Deploy LevelBlue HIDS Agents

Applies to Product: USM Appliance™ LevelBlue OSSIM®

You can deploy an LevelBlue HIDS agent to a host

  • Through the Getting Started Wizard

    This option supports deployment to Windows hosts and agentless deployment to Linux hosts. For instructions, see Deploying HIDS to Servers, in the Getting Started Wizard topic.

  • From the Asset List View

    This option supports deployment to Microsoft Windows servers only. For instructions, see Deploying HIDS Agents, in Asset Management.

  • From the HIDS management view

    This option supports deployment to Windows and Linux hosts.

For Microsoft Windows hosts, USM Appliance generates a binary file containing the appropriate server configuration and authentication key. You can choose to let USM Appliance install the file for you, or download the file and install it on the host yourself.

Before you can deploy a HIDS agent to the Windows machine, make sure that it meets the following requirements.

  • If using any network accelerator devices in the environment, you must add USM Appliance Sensor to their allowlist. This is because the USM Appliance Sensor utilizes SMB (Server Message Block) to transfer the HIDS agent installation package to the Windows machine. If the network accelerator tries to optimize the traffic from the USM Appliance Sensor, it may cause the HIDS deployment to fail.

  • The operating system must be one of the following

    • Microsoft Windows XP
    • Windows 7, 8, or 10
    • Windows Server 2003, 2008R2, or 2012R2

  • You need to use a user account that belongs to the same Administrators group as the local Administrator account.

    Note: For security reasons, the local Administrator account is disabled by default on all versions of Windows currently in mainstream support. In order for the HIDS deployment to succeed, you need to enable the local Administrator account (not recommended), or create a user account and add it to the built-in Administrators group.

  • You must have changed the target Windows machine based on the steps below.

    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use simple file sharing.
    3. Go to Control Panel > Windows Firewall > Exceptions.
    4. Select File and Printer Sharing.
    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use Sharing Wizard (Recommended).
    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.
    4. Enable File and Printer Sharing (SMB-In).
    5. Go to Control Panel > User Accounts > Change User Account Control Settings.
    6. Move the slider to Never notify.
    1. Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules.
    2. Enable File and Printer Sharing (SMB-In).
    3. To allow NTLMv2 security, run gpedit.msc.

    4. Go to Local Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and change these settings.

      1. Network Security: Minimum session security for NTLMSPP based (including secure RPC) clients, select
        • Require NTLMv2 session security
        • Require 128-bit encryption
      2. Network Security: Minimum session security for NTLMSPP based (including secure RPC) servers, select
        • Require NTLMv2 session security
        • Require 128-bit encryption
      3. Network Security: LAN Manager Authentication level, select
        • Send NTLMv2 response only\refuse LM & NTLM
    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use Sharing Wizard (Recommended).
    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.
    4. Enable File and Printer Sharing (SMB-In).
    5. Enable Windows Management Instrumentation (WMI) entry.
    6. Go to Control Panel > User Accounts > Change User Account Control Settings.
    7. Move the slider to Never notify.

    8. Open Group Policy.

      1. Go to Local Policies > Security Options
      2. Set Network access: Shares that can be accessed anonymously to IPC.
      3. Set User Account Control: Run all administrators in Admin Approval Mode to Disabled (recommended).
    9. Apply changes and restart the machine.

Note: The Winexe installation utility may trigger a false positive alert as a “potential hacking tool” during an authorized application installation, even though the Winexe remote installation is an authorized action. In this instance, the best practices are to either allowlist the IP address of USM Appliance, or temporarily disable the antivirus software during the installation.

To deploy the LevelBlue HIDS agent to a Windows host

  1. Go to Environment > Detection.

  2. Go to HIDS > Agents > Agent Control > Add Agent.

  3. On New HIDS Agent, select the host from the asset tree.

    USM Appliance populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.

  4. Click Save.

    USM Appliance adds the new agent to the list.

  5. To deploy the agent, click the button in the Actions column.

  6. In Automatic Deployment for Windows, type the Domain (optional), User, and Password of the host; then click Save.

    USM Appliance assembles a preconfigured binary file and deploys it to the host.

  7. Alternatively, to download the preconfigured binary file, click the button in the Actions column.

    Your browser downloads the file automatically or prompts you for the download.

