD5 x86_64 2.52-3.el7 base 30 k
perl-IO-Compress noarch 2.061-2.el7 base 260 k
perl-Net-Daemon noarch 0.48-5.el7 base 51 k
perl-PlRPC noarch 0.2020-14.el7 base 36 k

Transaction Summary
================================================================================================================================================
Install 2 Packages (+14 Dependent packages)

Total download size: 26 M
Installed size: 58 M
Downloading packages:
(1/16): GeoIP-GeoLite-data-2016.04-1.el7.art.noarch.rpm | 385 kB 00:00:06
(2/16): inotify-tools-3.14-8.el7.x86_64.rpm | 50 kB 00:00:07
(3/16): ossec-hids-2.8.3-53.el7.art.x86_64.rpm | 68 kB 00:00:01
(4/16): GeoIP-1.6.9-2.el7.art.x86_64.rpm | 117 kB 00:00:18
(5/16): geoipupdate-2.2.2-2.el7.art.x86_64.rpm | 30 kB 00:00:18
(6/16): perl-Compress-Raw-Zlib-2.061-4.el7.x86_64.rpm | 57 kB 00:00:00
(7/16): perl-Data-Dumper-2.145-3.el7.x86_64.rpm | 47 kB 00:00:00
(8/16): perl-Digest-1.17-245.el7.noarch.rpm | 23 kB 00:00:00
(9/16): perl-Digest-MD5-2.52-3.el7.x86_64.rpm | 30 kB 00:00:00
(10/16): perl-IO-Compress-2.061-2.el7.noarch.rpm | 260 kB 00:00:01
(11/16): perl-Net-Daemon-0.48-5.el7.noarch.rpm | 51 kB 00:00:00
(12/16): perl-PlRPC-0.2020-14.el7.noarch.rpm | 36 kB 00:00:00
(13/16): ossec-hids-server-2.8.3-53.el7.art.x86_64.rpm | 703 kB 00:00:26
(14/16): perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64.rpm | 32 kB 00:00:25
(15/16): perl-DBI-1.627-4.el7.x86_64.rpm | 802 kB 00:00:33
(16/16): GeoIP-GeoLite-data-extra-2016.04-1.el7.art.noarch.rpm | 24 MB 00:02:12
--------------------------------------------------------------------------------
Total 204 kB/s | 26 MB 00:02:12
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : GeoIP-GeoLite-data-extra-2016.04-1.el7.art.noarch 1/16
Installing : GeoIP-GeoLite-data-2016.04-1.el7.art.noarch 2/16
Installing : perl-Net-Daemon-0.48-5.el7.noarch 3/16
Installing : perl-Digest-1.17-245.el7.noarch 4/16
Installing : perl-Digest-MD5-2.52-3.el7.x86_64 5/16
Installing : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64 6/16
Installing : geoipupdate-2.2.2-2.el7.art.x86_64 7/16
Installing : GeoIP-1.6.9-2.el7.art.x86_64 8/16
Installing : inotify-tools-3.14-8.el7.x86_64 9/16
Installing : ossec-hids-2.8.3-53.el7.art.x86_64 10/16
Installing : perl-Data-Dumper-2.145-3.el7.x86_64 11/16
Installing : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64 12/16
Installing : perl-IO-Compress-2.061-2.el7.noarch 13/16
Installing : perl-PlRPC-0.2020-14.el7.noarch 14/16
Installing : perl-DBI-1.627-4.el7.x86_64 15/16
Installing : ossec-hids-server-2.8.3-53.el7.art.x86_64 16/16
Restarting ossec-hids (via systemctl): [ OK ]
Verifying : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64 1/16
Verifying : ossec-hids-2.8.3-53.el7.art.x86_64 2/16
Verifying : GeoIP-1.6.9-2.el7.art.x86_64 3/16
Verifying : ossec-hids-server-2.8.3-53.el7.art.x86_64 4/16
Verifying : perl-Data-Dumper-2.145-3.el7.x86_64 5/16
Verifying : inotify-tools-3.14-8.el7.x86_64 6/16
Verifying : perl-Digest-MD5-2.52-3.el7.x86_64 7/16
Verifying : geoipupdate-2.2.2-2.el7.art.x86_64 8/16
Verifying : perl-IO-Compress-2.061-2.el7.noarch 9/16
Verifying : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64 10/16
Verifying : GeoIP-GeoLite-data-2016.04-1.el7.art.noarch 11/16
Verifying : perl-Digest-1.17-245.el7.noarch 12/16
Verifying : perl-DBI-1.627-4.el7.x86_64 13/16
Verifying : perl-Net-Daemon-0.48-5.el7.noarch 14/16
Verifying : perl-PlRPC-0.2020-14.el7.noarch 15/16
Verifying : GeoIP-GeoLite-data-extra-2016.04-1.el7.art.noarch 16/16

Installed:
ossec-hids.x86_64 0:2.8.3-53.el7.art ossec-hids-server.x86_64 0:2.8.3-53.el7.art

Dependency Installed:
GeoIP.x86_64 0:1.6.9-2.el7.art GeoIP-GeoLite-data.noarch 0:2016.04-1.el7.art GeoIP-GeoLite-data-extra.noarch 0:2016.04-1.el7.art
geoipupdate.x86_64 0:2.2.2-2.el7.art inotify-tools.x86_64 0:3.14-8.el7 perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-Data-Dumper.x86_64 0:2.145-3.el7
perl-Digest.noarch 0:1.17-245.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7 perl-IO-Compress.noarch 0:2.061-2.el7
perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7

Complete!

[root@server ~]# service ossec-hids start
Starting ossec-hids (via systemctl): [ OK ]

[root@server ~]# service ossec-hids status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 2756 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
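The status output above is worth reading carefully before moving on to the agent: every daemon reports "is running" except ossec-remoted, which is the one that accepts agent connections (UDP 1514 by default), so the agent built in the next section cannot register until it is started (the reason is normally in /var/ossec/logs/ossec.log). The following script is an added example, not part of the page or of OSSEC; it parses a constructed copy of that status output and lists the server daemons that are not running, so the same check can be scripted after every install or restart. The set of daemons treated as required is an assumption made here.

```python
import re

# Constructed sample: the `service ossec-hids status` output shown above,
# with the three-dot ellipses the control script actually prints.
STATUS_OUTPUT = """ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 2756 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
"""

# Only the "<daemon> is running" / "<daemon> not running" lines carry state;
# the stale-pid message ("ossec-remoted: Process ...") is deliberately skipped.
STATUS_RE = re.compile(r"^(ossec-[a-z]+) (is running|not running)")

# Assumption for this example: the daemons a server needs before agents can
# report in and active responses can run (ossec-maild only matters for e-mail).
SERVER_REQUIRED = ("ossec-analysisd", "ossec-remoted", "ossec-logcollector",
                   "ossec-syscheckd", "ossec-execd")


def parse_status(text):
    """Map each daemon named in the status output to True (running) or False."""
    state = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            state[m.group(1)] = m.group(2) == "is running"
    return state


def missing_daemons(text, required=SERVER_REQUIRED):
    """Sorted names of required daemons that the output does not report as running."""
    state = parse_status(text)
    return sorted(d for d in required if not state.get(d, False))


if __name__ == "__main__":
    for daemon in missing_daemons(STATUS_OUTPUT):
        print("not running:", daemon)
```

Feeding it the real output (`service ossec-hids status | python3 check_status.py` after replacing the constant with `sys.stdin.read()`) turns a glance at eight lines into an exit condition a deployment script can act on.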

[root@server ~]# ls /usr/share/ossec/contrib/
active-list.pl compile_alerts.txt ossec2mysqld.pl ossec-batch-manager.pl ossec_report_contrib.pl util.sh
add_localfile.sh config2xml ossec2mysql.pl ossec-eps.sh ossec_report.txt
compile_alerts.pl ossec2mysql.conf ossec2mysql.sql ossecmysql.pm ossectop.pl
[root@server ~]# ls /var/ossec/
active-response agentless bin etc logs queue rules stats tmp var

[root@server ~]# ls /var/ossec/etc/
decoders.d/ internal_options.conf.orig ossec.conf.sample shared/
decoder.xml localtime ossec-server.conf templates/
internal_options.conf ossec.conf rules.d/
[root@server ~]# cat /var/ossec/etc/ossec.conf

<!-- OSSEC example config -->

<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>daniel.cid@xxx.com</email_to>
<smtp_server>smtp.xxx.com.</smtp_server>
<email_from>ossecm@ossec.xxx.com.</email_from>
</global>

<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>72000</frequency>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
</syscheck>

<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>

<global>
<white_list>127.0.0.1</white_list>
<white_list>192.168.2.1</white_list>
<white_list>192.168.2.190</white_list>
<white_list>192.168.2.32</white_list>
<white_list>192.168.2.10</white_list>
</global>

<remote>
<connection>secure</connection>
</remote>

<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>

<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

<!-- Files to monitor (localfiles) -->

<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/authlog</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/xferlog</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/www/logs/access_log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/www/logs/error_log</location>
</localfile>
</ossec_config>
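The ossec.conf above is the stock example shipped with the package, and two things in it deserve a second look before agents are pointed at this server. Both active responses (host-deny and firewall-drop) fire at level 6 while email_alert_level is 7, so an IP can be blocked for 600 seconds without anyone receiving an e-mail about it; and /var/log/authlog and /var/www/logs/ are sample paths that do not exist on a stock CentOS 7 host (Apache logs there live under /var/log/httpd/). The script below is an added example, not code from the page or from OSSEC: it parses a constructed ossec.conf with the same layout as the one above and reports exactly those kinds of findings (responses that fire below the e-mail threshold, responses referencing an undefined command, blocks with no effective timeout, missing log files, a white_list without 127.0.0.1). The sample config, the finding texts and the injectable path_exists parameter are all assumptions of this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample with the same layout as the server ossec.conf above
# (mail settings dropped, IPs kept); it is not the file from the page.
SAMPLE_CONF = """<!-- OSSEC example config -->
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.2.1</white_list>
  </global>
  <remote><connection>secure</connection></remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <command>
    <name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name><executable>firewall-drop.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command><location>local</location>
    <level>6</level><timeout>600</timeout>
  </active-response>
  <localfile>
    <log_format>syslog</log_format><location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format><location>/var/www/logs/access_log</location>
  </localfile>
</ossec_config>
"""


def parse_ossec_conf(text):
    """Parse ossec.conf into a plain dict; repeated blocks (such as the two
    <global> sections in the page's file) are merged, as OSSEC reads them."""
    root = ET.fromstring(text)
    conf = {
        "white_list": [w.text.strip() for w in root.iter("white_list")],
        "remote_connections": [c.text for c in root.iterfind("remote/connection")],
        "email_alert_level": int(root.findtext("alerts/email_alert_level", "7")),
        "commands": {}, "active_responses": [], "localfiles": [],
    }
    for c in root.iterfind("command"):
        conf["commands"][c.findtext("name")] = {
            "expect": c.findtext("expect"),
            "timeout_allowed": c.findtext("timeout_allowed") == "yes"}
    for ar in root.iterfind("active-response"):
        timeout = ar.findtext("timeout")
        conf["active_responses"].append({
            "command": ar.findtext("command"), "level": int(ar.findtext("level", "0")),
            "timeout": int(timeout) if timeout else None})
    for lf in root.iterfind("localfile"):
        conf["localfiles"].append((lf.findtext("log_format"), lf.findtext("location")))
    return conf


def lint_config(conf, path_exists=os.path.exists):
    """Reviewer findings: dangling command references, permanent blocks, blocks
    that fire below the e-mail threshold, and log files missing on this host.
    path_exists is injectable so the check can run against a sample offline."""
    findings = []
    if "127.0.0.1" not in conf["white_list"]:
        findings.append("white_list lacks 127.0.0.1: active response may block the server itself")
    if "secure" not in conf["remote_connections"]:
        findings.append("no <remote><connection>secure</connection>: agents cannot connect")
    for ar in conf["active_responses"]:
        name, cmd = ar["command"], conf["commands"].get(ar["command"])
        if cmd is None:
            findings.append(f"active-response '{name}' references an undefined <command>")
            continue
        if ar["timeout"] is None or not cmd["timeout_allowed"]:
            findings.append(f"active-response '{name}' has no effective timeout: blocks are permanent")
        if ar["level"] < conf["email_alert_level"]:
            findings.append(f"active-response '{name}' fires at level {ar['level']} but e-mail "
                            f"starts at level {conf['email_alert_level']}: blocks below that "
                            "level are logged but not e-mailed")
    for fmt, path in conf["localfiles"]:
        if not path_exists(path):
            findings.append(f"localfile {path} ({fmt}) does not exist on this host")
    return findings


if __name__ == "__main__":
    for finding in lint_config(parse_ossec_conf(SAMPLE_CONF)):
        print("finding:", finding)
```

To run it against the real file, read /var/ossec/etc/ossec.conf into `parse_ossec_conf` instead of SAMPLE_CONF. One caveat: OSSEC accepts several `<ossec_config>` blocks in one file, which is not well-formed XML; wrap the text in a synthetic root element before parsing if the file has more than one.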


=================================================

[root@agent ~]# wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
--2016-11-20 13:42:21--  https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
Resolving bintray.com (bintray.com)... 108.168.194.93
Connecting to bintray.com (bintray.com)|108.168.194.93|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://dl.bintray.com/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz [following]
--2016-11-20 13:42:37--  https://dl.bintray.com/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
Resolving dl.bintray.com (dl.bintray.com)... 108.168.243.150
Connecting to dl.bintray.com (dl.bintray.com)|108.168.243.150|:443... connected.
HTTP request sent, awaiting response... 302
Location: https://akamai.bintray.com/87/87c7a1904d5c08c7cff3e42bd47c055b14b08faa?__gda__=exp=1479699458~hmac=d3cbdf05a2556aa2c77179026d832b781c62da173456971fc71e91947dfa5381&response-content-disposition=attachment%3Bfilename%3D%22ossec-hids-2.8.3.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX1_jsHP6GZQhKi8q7ts5h6dmA3ODfse49KFVaAyYJZELZikrsEDfagC3KG1G8o64Y7Hw9c1axr21Szi0IgFgBZ8p9Hvbg8eTuWdlvF5A_iNUvq92bkHj8jdD [following]
--2016-11-20 13:42:43--  https://akamai.bintray.com/87/87c7a1904d5c08c7cff3e42bd47c055b14b08faa?__gda__=exp=1479699458~hmac=d3cbdf05a2556aa2c77179026d832b781c62da173456971fc71e91947dfa5381&response-content-disposition=attachment%3Bfilename%3D%22ossec-hids-2.8.3.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX1_jsHP6GZQhKi8q7ts5h6dmA3ODfse49KFVaAyYJZELZikrsEDfagC3KG1G8o64Y7Hw9c1axr21Szi0IgFgBZ8p9Hvbg8eTuWdlvF5A_iNUvq92bkHj8jdD
Resolving akamai.bintray.com (akamai.bintray.com)... 104.120.161.132
Connecting to akamai.bintray.com (akamai.bintray.com)|104.120.161.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1642095 (1.6M) [application/gzip]
Saving to: ‘ossec-hids-2.8.3.tar.gz’

100%[======================================================================================================>] 16,42,095 263KB/s in 6.0s

2016-11-20 13:42:53 (265 KB/s) - ‘ossec-hids-2.8.3.tar.gz’ saved [1642095/1642095]
[root@agent ~]# tar -xvf ossec-hids-2.8.3.tar.gz

[root@agent ~]# cd ossec-hids-2.8.3/
[root@agent ossec-hids-2.8.3]# ll
total 100
drwxrwxr-x 4 root root 4096 Oct 12 2015 active-response
-rw-rw-r-- 1 root root 542 Oct 12 2015 BUGS
-rw-rw-r-- 1 root root 291 Oct 12 2015 CONFIG
drwxrwxr-x 6 root root 4096 Oct 12 2015 contrib
-rw-rw-r-- 1 root root 3198 Oct 12 2015 CONTRIBUTORS
drwxrwxr-x 4 root root 4096 Oct 12 2015 doc
drwxrwxr-x 4 root root 4096 Oct 12 2015 etc
-rw-rw-r-- 1 root root 1850 Oct 12 2015 INSTALL
-rwxrwxr-x 1 root root 32019 Oct 12 2015 install.sh
-rw-rw-r-- 1 root root 24710 Oct 12 2015 LICENSE
-rw-rw-r-- 1 root root 1666 Oct 12 2015 README.md
drwxrwxr-x 30 root root 4096 Oct 12 2015 src


[root@agent ossec-hids-2.8.3]# ./install.sh

OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux agent.puppet.com 3.10.0-327.36.3.el7.x86_64
- User: root
- Host: agent.puppet.com
--- Press ENTER to continue or Ctrl-C to abort. ---
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

- Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

- Installation will be made at /var/ossec .

- The installation directory already exists. Should I delete it? (y/n) [y]:

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.133

- Adding Server IP 192.168.43.133

3.2- Do you want to run the integrity check daemon? (y/n) [y]:

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]:
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/xferlog
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---
5- Installing the system
– Running the Makefile
INFO: Little endian set.

*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/external'
cd zlib-1.2.8/; ./configure; make libz.a;
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/external/zlib-1.2.8'
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inffast.o inffast.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inflate.o inflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inftrees.o inftrees.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o trees.o trees.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o zutil.o zutil.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o compress.o compress.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o uncompr.o uncompr.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzclose.o gzclose.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzlib.o gzlib.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzread.o gzread.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzwrite.o gzwrite.c
ar rc libz.a adler32.o crc32.o deflate.o infback.o inffast.o inflate.o inftrees.o trees.o zutil.o compress.o uncompr.o gzclose.o gzlib.o gzread.o gzwrite.o
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/external/zlib-1.2.8'
cp -pr zlib-1.2.8/libz.a .
cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/external'
*** Making cJSON (by Dave Gamble) ***
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/external/cJSON'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"cJSON\" -DOSSECHIDS -c cJSON.c
ar -crus libcJSON.a *.o
cp -pr cJSON.h ../../headers/
cp -pr libcJSON.a ../
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/external/cJSON'
*** Making Lua 5.2 (by team at PUC-Rio in Brazi) ***
Copyright (C) 1994-2014 Lua.org, PUC-Rio.
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/external/lua-5.2.3'
cd src && make posix
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/external/lua-5.2.3/src'
make all SYSCFLAGS="-DLUA_USE_POSIX"
make[3]: Entering directory `/root/ossec-hids-2.8.3/src/external/lua-5.2.3/src'
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lapi.o lapi.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lcode.o lcode.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lctype.o lctype.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ldebug.o ldebug.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ldo.o ldo.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ldump.o ldump.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lfunc.o lfunc.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lgc.o lgc.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o llex.o llex.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lmem.o lmem.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lobject.o lobject.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lopcodes.o lopcodes.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lparser.o lparser.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lstate.o lstate.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lstring.o lstring.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ltable.o ltable.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ltm.o ltm.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lundump.o lundump.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lvm.o lvm.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lzio.o lzio.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lauxlib.o lauxlib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lbaselib.o lbaselib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lbitlib.o lbitlib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lcorolib.o lcorolib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ldblib.o ldblib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o liolib.o liolib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lmathlib.o lmathlib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o loslib.o loslib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lstrlib.o lstrlib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o ltablib.o ltablib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o loadlib.o loadlib.c
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o linit.o linit.c
ar rcu liblua.a lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o lbaselib.o lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o lstrlib.o ltablib.o loadlib.o linit.o
ranlib liblua.a
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o lua.o lua.c
cc -o ossec-lua lua.o liblua.a -lm
cc -O2 -Wall -DLUA_COMPAT_ALL -DLUA_USE_POSIX -c -o luac.o luac.c
cc -o ossec-luac luac.o liblua.a -lm
make[3]: Leaving directory `/root/ossec-hids-2.8.3/src/external/lua-5.2.3/src’
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/external/lua-5.2.3/src’
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/external/lua-5.2.3′

*** Making os_xml ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_xml’
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\”/var/ossec\” -DCLIENT -DUSEINOTIFY -DARGV0=\”os_xml\” -DOSSECHIDS -c *.c
ar -crus os_xml.a *.o
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_xml’
*** Making os_regex ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_regex’
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\”/var/ossec\” -DCLIENT -DUSEINOTIFY -DARGV0=\”os_regex\” -DOSSECHIDS -c *.c
ar -crus os_regex.a *.o
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_regex’
*** Making os_net ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_net’
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\”/var/ossec\” -DCLIENT -DUSEINOTIFY -DARGV0=\”os_net\” -DOSSECHIDS -c os_net.c
ar -crus os_net.a os_net.o
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_net'
*** Making os_crypto ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_crypto'
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/os_crypto/blowfish'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
ar cru bf_op.a bf_op.o bf_skey.o bf_enc.o
ranlib bf_op.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/os_crypto/blowfish'
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/os_crypto/md5'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"md5_op\" -DOSSECHIDS -c md5.c md5_op.c
ar cru md5_op.a md5_op.o md5.o
ranlib md5_op.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/os_crypto/md5'
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/os_crypto/sha1'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"sha1_op\" -DOSSECHIDS -c sha1_op.c
ar cru sha1_op.a sha1_op.o
ranlib sha1_op.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/os_crypto/sha1'
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/os_crypto/md5_sha1'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"md5_sha1_op\" -DOSSECHIDS -c ../md5/md5.c md5_sha1_op.c
ar cru md5_op.a md5_sha1_op.o ../md5/md5.o
ranlib md5_op.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/os_crypto/md5_sha1'
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/os_crypto/shared'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"shared\" -DOSSECHIDS -c *.c
ar cru shared.a *.o
ranlib shared.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/os_crypto/shared'
ar cru os_crypto.a blowfish/bf_op.o blowfish/bf_skey.o blowfish/bf_enc.o md5/md5_op.o md5/md5.o sha1/sha1_op.o md5_sha1/md5_sha1_op.o shared/*.o
ranlib os_crypto.a
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_crypto'
*** Making shared ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/shared'
cc -c -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"shared-libs\" -DOSSECHIDS *.c
file_op.c: In function ‘rename_ex’:
file_op.c:660:9: warning: too many arguments for format [-Wformat-extra-args]
);
^
ar cru lib_shared.a *.o
ranlib lib_shared.a
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/shared'
*** Making config ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/config'
cc -c -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-config\" -DOSSECHIDS *.c
ar cru lib_config.a *.o
ranlib lib_config.a
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/config'
*** Making os_maild ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_maild'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-maild\" -DOSSECHIDS maild.c config.c os_maild_client.c sendmail.c mail_list.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-maild
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_maild'
*** Making os_dbd ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_dbd'
Compiling DB support with:
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-dbd\" -DOSSECHIDS *.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-dbd
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_dbd'
*** Making os_csyslogd ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_csyslogd'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-csyslogd\" -DOSSECHIDS *.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a ../external/libcJSON.a -lm -o ossec-csyslogd
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_csyslogd'
*** Making agentlessd ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/agentlessd'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-agentlessd\" -DOSSECHIDS *.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a -o ossec-agentlessd
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/agentlessd'
*** Making os_execd ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_execd'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-execd\" -DOSSECHIDS execd.c exec.c config.c ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-execd
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-execd\" -DOSSECHIDS -c execd.c exec.c config.c
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_execd'
*** Making analysisd ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd'
cd ./cdb; make
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/cdb'
cc -I../ -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"cdb\" -DOSSECHIDS -c cdb.c cdb_hash.c cdb_make.c uint32_pack.c uint32_unpack.c
ar cru cdb.a cdb.o cdb_hash.o cdb_make.o uint32_pack.o uint32_unpack.o
ar cru cdb_make.a cdb.o cdb_hash.o cdb_make.o uint32_pack.o uint32_unpack.o
ranlib cdb.a
ranlib cdb_make.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/cdb'
cd ./alerts; make
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/alerts'
cc -I../ -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"alerts\" -DOSSECHIDS -c mail.c log.c exec.c getloglocation.c
ar cru alerts.a mail.o log.o exec.o getloglocation.o
ranlib alerts.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/alerts'
cd ./decoders; make
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/decoders'
cd plugins; make;
make[3]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/decoders/plugins'
cc -g -Wall -I../../../ -I../../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -I../../ -c *.c
make[3]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/decoders/plugins'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -I../ -c *.c
ar cru decoders.a *.o plugins/*.o
ranlib decoders.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/decoders'
cd ./compiled_rules; make;
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/compiled_rules'
./register_rule.sh build
*Build completed.
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -I../ -c *.c
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/compiled_rules'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -I./ analysisd.c stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c zeromq_output.c compiled_rules/*.o ../config/lib_config.a decoders/decoders.a cdb/cdb.a cdb/cdb_make.a alerts/alerts.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a ../shared/lib_shared.a ../os_zlib/os_zlib.c ../external/libz.a ../external/libcJSON.a -lm -o ossec-analysisd
cd ./cdb; make
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/cdb'
cc -I../ -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"cdb\" -DOSSECHIDS -c cdb.c cdb_hash.c cdb_make.c uint32_pack.c uint32_unpack.c
ar cru cdb.a cdb.o cdb_hash.o cdb_make.o uint32_pack.o uint32_unpack.o
ar cru cdb_make.a cdb.o cdb_hash.o cdb_make.o uint32_pack.o uint32_unpack.o
ranlib cdb.a
ranlib cdb_make.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/cdb'
cd ./decoders; make logtest
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/decoders'
cd plugins; make;
make[3]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/decoders/plugins'
cc -g -Wall -I../../../ -I../../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -I../../ -c *.c
make[3]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/decoders/plugins'
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -DTESTRULE -I../ -c *.c
ar cru decoders.a *.o plugins/*.o
ranlib decoders.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/decoders'
cd ./compiled_rules; make;
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/compiled_rules'
./register_rule.sh build
*Build completed.
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -I../ -c *.c
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/compiled_rules'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -DTESTRULE -I./ testrule.c analysisd.c stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c zeromq_output.c compiled_rules/*.o ../config/lib_config.a decoders/decoders.a cdb/cdb.a cdb/cdb_make.a alerts/alerts.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a ../shared/lib_shared.a ../os_zlib/os_zlib.c ../external/libz.a ../external/libcJSON.a -lm -o ossec-logtest
cd ./cdb; make
make[2]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd/cdb'
cc -I../ -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"cdb\" -DOSSECHIDS -c cdb.c cdb_hash.c cdb_make.c uint32_pack.c uint32_unpack.c
ar cru cdb.a cdb.o cdb_hash.o cdb_make.o uint32_pack.o uint32_unpack.o
ar cru cdb_make.a cdb.o cdb_hash.o cdb_make.o uint32_pack.o uint32_unpack.o
ranlib cdb.a
ranlib cdb_make.a
make[2]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd/cdb'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-analysisd\" -DOSSECHIDS -DTESTRULE -I./ makelists.c lists_make.c stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c picviz.c prelude.c zeromq_output.c compiled_rules/*.o ../config/lib_config.a decoders/decoders.a cdb/cdb.a cdb/cdb_make.a alerts/alerts.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a ../shared/lib_shared.a ../os_zlib/os_zlib.c ../external/libz.a ../external/libcJSON.a -lm -o ossec-makelists
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd'
*** Making logcollector ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/logcollector'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-logcollector\" -DOSSECHIDS -DARGV0=\"ossec-logcollector\" *.c ../config/lib_config.a ../shared/lib_shared.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a ../os_crypto/os_crypto.a -o ossec-logcollector
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/logcollector'
*** Making remoted ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/remoted'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-remoted\" -DOSSECHIDS *.c ../config/lib_config.a ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_net/os_net.a ../os_xml/os_xml.a ../os_regex/os_regex.a -lpthread -o ossec-remoted
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/remoted'
*** Making client-agent ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/client-agent'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-agentd\" -DOSSECHIDS *.c ../config/lib_config.a ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a -DCLIENT -o ossec-agentd
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/client-agent'
*** Making addagent ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/addagent'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"manage_agents\" -DOSSECHIDS *.c ../shared/lib_shared.a ../os_regex/os_regex.a ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../os_net/os_net.a -o manage_agents
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/addagent'
*** Making util ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/util'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS ../addagent/manage_agents.c ../addagent/manage_keys.c ../addagent/validate.c ../addagent/read_from_user.c ../addagent/b64.c syscheck_update.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o syscheck_update
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS clear_stats.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o clear_stats
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS list_agents.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o list_agents
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS verify-agent-conf.c ../config/lib_config.a ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a ../os_xml/os_xml.a -o verify-agent-conf
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS ../addagent/manage_agents.c ../addagent/manage_keys.c ../addagent/validate.c ../addagent/read_from_user.c ../addagent/b64.c agent_control.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o agent_control
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS ../addagent/manage_agents.c ../addagent/manage_keys.c ../addagent/validate.c ../addagent/read_from_user.c ../addagent/b64.c syscheck_control.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o syscheck_control
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS ../addagent/manage_agents.c ../addagent/manage_keys.c ../addagent/validate.c ../addagent/read_from_user.c ../addagent/b64.c rootcheck_control.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o rootcheck_control
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"util\" -DOSSECHIDS ossec-regex.c ../os_zlib/os_zlib.c ../external/libz.a ../os_crypto/os_crypto.a ../shared/lib_shared.a ../os_regex/os_regex.a ../os_net/os_net.a -o ossec-regex
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/util'
*** Making rootcheck ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/rootcheck'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-rootcheck\" -DOSSECHIDS -c check_open_ports.c check_rc_pids.c check_rc_trojans.c run_rk_check.c check_rc_dev.c check_rc_ports.c check_rc_policy.c common.c common_rcl.c win-common.c unix-process.c check_rc_files.c check_rc_readproc.c os_string.c check_rc_if.c check_rc_sys.c rootcheck.c config.c -D_GNU_SOURCE
ar cru rootcheck_lib.a *.o
ranlib rootcheck_lib.a
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/rootcheck'
*** Making syscheckd ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/syscheckd'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-syscheckd\" -DOSSECHIDS syscheck.c config.c seechanges.c run_realtime.c create_db.c run_check.c ../config/lib_config.a ../rootcheck/rootcheck_lib.a ../shared/lib_shared.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a ../os_crypto/os_crypto.a -o ossec-syscheckd
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/syscheckd'
*** Making monitord ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/monitord'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-monitord\" -DOSSECHIDS compress_log.c main.c manage_files.c monitor_agents.c monitord.c sign_log.c generate_reports.c ../os_maild/sendcustomemail.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -o ossec-monitord
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-monitord\" -DOSSECHIDS -UARGV0 -DARGV0=\"ossec-reportd\" report.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -o ossec-reportd
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/monitord'
*** Making os_auth ***

make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_auth'
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-authd\" -DOSSECHIDS main-server.c ssl.c ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -o ossec-authd
cc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSEINOTIFY -DARGV0=\"ossec-authd\" -DOSSECHIDS main-client.c ssl.c ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -o agent-auth
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_auth'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_maild'
cp -pr ossec-maild ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_maild'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_dbd'
cp -pr ossec-dbd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_dbd'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_csyslogd'
cp -pr ossec-csyslogd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_csyslogd'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/agentlessd'
cp -pr ossec-agentlessd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/agentlessd'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_execd'
cp -pr ossec-execd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_execd'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/analysisd'
cp -pr ossec-analysisd ../../bin
cp -pr ossec-logtest ../../bin
cp -pr ossec-makelists ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/analysisd'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/logcollector'
cp -pr ossec-logcollector ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/logcollector'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/remoted'
cp -pr ossec-remoted ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/remoted'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/client-agent'
cp -pr ossec-agentd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/client-agent'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/addagent'
cp -pr manage_agents ../../bin
cp -pr manage_agents ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/addagent'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/util'
cp -pr syscheck_update clear_stats list_agents syscheck_control rootcheck_control agent_control verify-agent-conf ossec-regex ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/util'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/rootcheck'
make[1]: Nothing to be done for `build'.
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/rootcheck'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/syscheckd'
cp -pr ossec-syscheckd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/syscheckd'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/monitord'
cp -pr ossec-monitord ../../bin
cp -pr ossec-reportd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/monitord'
make[1]: Entering directory `/root/ossec-hids-2.8.3/src/os_auth'
cp -pr ossec-authd ../../bin
cp -pr agent-auth ossec-authd ../../bin
make[1]: Leaving directory `/root/ossec-hids-2.8.3/src/os_auth'
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---

- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.

/var/ossec/bin/manage_agents

More information at:
http://www.ossec.net/en/manual.html#ma
[root@agent bin]# ./manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDA3IGFnZW50LnB1cHBldC5jb20gMTkyLjE2OC40My4xNDMgMTQzNTY2NjMyNTk5OWM2MDNmN2NjMDZjMWE5ODZjNWM4Mjc1MzIyYzQ4NzZjMzdlMTlmNGJkMWJkNzFiYTFiMw==

Agent information:
ID:007
Name:agent.puppet.com
IP Address:192.168.43.143

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

=================================================

[root@server ~]# service ossec-hids restart
Restarting ossec-hids (via systemctl): [ OK ]

[root@server ~]# netstat -ulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:41376 0.0.0.0:* 5306/dhclient
udp 0 0 0.0.0.0:1514 0.0.0.0:* 5562/ossec-remoted
udp 0 0 0.0.0.0:68 0.0.0.0:* 5306/dhclient
udp6 0 0 :::46833 :::* 5306/dhclient
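The blob pasted into manage_agents above is not encrypted. It is only the base64 of one line of /var/ossec/etc/client.keys in the form ID NAME IP KEY, and that KEY is the shared secret from which the Blowfish key for all agent-to-manager traffic (the os_crypto code compiled above) is derived. Anyone who reads it can impersonate agent 007 to the manager, so move it over a channel you already trust (a terminal over ssh, or scp), not over chat or e-mail. The script below is an added example, not code from OSSEC or from the original post: it decodes a key blob the way manage_agents does on import, checks each field, prints the exact client.keys line that will be written, and shows the source-IP check the manager applies when the agent starts sending. The sample blob is the one from the session above; the allowed-character rule for the agent name is an assumption stricter than OSSEC's own check, and only IPv4 is handled.

```python
"""Decode and sanity-check an OSSEC agent key blob before importing it.

Added example, not part of OSSEC or of the original post. The blob that
manage_agents exports on the manager is base64 of "ID NAME IP KEY", the same
line it appends to /var/ossec/etc/client.keys on the agent.
"""
import base64
import binascii
import ipaddress
import re

# The key pasted in the manage_agents session above (agent 007).
SAMPLE_BLOB = (
    "MDA3IGFnZW50LnB1cHBldC5jb20gMTkyLjE2OC40My4xNDMgMTQzNTY2NjMyNTk5"
    "OWM2MDNmN2NjMDZjMWE5ODZjNWM4Mjc1MzIyYzQ4NzZjMzdlMTlmNGJkMWJkNzFiYTFiMw=="
)

ID_RE = re.compile(r"^[0-9]+$")
# Assumption: a conservative subset of what OSSEC itself accepts in a name.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
# manage_agents builds a key from two MD5 hex digests: 64 lowercase hex chars.
KEY_RE = re.compile(r"^[0-9a-f]{64}$")


def _check_ip(ip):
    """Accept what client.keys accepts: 'any', an IPv4 address, or an IPv4 CIDR block."""
    if ip == "any":
        return
    try:
        if "/" in ip:
            ipaddress.IPv4Network(ip, strict=False)
        else:
            ipaddress.IPv4Address(ip)
    except ValueError as exc:
        raise ValueError(f"bad IP field {ip!r}: {exc}") from None


def decode_agent_key(blob):
    """Return {'id', 'name', 'ip', 'key'} for a manage_agents export, or raise ValueError.

    Whitespace is stripped first: the tool warns against spaces and newlines,
    and a blob wrapped by a terminal or mail client is the usual way an import fails.
    """
    compact = "".join(blob.split())
    try:
        raw = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 key blob: {exc}") from None
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 'ID NAME IP KEY', got {len(fields)} field(s)")
    agent_id, name, ip, key = fields
    if not ID_RE.match(agent_id):
        raise ValueError(f"bad agent ID {agent_id!r}")
    if not NAME_RE.match(name):
        raise ValueError(f"bad agent name {name!r}")
    _check_ip(ip)
    if not KEY_RE.match(key):
        raise ValueError("key is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "key": key}


def client_keys_line(entry):
    """The line manage_agents appends to /var/ossec/etc/client.keys."""
    return f"{entry['id']} {entry['name']} {entry['ip']} {entry['key']}"


def ip_matches(key_ip, source_ip):
    """Would the manager accept packets for this key from source_ip?

    remoted looks the sender up by its source address against the IP field of
    the key entry; 'any' or a CIDR block is how you allow NAT or DHCP clients.
    """
    if key_ip == "any":
        return True
    src = ipaddress.IPv4Address(source_ip)
    if "/" in key_ip:
        return src in ipaddress.IPv4Network(key_ip, strict=False)
    return src == ipaddress.IPv4Address(key_ip)


if __name__ == "__main__":
    entry = decode_agent_key(SAMPLE_BLOB)
    print("would append to client.keys:", client_keys_line(entry))
    print("accepts 192.168.43.143:", ip_matches(entry["ip"], "192.168.43.143"))
    print("accepts 192.168.43.144:", ip_matches(entry["ip"], "192.168.43.144"))
```

Run it as-is to see the line that the import above wrote on the agent. If the agent will reach the manager from an address other than the one in the key (NAT, DHCP), the manager drops its packets; add the agent on the manager with the IP any or a CIDR block instead and export the key again. After the agent has been restarted, /var/ossec/bin/agent_control -lc on the manager lists the agents that are actually connected, which is the check that the netstat output above (remoted listening on 1514/udp) cannot give you.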
