
Sheriff CSM™

Deploy Sheriff HIDS Agents

You can deploy a Sheriff HIDS agent to a host in one of three ways:
  • Through the Getting Started Wizard
    This option supports deployment to Windows hosts and agentless deployment to Linux hosts. For instructions, see Deploying HIDS to Servers, in the Getting Started Wizard topic.

  • From the Asset List View
    This option supports deployment to Microsoft Windows servers only. For instructions, see Deploying HIDS Agents in Asset Management.

  • From the HIDS management view
    This option supports deployment to Windows and Linux hosts.

For Microsoft Windows hosts, Sheriff CSM generates a binary file containing the appropriate server configuration and authentication key. You can choose to let Sheriff CSM install the file for you, or download the file and install it on the host yourself.

Before you can deploy a HIDS agent to the Windows machine, make sure that it meets the following requirements.
  • If using any network accelerator devices in the environment, you must add Sheriff CSM Sensor (Deputy) to their whitelist. This is because the Sheriff CSM Sensor utilizes SMB (Server Message Block) to transfer the HIDS agent installation package to the Windows machine. If the network accelerator tries to optimize the traffic from the Sheriff CSM Sensor, it may cause the HIDS deployment to fail.
  • The operating system must be one of the following

    • Microsoft Windows XP
    • Windows 7, 8, or 10
    • Windows Server 2003, 2008R2, or 2012R2
  • You need to use a user account that belongs to the same Administrators group as the local Administrator account.

    Note: For security reasons, the local Administrator account is disabled by default on all versions of Windows currently in mainstream support. In order for the HIDS deployment to succeed, you need to enable the local Administrator account (not recommended), or create a user account and add it to the built-in Administrators group.

  • You must have prepared the target Windows machine by completing the set of steps below that applies to its version of Windows.

    1. Go to Control Panel > Folder Options > View.

    2. Deselect Use simple file sharing.

    3. Go to Control Panel > Windows Firewall > Exceptions.

    4. Select File and Printer Sharing.

    1. Go to Control Panel > Folder Options > View.

    2. Deselect Use Sharing Wizard (Recommended).

    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.

    4. Enable File and Printer Sharing (SMB-In).

    5. Go to Control Panel > User Accounts > Change User Account Control Settings.

    6. Move the slider to Never notify.

    1. Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules.

    2. Enable File and Printer Sharing (SMB-In).

    3. To allow NTLMv2 security, run gpedit.msc.

    4. Go to Local Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and change these settings:

      1. Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients, select

        • Require NTLMv2 session security
        • Require 128-bit encryption

      2. Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers, select

        • Require NTLMv2 session security
        • Require 128-bit encryption

      3. Network Security: LAN Manager authentication level, select

        • Send NTLMv2 response only. Refuse LM & NTLM

    1. Go to Control Panel > Folder Options > View.

    2. Deselect Use Sharing Wizard (Recommended).

    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.

    4. Enable File and Printer Sharing (SMB-In).

    5. Enable the Windows Management Instrumentation (WMI) entry.

    6. Go to Control Panel > User Accounts > Change User Account Control Settings.

    7. Move the slider to Never notify.

    8. Open Group Policy.

      1. Go to Local Policies > Security Options.
      2. Set Network access: Shares that can be accessed anonymously
      3. Set User Account Control: Run all administrators in Admin Approval Mode to

    9. Apply the changes and restart the machine.

Note: The Winexe installation utility may trigger a false positive alert as a “potential hacking tool” during an authorized application installation, even though the Winexe remote installation is an authorized action. In this instance, the best practices are to either whitelist the IP address of Sheriff CSM, or temporarily disable the antivirus software during the installation.
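Several of the preparation steps above are Local Security Policy and firewall settings whose state is easy to lose track of across many hosts. The script below is an added example, not Sheriff CSM or OSSEC code: it is a read-only check that reports whether each prerequisite is in place before you attempt the automatic deployment. It assumes PowerShell 5.1 or later with the NetSecurity module (Windows 8 / Server 2012 and later; the Windows XP and Server 2003 hosts in the supported list have neither), and it relies on the Microsoft-documented registry values behind the policy names the page gives (LmCompatibilityLevel, NtlmMinClientSec/NtlmMinServerSec, the UAC ConsentPromptBehaviorAdmin/PromptOnSecureDesktop values, and Explorer's SharingWizardOn), which the page itself names only through the UI. Because the "Never notify" UAC setting lowers the host's own protection, a report like this also tells you what to restore once the agent is installed.

```powershell
# Read-only prerequisite check for the Windows host preparation steps listed above.
# Added example, not Sheriff CSM or OSSEC code. Assumed mappings (from Microsoft docs):
#   "LAN Manager authentication level" -> HKLM\...\Lsa\LmCompatibilityLevel,
#       5 = "Send NTLMv2 response only. Refuse LM & NTLM"
#   "Minimum session security for NTLM SSP based clients/servers"
#       -> HKLM\...\Lsa\MSV1_0\NtlmMinClientSec / NtlmMinServerSec, a bit mask where
#          0x00020000 = Require NTLMv2 session security, 0x20000000 = Require 128-bit encryption
#   UAC slider "Never notify" -> ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0
#   Explorer "Use Sharing Wizard" -> HKCU\...\Explorer\Advanced\SharingWizardOn (0 = deselected)

$NtlmV2And128Bit = 0x00020000 -bor 0x20000000   # both options selected = 0x20080000

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so "not configured" shows as a failed check
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-FirewallRuleOpen {
    param([string]$DisplayName)
    # True only if at least one rule with this display name is enabled and allows traffic
    $rules = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rules) { return $false }
    return [bool]($rules | Where-Object { "$($_.Enabled)" -eq 'True' -and "$($_.Action)" -eq 'Allow' })
}

function New-Check {
    param([string]$Name, [bool]$Pass, $Observed)
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Observed = $Observed }
}

function Test-HidsDeployPrereqs {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

    $lm      = Get-RegValue $lsa 'LmCompatibilityLevel'
    $client  = Get-RegValue $msv 'NtlmMinClientSec'
    $server  = Get-RegValue $msv 'NtlmMinServerSec'
    $consent = Get-RegValue $uac 'ConsentPromptBehaviorAdmin'
    $secure  = Get-RegValue $uac 'PromptOnSecureDesktop'
    $wizard  = Get-RegValue $exp 'SharingWizardOn'

    @(
        New-Check 'Firewall: File and Printer Sharing (SMB-In) enabled' `
            (Test-FirewallRuleOpen 'File and Printer Sharing (SMB-In)') $null
        New-Check 'Firewall: Windows Management Instrumentation (WMI-In) enabled' `
            (Test-FirewallRuleOpen 'Windows Management Instrumentation (WMI-In)') $null
        New-Check 'LAN Manager authentication level: NTLMv2 only, refuse LM & NTLM' `
            ($lm -eq 5) $lm
        New-Check 'NTLM SSP clients: require NTLMv2 session security and 128-bit encryption' `
            (($client -band $NtlmV2And128Bit) -eq $NtlmV2And128Bit) ('0x{0:X8}' -f [int]$client)
        New-Check 'NTLM SSP servers: require NTLMv2 session security and 128-bit encryption' `
            (($server -band $NtlmV2And128Bit) -eq $NtlmV2And128Bit) ('0x{0:X8}' -f [int]$server)
        New-Check 'UAC slider at Never notify' `
            ($consent -eq 0 -and $secure -eq 0) "ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secure"
        New-Check 'Use Sharing Wizard deselected (current user)' `
            ($wizard -eq 0) $wizard
    )
}

# Usage: run on the target Windows host before starting the automatic deployment
Test-HidsDeployPrereqs | Format-Table -AutoSize
```

The script only reads state; it never changes a policy, so it is safe to run repeatedly, including after deployment to confirm that the settings relaxed for the installation have been put back.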

To deploy the Sheriff HIDS agent to a Windows host
  1. Go to Environment > Detection.
  2. Go to HIDS > Agents > Agent Control > Add Agent.

  3. On New HIDS Agent, select the host from the asset tree.

    Sheriff CSM populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.

  4. Click Save.

    Sheriff CSM adds the new agent to the list.

  5. To deploy the agent, click the button in the Actions column.
  6. In Automatic Deployment for Windows, type the Domain (optional), User, and Password of the host; then click Save.

    Sheriff CSM assembles a preconfigured binary file and deploys it to the host.

  7. Alternatively, to download the preconfigured binary file, click the button in the Actions column.

    Your browser downloads the file automatically or prompts you for the download.

  8. Transfer the file, named ossec_installer_<agent_id>.exe, to the Microsoft Windows host.

  9. On the Windows host, double-click to run the executable.

    The installer runs in a console briefly, then displays a progress bar until completion.

Important: For Linux hosts, Sheriff recommends that you download the ossec-hids-agent installer that matches your Linux distribution directly from OSSEC's Downloads page, and then follow their instructions to complete the installation.

After you have successfully installed the HIDS agent on the Linux host, perform the steps below to connect it to the Sheriff CSM.

To add the HIDS agent to Sheriff CSM
  1. Go to Environment > Detection.

  2. Go to HIDS > Agents > Agent Control > Add Agent.

  3. On New HIDS Agent, select the host from the asset tree.

    Sheriff CSM populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.

  4. Click Save.

    Sheriff CSM adds the new agent to the list.

  5. To extract the key for the agent, click the button in the Actions column, and then copy the key that displays.

  6. Log in to the Linux host, run /var/ossec/bin/manage_agents, and then enter I to import the key you copied in the previous step.

    Note: On some installations, CentOS, for example, the command may be manage_client instead of manage_agents.

  7. Edit /var/ossec/etc/ossec-agent.conf and change the server IP address to that of the Sheriff CSM.

  8. Start the HIDS agent if it is not already running:

    service ossec start 
    chkconfig ossec-hids on
  9. On the Sheriff CSM, go to Environment > Detection, click HIDS Control, and then Restart.

You can verify the deployment both on the HIDS agent and the Sheriff CSM.

On the HIDS agent, check the ossec.log file to make sure that messages similar to the following exist:

2015/09/18 09:07:38 ossec-agent: INFO: Started (pid: 3440).
2015/09/18 09:07:38 ossec-agent(4102): INFO: Connected to the server (10.47.30.100:1514).

To check the agent log file on the Windows hosts
  1. Go to Start > OSSEC > Manage Agent.
  2. In OSSEC Agent Manager, click View and select View Logs.

    This opens the ossec.log file on the agent.
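Reading the log by eye works for one host; for more than a few it helps to check it programmatically, and in particular to confirm that the agent connected to the manager you intended rather than merely to some server. The function below is an added example, not Sheriff CSM or OSSEC code. It assumes the OSSEC Windows agent's default log location, C:\Program Files (x86)\ossec-agent\ossec.log, and the log line shape shown above; the two sample lines are constructed from that excerpt.

```powershell
# Added example (not Sheriff CSM or OSSEC code): confirm from ossec.log that the agent
# reached the intended manager on the expected port.

$ConnectPattern = 'ossec-agent\(\d+\): INFO: Connected to the server \((?<ip>[\d.]+):(?<port>\d+)\)'

function Test-HidsAgentConnected {
    param(
        [string[]]$LogLines,        # contents of ossec.log
        [string]$ExpectedServer,    # the Sheriff CSM address the agent should be talking to
        [int]$ExpectedPort = 1514   # port shown in the log excerpt above
    )
    # Use the most recent connection message; earlier ones may predate a server change
    $last = $null
    foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $ConnectPattern)
        if ($m.Success) { $last = $m }
    }
    if (-not $last) {
        return [pscustomobject]@{ Connected = $false; Server = $null; Port = $null; MatchesExpected = $false }
    }
    $ip   = $last.Groups['ip'].Value
    $port = [int]$last.Groups['port'].Value
    [pscustomobject]@{
        Connected       = $true
        Server          = $ip
        Port            = $port
        MatchesExpected = ($ip -eq $ExpectedServer -and $port -eq $ExpectedPort)
    }
}

# Constructed sample taken from the log excerpt above
$sample = @(
    '2015/09/18 09:07:38 ossec-agent: INFO: Started (pid: 3440).',
    '2015/09/18 09:07:38 ossec-agent(4102): INFO: Connected to the server (10.47.30.100:1514).'
)
Test-HidsAgentConnected -LogLines $sample -ExpectedServer '10.47.30.100'

# On a real host, read the live log and compare against your Sheriff CSM address (placeholder below)
$logPath = 'C:\Program Files (x86)\ossec-agent\ossec.log'
if (Test-Path $logPath) {
    Test-HidsAgentConnected -LogLines (Get-Content $logPath) -ExpectedServer '<SHERIFF-CSM-IP>'
}
```

A result with Connected set but MatchesExpected false usually means the agent was configured with an old or wrong server address, which the Status column in the Sheriff CSM web UI alone will not explain.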

To check the agent log file on the Linux hosts
  1. Log in to the Linux host.
  2. In a console, enter the following:

    more /var/ossec/logs/ossec.log

On the Sheriff CSM, make sure there are Sheriff HIDS events.

To verify the HIDS deployment on the Sheriff CSM
  1. Go to Environment > Detection.

    The Overview page for HIDS displays.

  2. Ensure that the Status column for the deployed agents displays Active, and that the Trend chart is not empty.

  3. To see the Sheriff HIDS events from a specific agent, go to Analysis > Security Events (SIEM).
  4. In Data Sources, select Sheriff HIDS; change Event Name to Src IP, enter the IP address of the HIDS agent, and then click Go.

    The Sheriff HIDS events from the particular agent display.

You may see the following messages in the web UI when deploying Sheriff HIDS agents in Sheriff CSM.

Sheriff CSM HIDS agent deployment status messages

Message                                                                                   Explanation
Your request has been processed                                                           Success
Sorry, operation was not completed due to an error when processing the request            No data returned from DB
The following errors occurred                                                             A list of pertinent errors
Your changes have been saved                                                              Successful save
illegal: User                                                                             User validation error
illegal: Password                                                                         Password validation error
illegal: Domain                                                                           Domain validation error

Topic revision: 02 May 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.