  8. Transfer the file, named ossec_installer_<agent_id>.exe, to the Microsoft Windows host.

  9. On the Windows host, double-click to run the executable.

    The installer runs in a console briefly, then displays a progress bar until completion.

Important: For Linux hosts, depending on which distribution of Linux you use, LevelBlue recommends that you download the corresponding ossec-hids-agent installer file from the OSSEC's Downloads page directly, and then follow their instructions to complete the installation.

After you have successfully installed the HIDS agent on the Linux host, perform the steps below to connect it to USM Appliance.

To add the HIDS agent to USM Appliance

  1. Go to Environment > Detection.
  2. Go to HIDS > Agents > Agent Control > Add Agent.

  3. On New HIDS Agent, select the host from the asset tree.

    USM Appliance populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.

  4. Click Save.

    USM Appliance adds the new agent to the list.

  5. To extract the key for the agent, click the button in the Actions column, and then copy the key that displays.

  6. Login to the Linux host, run /var/ossec/bin/manage_agents, and then enter I to import the key you copied in the previous step.

    Note: On some installations, Centos, for example, the command may be manage_client instead of manage_agents.

  7. Edit /var/ossec/etc/ossec-agent.conf to change the server IP address to the USM Appliance.

  8. Start the HIDS agent if it is not already running:

    service ossec start

    chkconfig ossec-hids on

  9. On the USM Appliance, go to Environment > Detection, click HIDS Control, and then Restart.

You can verify the deployment both on the HIDS agent and in USM Appliance.

On the HIDS agents, you can check the ossec.log file to make sure that a message similar to the following exists:

2015/09/18 09:07:38 ossec-agent: INFO: Started (pid: 3440).

2015/09/18 09:07:38 ossec-agent(4102): INFO: Connected to the server (10.47.30.100:1514).

To check the agent log file on the Windows hosts

  1. Go to Start > OSSEC > Manage Agent.

  2. In OSSEC Agent Manager, click View and select View Logs.

    This opens the ossec.log file on the agent.

To check the agent log file on the Linux hosts

  1. Login to the Linux host.

  2. In a console, enter the following:

    more /var/ossec/logs/ossec.log

On the USM Appliance, make sure there are LevelBlue HIDS events.

To verify the HIDS deployment in USM Appliance

  1. Go to Environment > Detection.

    The Overview page for HIDS displays.

  2. Ensure that the Status column for the deployed agents display Active, and the Trend chart is not empty.

  3. To see the LevelBlue HIDS events from a specific agent, go to Analysis > Security Events (SIEM).

  4. In Data Sources, select LevelBlue HIDS; change Event Name to Src IP, enter the IP addresses of the HIDS agent, and then click Go.

    The LevelBlue HIDS events from the particular agent display.

By default, USM Appliance updates the HIDS Agent information in its database every 60 minutes. If you want to increase the frequency, you can change the refresh rate under Configuration > Administration > Main > Detection.

You may see the following messages in the web UI when deploying LevelBlue HIDS agents in USM Appliance.

USM Appliance HIDS agent deployment status messages

Message

Explanation
Agent ID '<agent_id>' is not valid. Agent ID has to be 1-4 digital characters. The HIDS agent ID provided is not valid.
Cannot create HIDS agent '<agent_name>' on the sensor '<sensor_id}>'. The HIDS agent cannot be added to the given sensor.
Cannot get HIDS agents related to asset <asset_id>. The HIDS agent information cannot be retrieved.
Cannot resolve the given asset <asset_id>. The asset ID is not a valid UUID.
Cannot resolve the given sensor <sensor_id>. The sensor ID is not found in the database.
Deployment IP '<ip_address>' is not valid IP address. The IP address provided is not a valid IP address.
HIDS Agent cannot be deployed. Reason: <error_msg>. The errors received from the commands used to deploy the HIDS agent in the target host.
HIDS agent successfully deployed. The HIDS agent deployment is successful.
Invalid Credentials: '<username>' is not valid username. The username contains characters that are not allowed.
Invalid Credentials: Password is not valid. The password contains characters that are not allowed.
Sorry, deployment job cannot be launched due to an error when sending the request. Please try again. The job to deploy the HIDS agent cannot be launched.