Release 4.6.0 - Alpha 1 - E2E UX tests - Configuration assessment #18833

Closed
2 tasks done
davidjiglesias opened this issue Sep 7, 2023 · 10 comments

Comments

@davidjiglesias
Member

davidjiglesias commented Sep 7, 2023

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful: some of the description steps might refer to the version currently in production, so always navigate using the current development documentation for the stage under test.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, or Docker) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Communicate these to QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/framework team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Deployment requirements

| Component | Installation | Type | OS |
| --- | --- | --- | --- |
| Indexer | Installation assistant | Multi node | Fedora 38 x86_64 |
| Server | Installation assistant | Single node | Fedora 38 x86_64 |
| Dashboard | Installation assistant | - | Fedora 38 x86_64 |
| Agent | Wazuh WUI one-liner deploy using FQDN | - | Windows Server 2016 x86_64, Debian 10 x86_64, Fedora 38 x86_64, macOS Ventura arm |

Test description

For the selected Wazuh Agent OS:

  • Check that their respective SCA policies are applied properly
  • Use and activate a custom policy for any of them
  • Disable a used policy and confirm it is not used anymore
  • Push SCA config through centralized config and check it applies properly

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below, removing current examples:

| Status | Test | Failure type | Notes |
| --- | --- | --- | --- |
| 🟡 | macOS Ventura agent installation with Wazuh WUI one-liner deploy using FQDN | The WAZUH_MANAGER variable did not work on the installation | #18933 |
| 🟡 | Push SCA config through centralized config and check it applies properly with Fedora | Fedora operating system does not have an SCA policy | #18306 |
| 🟡 | Push SCA config through centralized config and check it applies properly with Windows Server 2016 | Failure when attempting to create an SCA policy with Windows Server 2016 | #18981 |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    Everything was clear and without any ambiguity
  • Did you face any challenges not covered by the guideline?
    No
  • Suggestions for improvement:

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

@javiersanchz
Member

javiersanchz commented Sep 8, 2023

Environment 🟢

Set up the environment with Vagrant and VirtualBox. For the macOS Ventura ARM and Windows Server 2016 agents (not found in the Vagrantfile), I requested that the CICD team create a VM in this issue with the corresponding operating system and architecture.

Vagrantfile
Vagrant.configure("2") do |config|
  config.vm.define "indexer" do |instance|
    instance.vm.box = "fedora/38-cloud-base"
    instance.vm.hostname = "indexer"
    instance.vm.network "private_network", ip: "192.168.56.101"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "4096"
      pmv.cpus = 2
      pmv.name = "E2E_indexer"
    end
  end

  config.vm.define "indexer2" do |instance|
    instance.vm.box = "fedora/38-cloud-base"
    instance.vm.hostname = "indexer2" 
    instance.vm.network "private_network", ip: "192.168.56.102"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "4096"
      pmv.cpus = 2
      pmv.name = "E2E_indexer2"
    end
  end

  config.vm.define "manager" do |instance|
    instance.vm.box = "fedora/38-cloud-base"
    instance.vm.hostname = "manager"
    instance.vm.network "private_network", ip: "192.168.56.103"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "2048"
      pmv.cpus = 2
      pmv.name = "E2E_manager"
    end
  end

  config.vm.define "dashboard" do |instance|
    instance.vm.box = "fedora/38-cloud-base"
    instance.vm.hostname = "dashboard"
    instance.vm.network "private_network", ip: "192.168.56.104"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "2048"
      pmv.cpus = 2
      pmv.name = "E2E_dashboard"
    end
  end

  config.vm.define "agent-debian" do |instance|
    instance.vm.box = "debian/buster64"
    instance.vm.hostname = "agent-debian"
    instance.vm.network "private_network", ip: "192.168.56.105"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "2048"
      pmv.cpus = 2
      pmv.name = "E2E_agent-debian"
    end
  end

  config.vm.define "agent-fedora" do |instance|
    instance.vm.box = "fedora/38-cloud-base"
    instance.vm.hostname = "agent-fedora"
    instance.vm.network "private_network", ip: "192.168.56.106"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "2048"
      pmv.cpus = 2
      pmv.name = "E2E_agent-fedora"
    end
  end

  config.vm.define "agent-windows" do |instance|
    instance.vm.box = "StefanScherer/windows_2016"
    instance.vm.hostname = "agent-windows"
    instance.vm.network "private_network", ip: "192.168.56.107"
    instance.vm.provider "virtualbox" do |pmv|
      pmv.memory = "4096"
      pmv.cpus = 2
      pmv.name = "E2E_agent-windows"
    end
  end
end

System information

Indexer 🟢

OS information
[vagrant@indexer ~]$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Cloud Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

Indexer 2 🟢

OS information
[vagrant@indexer2 ~]$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Cloud Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

Manager 🟢

OS information
[vagrant@manager ~]$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Cloud Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

Dashboard 🟢

OS information
[vagrant@dashboard ~]$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Cloud Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

Wazuh Agent - Debian 10 🟢

OS information
vagrant@agent-debian:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Wazuh Agent - Fedora 38 🟢

OS information
[vagrant@agent-fedora ~]$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Cloud Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

Wazuh Agent - macOS 🟢

OS information
vagrant@macos-13 ~ % system_profiler SPSoftwareDataType
Software:
    System Software Overview:
      System Version: macOS 13.4.1 (22F82)
      Kernel Version: Darwin 22.5.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: macos-13
      User Name: vagrant (vagrant)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 17 hours, 49 minutes

Wazuh Agent - Windows server 2016 x86_64 🟢

OS information

image

@javiersanchz
Member

javiersanchz commented Sep 8, 2023

Install environment

An issue (234) was opened because, during the environment installation, the indexer did not install correctly. It seems that everything was an IP configuration problem.

Wazuh Indexer 🟢

Initial configuration
[vagrant@indexer ~]$ sudo su
[root@indexer vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/wazuh-install.sh
[root@indexer vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/config.yml
[root@indexer vagrant]# nano config.yml 
[root@indexer vagrant]# cat config.yml 
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 192.168.56.101
    - name: node-2
      ip: "192.168.56102
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: 192.168.56.103
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 192.168.56.104

[root@indexer vagrant]# bash wazuh-install.sh --generate-config-files -i
08/09/2023 13:19:59 INFO: Starting Wazuh installation assistant. Wazuh version: 4.6.0
08/09/2023 13:19:59 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/09/2023 13:20:05 WARNING: Hardware and system checks ignored.
08/09/2023 13:20:05 INFO: --- Configuration files ---
08/09/2023 13:20:05 INFO: Generating configuration files.
08/09/2023 13:20:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.

[root@indexer vagrant]# bash wazuh-install.sh --wazuh-indexer node-1 -i
11/09/2023 09:54:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.6.0
11/09/2023 09:54:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/09/2023 09:54:53 WARNING: Hardware and system checks ignored.
11/09/2023 09:54:55 INFO: Wazuh development repository added.
11/09/2023 09:54:55 INFO: --- Wazuh indexer ---
11/09/2023 09:54:55 INFO: Starting Wazuh indexer installation.
11/09/2023 09:56:06 INFO: Wazuh indexer installation finished.
11/09/2023 09:56:06 INFO: Wazuh indexer post-install configuration finished.
11/09/2023 09:56:06 INFO: Starting service wazuh-indexer.
11/09/2023 09:56:50 INFO: wazuh-indexer service started.
11/09/2023 09:56:50 INFO: Initializing Wazuh indexer cluster security settings.
11/09/2023 09:56:50 INFO: Wazuh indexer cluster initialized.
11/09/2023 09:56:50 INFO: Installation finished.

[root@indexer vagrant]# bash wazuh-install.sh --start-cluster -i
11/09/2023 11:36:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.6.0
11/09/2023 11:36:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/09/2023 11:36:35 WARNING: Hardware and system checks ignored.
11/09/2023 11:36:43 INFO: Wazuh indexer cluster security configuration initialized.
11/09/2023 11:37:43 INFO: Wazuh indexer cluster started.

Start the indexer cluster

[root@indexer vagrant]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'LToKtl?rGkUL+VBqkJxFF3ZDqSb8QRkS'
[root@indexer vagrant]# curl -k -u admin:LToKtl?rGkUL+VBqkJxFF3ZDqSb8QRkS https://192.168.56.101:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "KjSQmPCdQK69lTrsWH7gbw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Wazuh Indexer2 🟢

Initial configuration
[vagrant@indexer2 ~]$ sudo su
[root@indexer2 vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/wazuh-install.sh
[root@indexer2 vagrant]# bash wazuh-install.sh --wazuh-indexer node-2 -i
11/09/2023 09:54:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.6.0
11/09/2023 09:54:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/09/2023 09:54:53 WARNING: Hardware and system checks ignored.
11/09/2023 09:54:55 INFO: Wazuh development repository added.
11/09/2023 09:54:55 INFO: --- Wazuh indexer ---
11/09/2023 09:54:55 INFO: Starting Wazuh indexer installation.
11/09/2023 09:56:06 INFO: Wazuh indexer installation finished.
11/09/2023 09:56:06 INFO: Wazuh indexer post-install configuration finished.
11/09/2023 09:56:06 INFO: Starting service wazuh-indexer.
11/09/2023 09:56:50 INFO: wazuh-indexer service started.
11/09/2023 09:56:50 INFO: Initializing Wazuh indexer cluster security settings.
11/09/2023 09:56:50 INFO: Wazuh indexer cluster initialized.
11/09/2023 09:56:50 INFO: Installation finished.

Start the indexer cluster

[root@indexer2 vagrant]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'LToKtl?rGkUL+VBqkJxFF3ZDqSb8QRkS'
[root@indexer2 vagrant]# curl -k -u admin:LToKtl?rGkUL+VBqkJxFF3ZDqSb8QRkS https://192.168.56.102:9200
{
  "name" : "node-2",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "KjSQmPCdQK69lTrsWH7gbw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Wazuh server 🟢

Wazuh server installation
[root@manager vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/wazuh-install.sh
[root@manager vagrant]# bash wazuh-install.sh --wazuh-server wazuh-1 -i
11/09/2023 14:36:39 INFO: Starting Wazuh installation assistant. Wazuh version: 4.6.0
11/09/2023 14:36:39 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/09/2023 14:36:47 WARNING: Hardware and system checks ignored.
11/09/2023 14:36:48 INFO: Wazuh development repository added.
11/09/2023 14:36:49 INFO: --- Wazuh server ---
11/09/2023 14:36:49 INFO: Starting the Wazuh manager installation.
11/09/2023 14:38:04 INFO: Wazuh manager installation finished.
11/09/2023 14:38:04 INFO: Starting service wazuh-manager.
11/09/2023 14:38:19 INFO: wazuh-manager service started.
11/09/2023 14:38:19 INFO: Starting Filebeat installation.
11/09/2023 14:38:28 INFO: Filebeat installation finished.
11/09/2023 14:38:30 INFO: Filebeat post-install configuration finished.
11/09/2023 14:38:36 INFO: Starting service filebeat.
11/09/2023 14:38:37 INFO: filebeat service started.
11/09/2023 14:38:37 INFO: Installation finished.

[root@manager vagrant]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Wazuh dashboard 🟢

Wazuh dashboard installation
[root@dashboard vagrant]# curl -sO https://packages-dev.wazuh.com/4.6/wazuh-install.sh

[root@dashboard vagrant]# bash wazuh-install.sh --wazuh-dashboard dashboard -i
11/09/2023 14:47:08 INFO: Starting Wazuh installation assistant. Wazuh version: 4.6.0
11/09/2023 14:47:08 INFO: Verbose logging redirected to /var/log/wazuh-install.log
11/09/2023 14:47:11 INFO: --- Dependencies ---
11/09/2023 14:47:11 INFO: Installing lsof.
11/09/2023 14:47:20 WARNING: Hardware and system checks ignored.
11/09/2023 14:47:20 INFO: Wazuh web interface port will be 443.
11/09/2023 14:47:22 INFO: Wazuh development repository added.
11/09/2023 14:47:22 INFO: --- Wazuh dashboard ----
11/09/2023 14:47:26 INFO: --- Dependencies ---
11/09/2023 14:47:26 INFO: Installing chromium.
11/09/2023 14:48:35 INFO: Installing xorg-x11-fonts-100dpi.
11/09/2023 14:48:40 INFO: Installing xorg-x11-fonts-75dpi.
11/09/2023 14:48:44 INFO: Installing xorg-x11-utils.
11/09/2023 14:48:45 WARNING: Cannot install optional dependency: xorg-x11-utils.
11/09/2023 14:48:45 INFO: Installing xorg-x11-fonts-cyrillic.
11/09/2023 14:48:48 INFO: Installing xorg-x11-fonts-Type1.
11/09/2023 14:48:51 INFO: Installing xorg-x11-fonts-misc.
11/09/2023 14:48:56 WARNING: Wazuh dashboard dependencies skipped. PDF report generation may not work.
11/09/2023 14:48:56 INFO: Starting Wazuh dashboard installation.
11/09/2023 14:51:31 INFO: Wazuh dashboard installation finished.
11/09/2023 14:51:31 INFO: Wazuh dashboard post-install configuration finished.
11/09/2023 14:51:31 INFO: Starting service wazuh-dashboard.
11/09/2023 14:51:32 INFO: wazuh-dashboard service started.
11/09/2023 14:51:52 INFO: Initializing Wazuh dashboard web application.
11/09/2023 14:51:53 INFO: Wazuh dashboard web application initialized.
11/09/2023 14:51:53 INFO: --- Summary ---
11/09/2023 14:51:53 INFO: You can access the web interface https://192.168.56.104:443
    User: admin
    Password: LToKtl?rGkUL+VBqkJxFF3ZDqSb8QRkS
11/09/2023 14:51:53 INFO: Installation finished.

Print passwords

[root@dashboard vagrant]# tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
wazuh-install-files/wazuh-passwords.txt
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'LToKtl?rGkUL+VBqkJxFF3ZDqSb8QRkS'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: '3Ap5k+6mp+Nb.fyCZCarrs2czJN9A4r7'

# Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
  indexer_username: 'kibanaro'
  indexer_password: 'ineJX8nlm810.oPl8AkKJfTU37Gmm1XT'

# Filebeat user for CRUD operations on Wazuh indices
  indexer_username: 'logstash'
  indexer_password: 'Bw2qjuUjPLlL6MlzDm3FcvuC.7IJ?YyT'

# User with READ access to all indices
  indexer_username: 'readall'
  indexer_password: 'AaF+u5OkGx4xnCP?x6Av6.?**RtR2Zhe'

# User with permissions to perform snapshot and restore operations
  indexer_username: 'snapshotrestore'
  indexer_password: 'at6hprDREXA7+MZm+q.BesnlyZ9wkPUb'

# Password for wazuh API user
  api_username: 'wazuh'
  api_password: 'dxvsAj5FpSnYMBoc?OPv+P7ser?h5sOU'

# Password for wazuh-wui API user
  api_username: 'wazuh-wui'
  api_password: 'nSoSOWGzNLfl7K.tJ6wouwTWUm.Wze0F'

Dashboard URL 🟢

image

Wazuh agent - Debian 🟢

Wazuh WUI using FQDN

image

image

Wazuh agent - Fedora 🟢

Wazuh WUI using FQDN

image

image

Wazuh agent - macOS 🟡

Wazuh WUI using FQDN

image

The WAZUH_MANAGER variable did not work on the installation.

sh-3.2# curl -so wazuh-agent.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.6.0-1.arm64.pkg && echo -e "WAZUH_MANAGER='81.35.99.235'\nWAZUH_AGENT_GROUP='default'\nWAZUH_AGENT_NAME='macOS'\n" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# sudo /Library/Ossec/bin/wazuh-control start
2023/09/12 01:33:14 wazuh-agentd: ERROR: (4112): Invalid server address found: 'MANAGER_IP'
2023/09/12 01:33:14 wazuh-agentd: ERROR: (1215): No client configured. Exiting.
wazuh-agentd: Configuration error. Exiting

It seems that this error is already reported in the following issue

Accessing the /Library/Ossec/etc/ossec.conf and manually modifying the MANAGER_IP connects successfully.

image

Wazuh agent - windows 🟢

Wazuh WUI using FQDN

image
image
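
The macOS failure above (the package kept the MANAGER_IP placeholder in ossec.conf even though /tmp/wazuh_envs had been written) can be caught before wazuh-control start and, if needed, repaired by hand. The following is an added example written for this page, not Wazuh installer code: it applies the WAZUH_MANAGER, WAZUH_AGENT_GROUP and WAZUH_AGENT_NAME variables to the agent configuration and refuses to accept the placeholder as a server address. It assumes (an assumption of this example) that the agent's ossec.conf keeps the server address under <client><server><address> and the enrollment settings under <client><enrollment> as agent_name and groups; the sample variable file and configuration fragment are constructed from the one-liner shown above, and the function names are the example's own.

```python
"""Apply a /tmp/wazuh_envs-style variable file to an agent ossec.conf.

Added example for this page, not Wazuh installer code. It does by hand what the
macOS package is expected to do with WAZUH_MANAGER, WAZUH_AGENT_GROUP and
WAZUH_AGENT_NAME, and refuses to leave the MANAGER_IP placeholder in place.
Assumed layout (an assumption of this example): the server address lives under
<client><server><address> and enrollment settings under <client><enrollment>.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = "MANAGER_IP"
# RFC 1123 style hostname: labels of letters, digits and hyphens, no underscores.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_envs(text):
    """Parse KEY='value' lines (as written by the one-liner) into a dict."""
    envs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        envs[key.strip()] = value.strip().strip("'\"")
    return envs


def valid_server_address(addr):
    """Accept an IP address or a hostname/FQDN; reject the installer placeholder."""
    if not addr or addr == PLACEHOLDER:
        return False
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(addr))


def _load(conf_xml):
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap them.
    return ET.fromstring("<wrap>" + conf_xml + "</wrap>")


def _dump(root):
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


def check_conf(conf_xml):
    """Pre-start check: the configured server address must be usable."""
    address = _load(conf_xml).find(".//client/server/address")
    return address is not None and valid_server_address(address.text)


def apply_envs(conf_xml, envs):
    """Return the rewritten ossec.conf text; raise if WAZUH_MANAGER is unusable."""
    manager = envs.get("WAZUH_MANAGER")
    if not valid_server_address(manager):
        raise ValueError(f"WAZUH_MANAGER is missing or invalid: {manager!r}")
    root = _load(conf_xml)
    client = root.find(".//client")
    address = root.find(".//client/server/address")
    if client is None or address is None:
        raise ValueError("no <client><server><address> block in ossec.conf")
    address.text = manager
    enrollment = client.find("enrollment")
    if enrollment is None:
        enrollment = ET.SubElement(client, "enrollment")
    for key, tag in (("WAZUH_AGENT_NAME", "agent_name"), ("WAZUH_AGENT_GROUP", "groups")):
        if envs.get(key):
            node = enrollment.find(tag)
            if node is None:
                node = ET.SubElement(enrollment, tag)
            node.text = envs[key]
    return _dump(root)


# Constructed sample inputs, modelled on the one-liner above and a fresh package install.
SAMPLE_ENVS = (
    "WAZUH_MANAGER='81.35.99.235'\nWAZUH_AGENT_GROUP='default'\nWAZUH_AGENT_NAME='macOS'\n"
)
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>"""

if __name__ == "__main__":
    print("usable before:", check_conf(SAMPLE_CONF))
    fixed = apply_envs(SAMPLE_CONF, parse_envs(SAMPLE_ENVS))
    print("usable after:", check_conf(fixed))
    print(fixed)
```

Running check_conf against the real file before starting the agent turns the runtime error 4112 into a pre-start failure; apply_envs is the manual equivalent of what the installer should have done with /tmp/wazuh_envs. Underscores are deliberately rejected in hostnames so that MANAGER_IP can never slip through as a "valid" name.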

@javiersanchz
Member

javiersanchz commented Sep 11, 2023

Check 2. Use and activate a custom policy for any of them 🟢

Wazuh agent - Debian

I created a custom policy in /var/ossec/ruleset/sca/custom_policy.yml with the following content:

policy:
  id: "custom_policy"
  file: "custom_policy.yml"
  name: "Custom policy for SCA test."
  description: "Review whether SCA is working as expected"

checks:
  - id: 20000
    title: "File should contain expected line"
    description: "Check that test_file contains specific line"
    condition: all
    rules:
      - 'f:/home/vagrant/test_file -> Expected line'

This policy has only one check, which ensures that /home/vagrant/test_file contains the text Expected line.

Then I created /home/vagrant/test_file with the following content:

First line
Second line
Expected line
Forth line

Restart the agent

root@agent-debian:/home/vagrant# systemctl restart wazuh-agent

The following logs can be seen in the Wazuh agent logs /var/ossec/logs/ossec.log:

2023/09/11 18:03:07 sca: INFO: Module started.
2023/09/11 18:03:07 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/custom_policy.yml'
2023/09/11 18:03:07 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 18:03:07 wazuh-modulesd:control: INFO: Starting control thread.
2023/09/11 18:03:07 sca: INFO: Starting Security Configuration Assessment scan.
2023/09/11 18:03:07 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/09/11 18:03:07 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/09/11 18:03:07 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/custom_policy.yml'
2023/09/11 18:03:07 wazuh-modulesd:syscollector: INFO: Module started.
2023/09/11 18:03:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/09/11 18:03:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/09/11 18:03:10 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/custom_policy.yml'
2023/09/11 18:03:10 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 18:03:14 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 18:03:14 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2023/09/11 18:03:18 rootcheck: INFO: Ending rootcheck scan.

The custom_policy.yml file was loaded and evaluated.

In the Wazuh dashboard, we can see the results:

image

image

If I delete the Expected line text from the /home/vagrant/test_file that is checked by the custom policy:

First line
Second line

Forth line

The SCA check fails after restarting the Wazuh agent.

image

image

@javiersanchz
Member

javiersanchz commented Sep 11, 2023

Check 3. Disable a used policy and confirm it is not used anymore 🟢

Wazuh agent-Debian

Disabling the custom policy through the configuration file (/var/ossec/etc/ossec.conf) by setting enabled="no":

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy enabled="no">ruleset/sca/custom_policy.yml</policy>
    </policies>
  </sca>

After restarting the Wazuh agent, the following logs can be found in the agent:

root@agent-debian:/home/vagrant# systemctl restart wazuh-agent

2023/09/11 18:26:38 sca: INFO: Module started.
2023/09/11 18:26:38 sca: INFO: Policy '/var/ossec/ruleset/sca/custom_policy.yml' disabled by configuration.
2023/09/11 18:26:38 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 18:26:38 sca: INFO: Starting Security Configuration Assessment scan.
2023/09/11 18:26:38 wazuh-modulesd:syscollector: INFO: Module started.
2023/09/11 18:26:38 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/09/11 18:26:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/09/11 18:26:38 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 18:26:43 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 18:26:43 sca: INFO: Security Configuration Assessment scan finished. Duration: 5 seconds.
2023/09/11 18:26:50 rootcheck: INFO: Ending rootcheck scan.

Now the custom_policy was disabled:

image
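
The two checks above (a local custom policy evaluated against test_file, then the same policy switched off with enabled="no") can be reproduced offline. The following is an added example written for this page, not Wazuh's SCA module: it models only a subset of the SCA rule grammar (f:, c:, r:, not) and the all/any/none conditions, and its shared and remote_commands parameters are the example's stand-ins for a policy pushed by the manager through agent.conf and for the sca.remote_commands internal option, the gate that decides whether c: rules from a manager-pushed policy are executed at all. The test file and policy dictionary are constructed in the code; the function names are the example's own.

```python
"""Offline model of how a Wazuh SCA policy is loaded and evaluated.

Added example, not Wazuh code. Covers a subset of the SCA rule grammar:
f:<path> (file exists), f:<path> -> <text> (a line contains <text>),
f:<path> -> r:<re> (a line matches the regex), c:<cmd> -> <text> (command
output contains <text>), and a 'not ' prefix that negates a rule. Command rules
from a policy pushed by the manager (shared=True) run only when remote_commands
is True, mirroring the agent's sca.remote_commands internal option.
"""
import re
import subprocess
import tempfile
from pathlib import Path


def _contains(lines, expected):
    """Match the right-hand side of '->': a literal substring or r:<regex>."""
    if expected is None:
        return True
    if expected.startswith("r:"):
        pattern = re.compile(expected[2:])
        return any(pattern.search(line) for line in lines)
    return any(expected in line for line in lines)


def eval_rule(rule, shared=False, remote_commands=False):
    """Evaluate one rule: True/False, or None when the rule was skipped."""
    negate = rule.startswith("not ")
    if negate:
        rule = rule[4:]
    kind, _, rest = rule.partition(":")
    target, _, expected = rest.partition(" -> ")
    expected = expected or None
    if kind == "f":
        path = Path(target)
        result = path.is_file() and _contains(path.read_text().splitlines(), expected)
    elif kind == "c":
        if shared and not remote_commands:
            return None  # never run commands pushed by the manager unless opted in
        proc = subprocess.run(target, shell=True, capture_output=True, text=True)
        result = _contains(proc.stdout.splitlines(), expected)
    else:
        raise ValueError(f"unsupported rule type {kind!r} in {rule!r}")
    return (not result) if negate else bool(result)


def eval_check(check, shared=False, remote_commands=False):
    """Combine the rule results with the check's condition (all / any / none)."""
    results = [eval_rule(r, shared, remote_commands) for r in check["rules"]]
    if None in results:
        return "not applicable"
    combine = {"all": all, "any": any, "none": lambda rs: not any(rs)}[check["condition"]]
    return "passed" if combine(results) else "failed"


def run_policy(policy, enabled=True, shared=False, remote_commands=False):
    """Like the agent: a policy disabled in ossec.conf is never evaluated."""
    if not enabled:
        return {}
    return {c["id"]: eval_check(c, shared, remote_commands) for c in policy["checks"]}


def demo():
    """Replay the thread's scenarios on a constructed test file and policy."""
    test_file = Path(tempfile.mkdtemp()) / "test_file"
    test_file.write_text("First line\nSecond line\nExpected line\nForth line\n")
    policy = {  # constructed, modelled on custom_policy.yml from the thread
        "policy": {"id": "custom_policy", "file": "custom_policy.yml",
                   "name": "Custom policy for SCA test.",
                   "description": "Review whether SCA is working as expected"},
        "checks": [
            {"id": 20000, "title": "File should contain expected line",
             "condition": "all", "rules": [f"f:{test_file} -> Expected line"]},
            {"id": 20001, "title": "Command rule (stand-in for systemctl is-enabled)",
             "condition": "all", "rules": ["c:echo enabled -> enabled"]},
        ],
    }
    out = {
        "local": run_policy(policy),
        "disabled": run_policy(policy, enabled=False),
        "shared_no_remote_commands": run_policy(policy, shared=True),
        "shared_remote_commands": run_policy(policy, shared=True, remote_commands=True),
    }
    test_file.write_text("First line\nSecond line\n\nForth line\n")  # drop the expected line
    out["after_edit"] = run_policy(policy)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it directly prints each scenario: the local policy passes, editing the file out of compliance flips check 20000 to failed, a disabled policy produces no results at all, and a command rule inside a shared policy is skipped (reported here as not applicable) until remote commands are explicitly allowed. The real agent logs its own messages for the last case, but the design point is the same: a manager should not be able to turn SCA into a remote command channel on an agent that has not opted in, which is why sca.remote_commands=1 has to be set on the agent side rather than pushed from the manager.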

@javiersanchz
Member

javiersanchz commented Sep 11, 2023

Check 4. Push SCA config through centralized config and check it applies properly

Wazuh agent - Debian 🟢

I created a new agent group through the UI called debian_agents and added the agent:

image
image
image

I created the following policy /var/ossec/etc/shared/debian_agents/shared_custom_policy.yml in the Wazuh manager:

policy:
  id: "shared_custom_policy"
  file: "shared_custom_policy.yml"
  name: "Shared custom policy for SCA test."
  description: "Review whether SCA is working as expected" 

checks:
  - id: 20001
    title: "ssh service is enabled"
    description: "Ensure the ssh service is enabled"
    condition: all
    remediation: "Run the following command to enable ssh: # systemctl enable ssh"
    rules:
      - 'c:systemctl is-enabled ssh -> enabled'

And I enabled sca.remote_commands in the Wazuh agent's /var/ossec/etc/local_internal_options.conf to allow SCA commands to run from remote policies.

echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf

I added the following configuration to the centralized configuration of the debian_agents group (/var/ossec/etc/shared/debian_agents/agent.conf):

<agent_config>
  <!-- Shared agent configuration here -->
   <sca>
      <policies>
        <policy>etc/shared/shared_custom_policy.yml</policy>
      </policies>
    </sca>
</agent_config>

The agent was restarted and the following logs can be seen:

2023/09/11 19:28:05 sca: INFO: Module started.
2023/09/11 19:28:05 sca: INFO: Policy '/var/ossec/ruleset/sca/custom_policy.yml' disabled by configuration.
2023/09/11 19:28:05 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 19:28:05 sca: INFO: Loaded policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:05 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 19:28:09 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 19:28:09 sca: INFO: Starting evaluation of policy: '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:12 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:12 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.

Note the shared_custom_policy.yml is present and was applied:

2023/09/11 19:28:05 sca: INFO: Loaded policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:09 sca: INFO: Starting evaluation of policy: '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:12 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/shared_custom_policy.yml'

image
image

Wazuh agent - Fedora 🟡

I created a new agent group through the UI called fedora_agents and added the agent:

image
image

I created the following policy /var/ossec/etc/shared/fedora_agents/shared_custom_policy.yml in the Wazuh manager:

policy:
  id: "shared_custom_fedora_policy"
  file: "shared_custom_fedora_policy.yml"
  name: "Shared custom policy for SCA test."
  description: "Review whether SCA is working as expected" 

checks:
  - id: 20011
    title: "ssh service is enabled"
    description: "Ensure the ssh service is enabled"
    condition: all
    remediation: "Run the following command to enable ssh: # systemctl enable ssh"
    rules:
      - 'c:systemctl is-enabled ssh -> enabled'

And I enabled sca.remote_commands in the /var/ossec/etc/local_internal_options.conf configuration of the Wazuh agent so that SCA commands can run from remote policies.

echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf

I added the following configuration to the centralized configuration of the fedora_agents group (/var/ossec/etc/shared/fedora_agents/agent.conf):

<agent_config>
  <!-- Shared agent configuration here -->
   <sca>
      <policies>
        <policy>etc/shared/shared_custom_policy.yml</policy>
      </policies>
    </sca>
</agent_config>

With the Fedora agent, it does not work as it should:


This is because the Fedora operating system does not have an SCA policy, as mentioned in this issue.


Wazuh agent - macOS 🟢

I created a new agent group through the UI called macOS_agents and added the agent:


I created the following policy /var/ossec/etc/shared/macOS_agents/shared_custom_policy.yml in the Wazuh manager:

policy:
  id: "shared_custom_macOS_policy"
  file: "shared_custom_macOS_policy.yml"
  name: "Shared custom policy for SCA test."
  description: "Review whether SCA is working as expected" 

checks:
  - id: 20001
    title: "ssh service is enabled"
    description: "Ensure the ssh service is enabled"
    condition: all
    remediation: "Run the following command to enable ssh: # systemctl enable ssh"
    rules:
      - 'c:systemctl is-enabled ssh -> enabled'

And I enabled sca.remote_commands in the /Library/Ossec/etc/local_internal_options.conf configuration of the Wazuh agent so that SCA commands can run from remote policies.

echo "sca.remote_commands=1" >> /Library/Ossec/etc/local_internal_options.conf

I added the following configuration to the centralized configuration of the macOS_agents group (/var/ossec/etc/shared/macOS_agents/agent.conf):

<agent_config>
  <!-- Shared agent configuration here -->
   <sca>
      <policies>
        <policy>etc/shared/shared_custom_policy.yml</policy>
      </policies>
    </sca>
</agent_config>

The agent was restarted and the following logs can be seen:

2023/09/12 02:09:16 sca: INFO: Module started.
2023/09/12 02:09:16 sca: INFO: Loaded policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_13.x.yml'
2023/09/12 02:09:16 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2023/09/12 02:09:16 sca: INFO: Starting Security Configuration Assessment scan.
2023/09/12 02:09:16 sca: INFO: Starting evaluation of policy: '/Library/Ossec/ruleset/sca/cis_apple_macOS_13.x.yml'
2023/09/12 02:09:26 sca: INFO: Evaluation finished for policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_13.x.yml'
2023/09/12 02:09:26 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2023/09/12 02:09:29 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2023/09/12 02:09:29 sca: INFO: Security Configuration Assessment scan finished. Duration: 13 seconds.


Wazuh agent - Windows server 2016 🟡

I created a new agent group through the UI called windows_agents and added the agent:


I created the following policy /var/ossec/etc/shared/windows_agents/shared_custom_policy.yml in the Wazuh manager:

policy:
  id: "shared_custom_win_policy"
  file: "shared_custom_win_policy.yml"
  name: "Shared custom policy for SCA test."
  description: "Review whether SCA is working as expected" 

checks:
  - id: 20021
    title: "File has the expected configuration"
    description: "Ensure the file contains the expected configuration"
    condition: all 
    rules:
      - 'f:C:\Users\Administrator\Desktop\custom_config'

I added the following configuration to the centralized configuration of the windows_agents group (/var/ossec/etc/shared/windows_agents/agent.conf):

<agent_config>
  <!-- Shared agent configuration here -->
    <sca>
      <policies>
        <policy>shared/shared_custom_policy.yml</policy>
      </policies>
    </sca>
</agent_config>

The agent was restarted and the following logs can be seen:

It seems that the policy of searching for the custom_config file in C:\Users\Administrator\Desktop\custom_config is failing, even though it is located in the mentioned path.


I opened the following issue for investigation: #18981
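The report above verifies by eye, in the agent log, that the shared policy was loaded and evaluated. As an added example (not from this issue or from Wazuh's own code), the same check as a small parser over the sca log lines: it flags policies that were loaded but disabled or never finished, and reports per-policy evaluation time. SAMPLE_LOG is constructed from the Debian log lines quoted in the report.

```python
import re
from datetime import datetime

# Constructed sample: the Debian agent's SCA log lines quoted in this report.
SAMPLE_LOG = """\
2023/09/11 19:28:05 sca: INFO: Policy '/var/ossec/ruleset/sca/custom_policy.yml' disabled by configuration.
2023/09/11 19:28:05 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 19:28:05 sca: INFO: Loaded policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:05 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 19:28:09 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2023/09/11 19:28:09 sca: INFO: Starting evaluation of policy: '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:12 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2023/09/11 19:28:12 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
"""

# Per-policy sca events; lines such as "scan finished" do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) sca: INFO: "
    r"(?P<event>Loaded policy|Starting evaluation of policy:|Evaluation finished for policy|Policy) "
    r"'(?P<path>[^']+)'(?P<rest>.*)$"
)

def parse_sca_log(text):
    """Map each policy path to loaded/disabled flags and evaluation start/end timestamps."""
    policies = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        entry = policies.setdefault(m["path"], {"loaded": False, "disabled": False, "start": None, "end": None})
        if m["event"] == "Loaded policy":
            entry["loaded"] = True
        elif m["event"] == "Policy" and "disabled by configuration" in m["rest"]:
            entry["disabled"] = True  # present on disk but skipped, so it never gets start/end
        elif m["event"].startswith("Starting evaluation"):
            entry["start"] = ts
        elif m["event"].startswith("Evaluation finished"):
            entry["end"] = ts
    return policies

def policy_applied(policies, path):
    """True only if the policy was loaded, not disabled, and its evaluation started and finished."""
    p = policies.get(path)
    return bool(p and p["loaded"] and not p["disabled"] and p["start"] and p["end"])

def evaluation_seconds(policies, path):
    """Wall-clock seconds between one policy's start and finish lines."""
    p = policies[path]
    return int((p["end"] - p["start"]).total_seconds())
```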

@MarcelKemp
Member

There are a few typos that need to be corrected, but otherwise, LGTM!

  • Wazuh WUI usando FQDN -> Wazuh WUI using FQDN
  • Restart de agent -> Restart the agent
    Among other typos

And according to the last failure, after a test I was not able to replicate it (except in the case that there was no such file in the directory). But well, we will continue with the tests on the open issue:

@MarcelKemp
Member

After verifying the problem with the following comment:

I consider that as it is a mistake of the tester, it should not be considered as a failure.
I change it to known issue 🟡, although it could be considered as working correctly 🟢.

@davidjiglesias
Member Author

Agents deployment was not done using FQDN.

macOS agent deployed with an incorrect architecture, as the deployment section mentioned using ARM.

Please, correct the typos mentioned by @MarcelKemp here: #18833 (comment)

@javiersanchz
Member

Corrected typographical errors!

@davidjiglesias
Member Author

LGTM!
