{"id":1720,"date":"2018-12-12T23:58:34","date_gmt":"2018-12-12T20:58:34","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1720"},"modified":"2024-03-11T21:48:15","modified_gmt":"2024-03-11T18:48:15","slug":"how-to-install-ossec-agent-on-solaris-11-4","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-solaris-11-4\/","title":{"rendered":"How to Install OSSEC Agent on Solaris 11.4"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1056\" height=\"591\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-ossec-agent.png\" alt=\"Install OSSEC Agent on Solaris\" class=\"wp-image-16876\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-ossec-agent.png?v=1685472628 1056w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-ossec-agent-768x430.png?v=1685472628 768w\" sizes=\"(max-width: 1056px) 100vw, 1056px\" \/><\/figure>\n\n\n\n<p>In this tutorial, we are going to learn how to install <a href=\"https:\/\/www.ossec.net\/about\/\" target=\"_blank\" rel=\"noreferrer noopener\">OSSEC<\/a> agent on Solaris 11.4. 
<em>Note that this is not an official guide but rather a documentation of the steps that I took myself in order to get OSSEC agent working on Solaris 11.4<\/em>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-ossec-agent-on-solaris-11-4\">Installing OSSEC Agent on Solaris 11.4<\/a><ul><li><a href=\"#prerequisites\">Prerequisites<\/a><\/li><li><a href=\"#download-ossec-tarball\">Download OSSEC Tarball<\/a><\/li><li><a href=\"#install-ossec-agent-on-solaris-11-4\">Install OSSEC Agent on Solaris 11.4<\/a><ul><li><a href=\"#extract-the-source-code\">Extract the Source Code<\/a><\/li><li><a href=\"#update-ossec-agent-install-script\">Update OSSEC Agent Install Script<\/a><\/li><li><a href=\"#install-ossec-agent-on-solaris-11-4-1\">Install OSSEC Agent on Solaris 11.4<\/a><\/li><\/ul><\/li><li><a href=\"#register-and-import-ossec-agent\">Register and Import OSSEC Agent<\/a><\/li><li><a href=\"#running-ossec-agent-on-solaris-11\">Running OSSEC agent on Solaris 11<\/a><\/li><\/ul><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-ossec-agent-on-solaris-11-4\">Installing OSSEC Agent on Solaris 11.4<\/h2>\n\n\n\n<p>Just like we have explained in our other tutorials regarding installation of OSSEC HIDS agent on Linux hosts, OSSEC is an open source host intrusion detection system that can be used to <span class=\"st\">actively monitor all aspects of system activity including file integrity monitoring, log monitoring, rootkit detection, Windows registry monitoring and process monitoring.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h3>\n\n\n\n<p>To install OSSEC agent on Solaris 11.4, you need to compile and build it from the source and consequently, you need to have the build utilities <code>gcc<\/code> and <code>make<\/code>.<\/p>\n\n\n\n<p>For the case 
of Solaris, GNU make, <code>gmake<\/code>, is used instead of the traditional <code>make<\/code> utility.<\/p>\n\n\n\n<p>Hence before you can proceed, verify that you have these utilities installed on your system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>which gcc<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>which: no gcc in (\/usr\/bin:\/usr\/sbin)<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>which gmake<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/bin\/gmake<\/code><\/pre>\n\n\n\n<p>As you can see above, we don&#8217;t have the GNU compiler installed. Hence run the command below to install it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>pkg install gcc<\/code><\/pre>\n\n\n\n<p>Once the installation is done, you can run the command below to verify the installed version.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>gcc -v<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nUsing built-in specs.