Instant OSSEC Host-based Intrusion Detection System

There's more…

Congratulations! You just installed, configured, and started OSSEC to protect your server. An excellent first step in the mastery of OSSEC! You might also be thinking that there is a lot of work to run this setup process on each server, and you're right. It's not always desirable or possible to perform source installs on every server in your network. Luckily for us, there's a speedier way!

Binary installations

On most production systems, a C compiler may not be available. Don't worry, it is still possible to deploy OSSEC on these systems without requiring administrators to install hefty development packages.

OSSEC provides a binary installer for Windows on the Downloads page (http://www.ossec.net/?page_id=19) of the site. This is an agent-only binary, so you will still require a Linux/BSD server to manage any Windows agents.

For Linux systems, there are two major package managers, RPM and APT. Distributions based on Red Hat use a binary package called an RPM. Atomicorp provides a handy installer for their nicely packaged OSSEC RPMs, which you can install using the following command on your Red Hat server:

$ wget -q -O - https://www.atomicorp.com/installers/atomic |sudo sh

After that, you'll be able to install the OSSEC server or agent through yum:

$ sudo yum install ossec-hids-server

Or for a client install, use the following command:

$ sudo yum install ossec-hids-client

If you intend to install it on a Debian-based Linux distribution, Nicolas Zin has packaged OSSEC for Ubuntu. His work is available at the following link:

https://launchpad.net/~nicolas-zin/+archive/ossec-ubuntu

Follow his instructions to enable the source in APT. Install the OSSEC server by running the following command:

$ sudo apt-get install ossec-hids-server

Or for a client install, use the following command:

$ sudo apt-get install ossec-hids-agent

Integrating the deployment of OSSEC into your organization's configuration management solution is much easier with binary packaging. Servers receiving a binary package do not require a C compiler to be installed. This often fits within the organization's requirements to remove unnecessary software from its infrastructure.

Starting OSSEC at boot

Even though OSSEC may already be running, you still need to configure the installation to start during the operating system's boot sequence. This step varies by operating system. The easiest way on Linux/BSD is to add the command /var/ossec/bin/ossec-control start to /etc/rc.d/rc.local, which is executed at boot.
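The rc.local approach has two practical pitfalls: the file must be executable, and on Debian-style systems the default rc.local ends with "exit 0", so a line appended after it never runs. The following helper, an added example that is not part of the book or of OSSEC itself, inserts the start command exactly once and before any trailing "exit 0". It assumes only that the path you give it is the rc.local file your init system executes (/etc/rc.d/rc.local or /etc/rc.local).

```shell
#!/bin/sh
# Idempotently add the OSSEC start command to an rc.local-style file.
# Assumption: $1 is the rc.local file executed by init at boot.
OSSEC_START='/var/ossec/bin/ossec-control start'

# Return 0 if the file already contains the start command as an active
# (non-comment) line, 1 otherwise.
rc_local_has_ossec() {
    grep -Eq "^[[:space:]]*${OSSEC_START}" "$1" 2>/dev/null
}

# Add the start command to file $1 exactly once. If the file ends with a
# Debian-style "exit 0", insert the command before it; otherwise append.
ensure_ossec_in_rc_local() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    if rc_local_has_ossec "$f"; then
        return 0                         # already configured, nothing to do
    fi
    if grep -Eq '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$' "$f"; then
        tmp="$(mktemp)"
        # print the start command immediately before the first "exit 0" line
        awk -v cmd="$OSSEC_START" '
            !done && /^[ \t]*exit[ \t]+0[ \t]*$/ { print cmd; done = 1 }
            { print }
        ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
    else
        printf '%s\n' "$OSSEC_START" >> "$f"
    fi
    chmod +x "$f"   # init silently skips a non-executable rc.local
}

# usage: ensure_ossec_in_rc_local /etc/rc.d/rc.local
```

Run it a second time and the file is left unchanged, so it is safe to call from a configuration management tool on every run.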

If you've chosen the binary package install, chances are that the package provides an initialization script for your operating system. Most modern systems use an initialization script usually installed as /etc/init.d/ossec-hids, and the following commands will enable it:

  • Red Hat-based: /sbin/chkconfig ossec-hids on
  • Debian-based: /sbin/update-rc.d ossec-hids defaults

The Microsoft Windows binary installer configures OSSEC to run at startup, so no additional steps are necessary.