
Release 4.7.2 - RC 1 - E2E UX tests - Security Configuration Assessment #21046

Closed
1 of 2 tasks
davidjiglesias opened this issue Dec 22, 2023 · 8 comments

Comments

@davidjiglesias
Member

davidjiglesias commented Dec 22, 2023

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful, because some of the description steps might refer to the current version in production; always navigate using the current development documentation for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and URLs for the correct testing of the development packages.
  • Test Requirements: Please make sure your test comprehensively includes a full stack and agent/s deployment according to the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate at least one end-to-end alert, irrespective of test type, from the agent to the dashboard.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: You can just familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), and add the Release testing/publication objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests; here you have an example: Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/security-warriors team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok; otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Dec 27, 2023 and notify the @wazuh/security-warriors team via Slack using the c-release channel
  • Review: The @wazuh/security-warriors team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Dec 28, 2023 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Dec 29, 2023.

Deployment requirements

| Component | Installation Type | OS |
|-----------|-------------------|----|
| Indexer | Quickstart | RHEL 9 x86_64 |
| Server | Quickstart | RHEL 9 x86_64 |
| Dashboard | Quickstart | RHEL 9 x86_64 |
| Agent | Installing Wazuh agents | Windows server 2016 x86_64, Debian 12 x86_64, Ubuntu 22.04 x86_64, macOS Sonoma arm |

Test description

For the selected Wazuh Agent OS:

  • Check that their respective SCA policies are applied properly
  • Use and activate a custom policy for any of them
  • Disable a used policy and confirm it is not used anymore
  • Push SCA config through the centralized config and check it applies properly

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below.

| Status | Test | Failure type | Notes |
|--------|------|--------------|-------|
| 🟢 | Deploy Wazuh components | | |
| 🟢 | Wazuh agent installation on Debian 10 | | |
| 🟢 | Wazuh agent installation on Ubuntu 22 | | |
| 🟢 | Wazuh agent installation on Windows Server 2016 | | |
| 🟢 | Wazuh agent installation on macOS | | |
| 🟢 | Check that their respective SCA policies are applied properly | | Works fine for all the endpoints |
| 🟢 | Use and activate a custom policy for any of them | | |
| 🟢 | Disable a used policy and confirm it is not used anymore | | |
| 🟡 | Push SCA config through the centralized config and check it applies properly | #6896 | Worked for Linux and macOS endpoints, but the suggested central configuration for Windows 2016 needs an adjustment to work because the shared folder is not found in <OSSECDIR>/etc/shared as suggested by the documentation; it is found in <OSSECDIR>/shared |

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • the deployment component table is ambiguous and suggests a multi-node installation. The table has entries for each central component (indexer, server, and dashboard) but indicates following the Quickstart installation that installs all the components in the same instance. Having only one table entry for all the central components or referring to an AIO deployment will be better.
  • Did you face any challenges not covered by the guideline?
    • There's no suggestion on how to execute the test description using the Wazuh documentation. I've followed a previous e2e to learn how to execute the required tests.
  • Suggestions for improvement:
    • I've made some modifications to the issue description. Mostly English language corrections.

Reviewers validation

The criteria for completing this task are based on all reviewers' validation of the conclusions and test results.

All the checkboxes below must be marked to close this issue.

@mhamra
Contributor

mhamra commented Dec 27, 2023

1. Environment

🟢 Wazuh central components

Indexer, Wazuh, and Dashboard environment configuration.

[ec2-user@ip-172-31-39-226 ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.3 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.3 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
[ec2-user@ip-172-31-39-226 ~]$ uname -r
5.14.0-362.8.1.el9_3.x86_64
[ec2-user@ip-172-31-39-226 ~]$ free -g
               total        used        free      shared  buff/cache   available
Mem:               3           0           2           0           0           3
Swap:              0           0           0
[ec2-user@ip-172-31-39-226 ~]$ lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
nvme0n1     259:0    0   10G  0 disk
├─nvme0n1p1 259:1    0    1M  0 part
├─nvme0n1p2 259:2    0  200M  0 part /boot/efi
├─nvme0n1p3 259:3    0  600M  0 part /boot
└─nvme0n1p4 259:4    0  9.2G  0 part /
[ec2-user@ip-172-31-39-226 ~]$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         48 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  2
  On-line CPU(s) list:   0,1
Vendor ID:               AuthenticAMD
  Model name:            AMD EPYC 7571
    CPU family:          23
    Model:               1
    Thread(s) per core:  2
    Core(s) per socket:  1
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            4399.99
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc
                          cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnow
                         prefetch topoext vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 clzero xsaveerptr arat npt nrip_save
Virtualization features:
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):
  L1d:                   32 KiB (1 instance)
  L1i:                   64 KiB (1 instance)
  L2:                    512 KiB (1 instance)
  L3:                    8 MiB (1 instance)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0,1
Vulnerabilities:
  Gather data sampling:  Not affected
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Mitigation; untrained return thunk; SMT vulnerable
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Not affected
  Tsx async abort:       Not affected
🟢 Wazuh agent on Debian 10
admin@ip-172-31-47-212:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
admin@ip-172-31-47-212:~$ uname -a
Linux ip-172-31-47-212 6.1.0-13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
admin@ip-172-31-47-212:~$ free -g
               total        used        free      shared  buff/cache   available
Mem:               1           0           1           0           0           1
Swap:              0           0           0
admin@ip-172-31-47-212:~$ lsblk
NAME     MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
xvda     202:0    0    8G  0 disk
├─xvda1  202:1    0  7.9G  0 part /
├─xvda14 202:14   0    3M  0 part
└─xvda15 202:15   0  124M  0 part /boot/efi
admin@ip-172-31-47-212:~$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         46 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  1
  On-line CPU(s) list:   0
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
    CPU family:          6
    Model:               79
    Thread(s) per core:  1
    Core(s) per socket:  1
    Socket(s):           1
    Stepping:            1
    BogoMIPS:            4600.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni
                         pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault invpcid_single pti fsgsbase bmi1 avx2 sm
                         ep bmi2 erms invpcid xsaveopt
Virtualization features:
  Hypervisor vendor:     Xen
  Virtualization type:   full
Caches (sum of all):
  L1d:                   32 KiB (1 instance)
  L1i:                   32 KiB (1 instance)
  L2:                    256 KiB (1 instance)
  L3:                    45 MiB (1 instance)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0
Vulnerabilities:
  Gather data sampling:  Not affected
  Itlb multihit:         KVM: Mitigation: VMX unsupported
  L1tf:                  Mitigation; PTE Inversion
  Mds:                   Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
  Retbleed:              Not affected
  Spec rstack overflow:  Not affected
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Not affected
  Tsx async abort:       Not affected
🟢 Wazuh agent on Ubuntu 22
ubuntu@ip-172-31-46-118:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
ubuntu@ip-172-31-46-118:~$ uname -a
Linux ip-172-31-46-118 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-172-31-46-118:~$ free -g
               total        used        free      shared  buff/cache   available
Mem:               1           0           1           0           0           1
Swap:              0           0           0
ubuntu@ip-172-31-46-118:~$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         48 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  2
  On-line CPU(s) list:   0,1
Vendor ID:               AuthenticAMD
  Model name:            AMD EPYC 7571
    CPU family:          23
    Model:               1
    Thread(s) per core:  2
    Core(s) per socket:  1
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            4399.98
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc
                          cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnow
                         prefetch topoext vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 clzero xsaveerptr arat npt nrip_save
Virtualization features:
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):
  L1d:                   32 KiB (1 instance)
  L1i:                   64 KiB (1 instance)
  L2:                    512 KiB (1 instance)
  L3:                    8 MiB (1 instance)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0,1
Vulnerabilities:
  Gather data sampling:  Not affected
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Mitigation; untrained return thunk; SMT vulnerable
  Spec rstack overflow:  Mitigation; safe RET, no microcode
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Not affected
  Tsx async abort:       Not affected
🟢 Wazuh agent on Windows server 2016

image

🟢 Wazuh agent on macOS Ventura arm
ec2-user@ip-172-31-42-65 ~ % system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: macOS 14.1.2 (23B92)
      Kernel Version: Darwin 23.1.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      User Name: ec2-user (ec2-user)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 3 hours, 2 minutes

ec2-user@ip-172-31-42-65 ~ %

@mhamra
Contributor

mhamra commented Dec 27, 2023

2. Install environment

🟢 Wazuh components installation

Installation was done using quickstart

[ec2-user@ip-172-31-39-226 ~]$ curl -sO https://packages-dev.wazuh.com/4.7/wazuh-install.sh
[ec2-user@ip-172-31-39-226 ~]$ sudo bash ./wazuh-install.sh -a -i
27/12/2023 17:54:27 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.2
27/12/2023 17:54:27 INFO: Verbose logging redirected to /var/log/wazuh-install.log
27/12/2023 17:54:41 WARNING: Hardware and system checks ignored.
27/12/2023 17:54:41 INFO: Wazuh web interface port will be 443.
27/12/2023 17:54:45 INFO: Wazuh development repository added.
27/12/2023 17:54:45 INFO: --- Configuration files ---
27/12/2023 17:54:45 INFO: Generating configuration files.
27/12/2023 17:54:47 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
27/12/2023 17:54:47 INFO: --- Wazuh indexer ---
27/12/2023 17:54:47 INFO: Starting Wazuh indexer installation.
27/12/2023 17:57:11 INFO: Wazuh indexer installation finished.
27/12/2023 17:57:11 INFO: Wazuh indexer post-install configuration finished.
27/12/2023 17:57:11 INFO: Starting service wazuh-indexer.
27/12/2023 17:57:34 INFO: wazuh-indexer service started.
27/12/2023 17:57:34 INFO: Initializing Wazuh indexer cluster security settings.
27/12/2023 17:57:45 INFO: Wazuh indexer cluster initialized.
27/12/2023 17:57:45 INFO: --- Wazuh server ---
27/12/2023 17:57:45 INFO: Starting the Wazuh manager installation.
27/12/2023 17:59:03 INFO: Wazuh manager installation finished.
27/12/2023 17:59:03 INFO: Starting service wazuh-manager.
27/12/2023 17:59:24 INFO: wazuh-manager service started.
27/12/2023 17:59:24 INFO: Starting Filebeat installation.
27/12/2023 17:59:35 INFO: Filebeat installation finished.
27/12/2023 17:59:36 INFO: Filebeat post-install configuration finished.
27/12/2023 17:59:36 INFO: Starting service filebeat.
27/12/2023 17:59:37 INFO: filebeat service started.
27/12/2023 17:59:37 INFO: --- Wazuh dashboard ---
27/12/2023 17:59:37 INFO: Starting Wazuh dashboard installation.
27/12/2023 18:02:40 INFO: Wazuh dashboard installation finished.
27/12/2023 18:02:40 INFO: Wazuh dashboard post-install configuration finished.
27/12/2023 18:02:40 INFO: Starting service wazuh-dashboard.
27/12/2023 18:02:41 INFO: wazuh-dashboard service started.
27/12/2023 18:03:25 INFO: Initializing Wazuh dashboard web application.
27/12/2023 18:03:26 INFO: Wazuh dashboard web application initialized.
27/12/2023 18:03:26 INFO: --- Summary ---
27/12/2023 18:03:26 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: Xw0Be****************
27/12/2023 18:03:26 INFO: Installation finished.

image

🟢 Wazuh agent installation on Debian 12

To install the agent, the Deploying Wazuh agents on Linux endpoints documentation was used

root@ip-172-31-47-212:/home/admin# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

root@ip-172-31-47-212:/home/admin# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list

root@ip-172-31-47-212:/home/admin# apt-get update
Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [38 B]
Get:5 file:/etc/apt/mirrors/debian-security.list Mirrorlist [47 B]
Hit:2 https://cdn-aws.deb.debian.org/debian bookworm InRelease
Hit:3 https://cdn-aws.deb.debian.org/debian bookworm-updates InRelease
Hit:4 https://cdn-aws.deb.debian.org/debian bookworm-backports InRelease
Hit:6 https://cdn-aws.deb.debian.org/debian-security bookworm-security InRelease
Hit:7 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease
Reading package lists... Done

root@ip-172-31-47-212:/home/admin# WAZUH_MANAGER="172.31.39.226" apt-get install wazuh-agent=4.7.2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 9379 kB of archives.
After this operation, 31.5 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.7.2-1 [9379 kB]
Fetched 9379 kB in 1s (9953 kB/s)
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 31636 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.2-1_amd64.deb ...
Unpacking wazuh-agent (4.7.2-1) ...
Setting up wazuh-agent (4.7.2-1) ..

root@ip-172-31-47-212:/home/admin# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
root@ip-172-31-47-212:/home/admin# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-12-28 13:17:11 UTC; 9s ago
    Process: 15152 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 28 (limit: 2349)
     Memory: 28.5M
        CPU: 2.325s
     CGroup: /system.slice/wazuh-agent.service
             ├─15175 /var/ossec/bin/wazuh-execd
             ├─15186 /var/ossec/bin/wazuh-agentd
             ├─15199 /var/ossec/bin/wazuh-syscheckd
             ├─15212 /var/ossec/bin/wazuh-logcollector
             └─15229 /var/ossec/bin/wazuh-modulesd

Dec 28 13:17:04 ip-172-31-47-212 systemd[1]: Starting wazuh-agent.service - Wazuh agent...
Dec 28 13:17:04 ip-172-31-47-212 env[15152]: Starting Wazuh v4.7.2...
Dec 28 13:17:05 ip-172-31-47-212 env[15152]: Started wazuh-execd...
Dec 28 13:17:06 ip-172-31-47-212 env[15152]: Started wazuh-agentd...
Dec 28 13:17:07 ip-172-31-47-212 env[15152]: Started wazuh-syscheckd...
Dec 28 13:17:08 ip-172-31-47-212 env[15152]: Started wazuh-logcollector...
Dec 28 13:17:09 ip-172-31-47-212 env[15152]: Started wazuh-modulesd...
Dec 28 13:17:11 ip-172-31-47-212 env[15152]: Completed.
Dec 28 13:17:11 ip-172-31-47-212 systemd[1]: Started wazuh-agent.service - Wazuh agent.

image

🟢 Wazuh agent installation on Ubuntu 22
root@ip-172-31-46-118:/home/ubuntu# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@ip-172-31-46-118:/home/ubuntu# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt unstable main
root@ip-172-31-46-118:/home/ubuntu# apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [36.6 kB]
Fetched 283 kB in 1s (205 kB/s)
Reading package lists... Done
root@ip-172-31-46-118:/home/ubuntu#  WAZUH_MANAGER="172.31.39.226" apt-get install wazuh-agent=4.7.2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
Need to get 9379 kB of archives.
After this operation, 31.5 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.7.2-1 [9379 kB]
Fetched 9379 kB in 1s (10.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 64799 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.2-1_amd64.deb ...
Unpacking wazuh-agent (4.7.2-1) ...
Setting up wazuh-agent (4.7.2-1) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...
 systemctl restart acpid.service chrony.service cron.service irqbalance.service multipathd.service packagekit.service polkit.service rsyslog.service serial-getty@ttyS0.service snapd.service ssh.service systemd-journald.service systemd-networkd.service systemd-resolved.service systemd-udevd.service
Service restarts being deferred:
 /etc/needrestart/restart.d/dbus.service
 systemctl restart getty@tty1.service
 systemctl restart networkd-dispatcher.service
 systemctl restart systemd-logind.service
 systemctl restart unattended-upgrades.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.


root@ip-172-31-46-118:/home/ubuntu# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.
root@ip-172-31-46-118:/home/ubuntu# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-12-28 13:22:05 UTC; 11s ago
    Process: 7353 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 29 (limit: 2294)
     Memory: 15.2M
        CPU: 3.500s
     CGroup: /system.slice/wazuh-agent.service
             ├─7375 /var/ossec/bin/wazuh-execd
             ├─7386 /var/ossec/bin/wazuh-agentd
             ├─7399 /var/ossec/bin/wazuh-syscheckd
             ├─7412 /var/ossec/bin/wazuh-logcollector
             └─7429 /var/ossec/bin/wazuh-modulesd

Dec 28 13:21:57 ip-172-31-46-118 systemd[1]: Starting Wazuh agent...
Dec 28 13:21:58 ip-172-31-46-118 env[7353]: Starting Wazuh v4.7.2...
Dec 28 13:21:59 ip-172-31-46-118 env[7353]: Started wazuh-execd...
Dec 28 13:22:00 ip-172-31-46-118 env[7353]: Started wazuh-agentd...
Dec 28 13:22:01 ip-172-31-46-118 env[7353]: Started wazuh-syscheckd...
Dec 28 13:22:02 ip-172-31-46-118 env[7353]: Started wazuh-logcollector...
Dec 28 13:22:03 ip-172-31-46-118 env[7353]: Started wazuh-modulesd...
Dec 28 13:22:05 ip-172-31-46-118 env[7353]: Completed.
Dec 28 13:22:05 ip-172-31-46-118 systemd[1]: Started Wazuh agent.

image

🟢 Wazuh agent installation on Windows server 2016
PS C:\Users\Administrator\Downloads> wget -O wazuh-agent-4.7.2-1.msi https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.7.2-1.msi


StatusCode        : 200
StatusDescription : OK
Content           : {208, 207, 17, 224...}
RawContent        : HTTP/1.1 200 OK
                    Connection: keep-alive
                    x-amz-server-side-encryption: AES256
                    X-Cache: RefreshHit from cloudfront
                    X-Amz-Cf-Pop: IAD79-C1
                    X-Amz-Cf-Id: Y8AKt3-y3fOiN_39MeFue1g4KkoaW57YiJq_5pfobqrIakZ...
Headers           : {[Connection, keep-alive], [x-amz-server-side-encryption, AES256], [X-Cache, RefreshHit from
                    cloudfront], [X-Amz-Cf-Pop, IAD79-C1]...}
RawContentLength  : 6524928

PS C:\Users\Administrator\Downloads> .\wazuh-agent-4.7.2-1.msi /q WAZUH_MANAGER="172.31.39.226"
PS C:\Users\Administrator\Downloads> net start wazuh
The Wazuh service is starting.
The Wazuh service was started successfully.

image

🟢 Wazuh agent installation on macOS Sonoma arm

sh-3.2#  curl https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg --output wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5605k  100 5605k    0     0  13.5M      0 --:--:-- --:--:-- --:--:-- 13.9M
sh-3.2# ls
.ssh                            .zsh_history                    .zshrc                          Library                         wazuh-agent-4.7.2-1.arm64.pkg
sh-3.2#  echo "WAZUH_MANAGER='172.31.39.226'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.

sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

image

@mhamra
Contributor

mhamra commented Dec 28, 2023

3. Check 1: Check that their respective SCA policies are applied properly

🟢 Wazuh agent on Debian 12

SCA policies are properly applied

image

🟢 Wazuh agent on Ubuntu 22

SCA policies are properly applied

image

🟢 Wazuh agent on Windows server 2016

SCA policies are properly applied

image

🟢 Wazuh agent on macOS Sonoma arm

SCA policies are properly applied

image

@mhamra
Contributor

mhamra commented Dec 28, 2023

4. Check 2: Use and activate a custom policy for any of them

🟢 Wazuh agent on Debian 12
  • Created a file in /home/admin/sca_test with the following content:
root@ip-172-31-47-212:/home/admin# cat /home/admin/sca_test
one line
Expected line
third line
root@ip-172-31-47-212:/home/admin#
  • Created a custom policy in /var/ossec/ruleset/sca/custom_policy.yml with the following content:
root@ip-172-31-47-212:/home/admin# cat /var/ossec/ruleset/sca/custom_policy.yml
policy:
  id: "custom_policy"
  file: "custom_policy.yml"
  name: "Custom policy for SCA test."
  description: "Review whether SCA is working as expected"

checks:
  - id: 20000
    title: "File should contain expected line"
    description: "Check that sca_test contains specific line"
    condition: all
    rules:
      - 'f:/home/admin/sca_test -> Expected line'
root@ip-172-31-10-208:/home/admin#

  • Restarted the agent to apply changes:
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
root@ip-172-31-47-212:/home/admin#

  • Checked dashboard for policy result. The policy was successfully loaded and evaluated


  • Removed the expected line from the file
root@ip-172-31-47-212:/home/admin# cat /home/admin/sca_test
one line
third line
root@ip-172-31-10-208:/home/admin#
  • Restarted the agent to load changes
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
root@ip-172-31-47-212:/home/admin#
  • Checked dashboard for update. The check fails as expected.


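Added example, not part of this thread and not Wazuh's own code: a minimal offline evaluator for the subset of SCA rule syntax that custom_policy.yml above uses (`f:` and `d:` rules, `not ` negation, literal or `r:` regex line patterns, and the `all`/`any`/`none` check conditions). It replays the test in a temporary directory, so the file path, the policy dict and the file contents are constructed stand-ins for /home/admin/sca_test and custom_policy.yml. The literal-match and regex semantics are an approximation of Wazuh's matcher, which additionally handles `c:` command, `p:` process, `r:` registry, `n:` numeric and `&&`-chained rules that are not modelled here.

```python
"""Minimal offline evaluator for the SCA rule subset used by custom_policy.yml.

Added example, not Wazuh code: only 'f:' (file) and 'd:' (directory) rules,
'not ' negation, literal or 'r:' regex line patterns and the all/any/none
check conditions are modelled. Wazuh's engine also evaluates 'c:' commands,
'p:' processes, 'r:' registry keys, 'n:' numeric compares and '&&' chains.
"""
import os
import re
import tempfile


def _line_matches(line: str, pattern: str) -> bool:
    """Match one file line against one pattern element.

    Approximation of Wazuh's matcher: a leading '!' negates, 'r:' introduces a
    regex searched anywhere in the line, anything else must equal the whole
    line (compared case-insensitively here).
    """
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("r:"):
        hit = re.search(pattern[2:], line) is not None
    else:
        hit = line.strip().lower() == pattern.strip().lower()
    return hit != negate


def _file_contains(path: str, pattern: str) -> bool:
    """True if any line of the file matches the pattern."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any(_line_matches(ln.rstrip("\r\n"), pattern) for ln in fh)


def evaluate_rule(rule: str) -> bool:
    """Evaluate one rule string, e.g. 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin no',
    'd:/var/ossec', 'd:/etc -> passwd -> r:^root:' or 'not f:/etc/passwd -> r:^guest'."""
    negate = rule.startswith("not ")
    if negate:
        rule = rule[4:].lstrip()
    # Split on the first ':' only so a Windows path such as 'd:C:\\...' keeps its drive letter.
    kind, sep, body = rule.partition(":")
    if not sep or kind not in ("f", "d"):
        raise ValueError(f"unsupported rule: {rule!r}")
    parts = [p.strip() for p in body.split("->")]
    path = parts[0]
    if kind == "f":
        # f:<file> [-> <pattern>]   (no pattern: plain existence check)
        found = os.path.isfile(path) and (len(parts) == 1 or _file_contains(path, parts[1]))
    else:
        # d:<dir> [-> <file name> [-> <pattern>]]   (file name taken literally here)
        found = os.path.isdir(path)
        if found and len(parts) >= 2:
            member = os.path.join(path, parts[1])
            found = os.path.isfile(member) and (len(parts) == 2 or _file_contains(member, parts[2]))
    return bool(found) != negate


def evaluate_check(check: dict) -> str:
    """'passed' or 'failed' for one check, combining its rules per 'condition'."""
    results = [evaluate_rule(r) for r in check["rules"]]
    condition = check.get("condition", "all")
    ok = {"all": all(results), "any": any(results), "none": not any(results)}[condition]
    return "passed" if ok else "failed"


def run_policy(policy: dict) -> dict:
    """Map each check id to its result, as the dashboard's policy view lists them."""
    return {c["id"]: evaluate_check(c) for c in policy["checks"]}


def demo() -> dict:
    """Replay the test above with a constructed sca_test file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sca_test")
        policy = {  # same shape as custom_policy.yml, path swapped for the temp file
            "policy": {"id": "custom_policy", "file": "custom_policy.yml",
                       "name": "Custom policy for SCA test."},
            "checks": [{"id": 20000, "title": "File should contain expected line",
                        "condition": "all", "rules": [f"f:{target} -> Expected line"]}],
        }
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("one line\nExpected line\nthird line\n")
        before = run_policy(policy)[20000]
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("one line\nthird line\n")
        after = run_policy(policy)[20000]
        dir_rule = evaluate_rule(f"d:{tmp} -> sca_test -> r:^third")
    return {"before": before, "after": after, "dir_rule": dir_rule}


if __name__ == "__main__":
    print(demo())  # {'before': 'passed', 'after': 'failed', 'dir_rule': True}
```

`demo()` reports the check as passed while the file holds the line and as failed once it is removed, which is the behaviour the two dashboard checks above confirm. In this model a pattern without an `r:` prefix must equal the whole line, so `-> Expected line` would not match a line reading `Expected line here`; use `r:Expected line` when a substring match is intended.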
@mhamra (Contributor)

mhamra commented Dec 28, 2023

5. Check 3: Disable a used policy and confirm it is not used anymore

🟢 Wazuh agent on Debian 12
  • Disabled the custom policy through the configuration file (/var/ossec/etc/ossec.conf) by setting enabled="no":

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy enabled="no">ruleset/sca/custom_policy.yml</policy>
    </policies>
  </sca>

  • Restarted the agent to apply changes
root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
root@ip-172-31-47-212:/home/admin#
  • Logs show the file is ignored
root@ip-172-31-47-212:/home/admin# tail -20 /var/ossec/logs/ossec.log
2023/12/28 15:28:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2023/12/28 15:28:44 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2023/12/28 15:28:44 wazuh-logcollector: INFO: Started (pid: 18628).
2023/12/28 15:28:45 wazuh-modulesd: INFO: Started (pid: 18645).
2023/12/28 15:28:45 wazuh-modulesd:control: INFO: Starting control thread.
2023/12/28 15:28:45 sca: INFO: Module started.
2023/12/28 15:28:45 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:45 sca: INFO: Policy '/var/ossec/ruleset/sca/custom_policy.yml' disabled by configuration.
2023/12/28 15:28:45 sca: INFO: Starting Security Configuration Assessment scan.
2023/12/28 15:28:45 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2023/12/28 15:28:45 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2023/12/28 15:28:45 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2023/12/28 15:28:45 wazuh-modulesd:syscollector: INFO: Module started.
2023/12/28 15:28:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/12/28 15:28:45 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:45 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/12/28 15:28:47 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2023/12/28 15:28:47 wazuh-syscheckd: INFO: FIM sync module started.
2023/12/28 15:28:52 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian12.yml'
2023/12/28 15:28:52 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
  • Checked the dashboard to confirm policy is no longer used


@mhamra (Contributor)

mhamra commented Dec 28, 2023

6. Check 4: Push SCA config through centralized config and check it applies properly

🟢 Shared SCA Setup on Wazuh manager
  • Created the following policy /var/ossec/etc/shared/default/linux_shared_custom_policy.yml in the Wazuh manager with the following content:
[root@indexer-ip-172-31-39-226 default]# cat /var/ossec/etc/shared/default/linux_shared_custom_policy.yml
policy:
  id: "shared_custom_policy"
  file: "shared_custom_policy.yml"
  name: "Custom shared policy for centralized SCA test."
  description: "Review whether shared policy for SCA is working as expected"

checks:
  - id: 20000
    title: "Linux endpoint should have Wazuh installed"
    description: "Check that the Linux endpoint contains the Wazuh installation directory"
    condition: all
    rules:
      - 'd:/var/ossec'
  • Created the following policy /var/ossec/etc/shared/default/windows_shared_custom_policy.yml in the Wazuh manager with the following content:
[root@indexer-ip-172-31-39-226 default]# cat /var/ossec/etc/shared/default/windows_shared_custom_policy.yml
policy:
  id: "shared_custom_policy"
  file: "shared_custom_policy.yml"
  name: "Custom shared policy for centralized SCA test."
  description: "Review whether shared policy for SCA is working as expected"

checks:
  - id: 20001
    title: "Windows endpoint should have Wazuh installed"
    description: "Check that the Windows endpoint contains the Wazuh installation directory"
    condition: all
    rules:
      - 'd:C:\Program Files (x86)\ossec-agent\'

  • Added the following configuration to the centralized configuration of the default group (/var/ossec/etc/shared/default/agent.conf):

[root@indexer-ip-172-31-39-226 default]# cat /var/ossec/etc/shared/default/agent.conf
<agent_config>
  <sca>
    <policies>
      <policy>etc/shared/linux_shared_custom_policy.yml</policy>
      <policy>etc/shared/windows_shared_custom_policy.yml</policy>
    </policies>
  </sca>
</agent_config>


  • Restarted the Wazuh manager to apply changes
[root@indexer-ip-172-31-39-226 default]# systemctl restart wazuh-manager
🟢 Wazuh agent on Debian 12
  • Enabled sca.remote_commands in the /var/ossec/etc/local_internal_options.conf configuration file to allow SCA commands to run from remote policies.
root@ip-172-31-47-212:/home/admin# echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf

  • Restarted the agent to apply changes

root@ip-172-31-47-212:/home/admin# systemctl restart wazuh-agent
  • Checked Wazuh dashboard. Shared policy is successfully loaded and evaluated


🟢 Wazuh agent on Ubuntu 22
  • Enabled sca.remote_commands in the /var/ossec/etc/local_internal_options.conf configuration file to allow SCA commands to run from remote policies.
root@ip-172-31-46-118:/home/ubuntu# echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf

  • Restarted the agent to apply changes

root@ip-172-31-46-118:/home/ubuntu# systemctl start wazuh-agent
  • Checked Wazuh dashboard. Shared policy is successfully loaded and evaluated


🟢 Wazuh agent on Windows server 2016
  • Enabled sca.remote_commands in the C:\Program Files (x86)\ossec-agent\local_internal_options.conf configuration file to allow SCA commands to run from remote policies.
C:\Program Files (x86)\ossec-agent>more "C:\Program Files (x86)\ossec-agent\local_internal_options.conf"
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades
# but will be removed when the agent is un-installed.

sca.remote_commands=1

C:\Program Files (x86)\ossec-agent>
  • Restarted the agent to apply changes
PS C:\Users\Administrator> Restart-Service -Name wazuh
PS C:\Users\Administrator>
  • Checked Wazuh dashboard. Shared policy is not loaded.

  • Checked Wazuh agent logs. The following log is observed:

2023/12/28 15:52:16 wazuh-agent: INFO: (4102): Connected to the server ([172.31.39.226]:1514/tcp).
2023/12/28 15:52:16 sca: WARNING: Policy file 'C:\Program Files (x86)\ossec-agent\etc\shared\linux_shared_custom_policy.yml' not found. Check your configuration.
2023/12/28 15:52:16 sca: WARNING: Policy file 'C:\Program Files (x86)\ossec-agent\etc\shared\windows_shared_custom_policy.yml' not found. Check your configuration.

Checking the file structure shows that the shared files are in C:\Program Files (x86)\ossec-agent\shared, which differs from the directory configured as stated in the documentation.

  • Updated the path in the centralized configuration file of the default group (/var/ossec/etc/shared/default/agent.conf) to the correct one (from etc/shared/windows_shared_custom_policy.yml to shared/windows_shared_custom_policy.yml):

[root@indexer-ip-172-31-39-226 default]# cat /var/ossec/etc/shared/default/agent.conf
<agent_config>
  <sca>
    <policies>
      <policy>etc/shared/linux_shared_custom_policy.yml</policy>
      <policy>shared/windows_shared_custom_policy.yml</policy>
    </policies>
  </sca>
</agent_config>

  • Restarted the Wazuh manager to apply changes
[root@indexer-ip-172-31-39-226 default]# systemctl restart wazuh-manager
[root@indexer-ip-172-31-39-226 default]#
  • Checked Wazuh dashboard. Shared policy is successfully loaded and evaluated


🟢 Wazuh agent on macOS Sonoma arm
  • Enabled sca.remote_commands in the /Library/Ossec/etc/local_internal_options.conf configuration file of the Wazuh agent to allow SCA commands to run from remote policies.
sh-3.2# echo "sca.remote_commands=1" >> /Library/Ossec/etc/local_internal_options.conf

  • Then restarted the agent:
sh-3.2# /Library/Ossec/bin/wazuh-control restart
2023/12/28 16:11:32 sca: WARNING: File 'shared/windows_shared_custom_policy.yml' not found.
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
2023/12/28 16:11:38 sca: WARNING: File 'shared/windows_shared_custom_policy.yml' not found.
Started wazuh-modulesd...
Completed.

Below we can see that SCA is applied and fails as expected.


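Added example, not part of this thread and not Wazuh's own code: a pre-flight check for the `<sca><policies>` paths pushed through agent.conf, written because the Windows and macOS agent logs above show the same entry list producing a "not found" warning on each platform. It resolves every `<policy>` path the way the agent does, relative to its installation directory, against the files the manager will push into that platform's shared directory, and it also honours `enabled="no"` (Check 3) and the `os` attribute of `<agent_config>`. The install directories and shared-directory locations are the documented defaults (/var/ossec, /Library/Ossec, C:\Program Files (x86)\ossec-agent, with shared\ directly under the install dir on Windows as observed above); the uname labels and the substring matching of the `os` attribute are assumptions, and the two agent.conf strings and file names are constructed from this thread.

```python
"""Pre-flight check for SCA policy paths distributed through agent.conf.

Added example, not Wazuh code: models how each agent platform resolves a
relative <policy> path against its installation directory and the directory
into which the manager's etc/shared/<group>/ files are pushed.
"""
import ntpath
import posixpath
import xml.etree.ElementTree as ET

# Documented default install dirs and shared-file locations; 'uname' is an
# assumed label used only for the <agent_config os="..."> filter below.
PLATFORMS = {
    "linux": {"install": "/var/ossec", "shared": "etc/shared",
              "uname": "Linux", "path": posixpath},
    "macos": {"install": "/Library/Ossec", "shared": "etc/shared",
              "uname": "Darwin", "path": posixpath},
    # Windows keeps pushed files in shared\ directly under the install dir,
    # which is why etc/shared/... entries fail there (see the agent log above).
    "windows": {"install": r"C:\Program Files (x86)\ossec-agent", "shared": "shared",
                "uname": "Windows", "path": ntpath},
}


def _resolve(platform: str, relative: str) -> str:
    """Absolute, normalised path as the agent on that platform would see it."""
    p = PLATFORMS[platform]["path"]
    return p.normcase(p.normpath(p.join(PLATFORMS[platform]["install"], relative)))


def shared_files_on_agent(platform: str, shared_file_names) -> set:
    """Absolute paths the agent holds once the group's shared files are pushed."""
    base = PLATFORMS[platform]["shared"]
    p = PLATFORMS[platform]["path"]
    return {_resolve(platform, p.join(base, name)) for name in shared_file_names}


def sca_policies(agent_conf_xml: str, platform: str) -> list:
    """(path, enabled) for every <policy> in an <agent_config> block that applies to platform.

    agent.conf may hold several top-level <agent_config> blocks, so wrap them in
    a dummy root before parsing. The os attribute is matched as a case-insensitive
    substring of the platform's uname label (an approximation of Wazuh's matching).
    """
    root = ET.fromstring("<root>" + agent_conf_xml + "</root>")
    uname = PLATFORMS[platform]["uname"].lower()
    out = []
    for block in root.iter("agent_config"):
        os_filter = block.get("os")
        if os_filter and os_filter.lower() not in uname:
            continue
        for pol in block.iter("policy"):
            if pol.text and pol.text.strip():
                out.append((pol.text.strip(), pol.get("enabled", "yes").lower() != "no"))
    return out


def preflight(agent_conf_xml: str, shared_file_names) -> dict:
    """{platform: {policy_path: 'ok' | 'missing' | 'disabled'}} for every platform."""
    report = {}
    for platform in PLATFORMS:
        present = shared_files_on_agent(platform, shared_file_names)
        report[platform] = {}
        for path, enabled in sca_policies(agent_conf_xml, platform):
            if not enabled:
                status = "disabled"
            elif _resolve(platform, path) in present:
                status = "ok"
            else:
                status = "missing"  # agent would log "Policy file ... not found"
            report[platform][path] = status
    return report


# Constructed from the thread: the second agent.conf above and the two shared policies.
AGENT_CONF_MIXED = """<agent_config>
  <sca>
    <policies>
      <policy>etc/shared/linux_shared_custom_policy.yml</policy>
      <policy>shared/windows_shared_custom_policy.yml</policy>
    </policies>
  </sca>
</agent_config>"""

# Same policies, each scoped to the platform whose layout its path assumes.
AGENT_CONF_SCOPED = """<agent_config os="Linux">
  <sca><policies><policy>etc/shared/linux_shared_custom_policy.yml</policy></policies></sca>
</agent_config>
<agent_config os="Darwin">
  <sca><policies><policy>etc/shared/linux_shared_custom_policy.yml</policy></policies></sca>
</agent_config>
<agent_config os="Windows">
  <sca><policies><policy>shared/windows_shared_custom_policy.yml</policy></policies></sca>
</agent_config>"""

SHARED_FILES = ["linux_shared_custom_policy.yml", "windows_shared_custom_policy.yml"]

if __name__ == "__main__":
    for name, conf in (("mixed", AGENT_CONF_MIXED), ("scoped", AGENT_CONF_SCOPED)):
        print(name, preflight(conf, SHARED_FILES))
```

`preflight(AGENT_CONF_MIXED, SHARED_FILES)` reports the Linux entry as missing on Windows and the Windows entry as missing on Linux and macOS, the two warnings seen in the agent logs above, while the `os`-scoped variant resolves cleanly on every platform. Only files under the group's shared directory are modelled, so a local path such as ruleset/sca/custom_policy.yml is reported as missing here even though an agent would load it from its own ruleset.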
@MarcelKemp (Member)

LGTM!

@damarisg (Member)

GJ!

Status: Done
4 participants