Release 4.8.0 - Alpha 2 - Specific systems #21394

wazuhci · 2024-01-11T16:41:08Z

Packages tests metrics information


Main release stage issue	#21386
Main packages metrics issue	#21388
Version	4.8.0
Release stage	Alpha 2
Tag	https://github.com/wazuh/wazuh/tree/v4.8.0-alpha2

Build packages

System	Status	Build
AIX	🟢	https://ci.wazuh.info/job/Packages_builder_special/916/
HPUX	🟢	https://ci.wazuh.info/job/Packages_builder_special/915/
S10 SPARC	🟢	https://ci.wazuh.info/job/Packages_builder_special/913/
S11 SPARC	🟢	https://ci.wazuh.info/job/Packages_builder_special/914
OVA	🟢	https://ci.wazuh.info/job/Packages_builder_OVA/330/
AMI	🟢	https://ci.wazuh.info/job/Packages_builder_ami/199

Test packages

System	Build	Install	Deployment install	Upgrade	Remove	TCP	UDP	Errors found	Warnings found	Alerts found	Check users
AIX	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
HPUX	🟢	🟢	---	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢
S10 SPARC	🟢	🟢	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
S11 SPARC	🟢	🟢	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
OVA	🟢	🟢	---	---	---	🟢	🟢	🟡	🟡	🟢	🟢
AMI	🟢	🟢	---	---	---	🟢	🟢	🟡	🟢	🟢	🟢

PPC64EL packages

System	Build	Install	Deployment install	Upgrade	Uninstall	Alerts	TCP	UDP	Errors	Warnings	System users
CentOS 7	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
Debian Stretch	🟢	🟢	🟢	🟢	🔴	🟢	🟢	🟢	🟢	🟢	🟢

OVA/AMI specific tests

System	Filebeat test	Cluster green/yellow	Production repositories	UI Access	No SSH root access	SSH user access	Wazuh dashboard/APP version	Dashboard/Indexer VERSION file
OVA	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
AMI	🟢	🟢	🟢	🔴	🟢	🟢	🟢	🟢

Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Ready to review
🟢 - Approved

Testing considerations

Testing on PPC64EL systems must be done inside a container.
- The container must be requested to CICD team using an internal-devel-request, with access through authorized keys and a specific password.
When testing on PPC64EL Debian, installing procps may be required if it is not present in the container.

Conclusion 🔴

New Issues

Known Issues

Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.

@davidjiglesias

The text was updated successfully, but these errors were encountered:

Deblintrake09 · 2024-01-12T10:15:20Z

Analysis Report - AMI 🟡

WUI 🔴

Loading Screen: OK
Login Screen: OK
Credentials: OK
Health Check 🔴
Overview OK

Logs 🟡

Wazuh Dashboard - journalctl 🟢

# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
Jan 12 10:01:26 wazuh-server opensearch-dashboards[5413]: {"type":"log","@timestamp":"2024-01-12T10:01:26Z","tags":["error","plugins","securityDashboards"],"pid":5413,"message":"Failed authentication: Error: Authentication Exception"}
Jan 12 10:00:54 wazuh-server opensearch-dashboards[5413]: {"type":"log","@timestamp":"2024-01-12T10:00:54Z","tags":["error","plugins","securityDashboards"],"pid":5413,"message":"Failed authentication: Error: Authentication Exception"}
Jan 12 10:00:46 wazuh-server opensearch-dashboards[5413]: {"type":"log","@timestamp":"2024-01-12T10:00:46Z","tags":["error","plugins","securityDashboards"],"pid":5413,"message":"Failed authentication: Error: Authentication Exception"}
Jan 12 09:59:42 wazuh-server opensearch-dashboards[5413]: {"type":"error","@timestamp":"2024-01-12T09:59:42Z","tags":["connection","client","error"],"pid":5413,"level":"error","error":{"message":"140511668950912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140511668950912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140511668950912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
Jan 12 09:55:40 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:40Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:38 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:38Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:35 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:35Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:33 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:33Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:30 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:30Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:28 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:28Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ResponseError]: Response Error"}
Jan 12 09:55:25 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:25Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:23 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:23Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:20 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:20Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:18 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:18Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:15 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:15Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 12 09:55:13 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:13Z","tags":["error","savedobjects-service"],"pid":2586,"message":"Unable to retrieve version information from OpenSearch nodes."}
Jan 12 09:55:13 wazuh-server opensearch-dashboards[2586]: {"type":"log","@timestamp":"2024-01-12T09:55:13Z","tags":["error","opensearch","data"],"pid":2586,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Wazuh Indexer - journalctl 🟡

# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager will be removed in a future release
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jan 12 09:54:24 wazuh-server systemd-entrypoint[3100]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager will be removed in a future release
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jan 12 09:54:09 wazuh-server systemd-entrypoint[3100]: WARNING: A terminally deprecated method in java.lang.System has been called

Wazuh Indexer - /var/logs/wazuh-indexer 🟢

# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:54:24,546Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1964m, -Xmx1964m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6518941897775988647, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1029701632, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:20,231Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:27,621Z", "level": "ERROR", "component": "o.o.i.i.ManagedIndexCoordinator", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:27,760Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,305Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,306Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,307Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,412Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,430Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,434Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:28,447Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,841Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,844Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,846Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:30,849Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,343Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,345Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,348Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:33,350Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,845Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,848Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,852Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:35,864Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,346Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,349Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,351Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:38,356Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,849Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,852Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,854Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-12T09:55:40,856Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "6nknf0IHRt2xJ3JhBbuuBw", "node.id": "N8JWbeeaR5KLBuioF3-HTA"  }
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:54:24,546][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1964m, -Xmx1964m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6518941897775988647, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=1029701632, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:20,231][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:27,621][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:27,760][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,305][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,306][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,307][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@64ef241] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,412][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,430][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,434][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:28,447][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,841][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,844][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,846][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:30,849][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,343][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,345][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,348][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:33,350][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,845][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,848][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,852][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:35,864][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,346][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,349][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,351][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:38,356][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,849][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,852][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,854][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-12T09:55:40,856][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)

Wazuh Server - /var/ossec/logs 🟢

# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log

Filebeat Test 🟢

# filebeat test output
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer Cluster 🟢

# curl -k -u admin:pass https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "6nknf0IHRt2xJ3JhBbuuBw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           17          97   5    0.03    0.15     0.31 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1


# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 16,
  "active_shards" : 16,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Users 🟢

# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard


# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

Versions 🟢

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="server"

# cat /usr/share/wazuh-indexer/VERSION 
4.8.0

# cat /usr/share/wazuh-dashboard/VERSION
4.8.0

# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.10.0",
  "branch": "2.x",
  "build": {
    "number": 48002,
    "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}

Processes 🟢

# ps -ef | grep wazuh
root      2864     1  0 09:53 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2904     1  0 09:53 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  3100     1  5 09:53 ?        00:01:06 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1964m -Xmx1964m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6518941897775988647 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=1029701632 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh     3495     1  0 09:54 ?        00:00:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     3496  3495  0 09:54 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     3499  3495  0 09:54 ?        00:00:03 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     3502  3495  0 09:54 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      3545     1  0 09:54 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     3562     1  0 09:54 ?        00:00:01 /var/ossec/bin/wazuh-db
root      3588     1  0 09:54 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     3604     1  0 09:54 ?        00:00:01 /var/ossec/bin/wazuh-analysisd
root      3617     1  0 09:54 ?        00:00:10 /var/ossec/bin/wazuh-syscheckd
wazuh     3635     1  0 09:54 ?        00:00:01 /var/ossec/bin/wazuh-remoted
root      3674     1  0 09:54 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     3727     1  0 09:54 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      3749     1  0 09:54 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
wazuh-d+  5413     1  1 09:55 ?        00:00:11 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root      5559  3140  0 09:55 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  5661  5559  0 09:55 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  5672  5661  0 09:55 pts/0    00:00:00 -bash
root      6353  6241  0 10:14 pts/0    00:00:00 grep --color=auto wazuh


# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

SSH Root Access Denied 🟢

$ ssh -i "Ephemeral.pem" root@MANAGER_IP
Please login as the user "wazuh-user" rather than the user "root".

SSH wazuh-user Access Allowed 🟢

$ ssh -i "Ephemeral.pem" wazuh-user@MANAGER_IP

wwwwww.           wwwwwww.          wwwwwww.
wwwwwww.          wwwwwww.          wwwwwww.
 wwwwww.         wwwwwwwww.        wwwwwww.
 wwwwwww.        wwwwwwwww.        wwwwwww.
  wwwwww.       wwwwwwwwwww.      wwwwwww.
  wwwwwww.      wwwwwwwwwww.      wwwwwww.
   wwwwww.     wwwwww.wwwwww.    wwwwwww.
   wwwwwww.    wwwww. wwwwww.    wwwwwww.
    wwwwww.   wwwwww.  wwwwww.  wwwwwww.
    wwwwwww.  wwwww.   wwwwww.  wwwwwww.
     wwwwww. wwwwww.    wwwwww.wwwwwww.
     wwwwwww.wwwww.     wwwwww.wwwwwww.
      wwwwwwwwwwww.      wwwwwwwwwwww.
      wwwwwwwwwww.       wwwwwwwwwwww.      oooooo
       wwwwwwwwww.        wwwwwwwwww.      oooooooo
       wwwwwwwww.         wwwwwwwwww.     oooooooooo
        wwwwwwww.          wwwwwwww.      oooooooooo
        wwwwwww.           wwwwwwww.       oooooooo
         wwwwww.            wwwwww.         oooooo


         WAZUH Open Source Security Platform
                  https://wazuh.com

Production Repositories 🟢

[wazuh-user@wazuh-server ~]$ cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1

Indexer - journalctl

Warnings Related to setSecurityManager
Reported: Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046 - Known issue

WUI

Health Check failed - wazuh-states-vulnerabilities index not found
New Issue reported in wazuh-states-vulnerabilities Index missing on Wazuh 4.8.0-alpha2 AIO Installations (AMI - OVA - AIO) #21413

jnasselle · 2024-01-15T14:56:08Z

Update

Environment provisioning pipelines
https://ci.wazuh.info/job/Packages_builder_special/923/
https://ci.wazuh.info/job/Packages_builder_special/922/
https://ci.wazuh.info/job/Packages_builder_special/921/
https://ci.wazuh.info/job/Packages_builder_special/920/

Deblintrake09 · 2024-01-15T16:13:35Z

Analysis report - OVA

OVA - Check system 🟢

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
[wazuh-user@wazuh-server ~]$ sudo su

OVA - Check Wazuh agent connection 🟢

Check Logs - Agent TCP connection

2024/01/15 16:43:11 wazuh-agent: INFO: Trying to connect to server ([192.168.1.136]:1514/tcp).
2024/01/15 16:43:11 wazuh-agent: INFO: (4102): Connected to the server ([192.168.1.136]:1514/tcp)

