
Remove deprecated or non-necessary active response scripts #16648

Open
TheMuntu opened this issue Apr 6, 2023 · 0 comments

TheMuntu commented Apr 6, 2023

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.4.x | Wazuh component | Manager/Agent | Packages/Sources | OS version |

Description

Wazuh has several out-of-the-box active responses for some of the operating systems it supports (Windows, Linux/Unix). This issue aims to track all the deprecated, redundant or non-necessary active response scripts and remove them from the next Wazuh versions.

Current AR scripts

Wazuh has the following out-of-the-box active response scripts:

Windows

PS C:\Program Files (x86)\ossec-agent\active-response\bin> ls
    Directory: C:\Program Files (x86)\ossec-agent\active-response\bin
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/13/2022   4:35 PM          52312 netsh.exe
-a----         9/13/2022   4:35 PM          50776 restart-wazuh.exe
-a----         9/13/2022   4:35 PM          52312 route-null.exe

Linux

vagrant@Ubuntu:~$ sudo ls -l /var/ossec/active-response/bin
total 248
-rwxr-x--- 1 root ossec 19504 Nov 12  2021 default-firewall-drop
-rwxr-x--- 1 root ossec 16112 Nov 12  2021 disable-account
-rwxr-x--- 1 root ossec 19504 Nov 12  2021 firewall-drop
-rwxr-x--- 1 root ossec 20528 Nov 12  2021 firewalld-drop
-rwxr-x--- 1 root ossec 17480 Nov 12  2021 host-deny
-rwxr-x--- 1 root ossec 15376 Nov 12  2021 ip-customblock
-rwxr-x--- 1 root ossec 16040 Nov 12  2021 ipfw
-rwxr-x--- 1 root ossec 15352 Nov 12  2021 kaspersky
-rwxr-x--- 1 root ossec 14434 Nov 12  2021 kaspersky.py
-rwxr-x--- 1 root ossec 15984 Nov 12  2021 npf
-rwxr-x--- 1 root ossec 16112 Nov 12  2021 pf
-rwxr-x--- 1 root ossec 15352 Nov 12  2021 restart-wazuh
-rwxr-x--- 1 root ossec  1038 Nov 12  2021 restart.sh
-rwxr-x--- 1 root ossec 15368 Nov 12  2021 route-null
-rwxr-x--- 1 root ossec 16256 Nov 12  2021 wazuh-slack

Linked issues

The table below holds all child issues linked to the removal of deprecated or non-necessary active response scripts.

| Issue # | Title | Platform |
|---|---|---|
| #15499 | Remove default-firewall-drop active response on Linux/Unix endpoints | Linux/Unix |
| #15689 | Remove redundant restart.sh active response scripts in both Wazuh server and Linux/Unix endpoints | Linux/Unix |
| #16645 | Remove wazuh-slack active response script from next Wazuh versions | Linux/Unix |

Expected changes

The following changes are to be expected:

All related documentation that uses these scripts will be updated.

Considerations

How would the removal of these scripts affect old Wazuh installations and upgrades from old installations, particularly installations where the ossec.conf file already contains configurations that use a removed active response?

General notes

Any comments and use cases that need to be accounted for in this issue should be added as a comment below.
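The Considerations section asks how existing installations whose ossec.conf still references a removed script are affected. As an added example (not code from the Wazuh project or from this issue), the following Python script scans an ossec.conf for `<command>` entries whose executable is one of the scripts named in the linked issues, and for `<active-response>` blocks that trigger those commands, so an operator can find such references before upgrading. The embedded configuration is constructed for the example; the list of removed script names is taken from the linked issues table, and the `<command>`/`<active-response>` layout and the wrapper-root handling of multi-block ossec.conf files are assumptions based on the documented ossec.conf structure.

```python
"""Find active-response commands in ossec.conf that point at removed scripts.

Added example, not part of the Wazuh project. Usage:
    python check_removed_ar.py /var/ossec/etc/ossec.conf
Run without arguments to scan the constructed sample configuration below.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Scripts slated for removal in the linked issues (#15499, #15689, #16645).
REMOVED_SCRIPTS = frozenset({"default-firewall-drop", "restart.sh", "wazuh-slack"})

# Constructed sample ossec.conf fragment (not from any real deployment).
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>default-drop</name>
    <executable>default-firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
  </active-response>
  <active-response>
    <command>default-drop</command>
    <location>local</location>
    <level>10</level>
  </active-response>
</ossec_config>
<ossec_config>
  <command>
    <name>slack-notify</name>
    <executable>wazuh-slack</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
</ossec_config>
"""


def parse_ossec_conf(text):
    """Parse ossec.conf text into an element tree.

    An ossec.conf may contain several top-level <ossec_config> blocks, which
    is not one well-formed XML document, so wrap it in a synthetic root first.
    """
    return ET.fromstring("<wrapper>" + text + "</wrapper>")


def find_removed_references(text, removed=REMOVED_SCRIPTS):
    """Return (kind, command name, executable) tuples.

    One tuple per <command> whose executable is a removed script, followed by
    one per <active-response> that triggers such a command.
    """
    root = parse_ossec_conf(text)
    findings = []
    affected = {}  # command name -> executable, for commands using a removed script

    for cmd in root.findall("./ossec_config/command"):
        name = (cmd.findtext("name") or "").strip()
        executable = (cmd.findtext("executable") or "").strip()
        # Compare on the basename so a full path to the script still matches.
        if os.path.basename(executable) in removed:
            affected[name] = executable
            findings.append(("command", name, executable))

    for ar in root.findall("./ossec_config/active-response"):
        name = (ar.findtext("command") or "").strip()
        if name in affected:
            findings.append(("active-response", name, affected[name]))

    return findings


def main(argv):
    """Scan the file given on the command line (or the sample); exit 1 if any
    reference to a removed script is found, so it can gate an upgrade step."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    findings = find_removed_references(text)
    for kind, name, executable in findings:
        print(f"{kind}: '{name}' uses removed script '{executable}'")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the check only reports, it is safe to run against a production ossec.conf before an upgrade; the non-zero exit status lets it sit in a pre-upgrade script so that a configuration still relying on a removed script is caught rather than silently left pointing at a missing binary.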