\nCOLLECT_GCC=gcc\nCOLLECT_LTO_WRAPPER=\/usr\/gcc\/7\/lib\/gcc\/x86_64-pc-solaris2.11\/7.3.0\/lto-wrapper\nTarget: x86_64-pc-solaris2.11\nConfigured with: \/builds\/ulhg\/workspace\/Solaris_11u4\/Userland\/full-build\/02a-build-i386\/components\/gcc7\/gcc-7.3.0\/configure --prefix=\/usr\/gcc\/7 --mandir=\/usr\/gcc\/7\/share\/man --bindir=\/usr\/gcc\/7\/bin --sbindir=\/usr\/gcc\/7\/sbin --libdir=\/usr\/gcc\/7\/lib --infodir=\/usr\/gcc\/7\/share\/info --libexecdir=\/usr\/gcc\/7\/lib --enable-languages=c,c++,fortran,objc --enable-shared --enable-initfini-array --disable-rpath --with-system-zlib --with-build-config=no --with-gmp-include=\/usr\/include --with-mpfr-include=\/usr\/include --without-gnu-ld --with-ld=\/usr\/bin\/ld --with-gnu-as --with-as=\/usr\/gnu\/bin\/as --disable-bootstrap 'BOOT_CFLAGS=-g -O2' x86_64-pc-solaris2.11\nThread model: posix\ngcc version 7.3.0 (GCC) \n<\/code><\/pre>\n\n\n\n<p>Next, link the GNU C compiler to the Sun C++ compiler.<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>which gcc<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/bin\/gcc<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ln -s \/usr\/bin\/gcc \/usr\/bin\/cc<\/code><\/pre>\n\n\n\n<p>Now that you have what is required to install OSSEC HIDS on Solaris 11.4, proceed as follows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"download-ossec-tarball\">Download OSSEC Tarball<\/h3>\n\n\n\n<p>OSSEC tarball can be downloaded from the <a href=\"https:\/\/www.ossec.net\/downloads.html\" target=\"_blank\" rel=\"noopener\">OSSEC downloads page<\/a>. You can simply run the command below to download it;<\/p>\n\n\n\n<p>Replace the value of the VER variable with the current version of OSSEC agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=3.7.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/${VER}.tar.gz -P \/tmp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-ossec-agent-on-solaris-11-4\">Install OSSEC Agent on Solaris 11.4<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"extract-the-source-code\">Extract the Source Code<\/h4>\n\n\n\n<p>Navigate to the tarball download directory and extract OSSEC HIDS.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf ${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-ossec-agent-install-script\">Update OSSEC Agent Install Script<\/h4>\n\n\n\n<p>Before you can proceed to install OSSEC agent on Solaris 11.4, you need to make a few changes on the installation files.<\/p>\n\n\n\n<p>By default, OSSEC is set to be compiled using the traditional <code>make<\/code> utility. Since Solaris utilizes the GNU make utility, <code>gmake<\/code>, we are going to configure OSSEC to use <code>gmake<\/code> instead so as to avoid possible misinterpretations of GNU make extensions. 
If you fail to do this, you may encounter such an error.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n5- Installing the system\n - Running the Makefile\nmake: Fatal error in reader: Makefile, line 3: Unexpected end of line seen\n\n Error 0x5.\n Building error. Unable to finish the installation.\n\n<\/code><\/pre>\n\n\n\n<p>Thus, navigate to OSSEC source directory and edit the <code>install.sh<\/code> script.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ossec-hids-3.7.0\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>vi install.sh<\/code><\/pre>\n\n\n\n<p>Replace the value of <code>MAKEBIN=make<\/code> on the <strong><code>install()<\/code><\/strong> section to <code>MAKEBIN=gmake<\/code>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n##########\n# install()\n##########\nInstall()\n{\n    echo \"\"\n    echo \"5- ${installing}\"\n\n    echo \"DIR=\\\"${INSTALLDIR}\\\"\" > ${LOCATION}\n\n    # Changing Config.OS with the new C flags\n    # Checking if debug is enabled\n    if [ \"X${SET_DEBUG}\" = \"Xdebug\" ]; then\n        CEXTRA=\"${CEXTRA} -DDEBUGAD\"\n    fi\n\n    echo \"CEXTRA=${CEXTRA}\" >> .\/src\/Config.OS\n\n<strong>    #MAKEBIN=make\n    MAKEBIN=gmake<\/strong>\n    ## Find make\/gmake\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Similarly, you may encounter issues with PCRE;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n5- Installing the system\n - Running the Makefile\ncc -I.\/external\/compat -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\\\"\/var\/ossec\\\" -DUSER=\\\"ossec\\\" -DREMUSER=\\\"ossecr\\\" -DGROUPGLOBAL=\\\"ossec\\\" -DMAILUSER=\\\"ossecm\\\" -DSunOS -DSOLARIS -DHIGHFIRST -DZLIB_SYSTEM -DUSE_PCRE2_JIT -DLIBOPENSSL_ENABLED -DCLIENT -Wall -Wextra -I.\/ -I.\/headers\/ -I.\/client-agent   -DARGV0=\\\"ossec-agentd\\\" -c client-agent\/notify.c -o client-agent\/notify.o\nIn file included from .\/headers\/shared.h:215:0,\n                 from 