Check alerts

{"timestamp":"2024-01-15T15:43:29.317+0000","rule":{"level":9,"description":"SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0: Score less than 30% (27)","id":"19005","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Caprica","ip":"192.168.1.134"},"manager":{"name":"wazuh-server"},"id":"1705333409.2108934","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1279491199","policy":"CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11. Please note that the rules provide accurate results for Windows 11 Operating Systems with the System language set to English. The SCA policy will work with other languages but the results will be less accurate due to some of the rules that depend on the System language.","policy_id":"cis_win11_enterprise_22H2","passed":"128","failed":"331","invalid":"12","total_checks":"471","score":"27","file":"cis_win11_enterprise.yml"}},"location":"sca"}

Check logs - Agent UDP connection

      <protocol>udp</protocol>


2024/01/15 16:46:42 wazuh-agent: INFO: Trying to connect to server ([192.168.1.136]:1514/udp).
2024/01/15 16:46:43 wazuh-agent: INFO: (4102): Connected to the server ([192.168.1.136]:1514/udp)

Check alerts

{"timestamp":"2024-01-15T15:43:29.317+0000","rule":{"level":9,"description":"SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0: Score less than 30% (27)","id":"19005","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Caprica","ip":"192.168.1.134"},"manager":{"name":"wazuh-server"},"id":"1705333409.2108934","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1279491199","policy":"CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11. Please note that the rules provide accurate results for Windows 11 Operating Systems with the System language set to English. The SCA policy will work with other languages but the results will be less accurate due to some of the rules that depend on the System language.","policy_id":"cis_win11_enterprise_22H2","passed":"128","failed":"331","invalid":"12","total_checks":"471","score":"27","file":"cis_win11_enterprise.yml"}},"location":"sca"}

Wazuh processes 🟢

# ps aux | grep wazuh
wazuh-d+  2348  0.4  1.9 1025840 158880 ?      Ssl  13:28   0:35 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root      3538  0.0  0.0  98668  3700 ?        Ss   13:28   0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+  3805  1.7 58.2 8295196 4746924 ?     Ssl  13:28   2:31 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3981m -Xmx3981m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-10104280001518864660 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2087714816 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root      3816  0.0  0.0  86424  3752 ?        Ss   13:28   0:00 login -- wazuh-user
wazuh     4811  0.0  1.2 999296 102232 ?       Sl   13:28   0:03 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     4818  0.0  0.7 279088 59288 ?        S    13:28   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     4823  0.0  0.9 439448 75080 ?        S    13:28   0:01 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     4826  0.0  0.6 572728 57020 ?        S    13:28   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      4941  0.0  0.0 260292  5800 ?        Sl   13:28   0:08 /var/ossec/bin/wazuh-authd
wazuh     5331  0.2  0.2 943156 19500 ?        Sl   13:28   0:20 /var/ossec/bin/wazuh-db
root      5608  0.0  0.0  38940  3832 ?        Sl   13:28   0:00 /var/ossec/bin/wazuh-execd
wazuh     6083  0.0  0.4 1440072 38204 ?       Sl   13:28   0:05 /var/ossec/bin/wazuh-analysisd
root      6636  0.1  0.1 357788 11644 ?        SNl  13:28   0:10 /var/ossec/bin/wazuh-syscheckd
wazuh     6909  0.0  0.1 1231164 12052 ?       Sl   13:28   0:06 /var/ossec/bin/wazuh-remoted
wazuh-u+  7052  0.0  0.0 124864  3996 tty1     Ss+  13:28   0:00 -bash
root      7401  0.0  0.0 481452  4976 ?        Sl   13:28   0:01 /var/ossec/bin/wazuh-logcollector
wazuh     7671  0.0  0.0  39028  3860 ?        Sl   13:28   0:00 /var/ossec/bin/wazuh-monitord
root      7960  0.0  0.8 594084 66064 ?        Sl   13:28   0:03 /var/ossec/bin/wazuh-modulesd
root     14725  0.0  0.0 119416  1000 pts/0    S+   15:50   0:00 grep --color=auto wazuh
root     19304  0.0  0.1 150628  9068 ?        Ss   13:29   0:00 sshd: wazuh-user [priv]
wazuh-u+ 19307  0.0  0.0 151332  5352 ?        S    13:29   0:00 sshd: wazuh-user@pts/0
wazuh-u+ 19308  0.0  0.0 124864  4268 pts/0    Ss   13:29   0:00 -bash

Versions 🟢

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="server"

# cat /usr/share/wazuh-indexer/VERSION
4.8.0
# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.10.0",
  "branch": "2.x",
  "build": {
    "number": 48002,
    "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}

Users 🟢

# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard

# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

OVA - WUI 🟢

Loading screen
Login screen
Expected failure. Check vulnerabilities index pattern
Known Issue wazuh-states-vulnerabilities Index missing on Wazuh 4.8.0-alpha2 AIO Installations (AMI - OVA - AIO) #21413
Main menu

Dark mode

Main menu

OVA - Logs 🟡 :

Wazuh Dashboard - Journalctl 🟡

Known Issue Multiple messages in Wazuh indexer wazuh-cluster.log file asking to run securityadmin after reboot wazuh-packages#1582

# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
Jan 15 15:57:24 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:57:24Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:56:17 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:56:17Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:56:17 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:56:17Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:56:17 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:56:17Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:56:17 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:56:17Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:56:17 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:56:17Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:55:00 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T15:55:00Z","tags":["error","opensearch","data"],"pid":2348,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2024.3w/MfaffVPlTNqCV4kEWojxFQ] already exists"}
Jan 15 15:53:52 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:53:52Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:47 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:47Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:47 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:47Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:47 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:47Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:47 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:47Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:47 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:47Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:47 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:47Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 15:52:40 wazuh-server opensearch-dashboards[2348]: {"type":"error","@timestamp":"2024-01-15T15:52:40Z","tags":["connection","client","error"],"pid":2348,"level":"error","error":{"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","name":"Error","stack":"Error: 140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140655976675200:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 46\n"}
Jan 15 13:28:37 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T13:28:37Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 13:28:35 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T13:28:35Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:31 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:31Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:29 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:29Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:26 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:26Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:24 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:24Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:21 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:21Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:19 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:19Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Jan 15 14:28:16 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:16Z","tags":["error","savedobjects-service"],"pid":2348,"message":"Unable to retrieve version information from OpenSearch nodes."}
Jan 15 14:28:16 wazuh-server opensearch-dashboards[2348]: {"type":"log","@timestamp":"2024-01-15T14:28:16Z","tags":["error","opensearch","data"],"pid":2348,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Wazuh Indexer - Journalctl 🟡

# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
Jan 15 14:28:18 wazuh-server systemd-entrypoint[3805]: WARNING: System::setSecurityManager will be removed in a future release
Jan 15 14:28:18 wazuh-server systemd-entrypoint[3805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jan 15 14:28:18 wazuh-server systemd-entrypoint[3805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jan 15 14:28:18 wazuh-server systemd-entrypoint[3805]: WARNING: A terminally deprecated method in java.lang.System has been called
Jan 15 14:28:16 wazuh-server systemd-entrypoint[3805]: WARNING: System::setSecurityManager will be removed in a future release
Jan 15 14:28:16 wazuh-server systemd-entrypoint[3805]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jan 15 14:28:16 wazuh-server systemd-entrypoint[3805]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jan 15 14:28:16 wazuh-server systemd-entrypoint[3805]: WARNING: A terminally deprecated method in java.lang.System has been called

Expected errors:

Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046

Wazuh Indexer - /var/logs/wazuh-indexer 🟡

/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T14:00:12,978][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-7118627300260076941, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:31,544][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:35,561][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:35,992][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:36,003][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:36,013][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:36,017][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:00:36,021][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T14:28:18,517][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10104280001518864660, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T14:28:33,090][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-01-15T13:28:38,698][ERROR][o.o.i.i.ManagedIndexCoordinator] [node-1] Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T14:00:12,978Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-7118627300260076941, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:31,544Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:35,561Z", "level": "ERROR", "component": "o.o.i.i.ManagedIndexCoordinator", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:35,992Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:36,003Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:36,013Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:36,017Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:00:36,021Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T14:28:18,517Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10104280001518864660, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T14:28:33,090Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-01-15T13:28:38,698Z", "level": "ERROR", "component": "o.o.i.i.ManagedIndexCoordinator", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failed to get ISM policies with templates: Failed to execute phase [query], all shards failed", "cluster.uuid": "JhLZQROCTLeDXIPPfNT96A", "node.id": "eAbbe5L3SfSXASpPBfrzqw"  }

Expected error logs

Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511

Wazuh Server - /var/ossec/logs 🟢

[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/01/15 15:42:51 :router: ERROR: Error sending message to provider: Error parsing message, 1: 577: error: invalid number: "-1", constant does not fit [0; 4294967295]
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
1

OVA - Filebeat Tests 🟢

# filebeat test output

elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

OVA - Wazuh Indexer Cluster 🟢

# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "JhLZQROCTLeDXIPPfNT96A",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           33          81   0    0.14    0.04     0.01 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 17,
  "active_shards" : 17,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

OVA - No root ssh access 🟢

➜  ~ ssh root@192.168.1.136
root@192.168.1.136's password: 
Permission denied, please try again.
root@192.168.1.136's password: 
Received disconnect from 192.168.1.136 port 22:2: Too many authentication failures
Disconnected from 192.168.1.136 port 22

damarisg · 2024-01-15T18:44:43Z

Analysis Report - Solaris 11 SPARC

System Info 🟢

xbmk@sossp104:~$ hostname
sossp104
xbmk@sossp104:~$  uname -a
SunOS sossp104 5.11 11.3 sun4v sparc sun4v

Installation 🟢

Installation

xbmk@sossp104:~$ curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.8.0-sol11-sparc.p5p
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                              Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:  0 6320k    0 29683    0     0  49676      0  0:02:10 --:--:--  0:02:100 6320k  100 6320k    0     0  5478k      0  0:00:01  0:00:01 --:--:-- 5787k

root@sossp104:~#  pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
        Packages to install:  1
         Services to change:  1
    Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1       119/119      5.8/5.8 28.3M/s

PHASE                                          ITEMS
Installing new actions                       175/175
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@sossp104:~#

Change Agent IP

root@sossp104:~# vi /var/ossec/etc/ossec.conf
root@sossp104:~# cat /var/ossec/etc/ossec.conf | grep address
   <address>xx.xxx.xx.xxx</address>

Start Agent

root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~#

Agent Info

root@sossp104:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@sossp104:~#

Check Agent in Manager

root@ip-xxx-xx-xx-xxx:/home/ubuntu# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
Agent ID:   010
Agent Name: sossp104
IP address: any
Status:     Active

Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
Client version:      Wazuh v4.8.0
Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
Shared file hash:    4a8724b20dee0124ff9656783c490c4e
Last keep alive:     1705344677

Syscheck last started at:  Mon Jan 15 18:45:17 2024
Syscheck last ended at:    Mon Jan 15 18:45:38 2024

root@ip-xxx-xx-xx-xxx:/home/ubuntu#

No Errors Present in the Agent

root@sossp104:~# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
    0

No Errors Present in the Manager

root@ip-xxx-xx-xx-xxx:/home/ubuntu#  grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
    0

Check Users and Groups 🟢

root@sossp104:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp104:~# cat /etc/group | grep wazuh
wazuh::13:
root@sossp104:~#

Generate Alerts 🟢

TCP 🟢

Agent is Connected Through TCP

root@sossp104:~# grep -i "tcp" /var/ossec/logs/ossec.log
2024/01/15 12:45:09 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp).
2024/01/15 12:45:09 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp).
2024/01/15 12:45:16 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/tcp).
2024/01/15 12:45:16 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/tcp).

