Release 4.7.2 - RC 1 - E2E UX tests - Security Configuration Assessment #21046
1. Environment
🟢 Wazuh central components
Indexer, Wazuh, and Dashboard environment configuration.
[ec2-user@ip-172-31-39-226 ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.3 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.3 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
[ec2-user@ip-172-31-39-226 ~]$ uname -r
5.14.0-362.8.1.el9_3.x86_64
[ec2-user@ip-172-31-39-226 ~]$ free -g
total used free shared buff/cache available
Mem: 3 0 2 0 0 3
Swap: 0 0 0
[ec2-user@ip-172-31-39-226 ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 10G 0 disk
├─nvme0n1p1 259:1 0 1M 0 part
├─nvme0n1p2 259:2 0 200M 0 part /boot/efi
├─nvme0n1p3 259:3 0 600M 0 part /boot
└─nvme0n1p4 259:4 0 9.2G 0 part /
[ec2-user@ip-172-31-39-226 ~]$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 48 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Vendor ID: AuthenticAMD
Model name: AMD EPYC 7571
CPU family: 23
Model: 1
Thread(s) per core: 2
Core(s) per socket: 1
Socket(s): 1
Stepping: 2
BogoMIPS: 4399.99
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch topoext vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 clzero xsaveerptr arat npt nrip_save
Virtualization features:
Hypervisor vendor: KVM
Virtualization type: full
Caches (sum of all):
L1d: 32 KiB (1 instance)
L1i: 64 KiB (1 instance)
L2: 512 KiB (1 instance)
L3: 8 MiB (1 instance)
NUMA:
NUMA node(s): 1
NUMA node0 CPU(s): 0,1
Vulnerabilities:
Gather data sampling: Not affected
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Not affected
Retbleed: Mitigation; untrained return thunk; SMT vulnerable
Spec store bypass: Vulnerable
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
Srbds: Not affected
Tsx async abort: Not affected
🟢 Wazuh agent on Debian 10
admin@ip-172-31-47-212:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
admin@ip-172-31-47-212:~$ uname -a
Linux ip-172-31-47-212 6.1.0-13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
admin@ip-172-31-47-212:~$ free -g
total used free shared buff/cache available
Mem: 1 0 1 0 0 1
Swap: 0 0 0
admin@ip-172-31-47-212:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
xvda 202:0 0 8G 0 disk
├─xvda1 202:1 0 7.9G 0 part /
├─xvda14 202:14 0 3M 0 part
└─xvda15 202:15 0 124M 0 part /boot/efi
admin@ip-172-31-47-212:~$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 46 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 1
On-line CPU(s) list: 0
Vendor ID: GenuineIntel
Model name: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
CPU family: 6
Model: 79
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 1
Stepping: 1
BogoMIPS: 4600.00
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault invpcid_single pti fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt
Virtualization features:
Hypervisor vendor: Xen
Virtualization type: full
Caches (sum of all):
L1d: 32 KiB (1 instance)
L1i: 32 KiB (1 instance)
L2: 256 KiB (1 instance)
L3: 45 MiB (1 instance)
NUMA:
NUMA node(s): 1
NUMA node0 CPU(s): 0
Vulnerabilities:
Gather data sampling: Not affected
Itlb multihit: KVM: Mitigation: VMX unsupported
L1tf: Mitigation; PTE Inversion
Mds: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Meltdown: Mitigation; PTI
Mmio stale data: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Retbleed: Not affected
Spec rstack overflow: Not affected
Spec store bypass: Vulnerable
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
Srbds: Not affected
Tsx async abort: Not affected
🟢 Wazuh agent on Ubuntu 22
ubuntu@ip-172-31-46-118:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
ubuntu@ip-172-31-46-118:~$ uname -a
Linux ip-172-31-46-118 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-172-31-46-118:~$ free -g
total used free shared buff/cache available
Mem: 1 0 1 0 0 1
Swap: 0 0 0
ubuntu@ip-172-31-46-118:~$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 48 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Vendor ID: AuthenticAMD
Model name: AMD EPYC 7571
CPU family: 23
Model: 1
Thread(s) per core: 2
Core(s) per socket: 1
Socket(s): 1
Stepping: 2
BogoMIPS: 4399.98
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch topoext vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 clzero xsaveerptr arat npt nrip_save
Virtualization features:
Hypervisor vendor: KVM
Virtualization type: full
Caches (sum of all):
L1d: 32 KiB (1 instance)
L1i: 64 KiB (1 instance)
L2: 512 KiB (1 instance)
L3: 8 MiB (1 instance)
NUMA:
NUMA node(s): 1
NUMA node0 CPU(s): 0,1
Vulnerabilities:
Gather data sampling: Not affected
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Not affected
Retbleed: Mitigation; untrained return thunk; SMT vulnerable
Spec rstack overflow: Mitigation; safe RET, no microcode
Spec store bypass: Vulnerable
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
Srbds: Not affected
Tsx async abort: Not affected
🟢 Wazuh agent on macOS Ventura arm
2. Install environment
🟢 Wazuh components installation
Installation was done using quickstart
[ec2-user@ip-172-31-39-226 ~]$ curl -sO https://packages-dev.wazuh.com/4.7/wazuh-install.sh
[ec2-user@ip-172-31-39-226 ~]$ sudo bash ./wazuh-install.sh -a -i
27/12/2023 17:54:27 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.2
27/12/2023 17:54:27 INFO: Verbose logging redirected to /var/log/wazuh-install.log
27/12/2023 17:54:41 WARNING: Hardware and system checks ignored.
27/12/2023 17:54:41 INFO: Wazuh web interface port will be 443.
27/12/2023 17:54:45 INFO: Wazuh development repository added.
27/12/2023 17:54:45 INFO: --- Configuration files ---
27/12/2023 17:54:45 INFO: Generating configuration files.
27/12/2023 17:54:47 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
27/12/2023 17:54:47 INFO: --- Wazuh indexer ---
27/12/2023 17:54:47 INFO: Starting Wazuh indexer installation.
27/12/2023 17:57:11 INFO: Wazuh indexer installation finished.
27/12/2023 17:57:11 INFO: Wazuh indexer post-install configuration finished.
27/12/2023 17:57:11 INFO: Starting service wazuh-indexer.
27/12/2023 17:57:34 INFO: wazuh-indexer service started.
27/12/2023 17:57:34 INFO: Initializing Wazuh indexer cluster security settings.
27/12/2023 17:57:45 INFO: Wazuh indexer cluster initialized.
27/12/2023 17:57:45 INFO: --- Wazuh server ---
27/12/2023 17:57:45 INFO: Starting the Wazuh manager installation.
27/12/2023 17:59:03 INFO: Wazuh manager installation finished.
27/12/2023 17:59:03 INFO: Starting service wazuh-manager.
27/12/2023 17:59:24 INFO: wazuh-manager service started.
27/12/2023 17:59:24 INFO: Starting Filebeat installation.
27/12/2023 17:59:35 INFO: Filebeat installation finished.
27/12/2023 17:59:36 INFO: Filebeat post-install configuration finished.
27/12/2023 17:59:36 INFO: Starting service filebeat.
27/12/2023 17:59:37 INFO: filebeat service started.
27/12/2023 17:59:37 INFO: --- Wazuh dashboard ---
27/12/2023 17:59:37 INFO: Starting Wazuh dashboard installation.
27/12/2023 18:02:40 INFO: Wazuh dashboard installation finished.
27/12/2023 18:02:40 INFO: Wazuh dashboard post-install configuration finished.
27/12/2023 18:02:40 INFO: Starting service wazuh-dashboard.
27/12/2023 18:02:41 INFO: wazuh-dashboard service started.
27/12/2023 18:03:25 INFO: Initializing Wazuh dashboard web application.
27/12/2023 18:03:26 INFO: Wazuh dashboard web application initialized.
27/12/2023 18:03:26 INFO: --- Summary ---
27/12/2023 18:03:26 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
User: admin
Password: Xw0Be****************
27/12/2023 18:03:26 INFO: Installation finished.
🟢 Wazuh agent installation on Debian 12
To install the agent, the Deploying Wazuh agents on Linux endpoints documentation was used
root@ip-172-31-47-212:/home/admin# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@ip-172-31-47-212:/home/admin# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
root@ip-172-31-47-212:/home/admin# apt-get update
Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [38 B]
Get:5 file:/etc/apt/mirrors/debian-security.list Mirrorlist [47 B]
Hit:2 https://cdn-aws.deb.debian.org/debian bookworm InRelease
Hit:3 https://cdn-aws.deb.debian.org/debian bookworm-updates InRelease
Hit:4 https://cdn-aws.deb.debian.org/debian bookworm-backports InRelease
Hit:6 https://cdn-aws.deb.debian.org/debian-security bookworm-security InRelease
Hit:7 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease
Reading package lists... Done
root@ip-172-31-47-212:/home/admin# WAZUH_MANAGER="172.31.39.226" apt-get install wazuh-agent=4.7.2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 9379 kB of archives.
After this operation, 31.5 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.7.2-1 [9379 kB]
Fetched 9379 kB in 1s (9953 kB/s)
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 31636 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.2-1_amd64.deb ...
Unpacking wazuh-agent (4.7.2-1) ...
Setting up wazuh-agent (4.7.2-1) ..
root@ip-172-31-47-212:/home/admin# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
root@ip-172-31-47-212:/home/admin# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; preset: enabled)
Active: active (running) since Thu 2023-12-28 13:17:11 UTC; 9s ago
Process: 15152 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 28 (limit: 2349)
Memory: 28.5M
CPU: 2.325s
CGroup: /system.slice/wazuh-agent.service
├─15175 /var/ossec/bin/wazuh-execd
├─15186 /var/ossec/bin/wazuh-agentd
├─15199 /var/ossec/bin/wazuh-syscheckd
├─15212 /var/ossec/bin/wazuh-logcollector
└─15229 /var/ossec/bin/wazuh-modulesd
Dec 28 13:17:04 ip-172-31-47-212 systemd[1]: Starting wazuh-agent.service - Wazuh agent...
Dec 28 13:17:04 ip-172-31-47-212 env[15152]: Starting Wazuh v4.7.2...
Dec 28 13:17:05 ip-172-31-47-212 env[15152]: Started wazuh-execd...
Dec 28 13:17:06 ip-172-31-47-212 env[15152]: Started wazuh-agentd...
Dec 28 13:17:07 ip-172-31-47-212 env[15152]: Started wazuh-syscheckd...
Dec 28 13:17:08 ip-172-31-47-212 env[15152]: Started wazuh-logcollector...
Dec 28 13:17:09 ip-172-31-47-212 env[15152]: Started wazuh-modulesd...
Dec 28 13:17:11 ip-172-31-47-212 env[15152]: Completed.
Dec 28 13:17:11 ip-172-31-47-212 systemd[1]: Started wazuh-agent.service - Wazuh agent.
🟢 Wazuh agent installation on Ubuntu 22
root@ip-172-31-46-118:/home/ubuntu# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@ip-172-31-46-118:/home/ubuntu# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt unstable main
root@ip-172-31-46-118:/home/ubuntu# apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [36.6 kB]
Fetched 283 kB in 1s (205 kB/s)
Reading package lists... Done
root@ip-172-31-46-118:/home/ubuntu# WAZUH_MANAGER="172.31.39.226" apt-get install wazuh-agent=4.7.2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
Need to get 9379 kB of archives.
After this operation, 31.5 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.7.2-1 [9379 kB]
Fetched 9379 kB in 1s (10.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 64799 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.2-1_amd64.deb ...
Unpacking wazuh-agent (4.7.2-1) ...
Setting up wazuh-agent (4.7.2-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
Restarting services...
systemctl restart acpid.service chrony.service cron.service irqbalance.service multipathd.service packagekit.service polkit.service rsyslog.service serial-getty@ttyS0.service snapd.service ssh.service systemd-journald.service systemd-networkd.service systemd-resolved.service systemd-udevd.service
Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service
systemctl restart getty@tty1.service
systemctl restart networkd-dispatcher.service
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ip-172-31-46-118:/home/ubuntu# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.
root@ip-172-31-46-118:/home/ubuntu# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-12-28 13:22:05 UTC; 11s ago
Process: 7353 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 29 (limit: 2294)
Memory: 15.2M
CPU: 3.500s
CGroup: /system.slice/wazuh-agent.service
├─7375 /var/ossec/bin/wazuh-execd
├─7386 /var/ossec/bin/wazuh-agentd
├─7399 /var/ossec/bin/wazuh-syscheckd
├─7412 /var/ossec/bin/wazuh-logcollector
└─7429 /var/ossec/bin/wazuh-modulesd
Dec 28 13:21:57 ip-172-31-46-118 systemd[1]: Starting Wazuh agent...
Dec 28 13:21:58 ip-172-31-46-118 env[7353]: Starting Wazuh v4.7.2...
Dec 28 13:21:59 ip-172-31-46-118 env[7353]: Started wazuh-execd...
Dec 28 13:22:00 ip-172-31-46-118 env[7353]: Started wazuh-agentd...
Dec 28 13:22:01 ip-172-31-46-118 env[7353]: Started wazuh-syscheckd...
Dec 28 13:22:02 ip-172-31-46-118 env[7353]: Started wazuh-logcollector...
Dec 28 13:22:03 ip-172-31-46-118 env[7353]: Started wazuh-modulesd...
Dec 28 13:22:05 ip-172-31-46-118 env[7353]: Completed.
Dec 28 13:22:05 ip-172-31-46-118 systemd[1]: Started Wazuh agent.
🟢 Wazuh agent installation on Windows server 2016
PS C:\Users\Administrator\Downloads> wget -O wazuh-agent-4.7.2-1.msi https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.7.2-1.msi
StatusCode : 200
StatusDescription : OK
Content : {208, 207, 17, 224...}
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
x-amz-server-side-encryption: AES256
X-Cache: RefreshHit from cloudfront
X-Amz-Cf-Pop: IAD79-C1
X-Amz-Cf-Id: Y8AKt3-y3fOiN_39MeFue1g4KkoaW57YiJq_5pfobqrIakZ...
Headers : {[Connection, keep-alive], [x-amz-server-side-encryption, AES256], [X-Cache, RefreshHit from
cloudfront], [X-Amz-Cf-Pop, IAD79-C1]...}
RawContentLength : 6524928
PS C:\Users\Administrator\Downloads> .\wazuh-agent-4.7.2-1.msi /q WAZUH_MANAGER="172.31.39.226"
PS C:\Users\Administrator\Downloads> net start wazuh
The Wazuh service is starting.
The Wazuh service was started successfully.
🟢 Wazuh agent installation on macOS Sonoma arm
3. Check 1: Check that their respective SCA policies are applied properly
4. Check 2: Use and activate a custom policy for any of them
🟢 Wazuh agent on Debian 12
root@ip-172-31-47-212:/home/admin# cat /home/admin/sca_test
one line
Expected line
third line
root@ip-172-31-47-212:/home/admin#
root@ip-172-31-47-212:/home/admin# cat /var/ossec/ruleset/sca/custom_policy.yml
policy:
id: "custom_policy"
file: "custom_policy.yml"
name: "Custom policy for SCA test."
description: "Review whether SCA is working as expected"
checks:
- id: 20000
title: "File should contain expected line"
description: "Check that sca_test contains specific line"
condition: all
rules:
- 'f:/home/admin/sca_test -> Expected line'
root@ip-172-31-10-208:/home/admin#
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
root@ip-172-31-47-212:/home/admin#
root@ip-172-31-47-212:/home/admin# cat /home/admin/sca_test
one line
third line
root@ip-172-31-10-208:/home/admin#
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
root@ip-172-31-47-212:/home/admin#
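To make explicit what the two scans in Check 2 exercise, here is an added example (not Wazuh's evaluator, which lives in wazuh-modulesd, and not code from this test run): a small re-implementation of the subset of SCA rule syntax used on this page (`f:<path>`, `f:<path> -> <pattern>`, `d:<path>`, an optional `not` prefix, and the `all`/`any`/`none` conditions). It builds a constructed copy of the policy under a temporary directory, evaluates it with "Expected line" present, removes the line and evaluates again. Whole-line literal matching, `r:` as a Python regex, and the extra telnet check (id 20002) are assumptions made for the example.

```python
import os
import re
import tempfile

# Added example: simplified SCA rule evaluation. Assumptions: literal
# patterns after '->' must equal a whole line, 'r:' patterns are Python
# regexes, and only f:/d: rule kinds are supported.
RULE_RE = re.compile(r"^(not\s+)?([fd]):(.+?)(?:\s*->\s*(.+))?$")


def _file_has_line(path, pattern):
    """True if any line of `path` satisfies `pattern`."""
    if pattern.startswith("r:"):
        regex = re.compile(pattern[2:])

        def matches(line):
            return regex.search(line) is not None
    else:
        def matches(line):
            return line == pattern
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any(matches(line.rstrip("\r\n")) for line in fh)


def evaluate_rule(rule):
    """Evaluate one rule string to True/False."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    negate, kind, target, pattern = m.groups()
    target = target.strip()
    if kind == "d":
        result = os.path.isdir(target)
    elif pattern is None:
        result = os.path.isfile(target)
    else:
        result = os.path.isfile(target) and _file_has_line(target, pattern)
    return (not result) if negate else result


def evaluate_check(check):
    """Combine the rule results of a check according to its condition."""
    outcomes = [evaluate_rule(r) for r in check["rules"]]
    condition = check.get("condition", "all")
    if condition == "all":
        ok = all(outcomes)
    elif condition == "any":
        ok = any(outcomes)
    elif condition == "none":
        ok = not any(outcomes)
    else:
        raise ValueError(f"unknown condition: {condition!r}")
    return "passed" if ok else "failed"


def evaluate_policy(policy):
    """Map every check id in the policy to 'passed' or 'failed'."""
    return {check["id"]: evaluate_check(check) for check in policy["checks"]}


def build_policy(root):
    """Constructed policy (the dict yaml.safe_load would return), rooted under `root`."""
    return {
        "policy": {"id": "custom_policy", "file": "custom_policy.yml",
                   "name": "Custom policy for SCA test.",
                   "description": "Review whether SCA is working as expected"},
        "checks": [
            {"id": 20000, "title": "File should contain expected line",
             "condition": "all",
             "rules": [f"f:{root}/home/admin/sca_test -> Expected line"]},
            {"id": 20001, "title": "Linux endpoint should have Wazuh installed",
             "condition": "all",
             "rules": [f"d:{root}/var/ossec"]},
            {"id": 20002, "title": "No telnet entry in services (hypothetical check)",
             "condition": "none",
             "rules": [f"f:{root}/etc/services -> r:^telnet\\s"]},
        ],
    }


def run_demo():
    """Scan twice: with 'Expected line' present, then with it removed (as in Check 2)."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("home/admin", "var/ossec", "etc"):
            os.makedirs(os.path.join(root, sub))
        sca_test = os.path.join(root, "home/admin/sca_test")
        with open(os.path.join(root, "etc/services"), "w") as fh:
            fh.write("ssh 22/tcp\ntelnet 23/tcp\n")  # constructed sample
        with open(sca_test, "w") as fh:
            fh.write("one line\nExpected line\nthird line\n")
        policy = build_policy(root)
        first = evaluate_policy(policy)
        with open(sca_test, "w") as fh:
            fh.write("one line\nthird line\n")  # expected line removed
        second = evaluate_policy(policy)
    return first, second


if __name__ == "__main__":
    before, after = run_demo()
    print("first scan: ", before)
    print("second scan:", after)
```

Check 20000 flips from passed to failed between the two scans, which is the transition the agent restart on the page is meant to surface in the dashboard; the `d:` rule is the same form the shared policies in Check 4 use.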
5. Check 3: Disable a used policy and confirm it is not used anymore
🟢 Wazuh agent on Debian 12
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
root@ip-172-31-47-212:/home/admin#
root@ip-172-31-47-212:/home/admin# tail -20 /var/ossec/logs/ossec.log
2023/12/28 15:28:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2023/12/28 15:28:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2023/12/28 15:28:44 wazuh-logcollector: INFO: Started (pid: 18628).
2023/12/28 15:28:45 wazuh-modulesd: INFO: Started (pid: 18645).
2023/12/28 15:28:45 wazuh-modulesd:control: INFO: Starting control thread.
2023/12/28 15:28:45 sca: INFO: Module started.
2023/12/28 15:28:45 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:45 sca: INFO: Policy '/var/ossec/ruleset/sca/custom_policy.yml' disabled by configuration.
2023/12/28 15:28:45 sca: INFO: Starting Security Configuration Assessment scan.
2023/12/28 15:28:45 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/12/28 15:28:45 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/12/28 15:28:45 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/12/28 15:28:45 wazuh-modulesd:syscollector: INFO: Module started.
2023/12/28 15:28:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/12/28 15:28:45 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:45 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/12/28 15:28:47 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2023/12/28 15:28:47 wazuh-syscheckd: INFO: FIM sync module started.
2023/12/28 15:28:52 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:52 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
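The log excerpt above is the evidence for Check 3: the disabled policy is reported as "disabled by configuration" and only cis_debian12 is loaded and evaluated. As an added example (not part of the original report or of Wazuh), the following parser turns such `sca:` lines into a per-policy summary and audits it against the expected enabled/disabled sets, flagging a policy that is still loaded, one that never finished evaluating, or a scan with no "scan finished" line. The sample log is constructed from the lines shown on this page.

```python
import re

# Constructed sample modelled on the ossec.log excerpt above (added example).
SAMPLE_LOG = """\
2023/12/28 15:28:45 wazuh-modulesd: INFO: Started (pid: 18645).
2023/12/28 15:28:45 sca: INFO: Module started.
2023/12/28 15:28:45 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:45 sca: INFO: Policy '/var/ossec/ruleset/sca/custom_policy.yml' disabled by configuration.
2023/12/28 15:28:45 sca: INFO: Starting Security Configuration Assessment scan.
2023/12/28 15:28:45 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/12/28 15:28:45 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:52 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:52 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
"""

# Only lines emitted by the sca module are of interest; other modules share ossec.log.
SCA_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) sca: (?P<level>\w+): (?P<msg>.*)$")
EVENTS = {
    "loaded": re.compile(r"^Loaded policy '(?P<path>[^']+)'"),
    "disabled": re.compile(r"^Policy '(?P<path>[^']+)' disabled by configuration\."),
    "evaluated": re.compile(r"^Evaluation finished for policy '(?P<path>[^']+)'"),
}
DURATION_RE = re.compile(
    r"^Security Configuration Assessment scan finished\. Duration: (?P<secs>\d+) seconds?\.")


def parse_sca_log(text):
    """Collect per-policy state, scan duration and sca warnings/errors."""
    summary = {"loaded": [], "disabled": [], "evaluated": [],
               "duration": None, "errors": []}
    for raw in text.splitlines():
        m = SCA_LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("level") in ("WARNING", "ERROR"):
            summary["errors"].append(msg)
            continue
        for key, pattern in EVENTS.items():
            hit = pattern.match(msg)
            if hit:
                summary[key].append(hit.group("path"))
                break
        else:
            d = DURATION_RE.match(msg)
            if d:
                summary["duration"] = int(d.group("secs"))
    return summary


def audit_policies(summary, expected_enabled, expected_disabled):
    """Return a list of findings; an empty list means the log matches expectations."""
    findings = []
    for path in expected_disabled:
        if path in summary["loaded"] or path in summary["evaluated"]:
            findings.append(f"{path}: expected disabled but was loaded/evaluated")
        elif path not in summary["disabled"]:
            findings.append(f"{path}: no 'disabled by configuration' line seen")
    for path in expected_enabled:
        if path not in summary["loaded"]:
            findings.append(f"{path}: expected enabled but never loaded")
        elif path not in summary["evaluated"]:
            findings.append(f"{path}: loaded but no evaluation finished")
    if summary["duration"] is None:
        findings.append("no 'scan finished' line: scan did not complete")
    findings.extend(f"sca reported: {err}" for err in summary["errors"])
    return findings


if __name__ == "__main__":
    state = parse_sca_log(SAMPLE_LOG)
    print(audit_policies(state,
                         ["/var/ossec/ruleset/sca/cis_debian12.yml"],
                         ["/var/ossec/ruleset/sca/custom_policy.yml"]))
```

Run against a real agent with `parse_sca_log(open("/var/ossec/logs/ossec.log").read())` after the restart; because the module logs the same "Loaded policy" lines on every start, restrict the input to the lines after the latest "Module started." if the log spans several restarts.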
6. Check 4: Push SCA config through centralized config and check it applies properly
🟢 Shared SCA Setup on Wazuh manager
[root@indexer-ip-172-31-39-226 default]# cat /var/ossec/etc/shared/default/linux_shared_custom_policy.yml
policy:
id: "shared_custom_policy"
file: "shared_custom_policy.yml"
name: "Custom shared policy for centralized SCA test."
description: "Review whether shared policy for SCA is working as expected"
checks:
- id: 20000
title: "Linux endpoint should have Wazuh installed"
description: "Check that the Linux endpoint contains the Wazuh installation directory"
condition: all
rules:
- 'd:/var/ossec'
[root@indexer-ip-172-31-39-226 default]# cat /var/ossec/etc/shared/default/windows_shared_custom_policy.yml
policy:
id: "shared_custom_policy"
file: "shared_custom_policy.yml"
name: "Custom shared policy for centralized SCA test."
description: "Review whether shared policy for SCA is working as expected"
checks:
- id: 20001
title: "Windows endpoint should have Wazuh installed"
description: "Check that the Windows endpoint contains the Wazuh installation directory"
condition: all
rules:
- 'd:C:\Program Files (x86)\ossec-agent\'
[root@indexer-ip-172-31-39-226 default]# systemctl restart wazuh-manager
🟢 Wazuh agent on Debian 12
root@ip-172-31-47-212:/home/admin# echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
- Restarted the agent to apply changes
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
🟢 Wazuh agent on Ubuntu 22
root@ip-172-31-46-118:/home/ubuntu# echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
- Restarted the agent to apply changes
root@ip-172-31-46-118:/home/ubuntu# systemctl start wazuh-agent
🟢 Wazuh agent on Windows server 2016
PS C:\Users\Administrator> Restart-Service -Name wazuh
PS C:\Users\Administrator>
Checking the file structure shows that the shared files are in <OSSECDIR>/etc/shared as suggested by the documentation; it is found in <OSSECDIR>/shared
[root@indexer-ip-172-31-39-226 default]# systemctl restart wazuh-manager
[root@indexer-ip-172-31-39-226 default]#
🟢 Wazuh agent on macOS Sonoma arm
Below we can see that the SCA is applied and failed as expected.
LGTM!
GJ!
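Policies dropped into the manager's shared directory are distributed to every agent in the group, so it pays to lint them before the restart that pushes them. The following is an added example (not Wazuh's own validation and not code from this test) that checks the structure a policy needs, flags duplicated check ids and unknown rule kinds, and calls out `c:` command rules, which on agents depend on the `sca.remote_commands` internal option that this test sets to 1. Run over dict copies of the two shared policies above, it reports what a reader can see by eye: both declare `file: "shared_custom_policy.yml"` although they are saved under different names, and both reuse the policy id `shared_custom_policy`. Whether Wazuh tolerates that is not established by this page; the linter only surfaces it for review. The policies are passed as the dicts `yaml.safe_load()` would produce, so PyYAML is not needed.

```python
import re

# Added example: pre-push linter for SCA policies destined for
# /var/ossec/etc/shared/<group>/. The known rule kinds are the SCA prefixes
# f: (file), d: (directory), p: (process), c: (command) and r: (registry).
RULE_KIND_RE = re.compile(r"^(?:not\s+)?([a-z]):")
KNOWN_KINDS = {"f", "d", "p", "c", "r"}
REQUIRED_POLICY_KEYS = ("id", "file", "name", "description")
REQUIRED_CHECK_KEYS = ("id", "title", "description", "condition", "rules")
CONDITIONS = {"all", "any", "none"}


def lint_policy(doc, filename):
    """Return a list of problems for one policy document saved as `filename`."""
    problems = []
    policy = doc.get("policy") or {}
    for key in REQUIRED_POLICY_KEYS:
        if key not in policy:
            problems.append(f"{filename}: policy.{key} missing")
    if policy.get("file") and policy["file"] != filename:
        problems.append(f"{filename}: policy.file is '{policy['file']}', not the file name")
    seen_ids = set()
    for check in doc.get("checks") or []:
        cid = check.get("id", "?")
        for key in REQUIRED_CHECK_KEYS:
            if key not in check:
                problems.append(f"{filename}: check {cid}: '{key}' missing")
        if cid in seen_ids:
            problems.append(f"{filename}: check id {cid} duplicated")
        seen_ids.add(cid)
        if check.get("condition") not in CONDITIONS:
            problems.append(f"{filename}: check {cid}: condition must be one of {sorted(CONDITIONS)}")
        for rule in check.get("rules") or []:
            m = RULE_KIND_RE.match(str(rule))
            if not m or m.group(1) not in KNOWN_KINDS:
                problems.append(f"{filename}: check {cid}: unrecognised rule {rule!r}")
            elif m.group(1) == "c":
                # Command rules execute on the endpoint; for policies pushed from
                # the manager they require sca.remote_commands=1 on the agent.
                problems.append(f"{filename}: check {cid}: command rule needs sca.remote_commands=1 on the agent")
    return problems


def lint_shared_policies(files):
    """Lint every {filename: doc} entry and flag a policy id reused across files."""
    problems = []
    owners = {}
    for filename, doc in files.items():
        problems.extend(lint_policy(doc, filename))
        pid = (doc.get("policy") or {}).get("id")
        if pid in owners:
            problems.append(f"policy id '{pid}' used by both {owners[pid]} and {filename}")
        elif pid:
            owners[pid] = filename
    return problems


# Dict copies of the two shared policies shown above (constructed for the example).
LINUX_SHARED = {
    "policy": {"id": "shared_custom_policy", "file": "shared_custom_policy.yml",
               "name": "Custom shared policy for centralized SCA test.",
               "description": "Review whether shared policy for SCA is working as expected"},
    "checks": [{"id": 20000, "title": "Linux endpoint should have Wazuh installed",
                "description": "Check that the Linux endpoint contains the Wazuh installation directory",
                "condition": "all", "rules": ["d:/var/ossec"]}],
}
WINDOWS_SHARED = {
    "policy": dict(LINUX_SHARED["policy"]),
    "checks": [{"id": 20001, "title": "Windows endpoint should have Wazuh installed",
                "description": "Check that the Windows endpoint contains the Wazuh installation directory",
                "condition": "all", "rules": ["d:C:\\Program Files (x86)\\ossec-agent\\"]}],
}


def lint_page_policies():
    """Lint the two shared policies under the file names used on this page."""
    return lint_shared_policies({"linux_shared_custom_policy.yml": LINUX_SHARED,
                                 "windows_shared_custom_policy.yml": WINDOWS_SHARED})


if __name__ == "__main__":
    for problem in lint_page_policies():
        print(problem)
```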
End-to-End (E2E) Testing Guideline
Test Requirements: Please make sure your test comprehensively includes a full stack and agent/s deployment according to the Deployment requirements, detailing the machine OS, installed version, and revision.
Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
Objective: Release testing/publication. Priority: Very high. Communicate these to the team and QA via the c-release Slack channel.
For the conclusions and the issue testing and updates, use the following legend:
Status legend
Issue delivery and completion: set the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Dec 28, 2023 (the issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
Deployment requirements
Test description
For the selected Wazuh Agent OS:
Known issues
Conclusions
Summarize the errors detected (Known Issues included). Illustrate using the table below.
Feedback
We value your feedback. Please provide insights on your testing experience.
Reviewers validation
The criteria for completing this task are based on all reviewers' validation of the conclusions and test results.
All the checkboxes below must be marked to close this issue.