Check Wazuh-Manager compatibility with new version Red Hat Enterprise Linux 9.4 #23312
Comments
Testing

🟢 Wazuh-manager installation
Manager installed on the RHEL 9.4 machine by following this guide. Using the vagrant box:
Installation logs
[root@localhost vagrant]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
08/05/2024 12:24:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.4
08/05/2024 12:24:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/05/2024 12:25:00 INFO: --- Dependencies ---
08/05/2024 12:25:00 INFO: Installing lsof.
08/05/2024 12:25:15 ERROR: Your system does not meet the recommended minimum hardware requirements of 4Gb of RAM and 2 CPU cores. If you want to proceed with the installation use the -i option to ignore these requirements.
[root@localhost vagrant]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
08/05/2024 12:25:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.4
08/05/2024 12:25:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/05/2024 12:25:32 WARNING: Hardware and system checks ignored.
08/05/2024 12:25:32 INFO: Wazuh web interface port will be 443.
08/05/2024 12:25:34 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443.
08/05/2024 12:25:35 INFO: Wazuh repository added.
08/05/2024 12:25:35 INFO: --- Configuration files ---
08/05/2024 12:25:35 INFO: Generating configuration files.
08/05/2024 12:25:37 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/05/2024 12:25:37 INFO: --- Wazuh indexer ---
08/05/2024 12:25:37 INFO: Starting Wazuh indexer installation.
08/05/2024 12:27:19 INFO: Wazuh indexer installation finished.
08/05/2024 12:27:19 INFO: Wazuh indexer post-install configuration finished.
08/05/2024 12:27:19 INFO: Starting service wazuh-indexer.
08/05/2024 12:27:35 INFO: wazuh-indexer service started.
08/05/2024 12:27:35 INFO: Initializing Wazuh indexer cluster security settings.
08/05/2024 12:27:46 INFO: Wazuh indexer cluster initialized.
08/05/2024 12:27:46 INFO: --- Wazuh server ---
08/05/2024 12:27:46 INFO: Starting the Wazuh manager installation.
08/05/2024 12:28:43 INFO: Wazuh manager installation finished.
08/05/2024 12:28:43 INFO: Starting service wazuh-manager.
08/05/2024 12:29:02 INFO: wazuh-manager service started.
08/05/2024 12:29:02 INFO: Starting Filebeat installation.
08/05/2024 12:29:11 INFO: Filebeat installation finished.
08/05/2024 12:29:12 INFO: Filebeat post-install configuration finished.
08/05/2024 12:29:12 INFO: Starting service filebeat.
08/05/2024 12:29:12 INFO: filebeat service started.
08/05/2024 12:29:12 INFO: --- Wazuh dashboard ---
08/05/2024 12:29:12 INFO: Starting Wazuh dashboard installation.
08/05/2024 12:31:11 INFO: Wazuh dashboard installation finished.
08/05/2024 12:31:11 INFO: Wazuh dashboard post-install configuration finished.
08/05/2024 12:31:11 INFO: Starting service wazuh-dashboard.
08/05/2024 12:31:12 INFO: wazuh-dashboard service started.
08/05/2024 12:31:45 INFO: Initializing Wazuh dashboard web application.
08/05/2024 12:31:47 INFO: Wazuh dashboard web application initialized.
08/05/2024 12:31:47 INFO: --- Summary ---
08/05/2024 12:31:47 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
User: admin
Password: ---
08/05/2024 12:31:47 INFO: Installation finished.

🟢 Enrollment and connectivity with an agent
It was necessary to disable the firewall to get the agent to connect: Connection logs

🟢 Centralized configuration works correctly
Edit agent.conf
Log on the agent side after editing agent.conf in the manager
🟢 FIM: Decoding and filtering of correct alerts from FIM
Alert from FIM

🟢 SCA: Policy support
SCA is officially supported on RHEL 9. Default configuration was used. Connection logs

🟢 Syscollector
Configuration by default.

🟢 Vulnerability detector
Configuration
Vulnerability alert
🟢 Active response
Use case: Restarting the Wazuh agent with active response
Manager ossec.conf configuration:
<active-response>
  <command>restart-wazuh</command>
  <location>local</location>
  <rules_id>550</rules_id>
</active-response>
Force a FIM modify alert (id 550) to get the restart.sh script executed with active response:
Results
Manager's alerts
** Alert 1715166818.7689060: - restart,
2024 May 08 14:13:38 (agent3-ubu22) any->syscheck
Rule: 100009 (level 5) -> 'Changes made to the agent configuration file - /var/ossec/etc/ossec.conf'
File '/var/ossec/etc/ossec.conf' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '5681' to '5682'
Old modification time was: '1715166684', now it is '1715166818'
Old md5sum was: '78a1bd39c2a113fb967c85371acab4a7'
New md5sum is : '2c280e1d64b0afb47049ec3798910c58'
Old sha1sum was: 'd118c0b6a5d478098065e77bde5b57da9dcb6b80'
New sha1sum is : '3d7eb2bc0fb7916653978643b87df308447bbc8b'
Old sha256sum was: 'bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9'
New sha256sum is : '818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502'
Attributes:
- Size: 5682
- Permissions: rw-rw----
- Date: Wed May 8 14:13:38 2024
- Inode: 1574517
- User: root (0)
- Group: wazuh (113)
- MD5: 2c280e1d64b0afb47049ec3798910c58
- SHA1: 3d7eb2bc0fb7916653978643b87df308447bbc8b
- SHA256: 818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502
** Alert 1715166848.7690161: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 May 08 14:14:08 (agent3-ubu22) any->wazuh-remoted
Rule: 506 (level 3) -> 'Wazuh agent stopped.'
ossec: Agent stopped: 'agent3-ubu22->any'.
** Alert 1715166851.7690498: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 May 08 14:14:11 (agent3-ubu22) any->wazuh-agent
Rule: 503 (level 3) -> 'Wazuh agent started.'
ossec: Agent started: 'agent3-ubu22->any'.
Active response log
🟢 csyslogd module
Link to the docu guide: https://documentation.wazuh.com/current/user-manual/manager/manual-syslog-output.html
Configuration in the manager
Manager log
Rsyslog server configuration and results
Done in an Ubuntu 22 VM.
Edit rsyslog file: Uncomment tcp config lines:
Disable firewall:
Restart rsyslog:
Alert received in rsyslog server in

🟢 maild module
Postfix installation
Link to the docu guide:
Configuration in the manager
Restart the manager and generate a FIM modified event (rule id 550 set in the configuration).
Results

🔴 -> 🟢 clusterd module
See #23312 (comment)
nginx installation
Link to the docu guide:
With this configuration:
The following problem is arising:
Install another wazuh-manager to create the cluster
Results

🟢 integratord module
Virustotal integration
Link: https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#virustotal
🔴 -> 🟢 clusterd module
To avoid the nginx installation problem this test has been performed without using a Load Balancer, following this documentation.
Cluster configuration block in master node
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <key>7f0fb8da5d78dd01671cf8713e6c5ed5</key>
  <node_type>master</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.56.208</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Cluster configuration block in worker node
<cluster>
  <name>wazuh</name>
  <node_name>worker01-node</node_name>
  <key>7f0fb8da5d78dd01671cf8713e6c5ed5</key>
  <node_type>worker</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.56.208</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Agent enrollment logs with worker node
2024/05/09 17:20:13 wazuh-agentd: INFO: Requesting a key from server: 192.168.56.100
2024/05/09 17:20:13 wazuh-agentd: INFO: No authentication password provided
2024/05/09 17:20:13 wazuh-agentd: INFO: Using agent name as: agent-rhel9.4
2024/05/09 17:20:13 wazuh-agentd: INFO: Waiting for server reply
2024/05/09 17:20:13 wazuh-agentd: INFO: Valid key received
2024/05/09 17:20:13 wazuh-agentd: INFO: Waiting 20 seconds before server connection
2024/05/09 17:20:33 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/09 17:20:33 wazuh-agentd: INFO: Closing connection to server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:33 wazuh-agentd: INFO: Trying to connect to server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:33 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:34 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
Cluster and listed agent visualization
[root@localhost vagrant]# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: agent3-ubu22, IP: any, Disconnected
ID: 002, Name: agent-rhel9.4, IP: any, Active
List of agentless devices:
[root@localhost vagrant]# /var/ossec/bin/cluster_control -l
NAME TYPE VERSION ADDRESS
master-node master 4.7.4 192.168.56.208
worker01-node worker 4.7.4 192.168.56.100
[root@localhost vagrant]# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: agent3-ubu22, IP: any, Disconnected
ID: 002, Name: agent-rhel9.4, IP: any, Active
List of agentless devices:
LGTM.
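The active-response test above is verified by eye: a FIM alert on ossec.conf, then rule 506 (agent stopped), then rule 503 (agent started). As an added example that is not part of the test report or of Wazuh itself, the following Python script parses the plain-text alerts.log format shown in the report and checks that sequence automatically. The sample alerts are constructed to mirror the report (same agent name, rule ids and timestamps, body lines trimmed); the trigger rule set, the 60-second window and the function names are the example's own assumptions.

```python
import re

# Constructed sample in the alerts.log format shown in the test report above
# (agent name, rule ids and timestamps mirror the report; body lines are trimmed).
SAMPLE_ALERTS = """\
** Alert 1715166818.7689060: - restart,
2024 May 08 14:13:38 (agent3-ubu22) any->syscheck
Rule: 100009 (level 5) -> 'Changes made to the agent configuration file - /var/ossec/etc/ossec.conf'
File '/var/ossec/etc/ossec.conf' modified
Mode: realtime

** Alert 1715166848.7690161: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,
2024 May 08 14:14:08 (agent3-ubu22) any->wazuh-remoted
Rule: 506 (level 3) -> 'Wazuh agent stopped.'
ossec: Agent stopped: 'agent3-ubu22->any'.

** Alert 1715166851.7690498: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,
2024 May 08 14:14:11 (agent3-ubu22) any->wazuh-agent
Rule: 503 (level 3) -> 'Wazuh agent started.'
ossec: Agent started: 'agent3-ubu22->any'.
"""

# Record header: "** Alert <epoch>.<seq>: - <comma-separated groups>"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): - (?P<groups>.*)$")
# Source line: "<date> (<agent>) <ip>-><location>"; the "(agent)" part is optional
# because alerts raised by the manager itself carry no agent name.
SOURCE_RE = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} (?:\((?P<agent>[^)]+)\) )?(?P<src>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

RULE_AGENT_STOPPED = 506   # rule ids as they appear in the report above
RULE_AGENT_STARTED = 503


def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' record."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "ts": int(m["ts"]),
                "groups": [g for g in m["groups"].split(",") if g],
                "agent": None, "source": None,
                "rule": None, "level": None, "desc": None,
                "body": [],
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = SOURCE_RE.match(line)
        if m and current["source"] is None:
            current["agent"], current["source"] = m["agent"], m["src"]
            continue
        m = RULE_RE.match(line)
        if m and current["rule"] is None:
            current["rule"] = int(m["id"])
            current["level"] = int(m["level"])
            current["desc"] = m["desc"]
            continue
        current["body"].append(line)   # everything else is the alert body
    return alerts


def verify_restart(alerts, agent, trigger_rules=(550, 100009), max_gap=60):
    """Check that a trigger alert from `agent` is followed by 'agent stopped' (506)
    and then 'agent started' (503) within max_gap seconds (assumed window).
    Returns the three alerts plus the observed delays, or None if no such
    sequence exists, so a missing restart shows up as a failed check."""
    mine = [a for a in alerts if a["agent"] == agent]
    for i, trig in enumerate(mine):
        if trig["rule"] not in trigger_rules:
            continue
        later = [a for a in mine[i + 1:] if a["ts"] - trig["ts"] <= max_gap]
        stopped = next((a for a in later if a["rule"] == RULE_AGENT_STOPPED), None)
        if stopped is None:
            continue
        started = next((a for a in later
                        if a["rule"] == RULE_AGENT_STARTED and a["ts"] >= stopped["ts"]), None)
        if started is None:
            continue
        return {"trigger": trig, "stopped": stopped, "started": started,
                "stop_delay": stopped["ts"] - trig["ts"],
                "restart_delay": started["ts"] - stopped["ts"]}
    return None


if __name__ == "__main__":
    outcome = verify_restart(parse_alerts(SAMPLE_ALERTS), "agent3-ubu22")
    if outcome:
        print(f"active response confirmed: agent stopped {outcome['stop_delay']}s "
              f"after the trigger and was back {outcome['restart_delay']}s later")
    else:
        print("no restart sequence found")
```

On a real manager the same functions can be fed the contents of /var/ossec/logs/alerts/alerts.log; the window and the trigger rule ids are parameters because a custom child rule (100009 in the report) may fire instead of the parent 550 that the active-response block references.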
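The clusterd test above succeeded only once the master and worker <cluster> blocks agreed with each other. As an added example that is not part of the report or of the Wazuh project, the following Python script parses such blocks and flags the mismatches that most often break a cluster: different <name> or <key>, a key that is not 32 characters long, no (or more than one) master, differing ports, duplicate node names, or <nodes> lists that disagree. The two blocks are constructed from the report's configuration with a placeholder key; the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed <cluster> blocks modelled on the master/worker configuration in the
# report above. The key is a placeholder, not the one from the report.
MASTER_CONF = """<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <key>0123456789abcdef0123456789abcdef</key>
  <node_type>master</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.56.208</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>"""

# The worker block is identical apart from node_name and node_type, as in the report.
WORKER_CONF = MASTER_CONF.replace("master-node", "worker01-node").replace(
    "<node_type>master</node_type>", "<node_type>worker</node_type>")

KEY_LEN = 32   # Wazuh requires a 32-character cluster key shared by every node


def parse_cluster(xml_text):
    """Extract the fields that must agree between nodes from one <cluster> block."""
    root = ET.fromstring(xml_text)
    if root.tag != "cluster":
        raise ValueError(f"expected <cluster>, got <{root.tag}>")

    def text(tag):
        return (root.findtext(tag) or "").strip()

    return {
        "name": text("name"),
        "node_name": text("node_name"),
        "key": text("key"),
        "node_type": text("node_type"),
        "port": text("port"),
        "nodes": [(n.text or "").strip() for n in root.findall("nodes/node")],
        "disabled": text("disabled"),
    }


def check_cluster(configs):
    """Return a list of human-readable problems; an empty list means the blocks agree."""
    problems = []
    masters = [c for c in configs if c["node_type"] == "master"]
    if len(masters) != 1:
        problems.append(f"expected exactly one master node, found {len(masters)}")
    # These values must be identical on every node of the cluster.
    for field in ("name", "key", "port"):
        values = {c[field] for c in configs}
        if len(values) != 1:
            problems.append(f"{field} differs between nodes: {sorted(values)}")
    names = [c["node_name"] for c in configs]
    if len(set(names)) != len(names):
        problems.append(f"duplicate node_name values: {names}")
    # Every node points at the master through <nodes>, so the lists must match.
    node_lists = {tuple(c["nodes"]) for c in configs}
    if len(node_lists) != 1:
        problems.append(f"<nodes> lists differ between nodes: {sorted(node_lists)}")
    for c in configs:
        who = c["node_name"] or "<unnamed>"
        if len(c["key"]) != KEY_LEN:
            problems.append(f"{who}: key must be {KEY_LEN} characters, got {len(c['key'])}")
        if c["node_type"] not in ("master", "worker"):
            problems.append(f"{who}: unknown node_type {c['node_type']!r}")
        if c["disabled"] != "no":
            problems.append(f"{who}: cluster is disabled on this node")
        if not c["port"].isdigit() or not 1 <= int(c["port"]) <= 65535:
            problems.append(f"{who}: invalid port {c['port']!r}")
        if not c["nodes"]:
            problems.append(f"{who}: <nodes> must list the master address")
    return problems


if __name__ == "__main__":
    issues = check_cluster([parse_cluster(MASTER_CONF), parse_cluster(WORKER_CONF)])
    print("cluster blocks agree" if not issues else "\n".join(issues))
```

To use it against real nodes, extract the <cluster> element from each node's ossec.conf (for instance with ElementTree's find on the parsed file) and pass the blocks to check_cluster before starting the managers; cluster_control -l, as run in the report, then confirms that both nodes actually joined.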
Description
Hello team, this issue is to check the full compatibility of Wazuh Manager on the newfound version of Red Hat Enterprise Linux 9.4 operating system.
OSs checks issue: #23311
For this, it is necessary to perform the following tests to check that everything works as expected:
Agentless functionality, at the moment, is not possible to test; wait until the redesign: Agentless redesign #14406