Alerts are correctly generated for the agent - Expected logs

root@ip-xxx-xx-xx-xxx:/home/ubuntu# grep sossp104 /var/ossec/logs/alerts/alerts.json
{"timestamp":"2024-01-15T18:45:30.559+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344330.98131","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:34.739+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-172-31-43-159"},"id":"1705344334.98402","full_log":"ossec: Agent stopped: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-remoted"}
{"timestamp":"2024-01-15T18:45:37.108+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344337.98729","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:44.954+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99054","full_log":"Trojaned version of file '/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:44.981+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99453","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:47.750+0000","rule":{"level":7,"description":"CVE-2011-0064 affects pango","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.99860","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2011-0064","cvss":{"cvss2":{"base_score":"6.800000","vector":{"access_complexity":"MEDIUM","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"enumeration":"CVE","package":{"architecture":"sparc","condition":"Package equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-03-07T21:00:01Z","rationale":"The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.","reference":"http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9, https://bugzilla.redhat.com/show_bug.cgi?id=678563, https://build.opensuse.org/request/show/63070, http://secunia.com/advisories/43559, http://secunia.com/advisories/43572, http://secunia.com/advisories/43578, http://www.vupen.com/english/advisories/2011/0543, http://www.vupen.com/english/advisories/2011/0555, http://www.vupen.com/english/advisories/2011/0558, http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056065.html, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://secunia.com/advisories/43800, http://securitytracker.com/id?1025145, http://www.debian.org/security/2011/dsa-2178, http://www.mandriva.com/security/advisories?name=MDVSA-2011:040, http://www.redhat.com/support/errata/RHSA-2011-0309.html, http://www.securityfocus.com/bid/46632, http://www.ubuntu.com/usn/USN-1082-1, http://www.vupen.com/english/advisories/2011/0584, http://www.vupen.com/english/advisories/2011/0683, https://bugzilla.mozilla.org/show_bug.cgi?id=606997, https://bugzilla.novell.com/show_bug.cgi?id=672502, https://exchange.xforce.ibmcloud.com/vulnerabilities/65770","severity":"Medium","status":"Active","title":"CVE-2011-0064 affects pango","type":"Packages","updated":"2021-07-14T15:41:29Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-15T18:45:47.760+0000","rule":{"level":10,"description":"CVE-2011-0020 affects pango","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.104757","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"redhat","cve":"CVE-2011-0020","cvss":{"cvss2":{"base_score":"7.600000","vector":{"access_complexity":"HIGH","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE"}}},"cwe_reference":"CWE-119","enumeration":"CVE","package":{"architecture":"sparc","condition":"Package less than or equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-01-24T18:00:03Z","rationale":"Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.","reference":"http://openwall.com/lists/oss-security/2011/01/18/6, http://openwall.com/lists/oss-security/2011/01/20/2, https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616, https://bugzilla.redhat.com/show_bug.cgi?id=671122, http://www.vupen.com/english/advisories/2011/0186, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://osvdb.org/70596, http://secunia.com/advisories/42934, http://secunia.com/advisories/43100, http://www.redhat.com/support/errata/RHSA-2011-0180.html, http://www.securityfocus.com/bid/45842, http://www.securitytracker.com/id?1024994, http://www.vupen.com/english/advisories/2011/0238, https://bugzilla.gnome.org/show_bug.cgi?id=639882, https://exchange.xforce.ibmcloud.com/vulnerabilities/64832","severity":"High","status":"Active","title":"CVE-2011-0020 affects pango","type":"Packages","updated":"2023-02-13T03:22:38Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-15T18:45:48.315+0000","rule":{"level":3,"description":"CIS Benchmark for Oracle Solaris 11 v1.1.0: Disable Local-only Graphical Login Environment","id":"19008","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["2.1"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344348.108826","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"27726","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","check":{"id":"8000","title":"Disable Local-only Graphical Login Environment","description":"The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode.","rationale":"This service should be disabled if it is not required.","remediation":"To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default","compliance":{"cis":"2.1"},"command":["svcs -xv svc:/application/graphical-login/gdm:default"],"result":"passed"}}},"location":"sca"}

No Errors in Agent Logs

    root@sossp104:~# grep -i "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
    0
root@sossp104:~#

UDP🟢

Agent is Connected Through UDP

    
root@sossp104:~# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
root@sossp104:~#  grep udp /var/ossec/etc/ossec.conf
     <protocol>udp</protocol>
root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.      

root@sossp104:~# grep "udp" /var/ossec/logs/ossec.log
2024/01/15 13:11:59 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xx.xxx]:1514/udp).
2024/01/15 13:11:59 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xx.xxx]:1514/udp).

Alerts are Correctly Generated for the Agent

root@ip-xxx-xx-xx-xxx:/home/ubuntu# grep sossp104 /var/ossec/logs/alerts/alerts.json
{"timestamp":"2024-01-15T18:45:30.559+0000","rule":{"level":3,"description":"New wazuh agent connected.","id":"501","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-172-31-43-159"},"id":"1705344330.98131","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:34.739+0000","rule":{"level":3,"description":"Wazuh agent stopped.","id":"506","mitre":{"id":["T1562.001"],"tactic":["Defense Evasion"],"technique":["Disable or Modify Tools"]},"firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344334.98402","full_log":"ossec: Agent stopped: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-remoted"}
{"timestamp":"2024-01-15T18:45:37.108+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"010","name":"sossp104"},"manager":{"name":"ip-172-31-43-159"},"id":"1705344337.98729","full_log":"ossec: Agent started: 'sossp104->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"sossp104->any"},"location":"wazuh-agent"}
{"timestamp":"2024-01-15T18:45:44.954+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99054","full_log":"Trojaned version of file '/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:44.981+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344344.99453","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
{"timestamp":"2024-01-15T18:45:47.750+0000","rule":{"level":7,"description":"CVE-2011-0064 affects pango","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":"sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.99860","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2011-0064","cvss":{"cvss2":{"base_score":"6.800000","vector":{"access_complexity":"MEDIUM","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"enumeration":"CVE","package":{"architecture":"sparc","condition":"Package equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-03-07T21:00:01Z","rationale":"The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.","reference":"http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9, https://bugzilla.redhat.com/show_bug.cgi?id=678563, https://build.opensuse.org/request/show/63070, http://secunia.com/advisories/43559, http://secunia.com/advisories/43572, http://secunia.com/advisories/43578, http://www.vupen.com/english/advisories/2011/0543, http://www.vupen.com/english/advisories/2011/0555, http://www.vupen.com/english/advisories/2011/0558, http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056065.html, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://secunia.com/advisories/43800, http://securitytracker.com/id?1025145, http://www.debian.org/security/2011/dsa-2178, http://www.mandriva.com/security/advisories?name=MDVSA-2011:040, http://www.redhat.com/support/errata/RHSA-2011-0309.html, http://www.securityfocus.com/bid/46632, http://www.ubuntu.com/usn/USN-1082-1, http://www.vupen.com/english/advisories/2011/0584, http://www.vupen.com/english/advisories/2011/0683, https://bugzilla.mozilla.org/show_bug.cgi?id=606997, https://bugzilla.novell.com/show_bug.cgi?id=672502, https://exchange.xforce.ibmcloud.com/vulnerabilities/65770","severity":"Medium","status":"Active","title":"CVE-2011-0064 affects pango","type":"Packages","updated":"2021-07-14T15:41:29Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-15T18:45:47.760+0000","rule":{"level":10,"description":"CVE-2011-0020 affects pango","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"010","name":sossp104","ip":"yyy.yyy.yyy.yyy"},"manager":{"name":"ip-xxx-xx-xx-xxx"},"id":"1705344347.104757","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"redhat","cve":"CVE-2011-0020","cvss":{"cvss2":{"base_score":"7.600000","vector":{"access_complexity":"HIGH","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"COMPLETE","integrity_impact":"COMPLETE"}}},"cwe_reference":"CWE-119","enumeration":"CVE","package":{"architecture":"sparc","condition":"Package less than or equal to 1.28.3","name":"pango","source":" ","version":"1.28.3"},"published":"2011-01-24T18:00:03Z","rationale":"Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.","reference":"http://openwall.com/lists/oss-security/2011/01/18/6, http://openwall.com/lists/oss-security/2011/01/20/2, https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616, https://bugzilla.redhat.com/show_bug.cgi?id=671122, http://www.vupen.com/english/advisories/2011/0186, http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html, http://osvdb.org/70596, http://secunia.com/advisories/42934, http://secunia.com/advisories/43100, http://www.redhat.com/support/errata/RHSA-2011-0180.html, http://www.securityfocus.com/bid/45842, http://www.securitytracker.com/id?1024994, http://www.vupen.com/english/advisories/2011/0238, https://bugzilla.gnome.org/show_bug.cgi?id=639882, https://exchange.xforce.ibmcloud.com/vulnerabilities/64832","severity":"High","status":"Active","title":"CVE-2011-0020 affects pango","type":"Packages","updated":"2023-02-13T03:22:38Z"}},"location":"vulnerability-detector"}

No Errors in Agent Logs

root@sossp104:~# grep -i "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
    0

Removal 🟢

root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
root@sossp104:~# pkg uninstall wazuh-agent
         Packages to remove:  1
         Services to change:  1
    Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         222/222
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240115T132031Z
ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240115T132031Z
ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240115T132031Z
ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240115T132031Z
ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240115T132031Z
ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240115T132031Z
ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240115T132031Z
ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240115T132031Z
ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240115T132031Z
ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240115T132031Z
root@sossp104:~# groupdel wazuh
root@sossp104:~#

Upgrade from 4.7.2 to 4.8.0 🟢

Install wazuh 4.7.2 on agent

root@sossp104:~# curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.7.2-sol11-
sparc.p5p
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                              Dload  Upload   Total   Spent    Left  Speed
100 6270k  100 6270k    0     0  5805k      0  0:00:01  0:00:01 --:--:-- 5977k
root@sossp104:~# pkg install -g wazuh-agent_v4.7.2-sol11-sparc.p5p wazuh-agent
        Packages to install:  1
         Services to change:  1
    Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         98/98      5.8/5.8 32.9M/s

PHASE                                          ITEMS
Installing new actions                       151/151
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

Change IP

root@sossp104:~# vi /var/ossec/etc/ossec.conf
root@sossp104:~# cat /var/ossec/etc/ossec.conf | grep address
   <address>xx.xxx.xx.xxx</address>
root@sossp104:~#

Start Agent

root@sossp104:~#  /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Check Wazuh Manager

root@ip-xxx-xx-xx-xxx:/home/ubuntu# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
Agent ID:   011
Agent Name: sossp104
IP address: any
Status:     Active

Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
Client version:      Wazuh v4.7.2
Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
Shared file hash:    4a8724b20dee0124ff9656783c490c4e
Last keep alive:     1705405240

Syscheck last started at:  Tue Jan 16 11:37:32 2024
Syscheck last ended at:    Tue Jan 16 11:37:39 2024

root@ip-xxx-xx-xx-xxx:/home/ubuntu#

Upgrade to Wazuh 4.8.0

root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
         Packages to update:   1
    Create boot environment:  No
Create backup boot environment: Yes

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         57/57      5.0/5.0 41.1M/s

PHASE                                          ITEMS
Installing new actions                         24/24
Updating modified actions                      38/38
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

Check and restart Status

root@sossp104:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Check Manager

root@ip-xxx-xx-xx-xxx:/home/ubuntu# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
Agent ID:   011
Agent Name: sossp104
IP address: any
Status:     Active

Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
Client version:      Wazuh v4.8.0
Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
Shared file hash:    4a8724b20dee0124ff9656783c490c4e
Last keep alive:     1705405620

Syscheck last started at:  Tue Jan 16 11:46:32 2024
Syscheck last ended at:    Tue Jan 16 11:46:39 2024

root@ip-xxx-xx-xx-xxx:/home/ubuntu#

rauldpm · 2024-01-15T19:55:30Z

Analysis report - PPC64EL 🔴

Resources: https://github.com/wazuh/internal-devel-requests/issues/695 🟢

CentOS 7 🟢

System info

[root@73fa8c7b1b7c ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@73fa8c7b1b7c ~]# hostname
73fa8c7b1b7c

Fresh install 🟢

Install 🟢

[root@73fa8c7b1b7c ~]# rpm --import https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
[root@73fa8c7b1b7c ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
[root@73fa8c7b1b7c ~]# WAZUH_MANAGER="xxx" yum install wazuh-agent
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirrors.xtom.com
* extras: mirrors.ocf.berkeley.edu
* updates: mirrors.xtom.com
wazuh                                                                                                 | 3.4 kB  00:00:00     
wazuh/primary_db                                                                                      | 440 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================
Package                          Arch                         Version                      Repository                  Size
=============================================================================================================================
Installing:
wazuh-agent                      ppc64le                      4.8.0-1                      wazuh                      6.9 M

Transaction Summary
=============================================================================================================================
Install  1 Package

Total download size: 6.9 M
Installed size: 33 M
Is this ok [y/d/N]: y
Downloading packages:
wazuh-agent-4.8.0-1.ppc64le.rpm                                                                       | 6.9 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.8.0-1.ppc64le                                                                               1/1 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                                               1/1 

Installed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                                              

Complete!

[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
[root@73fa8c7b1b7c ~]# grep address /var/ossec/etc/ossec.conf 
    <address>xxx</address>

[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@73fa8c7b1b7c ~]# ps -ef | grep wazuh
root       881     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh      893     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root       907     1  1 16:41 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root       922     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root       939     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      1311    19  0 16:41 pts/0    00:00:00 grep --color=auto wazuh

Wazuh manager connection 🟢

root@ip-172-31-82-18:/home/ubuntu# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
  Agent ID:   001
  Agent Name: 73fa8c7b1b7c
  IP address: any
  Status:     Active

  Operating system:    Linux |73fa8c7b1b7c |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
  Client version:      Wazuh v4.8.0
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705423323

  Syscheck last started at:  Tue Jan 16 16:41:34 2024
  Syscheck last ended at:    Tue Jan 16 16:41:57 2024

Check Users and Groups 🟢

[root@73fa8c7b1b7c ~]# grep wazuh /etc/passwd
wazuh:x:999:997::/var/ossec:/sbin/nologin
[root@73fa8c7b1b7c ~]# grep wazuh /etc/group
wazuh:x:997:wazuh

Generate Alerts 🟢

** Alert 1705423298.1992783: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2>
2024 Jan 16 16:41:38 (73fa8c7b1b7c) any->vulnerability-detector
Rule: 23503 (level 5) -> 'CVE-2021-36086 affects libsepol'
{"vulnerability":{"assigner":"mitre","cve":"CVE-2021-36086","cvss":{"cvss2":{"bas>
vulnerability.assigner: mitre
vulnerability.cve: CVE-2021-36086
vulnerability.cvss.cvss2.base_score: 2.100000
vulnerability.cvss.cvss2.vector.access_complexity: LOW
vulnerability.cvss.cvss2.vector.authentication: NONE
vulnerability.cvss.cvss2.vector.availability: PARTIAL
vulnerability.cvss.cvss2.vector.confidentiality_impact: NONE
vulnerability.cvss.cvss2.vector.integrity_impact: NONE
vulnerability.cwe_reference: CWE-416
vulnerability.enumeration: CVE
vulnerability.package.architecture: ppc64le
vulnerability.package.condition: Package less than 2.9-3.el8.aarch64
vulnerability.package.name: libsepol
vulnerability.package.source:
vulnerability.package.version: 2.5-10.el7
vulnerability.published: 2021-07-01T03:15:08Z
vulnerability.rationale: The CIL compiler in SELinux 3.2 has a use-after-free in >
vulnerability.reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32>
vulnerability.severity: Low
vulnerability.status: Active
vulnerability.title: CVE-2021-36086 affects libsepol
vulnerability.type: Packages

TCP 🟢

[root@73fa8c7b1b7c ~]# grep protocol /var/ossec/etc/ossec.conf 
      <protocol>tcp</protocol>
[root@73fa8c7b1b7c ~]# grep tcp /var/ossec/logs/ossec.log 
2024/01/16 16:41:27 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 16:41:27 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/16 16:41:33 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 16:41:33 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).

UDP 🟢

[root@73fa8c7b1b7c ~]# sed -i "s/tcp/udp/g" /var/ossec/etc/ossec.conf 
[root@73fa8c7b1b7c ~]# grep protocol /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>
[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@73fa8c7b1b7c ~]# grep udp /var/ossec/logs/ossec.log 
2024/01/16 16:50:18 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/udp).
2024/01/16 16:50:18 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/udp).

Logs 🟢

Expected errors due to Wazuh manager protocol change

[root@73fa8c7b1b7c ~]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
3
[root@73fa8c7b1b7c ~]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/01/16 16:49:21 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/16 16:49:21 wazuh-agentd: ERROR: (1216): Unable to connect to '[xxx]:1514/tcp': 'Connection refused'.
2024/01/16 16:49:32 wazuh-agentd: ERROR: (1216): Unable to connect to '[xxx]:1514/tcp': 'Connection refused'.

Removal 🟢

[root@73fa8c7b1b7c ~]# yum remove wazuh-agent
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================
 Package                         Arch                        Version                        Repository                  Size
=============================================================================================================================
Removing:
 wazuh-agent                     ppc64le                     4.8.0-1                        @wazuh                      33 M

Transaction Summary
=============================================================================================================================
Remove  1 Package

Installed size: 33 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : wazuh-agent-4.8.0-1.ppc64le                                                                               1/1 
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                                               1/1 

Removed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                                              

Complete!

[root@73fa8c7b1b7c ~]# ls -l /var/ossec/
total 4
drwxrwx---. 2 999 997 4096 Jan 16 16:55 etc
[root@73fa8c7b1b7c ~]# ls -l /var/ossec/etc/
total 12
-rw-r-----. 1  999 997   86 Jan 16 16:41 client.keys.rpmsave
-rw-rw----. 1 root 997 5173 Jan 16 16:49 ossec.conf.rpmsave

[root@73fa8c7b1b7c ~]# grep -R wazuh /etc/
/etc/passwd-:wazuh:x:999:997::/var/ossec:/sbin/nologin
/etc/gshadow-:wazuh:!::wazuh
/etc/yum.repos.d/wazuh.repo:[wazuh]
/etc/yum.repos.d/wazuh.repo:gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
/etc/yum.repos.d/wazuh.repo:baseurl=https://packages-dev.wazuh.com/pre-release/yum/
/etc/group-:wazuh:x:997:wazuh
/etc/shadow-:wazuh:!!:19738::::::

Upgrade from 4.7.2 🟢

Upgrade 🟢

Install 4.7.2

[root@73fa8c7b1b7c ~]# curl -sO https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.2-1.ppc64le.rpm
[root@73fa8c7b1b7c ~]# WAZUH_MANAGER="xxx" yum localinstall wazuh-agent-4.7.2-1.ppc64le.rpm 
Loaded plugins: fastestmirror, ovl
Examining wazuh-agent-4.7.2-1.ppc64le.rpm: wazuh-agent-4.7.2-1.ppc64le
Marking wazuh-agent-4.7.2-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================
Package                    Arch                   Version                 Repository                                   Size
=============================================================================================================================
Installing:
wazuh-agent                ppc64le                4.7.2-1                 /wazuh-agent-4.7.2-1.ppc64le                 32 M

Transaction Summary
=============================================================================================================================
Install  1 Package

Total size: 32 M
Installed size: 32 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.7.2-1.ppc64le                                                                               1/1 
  Verifying  : wazuh-agent-4.7.2-1.ppc64le                                                                               1/1 

Installed:
  wazuh-agent.ppc64le 0:4.7.2-1                                                                                              

Complete!

[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@73fa8c7b1b7c ~]# ps -ef | grep wazuh
root      3471     1  0 17:31 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     3483     1  0 17:31 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      3497     1  0 17:31 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      3511     1  0 17:31 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      3529     1  1 17:31 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      3914    19  0 17:31 pts/0    00:00:00 grep --color=auto wazuh

root@ip-172-31-82-18:/home/ubuntu# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
  Agent ID:   003
  Agent Name: 73fa8c7b1b7c
  IP address: any
  Status:     Active

  Operating system:    Linux |73fa8c7b1b7c |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
  Client version:      Wazuh v4.7.2
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705428512

  Syscheck last started at:  Tue Jan 16 17:31:33 2024
  Syscheck last ended at:    Tue Jan 16 17:31:35 2024

[root@73fa8c7b1b7c ~]# yum upgrade wazuh-agent
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirrors.xtom.com
* extras: mirrors.ocf.berkeley.edu
* updates: mirrors.xtom.com
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.2-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================
Package                          Arch                         Version                      Repository                  Size
=============================================================================================================================
Updating:
wazuh-agent                      ppc64le                      4.8.0-1                      wazuh                      6.9 M

Transaction Summary
=============================================================================================================================
Upgrade  1 Package

Total download size: 6.9 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-agent-4.8.0-1.ppc64le.rpm                                                                       | 6.9 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-agent-4.8.0-1.ppc64le                                                                               1/2 
  Cleanup    : wazuh-agent-4.7.2-1.ppc64le                                                                               2/2 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                                               1/2 
  Verifying  : wazuh-agent-4.7.2-1.ppc64le                                                                               2/2 

