OSSEC 101: authd
ossec-authd and agent-auth are two OSSEC applications that automatically register an agent with the OSSEC server. ossec-authd is the server side daemon, and agent-auth runs on the agent.
Running ossec-authd:
There aren’t many options for ossec-authd. It is generally recommended that ossec-authd be run only while new agents are being added, because it does not authenticate the clients that connect to it.
An SSL certificate is required, and should be installed at /var/ossec/etc/sslmanager.cert.
Running ossec-authd can be as simple as:
/var/ossec/bin/ossec-authd -p 1515
In this example ossec-authd listens on port 1515 for client connections.
Running agent-auth:
agent-auth does not have many options either. Running it can be as simple as:
/var/ossec/bin/agent-auth -m 10.10.10.10 -p 1515
Adding an agent name with -A agent_name may also be useful.
Considerations:
Currently ossec-authd and agent-auth do not authenticate the other side. The communication is encrypted, but nothing stops an attacker who can reach the ossec-authd port from registering fake agents.
Scenario:
On a Tuesday Adele’s boss Steve asks her to add the new database servers to the OSSEC infrastructure. Adele didn’t want to go to each of the 12 systems to configure everything from scratch, so she decided to use ossec-authd to automatically register the new systems.
Adele added an SSL certificate to the OSSEC server by running:
# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
Then she ran ossec-authd to listen on port 2157:
# /var/ossec/bin/ossec-authd -p 2157
Next Adele used the existing management infrastructure to install OSSEC agents on each of the systems and, on every system where /var/ossec/etc/client.keys did not already exist, to run /var/ossec/bin/agent-auth with the following command:
# /var/ossec/bin/agent-auth -m 192.168.29.46 -p 2157
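As an added example (not part of the OSSEC documentation) covering both the Considerations section and the scenario above: a POSIX shell script that, like Adele's management tooling, runs agent-auth only when client.keys is absent, and then audits the server's client.keys against the list of hosts that were meant to be enrolled, so that any agent registered by someone else who could reach the ossec-authd port is flagged. OSSEC_DIR, register_agent, audit_client_keys and the "ID NAME IP KEY" layout assumed for client.keys are this example's own assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not OSSEC's own code. Assumed: OSSEC_DIR (default /var/ossec),
# the function names below, and that client.keys holds one
# "ID NAME IP KEY" line per registered agent.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# register_agent MANAGER PORT [AGENT_NAME]
# Runs agent-auth only when this host has no client.keys yet, so a host that
# is already enrolled is never re-registered and authd traffic stays minimal.
register_agent() {
    manager="$1"; port="$2"; name="${3:-$(uname -n)}"
    keys="$OSSEC_DIR/etc/client.keys"
    if [ -s "$keys" ]; then
        echo "$keys already present, skipping agent-auth"
        return 0
    fi
    "$OSSEC_DIR/bin/agent-auth" -m "$manager" -p "$port" -A "$name"
}

# audit_client_keys EXPECTED_FILE
# Compares every registration in client.keys with EXPECTED_FILE (one
# "NAME IP" per line: the hosts you meant to enrol). Because authd accepts
# any client that reaches its port, anything not on the list is printed
# and the function returns 1.
audit_client_keys() {
    expected="$1"
    keys="$OSSEC_DIR/etc/client.keys"
    unexpected=0
    while read -r id name ip key; do
        [ -n "$id" ] || continue              # skip blank lines
        case "$id" in '#'*) continue ;; esac  # skip commented-out agents
        if ! grep -qxF "$name $ip" "$expected"; then
            echo "UNEXPECTED agent id=$id name=$name ip=$ip"
            unexpected=$((unexpected + 1))
        fi
    done < "$keys"
    [ "$unexpected" -eq 0 ]
}
```

Run audit_client_keys on the server once ossec-authd has been stopped at the end of a batch of registrations; a non-zero exit means client.keys contains an agent nobody intended to enrol.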