Check Wazuh-Agent compatibility with new version Red Hat Enterprise Linux 9.4 #23313

Closed
10 tasks done
mjcr99 opened this issue May 6, 2024 · 2 comments

mjcr99 commented May 6, 2024

Description

Hello team, this issue is to check the full compatibility of Wazuh on the newfound version of the Red Hat Enterprise Linux 9.4 operating system.

OSs checks issue: #23311

For this, it is necessary to perform the following tests to check that everything works as expected:

  • Agent and server (if possible) installations.
  • O.S. reporting in the interface.
  • WPK upgrade.
  • Enrollment and connectivity with the manager.
  • FIM: Real-time and who-data engines (if available).
  • SCA: Policy support.
  • Vulnerability Detector: Vulnerability support.
  • Syscollector: Complete inventory.
  • Active Response: port reset agent.
  • Log capture.

mjcr99 commented May 9, 2024

Testing

🟢 O.S. reporting in the interface.

O.S. correctly reported

🔴 FIM Whodata

Audit is already installed
```
[root@localhost vagrant]# yum install audit
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:07:53 ago on Thu 09 May 2024 10:46:00 AM EEST.
Package audit-3.1.2-2.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
```

It's required to install audispd-plugins, but it has not been possible because the package is not present in the repositories, and no valid solution has been found.

Configuration on the agent

```xml
<directories check_all="yes" whodata="yes">/home/vagrant</directories>
```

Alerts

```
** Alert 1715240610.21503: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 09 10:43:30 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/home/vagrant/testfile' added
Mode: realtime

Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Thu May  9 10:43:30 2024
 - Inode: 282717
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```

🟢 Upgrade using WPK

```
[root@localhost vagrant]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent3-ubu22, IP: any, Disconnected
   ID: 003, Name: agent-rhel9.4, IP: any, Active

List of agentless devices:

[root@localhost vagrant]# /var/ossec/bin/agent_upgrade -a 003

Upgrading...

Upgraded agents:
	Agent 003 upgraded: Wazuh v4.6.0 -> Wazuh v4.7.4
```

🟢 Syscollector

Inventory from an agent RHEL 9.4

The rest of the checks are shared with the manager and can be found here: #23312
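
A check for the FIM who-data result in the comment above, added here as an example (not code from the Wazuh project or from the issue author): it flags alerts for files under a `whodata="yes"` directory whose reported mode is not whodata, as in the alert above that arrived as `realtime`. The function names, the `<syscheck>` wrapper and the second alert are constructed for illustration, and it assumes a working who-data engine reports `Mode: whodata`.

```python
import re
import xml.etree.ElementTree as ET

# Agent FIM setting quoted on the page; the <syscheck> wrapper is constructed.
AGENT_CONF = '<syscheck><directories check_all="yes" whodata="yes">/home/vagrant</directories></syscheck>'

# First alert is the one on the page (group list shortened, attributes omitted).
# Second alert is constructed: a path outside the who-data directory.
ALERTS = """\
** Alert 1715240610.21503: - ossec,syscheck,syscheck_entry_added,syscheck_file,
2024 May 09 10:43:30 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/home/vagrant/testfile' added
Mode: realtime

** Alert 1715240611.21900: - ossec,syscheck,syscheck_entry_added,syscheck_file,
2024 May 09 10:43:31 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/constructed-example' added
Mode: scheduled
"""

def whodata_dirs(conf_xml):
    """Return directories whose <directories> element sets whodata="yes"."""
    dirs = []
    for el in ET.fromstring(conf_xml).iter("directories"):
        if el.get("whodata", "no").lower() == "yes":
            dirs += [d.strip().rstrip("/") for d in (el.text or "").split(",") if d.strip()]
    return dirs

def parse_alerts(text):
    """Yield (alert_id, path, mode) for each syscheck alert block."""
    for block in re.split(r"(?m)^(?=\*\* Alert )", text):
        head = re.match(r"\*\* Alert (\S+):", block)
        path = re.search(r"(?m)^File '(.+)' \w+$", block)
        mode = re.search(r"(?m)^Mode: (\w+)$", block)
        if head and path and mode:
            yield head.group(1), path.group(1), mode.group(1)

def whodata_fallbacks(conf_xml, alerts_text):
    """Alerts under a who-data directory whose mode is not 'whodata'."""
    dirs = whodata_dirs(conf_xml)
    return [(aid, path, mode) for aid, path, mode in parse_alerts(alerts_text)
            if mode != "whodata" and any(path == d or path.startswith(d + "/") for d in dirs)]

if __name__ == "__main__":
    for aid, path, mode in whodata_fallbacks(AGENT_CONF, ALERTS):
        print(f"alert {aid}: {path} reported in {mode} mode, expected whodata")
```
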

@MarcelKemp

LGTM.