Updated:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                                              

Complete!
[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
[root@73fa8c7b1b7c ~]# ps -ef | grep wazuh
root      4806     1  0 18:09 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     4818     1  0 18:09 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      4833     1 13 18:09 ?        00:00:07 /var/ossec/bin/wazuh-syscheckd
root      4848     1  0 18:09 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      4869     1  0 18:09 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      5334    19  0 18:10 pts/0    00:00:00 grep --color=auto wazuh

root@ip-172-31-82-18:/home/ubuntu# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
  Agent ID:   003
  Agent Name: 73fa8c7b1b7c
  IP address: any
  Status:     Active

  Operating system:    Linux |73fa8c7b1b7c |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
  Client version:      Wazuh v4.8.0
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705428671

  Syscheck last started at:  Tue Jan 16 18:09:52 2024
  Syscheck last ended at:    Tue Jan 16 18:09:54 2024

Check Users and Groups 🟢

[root@73fa8c7b1b7c ~]# grep wazuh /etc/passwd
wazuh:x:999:997::/var/ossec:/sbin/nologin
[root@73fa8c7b1b7c ~]# grep wazuh /etc/group
wazuh:x:997:wazuh

Generate Alerts 🟢

** Alert 1705428623.10893461: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2024 Jan 16 18:10:23 (73fa8c7b1b7c) any->sca
Rule: 19004 (level 7) -> 'SCA summary: CIS CentOS Linux 7 Benchmark v3.1.2.: Score less than 50% (38)'
{"type":"summary","scan_id":1354737437,"name":"CIS CentOS Linux 7 Benchmark v3.1.2.","policy_id":"cis_centos7_linux","file":"cis_centos7_linux.yml","description":"This document provides prescriptive guidance fo>
sca.type: summary
sca.scan_id: 1354737437
sca.policy: CIS CentOS Linux 7 Benchmark v3.1.2.
sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7.
sca.policy_id: cis_centos7_linux
sca.passed: 58
sca.failed: 91
sca.invalid: 47
sca.total_checks: 196
sca.score: 38
sca.file: cis_centos7_linux.yml

TCP 🟢

[root@73fa8c7b1b7c ~]# grep protocol /var/ossec/etc/ossec.conf 
    <protocol>tcp</protocol>
[root@73fa8c7b1b7c ~]# grep tcp /var/ossec/logs/ossec.log 
2024/01/16 17:31:25 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 17:31:26 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/16 17:31:32 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 17:31:32 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/16 18:09:51 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 18:09:51 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).

UDP 🟢

[root@73fa8c7b1b7c ~]# sed -i "s/tcp/udp/g" /var/ossec/etc/ossec.conf
[root@73fa8c7b1b7c ~]# grep protocol /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>
[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@73fa8c7b1b7c ~]# grep udp /var/ossec/logs/ossec.log 
2024/01/16 18:16:32 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/udp).
2024/01/16 18:16:32 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/udp).

Logs 🟢

[root@73fa8c7b1b7c ~]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
0

Debian Stretch 🔴

System info

root@f56fb668a773:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@f56fb668a773:~# hostname
f56fb668a773

Fresh install 🟢

Install 🟢

root@f56fb668a773:~# curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@f56fb668a773:~# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@f56fb668a773:~# apt update
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://archive.debian.org/debian stretch Release
Get:3 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el Packages [7786 B]
Fetched 25.1 kB in 0s (35.0 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@f56fb668a773:~# WAZUH_MANAGER="xxx" apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal
  libpython3.5-stdlib lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal xz-utils
Suggested packages:
  bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils binfmt-support
The following NEW packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal
  libpython3.5-stdlib lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal wazuh-agent xz-utils
0 upgraded, 18 newly installed, 0 to remove and 3 not upgraded.
Need to get 11.5 MB of archives.
After this operation, 73.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.8.0-1 [5793 kB]
Get:2 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://archive.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:4 http://archive.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:5 http://archive.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:6 http://archive.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:7 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:8 http://archive.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:9 http://archive.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:10 http://archive.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]
Get:11 http://archive.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]                              
Get:12 http://archive.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]                              
Get:13 http://archive.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]                  
Get:14 http://archive.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]                     
Get:15 http://archive.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]                         
Get:16 http://archive.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]                         
Get:17 http://archive.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]                             
Get:18 http://archive.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]                           
Fetched 11.5 MB in 10s (1129 kB/s)                                                                                          
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 11959 files and directories currently installed.)
Preparing to unpack .../0-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../1-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../2-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../3-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../4-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../5-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../6-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../7-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../8-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 12899 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up mime-support (3.60) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Processing triggers for systemd (232-25+deb9u12) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...

[root@73fa8c7b1b7c ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
[root@73fa8c7b1b7c ~]# grep address /var/ossec/etc/ossec.conf 
      <address>xxx</address>

root@f56fb668a773:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@f56fb668a773:~# ps -ef | grep wazuh
root      4525     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     4536     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      4549     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      4562     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      4579     1  0 16:41 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      4931    34  0 16:41 pts/1    00:00:00 grep wazuh

Wazuh manager connection 🟢

root@ip-172-31-82-18:/home/ubuntu# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
  Agent ID:   002
  Agent Name: f56fb668a773
  IP address: any
  Status:     Active

  Operating system:    Linux |f56fb668a773 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
  Client version:      Wazuh v4.8.0
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705423349

  Syscheck last started at:  Tue Jan 16 16:41:40 2024
  Syscheck last ended at:    Tue Jan 16 16:41:59 2024

Check Users and Groups 🟢

root@f56fb668a773:~# grep wazuh /etc/passwd
wazuh:x:107:108::/var/ossec:/bin/false
root@f56fb668a773:~# grep wazuh /etc/group
wazuh:x:108:

Generate Alerts 🟢

** Alert 1705423304.2610326: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2>
2024 Jan 16 16:41:44 (f56fb668a773) any->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2023-43786 affects libx11-data'
{"vulnerability":{"assigner":"redhat","cve":"CVE-2023-43786","cvss":{"cvss3":{"ba>
vulnerability.assigner: redhat
vulnerability.cve: CVE-2023-43786
vulnerability.cvss.cvss3.base_score: 5.500000
vulnerability.cvss.cvss3.vector.availability: HIGH
vulnerability.cvss.cvss3.vector.confidentiality_impact: NONE
vulnerability.cvss.cvss3.vector.integrity_impact: NONE
vulnerability.cvss.cvss3.vector.privileges_required: LOW
vulnerability.cvss.cvss3.vector.scope: UNCHANGED
vulnerability.cvss.cvss3.vector.user_interaction: NONE
vulnerability.cwe_reference: CWE-835
vulnerability.enumeration: CVE
vulnerability.package.architecture: all
vulnerability.package.condition: Package less than 2:1.8.4-2+deb12u2
vulnerability.package.name: libx11-data
vulnerability.package.source: libx11
vulnerability.package.version: 2:1.6.4-3+deb9u1
vulnerability.published: 2023-10-10T13:15:22Z
vulnerability.rationale: A vulnerability was found in libX11 due to an infinite l>
vulnerability.reference: https://bugzilla.redhat.com/show_bug.cgi?id=2242253, htt>
vulnerability.severity: Medium
vulnerability.status: Active
vulnerability.title: CVE-2023-43786 affects libx11-data

TCP 🟢

root@f56fb668a773:~# grep protocol /var/ossec/etc/ossec.conf 
      <protocol>tcp</protocol>
root@f56fb668a773:~# grep tcp /var/ossec/logs/ossec.log 
2024/01/16 16:41:33 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 16:41:33 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/16 16:41:39 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 16:41:39 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).

UDP 🟢

root@f56fb668a773:~# sed -i "s/tcp/udp/g" /var/ossec/etc/ossec.conf
root@f56fb668a773:~# grep protocol /var/ossec/etc/ossec.conf 
      <protocol>udp</protocol>
root@f56fb668a773:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@f56fb668a773:~# grep udp /var/ossec/logs/ossec.log 
2024/01/16 16:50:24 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/udp).
2024/01/16 16:50:24 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/udp).

Logs 🟢

Expected errors due to Wazuh manager protocol change

root@f56fb668a773:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
3
root@f56fb668a773:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/01/16 16:49:21 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/16 16:49:21 wazuh-agentd: ERROR: (1216): Unable to connect to '[xxx]:1514/tcp': 'Connection refused'.
2024/01/16 16:49:32 wazuh-agentd: ERROR: (1216): Unable to connect to '[xxx]:1514/tcp': 'Connection refused'.

Removal 🔴

root@f56fb668a773:~# apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal
  libpython3.5-stdlib lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 39.5 MB disk space will be freed.
Do you want to continue? [Y/n] Y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 13453 files and directories currently installed.)
Removing wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...

root@f56fb668a773:~# ls -l /var/ossec/
total 8
drwxr-xr-x 3 root root  4096 Jan 16 16:55 etc
drwxr-x--- 8 root wazuh 4096 Jan 16 16:55 queue
root@f56fb668a773:~# ls -l /var/ossec/etc/
total 20
-rw-r----- 1 wazuh wazuh   86 Jan 16 16:41 client.keys.save
-rw-r----- 1 root  wazuh  320 Jan 10 18:27 local_internal_options.conf.save
-rw-rw---- 1 root  wazuh 5284 Jan 16 16:49 ossec.conf.save
drwxrwx--- 2 root  wazuh 4096 Jan 16 16:55 shared
root@f56fb668a773:~# ls -l /var/ossec/queue/
total 24
drwxrwx--- 2 wazuh wazuh 4096 Jan 16 16:50 alerts
drwxr-x--- 3 wazuh wazuh 4096 Jan 16 16:37 fim
drwxr-x--- 2 wazuh wazuh 4096 Jan 16 16:41 logcollector
drwxr-x--- 2 wazuh wazuh 4096 Jan 16 16:41 rids
drwxrwx--- 2 wazuh wazuh 4096 Jan 16 16:50 sockets
drwxr-x--- 3 wazuh wazuh 4096 Jan 16 16:55 syscollector

root@f56fb668a773:~# grep -R wazuh /etc/
/etc/passwd-:wazuh:x:107:108::/var/ossec:/bin/false
/etc/group:wazuh:x:108:
/etc/passwd:wazuh:x:107:108::/var/ossec:/bin/false
/etc/shadow-:wazuh:*:19738:0:99999:7:::
/etc/init.d/wazuh-agent:WAZUH_CONTROL="$WAZUH_HOME/bin/wazuh-control"
/etc/apt/sources.list.d/wazuh.list:deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
/etc/shadow:wazuh:*:19738:0:99999:7:::
/etc/gshadow:wazuh:!::
grep: /etc/modules-load.d/modules.conf: No such file or directory

Opened issue about system users: APT Wazuh agent and manager do not remove system users when the package is removed without purge wazuh-packages#2775

Upgrade from 4.7.2 🟢

Upgrade 🟢

Install 4.7.2

root@f56fb668a773:~# curl -sO https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.2-1_ppc64el.deb
root@f56fb668a773:~# WAZUH_MANAGER="xxx" apt-get install ./wazuh-agent_4.7.2-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.7.2-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 5727 kB of archives.
After this operation, 37.1 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.7.2-1 [5727 kB]
Fetched 5727 kB in 0s (10.6 MB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 13043 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.2-1_ppc64el.deb ...
Unpacking wazuh-agent (4.7.2-1) ...
Setting up wazuh-agent (4.7.2-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...

