Henry

Installing the OSSEC security tool on Debian 10.7

Hi, I need to install the OSSEC security tool on Debian 10.7 but without an internet connection. Can someone do this test with Debian 10.7 and provide me a procedure?

Dr. Klahn

It will be difficult if not impossible to do this without a network connection.

The apt package manager must go out to the repository and pull in the package.  Then it examines the package dependencies.  It's not unusual for a complex package to have fifty or sixty dependencies.  Then apt must go check to see if those dependency packages are up to date.  If not, it must bring each of those packages up to date, which in turn drags in more dependencies, ad nearly infinitum.  I have seen a single package cause cascading updates that take the better part of an hour to resolve.

In theory you could burn a CD-ROM / DVD set with the "current" package set.  It's usually not fully up to date which halts the install when apt finds an out-of-date package.  And the last time I looked the package set was about 10 DVDs.

Far easier to temporarily connect the system to the internet behind a firewall and let it update and install over the internet.

Use another machine to download the package. OSSEC can be compiled on one system, and copied to the destination systems. This installation method still requires GNU make on the target system.

Compiling OSSEC for install on a second server

First download the OSSEC package corresponding to the version you want to install and unpack it (on the system with a compiler).
# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
# tar -zxvf ossec-hids-2.8.1.tar.gz

Enter the source directory of the downloaded package, and configure OSSEC to build the agent version. The make commands should compile the correct binaries.
# cd ossec-*/src
# make setagent
# make all
# make build

Modify ossec-hids-*/etc/preloaded-vars.conf to set BINARY_INSTALL to yes.
# cd ../..
# echo "USER_BINARYINSTALL=\"y\"" >> ossec-hids*/etc/preloaded-vars.conf

Finally create an OSSEC package.
# tar -cvf ossec-binary.tar ossec-hids*

Installation of the binary OSSEC package

On the target system (that does not have a C compiler) download your ossec-binary.tar created in the steps above.
Complete the installation by unarchiving the binary package and running ./install.sh.
# tar xfv ossec-binary.tar
# cd ossec-*
# ./install.sh

After following the installation prompts the install will be complete.
https://www.ossec.net/docs/docs/manual/installation/installation-binary.html
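
The binary archive built above is carried to an offline host and then installed from, so one way to check the hand-off is a SHA-256 manifest written on the build host and verified on the target before ./install.sh is run. This is an added example, not part of the original post or the OSSEC documentation; the function names make_manifest and verify_and_unpack are hypothetical, and it assumes sha256sum and tar are available on both systems.

```shell
#!/bin/sh
# Added example: integrity check for the ossec-binary.tar hand-off.
# Assumption: sha256sum and tar exist on the build host and the target.

# Build host: write <archive>.sha256 next to the archive.
make_manifest() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# Target host: verify the checksum, reject unsafe member paths, then unpack.
# Returns 0 on success, 1 on checksum mismatch, 2 on unsafe member paths.
verify_and_unpack() {
    archive=$1
    dest=$2
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    # The manifest stores the bare file name, so check from the archive's directory.
    if ! ( cd "$dir" && sha256sum -c "$base.sha256" ) >/dev/null 2>&1; then
        echo "checksum mismatch: $archive" >&2
        return 1
    fi
    # install.sh is normally run as root: refuse absolute paths and ".." components.
    if tar -tf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 2
    fi
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}
```

The manifest only protects the archive if its digest reaches the target by a path the archive did not take, for example written down or carried on separate media.
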
Expanding Dr. Klahn's comment.

This will be difficult.

The APT repositories run off the Internet... so the solution for you will be...

Burn the current package set onto an SSD drive (DVDs will be safer + more expensive + slower to generate)...

Anyway, burn the current package set on to SSD, then walk the SSD drive to your machine with no connection, drop on packages + do your updates.

You'll have to also play many tricks with DNS + will have a new part time (maybe full time) job of implementing every single service tested across a network which allow packages to install correctly. This list is massively long, so you'll require a large amount of budget/time/will/expertise to keep this working.

My earlier post is on agent. Looking at the doc will help.
Note also
If the use case is not for the agent (the example shows the agent package), then adjust the "TARGET" accordingly. You can see your default setting, i.e. "make setting"

TARGET

The TARGET is the type of system being built.
This is set during the compilation, either through the install.sh script or manually in the src directory:
$ cd ossec-hids-*/src
$ make TARGET=server

Available options:
  • server: OSSEC Management Server
  • local: Local OSSEC installation
  • agent: OSSEC Agent
  • hybrid: Hybrid OSSEC server
  • winagent: Windows Agent
https://ossec-documentation.readthedocs.io/en/latest/manual/installation/build-options.html
Henry

ASKER

Hi,
I tried compiling OSSEC for a Binary Installation, but there is an error now with this version (ossec-hids-3.6.0.tar.gz):

 ~/ossec-hids-3.6.0/src# make TARGET=server
cc -I./external/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM -DUSE_PCRE2_JIT -Wall -Wextra -I./ -I./headers/ -DARGV0=\"ossec-maild\" -c os_maild/sendmail.c -o os_maild/sendmail.o
os_maild/sendmail.c:12:10: fatal error: event.h: Aucun fichier ou dossier de ce type
 #include <event.h>
          ^~~~~~~~~
compilation terminated.
make: *** [Makefile:926: os_maild/sendmail.o] Error 1

Thanks for any help