vedrixNL commented 9 months ago

Hi,

Using Wazuh Puppet module to maintain repository inside VM with Wazuh Agent running.

$manage_repo
Install Wazuh through Wazuh repositories.

Default true

Type Boolean

During apt update you see a warning of a deprecated use of apt-key.

W: https://packages.wazuh.com/4.x/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Using Debian 12, latest version of Wazuh Puppet Module. Any change that Wazuh will solve the way of storing trusted.gpg keys in the correct way or is it missing debian 12 support?

Appreciate the help and effort!

davidcr01 commented 8 months ago

Hello.

The use of apt-key is being deprecated due to security concerns related to third-party repositories. The deprecation of apt-key is primarily driven by the potential security risks it poses. When adding OpenPGP keys to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d using apt-key, the key becomes unconditionally trusted by APT on all other repositories configured on the system, including official Debian/Ubuntu repositories. This could allow malicious third-party repositories to replace packages on the system, posing significant security threats. As a result, the transition away from apt-key is essential for enhancing system security. This transition consists in using the gpg command instead of the apt-key command. We use this type of GPG installation in some installation steps in our documentation: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#adding-the-wazuh-repository

So this is not a Debian 12 problem, but a generic APT problem. We are adding this issue to our project and fix is as soon as possible.

davidcr01 commented 8 months ago

Update Report

I had some issues configuring the Puppet agent in the Debian 12 machine. Everything was correct until the second puppet agent -t failed:

Notice: Requesting catalog from puppet-master.com:8140 (172.31.39.200)
Notice: Catalog compiled by ip-172-31-39-200.ec2.internal
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: /puppet/v3/catalog/ip-172-31-32-136. (method :post). Please see the server logs for details.
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: /puppet/v3/report/ip-172-31-32-136. (method :put). Please see the server logs for details.

The 8140 port was available, the configuration was correct and the machines could see each other. I changed the Puppet agent to an Ubuntu 20 machine, and with the same configuration, everything was correct.

Workaround

I made several workarounds to solve this issue:

:x: Usage of apt::keyring. Related: https://forge.puppet.com/modules/puppetlabs/apt/readme#add-gpg-keys. This alternative was discarded because the keyring parameter is available since Puppet version 8.1.0
:x: Usage of the file resource to manage the wazuh.list content. This alternative was discarded because the declaration of the file had a conflict with other existing declarations of the apt module:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/apt/sources.list.d/wazuh.list] is already declared at (file: /etc/puppetlabs/code/environments/production/modules/wazuh/manifests/repo.pp, line: 41); cannot redeclare (file: /etc/puppetlabs/code/environments/production/modules/apt/manifests/setting.pp, line: 68) (file: /etc/puppetlabs/code/environments/production/modules/apt/manifests/setting.pp, line: 68, column: 3) (file: /etc/puppetlabs/code/environments/production/modules/apt/manifests/source.pp, line: 129) on node ip-172-31-35-39.ec2.internal

:heavy_check_mark: Finally, the proposed workaround is to manage the GPG and the repository manually:

Create a import-wazuh-key function that imports the Wazuh key with the GPG tool.
Create a task that ensures the permissions of the keyring.
Use the concat tool, avoiding the file tool, which manages dynamically the content of the wazuh.list file.

This last alternative is the longer and manual one, but it is the one that does not depend on a higher version of Puppet and can be used in older versions of Puppet (6 and 7).

davidcr01 commented 8 months ago

Update Report

Testing

After the development, the Wazuh puppet deployment has been tested in:

Ubuntu 20
Debian 11

In the three tests, the deployment succeeded.