root@f56fb668a773:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@f56fb668a773:~# ps -ef | grep wazuh
root      9031     1  0 18:07 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     9042     1  0 18:07 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      9058     1 28 18:07 ?        00:00:01 /var/ossec/bin/wazuh-syscheckd
root      9071     1  0 18:07 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      9088     1  4 18:07 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      9441    34  0 18:08 pts/1    00:00:00 grep wazuh

root@ip-172-31-82-18:/home/ubuntu# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
  Agent ID:   004
  Agent Name: f56fb668a773
  IP address: any
  Status:     Active

  Operating system:    Linux |f56fb668a773 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
  Client version:      Wazuh v4.7.2
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705428524

  Syscheck last started at:  Tue Jan 16 18:07:55 2024
  Syscheck last ended at:    Tue Jan 16 18:08:05 2024

root@f56fb668a773:~# apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 5793 kB of archives.
After this operation, 2441 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.8.0-1 [5793 kB]
Fetched 5793 kB in 0s (9453 kB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 13424 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) over (4.7.2-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
root@f56fb668a773:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"
root@f56fb668a773:~# ps -ef | grep wazuh
root     10152     1  0 18:10 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    10163     1  0 18:10 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     10177     1  9 18:10 ?        00:00:05 /var/ossec/bin/wazuh-syscheckd
root     10190     1  0 18:10 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     10210     1  0 18:10 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     10675    34  0 18:11 pts/1    00:00:00 grep wazuh

root@ip-172-31-82-18:/home/ubuntu# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
  Agent ID:   004
  Agent Name: f56fb668a773
  IP address: any
  Status:     Active

  Operating system:    Linux |f56fb668a773 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
  Client version:      Wazuh v4.8.0
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705428682

  Syscheck last started at:  Tue Jan 16 18:10:03 2024
  Syscheck last ended at:    Tue Jan 16 18:10:04 2024

Check Users and Groups 🟢

root@f56fb668a773:~# grep wazuh /etc/passwd
wazuh:x:107:108::/var/ossec:/bin/false
root@f56fb668a773:~# grep wazuh /etc/group                
wazuh:x:108:

Generate Alerts 🟢

** Alert 1705428612.10870297: - syslog,dpkg,config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,tsc_CC8.1,
2024 Jan 16 18:10:12 (f56fb668a773) any->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2024-01-16 18:10:10 status installed libc-bin:ppc64el 2.24-11+deb9u4
dpkg_status: status installed
package: libc-bin
arch: ppc64el
version: 2.24-11+deb9u4

TCP 🟢

root@f56fb668a773:~# grep protocol /var/ossec/etc/ossec.conf
    <protocol>tcp</protocol>
root@f56fb668a773:~# grep tcp /var/ossec/logs/ossec.log 
2024/01/16 18:07:48 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 18:07:48 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/16 18:07:54 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 18:07:54 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/16 18:10:02 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/16 18:10:02 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).

UDP 🟢

root@f56fb668a773:~# sed -i "s/tcp/udp/g" /var/ossec/etc/ossec.conf
root@f56fb668a773:~# grep protocol /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
root@f56fb668a773:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@f56fb668a773:~# grep udp /var/ossec/logs/ossec.log 
2024/01/16 18:16:37 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/udp).
2024/01/16 18:16:37 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/udp).

Logs 🟢

root@f56fb668a773:~# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
0

jnasselle · 2024-01-15T20:09:24Z

Analysis report - AIX 🟢

System info 🟢

bash-4.4$ hostname
soaxp089
bash-4.4$ uname -a
AIX soaxp089 1 6 00CADA644C00

Installation 🟢

Installation

curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13.4M  100 13.4M    0     0  9699k      0  0:00:01  0:00:01 --:--:-- 9706k
# bash-4.4# WAZUH_MANAGER="OBFUSCATED_MANAGER_IP" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################

bash-4.4# rpm -qi wazuh-agent
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.8.0                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Wed Jan 10 14:59:42 2024
Install date: Mon Jan 15 12:33:27 2024      Build Host: soaxp089
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.8.0-1.src.rpm
Size        : 64928716                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
# bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"

Manager IP

bash-4.4# grep address /var/ossec/etc/ossec.conf
      <address>OBFUSCATED_MANAGER_IP</address>

Start Agent

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Check Agent in Manager

[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp089
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp089 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705345063

   Syscheck last started at:  Mon Jan 15 18:38:47 2024
   Syscheck last ended at:    Mon Jan 15 18:38:54 2024

Errors Present in the Agent (expected)

bash-4.4# grep -E "ERROR|WARNING" /var/ossec/logs/ossec.log
2024/01/15 12:38:39 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 12:46:32 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 12:46:32 wazuh-agentd: ERROR: (1216): Unable to connect to '[OBFUSCATED_MANAGER_IP]:1514/tcp': 'Connection refused'.
2024/01/15 12:46:33 wazuh-syscheckd: WARNING: Process locked due to agent is offline. Waiting for connection...

Generate alerts 🟢

TCP 🟢

Agent info

bash-4.4# grep protocol /var/ossec/etc/ossec.conf
      <protocol>tcp</protocol>
      
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# grep tcp /var/ossec/etc/ossec.conf
2024/01/15 12:38:36 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 12:38:36 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).

Manager alerts

{"timestamp":"2024-01-15T18:56:56.027+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"soaxp089","ip":"192.168.253.89"},"manager":{"name":"wazuh-server"},"id":"1705345016.78532","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"15439","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}

UDP 🟢

Agent info

bash-4.4# grep protocol /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
      
bash-4.4# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# grep udp /var/ossec/logs/ossec.log 
2024/01/15 12:52:36 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/udp).
2024/01/15 12:52:36 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/udp).

Manager alerts

{"timestamp":"2024-01-15T19:10:28.543+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":10,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"soaxp089","ip":"192.168.253.89"},"manager":{"name":"wazuh-server"},"id":"1705345828.140646","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}

Removal 🟡

bash-4.4# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty

Known issues:

Upgrade 🟢

Installation of 4.7.2 agent

bash-4.4# curl -O -k https://packages.wazuh.com/4.x/aix/wazuh-agent-4.7.2-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13.5M  100 13.5M    0     0  10.7M      0  0:00:01  0:00:01 --:--:-- 10.7M



bash-4.4# rpm -qi wazuh-agent
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.7.2                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Fri Jan  5 13:48:22 2024
Install date: Mon Jan 15 13:02:28 2024      Build Host: soaxp132
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.7.2-1.src.rpm
Size        : 65073461                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40711"
WAZUH_TYPE="agent"

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Manager perspective of 4.7.2

[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp089
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp089 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705348851

   Syscheck last started at:  Mon Jan 15 19:31:09 2024
   Syscheck last ended at:    Mon Jan 15 19:31:16 2024

Agent upgrade to 4.8.0

# rpm -U wazuh-agent-4.8.0-1.aix.ppc.rpm
bash-4.4# rpm -qi wazuh-agent
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.8.0                             Vendor: Wazuh, Inc <info@wazuh.com>
Release     : 1                             Build Date: Wed Jan 10 14:59:42 2024
Install date: Mon Jan 15 13:44:57 2024      Build Host: soaxp089
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.8.0-1.src.rpm
Size        : 64928716                         License: GPL
Packager    : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Manager perspective of 4.8.0 after upgrade

[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp089
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp089 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705349016

   Syscheck last started at:  Mon Jan 15 19:45:00 2024
   Syscheck last ended at:    Mon Jan 15 19:45:10 2024

Check users and groups 🟢

# cat /etc/passwd | grep wazuh
wazuh:*:210:1::/home/wazuh:/usr/bin/ksh

# cat /etc/group | grep wazuh
wazuh:!:209:wazuh

Errors and warnings 🟢

Errors expected due to duplicate enrollment during testing. Fixed after using force auth feature

bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
2024/01/15 13:03:37 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:03:37 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:03:42 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:03:42 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:03:52 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:03:52 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:04:07 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:04:07 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:04:27 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:04:27 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:04:53 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:04:53 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:05:23 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:05:23 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:05:58 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:05:58 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:06:38 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:06:38 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:07:23 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:07:23 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:08:13 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:08:13 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:08:44 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:08:44 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:08:50 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:08:50 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:09:00 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:09:00 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:09:15 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:09:15 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:09:35 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:09:35 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:10:00 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:10:00 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:10:30 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:10:30 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:11:05 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:11:05 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:11:45 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:11:45 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:12:30 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:12:30 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:12:59 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:12:59 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:13:04 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:13:04 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:13:14 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:13:14 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:13:29 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:13:29 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:13:49 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:13:49 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:14:15 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:14:15 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:14:45 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:14:45 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:15:20 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:15:20 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:16:00 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:16:00 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:16:45 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:16:45 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:17:35 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:17:35 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:18:30 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:18:30 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:19:30 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:19:30 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:20:30 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:20:30 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:21:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:21:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:22:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:22:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:23:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:23:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:24:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:24:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:25:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:25:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:26:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:26:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:27:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:27:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:28:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:28:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:29:31 wazuh-agentd: ERROR: Duplicate agent name: soaxp089 (from manager)
2024/01/15 13:29:31 wazuh-agentd: ERROR: Unable to add agent (from manager)
2024/01/15 13:30:53 wazuh-agentd: ERROR: Connection socket: Connection reset by peer (73)
2024/01/15 13:30:53 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 13:37:12 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 13:37:12 wazuh-syscheckd: WARNING: Process locked due to agent is offline. Waiting for connection...
2024/01/15 13:42:44 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/01/15 13:42:44 wazuh-agentd: ERROR: (1216): Unable to connect to '[OBFUSCATED_MANAGER_IP]:1514/tcp': 'Connection refused'.

rauldpm · 2024-01-15T20:14:27Z

Analysis report - Solaris 10 SPARC 🟢

System info

# cat /etc/release 
                   Oracle Solaris 10 1/13 s10s_u11wos_24a SPARC
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
                            Assembled 17 January 2013
# hostname
sossp109

Fresh install 🟢

Install 🟢

# /opt/csw/bin/curl -sO https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.8.0-sol10-sparc.pkg
# /opt/csw/bin/curl -sO https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.7.2-sol10-sparc.pkg
# ls -l wazuh-agent_v4.8.0-sol10-sparc.pkg 
-rw-r--r--   1 root     root     16440320 Jan 15 21:33 wazuh-agent_v4.8.0-sol10-sparc.pkg
# ls -l wazuh-agent_v4.7.2-sol10-sparc.pkg 
-rw-r--r--   1 root     root     16535552 Jan 15 21:33 wazuh-agent_v4.7.2-sol10-sparc.pkg

# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/cuhd/wazuh-agent_v4.8.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

