Deploying HIDS to Servers

Applies to Product: USM Appliance™, LevelBlue OSSIM®

We recommend deploying a host-based intrusion detection system (HIDS) to enable

  • File integrity monitoring
  • Rootkit detection
  • Event log collection

The Getting Started Wizard provides two options for HIDS agent deployment.

Windows — HIDS agent is installed locally on specified hosts. All Windows hosts must meet the prerequisites described in the Asset Management topic, Deploying HIDS Agents, of the USM Appliance User Guide.

UNIX/Linux — Agentless operation: no HIDS agent is installed on the hosts. UNIX and Linux systems are monitored remotely for file integrity only. For information on installing HIDS agents on UNIX/Linux hosts, see Deploy the AlienVault HIDS Agents to Linux Hosts.

Before you can deploy a HIDS agent to the Windows machine, make sure that it meets the following requirements.

  • If using any network accelerator devices in the environment, you must add USM Appliance Sensor to their allowlist. This is because the USM Appliance Sensor utilizes SMB (Server Message Block) to transfer the HIDS agent installation package to the Windows machine. If the network accelerator tries to optimize the traffic from the USM Appliance Sensor, it may cause the HIDS deployment to fail.
  • The operating system must be one of the following:

    • Microsoft Windows XP
    • Windows 7, 8, or 10
    • Windows Server 2003, 2008R2, or 2012R2
  • You must use a user account that is a member of the built-in Administrators group (the same group the local Administrator account belongs to).

    Note: For security reasons, the local Administrator account is disabled by default on all versions of Windows currently in mainstream support. In order for the HIDS deployment to succeed, you need to enable the local Administrator account (not recommended), or create a user account and add it to the built-in Administrators group.

  • You must have modified the target Windows machine as described in the steps below.

Note: The Winexe installation utility may trigger a false positive alert as a “potential hacking tool” during an authorized application installation, even though the Winexe remote installation is an authorized action. In this instance, the best practices are to either allowlist the IP address of USM Appliance, or temporarily disable the antivirus software during the installation.
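A pre-flight check for the Windows prerequisites listed above, added here as an example; it is not part of the USM Appliance product or its documentation. It assumes PowerShell 3.0 or later on the target host and takes the account you plan to enter in the wizard as a parameter (the name 'usmdeploy' is a placeholder); the mapping of the supported Windows releases to NT version numbers is also an assumption.

```powershell
# Added pre-flight check, not LevelBlue/USM Appliance code. Run in an elevated
# PowerShell session on the target Windows host before using the wizard.
function Test-HidsDeployPrereqs {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DeployAccount   # e.g. 'usmdeploy' or 'CORP\usmdeploy' (placeholder)
    )
    $r = [ordered]@{}

    # 1. Supported OS. The page's list mapped to NT major.minor (assumption):
    #    XP=5.1, Server 2003=5.2, 7/2008R2=6.1, 8=6.2, 8.1/2012R2=6.3, 10=10.0.
    $ver = (Get-WmiObject Win32_OperatingSystem).Version      # e.g. '6.3.9600'
    $mm  = ($ver -split '\.')[0..1] -join '.'
    $r['SupportedOS'] = @('5.1','5.2','6.1','6.2','6.3','10.0') -contains $mm

    # 2. The deployment account must be a member of the built-in Administrators group.
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $acct = $DeployAccount.Split('\')[-1]
    $r['InAdministrators'] = @($members) -contains $acct

    # 3. State of the built-in Administrator account (RID 500). The page expects it
    #    to stay disabled and a separate Administrators-group account to be used.
    $builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
               Where-Object { $_.SID -like '*-500' }
    $r['BuiltinAdminDisabled'] = [bool]$builtin.Disabled

    # 4. The installer package is transferred over SMB, so TCP 445 must be listening
    #    and the ADMIN$ share must exist on the host.
    $r['Smb445Listening'] = [bool](netstat -an -p TCP |
                                   Select-String ':445\s+\S+\s+LISTENING')
    $r['AdminShare'] = [bool](Get-WmiObject Win32_Share |
                              Where-Object { $_.Name -eq 'ADMIN$' })

    # SupportedOS, InAdministrators, Smb445Listening and AdminShare must all be True
    # for the wizard deployment to have a chance of succeeding.
    return $r
}

Test-HidsDeployPrereqs -DeployAccount 'usmdeploy'
```

Network-accelerator allowlisting (the first prerequisite) cannot be verified from the host itself and must be confirmed on the accelerator.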

To deploy HIDS

  1. Select the Windows or the UNIX/Linux tab, as appropriate.
  2. Type your Username and Password.

    Note: For UNIX/Linux systems, this should be your SSH credentials.

  3. (Windows only) Optionally, enter the Domain information.
  4. From the asset tree on the right, choose the asset(s) on which you would like to deploy a HIDS agent.
  5. Click Deploy.

    The HIDS Deployment popup prompts you for confirmation.

  6. Click Continue.

    A progress bar appears.

    After the deployment finishes, a message displays the number of devices successfully deployed with HIDS.

  7. Click OK.

    [Figure: Deploy HIDS to Servers window in the Getting Started Wizard]

  8. After you finish deploying the HIDS agents, click Next at bottom-right to proceed.

Next...

You must now enable the USM Appliance Log to collect data from network assets; see Enabling Log Management.