Release 4.8.0 - Alpha 2 - E2E UX tests - Security Configuration Assessment #21361

Closed
1 of 2 tasks
davidjiglesias opened this issue Jan 11, 2024 · 6 comments

davidjiglesias commented Jan 11, 2024

End-to-End (E2E) Testing Guideline

  • Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production; always navigate using the current development documentation for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and URLs for the correct testing of the development packages.
  • Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
  • Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the CICD team through this link.
  • External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the CICD team here.
  • Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
  • Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
  • Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
  • Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
  • Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
  • Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
  • Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
  • Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
  • Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
  • Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/security-warriors team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
  • For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

  • 🟢 All checks passed
  • 🟡 Found a known issue
  • 🔴 Found a new error

Issue delivery and completion

  • Initial delivery: The issue's assignee must complete the testing and deliver the results by Jan 16, 2024 and notify the @wazuh/security-warriors team via Slack using the c-release channel
  • Review: The @wazuh/security-warriors team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by Jan 17, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
  • Auditor: The QA team must audit, validate the results, and close the issue by Jan 18, 2024.

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Installation assistant | Single node | Fedora 38 x86_64 |
| Server | Installation assistant | Single node | Fedora 38 x86_64 |
| Dashboard | Installation assistant | - | Fedora 38 x86_64 |
| Agent | Wazuh WUI one-liner deploy using FQDN | - | Windows server 2016 x86_64, Debian 12 x86_64, Ubuntu 22.04 x86_64, macOS Sonoma arm |

Test description

For the selected Wazuh Agent OS:

  • Check that their respective SCA policies are applied properly
  • Use and activate a custom policy for any of them
  • Disable a used policy and confirm it is not used anymore
  • Push SCA config through centralized config and check it applies properly

Known issues

New Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🔴 | Deployment | Dependencies not needed | New issue opened: wazuh/wazuh-packages#2772 |
| 🔴 | Deployment | VD index missing | New issue opened: #21413 |
| 🔴 | Deployment | WUI one-liner deploy does not accept hostnames | New issue opened: wazuh/wazuh-dashboard-plugins#6311 |
| 🔴 | Deployment | WUI one-liner deploy incorrect abbreviature | New issue opened: wazuh/wazuh-dashboard-plugins#6310 |
| 🔴 | Check that their respective SCA policies are applied properly | Incorrect system version in SCA filename | New issue opened: #21440 |
| 🔴 | Check that their respective SCA policies are applied properly | Wrong checks in SCA policies | New issue opened: #21421 |
| 🟢 | Use and activate a custom policy for any of them | -- | -- |
| 🟢 | Disable a used policy and confirm it is not used anymore | -- | -- |
| 🟢 | Push SCA config through centralized config and check it applies properly | -- | -- |
  • All new issues have been added to the qa_known label

Feedback

We value your feedback. Please provide insights on your testing experience.

  • Was the testing guideline clear? Were there any ambiguities?
    • Yes, it is clear
    • Ambiguities: Deployment specifies a single node of each component using the WIA, but it is not specified if it should be an AIO or a distributed deployment
  • Did you face any challenges not covered by the guideline?
    • No
  • Suggestions for improvement:
    • Set policy cases, for each test, for example: follow the documentation use case or create a new policy that checks X case
    • Check filenames and versions
    • Check the Not applicable rules

Resource issue

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

rauldpm commented Jan 11, 2024

Update report

  • Problems encountered during the provisioning of Fedora 38 machines by not assigning a private IP to the machine, which makes communication between nodes impossible
  • Apparently, it is a network manager problem in Fedora, since the configuration of /etc/sysconfig/network-scripts/ has been deprecated in favor of /etc/NetworkManager/system-connections/
    • A file called enp0s8.nmconnection has been created in the new location with the following content; after that, the IPs have been assigned successfully
[connection]
id=Wired connection 2
uuid=0fc877a1-e3a9-30d3-951b-aa05544ff3e6
type=ethernet
autoconnect-priority=-999
interface-name=eth1
timestamp=1683239079

[ethernet]

[ipv4]
address1=192.168.56.86/24
method=manual

[ipv6]
addr-gen-mode=default
method=auto

rauldpm commented Jan 12, 2024

Update report

Wazuh indexer deployment 🟢
  • System info
[root@fedora38indexer e2e]# cat /etc/os-release 
NAME="Fedora Linux"
VERSION="38 (Thirty Eight)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Thirty Eight)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
[root@fedora38indexer e2e]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
[root@fedora38indexer e2e]# curl -sO https://packages-dev.wazuh.com/4.8/config.yml
[root@fedora38indexer e2e]# nano config.yml 
[root@fedora38indexer e2e]# cat config.yml 
nodes:
  indexer:
    - name: node-1
      ip: "192.168.57.21"
  server:
    - name: wazuh-1
      ip: "192.168.57.20"
  dashboard:
    - name: dashboard
      ip: "192.168.57.22"
[root@fedora38indexer e2e]# bash wazuh-install.sh --generate-config-files
12/01/2024 14:55:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 14:55:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 14:55:00 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.
[root@fedora38indexer e2e]# bash wazuh-install.sh --generate-config-files -i
12/01/2024 14:55:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 14:55:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 14:55:24 INFO: --- Dependencies ---
12/01/2024 14:55:24 INFO: Installing lsof.
12/01/2024 14:55:27 INFO: Installing openssl.
12/01/2024 14:55:29 WARNING: Hardware and system checks ignored.
12/01/2024 14:55:29 INFO: --- Configuration files ---
12/01/2024 14:55:29 INFO: Generating configuration files.
12/01/2024 14:55:30 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
12/01/2024 14:55:30 INFO: --- Dependencies ---
12/01/2024 14:55:30 INFO: Removing lsof.
12/01/2024 14:55:31 INFO: Removing openssl.
  • Wazuh indexer install
[root@fedora38indexer e2e]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
[root@fedora38indexer e2e]# ls
wazuh-install-files.tar  wazuh-install.sh
[root@fedora38indexer e2e]# bash wazuh-install.sh --wazuh-indexer node-1
12/01/2024 14:59:02 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 14:59:02 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 14:59:02 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.
[root@fedora38indexer e2e]# bash wazuh-install.sh --wazuh-indexer node-1 -i
12/01/2024 14:59:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 14:59:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 14:59:07 INFO: --- Dependencies ---
12/01/2024 14:59:07 INFO: Installing lsof.
12/01/2024 14:59:09 INFO: Installing openssl.
12/01/2024 14:59:12 WARNING: Hardware and system checks ignored.
12/01/2024 14:59:14 INFO: Wazuh development repository added.
12/01/2024 14:59:14 INFO: --- Wazuh indexer ---
12/01/2024 14:59:14 INFO: Starting Wazuh indexer installation.
12/01/2024 15:00:12 INFO: Wazuh indexer installation finished.
12/01/2024 15:00:12 INFO: Wazuh indexer post-install configuration finished.
12/01/2024 15:00:12 INFO: Starting service wazuh-indexer.
12/01/2024 15:00:19 INFO: wazuh-indexer service started.
12/01/2024 15:00:19 INFO: Initializing Wazuh indexer cluster security settings.
12/01/2024 15:00:20 INFO: Wazuh indexer cluster initialized.
12/01/2024 15:00:20 INFO: --- Dependencies ---
12/01/2024 15:00:20 INFO: Removing lsof.
12/01/2024 15:00:21 INFO: Removing openssl.
12/01/2024 15:00:21 INFO: Installation finished.
[root@fedora38indexer e2e]# bash wazuh-install.sh --start-cluster -i
12/01/2024 15:01:09 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 15:01:09 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 15:01:12 INFO: --- Dependencies ---
12/01/2024 15:01:12 INFO: Installing lsof.
12/01/2024 15:01:19 INFO: Installing openssl.
12/01/2024 15:01:21 WARNING: Hardware and system checks ignored.
12/01/2024 15:01:23 INFO: Wazuh indexer cluster security configuration initialized.
12/01/2024 15:01:24 INFO: The Wazuh indexer cluster ISM initialized.
12/01/2024 15:01:25 INFO: Updating the internal users.
12/01/2024 15:01:26 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
12/01/2024 15:01:31 INFO: --- Dependencies ---
12/01/2024 15:01:31 INFO: Removing lsof.
12/01/2024 15:01:31 INFO: Removing openssl.
12/01/2024 15:01:32 INFO: Wazuh indexer cluster started.
  • Wazuh indexer cluster checks
[root@fedora38indexer e2e]# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 'WHN7OS5WIE2KDb629puaShif.hf*MGcd'
[root@fedora38indexer e2e]# curl -k -u admin:WHN7OS5WIE2KDb629puaShif.hf*MGcd https://192.168.57.21:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "ydfY-gv-S4ufkotWQI48Jw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@fedora38indexer e2e]# curl -k -u admin:WHN7OS5WIE2KDb629puaShif.hf*MGcd https://192.168.57.21:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                               cluster_manager name
192.168.57.21           29          90   2    0.07    0.14     0.12 dimr      data,ingest,master,remote_cluster_client *               node-1
[root@fedora38indexer e2e]# curl -k -u admin:WHN7OS5WIE2KDb629puaShif.hf*MGcd https://192.168.57.21:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-indexer-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 13,
  "active_shards" : 13,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
[root@fedora38indexer e2e]# curl -k -u admin:WHN7OS5WIE2KDb629puaShif.hf*MGcd https://192.168.57.21:9200/_cat/indices?v
health status index                                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .plugins-ml-config                   dUR4B6zsQv2639103WlReQ   1   0          1            0      3.9kb          3.9kb
green  open   .opensearch-observability            2BGFBHbPTmWvRus8Kr-2eA   1   0          0            0       208b           208b
green  open   wazuh-alerts-4.x-2024.01.12-000001   v1TWV7BPQOK-S2Fm1t25Mw   3   0          0            0       624b           624b
green  open   .opendistro-job-scheduler-lock       ojYXVsScTpu6B6qfbGAmfQ   1   0          2            2     22.3kb         22.3kb
green  open   .opendistro_security                 ypZtRwNiSvOoaYdNzUq7gw   1   0         10            2     96.5kb         96.5kb
green  open   wazuh-archives-4.x-2024.01.12-000001 eR4h1tJ8TYKQ52WB6fHdJA   3   0          0            0       624b           624b
Wazuh server deployment 🟢
  • System info
[root@fedora38server e2e]# cat /etc/os-release 
NAME="Fedora Linux"
VERSION="38 (Thirty Eight)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Thirty Eight)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
  • Wazuh server install
[root@fedora38server e2e]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
[root@fedora38server e2e]# ls
wazuh-install-files.tar  wazuh-install.sh
[root@fedora38server e2e]# bash wazuh-install.sh --wazuh-server wazuh-1
12/01/2024 15:11:22 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 15:11:22 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 15:11:22 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.
[root@fedora38server e2e]# bash wazuh-install.sh --wazuh-server wazuh-1 -i
12/01/2024 15:11:24 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 15:11:24 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 15:11:27 INFO: --- Dependencies ---
12/01/2024 15:11:27 INFO: Installing lsof.
12/01/2024 15:11:30 INFO: Installing openssl.
12/01/2024 15:11:33 WARNING: Hardware and system checks ignored.
12/01/2024 15:11:34 INFO: Wazuh development repository added.
12/01/2024 15:11:34 INFO: --- Wazuh server ---
12/01/2024 15:11:34 INFO: Starting the Wazuh manager installation.
12/01/2024 15:12:26 INFO: Wazuh manager installation finished.
12/01/2024 15:12:26 INFO: Starting service wazuh-manager.
12/01/2024 15:12:40 INFO: wazuh-manager service started.
12/01/2024 15:12:40 INFO: Starting Filebeat installation.
12/01/2024 15:12:44 INFO: Filebeat installation finished.
12/01/2024 15:12:46 INFO: Filebeat post-install configuration finished.
12/01/2024 15:12:49 INFO: Starting service filebeat.
12/01/2024 15:12:49 INFO: filebeat service started.
12/01/2024 15:12:49 INFO: --- Dependencies ---
12/01/2024 15:12:49 INFO: Removing lsof.
12/01/2024 15:12:50 INFO: Removing openssl.
12/01/2024 15:12:50 INFO: Installation finished.
[root@fedora38server e2e]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="server"
[root@fedora38server e2e]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log 
[root@fedora38server e2e]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log  | wc -l
0
Wazuh dashboard deployment 🟢
  • System info
[root@fedora38dashboard e2e]# cat /etc/os-release 
NAME="Fedora Linux"
VERSION="38 (Thirty Eight)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Thirty Eight)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
  • Wazuh dashboard install
[root@fedora38dashboard e2e]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
[root@fedora38dashboard e2e]# ls
wazuh-install-files.tar  wazuh-install.sh
[root@fedora38dashboard e2e]# bash wazuh-install.sh --wazuh-dashboard dashboard
12/01/2024 15:52:31 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 15:52:31 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 15:52:31 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.
[root@fedora38dashboard e2e]# bash wazuh-install.sh --wazuh-dashboard dashboard -i
12/01/2024 15:52:34 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
12/01/2024 15:52:34 INFO: Verbose logging redirected to /var/log/wazuh-install.log
12/01/2024 15:52:36 INFO: --- Dependencies ---
12/01/2024 15:52:36 INFO: Installing lsof.
12/01/2024 15:52:39 INFO: Installing openssl.
12/01/2024 15:52:41 WARNING: Hardware and system checks ignored.
12/01/2024 15:52:41 INFO: Wazuh web interface port will be 443.
12/01/2024 15:52:43 INFO: Wazuh development repository added.
12/01/2024 15:52:43 INFO: --- Wazuh dashboard ----
12/01/2024 15:52:43 INFO: Starting Wazuh dashboard installation.
12/01/2024 15:53:34 INFO: Wazuh dashboard installation finished.
12/01/2024 15:53:34 INFO: Wazuh dashboard post-install configuration finished.
12/01/2024 15:53:34 INFO: Starting service wazuh-dashboard.
12/01/2024 15:53:35 INFO: wazuh-dashboard service started.
12/01/2024 15:53:47 INFO: Initializing Wazuh dashboard web application.
12/01/2024 15:53:47 INFO: Wazuh dashboard web application initialized.
12/01/2024 15:53:47 INFO: --- Summary ---
12/01/2024 15:53:47 INFO: You can access the web interface https://192.168.57.22:443
    User: admin
    Password: WHN7OS5WIE2KDb629puaShif.hf*MGcd
12/01/2024 15:53:47 INFO: --- Dependencies ---
12/01/2024 15:53:47 INFO: Removing lsof.
12/01/2024 15:53:48 INFO: Removing openssl.
12/01/2024 15:53:48 INFO: Installation finished.

Inconsistency found in the WUI agent deployment 🔴
  • The WUI asks for an IP address or an FQDN, so the ubuntu22 value is not accepted

  • But the URL provided to help redirects to the manager_address value which specifies the following:

  • Modified the host /etc/hosts file to set the custom FQDN name
192.168.57.20 fedora38server.fqdn fedora38server
  • FQDN resolution 🟢
root@debian12agent:/home/e2e# ping fedora38server.fqdn
PING fedora38server.fqdn (192.168.57.20) 56(84) bytes of data.
64 bytes from fedora38server.fqdn (192.168.57.20): icmp_seq=1 ttl=64 time=0.777 ms
64 bytes from fedora38server.fqdn (192.168.57.20): icmp_seq=2 ttl=64 time=1.67 ms

Wazuh agent Ubuntu 22 deployment using FQDN 🟢

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='fedora38server.fqdn' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb

root@ubuntu22:/home/e2e# cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ubuntu22:/home/e2e# wget https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='fedora38server.fqdn' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb
--2024-01-12 17:38:57--  https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 52.222.174.36, 52.222.174.123, 52.222.174.91, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|52.222.174.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9707926 (9.3M) [binary/octet-stream]
Saving to: ‘wazuh-agent_4.8.0-1_amd64.deb’

wazuh-agent_4.8.0-1_amd64.deb          100%[=========================================================================>]   9.26M  7.33MB/s    in 1.3s    

2024-01-12 17:39:00 (7.33 MB/s) - ‘wazuh-agent_4.8.0-1_amd64.deb’ saved [9707926/9707926]

Selecting previously unselected package wazuh-agent.
(Reading database ... 75832 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
root@ubuntu22:/home/e2e# grep address /var/ossec/etc/ossec.conf 
      <address>fedora38server.fqdn</address>
root@ubuntu22:/home/e2e# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@ubuntu22:/home/e2e# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
[root@fedora38server e2e]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: ubuntu22
   IP address: any
   Status:     Active

   Operating system:    Linux |ubuntu22 |5.15.0-69-generic |#76-Ubuntu SMP Fri Mar 17 17:19:29 UTC 2023 |x86_64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705081247

   Syscheck last started at:  Fri Jan 12 17:40:37 2024
   Syscheck last ended at:    Fri Jan 12 17:40:39 2024

Wazuh agent Debian 12 deployment using FQDN 🟢

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='fedora38server.fqdn' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb

root@debian12agent:/home/e2e# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@debian12agent:/home/e2e# 
root@debian12agent:/home/e2e# wget https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='fedora38server.fqdn' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb
--2024-01-12 17:52:46--  https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 52.84.66.124, 52.84.66.65, 52.84.66.126, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|52.84.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9707926 (9.3M) [binary/octet-stream]
Saving to: ‘wazuh-agent_4.8.0-1_amd64.deb’

wazuh-agent_4.8.0-1_amd64.deb          100%[==========================================================================>]   9.26M  43.5MB/s    in 0.2s    

2024-01-12 17:52:47 (43.5 MB/s) - ‘wazuh-agent_4.8.0-1_amd64.deb’ saved [9707926/9707926]

Selecting previously unselected package wazuh-agent.
(Reading database ... 25530 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
root@debian12agent:/home/e2e# grep address /var/ossec/etc/ossec.conf 
      <address>fedora38server.fqdn</address>
root@debian12agent:/home/e2e# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@debian12agent:/home/e2e# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
[root@fedora38server e2e]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: debian12agent
   IP address: any
   Status:     Active

   Operating system:    Linux |debian12agent |6.1.0-9-amd64 |#1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) |x86_64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705082137

   Syscheck last started at:  Fri Jan 12 17:54:38 2024
   Syscheck last ended at:    Fri Jan 12 17:54:39 2024
Wazuh agent Windows Server 2016 deployment using FQDN 🟢

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.8.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='fedora38server.fqdn' WAZUH_REGISTRATION_SERVER='fedora38server.fqdn' 

[root@fedora38server e2e]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: WIN-MG3QA6KI086
   IP address: any
   Status:     Active

   Operating system:    Microsoft Windows Server 2016 Datacenter Evaluation
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705082533

   Syscheck last started at:  Fri Jan 12 18:02:13 2024
   Syscheck last ended at:    Fri Jan 12 18:02:18 2024

Wazuh agent macOS Sonoma ARM using FQDN deployment 🟢

curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.8.0-1.arm64.pkg && echo "WAZUH_MANAGER='ec2-3-84-87-11.compute-1.amazonaws.com'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
sh-3.2# system_profiler SPSoftwareDataType SPHardwareDataType
Software:

    System Software Overview:

      System Version: macOS 14.1.2 (23B92)
      Kernel Version: Darwin 23.1.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      User Name: System Administrator (root)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 1 hour, 3 minutes
sh-3.2# curl -so wazuh-agent.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.8.0-1.arm64.pkg && echo "WAZUH_MANAGER='ec2-3-84-87-11.compute-1.amazonaws.com'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# grep address /Library/Ossec/etc/ossec.conf 
      <address>ec2-xxx.compute-1.amazonaws.com</address>
sh-3.2# sudo /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@ip-172-31-39-248 fedora]# /var/ossec/bin/agent_control  -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: ip-172-31-44-166.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-44-166.ec2.internal |23.1.0 |Darwin Kernel Version 23.1.0: Mon Oct  9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 |arm64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705332055

   Syscheck last started at:  Mon Jan 15 15:18:56 2024
   Syscheck last ended at:    Mon Jan 15 15:19:02 2024

image


@rauldpm
Member

rauldpm commented Jan 12, 2024

Tests

Check that their respective SCA policies are applied properly

Ubuntu 22 🟢

image

Debian 12 🟢

image

Windows 2016 🟢

image

macOS Sonoma 🟡

image

⚠️ macOS version is 14.1 but 14.0 SCA is being used, pending to be checked, reported at #21440

About Not applicable rules

Debian SCA marks the ID 33027 Ensure sudo log file exists /etc/sudoers with a Not applicable result because it could not open the file as it is not a directory

image

root@debian12agent:/home/e2e# ls -l /etc/sudoers
-r--r----- 1 root root 1714 Mar  8  2023 /etc/sudoers

Reported at: #21421 🔴


Use and activate a custom policy for any of them

Ubuntu 22 🟢
root@ubuntu22:/home/e2e# mkdir /var/ossec/etc/custom-sca-files/
root@ubuntu22:/home/e2e# nano /var/ossec/etc/custom-sca-files/processcheck.yml
root@ubuntu22:/home/e2e# cat /var/ossec/etc/custom-sca-files/processcheck.yml 
policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running processes on Linux endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check that the SSH service and password-related files are present on the system"
  description: "Requirements for running the SCA scan against the Unix based systems policy."
  condition: any
  rules:
    - "f:$sshd_file"
    - "f:/etc/passwd"
    - "f:/etc/shadow"

variables:
  $sshd_file: /etc/ssh/sshd_config

checks:
  - id: 10003
    title: "Ensure that netcat is not running on your endpoint"
    description: "Netcat is running on your endpoint."
    rationale: "Threat actors can use netcat to open ports on your endpoints or to connect to remote servers."
    remediation: "Kill the netcat process if confirmed to be malicious after further investigation."
    condition: none
    rules:
      - 'p:nc'
      - 'p:netcat'
root@ubuntu22:/home/e2e# chown wazuh:wazuh /var/ossec/etc/custom-sca-files/processcheck.yml

Edited ossec.conf with:

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy enabled="yes">/var/ossec/etc/custom-sca-files/processcheck.yml</policy>
    </policies>
  </sca>

Installed netcat:

root@ubuntu22:/home/e2e# apt install netcat
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  netcat
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 2,044 B of archives.
After this operation, 17.4 kB of additional disk space will be used.
Get:1 https://mirrors.edge.kernel.org/ubuntu jammy/universe amd64 netcat all 1.218-4ubuntu1 [2,044 B]
Fetched 2,044 B in 15s (132 B/s)                         
Selecting previously unselected package netcat.
(Reading database ... 76241 files and directories currently installed.)
Preparing to unpack .../netcat_1.218-4ubuntu1_all.deb ...
Unpacking netcat (1.218-4ubuntu1) ...
Setting up netcat (1.218-4ubuntu1) ...
Scanning processes...                                                                                                                                                  
Scanning linux images...                                                                                                                                               

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

image

After stopping the netcat command:

image

Windows 2016 🟢

image

  • Policy modified to match Windows Server 2016 instead of Windows 10

image
image

macOS Sonoma 🟢
sh-3.2# mkdir /Library/Ossec/etc/custom-sca-files/
sh-3.2# nano /Library/Ossec/etc/custom-sca-files/processcheck.yml
sh-3.2# nano /Library/Ossec/etc/ossec.conf 
sh-3.2# cat /Library/Ossec/etc/custom-sca-files/processcheck.yml
policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running processes on mac endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check macOS"
  description: "Requirements to verify that the endpoint is macOS."
  condition: any
  rules:
    - 'c:sw_vers -> r:^ProductName:\t*\s*macOS'

checks:
  - id: 10005
    title: "Ensure that netcat is not running on your endpoint"
    description: "Netcat is running on your endpoint."
    rationale: "Threat actors can use netcat to open ports on your endpoints or to connect to remote servers."
    remediation: "Kill the netcat process if confirmed to be malicious after further investigation."
    condition: none
    rules:
      - 'c:sh -c "ps -e -o command | grep -E \"^(nc|netcat) .*((-.*l.+[0-9]{1,5})|([0-9]{1,5}.*-.*l))\"" -> r:nc'
sh-3.2# grep "processcheck.yml" /Library/Ossec/etc/ossec.conf 
      <policy enabled="yes">/Library/Ossec/etc/custom-sca-files/processcheck.yml</policy>

image


Disable a used policy and confirm it is not used anymore

Ubuntu 22 🟢
root@ubuntu22:/home/e2e# systemctl restart wazuh-agent.service 
root@ubuntu22:/home/e2e# grep "disabled by configuration" /var/ossec/logs/ossec.log 
2024/01/15 14:33:39 sca: INFO: Policy '/var/ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.

image

Windows 2016 🟢

image

macOS Sonoma 🟢
sh-3.2# grep "processcheck.yml" /Library/Ossec/etc/ossec.conf 
      <policy enabled="no">/Library/Ossec/etc/custom-sca-files/processcheck.yml</policy>
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# grep "disabled by configuration" /Library/Ossec/logs/ossec.log 
2024/01/15 15:30:15 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.

image


Push SCA config through the centralized config and check it applies properly

Shared configuration for Debian, Ubuntu, and Windows endpoints
[root@fedora38server e2e]# nano /var/ossec/etc/shared/default/shared_custom_policy.yml
[root@fedora38server e2e]# cat /var/ossec/etc/shared/default/shared_custom_policy.yml
policy:
  id: "shared_custom_policy"
  file: "shared_custom_policy.yml"
  name: "Custom shared policy for centralized SCA test."
  description: "Review whether shared policy for SCA is working as expected"

checks:
  - id: 20000
    title: "Linux endpoint should have Wazuh installed"
    description: "Check that the Linux endpoint contains the Wazuh installation directory"
    condition: all
    rules:
      - 'd:/var/ossec'
[root@fedora38server e2e]# nano /var/ossec/etc/shared/default/agent.conf 
[root@fedora38server e2e]# cp /var/ossec/etc/shared/default/shared_custom_policy.yml /var/ossec/etc/shared/default/shared_custom_policy.txt
[root@fedora38server e2e]# cat /var/ossec/etc/shared/default/agent.conf 

<agent_config>

  <sca>
    <policies>
      <policy>etc/shared/shared_custom_policy.yml</policy>
      <policy>shared/shared_custom_policy.txt</policy>
    </policies>
  </sca>

</agent_config>
[root@fedora38server e2e]# systemctl restart wazuh-manager
[root@fedora38server e2e]# /var/ossec/bin/verify-agent-conf

verify-agent-conf: Verifying [etc/shared/default/agent.conf]
2024/01/15 16:15:12 sca: WARNING: File 'etc/shared/shared_custom_policy.yml' not found.
2024/01/15 16:15:12 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
verify-agent-conf: OK

Ubuntu 22 🟢
  • Enabled remote commands
root@ubuntu22:/home/e2e# nano /var/ossec/etc/local_internal_options.conf 
root@ubuntu22:/home/e2e# grep sca /var/ossec/etc/local_internal_options.conf 
sca.remote_commands=1
root@ubuntu22:/home/e2e# systemctl restart wazuh-agent.service 
root@ubuntu22:/home/e2e# grep "custom" /var/ossec/logs/ossec.log 
2024/01/15 16:07:54 sca: INFO: Loaded policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2024/01/15 16:08:03 sca: INFO: Starting evaluation of policy: '/var/ossec/etc/shared/shared_custom_policy.yml'
2024/01/15 16:08:06 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/shared_custom_policy.yml'

image

Debian 12 🟢
  • Enabled remote commands
root@debian12agent:~# nano /var/ossec/etc/local_internal_options.conf 
root@debian12agent:~# grep sca /var/ossec/etc/local_internal_options.conf 
sca.remote_commands=1
root@debian12agent:~# systemctl restart wazuh-agent.service 
root@debian12agent:~# grep "custom" /var/ossec/logs/ossec.log 
2024/01/15 16:07:59 sca: INFO: Loaded policy '/var/ossec/etc/shared/shared_custom_policy.yml'
2024/01/15 16:08:08 sca: INFO: Starting evaluation of policy: '/var/ossec/etc/shared/shared_custom_policy.yml'
2024/01/15 16:08:11 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/shared_custom_policy.yml'

image

Windows 2016 🟢

image

2024/01/15 16:17:11 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\shared\shared_custom_policy.txt'
2024/01/15 16:17:17 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\shared\shared_custom_policy.txt'
2024/01/15 16:17:20 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\shared\shared_custom_policy.txt'

image

macOS Sonoma 🟢
  • Added shared policy in the Wazuh manager
[root@ip-172-31-39-248 fedora]# nano /var/ossec/etc/shared/default/shared_custom_policy.yml
[root@ip-172-31-39-248 fedora]# cat /var/ossec/etc/shared/default/shared_custom_policy.yml
policy:
  id: "shared_custom_policy"
  file: "shared_custom_policy.yml"
  name: "Custom shared policy for centralized SCA test."
  description: "Review whether shared policy for SCA is working as expected"

checks:
  - id: 20000
    title: "Linux endpoint should have Wazuh installed"
    description: "Check that the Linux endpoint contains the Wazuh installation directory"
    condition: all
    rules:
      - 'd:/var/ossec'
  • Edited the agent.conf file and then restart the Wazuh manager
[root@ip-172-31-39-248 fedora]# cat /var/ossec/etc/shared/default/agent.conf 
<agent_config>
 
  <sca>
    <policies>
      <policy>etc/shared/shared_custom_policy.yml</policy>
    </policies>
  </sca>

</agent_config>
[root@ip-172-31-39-248 fedora]# systemctl restart wazuh-manager
[root@ip-172-31-39-248 fedora]# 
  • Apply remote commands in the Wazuh agent and restart it
sh-3.2# nano /Library/Ossec/etc/local_internal_options.conf 
sh-3.2# grep sca /Library/Ossec/etc/local_internal_options.conf 
sca.remote_commands=1
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
  • SCA policy appears and the check failed (expected)

image

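As an added example (not part of the report above and not Wazuh's own tooling), a POSIX sh pre-flight check for the three things the custom and shared policy steps turned out to depend on: the policy file is readable and has top-level `policy:` and `checks:` sections, its `<policy>` entry is referenced in the configuration and not `enabled="no"` (otherwise the agent logs "disabled by configuration"), and a policy served from the manager's `shared/` directory needs `sca.remote_commands=1` in `local_internal_options.conf`. All paths are parameters and the files used in the checks are assumed to be the agent's own; the `chown wazuh:wazuh` step from the report is not verified here.

```shell
#!/bin/sh
# Added example (not from the Wazuh project): pre-flight checks for a custom SCA
# policy before restarting the agent. Arguments:
#   $1  ossec.conf (local policy) or the pulled agent.conf (shared policy)
#   $2  absolute path of the policy file on the endpoint
#   $3  local_internal_options.conf
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_sca_policy() {
    conf="$1"; policy="$2"; lio="$3"; rc=0
    if [ ! -r "$policy" ]; then
        echo "FAIL: policy file $policy missing or unreadable"; rc=1
    elif ! grep -q '^policy:' "$policy" || ! grep -q '^checks:' "$policy"; then
        echo "FAIL: $policy lacks a top-level policy: or checks: section"; rc=1
    fi
    # Shared policies are referenced by a relative path (etc/shared/<file>), so
    # match the <policy> entry on the file name rather than the full path.
    entry=$(grep -F "$(basename "$policy")" "$conf" 2>/dev/null | grep '<policy' | head -n 1)
    if [ -z "$entry" ]; then
        echo "FAIL: $(basename "$policy") is not referenced by any <policy> entry in $conf"; rc=1
    elif echo "$entry" | grep -q 'enabled="no"'; then
        echo "FAIL: $policy is referenced but enabled=\"no\" (agent logs 'disabled by configuration')"; rc=1
    fi
    # Policies pushed through centralized configuration live under shared/ and
    # are only loaded when the agent allows remote commands.
    case "$policy" in
        *shared/*)
            if ! grep -q '^sca\.remote_commands=1' "$lio" 2>/dev/null; then
                echo "FAIL: shared policy needs sca.remote_commands=1 in $lio"; rc=1
            fi ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $policy"
    return "$rc"
}

# Usage on an Ubuntu agent like the one in the report (paths assumed):
# check_sca_policy /var/ossec/etc/ossec.conf \
#     /var/ossec/etc/custom-sca-files/processcheck.yml \
#     /var/ossec/etc/local_internal_options.conf
```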
@MarcelKemp
Member

LGTM, good job!
Still, I recommend, when using passwords, even if it's a one-time-use environment, getting used to not displaying them in public issues. In this case, it would be the indexer ones, as you can show the results without the password.

@rauldpm
Member

rauldpm commented Jan 17, 2024

As you said @MarcelKemp, those are random passwords generated by the WIA and the VMs used were not accessible to the Internet, I will take that into account the next time, thanks!

@davidjiglesias
Member Author

LGTM