# vi /var/ossec/etc/ossec.conf 
xterm-256color: Unknown terminal type
I don't know what kind of terminal you are on - all I have is 'xterm-256color'.
[Using open mode]
"/var/ossec/etc/ossec.conf" 198 lines, 5503 characters 
<!--
  Wazuh - Agent - Default configuration for sunos 5.10
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>xxx</address> 
:wq
"/var/ossec/etc/ossec.conf" 198 lines, 5507 characters 
# grep address /var/ossec/etc/ossec.conf 
      <address>xxx</address>

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# ps -ef | grep wazuh
  root 28187 28025   0 21:37:50 pts/1       0:00 grep wazuh
  root 28115     1   0 21:37:30 ?           0:00 /var/ossec/bin/wazuh-execd
  root 28144     1   0 21:37:33 ?           0:00 /var/ossec/bin/wazuh-logcollector
 wazuh 28125     1   0 21:37:31 ?           0:00 /var/ossec/bin/wazuh-agentd
  root 28137     1   0 21:37:33 ?           0:00 /var/ossec/bin/wazuh-syscheckd
  root 28151     1   0 21:37:33 ?           0:02 /var/ossec/bin/wazuh-modulesd

Wazuh manager connection 🟢

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
  Agent ID:   003
  Agent Name: sossp109
  IP address: any
  Status:     Active

  Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
  Client version:      Wazuh v4.8.0
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705351134

  Syscheck last started at:  Tue Jan 16 03:37:56 2024
  Syscheck last ended at:    Tue Jan 16 03:38:14 2024

Check Users and Groups 🟢

# grep wazuh /etc/passwd 
wazuh:x:53355:57447::/var/ossec:/bin/false
# grep wazuh /etc/group  
wazuh::57447:
# grep ossec /etc/group 
# grep ossec /etc/passwd
wazuh:x:53355:57447::/var/ossec:/bin/false

Generate Alerts 🟢

** Alert 1705351444.11312524: - syslog,su,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4
2024 Jan 15 20:44:04 (sossp109) any->/var/adm/messages
Rule: 5302 (level 9) -> 'User missed the password to change UID to root.'
User: root
Jan 15 21:43:22 sossp109 su: [ID 810491 auth.crit] 'su root' failed for cuhd on /dev/pts/2

TCP 🟢

# grep "protocol" /var/ossec/etc/ossec.conf                                                            
  <protocol>tcp</protocol>
# grep tcp /var/ossec/logs/ossec.log 
2024/01/15 21:37:51 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/15 21:37:51 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/15 21:37:55 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/15 21:37:55 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).

UDP 🟢

# vi /var/ossec/etc/ossec.conf 
xterm-256color: Unknown terminal type
I don't know what kind of terminal you are on - all I have is 'xterm-256color'.
[Using open mode]
"/var/ossec/etc/ossec.conf" 198 lines, 5507 characters 
<!--
  Wazuh - Agent - Default configuration for sunos 5.10
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>xxx</address>
      <port>1514</port>
      <protocol>udp</protocol>
:wq
"/var/ossec/etc/ossec.conf" 198 lines, 5507 characters 
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# ps -ef | grep wazuh
    root 29191 28025   0 21:45:52 pts/1       0:00 grep wazuh
    root 29069     1   0 21:45:40 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root 29052     1  17 21:45:39 ?           0:15 /var/ossec/bin/wazuh-syscheckd
    root 29059     1   0 21:45:39 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root 29030     1   0 21:45:37 ?           0:00 /var/ossec/bin/wazuh-execd
  wazuh 29040     1   0 21:45:38 ?           0:00 /var/ossec/bin/wazuh-agentd
# grep udp /var/ossec/logs/ossec.log    
2024/01/15 21:45:38 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/udp).
2024/01/15 21:45:38 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/udp).

Logs 🟢

# grep ERROR /var/ossec/logs/ossec.log  | wc -l
      0
# grep WARNING /var/ossec/logs/ossec.log | wc -l
      0
# grep CRITICAL /var/ossec/logs/ossec.log | wc -l
      0
# grep FATAL /var/ossec/logs/ossec.log | wc -l   
      0

Removal 🟢

# ps -ef | grep wazuh                            
    root 29069     1   0 21:45:40 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root 29380 28025   0 21:50:07 pts/1       0:00 grep wazuh
    root 29052     1   0 21:45:39 ?           0:40 /var/ossec/bin/wazuh-syscheckd
    root 29059     1   0 21:45:39 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root 29030     1   0 21:45:37 ?           0:00 /var/ossec/bin/wazuh-execd
   wazuh 29040     1   0 21:45:38 ?           0:00 /var/ossec/bin/wazuh-agentd

# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.8.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.

# ps -ef | grep wazuh
    root 29450 28025   0 21:50:18 pts/1       0:00 grep wazuh
#

# ls -l /var/ossec/                                                                                    
total 6
drwxrwx---   3 53355    57447          3 Jan 15 21:50 etc
drwxr-x---   8 root     57447          8 Jan 15 21:50 queue
# ls -l /var/ossec/etc/
total 3
drwxrwx---   2 root     57447          5 Jan 15 21:50 shared
# ls -l /var/ossec/etc/shared/
total 1801
-rw-------   1 53355    57447         76 Jan 15 21:37 agent.conf
-rw-------   1 53355    57447        228 Jan 15 21:37 ar.conf
-rw-r--r--   1 53355    57447     899315 Jan 15 21:37 merged.mg
# ls -l /var/ossec/queue/     
total 18
drwxrwx---   2 53355    57447          4 Jan 15 21:45 alerts
drwxr-x---   3 53355    57447          3 Jan 15 21:35 fim
drwxr-x---   2 53355    57447          3 Jan 15 21:37 logcollector
drwxr-x---   2 53355    57447          4 Jan 15 21:37 rids
drwxrwx---   2 53355    57447         10 Jan 15 21:45 sockets
drwxr-x---   3 53355    57447          3 Jan 15 21:50 syscollector
# ls -l /var/ossec/queue/alerts/
total 2
srw-rw----   1 root     57447          0 Jan 15 21:45 cfgaq
srw-rw----   1 root     57447          0 Jan 15 21:45 execq
# ls -l /var/ossec/queue/fim/   
total 3
drwxr-x---   2 53355    57447          4 Jan 15 21:45 db
# ls -l /var/ossec/queue/logcollector/                 
total 2
-rw-r--r--   1 root     57447        403 Jan 15 21:50 file_status.json
# ls -l /var/ossec/queue/rids/        
total 4
-rw-r--r--   1 53355    57447          7 Jan 15 21:37 003
-rw-r--r--   1 53355    57447          7 Jan 15 21:50 sender_counter
# ls -l /var/ossec/queue/sockets/
total 7
srw-rw----   1 root     57447          0 Jan 15 21:45 com
srw-rw----   1 root     57447          0 Jan 15 21:45 control
srw-rw----   1 root     57447          0 Jan 15 21:45 logcollector
srw-rw----   1 53355    57447          0 Jan 15 21:45 queue
srw-rw----   1 root     57447          0 Jan 15 21:45 syscheck
srw-rw----   1 root     57447          0 Jan 15 21:45 upgrade
srw-rw----   1 root     57447          0 Jan 15 21:45 wmodules
# ls -l /var/ossec/queue/syscollector/
total 3
drwxr-x---   2 53355    57447          4 Jan 15 21:45 db

# grep wazuh /etc/passwd 
# grep wazuh /etc/group  
# find /etc -type f | xargs grep "wazuh"
/etc/opasswd:wazuh:x:53355:57447::/var/ossec:/bin/false
/etc/oshadow:wazuh:UP:::::::

Upgrade from 4.7.2 🟢

Upgrade 🟢

Install 4.7.2

# pkgadd -d wazuh-agent_v4.7.2-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/cuhd/wazuh-agent_v4.7.2-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.2
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

Connect to the Wazuh manager

# vi /var/ossec/etc/ossec.conf 
xterm-256color: Unknown terminal type
I don't know what kind of terminal you are on - all I have is 'xterm-256color'.
[Using open mode]
"/var/ossec/etc/ossec.conf" 198 lines, 5509 characters 
<!--
  Wazuh - Agent - Default configuration for sunos 5.10
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>xxx</address>  
:wq
"/var/ossec/etc/ossec.conf" 198 lines, 5507 characters 
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# ps -ef | grep wazuh
    root 29905     1   0 22:00:58 ?           0:00 /var/ossec/bin/wazuh-execd
    root    78 28025   0 22:01:11 pts/1       0:00 grep wazuh
    root 29927     1  13 22:01:01 ?           0:12 /var/ossec/bin/wazuh-syscheckd
    root 29945     1   0 22:01:02 ?           0:02 /var/ossec/bin/wazuh-modulesd
  wazuh 29915     1   0 22:00:59 ?           0:00 /var/ossec/bin/wazuh-agentd
    root 29935     1   0 22:01:01 ?           0:00 /var/ossec/bin/wazuh-logcollector

Check Wazuh manager

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
  Agent ID:   005
  Agent Name: sossp109
  IP address: any
  Status:     Active

  Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
  Client version:      Wazuh v4.7.2
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705352528

  Syscheck last started at:  Tue Jan 16 04:01:00 2024
  Syscheck last ended at:    Tue Jan 16 04:01:06 2024

Stop agent to upgrade it

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.2 Stopped

Backup

# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk

Remove the Wazuh agent

# pkgrm wazuh-agent

The following package is currently installed:
  wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.7.2

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.7.2 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
# rm -rf /var/ossec

Install new Wazuh agent version

# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </export/home/cuhd/wazuh-agent_v4.8.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

Restore backup

# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf
# mv ~/client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys

Start agent

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# ps -ef | grep wazuh
  wazuh  1000     1   0 22:03:50 ?           0:00 /var/ossec/bin/wazuh-agentd
    root  1012     1  21 22:03:51 ?           0:18 /var/ossec/bin/wazuh-syscheckd
    root  1026     1   0 22:03:51 ?           0:02 /var/ossec/bin/wazuh-modulesd
    root  1019     1   0 22:03:51 ?           0:00 /var/ossec/bin/wazuh-logcollector
    root  1158 28025   0 22:04:07 pts/1       0:00 grep wazuh
    root   990     1   0 22:03:49 ?           0:00 /var/ossec/bin/wazuh-execd

Check manager again

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
  Agent ID:   005
  Agent Name: sossp109
  IP address: any
  Status:     Active

  Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
  Client version:      Wazuh v4.8.0
  Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
  Shared file hash:    4a8724b20dee0124ff9656783c490c4e
  Last keep alive:     1705352688

  Syscheck last started at:  Tue Jan 16 04:03:50 2024
  Syscheck last ended at:    Tue Jan 16 04:03:56 2024

Check Users and Groups 🟢

# grep wazuh /etc/passwd  
wazuh:x:53355:57447::/var/ossec:/bin/false
# grep wazuh /etc/group 
wazuh::57447:

Generate Alerts 🟢

** Alert 1705352933.22303867: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2024 Jan 15 21:08:53 (sossp109) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.X11-pipe/X0

TCP 🟢

# grep protocol /var/ossec/etc/ossec.conf 
      <protocol>tcp</protocol>
# grep tcp /var/ossec/logs/ossec.log 
2024/01/15 22:03:41 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/15 22:03:41 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/15 22:03:49 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/15 22:03:49 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).
2024/01/15 22:08:06 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/tcp).
2024/01/15 22:08:06 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/tcp).