Ubuntu 20

```console root@ip-172-31-35-39:/home/ubuntu# puppet agent -t | tee log.log Info: Using environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Loading facts Warning: Fact value '#!/bin/sh # Wazuh Distribution Detector # Copyright (C) 2015, Wazuh Inc. # November 18, 2016. # # This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation. # Default values DIST_NAME="Linux" DIST_VER="0" DIST_SUBVER="0" SSH_PORT="2200" if [ -r "/etc/os-release" ]; then . /etc/os-release DIST_NAME=$ID DIST_VER=$(echo $VERSION_ID | sed -rn 's/[^0-9]*([0-9]+).*/\1/p') if [ "X$DIST_VER" = "X" ]; then DIST_VER="0" fi if [ "$DIST_NAME" = "amzn" ] && [ "$DIST_VER" == "2018" ]; then DIST_VER="1" fi DIST_SUBVER=$(echo $VERSION_ID | sed -rn 's/[^0-9]*[0-9]+\.([0-9]+).*/\1/p') if [ "X$DIST_SUBVER" = "X" ]; then DIST_SUBVER="0" fi fi if [ ! -r "/etc/os-release" ] || [ "$DIST_NAME" = "centos" ]; then # CentOS if [ -r "/etc/centos-release" ]; then DIST_NAME="centos" DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/centos-release` DIST_SUBVER=`sed -rn 's/.* [0-9]{1,2}\.*([0-9]{0,2}).*/\1/p' /etc/centos-release` # Fedora elif [ -r "/etc/fedora-release" ]; then DIST_NAME="fedora" DIST_VER=`sed -rn 's/.* ([0-9]{1,2}) .*/\1/p' /etc/fedora-release` # RedHat elif [ -r "/etc/redhat-release" ]; then if grep -q "CentOS" /etc/redhat-release; then DIST_NAME="centos" else DIST_NAME="rhel" fi DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/redhat-release` DIST_SUBVER=`sed -rn 's/.* [0-9]{1,2}\.*([0-9]{0,2}).*/\1/p' /etc/redhat-release` # Ubuntu elif [ -r "/etc/lsb-release" ]; then . /etc/lsb-release DIST_NAME="ubuntu" DIST_VER=$(echo $DISTRIB_RELEASE | sed -rn 's/.*([0-9][0-9])\.[0-9][0-9].*/\1/p') DIST_SUBVER=$(echo $DISTRIB_RELEASE | sed -rn 's/.*[0-9][0-9]\.([0-9][0-9]).*/\1/p') # Gentoo elif [ -r "/etc/gentoo-release" ]; then DIST_NAME="gentoo" DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.[0-9]{1,2}.*/\1/p' /etc/gentoo-release` DIST_SUBVER=`sed -rn 's/.* [0-9]{1,2}\.([0-9]{1,2}).*/\1/p' /etc/gentoo-release` # SuSE elif [ -r "/etc/SuSE-release" ]; then DIST_NAME="suse" DIST_VER=`sed -rn 's/.*VERSION = ([0-9]{1,2}).*/\1/p' /etc/SuSE-release` DIST_SUBVER=`sed -rn 's/.*PATCHLEVEL = ([0-9]{1,2}).*/\1/p' /etc/SuSE-release` if [ "$DIST_SUBVER" = "" ]; then #openSuse DIST_SUBVER=`sed -rn 's/.*VERSION = ([0-9]{1,2})\.([0-9]{1,2}).*/\1/p' /etc/SuSE-release` fi # Arch elif [ -r "/etc/arch-release" ]; then DIST_NAME="arch" DIST_VER=$(uname -r | sed -rn 's/[^0-9]*([0-9]+).*/\1/p') DIST_SUBVER=$(uname -r | sed -rn 's/[^0-9]*[0-9]+\.([0-9]+).*/\1/p') # Debian elif [ -r "/etc/debian_version" ]; then DIST_NAME="debian" DIST_VER=`sed -rn 's/[^0-9]*([0-9]+).*/\1/p' /etc/debian_version` DIST_SUBVER=`sed -rn 's/[^0-9]*[0-9]+\.([0-9]+).*/\1/p' /etc/debian_version` # Slackware elif [ -r "/etc/slackware-version" ]; then DIST_NAME="slackware" DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.[0-9].*/\1/p' /etc/slackware-version` DIST_SUBVER=`sed -rn 's/.* [0-9]{1,2}\.([0-9]).*/\1/p' /etc/slackware-version` # Darwin elif [ "$(uname)" = "Darwin" ]; then DIST_NAME="darwin" DIST_VER=$(uname -r | sed -En 's/[^0-9]*([0-9]+).*/\1/p') DIST_SUBVER=$(uname -r | sed -En 's/[^0-9]*[0-9]+\.([0-9]+).*/\1/p') # Solaris / SunOS elif [ "$(uname)" = "SunOS" ]; then DIST_NAME="sunos" DIST_VER=$(uname -r | cut -d\. -f1) DIST_SUBVER=$(uname -r | cut -d\. -f2) # HP-UX elif [ "$(uname)" = "HP-UX" ]; then DIST_NAME="HP-UX" DIST_VER=$(uname -r | cut -d\. -f2) DIST_SUBVER=$(uname -r | cut -d\. -f3) # AIX elif [ "$(uname)" = "AIX" ]; then DIST_NAME="AIX" DIST_VER=$(oslevel | cut -d\. -f1) DIST_SUBVER=$(oslevel | cut -d\. -f2) # BSD elif [ "X$(uname)" = "XOpenBSD" -o "X$(uname)" = "XNetBSD" -o "X$(uname)" = "XFreeBSD" -o "X$(uname)" = "XDragonFly" ]; then DIST_NAME="bsd" DIST_VER=$(uname -r | sed -rn 's/[^0-9]*([0-9]+).*/\1/p') DIST_SUBVER=$(uname -r | sed -rn 's/[^0-9]*[0-9]+\.([0-9]+).