client-agent\/notify.c:10:\n<strong>.\/os_regex\/os_regex.h:19:10: fatal error: pcre2.h: No such file or directory\n #include &lt;pcre2.h><\/strong>\n          ^~~~~~~~~\ncompilation terminated.\ngmake: *** [Makefile:1015: client-agent\/notify.o] Error 1\n\n Error 0x5.\n Building error. Unable to finish the installation.\n<\/code><\/pre>\n\n\n\n<p>To fix this on Solaris;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download PCRE source code;<\/li>\n<\/ul>\n\n\n\n<p>You can find out which PCRE version the agent is using as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep EXTERNAL_PCRE2= \/tmp\/ossec-hids-3.7.0\/src\/Makefile<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>EXTERNAL_PCRE2=external\/<strong>pcre2-10.32<\/strong>\/<\/code><\/pre>\n\n\n\n<p>As you can see, OSSEC agent 3.7.0 requires PCRE 10.32;<\/p>\n\n\n\n<p>You can download from <a href=\"https:\/\/github.com\/PCRE2Project\/pcre2\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">Github repository<\/a> as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/PCRE2Project\/pcre2\/releases\/download\/pcre2-10.32\/pcre2-10.32.tar.gz<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Extract it;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf pcre2-10.32.tar.gz<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Move the extracted source to OSSEC <strong><code>src\/external<\/code><\/strong> directory.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>mv pcre2-10.32 \/tmp\/ossec-hids-3.7.0\/src\/external\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, edit the file <\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>vim src\/Makefile<\/code><\/pre>\n\n\n\n<p>and change the line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PCRE2_SYSTEM?=yes<\/code><\/pre>\n\n\n\n<p>to;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PCRE2_SYSTEM?=no<\/code><\/pre>\n\n\n\n<p>Save and 
exit.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-ossec-agent-on-solaris-11-4-1\">Install OSSEC Agent on Solaris 11.4<\/h4>\n\n\n\n<p>After making the above changes, launch the OSSEC installer script.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>...<\/strong>\n  (en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]<\/code><\/pre>\n\n\n\n<p>Press <strong>Enter<\/strong> to accept English as the installation language. Press <strong>Enter<\/strong> again to proceed with installation.<\/p>\n\n\n\n<p>Choose the kind of installation;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? <strong>agent<\/strong>\n\n  - Agent(client) installation chosen.<\/code><\/pre>\n\n\n\n<p>Set the default installation environment. Press Enter to accept the default.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2- Setting up the installation environment.\n\n - Choose where to install the OSSEC HIDS [\/var\/ossec]: <strong>press ENTER<\/strong>\n\n    - Installation will be made at  \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Set the OSSEC server IP address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3- Configuring the OSSEC HIDS.\n\n  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <strong>192.168.43.101<\/strong>\n\n   - Adding Server IP 192.168.43.101<\/code><\/pre>\n\n\n\n<p>Enable system integrity check and rootkit detection<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.2- Do you want to run the integrity check daemon? (y\/n) [y]: y\n\n   - Running syscheck (integrity check daemon).\n\n  3.3- Do you want to run the rootkit detection engine? 
