
Release 4.8.0 - RC 1 - Specific systems #23261

Closed
1 task
wazuhci opened this issue May 3, 2024 · 10 comments

Comments

@wazuhci

wazuhci commented May 3, 2024

Packages tests metrics information

| Field | Value |
|---|---|
| Main release stage issue | #23246 |
| Main packages metrics issue | #23255 |
| Version | 4.8.0 |
| Release stage | RC 1 |
| Tag | https://github.com/wazuh/wazuh/tree/v4.8.0-rc1 |

Build packages

| System | Status | Build |
|---|---|---|
| AIX | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/965/ |
| HPUX | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/966/ |
| S10 SPARC | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/968/ |
| S11 SPARC | 🟢 | https://ci.wazuh.info/job/Packages_builder_special/967/ |
| OVA | 🟢 | https://ci.wazuh.info/job/Packages_builder_tier/3442/ |
| AMI | 🟢 | https://ci.wazuh.info/job/Packages_builder_tier/3443/ |

Test packages

| System | Build | Install | Deployment install | Upgrade | Remove | TCP | UDP | Errors found | Warnings found | Alerts found | Check users |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AIX | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| HPUX | 🟢 | 🔴 | --- | --- | | | | | | | |
| S10 SPARC | 🟢 | 🟢 | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| S11 SPARC | 🟢 | 🟢 | --- | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| OVA | 🟢 | 🟢 | --- | --- | --- | 🟢 | 🟢 | 🟡 | 🟡 | 🟢 | 🟢 |
| AMI | 🟢 | 🟢 | --- | --- | --- | 🟢 | 🟢 | 🟡 | 🟡 | 🟢 | 🟢 |

PPC64EL packages

| System | Build | Install | Deployment install | Upgrade | Uninstall | Alerts | TCP | UDP | Errors | Warnings | System users |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CentOS 7 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| Debian Stretch | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

OVA/AMI specific tests

| System | Filebeat test | Cluster green/yellow | Production repositories | UI Access | No SSH root access | SSH user access | Wazuh dashboard/APP version | Dashboard/Indexer VERSION file |
|---|---|---|---|---|---|---|---|---|
| OVA | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| AMI | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Approved with known issues
🟢 - Approved


Testing considerations

  • Testing on PPC64EL systems must be done inside a container.
    • The container must be requested from the CICD team using an internal-devel-request, with access through authorized keys and a specific password.
  • When testing on PPC64EL Debian, installing procps may be required if it is not present in the container.

Conclusion 🔴

New issues

Known issues

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.


@juliamagan

juliamagan commented May 6, 2024

Analysis report - AIX 🟢

System info 🟢
# hostname
soaxp126
# uname -a
AIX soaxp126 1 6 00CADA644C00
Installation with variables 🟢
  • Wazuh agent
# curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14.3M  100 14.3M    0     0  10.4M      0  0:00:01  0:00:01 --:--:-- 10.4M
# WAZUH_MANAGER="X.X.X.X" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

#  grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp126
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp126 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1714994997

   Syscheck last started at:  Mon May  6 11:29:28 2024
   Syscheck last ended at:    Mon May  6 11:29:35 2024
Installation without variables 🟢
  • Wazuh agent
# rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################
# vi /var/ossec/etc/ossec.conf

# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp126
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp126 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1714995383

   Syscheck last started at:  Mon May  6 11:35:04 2024
   Syscheck last ended at:    Mon May  6 11:35:11 2024

Generate alerts (TCP & UDP) 🟢
  • TCP - Wazuh Agent
# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/06 06:34:56 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:34:56 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:03 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:03 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:06 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:06 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:35:06 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
  • TCP - Wazuh Server
{"timestamp":"2024-05-06T11:35:26.165+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"soaxp126","ip":"192.168.253.126"},"manager":{"name":"wazuh-server"},"id":"1714995326.139209","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"23926","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}
  • UDP - Wazuh Agent
# grep udp /var/ossec/etc/ossec.conf
       <protocol>udp</protocol>
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/06 06:38:44 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/06 06:38:44 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

  • UDP - Wazuh Server
{"timestamp":"2024-05-06T11:38:50.267+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":10,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"soaxp126","ip":"192.168.253.126"},"manager":{"name":"wazuh-server"},"id":"1714995530.146735","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}

Removal 🟢
# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
Check users and groups 🟢
# cat /etc/passwd | grep wazuh
wazuh:*:211:1::/home/wazuh:/usr/bin/ksh
# cat /etc/group | grep wazuh
wazuh:!:209:wazuh
Errors and warnings 🟢
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0
Upgrade 🟢
  • Install previous version:
# curl -O -k https://packages.wazuh.com/4.x/aix/wazuh-agent-4.7.4-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13.5M  100 13.5M    0     0  10.4M      0  0:00:01  0:00:01 --:--:-- 10.4M
# WAZUH_MANAGER="X.X.X.X" rpm -ivh wazuh-agent-4.7.4-1.aix.ppc.rpm
wazuh-agent                 ##################################################
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp126
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp126 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.7.4
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1714995940

   Syscheck last started at:  Mon May  6 11:45:21 2024
   Syscheck last ended at:    Mon May  6 11:45:28 2024
  • Upgrade:
# rpm -U wazuh-agent-4.8.0-1.aix.ppc.rpm
# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
2024/05/06 06:45:23 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       1
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp126
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp126 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1714996206

   Syscheck last started at:  Mon May  6 11:47:07 2024
   Syscheck last ended at:    Mon May  6 11:47:17 2024
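The report above repeats the same three checks after every install and upgrade: `wazuh-control info` on the agent, `agent_control -i` on the manager, and a grep of ossec.log for errors and warnings. The following Python is an added example, not part of this issue or of Wazuh itself, that parses those three outputs and returns a single verdict; the sample inputs are constructed from the AIX upgrade step, and the expected version and the field names are assumptions taken from that output.

```python
"""Added example: automate the post-upgrade checks used in this release test.

It parses `wazuh-control info`, `agent_control -i <id>` and the agent's
ossec.log, then reports whether the versions agree, the agent is Active,
and whether any ERROR/WARNING/CRITICAL lines were logged.
"""
import re
from typing import Dict, List

# Constructed sample of `/var/ossec/bin/wazuh-control info` after the upgrade.
WAZUH_CONTROL_INFO = '''WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
'''

# Constructed sample of `agent_control -i 003` run on the manager.
AGENT_CONTROL_INFO = '''
Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp126
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp126 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1714996206
'''

# Constructed sample of ossec.log lines around the AIX upgrade (the ERROR
# line is the one the report shows; the INFO lines are filler).
OSSEC_LOG = '''2024/05/06 06:45:21 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 06:45:21 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 06:45:23 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2024/05/06 06:45:30 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
'''

# Agent log format: "YYYY/MM/DD HH:MM:SS <daemon>: <LEVEL>: <message>".
LOG_LINE = re.compile(r'^(\S+ \S+) (\S+): (DEBUG|INFO|WARNING|ERROR|CRITICAL): (.*)$')


def parse_wazuh_control_info(text: str) -> Dict[str, str]:
    """Turn KEY="value" lines from `wazuh-control info` into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^(\w+)="([^"]*)"$', text, re.M)}


def parse_agent_control_info(text: str) -> Dict[str, str]:
    """Turn the 'Label:   value' lines of `agent_control -i` into a dict.

    The banner line ends with a bare ':' and is skipped."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ':' in line and not line.endswith(':'):
            key, _, val = line.partition(':')
            out[key.strip()] = val.strip()
    return out


def scan_log(text: str, levels=("ERROR", "WARNING", "CRITICAL")) -> List[dict]:
    """Return structured records for log lines whose level is in `levels`.

    Matching on the parsed level field is more reliable than a grep pattern:
    without -E, basic grep treats '|' literally, so "ERROR|WARNING" matches
    nothing and a count of 0 proves nothing."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group(3) in levels:
            hits.append({"time": m.group(1), "daemon": m.group(2),
                         "level": m.group(3), "msg": m.group(4)})
    return hits


def verify_upgrade(expected_version: str, control_info: str,
                   agent_info: str, log: str) -> dict:
    """Run the release-test checks and return a verdict with the evidence."""
    ci = parse_wazuh_control_info(control_info)
    ai = parse_agent_control_info(agent_info)
    problems = scan_log(log)
    checks = {
        "agent_reports_expected_version": ci.get("WAZUH_VERSION") == expected_version,
        "manager_sees_expected_version": ai.get("Client version") == f"Wazuh {expected_version}",
        "agent_active": ai.get("Status") == "Active",
        "no_errors_or_warnings": not problems,
    }
    return {"checks": checks, "ok": all(checks.values()), "problems": problems}


if __name__ == "__main__":
    verdict = verify_upgrade("v4.8.0", WAZUH_CONTROL_INFO, AGENT_CONTROL_INFO, OSSEC_LOG)
    for name, passed in verdict["checks"].items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
    for p in verdict["problems"]:
        print(f"  {p['time']} {p['daemon']} {p['level']}: {p['msg']}")
```

On the constructed input the version and status checks pass but the verdict is not OK, because the single ERROR line (1137, lost connection during the restart) is surfaced rather than hidden behind a count.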

@juliamagan

Analysis report - Solaris 10 🟢

System info 🟢
# hostname
sossp109
# uname -a
SunOS sossp109 5.10 Generic_147147-26 sun4v sparc sun4v
Installation without variables 🟢
  • Wazuh agent
# /opt/csw/bin/curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.8.0-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 17.4M    0  7672    0     0  17243      0  0:17:43 --:--:--  0:17:43 17240
100 17.4M  100 17.4M    0     0  7035k      0  0:00:02  0:00:02 --:--:-- 7036k
# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </wazuh-agent_v4.8.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

bash-3.2#  /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sossp109
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715009549

   Syscheck last started at:  Mon May  6 15:32:05 2024
   Syscheck last ended at:    Mon May  6 15:32:24 2024
Generate alerts (TCP & UDP) 🟢
  • TCP - Wazuh Agent
bash-3.2# egrep "tcp" /var/ossec/logs/ossec.log 
2024/05/06 10:32:02 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 10:32:02 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 10:32:04 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 10:32:04 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
  • TCP - Wazuh Server
{"timestamp":"2024-05-06T15:32:33.640+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"sossp109","ip":"192.168.253.109"},"manager":{"name":"wazuh-server"},"id":"1715009553.293206","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"19567","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"}
  • UDP - Wazuh Agent
bash-3.2# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
bash-3.2# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# grep "udp" /var/ossec/logs/ossec.log
2024/05/06 10:34:56 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/06 10:34:56 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
  • UDP - Wazuh Server
{"timestamp":"2024-05-06T15:35:09.468+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sossp109","ip":"192.168.253.109"},"manager":{"name":"wazuh-server"},"id":"1715009709.294989","full_log":"File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.X11-pipe/X0"},"location":"rootcheck"}
Removal 🟢
bash-3.2# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.8.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
Check users and groups 🟢
bash-3.2# cat /etc/passwd | grep wazuh
wazuh:x:61561:57447::/var/ossec:/bin/false
bash-3.2# cat /etc/group | grep wazuh
wazuh::57447:
Errors and warnings 🟢
bash-3.2# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
bash-3.2# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0
Upgrade 🟢
  • Install previous version:
bash-3.2# /opt/csw/bin/curl -O https://packages.wazuh.com/4.x/solaris/sparc/10/wazuh-agent_v4.7.4-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15.7M  100 15.7M    0     0  6298k      0  0:00:02  0:00:02 --:--:-- 6300k
bash-3.2# pkgadd -d wazuh-agent_v4.7.4-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </wazuh-agent_v4.7.4-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.4
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
X.X.X.X[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sossp109
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.7.4
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715010296

   Syscheck last started at:  Mon May  6 15:44:51 2024
   Syscheck last ended at:    Mon May  6 15:44:57 2024
  • Upgrade:
bash-3.2# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.4 Stopped
bash-3.2# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
bash-3.2# cp /var/ossec/etc/client.keys ~/client.keys.bk
bash-3.2# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.7.4

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.7.4 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
bash-3.2# rm -rf /var/ossec
bash-3.2# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </wazuh-agent_v4.8.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.
bash-3.2# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
bash-3.2# chown root:wazuh /var/ossec/etc/ossec.conf
bash-3.2# mv ~/client.keys.bk /var/ossec/etc/client.keys
bash-3.2# chown root:wazuh /var/ossec/etc/client.keys
bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sossp109
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715011160

   Syscheck last started at:  Mon May  6 15:47:45 2024
   Syscheck last ended at:    Mon May  6 15:47:51 2024

@juliamagan
Member

Analysis report - Solaris 11 🟢

System info 🟢
root@sossp104:~# hostname
sossp104
root@sossp104:~# uname -a
SunOS sossp104 5.11 11.3 sun4v sparc sun4v

Installation without variables 🟢
  • Wazuh agent
root@sossp104:~# curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.8.0-sol11-sparc.p5p
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7030k  100 7030k    0     0  5790k      0  0:00:01  0:00:01 --:--:-- 5947k
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
Creating Plan (Evaluating mediators): /

           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1       119/119      6.5/6.5 29.7M/s

PHASE                                          ITEMS
Installing new actions                       175/175
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 


root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006

Wazuh agent_control. Agent information:
   Agent ID:   006
   Agent Name: sossp104
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715012336

   Syscheck last started at:  Mon May  6 16:12:48 2024
   Syscheck last ended at:    Mon May  6 16:14:58 2024
Generate alerts (TCP & UDP) 🟢
  • TCP

  • Wazuh Agent

root@sossp104:~# grep "tcp" /var/ossec/logs/ossec.log 
2024/05/06 11:12:38 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:38 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:47 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/06 11:12:47 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
  • TCP
  • Wazuh Server
{"timestamp":"2024-05-06T16:13:07.785+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"sossp104","ip":"192.168.253.104"},"manager":{"name":"wazuh-server"},"id":"1715011987.492883","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
  • UDP
  • Wazuh Agent
root@sossp104:~# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# grep "udp" /var/ossec/logs/ossec.log
2024/05/06 11:20:36 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/06 11:20:36 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
  • UDP
  • Wazuh Server
{"timestamp":"2024-05-06T16:20:55.076+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":4,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"sossp104","ip":"192.168.253.104"},"manager":{"name":"wazuh-server"},"id":"1715012455.494345","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
Removal 🟢
root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
root@sossp104:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         222/222
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  var/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240506T112544Z
  var/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240506T112544Z
  var/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240506T112544Z
  var/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240506T112544Z
  var/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240506T112544Z
  var/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240506T112544Z
  var/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240506T112544Z
  var/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240506T112544Z
  var/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240506T112544Z
  var/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240506T112544Z
Check users and groups 🟢
root@sossp104:~#  cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp104:~#  cat /etc/group | grep wazuh
wazuh::13:
Errors and warnings 🟢
root@sossp104:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
root@sossp104:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0

Upgrade 🟢
  • Install previous version:
root@sossp104:~# curl -O https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.7.4-sol11-sparc.p5p
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6270k  100 6270k    0     0  5717k      0  0:00:01  0:00:01 --:--:-- 5887k

root@sossp104:~# pkg install -g wazuh-agent_v4.7.4-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         98/98      5.8/5.8    0B/s

PHASE                                          ITEMS
Installing new actions                       151/151
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp104
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.7.4
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715013660

   Syscheck last started at:  Mon May  6 16:40:42 2024
   Syscheck last ended at:    Mon May  6 16:40:48 2024
  • Upgrade:
root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.4 Stopped
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
            Packages to update:   1
       Create boot environment:  No
Create backup boot environment: Yes

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         57/57      5.7/5.7 44.9M/s

PHASE                                          ITEMS
Installing new actions                         24/24
Updating modified actions                      38/38
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"


[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp104
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715014109

   Syscheck last started at:  Mon May  6 16:47:30 2024
   Syscheck last ended at:    Mon May  6 16:47:37 2024

@juliamagan
Member

Analysis report - Debian Stretch PPC64EL 🟢

System info
root@b15135db48bf:~#  cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Installation with variables 🟢
  • Wazuh agent
root@b15135db48bf:~# curl -O https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_ppc64el.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6305k  100 6305k    0     0  14.3M      0 --:--:-- --:--:-- --:--:-- 14.3M

root@b15135db48bf:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb'
The following additional packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Suggested packages:
  bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils
  binfmt-support readline-doc
The following NEW packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common wazuh-agent xz-utils
0 upgraded, 21 newly installed, 0 to remove and 3 not upgraded.
Need to get 6437 kB/12.9 MB of archives.
After this operation, 76.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [6457 kB]
Get:2 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://archive.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:4 http://archive.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:5 http://archive.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:6 http://archive.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:7 http://archive.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB]
Get:8 http://archive.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB]
Get:9 http://archive.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB]
Get:10 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:11 http://archive.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:12 http://archive.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:13 http://archive.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]        
Get:14 http://archive.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]         
Get:15 http://archive.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]         
Get:16 http://archive.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]
Get:17 http://archive.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]
Get:18 http://archive.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]    
Get:19 http://archive.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]    
Get:20 http://archive.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]        
Get:21 http://archive.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]      
Fetched 6437 kB in 10s (590 kB/s)                                                                      
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 11722 files and directories currently installed.)
Preparing to unpack .../00-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../01-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../02-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../03-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../04-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../05-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:ppc64el.
Preparing to unpack .../06-libreadline7_7.0-3_ppc64el.deb ...
Unpacking libreadline7:ppc64el (7.0-3) ...
Selecting previously unselected package libsqlite3-0:ppc64el.
Preparing to unpack .../07-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ...
Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../08-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../09-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../10-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../11-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 12694 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up libreadline7:ppc64el (7.0-3) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Processing triggers for systemd (232-25+deb9u12) ...
Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

root@b15135db48bf:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@b15135db48bf:~# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

  
root@b15135db48bf:~# grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>

  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: b15135db48bf
   IP address: any
   Status:     Active

   Operating system:    Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715068559

   Syscheck last started at:  Tue May  7 07:55:20 2024
   Syscheck last ended at:    Tue May  7 07:55:33 2024
 
Installation without variables 🟢
  • Wazuh agent
root@b15135db48bf:~# apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/6457 kB of archives.
After this operation, 40.4 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [6457 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 12838 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

root@b15135db48bf:~# vim /var/ossec/etc/ossec.conf 
root@b15135db48bf:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@b15135db48bf:~# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 009

Wazuh agent_control. Agent information:
   Agent ID:   009
   Agent Name: b15135db48bf
   IP address: any
   Status:     Active

   Operating system:    Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715068952

   Syscheck last started at:  Tue May  7 08:02:33 2024
   Syscheck last ended at:    Tue May  7 08:02:35 2024

 
Generate alerts (TCP & UDP) 🟢
  • TCP
  • Wazuh Agent
root@b15135db48bf:~# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/07 08:02:26 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:26 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:32 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:32 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:45 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:02:50 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
  • TCP
  • Wazuh Server
{"timestamp":"2024-05-07T08:03:02.311+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"009","name":"b15135db48bf","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715068982.1127469","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1203457508","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"}
  • UDP
  • Wazuh Agent
root@b15135db48bf:~# vim /var/ossec/etc/ossec.conf 
root@b15135db48bf:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@b15135db48bf:~# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/07 08:04:10 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/07 08:04:10 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
  • UDP
  • Wazuh Server
{"timestamp":"2024-05-07T08:04:31.232+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"009","name":"b15135db48bf","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715069071.1177913","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1941082158","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"}
Removal 🟢
root@b15135db48bf:~# apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 40.4 MB disk space will be freed.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 13245 files and directories currently installed.)
Removing wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@b15135db48bf:~# apt-get remove --purge wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 12852 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.8.0-1) ...
Processing triggers for systemd (232-25+deb9u12) ...
Check users and groups 🟢
root@b15135db48bf:~# cat /etc/passwd | grep wazuh
wazuh:x:107:108::/var/ossec:/bin/false
root@b15135db48bf:~# cat /etc/group | grep wazuh
wazuh:x:108:
Errors and warnings 🟢
root@b15135db48bf:~# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
root@b15135db48bf:~# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0
Upgrade 🟢
  • Install previous version:
root@b15135db48bf:~# curl -O https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.4-1_ppc64el.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5591k  100 5591k    0     0  12.8M      0 --:--:-- --:--:-- --:--:-- 12.9M

root@b15135db48bf:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.7.4-1_ppc64el.deb
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.7.4-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/5726 kB of archives.
After this operation, 37.1 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.7.4-1_ppc64el.deb wazuh-agent ppc64el 4.7.4-1 [5726 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 14648 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.4-1_ppc64el.deb ...
Unpacking wazuh-agent (4.7.4-1) ...
Setting up wazuh-agent (4.7.4-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.7.4-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

root@b15135db48bf:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@b15135db48bf:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: b15135db48bf
   IP address: any
   Status:     Active

   Operating system:    Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.7.4
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715069439

   Syscheck last started at:  Tue May  7 08:10:39 2024
   Syscheck last ended at:    Tue May  7 08:10:41 2024
  • Upgrade:
root@b15135db48bf:~# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@b15135db48bf:~# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@b15135db48bf:~# apt-get update
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://archive.debian.org/debian stretch Release
Get:4 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el Packages [8121 B]
Fetched 25.4 kB in 0s (39.4 kB/s)
Reading package lists... Done
root@b15135db48bf:~# apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 6457 kB of archives.
After this operation, 3280 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.8.0-1 [6457 kB]
Fetched 6457 kB in 0s (10.7 MB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 15241 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) over (4.7.4-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
root@b15135db48bf:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@b15135db48bf:~# /var/ossec/bin/wazuh-control info  
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: b15135db48bf
   IP address: any
   Status:     Active

   Operating system:    Linux |b15135db48bf |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715069901

   Syscheck last started at:  Tue May  7 08:17:32 2024
   Syscheck last ended at:    Tue May  7 08:17:33 2024

@juliamagan
Member

Analysis report - CentOS 7 PPC64EL 🟢

System info
[root@5a4317d62f7b ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Installation with variables 🟢
  • Wazuh agent
[root@5a4317d62f7b ~]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7994k  100 7994k    0     0  2469k      0  0:00:03  0:00:03 --:--:-- 2470k
[root@5a4317d62f7b ~]# WAZUH_MANAGER="X.X.X.X" yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le
Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package               Arch              Version           Repository                              Size
========================================================================================================
Installing:
 wazuh-agent           ppc64le           4.8.0-1           /wazuh-agent-4.8.0-1.ppc64le            36 M

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 36 M
Installed size: 36 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 

Installed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!


[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

  
[root@5a4317d62f7b ~]# grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>


  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
   Agent ID:   011
   Agent Name: 5a4317d62f7b
   IP address: any
   Status:     Pending

   Operating system:    Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715070318

   Syscheck last started at:  Tue May  7 08:24:55 2024
   Syscheck last ended at:    Tue May  7 08:25:21 2024

 
Installation without variables 🟢
  • Wazuh agent
[root@5a4317d62f7b ~]#  yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le
Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package               Arch              Version           Repository                              Size
========================================================================================================
Installing:
 wazuh-agent           ppc64le           4.8.0-1           /wazuh-agent-4.8.0-1.ppc64le            36 M

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 36 M
Installed size: 36 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 

Installed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!


[root@5a4317d62f7b ~]# vim /var/ossec/etc/ossec.conf 
-bash: vim: command not found
[root@5a4317d62f7b ~]# vi /var/ossec/etc/ossec.conf 
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
  • Wazuh server
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 012

Wazuh agent_control. Agent information:
   Agent ID:   012
   Agent Name: 5a4317d62f7b
   IP address: any
   Status:     Active

   Operating system:    Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715070829

   Syscheck last started at:  Tue May  7 08:33:49 2024
   Syscheck last ended at:    Tue May  7 08:33:51 2024


 
Generate alerts (TCP & UDP) 🟢
  • TCP
  • Wazuh Agent
[root@5a4317d62f7b ~]# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/07 08:33:42 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:33:42 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:33:48 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:33:48 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/07 08:34:05 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:34:05 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/07 08:34:05 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
  • TCP
  • Wazuh Server
{"timestamp":"2024-05-07T08:34:15.888+0000","rule":{"level":3,"description":"CIS CentOS Linux 7 Benchmark v3.0.0: Ensure shadow group is empty.","id":"19008","firedtimes":236,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.3"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2","CC5.2"],"cis":["6.2.18"],"cis_csc":["5.1"],"gpg_13":["4.3"],"gdpr_IV":["35.7.d"],"hipaa":["164.312.b"],"cis_level":["1"]},"agent":{"id":"012","name":"5a4317d62f7b","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715070855.2738847","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1703781396","policy":"CIS CentOS Linux 7 Benchmark v3.0.0","check":{"id":"6195","title":"Ensure shadow group is empty.","description":"The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group","rationale":"Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily runa password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.","remediation":"Remove any legacy '+' entries from /etc/shadow if they exist.","compliance":{"cis":"6.2.18","cis_csc":"5.1","pci_dss":"2.2.3","nist_800_53":"CM.1","gpg_13":"4.3","gdpr_IV":"35.7.d","hipaa":"164.312.b","tsc":"CC5.2","cis_level":"1"},"command":["grep -E ^shadow:[^:]*:[^:]*:[^:]+ /etc/group"],"result":"passed"}}},"location":"sca"}
  • UDP
  • Wazuh Agent
[root@5a4317d62f7b ~]# vi /var/ossec/etc/ossec.conf 
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/07 08:35:07 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/07 08:35:07 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
  • UDP
  • Wazuh Server
{"timestamp":"2024-05-07T08:35:24.559+0000","rule":{"level":3,"description":"CIS CentOS Linux 7 Benchmark v3.0.0: Ensure default group for the root account is GID 0.","id":"19008","firedtimes":238,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","8.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2","CC6.1"],"cis":["5.4.3"],"cis_csc":["5.1"],"cis_level":["1"]},"agent":{"id":"012","name":"5a4317d62f7b","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1715070924.2815184","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"716391465","policy":"CIS CentOS Linux 7 Benchmark v3.0.0","check":{"id":"6180","title":"Ensure default group for the root account is GID 0.","description":"The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.","rationale":"Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users.","remediation":"Run the following command to set the root user default group to GID 0: usermod -g 0 root","compliance":{"cis":"5.4.3","cis_csc":"5.1","pci_dss":"8.2","tsc":"CC6.1","cis_level":"1"},"file":["/etc/passwd"],"result":"passed"}}},"location":"sca"}
Removal 🟢
[root@5a4317d62f7b ~]# yum remove wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package              Arch             Version             Repository                              Size
========================================================================================================
Removing:
 wazuh-agent          ppc64le          4.8.0-1             @/wazuh-agent-4.8.0-1.ppc64le           36 M

Transaction Summary
========================================================================================================
Remove  1 Package

Installed size: 36 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 

Removed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!
Check users and groups 🟢
[root@5a4317d62f7b ~]# cat /etc/passwd | grep wazuh
wazuh:x:999:997::/var/ossec:/sbin/nologin
[root@5a4317d62f7b ~]# cat /etc/group | grep wazuh
wazuh:x:997:wazuh
Errors and warnings 🟢
[root@5a4317d62f7b ~]# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
[root@5a4317d62f7b ~]# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0
Upgrade 🟢
  • Install previous version:
[root@5a4317d62f7b ~]# curl -O https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.4-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7043k  100 7043k    0     0  9806k      0 --:--:-- --:--:-- --:--:-- 9809k


[root@5a4317d62f7b ~]# WAZUH_MANAGER="X.X.X.X" yum install ./wazuh-agent-4.7.4-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.7.4-1.ppc64le.rpm: wazuh-agent-4.7.4-1.ppc64le
Marking ./wazuh-agent-4.7.4-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.4-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package              Arch             Version          Repository                             Size
====================================================================================================
Installing:
 wazuh-agent          ppc64le          4.7.4-1          /wazuh-agent-4.7.4-1.ppc64le           32 M

Transaction Summary
====================================================================================================
Install  1 Package

Total size: 32 M
Installed size: 32 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.7.4-1.ppc64le                                                      1/1 
  Verifying  : wazuh-agent-4.7.4-1.ppc64le                                                      1/1 

Installed:
  wazuh-agent.ppc64le 0:4.7.4-1                                                                     

Complete!


[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.4...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.4"
WAZUH_REVISION="40717"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013

Wazuh agent_control. Agent information:
   Agent ID:   013
   Agent Name: 5a4317d62f7b
   IP address: any
   Status:     Active

   Operating system:    Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.7.4
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715071164

   Syscheck last started at:  Tue May  7 08:39:24 2024
   Syscheck last ended at:    Tue May  7 08:39:26 2024
  • Upgrade:
[root@5a4317d62f7b ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@5a4317d62f7b ~]# cat > /etc/yum.repos.d/wazuh.repo << EOF
> [wazuh]
> gpgcheck=1
> gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
> enabled=1
> name=EL-\$releasever - Wazuh
> baseurl=https://packages-dev.wazuh.com/pre-release/yum/
> protect=1
> EOF
[root@5a4317d62f7b ~]# yum clean all
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Cleaning repos: base extras updates wazuh
Cleaning up list of fastest mirrors

[root@5a4317d62f7b ~]# yum upgrade wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: mirrors.xtom.com
 * extras: mirrors.xtom.com
 * updates: mirrors.xtom.com
base                                                                         | 3.6 kB  00:00:00     
extras                                                                       | 2.9 kB  00:00:00     
updates                                                                      | 2.9 kB  00:00:00     
wazuh                                                                        | 3.4 kB  00:00:00     
(1/5): base/7/ppc64le/group_gz                                               | 153 kB  00:00:00     
(2/5): extras/7/ppc64le/primary_db                                           | 233 kB  00:00:00     
(3/5): base/7/ppc64le/primary_db                                             | 4.8 MB  00:00:00     
(4/5): updates/7/ppc64le/primary_db                                          |  21 MB  00:00:00     
(5/5): wazuh/primary_db                                                      | 462 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.4-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                   Arch                  Version                  Repository           Size
====================================================================================================
Updating:
 wazuh-agent               ppc64le               4.8.0-1                  wazuh               7.8 M

Transaction Summary
====================================================================================================
Upgrade  1 Package

Total download size: 7.8 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-agent-4.8.0-1.ppc64le.rpm                                              | 7.8 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-agent-4.8.0-1.ppc64le                                                      1/2 
  Cleanup    : wazuh-agent-4.7.4-1.ppc64le                                                      2/2 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                      1/2 
  Verifying  : wazuh-agent-4.7.4-1.ppc64le                                                      2/2 

Updated:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                     

Complete!

[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
[root@5a4317d62f7b ~]# /var/ossec/bin/wazuh-control info  
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013

Wazuh agent_control. Agent information:
   Agent ID:   013
   Agent Name: 5a4317d62f7b
   IP address: any
   Status:     Active

   Operating system:    Linux |5a4317d62f7b |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1715071323

   Syscheck last started at:  Tue May  7 08:41:24 2024
   Syscheck last ended at:    Tue May  7 08:41:26 2024
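
The upgrade path above (import the signing key, write the repo definition with gpgcheck=1, yum upgrade, then confirm the version with wazuh-control info) and the earlier errors-and-warnings grep are manual checks. The script below is an added example, not part of this issue or of Wazuh's own tooling, that turns them into repeatable functions: it rejects a repo definition that disables signature checking or uses a plain-HTTP source, verifies the reported agent version against the expected tag, and counts error/warning/critical lines in an ossec.log excerpt. All inputs (the weak repo file, the log lines marked as constructed, the mirror.example.internal host) are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example, not part of this issue or of Wazuh's own tooling. It turns the
# manual release checks above (hardened yum repo definition, expected agent
# version after upgrade, empty error/warning grep) into repeatable functions.
# Every input below is constructed inline so the script runs offline.
set -eu

# A yum .repo file passes only if it keeps signature verification on
# (gpgcheck=1), names a gpgkey served over HTTPS, and fetches packages over
# HTTPS. Any weaker combination returns 1.
check_repo_hardening() {
    grep -qE '^gpgcheck=1$' "$1" || return 1
    grep -qE '^gpgkey=https://' "$1" || return 1
    grep -qE '^baseurl=https://' "$1" || return 1
    return 0
}

# Read `wazuh-control info` output on stdin, print the WAZUH_VERSION value and
# return 1 when it differs from the expected release tag.
check_agent_version() {
    expected=$1
    found=$(sed -n 's/^WAZUH_VERSION="\(.*\)"$/\1/p')
    printf '%s\n' "$found"
    [ "$found" = "$expected" ]
}

# Count error/warning/critical lines in an ossec.log style file, using the same
# case-insensitive pattern as the grep in the test report. Prints 0 when clean.
count_log_problems() {
    grep -ciE 'err|warn|crit' "$1" || true
}

# Write constructed sample inputs into the directory given as $1.
write_samples() {
    # Hardened repo: mirrors the definition written in the upgrade step.
    cat > "$1/hardened.repo" <<'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
EOF
    # Weak repo (constructed): signature check disabled, plain-HTTP mirror.
    cat > "$1/weak.repo" <<'EOF'
[wazuh]
gpgcheck=0
enabled=1
baseurl=http://mirror.example.internal/wazuh/yum/
EOF
    # wazuh-control info output as seen after the upgrade above.
    cat > "$1/info.txt" <<'EOF'
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
EOF
    # ossec.log excerpt: two clean lines plus one constructed warning and error.
    cat > "$1/ossec.log" <<'EOF'
2024/05/07 08:35:07 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/07 08:35:07 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).
2024/05/07 08:36:00 wazuh-modulesd: WARNING: constructed sample warning line
2024/05/07 08:36:01 wazuh-agentd: ERROR: constructed sample error line
EOF
}

# Stand-alone run: exercise each check against the constructed samples.
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
if check_repo_hardening "$SAMPLES/hardened.repo"; then echo "hardened.repo: OK"; fi
if ! check_repo_hardening "$SAMPLES/weak.repo"; then echo "weak.repo: rejected"; fi
if check_agent_version v4.8.0 < "$SAMPLES/info.txt" >/dev/null; then echo "version: OK"; fi
echo "problem lines in ossec.log: $(count_log_problems "$SAMPLES/ossec.log")"
rm -r "$SAMPLES"
```

On a real host the same functions would be pointed at /etc/yum.repos.d/wazuh.repo, `/var/ossec/bin/wazuh-control info` and /var/ossec/logs/ossec.log; the point of keeping gpgcheck=1 with an HTTPS gpgkey is that a pre-release mirror is only trustworthy while package signatures are still verified.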

@juliamagan

juliamagan commented May 7, 2024

Analysis Report - AMI 🟡

WUI 🟢
  • Loading Screen: OK (screenshot: loading)
  • Login Screen: OK (screenshot: login)
  • Credentials: OK
  • Health Check (screenshot: healthcheck)
  • Overview: OK (screenshot: dashboard)

Logs 🟡
  • Wazuh Dashboard - journalctl 🟡
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 07 10:10:28 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T10:10:28Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
may 07 09:42:18 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T09:42:18Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"139832918595456:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
may 07 06:40:24 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:24Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 07 06:40:24 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:24Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 07 06:40:23 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:23Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 06:40:23 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:40:23Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 06:18:37 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T06:18:37Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 05:35:04 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T05:35:04Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 04:52:58 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T04:52:58Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 03:30:13 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T03:30:13Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 00:42:28 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:28Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 07 00:42:28 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:28Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 07 00:42:27 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:27Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 07 00:42:26 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:42:26Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 00:40:10 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:40:10Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 07 00:39:34 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-07T00:39:34Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 23:31:01 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T23:31:01Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 21:42:06 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T21:42:06Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"139832918595456:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 20:23:15 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:15Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 06 20:23:15 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:15Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 06 20:23:14 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:14Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 20:23:13 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:23:13Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 06 20:22:43 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T20:22:43Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 19:22:48 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T19:22:48Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n","name":"Error","stack":"Error: 139832918595456:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n","code":"ERR_SSL_SSLV3_ALERT_BAD_CERTIFICATE"},"message":"139832918595456:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 42\n"}
may 06 12:47:18 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:47:18Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 12:24:58 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:58Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 06 12:24:58 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:58Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 06 12:24:56 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:56Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 12:24:54 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T12:24:54Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 06 11:03:33 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:33Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139832918595456:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 06 11:03:30 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:30Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 06 11:03:26 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:26Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 11:03:23 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T11:03:23Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139832918595456:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 06 09:55:24 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T09:55:24Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 09:49:44 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T09:49:44Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 139832918595456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"139832918595456:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
may 06 09:27:34 wazuh-server opensearch-dashboards[5530]: {"type":"error","@timestamp":"2024-05-06T09:27:34Z","tags":["connection","client","error"],"pid":5530,"level":"error","error":{"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139832918595456:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 06 09:19:27 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:27Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:24 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:24Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:22 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:22Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:19 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:19Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:17 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:17Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:15 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:15Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ResponseError]: Response Error"}
may 06 09:19:12 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:12Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:09 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:09Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:07 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:07Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:04 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:04Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:19:02 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:19:02Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:59 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:59Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:57 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:57Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:54 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:54Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:52 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:52Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:49 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:49Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:47 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:47Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:44 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:44Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 06 09:18:42 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:42Z","tags":["error","savedobjects-service"],"pid":1811,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 06 09:18:42 wazuh-server opensearch-dashboards[1811]: {"type":"log","@timestamp":"2024-05-06T09:18:42Z","tags":["error","opensearch","data"],"pid":1811,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 07 00:00:00 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 07 00:00:00 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 06 09:17:57 wazuh-server systemd-entrypoint[2327]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager will be removed in a future release
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 06 09:17:56 wazuh-server systemd-entrypoint[2327]: WARNING: A terminally deprecated method in java.lang.System has been called
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager will be removed in a future release
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 06 09:17:36 wazuh-server systemd-entrypoint[2327]: WARNING: A terminally deprecated method in java.lang.System has been called
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T09:19:13,876Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "m7MH9oKeSU-WRy0VYZjzFA", "node.id": "Iagsn0KOTky14LI39RsyMg"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T09:19:13,878Z", "level": "ERROR", "component": "o.o.a.a.AlertIndices", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "info deleteOldIndices", "cluster.uuid": "m7MH9oKeSU-WRy0VYZjzFA", "node.id": "Iagsn0KOTky14LI39RsyMg"  }
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T09:19:13,876][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T09:19:13,878][ERROR][o.o.a.a.AlertIndices     ] [node-1] info deleteOldIndices

/var/log/wazuh-indexer/wazuh-cluster.log:[2024-02-27T12:11:57,227][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-02-27T12:12:17,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@4db6f045] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-02-27T12:12:17,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@4db6f045] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
  • Wazuh Server - /var/ossec/logs 🟡
2024/05/07 10:11:17 wazuh-remoted: WARNING: Unexpected message (hex): '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'
2024/05/07 10:11:17 wazuh-remoted: WARNING: Too big message size from socket [36].
Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "m7MH9oKeSU-WRy0VYZjzFA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           61          97   1    0.01    0.03     0.04 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1

[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 14,
  "active_shards" : 14,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
Users 🟢
[root@wazuh-server wazuh-user]#  grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin
Versions 🟢
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]#  cat /usr/share/wazuh-indexer/VERSION 
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.10.0",
  "branch": "2.x",
  "build": {
    "number": 48009,
    "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}
Processes 🟢
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root      2091     1  0 may06 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2131     1  0 may06 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2327     1  0 may06 ?        00:08:38 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3941m -Xmx3941m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-12830181436784623402 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2066743296 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+  5530     1  0 may06 ?        00:02:36 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root     19323  2691  0 may06 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 19340 19323  0 may06 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+ 19341 19340  0 may06 pts/0    00:00:00 -bash
root     26845  2691  0 08:44 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 26862 26845  0 08:44 ?        00:00:00 sshd: wazuh-user@pts/1
wazuh-u+ 26863 26862  0 08:44 pts/1    00:00:00 -bash
wazuh    27593     1  1 10:10 ?        00:00:14 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    27594 27593  0 10:10 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    27597 27593  0 10:10 ?        00:00:06 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    27600 27593  0 10:10 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     27644     1  0 10:10 ?        00:00:02 /var/ossec/bin/wazuh-authd
wazuh    27661     1  0 10:10 ?        00:00:01 /var/ossec/bin/wazuh-db
root     27687     1  0 10:10 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    27702     1  0 10:10 ?        00:00:04 /var/ossec/bin/wazuh-analysisd
root     27715     1  1 10:10 ?        00:00:12 /var/ossec/bin/wazuh-syscheckd
wazuh    27763     1  0 10:10 ?        00:00:01 /var/ossec/bin/wazuh-remoted
root     27798     1  0 10:10 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh    27822     1  0 10:10 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     27843     1  0 10:10 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
root     29568 19364  0 10:28 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
SSH Root Access Denied 🟢
juliamagan@pop-os:~/Downloads$ ssh -i idr-1117.pem -p 2200 root@X.X.X.X
Please login as the user "wazuh-user" rather than the user "root".

Connection to X.X.X.X closed.
SSH wazuh-user Access Allowed 🟢
juliamagan@pop-os:~/Downloads$ ssh -i idr-1117.pem -p 2200 wazuh-user@X.X.X.X
Last login: Tue May  7 08:44:04 2024 from 33.red-81-38-118.dynamicip.rima-tde.net


wwwwww.           wwwwwww.          wwwwwww.
wwwwwww.          wwwwwww.          wwwwwww.
 wwwwww.         wwwwwwwww.        wwwwwww.
 wwwwwww.        wwwwwwwww.        wwwwwww.
  wwwwww.       wwwwwwwwwww.      wwwwwww.
  wwwwwww.      wwwwwwwwwww.      wwwwwww.
   wwwwww.     wwwwww.wwwwww.    wwwwwww.
   wwwwwww.    wwwww. wwwwww.    wwwwwww.
    wwwwww.   wwwwww.  wwwwww.  wwwwwww.
    wwwwwww.  wwwww.   wwwwww.  wwwwwww.
     wwwwww. wwwwww.    wwwwww.wwwwwww.
     wwwwwww.wwwww.     wwwwww.wwwwwww.
      wwwwwwwwwwww.      wwwwwwwwwwww.
      wwwwwwwwwww.       wwwwwwwwwwww.      oooooo
       wwwwwwwwww.        wwwwwwwwww.      oooooooo
       wwwwwwwww.         wwwwwwwwww.     oooooooooo
        wwwwwwww.          wwwwwwww.      oooooooooo
        wwwwwww.           wwwwwwww.       oooooooo
         wwwwww.            wwwwww.         oooooo


         WAZUH Open Source Security Platform
                  https://wazuh.com


[wazuh-user@wazuh-server ~]$ 
Production Repositories 🟢
[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
TCP and UDP

TCP, UDP and alerts have been tested before since this was the manager used for the previous agents.

@juliamagan

Analysis Report - HP-UX 🔴

System info 🟢
bash-4.4# hostname
sovmh349
bash-4.4# uname -a
HP-UX sovmh349 B.11.31 U ia64 2082618356 unlimited-user license
Installation without variables 🔴
  • Wazuh agent
bash-4.4# /usr/local/bin/curl -O -k https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.8.0>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 58.1M  100 58.1M    0     0  3305k      0  0:00:18  0:00:18 --:--:-- 3438k
bash-4.4# groupadd wazuh
bash-4.4# useradd -G wazuh wazuh  
bash-4.4# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951956 bytes, 3813 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2095304 bytes, 4093 tape blocks
x /var/ossec/bin/wazuh-execd, 1814956 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 571064 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1745208 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1886936 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 572052 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355660 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892088 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 798672 bytes, 1560 tape blocks
x /var/ossec/lib/libfimdb.so, 1266648 bytes, 2474 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41705 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9254 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6109 bytes, 12 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6909 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9801 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17232 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 22966 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38690 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14430 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

bash-4.4# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"

🔴
Unable to connect:

2024/05/07 03:53:30 wazuh-agentd[8077] enrollment_op.c:243 at w_enrollment_connect(): ERROR: SSL error (1). Connection refused by the manager. Maybe the port specified is incorrect.

@juliamagan

Analysis Report - OVA 🟡

Check System 🟢
  • System Info
[wazuh-user@wazuh-server ~]$ cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
  • Wazuh Processes
[wazuh-user@wazuh-server ~]$ ps aux | grep wazuh
wazuh-d+  2032  0.6  1.9 1019964 157016 ?      Ssl  11:24   0:06 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root      4445  0.0  0.0  98672  3692 ?        Ss   11:24   0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+  4989  5.2 56.5 8276940 4608392 ?     Ssl  11:24   0:53 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3981m -Xmx3981m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-10951774042572470084 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2087714816 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root      5009  0.0  0.0  86424  3848 ?        Ss   11:24   0:00 login -- wazuh-user
wazuh     6257  0.2  1.3 1003820 108944 ?      Sl   11:24   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6261  0.0  0.7 283288 61028 ?        S    11:24   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6264  0.0  0.8 369968 69324 ?        S    11:24   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     6268  0.0  0.7 511656 58336 ?        S    11:24   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      6364  0.0  0.0 131592  5820 ?        Sl   11:24   0:00 /var/ossec/bin/wazuh-authd
wazuh     6397  0.0  0.2 871960 18256 ?        Sl   11:24   0:00 /var/ossec/bin/wazuh-db
root      7016  0.0  0.0  41320  3960 ?        Sl   11:24   0:00 /var/ossec/bin/wazuh-execd
wazuh     7396  0.0  0.3 1442140 28552 ?       Sl   11:24   0:00 /var/ossec/bin/wazuh-analysisd
root      8040  0.7  0.1 360280 13872 ?        SNl  11:24   0:07 /var/ossec/bin/wazuh-syscheckd
wazuh     8059  0.0  0.1 627108 11064 ?        Sl   11:24   0:00 /var/ossec/bin/wazuh-remoted
root      8656  0.0  0.0 483716  5144 ?        Sl   11:24   0:00 /var/ossec/bin/wazuh-logcollector
wazuh     8762  0.0  0.0  41384  4232 ?        Sl   11:24   0:00 /var/ossec/bin/wazuh-monitord
root      8899  9.3  2.6 1006664 217580 ?      Sl   11:24   1:35 /var/ossec/bin/wazuh-modulesd
wazuh-u+ 14357  0.0  0.0 124864  3920 tty1     Ss+  11:24   0:00 -bash
root     18927  0.0  0.1 150628  9076 ?        Ss   11:25   0:00 sshd: wazuh-user [priv]
wazuh-u+ 18931  0.0  0.0 150628  4808 ?        S    11:25   0:00 sshd: wazuh-user@pts/0
wazuh-u+ 18932  0.0  0.0 124864  4276 pts/0    Ss   11:25   0:00 -bash
wazuh-u+ 19004  0.0  0.0 162292  4348 pts/0    R+   11:41   0:00 ps aux
wazuh-u+ 19005  0.0  0.0 119416   916 pts/0    S+   11:41   0:00 grep --color=auto wazuh
  • Manager Version
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="server"
  • Indexer Version
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.8.0
  • Dashboard Version
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.10.0",
  "branch": "2.x",
  "build": {
    "number": 48009,
    "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}
Users 🟢
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin
WUI 🟢

Credentials: admin/admin

[screenshots: healthcheck, login, loading, dashboard]

Logs 🟡
  • Wazuh Dashboard - journalctl 🟡
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 07 11:45:01 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:45:01Z","tags":["error","opensearch","data"],"pid":2032,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2024.19w/YGdFoFh5RFmYXMic2EAOkA] already exists"}
may 07 11:43:48 wazuh-server opensearch-dashboards[2032]: {"type":"error","@timestamp":"2024-05-07T11:43:48Z","tags":["connection","client","error"],"pid":2032,"level":"error","error":{"message":"140485350938496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","name":"Error","stack":"Error: 140485350938496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n","code":"ERR_SSL_TLSV1_ALERT_UNKNOWN_CA"},"message":"140485350938496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1563:SSL alert number 48\n"}
may 07 11:24:46 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:46Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ResponseError]: Response Error"}
may 07 11:24:43 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:43Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:41 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:41Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:38 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:38Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:36 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:36Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:33 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:33Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 11:24:31 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T11:24:31Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:28 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:28Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:25 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:25Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:23 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:23Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:20 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:20Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 07 13:24:18 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:18Z","tags":["error","savedobjects-service"],"pid":2032,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 07 13:24:18 wazuh-server opensearch-dashboards[2032]: {"type":"log","@timestamp":"2024-05-07T13:24:18Z","tags":["error","opensearch","data"],"pid":2032,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager will be removed in a future release
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 11:24:34 wazuh-server systemd-entrypoint[4989]: WARNING: A terminally deprecated method in java.lang.System has been called
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager will be removed in a future release
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 07 11:24:33 wazuh-server systemd-entrypoint[4989]: WARNING: A terminally deprecated method in java.lang.System has been called
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:34,517Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10951774042572470084, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:42,994Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,686Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,711Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,714Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,716Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-07T11:24:46,759Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "Ov7qbabSQdC4Ogs2SziHWA", "node.id": "I3vrV2VcRRac-JflBF5T_Q"  }
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:34,517][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3981m, -Xmx3981m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10951774042572470084, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2087714816, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:42,994][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,686][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,711][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,714][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,716][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-07T11:24:46,759][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/05/07 11:24:32 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities', retrying until the connection is successful.
2024/05/07 11:24:34 indexer-connector: WARNING: Failed to sync agent '000' with the indexer.
Filebeat Test 🟢
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
Wazuh Indexer Cluster 🟢
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "Ov7qbabSQdC4Ogs2SziHWA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1            3          98   1    0.00    0.07     0.10 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1


[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
No Root SSH Access 🟢
juliamagan@pop-os:~$ ssh root@192.168.1.57
root@192.168.1.57's password: 
Permission denied, please try again.
root@192.168.1.57's password: 
Permission denied, please try again.
root@192.168.1.57's password: 
root@192.168.1.57: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Installation - Agent 🟢
  • Generate command from WUI

[screenshots: agentwui1, agentwui2]

  • Install
root@ubuntu-jammy:/home/vagrant# wget https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.57' WAZUH_AGENT_NAME='ubuntu_agent' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb
--2024-05-07 12:04:19--  https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 52.84.66.124, 52.84.66.126, 52.84.66.65, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|52.84.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10271520 (9.8M) [binary/octet-stream]
Saving to: ‘wazuh-agent_4.8.0-1_amd64.deb’

wazuh-agent_4.8.0-1_amd64 100%[=====================================>]   9.79M  25.7MB/s    in 0.4s    

2024-05-07 12:04:20 (25.7 MB/s) - ‘wazuh-agent_4.8.0-1_amd64.deb’ saved [10271520/10271520]

Selecting previously unselected package wazuh-agent.
(Reading database ... 64052 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...


root@ubuntu-jammy:/home/vagrant# sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.

root@ubuntu-jammy:/home/vagrant# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...


root@ubuntu-jammy:/home/vagrant# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="agent"
  • Wazuh Server

[screenshots: agent, agent2]

TCP, UDP and alerts 🟢

TCP

  • Wazuh server:
[root@wazuh-server wazuh-user]# egrep tcp /var/ossec/etc/ossec.conf 
    <protocol>tcp,udp</protocol>
  • Agent:
root@ubuntu-jammy:/home/vagrant# egrep tcp /var/ossec/logs/ossec.log 
2024/05/07 12:05:19 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.57]:1514/tcp).
2024/05/07 12:05:19 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.57]:1514/tcp).
  • Alerts:
{"timestamp":"2024-05-07T12:05:42.350+0000","rule":{"level":7,"description":"SCA summary: CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.: Score less than 50% (42)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"ubuntu_agent","ip":"192.168.1.60"},"manager":{"name":"wazuh-server"},"id":"1715083542.667469","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1507681415","policy":"CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","passed":"76","failed":"104","invalid":"2","total_checks":"182","score":"42","file":"cis_ubuntu22-04.yml"}},"location":"sca"}

UDP

  • Wazuh server:
[root@wazuh-server wazuh-user]# egrep tcp /var/ossec/etc/ossec.conf 
    <protocol>tcp,udp</protocol>
  • Agent:
root@ubuntu-jammy:/home/vagrant# egrep udp /var/ossec/logs/ossec.log 
2024/05/07 12:10:41 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.57]:1514/udp).
2024/05/07 12:10:41 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.57]:1514/udp).
  • Alerts:
{"timestamp":"2024-05-07T12:10:43.110+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"ubuntu_agent","ip":"192.168.1.60"},"manager":{"name":"wazuh-server"},"id":"1715083843.671952","full_log":"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/diff"},"location":"rootcheck"}

@MARCOSD4

MARCOSD4 commented May 7, 2024

GJ, but the errors and warnings of the OVA and AMI logs should be indicated by placing the yellow circle 🟡 at the conclusion of the issue.

@MARCOSD4

MARCOSD4 commented May 7, 2024

LGTM
