wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Update documentation since 3.8.0 to reflect that ossec-makelists no longer needs to be called manually #1766

Open branchnetconsulting opened 5 years ago

branchnetconsulting commented 5 years ago

I just learned that as of 3.8.0, ossec-makelists is called automatically whenever wazuh-manager is started or restarted. This is mentioned in the 3.8.0 Release Notes, but missing from the changelog: https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md#v380-2019-01-19

Also, there are multiple references in the documentation since 3.8.0 indicating that ossec-makelists must be manually run after any change to a CDB file. These need to be corrected. For example:

https://documentation.wazuh.com/3.9/user-manual/capabilities/system-calls-monitoring/audit-configuration.html
https://documentation.wazuh.com/3.9/user-manual/ruleset/cdb-list.html#making-the-cdb-list

Kevin Branch

branchnetconsulting commented 5 years ago

I just now tested the actual behavior of Wazuh Manager 3.9.5, and what I find is that when started/restarted with ossec-control, Wazuh manager automatically runs ossec-makelists, but when started/restarted with systemctl, Wazuh manager does not call ossec-makelists. I also see that when we run ossec-logtest, there is no call to ossec-makelists made to make sure all compiled CDBs are up to date. What is the intended behavior for Wazuh Manager related to CDBs?

If you ask me, the CDB feature would be most easy to work with if the end user had no need to know about ossec-makelists at all. Just make sure that ossec-makelists or its equivalent is internally called every time Wazuh Manager is started/restarted, whether via ossec-control or any other service control mechanism, and also make sure ossec-logtest does the same each time it is started. Then our users are ensured their compiled CDBs are always up to date when they need them.

branchnetconsulting commented 5 years ago

It appears Juan Carlos Tello has already made a pull request that would ensure all wazuh-manager restarts would run ossec-makelists.

https://github.com/wazuh/wazuh/pull/3897

The question of whether we should also make ossec-logtest do the same still remains.
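A check an operator might want after reading this thread, added here as an example and not code from Wazuh or from the issue author: a POSIX shell script that reports CDB lists whose compiled .cdb file is missing or older than its source list, so a stale list can be spotted regardless of whether the restart path ran ossec-makelists. The default directory /var/ossec/etc/lists and the "source-name.cdb" naming are assumed from a stock manager install; the demo at the bottom uses a constructed temporary directory so it runs offline.

```shell
#!/bin/sh
# Report CDB lists whose compiled .cdb is missing or older than the source
# list, i.e. lists that still need ossec-makelists (or a restart path that
# calls it) before the manager sees their current contents.
# Constructed example, not Wazuh's own code. The default directory below is
# an assumption matching a stock manager install.

LISTS_DIR="${LISTS_DIR:-/var/ossec/etc/lists}"

# Print every stale list in the given directory, one per line.
# Returns 1 if at least one stale list was found, 0 otherwise.
stale_cdb_lists() {
    dir="$1"
    stale=0
    for src in "$dir"/*; do
        [ -f "$src" ] || continue
        case "$src" in *.cdb) continue ;; esac   # skip compiled outputs
        cdb="$src.cdb"
        if [ ! -f "$cdb" ]; then
            echo "$(basename "$src"): no compiled .cdb"
            stale=1
        elif [ "$src" -nt "$cdb" ]; then
            echo "$(basename "$src"): source newer than .cdb"
            stale=1
        fi
    done
    return $stale
}

# Number of stale lists in the given directory (lines reported above).
count_stale_cdb_lists() {
    stale_cdb_lists "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory: one fresh list, one never compiled,
# one edited after its last compile.
demo_dir="$(mktemp -d)"
printf 'key1:value\n' > "$demo_dir/fresh"
touch "$demo_dir/fresh.cdb"                    # compiled after source: fine
printf 'key2:value\n' > "$demo_dir/never-compiled"
touch -t 200001010000 "$demo_dir/edited.cdb"   # compiled long ago...
printf 'key3:value\n' > "$demo_dir/edited"     # ...then the source changed
stale_cdb_lists "$demo_dir" || echo "stale lists found: run ossec-makelists"
rm -rf "$demo_dir"
```

To check a live manager instead of the demo, call `stale_cdb_lists "$LISTS_DIR"` and treat a non-zero exit as "compiled lists out of date".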