install_agent_linux.rst
OSPatrol 101: Installing a Linux Agent

Things to keep in mind:

Just like the server installation, most of the agent's OSPatrol processes chroot themselves to /var/ospatrol. Unlike the server, an agent installation stores far fewer logs: the main ones are /var/ospatrol/logs/ospatrol.log and, if you are using active response, /var/ospatrol/logs/active-responses.log. Be sure to allow ample space for these log files.

Installation process:

In the following steps, actions performed on the agent are shown in the red PuTTY windows, and actions on the server in the windows with black backgrounds.

  • Download the OSPatrol tarball and its PGP/GnuPG signature from ospatrol.net to the agent.

[screenshot: OSPatrol download]

  • Use GnuPG or PGP to verify the download. Run gpg --import OSPatrol-GPG-Key.asc to import the OSPatrol signing key, then gpg --verify ospatrol-hids-2.6.tar.gz.sid ospatrol-hids-2.6.tar.gz to verify the signature against the file. Check that gpg reports a good signature and that the fingerprint it prints matches the fingerprint the project publishes: a key downloaded from the same place as the tarball only proves that the two are consistent with each other, not that either is genuine, and gpg will warn that the key is not certified by a trusted signature unless you have signed or trusted it yourself.

[screenshot: gpg --verify ospatrol-hids-2.6.tar.gz]

  • Unpack the tarball with tar -zxf ospatrol-hids-2.6.tar.gz, change into the new directory, and run the install.sh script to perform the installation:

[screenshot: cd ospatrol-hids-2.6 && ./install.sh]

  • The install.sh script displays information about the host, including the user name and hostname. Press Enter to continue.

[screenshot: agent information]

  • Select agent as the type of installation and choose an installation location (as usual, we're using the default):

[screenshot: select agent]

  • Enter the IP address of the OSPatrol manager. This automatically populates the agent's ospatrol.conf with the setting:

[screenshot: server IP address]

  • By default the script enables file integrity checking, rootkit checking, and active response. For now I've chosen to disable active response: I want to get more comfortable with OSPatrol before letting it take actions on its own, and this is easy to change later. This screen also notes that /var/log/dpkg.log will be monitored in addition to the default log files; if this agent were a Red Hat based distribution instead of Debian based, /var/log/yum.log would be listed instead.

[screenshot: active response]

  • After this, OSPatrol is compiled and installed. If there are errors, double-check that the build prerequisites are installed.

[screenshot: installation complete]
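The verification step above deserves more than a glance at gpg's exit status: gpg returns success for a good signature from any key in the keyring, trusted or not, so what actually ties the tarball to the project is the signing key's fingerprint, obtained out of band. The script below is an added example, not OSPatrol's own tooling; it assumes the file names used on this page, and EXPECTED_FPR is a placeholder that must be replaced with the fingerprint the project publishes. It parses gpg's machine-readable status output (--status-fd) and accepts the tarball only if a VALIDSIG line names the pinned fingerprint.

```shell
#!/bin/sh
# Added example: verify the downloaded tarball against its detached signature
# and pin the signing key's fingerprint. This is not OSPatrol's own tooling.
# ASSUMPTIONS: file names follow the page (ospatrol-hids-2.6.tar.gz and its
# .sid signature); EXPECTED_FPR is a placeholder, not the real OSPatrol key
# fingerprint. Obtain the real one out of band (not from the same download
# page as the tarball) and substitute it.

EXPECTED_FPR="AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA"   # placeholder

# Read gpg --status-fd lines on stdin and print the fingerprint from the
# first VALIDSIG line (upper-cased). gpg emits VALIDSIG only when the
# signature cryptographically verifies, so no output means no valid signature.
valid_sig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); exit }'
}

# $1 = gpg status output, $2 = expected fingerprint (spaces and case ignored).
# Succeeds only if the signature verified AND it was made by the pinned key.
fingerprint_matches() {
    got=$(printf '%s\n' "$1" | valid_sig_fingerprint)
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# $1 = tarball, $2 = detached signature, $3 = expected fingerprint.
# gpg exits 0 for a good signature from ANY key in the keyring, including an
# untrusted one, so the fingerprint is checked here instead of relying on the
# exit status alone.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    if fingerprint_matches "$status" "$3"; then
        echo "OK: $1 carries a valid signature from the pinned key"
    else
        echo "FAIL: $1 has no valid signature from the pinned key; do not install it" >&2
        return 1
    fi
}

# Constructed sample of gpg status output (not captured from a real run),
# used to exercise fingerprint_matches offline.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA OSPatrol Signing Key (constructed sample)
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2012-07-01 1341100800 0 4 0 1 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify_ospatrol.sh ospatrol-hids-2.6.tar.gz ospatrol-hids-2.6.tar.gz.sid "$EXPECTED_FPR"
if [ "$#" -eq 3 ]; then
    verify_tarball "$1" "$2" "$3"
fi
```

Run it on the agent after the download, with the signature file as the second argument; if the output is FAIL, delete the tarball and fetch it again rather than proceeding to install.sh.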

  • Now that the installation is complete, the encryption key needs to be installed. This key is created on the manager and copied to the agent; it is what the agent and manager use to protect their traffic, so transfer it over a trusted channel such as an SSH session rather than email or a shared paste site. The simplest way to create it is the manage_agents utility, although creating keys one by one can be time consuming if there are a lot of agents. Other methods will be covered later.

Refer to managing_agents for instructions on adding an agent to an OSPatrol server.

Exporting the agent key:

  • The manage_agents menu offers an option to (E)xtract key for an agent. This option prints the key, base64 encoded, so it can be transferred to the agent; a simple copy and paste is all that is needed to install it.

[screenshot: extract the key]

Importing the agent key:

  • Importing the key on the agent is just as simple; we'll use manage_agents on the agent as well. Notice that the list of available actions is much smaller on the agent.

[screenshot: agent's manage_agents menu]

  • Select I to import the key and paste the key obtained from the manager's manage_agents application.

[screenshot: paste the key]

  • Confirm the information provided.

[screenshot: confirm the information]

  • Finally, restart the agent's OSPatrol processes using ospatrol-control so that the agent reads the new key.

[screenshot: restart]
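The export and import steps above rely on pasting a long base64 string between two terminals, and a truncated or mangled paste is the most common way this goes wrong. The script below is an added example, not OSPatrol's own tooling: it decodes the pasted string, checks that it has the shape of a key line before anything touches the agent, and writes it into the agent's key file with restrictive permissions. It assumes the exported string is base64 of one client.keys line of the form "id name ip key" with a 64-hex-digit key (the OSSEC-style layout the manage_agents screens on this page resemble) and that the agent keeps its keys in /var/ospatrol/etc/client.keys under the chroot mentioned at the top of the page; both are assumptions, and the sample key is constructed.

```shell
#!/bin/sh
# Added example: check an agent key exported by manage_agents before installing
# it, and write it into the agent's client.keys. This is not OSPatrol's own
# tooling. ASSUMPTIONS: the exported string is base64 of one client.keys line
# in the form "id name ip key" with a 64-hex-digit key (OSSEC-style layout),
# and the agent keeps its keys in /var/ospatrol/etc/client.keys.

# $1 = base64 string pasted from the manager. Prints the decoded client.keys
# line on success; returns 1 for anything that does not parse as a key, so a
# truncated or mangled paste is caught before it reaches the agent.
decode_agent_key() {
    key_b64=$1
    decoded=$(printf '%s' "$key_b64" | base64 -d 2>/dev/null) || return 1
    # Split the decoded line into positional parameters: id name ip key
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    printf '%s' "$1" | grep -Eq '^[0-9]+$' || return 1            # numeric agent id
    printf '%s' "$4" | grep -Eq '^[0-9a-f]{64}$' || return 1     # 64 lowercase hex digits
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# $1 = base64 key, $2 = client.keys path (defaults to the assumed agent path).
# Refuses a malformed key or a duplicate agent id, and keeps the file
# unreadable to other users: the key is the secret protecting agent/manager
# traffic.
install_agent_key() {
    key_b64=$1
    keys_file=${2:-/var/ospatrol/etc/client.keys}
    line=$(decode_agent_key "$key_b64") || {
        echo "refusing to install: pasted key does not decode to 'id name ip key'" >&2
        return 1
    }
    id=${line%% *}
    if [ -f "$keys_file" ] && grep -q "^$id " "$keys_file"; then
        echo "refusing to install: agent id $id is already present in $keys_file" >&2
        return 1
    fi
    umask 027
    printf '%s\n' "$line" >> "$keys_file"
    chmod 640 "$keys_file"
}

# Constructed sample (not a real key): the line the manager would base64-encode.
SAMPLE_LINE='001 webserver01 192.168.1.20 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_KEY=$(printf '%s' "$SAMPLE_LINE" | base64 | tr -d '\n')

# Usage: sh import_agent_key.sh '<base64 key from manage_agents>' [client.keys path]
if [ "$#" -ge 1 ]; then
    install_agent_key "$1" "$2"
fi
```

After installing the key this way, restart the agent with ospatrol-control exactly as in the last step above; the agent id and name in the decoded line should match what the manager's manage_agents showed when the agent was added.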