UDP 🟢

# vi /var/ossec/etc/ossec.conf 
xterm-256color: Unknown terminal type
I don't know what kind of terminal you are on - all I have is 'xterm-256color'.
[Using open mode]
"/var/ossec/etc/ossec.conf" 198 lines, 5507 characters 
<!--
  Wazuh - Agent - Default configuration for sunos 5.10
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>xxx</address>
      <port>1514</port>
      <protocol>udp</protocol>
:wq
"/var/ossec/etc/ossec.conf" 198 lines, 5507 characters 
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep udp /var/ossec/logs/ossec.log      
2024/01/15 22:13:24 wazuh-agentd: INFO: Trying to connect to server ([xxx]:1514/udp).
2024/01/15 22:13:24 wazuh-agentd: INFO: (4102): Connected to the server ([xxx]:1514/udp).

jnasselle · 2024-01-15T20:51:40Z

Analysis Report - HP-UX 🟢

Access Bash (Root) 🟢

su
/usr/local/bin/bash
export PATH=$PATH:/usr/local/bin/
bash-4.4#

System Info 🟢

# uname -a
bash-4.4$ uname -a
HP-UX sovmh336 B.11.31 U ia64 0936332656 unlimited-user license

Installation 🟢

Installation

bash-4.4# curl -sOk https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
bash-4.4# groupadd wazuh
bash-4.4# useradd -G wazuh wazuh

# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar 
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951776 bytes, 3813 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2095296 bytes, 4093 tape blocks
x /var/ossec/bin/wazuh-execd, 1814768 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 570928 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1745024 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1886768 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 571900 bytes, 1117 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355672 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892076 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 798880 bytes, 1561 tape blocks
x /var/ossec/lib/libfimdb.so, 1266648 bytes, 2474 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41658 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9151 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 5955 bytes, 12 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6373 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9407 bytes, 19 tape blocks
x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17232 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 22966 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38690 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14293 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

Change Agent IP

bash-4.4# sed "s/MANAGER_IP/OBFUSCATED_MANAGER_IP/g" /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

Start Agent

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Agent Info

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40802"
WAZUH_TYPE="agent"

Check Agent in Manager

[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sovmh336
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh336 |B.11.31 |U |ia64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705351463

   Syscheck last started at:  Mon Jan 15 19:39:35 2024
   Syscheck last ended at:    Mon Jan 15 19:40:32 2024

No Errors Present in the Agent

bash-4.4# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0

No Errors Present in the Manager

[root@wazuh-server wazuh-user]# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0

Generate Alerts 🟢

TCP 🟢

Agent is Connected Through TCP

# grep -i "tcp" /var/ossec/logs/ossec.log
2024/01/15 13:39:29 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 13:39:29 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 13:39:34 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/tcp).
2024/01/15 13:39:34 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/tcp).

Alerts are correctly generated for the agent - Expected logs

{"timestamp":"2024-01-15T20:44:14.643+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":12,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1705351454.11312989","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}

UDP 🟢

Agent is Connected Through UDP

bash-4.4# sed 's/tcp/udp/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf

bash-4.4# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>

# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep -i "udp" /var/ossec/logs/ossec.log
2024/01/15 13:43:12 wazuh-agentd: INFO: Trying to connect to server ([OBFUSCATED_MANAGER_IP]:1514/udp).
2024/01/15 13:43:12 wazuh-agentd: INFO: (4102): Connected to the server ([OBFUSCATED_MANAGER_IP]:1514/udp).
#

Alerts are Correctly Generated for the Agent

{"timestamp":"2024-01-15T20:47:03.723+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":14,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sovmh336","ip":"192.168.253.36"},"manager":{"name":"wazuh-server"},"id":"1705351623.11342192","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}

No Errors in Agent Logs

# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log | wc -l
0

Removal 🟢

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
# groupdel wazuh
# userdel wazuh
# rm -rf /var/ossec
# cat /etc/passwd | grep wazuh
# cat /etc/passwd | grep wazuh

Upgrade 4.7.2 -> 4.8.0 🟢

# curl -LO -k https://packages.wazuh.com/4.x/hp-ux/wazuh-agent-4.7.2-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.8M  100 20.8M    0     0  3048k      0  0:00:07  0:00:07 --:--:-- 3307k
# groupadd wazuh
# useradd -G wazuh wazuh
# tar -xvf wazuh-agent-4.7.2-1-hpux-11v3-ia64.tar 
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631864 bytes, 3188 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124568 bytes, 4150 tape blocks
x /var/ossec/bin/wazuh-execd, 1560228 bytes, 3048 tape blocks
x /var/ossec/bin/manage_agents, 440844 bytes, 862 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1490576 bytes, 2912 tape blocks
x /var/ossec/bin/wazuh-agentd, 1633372 bytes, 3191 tape blocks
x /var/ossec/bin/agent-auth, 441636 bytes, 863 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290672 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 188765 bytes, 369 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37467 bytes, 74 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70200 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70200 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 69848 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69800 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69832 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69832 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69784 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69712 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69604 bytes, 136 tape blocks
x /var/ossec/active-response/bin/route-null, 69744 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69652 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 69908 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
# sed 's/MANAGER_IP/OBFUSCATED_MANAGER_IP/g' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.new && mv /var/ossec/etc/ossec.conf.new /var/ossec/etc/ossec.conf
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Manager

[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sovmh336
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh336 |B.11.31 |U |ia64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705351463

   Syscheck last started at:  Mon Jan 15 19:55:35 2024
   Syscheck last ended at:    Mon Jan 15 19:57:32 2024

Upgrade

# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.2 Stopped
# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk
# groupadd wazuh
Group 'wazuh' not unique
# useradd -G wazuh wazuh
Login 'wazuh' not unique
# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar 
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1885844 bytes, 3684 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2373480 bytes, 4636 tape blocks
x /var/ossec/bin/wazuh-execd, 1814400 bytes, 3544 tape blocks
x /var/ossec/bin/manage_agents, 570716 bytes, 1115 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1744688 bytes, 3408 tape blocks
x /var/ossec/bin/wazuh-agentd, 1886384 bytes, 3685 tape blocks
x /var/ossec/bin/agent-auth, 506160 bytes, 989 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355412 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1314696 bytes, 2568 tape blocks
x /var/ossec/lib/librsync.so, 894712 bytes, 1748 tape blocks
x /var/ossec/lib/libsysinfo.so, 796248 bytes, 1556 tape blocks
x /var/ossec/lib/libfimdb.so, 1267160 bytes, 2475 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 172516 bytes, 337 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4709 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38402 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10034 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14164 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4817 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70024 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69848 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69952 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69800 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69692 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69740 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 69996 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
# chown root:wazuh /var/ossec/etc/ossec.conf
# mv ~/client.keys.bk /var/ossec/etc/client.keys
# chown root:wazuh /var/ossec/etc/client.keys
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

Check agent in wazuh server

[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sovmh336
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh336 |B.11.31 |U |ia64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1705351463

   Syscheck last started at:  Mon Jan 15 20:01:04 2024
   Syscheck last ended at:    Mon Jan 15 20:03:18 2024

Check Users and Groups 🟢

# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
# cat /etc/group | grep wazuh
wazuh::105:wazuh

damarisg · 2024-01-17T13:31:38Z

LGTM!

davidjiglesias · 2024-01-18T08:32:39Z

LGTM

wazuhci added level/subtask type/test labels Jan 11, 2024

wazuhci mentioned this issue Jan 11, 2024

Release 4.8.0 - Alpha 2 - Packages tests #21388

Closed

1 task

rauldpm assigned Deblintrake09 Jan 11, 2024

Deblintrake09 mentioned this issue Jan 12, 2024

wazuh-states-vulnerabilities Index missing on Wazuh 4.8.0-alpha2 AIO Installations (AMI - OVA - AIO) #21413

Closed

jnasselle self-assigned this Jan 15, 2024

damarisg self-assigned this Jan 15, 2024

rauldpm self-assigned this Jan 15, 2024

rauldpm mentioned this issue Jan 16, 2024

APT Wazuh agent and manager do not remove system users when the package is removed without purge wazuh/wazuh-packages#2775

Closed

davidjiglesias closed this as completed Jan 18, 2024

vikman90 mentioned this issue May 7, 2024

HP-UX agent is not able to register #23323

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release 4.8.0 - Alpha 2 - Specific systems #21394

Release 4.8.0 - Alpha 2 - Specific systems #21394

wazuhci commented Jan 11, 2024 •

edited by davidjiglesias

Deblintrake09 commented Jan 12, 2024 •

edited

jnasselle commented Jan 15, 2024

Deblintrake09 commented Jan 15, 2024

damarisg commented Jan 15, 2024 •

edited

rauldpm commented Jan 15, 2024 •

edited

jnasselle commented Jan 15, 2024 •

edited

rauldpm commented Jan 15, 2024 •

edited

jnasselle commented Jan 15, 2024 •

edited

damarisg commented Jan 17, 2024

davidjiglesias commented Jan 18, 2024

Release 4.8.0 - Alpha 2 - Specific systems #21394

Release 4.8.0 - Alpha 2 - Specific systems #21394

Comments

wazuhci commented Jan 11, 2024 • edited by davidjiglesias

Packages tests metrics information

Build packages

Test packages

PPC64EL packages

OVA/AMI specific tests

Testing considerations

Conclusion 🔴

New Issues

Known Issues

Auditor's validation

Deblintrake09 commented Jan 12, 2024 • edited

Analysis Report - AMI 🟡

Indexer - journalctl

WUI

jnasselle commented Jan 15, 2024

Update

Deblintrake09 commented Jan 15, 2024

Analysis report - OVA

damarisg commented Jan 15, 2024 • edited

Analysis Report - Solaris 11 SPARC

rauldpm commented Jan 15, 2024 • edited

Analysis report - PPC64EL 🔴

jnasselle commented Jan 15, 2024 • edited

Analysis report - AIX 🟢

rauldpm commented Jan 15, 2024 • edited

Analysis report - Solaris 10 SPARC 🟢

jnasselle commented Jan 15, 2024 • edited

Analysis Report - HP-UX 🟢

damarisg commented Jan 17, 2024

davidjiglesias commented Jan 18, 2024

wazuhci commented Jan 11, 2024 •

edited by davidjiglesias

Deblintrake09 commented Jan 12, 2024 •

edited

damarisg commented Jan 15, 2024 •

edited

rauldpm commented Jan 15, 2024 •

edited

jnasselle commented Jan 15, 2024 •

edited

rauldpm commented Jan 15, 2024 •

edited

jnasselle commented Jan 15, 2024 •

edited