(y\/n) [y]: y\n\n   - Running rootcheck (rootkit detection).<\/code><\/pre>\n\n\n\n<p>Disable active response unless you have a clear understanding of what to be alerted on.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.4 - Do you want to enable active response? (y\/n) [y]: n\n\n   - Active response disabled.<\/code><\/pre>\n\n\n\n<p>Then press ENTER to proceed with the installation.<\/p>\n\n\n\n<p>After that, press ENTER to finalize the installation. If everything goes well, you should see an output confirming the proper installation of OSSEC agent on Solaris 11.4.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n - System is Solaris (SunOS).\n - Init script modified to start OSSEC HIDS during boot.\n\n - Configuration finished properly.\n\n - To start OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control start\n\n - To stop OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control stop\n\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\n\n    Thanks for using the OSSEC HIDS.\n    If you have any question, suggestion or if you find any bug,\n    contact us at https:\/\/github.com\/ossec\/ossec-hids or using\n    our public maillist at  \n    https:\/\/groups.google.com\/forum\/#!forum\/ossec-list\n\n    More information can be found at http:\/\/www.ossec.net\n\n    ---  Press ENTER to finish (maybe more information below). ---\n    \n\n\n - You first need to add this agent to the server so they \n   can communicate with each other. When you have done so,\n   you can run the 'manage_agents' tool to import the \n   authentication key from the server.\n   \n   \/var\/ossec\/bin\/manage_agents\n\n   More information at: \n   http:\/\/www.ossec.net\/docs\/docs\/programs\/manage_agents.html\n<\/code><\/pre>\n\n\n\n<p>Hurray!! 
You have successfully installed the OSSEC agent on Solaris 11.4.<\/p>\n\n\n\n<p>The OSSEC HIDS agent configuration files are now located under <code>\/var\/ossec\/<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/var\/ossec\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nactive-response\nagentless\nbin\netc\nlogs\nqueue\ntmp\nusr\nvar\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"register-and-import-ossec-agent\">Register and Import OSSEC Agent<\/h3>\n\n\n\n<p>Import the Agent Key from the server, be it OSSEC server or AlienVault USM.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>You can obtain help on various command options for manage_agents command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/ossec\/bin\/manage_agents -h<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n  manage_agents: -[Vhlj] [-a &lt;ip> -n &lt;name>] [-d sec] [-e id] [-r id] [-i id] [-f file]\n    -V          Version and license message\n    -h          This help message\n    -j          Use JSON output\n    -l          List available agents.\n    -a &lt;ip>     Add new agent\n    -e &lt;id>     Extracts key for an agent (Manager only)\n    -r &lt;id>     Remove an agent (Manager only)\n    -i &lt;id>     Import authentication key (Agent only)\n    -n &lt;name>   Name for new agent\n    -F &lt;sec>    Remove agents with duplicated IP if disconnected since &lt;sec> seconds\n    -f &lt;file>   Bulk generate client keys from file (Manager only)\n                &lt;file> contains lines in IP,NAME format\n                &lt;file> should also exist within \/var\/ossec due to manage_agents chrooting\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-ossec-agent-on-solaris-11\">Running OSSEC agent on Solaris 11<\/h3>\n\n\n\n<p>After you have imported and connected the agent to OSSEC server, start the OSSEC agent.<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>\/var\/ossec\/bin\/ossec-control start<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Starting OSSEC HIDS v3.7.0...\nStarted ossec-execd...\n2023\/05\/30 18:05:57 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800\nStarted ossec-agentd...\nStarted ossec-logcollector...\nStarted ossec-syscheckd...\nCompleted.<\/code><\/pre>\n\n\n\n<p>Happy monitoring!!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=ossec\" target=\"_blank\" rel=\"noreferrer noopener\">How to install OSSEC agent on Ubuntu\/Debian\/CentOS<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we are going to learn how to install OSSEC agent on Solaris 11.4. Note that this is not an official guide but<\/p>\n","protected":false},"author":1,"featured_media":16876,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72,273],"tags":[6797,275,6798,6800,6799,274],"class_list":["post-1720","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","category-ossec","tag-install-ossec-agent-on-solaris","tag-ossec","tag-ossec-agent-install-solaris","tag-ossec-agent-solaris-installation","tag-solaris-11-pcre","tag-solaris-11-4","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1720"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comm
ents?post=1720"}],"version-history":[{"count":16,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1720\/revisions"}],"predecessor-version":[{"id":21080,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1720\/revisions\/21080"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16876"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1720"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}