Monday, October 18, 2010

Deploying OSSEC for Windows with Bigfix

It's the second annual Week of OSSEC, and I thought I would contribute with a quick blog post on how to deploy OSSEC for Windows with Bigfix. This short tutorial focuses on Bigfix, but other systems management tools should be able to do similar things.

One of the more tedious parts of adding an agent to OSSEC is that the agent's key has to be carried over from the OSSEC manager by copy and paste. Normally the process goes like this:

1. Add the client to your OSSEC server (usually via manage_agents).
2. Install the ossec client agent via the installer.
3. Input your server IP and paste the client key that you (E)xtract from the manage_agents program on the OSSEC server.
4. Start up the ossec agent.

A silent installation switch (/S) was recently added to the Windows client installer, which lets us install the agent without any prompts. To deploy an agent silently, this is the process I follow here:

1. Add the client to your OSSEC server (via manage_agents or via some other import process).
2. Install the windows ossec client agent silently.
3. Create the client.keys file in the ossec agent directory.
4. Copy an ossec.conf file with the proper server IP to the ossec agent directory.
5. Start the ossec-agent service.
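Before turning to Bigfix, here is the same five-step sequence as a single PowerShell script for one Windows host. This is an added example, not code from the original post or from the OSSEC project. The decoding rule it relies on is OSSEC's own behaviour: the (E)xtract option of manage_agents prints the base64 encoding of the "ID NAME IP KEY" line that belongs in client.keys, so decoding it yields the line to write (the Bigfix task below instead expects you to paste that raw line). The installer file name is taken from the post; the script location, the ossec.conf template, and the install-directory lookup are my assumptions.

```powershell
<#
  Added example (not from the original post): steps 1 to 5 above for one host.
  Assumptions: the installer and a pre-customised ossec.conf sit beside this
  script; the service is OssecSvc (as the post states); the agent installs to
  <Program Files>\ossec-agent, or <Program Files (x86)>\ossec-agent on 64-bit
  Windows, since the installer is 32-bit.
#>
param(
    # The base64 string printed by (E)xtract in manage_agents on the OSSEC server.
    [Parameter(Mandatory = $true)][string]$ExportedKey
)

$here      = Split-Path -Parent $MyInvocation.MyCommand.Path
$installer = Join-Path $here 'ossec-agent-win32-2.5.1.exe'   # file name from the post
$confFile  = Join-Path $here 'ossec.conf'                    # already contains <server-ip>

# Step 1 happened on the manager; here we only turn its output into a client.keys line.
$bytes = [Convert]::FromBase64String($ExportedKey.Trim())
$line  = [Text.Encoding]::ASCII.GetString($bytes).Trim()
$f     = $line -split '\s+'
if ($f.Count -ne 4 -or $f[0] -notmatch '^\d+$' -or $f[3] -notmatch '^[0-9a-fA-F]+$') {
    throw "Decoded text is not an 'ID NAME IP KEY' line: '$line'"
}
Write-Host "Agent $($f[0]) ('$($f[1])', $($f[2])) decoded from the exported key"

# Step 2: silent install with /S, waiting for the installer to exit.
$p = Start-Process -FilePath $installer -ArgumentList '/S' -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Installer exited with code $($p.ExitCode)" }

# Locate the agent directory (Program Files (x86) on 64-bit Windows).
$agentDir = @("$env:ProgramFiles\ossec-agent", "${env:ProgramFiles(x86)}\ossec-agent") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $agentDir) { throw 'ossec-agent directory not found after install' }

# Step 3: write client.keys as plain ASCII with a bare LF and no BOM, so nothing
# but the four fields ends up on the line the agent parses.
[IO.File]::WriteAllText((Join-Path $agentDir 'client.keys'), "$line`n", [Text.Encoding]::ASCII)

# Step 4: drop in the pre-built ossec.conf that already points at the manager.
Copy-Item -Path $confFile -Destination (Join-Path $agentDir 'ossec.conf') -Force

# Step 5: start the agent service and report its state.
Start-Service -Name OssecSvc
(Get-Service -Name OssecSvc).Status
```

Run it as `.\Install-OssecAgent.ps1 -ExportedKey "<base64 from manage_agents>"`. The same exposure caveat as for the Bigfix task applies: the key travels on the command line, so it can end up in shell history, process listings and any tool that logs the invocation.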

Using Bigfix, this is all very easy to do. First, put the installer and a customized ossec.conf (with your server IP and whatever other settings your environment needs) in a directory somewhere. In the Bigfix Software Distribution Wizard, select this directory to create your task from (no need to include subfolders) and accept all the defaults for now.

In the Action Script section of your task paste this:


// silent install (/S); wait for the installer to exit before continuing
wait __Download\ossec-agent-win32-2.5.1.exe /S

// prompt the operator for the raw "ID NAME IP KEY" line from the manager's client.keys
action parameter query "clientkey" with description "Please paste the client.keys line for this client"
appendfile {parameter "clientkey"}

// replace any existing client.keys with the one-line file built above
delete "C:\Program Files\ossec-agent\client.keys"
copy __appendfile "C:\Program Files\ossec-agent\client.keys"

// drop in the pre-customized ossec.conf (server IP etc.) from the task's download folder
delete "C:\Program Files\ossec-agent\ossec.conf"
copy __Download\ossec.conf "C:\Program Files\ossec-agent\ossec.conf"

// start the agent service
wait "SC" start OssecSvc


In the Relevance tab I also add this, so the task only targets computers that do not already have the OSSEC agent (but this is up to you):


AND (not exists folder "c:\Program Files\ossec-agent")


This task prompts you for the agent's line from client.keys (found in ossec/etc/client.keys on your OSSEC server); just paste it in when prompted. Note that the action script and relevance above assume the 32-bit install path, C:\Program Files\ossec-agent; on 64-bit Windows the 32-bit installer lands in C:\Program Files (x86)\ossec-agent, so adjust both accordingly. This is a quick, silent, hands-off install of OSSEC for Windows, but it only covers one computer at a time. That is much faster than actually touching the system to install OSSEC, but we can do better. My next post will show how to extend this basic task to install silently to multiple computers, with each one getting its own client.keys entry.

PS. I should mention that, because of the design of both OSSEC and Bigfix, the method above has a weakness: the agent's key is potentially available to an attacker in several places: the Bigfix client log, the Bigfix console (the last value entered for the query parameter is shown to any console operator with access to your task), and worst of all, the Bigfix fixlet web server itself. The key in client.keys is the shared secret the agent and manager use to protect their traffic, so an attacker who gets hold of it could, at the very least, decrypt that agent's log traffic or impersonate the agent and inject fake log traffic. You'll have to do your own risk/return evaluation before using the method shown above.

2 comments:

  1. Hello, I know this post is from 2010, but I'm hoping you can help! I have written a small batch script on Windows to remotely install the OSSEC Windows agent. The silent install works fine, but I am having trouble with entering the key that I generate for the host. I have been creating a client.keys file in the install directory and filling it out as but I realize now, after doing a standard install, that the number in the client.keys file is not actually the key that is generated with manage-agents. Do you know how this is converted? Can I input this value when I run the silent install? Thanks in advance!

    Replies
    1. Did you find a way to complete your steps?
