Manager/Agent Installation

Installation of OSSEC HIDS is very simple, the install.sh shell script automating most of it. There are a few questions to be answered before the installation will occur, one of the most important being which type of installation is desired. It is important to choose the correct installation type: server, agent, local, or hybrid. More information on them can be found on the OSSEC Architecture page.

Note

In the following installation the commands follow the #. Everything else is either comments or output.

  1. Download the latest version and verify its checksum.

Note

On some systems, the command md5, sha1, or wget may not exist. Try md5sum, sha1sum or lynx respectively instead.

Warning

wget may not be able to pull files from the OSSEC site. Use the -U flag to add a UserAgent, or obtain the checksum file by some other manner.

# wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
# wget -U ossec https://raw.githubusercontent.com/ossec/ossec-docs/master/docs/whatsnew/checksums/2.8.3/ossec-hids-2.8.3.tar.gz.sha256
# cat ossec-hids-2.8.3.tar.gz.sha256
SHA256 (ossec-hids-2.8.3.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
# sha256sum -c  ossec-hids-2.8.3.tar.gz.sha256 ossec-hids-2.8.3.tar.gz
(SHA256) ossec-hids-2.8.3.tar.gz: OK
  1. Extract the compressed package and run the install.sh script. It will guide you through the installation and compile the source (not shown).

    # tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
    # cd ossec-hids-*
    # ./install.sh
    
  2. The OSSEC manager listens on UDP port 1514. Any firewall sbetween the agents and the manager will need to allow this traffic.

  3. The server, agent, and hybrid installations will require additional configuration. More information can be found on the Managing the agents page.

  4. Start OSSEC HIDS by running the following command:

    # /var/ossec/bin/ossec-control start
    

Manual Installation

OSSEC can also be installed in a more manual fashion. No modifications will be made to the ossec.conf file, so it will have to be configured after installation. The ossec, ossecm and ossecr users will still be created automatically.

After the source tarball is downloaded and extracted:

cd ossec-hids-*/src
make TARGET=<server|local|agent>
make install

Build options can still be passed to make (USE_ZEROMQ, USE_GEOIP, etc.).