Automatically creating and setting up the agent keys

The complain I hear more often about OSSEC is related to how hard it is to setup the authentication keys between the agents and the manager. Each agent share a key-pair with the manager, so if you have a thousand agents, you need a thousand keys.

To make life easier, we added a new daemon on the manager, called ossec-authd. To get that working, you need the latest snapshot (just get from here:https://bitbucket.org/dcid/ossec-hids (click on get source)).

Once you have the new version running, you need to create the certificate / private key for SSL (note that OSSEC will look at /var/ossec/etc/sslmanager.cert and /var/ossec/etc/sslmanager.key for them).

# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

*note that you only need to run this command on the manager (not on the agents)

Once the keys are created, you can start the ossec-authd:

# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &

Setting up the agents

On the agents, the work is minimal. All you have to do is to run the following command:

# /var/ossec/bin/agent-auth -m 192.168.1.1 -p 1515

INFO: Connected to 192.168.1.1:1515
INFO: Using agent name as: melancia
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
INFO: Connection closed.

Where 192.168.1.1 is your manager IP address. Inside the manager, you will also see the logs:

2011/01/19 15:04:40 ossec-authd: INFO: New connection from 192.168.10.5
2011/01/19 15:04:41 ossec-authd: INFO: Received request for a new agent (melancia) from: 192.168.10.5
2011/01/19 15:04:41 ossec-authd: INFO: Agent key generated for melancia (requested by 192.168.10.5)
2011/01/19 15:04:41 ossec-authd: INFO: Agent key created for melancia (requested by 192.168.10.5)

That’s it. The keys are now exchanged and you can start your agent. Note that I don’t recommend to keep the ossec-authd running during “normal” operations, only when you are setting up your agents.

The code is still in alpha/beta mode, so let us know if you find any issues (I have been using for a little while, so should be stable).

Leave a Reply

Your email address will not be published. Required fields are marked *