Just like the server installation, most of the agent OSPatrol processes chroot themselves to `/var/ospatrol`. Unlike the server version, an agent installation does not store as many logs. The main logs are `/var/ospatrol/logs/ospatrol.log` and, if you are using active response, `/var/ospatrol/logs/active-responses.log`. Be sure to allow ample space for these log files.
In the following steps, actions performed on the agent are shown in the red PuTTY windows, and actions on the server are shown in the windows with black backgrounds.
- Download the OSPatrol tarball and pgp/gnupg signature from ospatrol.net to the agent.
- Use GnuPG or PGP to verify the download. Use `gpg --import OSPatrol-GPG-Key.asc` to import the OSPatrol gpg key, then `gpg --verify ospatrol-hids-2.6.tar.gz.sid ospatrol-hids-2.6.tar.gz` to verify the signature and file.
- Unpack the tarball with `tar -zxf ospatrol-hids-2.6.tar.gz` and change into the new directory. Run the install.sh script to perform the installation: `./install.sh`
- The install.sh script will display information about the host including the user name and hostname. Press enter to continue.
- Select `agent` as the type of installation and select an installation location (as usual, we're using the default).
- Enter the IP address of the OSPatrol manager. This will automatically populate the agent's `ospatrol.conf` with this setting.
- By default the script will enable file integrity checking, rootkit checking, and active-response. Right now I've chosen to disable active-response. I want to get more comfortable with OSPatrol before telling it to take actions on its own. This will be easy to change later. This screen also mentions that `/var/log/dpkg.log` will be monitored in addition to the default log files. If this agent were running a Red Hat based Linux distribution instead of a Debian based one, `/var/log/yum.log` would be listed.
- After this, OSPatrol will be compiled and installed. If there are errors, double-check that you have the proper prerequisites installed.
- Now that the installation is complete, the encryption key needs to be installed. This key will be created on the manager and copied to the agent. The simplest way to do this is with the `manage_agents` utility, although creating keys one by one may be time-consuming if there are a lot of agents. Other methods will be covered later.
Refer to managing_agents for instructions on adding an agent to an OSPatrol server.
- The `manage_agents` menu offers an option to (E)xtract key for an agent (E). This option extracts the key (base64 encoded) so it can be transferred to the agent. A simple copy & paste is all that is necessary to install it.
- Importing the key on the agent is simple. We'll use `manage_agents` on the agent as well. Notice the list of available actions is much smaller on the agent.
- Select `I` to import the key and paste the key we got from the manager's `manage_agents` application.
- Confirm the information provided.
- Finally, restart the agent's OSPatrol processes using `ospatrol-control`.
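An added example (not from the OSPatrol documentation) for the download verification step above: `gpg --verify` reports a good signature for any key present in the keyring, so this script imports the key into a throwaway keyring and also requires the signer's fingerprint to match one you obtained out of band. The function names and the four-argument usage are assumptions of this example, and the fingerprint is a value you supply, since the page does not list one.

```shell
#!/bin/sh
# Added example: pin the release signer's fingerprint before running install.sh.
# Usage (hypothetical script name):
#   ./verify-release.sh OSPatrol-GPG-Key.asc SIGFILE TARBALL FINGERPRINT

# signed_by FPR: read `gpg --status-fd` output on stdin and succeed only if a
# VALIDSIG line names FPR as the signing key or as its primary key.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    # The "fpr:" prefix forces awk to compare as strings, never as numbers.
    awk -v want="fpr:$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            ("fpr:" $3 == want || "fpr:" $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_release KEYFILE SIGFILE TARBALL FPR
# Runs in a subshell so the temporary GNUPGHOME never leaks to the caller.
verify_release() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    gpg --batch --quiet --import "$1" &&
        gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | signed_by "$4"
    rc=$?
    rm -rf "$GNUPGHOME"
    exit "$rc"
)

if [ "$#" -eq 4 ]; then
    if verify_release "$@"; then
        echo "signature valid and signer matches the pinned fingerprint"
    else
        echo "verification FAILED: do not unpack or run install.sh" >&2
        exit 1
    fi
fi
```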