
Added support for localfile blocks deployment #16847

Merged: 4 commits merged into 4.4 from 16751-localfile-block-deployment on Apr 27, 2023

Conversation

72nomada (Contributor) commented Apr 23, 2023

Related issue
#16751

This solves the need to deploy extra localfile configuration blocks for ossec.conf based on OS and OS Version.
The new file is called localfile-extra.template. Files should be created under the etc/template/config folder structure.

The current problem was to add the localfile block shown below on some macOS versions, to use the ULS collection capabilities.

```xml
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>
```

Test - Agent with localfile-extra.template files

We have created a macOS package using this modification in https://github.com/wazuh/wazuh/pull/16078/files

After package installation, we can verify the correct localfile block is included in the wazuh-agent ossec.conf file:

```xml
  ...
  <!-- Log analysis -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <location>macos</location>
    <log_format>macos</log_format>
    <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
  </localfile>

  <!-- Active response -->
  ...
```

Test - Agent with NO localfile-extra.template files

We tested the package on an RHEL 9 system with no need for a localfile-extra.template configuration. Wazuh-agent was installed and worked as expected.
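The post-install verification the PR describes (confirming that the generated ossec.conf carries the macOS ULS localfile block with the intended query predicate) can be automated. The following is an added example, not code from the Wazuh project; it parses a constructed ossec.conf fragment with the block from this PR and checks the query's attributes and the processes named in its predicate, so a missing or truncated template shows up as a failed check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the fragment of a generated ossec.conf from this PR,
# wrapped in the <ossec_config> root the real file uses.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <!-- Log analysis -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an | sort -u</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <location>macos</location>
    <log_format>macos</log_format>
    <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
  </localfile>
</ossec_config>"""

# Matches each  process == "name"  clause in a ULS query predicate.
PROCESS_RE = re.compile(r'process\s*==\s*"([^"]+)"')


def localfile_blocks(conf_text):
    """Yield every <localfile> element. A real ossec.conf may contain several
    <ossec_config> roots, so wrap the text in a synthetic root before parsing."""
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    return root.iter("localfile")


def find_macos_uls_block(conf_text):
    """Return the <localfile> that reads the macOS unified log, or None."""
    for block in localfile_blocks(conf_text):
        if block.findtext("location") == "macos" and block.findtext("log_format") == "macos":
            return block
    return None


def describe_query(block):
    """Summarise the <query> of a macOS block: log types, level, named processes."""
    query = block.find("query")
    if query is None:
        return None
    return {
        "types": set(filter(None, query.get("type", "").split(","))),
        "level": query.get("level"),
        "processes": sorted(set(PROCESS_RE.findall(query.text or ""))),
    }


def check_macos_deployment(conf_text, expected_processes):
    """Return (ok, reason) for a deployed ossec.conf against the expected predicate."""
    block = find_macos_uls_block(conf_text)
    if block is None:
        return False, "no <localfile> with location/log_format macos"
    info = describe_query(block)
    if info is None:
        return False, "macos <localfile> has no <query> element"
    missing = sorted(set(expected_processes) - set(info["processes"]))
    if missing:
        return False, "query predicate is missing processes: " + ", ".join(missing)
    return True, "ok"
```

Run it against /Library/Ossec/etc/ossec.conf after installing the package; on a host whose template was not deployed, the first check fails with a clear reason instead of the agent silently collecting nothing from the unified log.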

@72nomada 72nomada requested a review from vikman90 April 23, 2023 09:40
@72nomada 72nomada self-assigned this Apr 23, 2023
vikman90 previously approved these changes Apr 24, 2023
juliamagan (Member) left a comment

@72nomada 72nomada merged commit d4998bc into 4.4 Apr 27, 2023
@72nomada 72nomada deleted the 16751-localfile-block-deployment branch April 27, 2023 08:22
Successfully merging this pull request may close these issues.

Include localfile sections for the wazuh-agent ossec.conf file when installing on specific OS