Agent Management

On the OSSEC management server an agent can be added in multiple ways. The first method is adding an agent with the manage_agents utility. The second is using ossec-authd, a process on the OSSEC management server that receives key requests, adds an agent, and sends the key to the new agent.

manage_agents

The manage_agents utility is run on both the OSSEC management server and the OSSEC agent. On the management server it will add an agent and export a key to be imported on the agent. On the agent the manage_agents utility will import a key for authenticating the agent to the management server.

manage_agents provides both a menu-based interface and a command-line interface. When run without any arguments, the menu is presented.

If an agent is added with a specific IP address, it must be unique. Duplicate IP addresses will cause issues with agents connecting to the server.

Adding an agent

The menu interface for manage_agents

# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v3.2.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:

Typing a or A will provide prompts for information about the agent.

When adding an agent, manage_agents will prompt for information about the agent. This information includes an ID, name, and IP address. Each entry should be unique. Duplicating information will cause issues with agents connecting to the server.

The ID is a number, starting with 1. This ID is used by OSSEC for configuration.

The name of the agent can also be used in a number of configuration options.

The IP address should be the address the OSSEC server will see connections from the agent coming from. Instead of a specific IP address, a CIDR address can be used for DHCP ranges, or any can be used if the IP is not known (for example, DHCP from an ISP).

After the first agent is added, the OSSEC server processes should be restarted.

The key that is extracted is a secret key, and should be kept safe. If this key is disclosed, a malicious user could impersonate the agent.

ossec-authd

Instead of adding agents manually, ossec-authd can be used. ossec-authd is a daemon that listens for TLS connections, adds the connecting machine as an agent, and replies with a new key. On the agent, the agent-auth program is run to communicate with ossec-authd.

Support for this requires the OpenSSL development libraries.

Adding an agent example

OSSEC-SERVER # /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v3.2.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: test
   * The IP Address of the new agent: 10.10.10.10
   * An ID for the new agent[1025]:
Agent information:
   ID:1025
   Name:test
   IP Address:10.10.10.10

Confirm adding it?(y/n): y
Agent added with ID 1025

After the agent is added, its key can be extracted with E at the menu.

OSSEC-AGENT # /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v3.2.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 010, Name: public, IP: 192.168.17.12
   ID: 1024, Name: junction.example.com, IP: any
   ID: 1025, Name: test, IP: 10.10.10.10
Provide the ID of the agent to extract the key (or '\q' to quit): 1025

Agent key information for '1025' is:
MTAyNSB0ZXN0IDEwLjEwLjEwLjEwIDQ3ZDFkOGFiMzU5OWRiNDkyNTU4NjkzOGNiYTY4YTM5NmMwNmIwZmJkOTY3YWVjMmUzNzU4NWYzOGM4MmRmNTY=

** Press ENTER to return to the main menu.

This key can be added to an agent to associate it with a manager.
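Decoding the sample key from the session above shows that an exported key is only the Base64 encoding of one line holding the agent's ID, name, IP address and secret, which is why disclosing it lets someone impersonate the agent. The following added example (not part of the OSSEC documentation or code) decodes a key before import and checks a proposed agent against the uniqueness rules described earlier. The function names, the integer comparison of IDs, and the `EXISTING` list (built from the sample listing) are assumptions.

```python
import base64
import ipaddress

# Exported key copied from the sample session on this page.
SAMPLE_KEY = ("MTAyNSB0ZXN0IDEwLjEwLjEwLjEwIDQ3ZDFkOGFiMzU5OWRiNDkyNTU4NjkzOGNiYTY4"
              "YTM5NmMwNmIwZmJkOTY3YWVjMmUzNzU4NWYzOGM4MmRmNTY=")
# Agents already on the server (constructed from the sample listing).
EXISTING = [("010", "public", "192.168.17.12"),
            ("1024", "junction.example.com", "any")]

def decode_agent_key(exported):
    """Decode an exported key into (id, name, ip, secret); raise ValueError if malformed."""
    fields = base64.b64decode(exported, validate=True).decode("ascii").split()
    if len(fields) != 4:
        raise ValueError("expected four fields: ID, name, IP, secret")
    if not fields[0].isdigit():
        raise ValueError("agent ID must be numeric")
    return tuple(fields)

def _host(ip):
    """Return an ip_address for one specific address, or None for a CIDR range or 'any'."""
    if ip == "any" or "/" in ip:
        return None
    return ipaddress.ip_address(ip)

def find_conflicts(new, existing):
    """List the ways a proposed (id, name, ip) duplicates an existing agent."""
    new_id, new_name, new_ip = new
    new_host = _host(new_ip)
    problems = []
    for agent_id, name, ip in existing:
        # Assumption: IDs are compared as integers, so "010" and "10" collide.
        if int(agent_id) == int(new_id):
            problems.append(f"ID {new_id} is already used by '{name}'")
        if name == new_name:
            problems.append(f"name '{new_name}' is already used by ID {agent_id}")
        # Only specific addresses must be unique; CIDR ranges and 'any' are skipped.
        if new_host is not None and new_host == _host(ip):
            problems.append(f"IP {new_ip} is already used by ID {agent_id}")
    return problems

if __name__ == "__main__":
    agent_id, name, ip, secret = decode_agent_key(SAMPLE_KEY)
    # Never echo the secret itself; show only that it was present.
    print(f"key is for ID {agent_id}, name {name}, IP {ip}, secret of {len(secret)} chars")
    print(find_conflicts((agent_id, name, ip), EXISTING) or "no conflicts")
```

Because the exported key is encoded rather than encrypted, transfer it to the agent over a channel you already trust and avoid pasting it into tickets or chat.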

Adding an agent with authd example