Check Wazuh-Agent compatibility with new version Ubuntu 24.04 LTS #23134

Closed
10 tasks done
lchico opened this issue Apr 25, 2024 · 5 comments
Comments

@lchico
Member

lchico commented Apr 25, 2024

Description

Hello team, this issue is to check the full compatibility of Wazuh with the new version of the Ubuntu 24.04 LTS operating system.

OSs checks issue: #23132

For this, it is necessary to perform the following tests to check that everything works as expected:

  • Agent and server (if possible) installations.
  • O.S. reporting in the interface.
  • WPK upgrade.
  • Enrollment and connectivity with the manager.
  • FIM: Real-time and who-data engines (if available).
  • SCA: Policy support.
  • Vulnerability Detector: Vulnerability support.
  • Syscollector: Complete inventory.
  • Active Response: port reset agent.
  • Log capture.
@lchico
Member Author

lchico commented Apr 27, 2024

Testing

🟢 Agent and server (enrollment and connectivity with the manager)

[screenshots: dashboard and agent log console]

🟢 FIM scheduled

Result

🟢 FIM Real-time

Configuration on the agent
  <frequency>4</frequency>
  <directories realtime="yes">/var/log/testrealtime</directories>
Result

🟢 FIM Whodata

I had to install auditd
root@ubuntu24:/vagrant# auditd
bash: auditd: command not found
root@ubuntu24:/vagrant# apt install auditd
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libauparse0t64
Suggested packages:
audispd-plugins
The following NEW packages will be installed:
auditd libauparse0t64
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 274 kB of archives.
After this operation, 893 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu noble/main amd64 libauparse0t64 amd64 1:3.1.2-2.1build1 [59.0 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble/main amd64 auditd amd64 1:3.1.2-2.1build1 [215 kB]
Fetched 274 kB in 2s (150 kB/s)
Selecting previously unselected package libauparse0t64:amd64.
(Reading database ... 47202 files and directories currently installed.)
Preparing to unpack .../libauparse0t64_1%3a3.1.2-2.1build1_amd64.deb ...
Adding 'diversion of /lib/x86_64-linux-gnu/libauparse.so.0 to /lib/x86_64-linux-gnu/libauparse.so.0.usr-is-merged by libauparse0t64'
Adding 'diversion of /lib/x86_64-linux-gnu/libauparse.so.0.0.0 to /lib/x86_64-linux-gnu/libauparse.so.0.0.0.usr-is-merged by libauparse0t64'
Unpacking libauparse0t64:amd64 (1:3.1.2-2.1build1) ...
Selecting previously unselected package auditd.
Preparing to unpack .../auditd_1%3a3.1.2-2.1build1_amd64.deb ...
Unpacking auditd (1:3.1.2-2.1build1) ...
Setting up libauparse0t64:amd64 (1:3.1.2-2.1build1) ...
Setting up auditd (1:3.1.2-2.1build1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /usr/lib/systemd/system/auditd.service.
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for libc-bin (2.39-0ubuntu8) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

Configuration on the agent
  <directories check_all="yes" whodata="yes">/testwhodata</directories>
Alerts

🟢 Upgrade using WPK

Result

🟡 SCA support

No official SCA policies are available (check this list).

Since it is not listed in CIS Benchmarks, no issue will be created.

SCA module is tested anyway, with a custom policy.

Configuration

This use case is used to test the SCA module.

Manager log:
** Alert 1714227951.10671: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
>sca
Rule: 19005 (level 9) -> 'SCA summary: SCA use case: Keyword check: Score less than 30% (0)'
{"type":"summary","scan_id":1532790084,"name":"SCA use case: Keyword check","policy_id":"keyword_check","file":"keywordcheck.yml","description":"Guidance for checking for a keyword or phrase in files on Ubuntu endpoints.","references":"https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html,https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html","passed":0,"failed":1,"invalid":0,"total_checks":1,"score":0,"start_time":1714227939,"end_time":1714227939,"hash":"5d28a90f4498a81461efbaf6f628a19d9778390bb5c81a393dd936181cc3d826","hash_file":"a33741eefba60ba75052477564b607cc97bdf36c773194c7ead40f30e356ec4d","force_alert":"1"}
sca.type: summary
sca.scan_id: 1532790084
sca.policy: SCA use case: Keyword check
sca.description: Guidance for checking for a keyword or phrase in files on Ubuntu endpoints.
sca.policy_id: keyword_check
sca.passed: 0
sca.failed: 1
sca.invalid: 0
sca.total_checks: 1
sca.score: 0
sca.file: keywordcheck.yml

** Alert 1714227961.11942: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
>sca
Rule: 19005 (level 9) -> 'SCA summary: SCA use case: Keyword check: Score less than 30% (0)'
{"type":"summary","scan_id":1532790084,"name":"SCA use case: Keyword check","policy_id":"keyword_check","file":"keywordcheck.yml","description":"Guidance for checking for a keyword or phrase in files on Ubuntu endpoints.","references":"https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html,https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html","passed":0,"failed":1,"invalid":0,"total_checks":1,"score":0,"start_time":1714227939,"end_time":1714227939,"hash":"5d28a90f4498a81461efbaf6f628a19d9778390bb5c81a393dd936181cc3d826","hash_file":"a33741eefba60ba75052477564b607cc97bdf36c773194c7ead40f30e356ec4d","force_alert":"1","force_alert":"1"}
sca.type: summary
sca.scan_id: 1532790084
sca.policy: SCA use case: Keyword check
sca.description: Guidance for checking for a keyword or phrase in files on Ubuntu endpoints.
sca.policy_id: keyword_check
sca.passed: 0
sca.failed: 1
sca.invalid: 0
sca.total_checks: 1
sca.score: 0
sca.file: keywordcheck.yml

Agent log:
31552:2024/04/27 14:57:49 sca[13367] wm_sca.c:152 at wm_sca_main(): INFO: Module started.
31555-2024/04/27 14:57:49 sca[13367] wm_sca.c:191 at wm_sca_main(): INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
31556-2024/04/27 14:57:49 sca[13367] wm_sca.c:191 at wm_sca_main(): INFO: Loaded policy '/var/ossec/etc/custom-sca-files/keywordcheck.yml'
31565-2024/04/27 14:57:49 sca[13367] wm_sca.c:329 at wm_sca_start(): INFO: Starting Security Configuration Assessment scan.
Inventory:

🟢 Vulnerability detector

Manager Config
  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
    <os allow="Ubuntu-24">jammy</os>
    <update_interval>1m</update_interval>
  </provider>

Dashboard

🟢 Active response

Manager configuration:
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>restart-wazuh</command>
    <location>defined-agent</location>
    <agent_id>006</agent_id>
    <level>7</level>
  </active-response>
</ossec_config>
Result:

🟢 Log Capture

Agent configuration:
  <localfile>
    <location>/var/log/log_capture.log</location>
    <log_format>syslog</log_format>
  </localfile>
Result

🟢 Syscollector

Inventory

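The manager log in the SCA test above is raw alerts.log text: a `** Alert` header with the group list, the `>sca` decoder line, the rule line and then the decoded JSON payload, with the `sca.*` fields repeated underneath. The following script, added here as an example and not code from the Wazuh project or the issue author, pulls the `type=summary` payload out of each `sca` alert, applies the "Score less than 30%" condition that rule 19005 names, and checks that the counters add up. `SAMPLE_ALERTS` is constructed from the Keyword check alert shown in the thread (references field shortened); the consistency check on the counters is the example's own addition.

```python
"""Pull SCA summary alerts out of Wazuh alerts.log text and flag low scores.

Added example for this thread; it is not code from the Wazuh project or
the issue author. SAMPLE_ALERTS is constructed from the alert format shown
in the thread (the Keyword check summary with passed=0, failed=1). The
30% threshold is the one named in the rule 19005 description there.
"""
import json
import re
from dataclasses import dataclass

LOW_SCORE_THRESHOLD = 30

# Constructed sample, shaped like the manager log excerpt in the thread.
SAMPLE_ALERTS = """\
** Alert 1714227951.10671: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
>sca
Rule: 19005 (level 9) -> 'SCA summary: SCA use case: Keyword check: Score less than 30% (0)'
{"type":"summary","scan_id":1532790084,"name":"SCA use case: Keyword check","policy_id":"keyword_check","file":"keywordcheck.yml","description":"Guidance for checking for a keyword or phrase in files on Ubuntu endpoints.","passed":0,"failed":1,"invalid":0,"total_checks":1,"score":0,"start_time":1714227939,"end_time":1714227939,"force_alert":"1"}
sca.type: summary
sca.policy_id: keyword_check
sca.score: 0
"""


@dataclass(frozen=True)
class ScaSummary:
    policy_id: str
    name: str
    file: str
    passed: int
    failed: int
    invalid: int
    total_checks: int
    score: int

    @property
    def low_score(self) -> bool:
        # Same condition rule 19005 expresses as "Score less than 30%".
        return self.score < LOW_SCORE_THRESHOLD

    @property
    def counts_consistent(self) -> bool:
        # A summary whose counters do not add up points at a truncated or
        # mangled alert rather than a real assessment result.
        return self.passed + self.failed + self.invalid == self.total_checks


_ALERT_BOUNDARY = re.compile(r"^\*\* Alert ", re.MULTILINE)


def parse_sca_summaries(alerts_text: str) -> list[ScaSummary]:
    """Return one ScaSummary per 'sca' alert carrying a type=summary payload."""
    summaries = []
    for block in _ALERT_BOUNDARY.split(alerts_text):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        # Header looks like "1714227951.10671: - sca,gdpr_IV_35.7.d,..."; the
        # group list after " - " tells us which decoder produced the alert.
        header = lines[0]
        groups = header.split(" - ", 1)[1].split(",") if " - " in header else []
        if "sca" not in groups:
            continue
        # The decoded event is the first line that is a JSON object.
        payload = next((ln for ln in lines if ln.startswith("{")), None)
        if payload is None:
            continue
        try:
            event = json.loads(payload)
        except json.JSONDecodeError:
            continue
        if event.get("type") != "summary" or "policy_id" not in event:
            continue
        summaries.append(ScaSummary(
            policy_id=event["policy_id"],
            name=event.get("name", ""),
            file=event.get("file", ""),
            passed=int(event.get("passed", 0)),
            failed=int(event.get("failed", 0)),
            invalid=int(event.get("invalid", 0)),
            total_checks=int(event.get("total_checks", 0)),
            score=int(event.get("score", 0)),
        ))
    return summaries


def low_score_policies(alerts_text: str) -> list[str]:
    """policy_ids whose latest summary in the text scores below the threshold."""
    latest = {s.policy_id: s for s in parse_sca_summaries(alerts_text)}
    return sorted(pid for pid, s in latest.items() if s.low_score)


if __name__ == "__main__":
    for s in parse_sca_summaries(SAMPLE_ALERTS):
        flag = "LOW" if s.low_score else "ok"
        print(f"{s.policy_id:<20} score={s.score:>3}% passed={s.passed} failed={s.failed} {flag}")
```

Only the JSON payload is trusted for the numbers; the `sca.*` lines under it are the manager's pretty-printing of the same fields and are ignored, so the parser also works on alerts.json-style output where those lines are absent.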
@MarcelKemp
Member

MarcelKemp commented Apr 29, 2024

Review

Syscollector 🔴

As I see in the inventory, the collected packages do not have an architecture, vendor or description, so there seems to be a problem in the collection of the packages.

It would be necessary to open an issue to investigate this problem, because it also affects Vulnerability Detector scanning.

Vulnerability Detector 🔴

For this case, being one of the supported OSes and being LTS, it should have its corresponding <os>, so it is not correct to mark it as 🟢.

We need to check, on the one hand, if its corresponding OVAL is uploaded:

And on the other hand, create an issue to support it when the OVAL is uploaded. Example:

SCA 🟡

Certainly, it is not yet listed in CIS Benchmarks, but we should let the corresponding team know so they create the issue when they add it, or we create the issue and have them work on it when they add the new benchmark.

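The manager config in the test above maps Ubuntu 24.04 onto the jammy feed with `<os allow="Ubuntu-24">jammy</os>`, which is what the review objects to: the endpoint's packages are then compared against 22.04 fix versions rather than its own. The following script, added here as an example and not part of the issue or of Wazuh's own tooling, parses a provider block and lists every release that `allow` re-routes onto another release's feed, so the condition can be caught in configuration review. The `<ossec_config>`/`<vulnerability-detector>` wrapper around the posted block, the comma-splitting of `allow` and the codename-to-release table are assumptions of the example.

```python
"""Inspect the Ubuntu (canonical) provider of a Wazuh vulnerability-detector
configuration and report releases scanned with another release's feed.

Added example for this thread; it is not code from the Wazuh project or the
issue author. SAMPLE_CONFIG reproduces the provider block posted in the
thread, wrapped in the <ossec_config>/<vulnerability-detector> parents it
normally sits in. Splitting allow="..." on commas is an assumption; the
thread only shows a single value.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed wrapper around the provider block shown in the thread.
SAMPLE_CONFIG = """\
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <os allow="Ubuntu-24">jammy</os>
      <update_interval>1m</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
"""

# The Ubuntu release each codename's feed actually describes (reporting only;
# limited to the codenames that appear in the thread's config).
CODENAME_RELEASE = {
    "trusty": "Ubuntu-14", "xenial": "Ubuntu-16", "bionic": "Ubuntu-18",
    "focal": "Ubuntu-20", "jammy": "Ubuntu-22",
}


@dataclass(frozen=True)
class FeedEntry:
    provider: str
    codename: str
    allow: tuple[str, ...]  # OS identifiers re-routed onto this codename's feed


def parse_provider_feeds(config_xml: str) -> list[FeedEntry]:
    """One FeedEntry per <os> element under every <provider> in the config."""
    root = ET.fromstring(config_xml)
    entries = []
    for provider in root.iter("provider"):
        name = provider.get("name", "")
        for os_el in provider.findall("os"):
            raw_allow = os_el.get("allow") or ""
            allow = tuple(a.strip() for a in raw_allow.split(",") if a.strip())
            entries.append(FeedEntry(name, (os_el.text or "").strip(), allow))
    return entries


def aliased_releases(entries):
    """(allowed_os, codename, feed_release) for every allow="..." re-routing.

    An aliased release is matched against the package versions of a different
    release's feed, so its results are not authoritative: a CVE fixed in the
    feed release may still be open in the aliased one, and vice versa.
    """
    return [
        (alias, e.codename, CODENAME_RELEASE.get(e.codename, "unknown"))
        for e in entries
        for alias in e.allow
    ]


def native_codenames(entries, provider="canonical"):
    """Codenames that have a feed entry of their own (no allow attribute)."""
    return sorted({e.codename for e in entries if e.provider == provider and not e.allow})


if __name__ == "__main__":
    feeds = parse_provider_feeds(SAMPLE_CONFIG)
    print("native feeds:", ", ".join(native_codenames(feeds)))
    for alias, codename, release in aliased_releases(feeds):
        print(f"WARNING: {alias} is scanned with the {codename} ({release}) feed")
```

Running it on the posted block reports `Ubuntu-24` as scanned with the jammy (Ubuntu-22) feed and nothing else, which is the concrete reason the 🟢 for Vulnerability Detector did not hold up in review.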
@lchico
Member Author

lchico commented Apr 29, 2024

Syscollector 🔴 -> 🟢

After testing against the feedback from @MarcelKemp's review, I couldn't reproduce the reported issue:

As I see in the inventory, the collected packages do not have an architecture, vendor or description, so there seems to be a problem in the collection of the packages.

I retested on the same Vagrant box: bento/ubuntu-24.04

[screenshot: package inventory on bento/ubuntu-24.04]

Additionally, I tested with Docker using the image: ubuntu:24.04, and it also worked as expected.

[screenshot: package inventory on ubuntu:24.04]

So maybe it was a refresh issue.

@MarcelKemp
Member

LGTM.

@Mjhay07

Mjhay07 commented May 14, 2024

Hi, I encountered an issue with Ubuntu 24.04 LTS. All the agents with this specific OS version stop at random times, and the last log is:
2024/05/14 17:43:42 wazuh-agentd: ERROR: (1216): Unable to connect to '[10.10.140.2]:1514/tcp': 'Connection timed out'.
2024/05/14 17:43:52 wazuh-agentd: INFO: Trying to connect to server ([10.10.140.2]:1514/tcp).
However, when I tried to ping the Wazuh server, it became active again.
