CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

MALW-3280 - Does not find wazuh-agent #1581

Open vk6xebec opened 3 days ago

vk6xebec commented 3 days ago

Describe the bug: 'wazuh-agent' not found despite it running, as part of MALW-3280

Version

Expected behavior: Result passes

Output

2024-11-27 11:53:48 IsRunning: process 'wazuh-agent' not found
2024-11-27 11:53:48 Result: no commercial anti-virus tools found
2024-11-27 11:53:48 Hardening: assigned partial number of hardening points (0 of 3). Currently having 352 points (out of 363)

Additional context

root@ub2410test:~# sudo systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-11-27 23:46:02 AWST; 12h ago
 Invocation: 6dd5de4195ce4403835b99a52fb106d3
      Tasks: 28 (limit: 3936)
     Memory: 24.6M (peak: 26.9M)
        CPU: 1min 17.763s
     CGroup: /system.slice/wazuh-agent.service
             ├─361351 /var/ossec/bin/wazuh-execd
             ├─361715 /var/ossec/bin/wazuh-agentd
             ├─362154 /var/ossec/bin/wazuh-syscheckd
             ├─362611 /var/ossec/bin/wazuh-logcollector
             └─362994 /var/ossec/bin/wazuh-modulesd

Nov 27 23:45:53 ub2410test.home systemd[1]: Starting wazuh-agent.service - Wazuh agent...
Nov 27 23:45:53 ub2410test.home env[361278]: Starting Wazuh v4.9.2...
Nov 27 23:45:55 ub2410test.home env[361278]: Started wazuh-execd...
Nov 27 23:45:56 ub2410test.home env[361278]: Started wazuh-agentd...
Nov 27 23:45:57 ub2410test.home env[361278]: Started wazuh-syscheckd...
Nov 27 23:45:58 ub2410test.home env[361278]: Started wazuh-logcollector...
Nov 27 23:46:00 ub2410test.home env[361278]: Started wazuh-modulesd...
Nov 27 23:46:02 ub2410test.home env[361278]: Completed.
Nov 27 23:46:02 ub2410test.home systemd[1]: Started wazuh-agent.service - Wazuh agent.
root@ub2410test:~# pgrep wazuh-agent
361715

2024-11-27 11:53:43 Performing test ID FINT-4344 (Wazuh syscheck daemon running)
2024-11-27 11:53:43 Test: Checking if Wazuh syscheck daemon is running
2024-11-27 11:53:43 Performing pgrep scan without uid
2024-11-27 11:53:43 IsRunning: process 'wazuh-syscheckd' found (362154 )
2024-11-27 11:53:43 Result: syscheck (Wazuh) active
2024-11-27 11:53:44 Performing test ID TOOL-5128 (Check for active Wazuh daemon)
2024-11-27 11:53:44 Performing pgrep scan without uid
2024-11-27 11:53:44 IsRunning: process 'wazuh-analysisd' not found
2024-11-27 11:53:44 Result: Wazuh analysis daemon not active
2024-11-27 11:53:44 Performing pgrep scan without uid
2024-11-27 11:53:44 IsRunning: process 'wazuh-agentd' found (361715 )
2024-11-27 11:53:44 Result: Wazuh agent daemon is active
2024-11-27 11:51:11 Found running service: wazuh-agent
2024-11-27 11:51:16 Found enabled service at boot: wazuh-agent
mboelen commented 3 days ago

Not sure that I follow, as it looks like the agent (agentd) was found:

2024-11-27 11:53:44 Result: Wazuh agent daemon is active

When looking at the entries, I see that 'wazuh-agentd' was found, which is also the process as listed in the "Started" list. The service name is different than the actual daemon that runs as part of it.

So, am I missing something here, or is the detection correct?

vk6xebec commented 2 days ago

Yeah, that's what confuses me. The agent is running, but the antivirus scan is not picking up the presence of the agent.
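As an added example that is not part of this issue or of Lynis itself: the thread turns on the difference between a systemd unit name (wazuh-agent) and the command names of the processes the unit actually runs (wazuh-agentd, wazuh-syscheckd, ...). A plain `pgrep wazuh-agent` matches wazuh-agentd as a substring, which is why it printed 361715 above, while a check for a process named exactly `wazuh-agent` finds nothing. That Lynis's IsRunning uses an exact match is an assumption drawn from the "process 'wazuh-agent' not found" log line, not from its source. The process list is constructed from the CGroup listing in the issue; `proc_list`, `match_procs` and `unit_main_comm` are names chosen for this example, not Lynis functions.

```shell
#!/bin/sh
# Added example (not Lynis code): exact versus substring process-name matching,
# and how to map a systemd unit to the command name a process check should use.

# Constructed from the CGroup listing in the issue (command names only),
# plus two unrelated entries so the list is not all wazuh.
SAMPLE_PROCS='systemd
wazuh-execd
wazuh-agentd
wazuh-syscheckd
wazuh-logcollector
wazuh-modulesd
sshd'

# proc_list: print one command name per line. Uses the constructed list in
# PROC_LIST when set; otherwise reads the live system with ps(1).
proc_list() {
    if [ -n "${PROC_LIST:-}" ]; then
        printf '%s\n' "$PROC_LIST"
    else
        ps -eo comm=
    fi
}

# match_procs MODE NAME
#   exact     - whole command name must equal NAME (like `pgrep -x NAME`)
#   substring - NAME may appear anywhere in the command name (like `pgrep NAME`,
#               which treats NAME as a regex; NAME has no metacharacters here)
# Prints the matching names space-separated, or "not found".
match_procs() {
    mode=$1
    name=$2
    case $mode in
        exact)     hits=$(proc_list | grep -x -e "$name" || true) ;;
        substring) hits=$(proc_list | grep -e "$name" || true) ;;
        *) echo "usage: match_procs exact|substring NAME" >&2; return 2 ;;
    esac
    if [ -z "$hits" ]; then
        echo "not found"
    else
        # unquoted on purpose: join the newline-separated hits with spaces
        echo $hits
    fi
}

# unit_main_comm UNIT: on a live systemd host, print the command name of the
# unit's main process. This is the name a process check should look for,
# rather than the unit name itself. Returns 1 if the unit has no main PID.
unit_main_comm() {
    pid=$(systemctl show -p MainPID --value "$1" 2>/dev/null) || return 1
    [ -n "$pid" ] && [ "$pid" != 0 ] || return 1
    ps -o comm= -p "$pid"
}

# Demo against the constructed list. Unset PROC_LIST to run against a real host.
PROC_LIST="$SAMPLE_PROCS"
for name in wazuh-agent wazuh-agentd; do
    printf 'exact     %-13s -> %s\n' "$name" "$(match_procs exact "$name")"
    printf 'substring %-13s -> %s\n' "$name" "$(match_procs substring "$name")"
done
```

On a host where the unit is really running, `unit_main_comm wazuh-agent` resolves the unit to the command name systemd tracks as its main process, and `match_procs exact` on that name succeeds where `match_procs exact wazuh-agent` does not. The substring mode is the looser check that the interactive `pgrep wazuh-agent` in the issue performed.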