*/\1/p') elif [ "X$(uname)" = "XLinux" ]; then DIST_NAME="Linux" fi if [ "X$DIST_SUBVER" = "X" ]; then DIST_SUBVER="0" fi fi if [ "$DIST_NAME" = "amzn" ]; then sed -i "s/#Port\s22/Port ${SSH_PORT}/" /etc/ssh/sshd_config systemctl restart sshd.service fi if [ "$DIST_NAME" = "rhel" ] || [ "$DIST_NAME" = "centos" ] || [ "$DIST_NAME" = "rocky" ] || [ "$DIST_NAME" = "fedora" ]; then sudo sed -i "s/#Port\s22/Port ${SSH_PORT}/" /etc/ssh/sshd_config if [ "$DIST_NAME" = "centos" ] && [ "$DIST_VER" != "7" ]; then sudo yum -y install policycoreutils-python-utils else sudo yum -y install policycoreutils-python-utils fi sudo semanage port -a -t ssh_port_t -p tcp ${SSH_PORT} sudo systemctl restart sshd.service if sudo firewall-cmd --state 2>/dev/null | grep -q -w "running"; then sudo firewall-cmd --permanent --zone=public --add-port=2200/tcp sudo firewall-cmd --reload fi fi if [ "$DIST_NAME" = "ol" ]; then yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm systemctl status amazon-ssm-agent sed -i "s/#Port\s22/Port ${SSH_PORT}/" /etc/ssh/sshd_config yum -y install policycoreutils-python-utils semanage port -a -t ssh_port_t -p tcp ${SSH_PORT} sleep 60 systemctl restart sshd.service firewall-offline-cmd --add-port=${SSH_PORT}/tcp firewall-cmd --reload fi if [ "$DIST_NAME" = "ubuntu" ] || [ "$DIST_NAME" = "debian" ]; then perl -pi -e "s/^#?Port 22$/Port ${SSH_PORT}/" /etc/ssh/sshd_config service sshd restart || service ssh restart fi if [ "$DIST_NAME" = "darwin" ]; then sed -i '' "s/ 22\/tcp/ ${SSH_PORT}\/tcp/" /etc/services sed -i '' "s/ 22\/udp/ ${SSH_PORT}\/tcp/" /etc/services launchctl unload /System/Library/LaunchDaemons/ssh.plist launchctl load -w /System/Library/LaunchDaemons/ssh.plist fi' with the value length: '6358' exceeds the value length limit: 4096 Notice: Requesting catalog from puppet-master.com:8140 (172.31.39.200) Notice: Catalog compiled by ip-172-31-39-200.ec2.internal Info: Caching catalog for ip-172-31-35-39.ec2.internal Info: Applying configuration version '1709821967' Notice: /Stage[repo]/Wazuh::Repo/Exec[import-wazuh-key]/returns: executed successfully (corrective) Notice: /Stage[repo]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{sha256}c100aabaf95d9dbf9bfa75c436548000f7b82a1f1cabf3ccc31217dd9464c75d' (corrective) Info: /Stage[repo]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update] Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update] Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: created (corrective) Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /etc/wazuh-indexer] Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /usr/share/wazuh-indexer] Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /var/lib/wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]/returns: executed successfully (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/owner: owner changed 'root' to 'wazuh-indexer' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/group: group changed 'root' to 'wazuh-indexer' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/mode: mode changed '0755' to '0500' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-node-1.pem]/ensure: defined content as '{sha256}6122ba624bce3183196c775e3bb81dd11ff8fda5f7066b1b46e9af1569fffc4e' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-node-1-key.pem]/ensure: defined content as '{sha256}d1793fc7f7bf712bc6024b8078f682b4eab803e496b5f216bf1dc8af3501a5dd' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/root-ca.pem]/ensure: defined content as '{sha256}ee1d731b818bb88bd0d27c0c4c960df409ba8e296337d04417fb5fd475de584c' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin.pem]/ensure: defined content as '{sha256}94ece1c9d00f3770b27ec6e98e6b89c13246bbab651c28094b74a24866b4866d' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin-key.pem]/ensure: defined content as '{sha256}f8a5202cba17926a1290b15fbde77f04abaccdb48dea47dd6b2e0d4f2ef34662' (corrective) Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: --- /etc/wazuh-indexer/opensearch.yml 2024-03-01 16:35:52.000000000 +0000 +++ /tmp/puppet-file20240307-161672-1wcs4ji 2024-03-07 14:34:11.538390417 +0000 @@ -2,41 +2,28 @@ node.name: "node-1" cluster.initial_master_nodes: - "node-1" -#- "node-2" -#- "node-3" cluster.name: "wazuh-cluster" -#discovery.seed_hosts: -# - "node-1-ip" -# - "node-2-ip" -# - "node-3-ip" -node.max_local_storage_nodes: "3" -path.data: /var/lib/wazuh-indexer -path.logs: /var/log/wazuh-indexer - -plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem -plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem +node.max_local_storage_nodes: "1" +path.data: "/var/lib/wazuh-indexer" +path.logs: "/var/log/wazuh-indexer" +plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer-node-1.pem +plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-node-1-key.pem plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem -plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem -plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem +plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer-node-1.pem +plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-node-1-key.pem plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem plugins.security.ssl.http.enabled: true plugins.security.ssl.transport.enforce_hostname_verification: false plugins.security.ssl.transport.resolve_hostname: false - plugins.security.authcz.admin_dn: - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.check_snapshot_restore_write_privileges: true plugins.security.enable_snapshot_restore_privilege: true plugins.security.nodes_dn: -- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US" -#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US" -#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US" +- "CN=indexer-node-1,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" - -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] - -### Option to allow Filebeat-oss 7.10.2 to work ### +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false compatibility.override_main_response_version: true \ No newline at end of file Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: content changed '{sha256}d95d40b8ee093f122d8015d4a267eddbd92ba3e323c70f2ac7ab7d8ff9e584fe' to '{sha256}7a968bc98cfb330d90f1681ead16418cda35a525b8cf5ad1ec2f4dd01d16eab2' (corrective) Info: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]/ensure: ensure changed 'stopped' to 'running' (corrective) Info: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer] Notice: /Stage[manager]/Wazuh::Manager/Package[wazuh-manager]/ensure: created (corrective) Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: --- /var/ossec/etc/shared/default/agent.conf 2024-03-01 16:41:12.000000000 +0000 +++ /tmp/puppet-file20240307-161672-1ij4dnq 2024-03-07 14:35:45.043397494 +0000 @@ -2,4 +2,4 @@ - + \ No newline at end of file Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: content changed '{sha256}d76908d51018ec72afc1a7e17fbc3971c6a812446fd930fdba5ed66f1af47ed0' to '{sha256}ea2cf84c0fdc6dd290d7cba0ad0eac63850d56203aeb882568f69f22d98dccf9' (corrective) Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/owner: owner changed 'wazuh' to 'root' (corrective) Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/mode: mode changed '0660' to '0640' (corrective) Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager] Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: --- /var/ossec/etc/rules/local_rules.xml 2024-03-01 16:41:12.000000000 +0000 +++ /tmp/puppet-file20240307-161672-s1cpk7 2024-03-07 14:35:45.083397925 +0000 @@ -1,14 +1,12 @@ - - - - - + 5716 1.1.1.1 @@ -16,4 +14,28 @@ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - + + + + + + + + + + + + Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: content changed '{sha256}991dc926bd2e3aec88bd79be1c8b458777f64f489b3e6524e682ac33620425f4' to '{sha256}4b0ffe3d22c782a75fa5559839751959cc9cb33256ca06efcca298cb0109a342' (corrective) Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/owner: owner changed 'wazuh' to 'root' (corrective) Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/mode: mode changed '0660' to '0640' (corrective) Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager] Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content: --- /var/ossec/etc/decoders/local_decoder.xml 2024-03-01 16:41:12.000000000 +0000 +++ /tmp/puppet-file20240307-161672-j0cph0 2024-03-07 14:35:45.111398226 +0000 @@ -1,8 +1,6 @@ - - - yes yes no no - no - smtp.example.wazuh.com - wazuh@example.wazuh.com - recipient@example.wazuh.com - 12 - alerts.log 10m 0 - yes + no + 127.0.0.1 + ^localhost.localdomain$ + 10.0.0.2 @@ -26,7 +17,6 @@ 12 - plain @@ -38,8 +28,9 @@ 131072 - - + + + no yes yes @@ -48,144 +39,117 @@ yes yes yes - - 43200 - - etc/rootcheck/rootkit_files.txt - etc/rootcheck/rootkit_trojans.txt - + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt yes - + - + yes 1800 1d yes + + + yes + 1800 + 1d + yes wodles/java wodles/ciscat - + + - - + yes yes - /var/log/osquery/osqueryd.results.log + /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf yes - + - - - no - 1h - yes - yes - yes - yes - yes - yes - yes - - - - 10 - - + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + - + yes yes 12h yes + - - + + # Configuration for Vulnerability detection + + yes + yes + 60m + +# indexer configuration for vulnerability detection + + yes + + https://127.0.0.1:9200 + + + + /etc/filebeat/certs/root-ca.pem + + /etc/filebeat/certs/filebeat.pem + /etc/filebeat/certs/filebeat-key.pem + + + + + no + 43200 + yes + no + 10 + yes - yes - 60m - - - - yes - - https://0.0.0.0:9200 - - - - /etc/filebeat/certs/root-ca.pem - - /etc/filebeat/certs/filebeat.pem - /etc/filebeat/certs/filebeat-key.pem - - - - - - no - - - 43200 + 5m + 1h + 10 + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + /sys/kernel/security + /sys/kernel/debug + /dev/core + ^/proc + .log$|.swp$ + /etc/ssl/private.key + yes + - yes - - - yes - - - no - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - - .log$|.swp$ - - - /etc/ssl/private.key - yes - yes - yes - yes - - - 10 - - - 50 - - - - yes - 5m - 10 - - - - - 127.0.0.1 - ^localhost.localdomain$ - 127.0.0.53 - disable-account @@ -194,8 +158,8 @@ - restart-wazuh - restart-wazuh + restart-ossec + restart-ossec @@ -218,118 +182,124 @@ win_route-null - route-null.exe + route-null + yes + + + + win_route-null-2012 + route-null-2012 yes netsh - netsh.exe + netsh + yes + + + + netsh-win-2016 + netsh-win-2016 yes - + + + syslog + /var/log/syslog + + + syslog + /var/log/dpkg.log + + + syslog + /var/log/kern.log + + + syslog + /var/log/auth.log + + + syslog + /var/ossec/logs/active-responses.log + - command df -P 360 - full_command netstat -tulpn | sed 's/$[[:alnum:]]\+$\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+$.*$:$[[:digit:]]*$\ \+$[0-9\.\:\*]\+$.\+\ $[[:digit:]]*\/[[:alnum:]\-]*$.*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == $.*$ ==/:\1/' | sed 1,2d netstat listening ports 360 - full_command last -n 20 360 - - + + + + + ruleset/decoders ruleset/rules 0215-policy_rules.xml - etc/lists/audit-keys - etc/lists/amazon/aws-eventnames - etc/lists/security-eventchannel - - + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + etc/decoders etc/rules - + - - yes - 1 - 64 - 15m - - - - no - 1515 - no - yes - no - HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH - - no - etc/sslmanager.cert - etc/sslmanager.key - no - - - - wazuh - node01 - master - - 1516 - 0.0.0.0 - - NODE_IP - - no - yes - - - - - syslog - /var/ossec/logs/active-responses.log - + + + no + 1515 + yes + + yes + yes + 1h + 1h + + yes + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + - - syslog - /var/log/auth.log - - - syslog - /var/log/syslog - - - syslog - /var/log/dpkg.log - + + + wazuh + node01 + master + KEY + 1516 + 0.0.0.0 + + NODE_IP + + no + yes + - - syslog - /var/log/kern.log - Info: Computing checksum on file /var/ossec/etc/ossec.conf Info: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 900082d50978037c6736092213a65a2e3d6056458a6b6cb821a1ae72c289630c Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}900082d50978037c6736092213a65a2e3d6056458a6b6cb821a1ae72c289630c' to '{sha256}d801d178273a64d34ad24c7d14dcdc62bc89f94454c96bebb81fa54c3937438c' (corrective) Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640' (corrective) Info: Concat[manager_ossec.conf]: Scheduling refresh of Service[wazuh-manager] Notice: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]/ensure: ensure changed 'stopped' to 'running' (corrective) Info: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]: Unscheduling refresh on Service[wazuh-manager] Notice: /Stage[dashboard]/Wazuh::Dashboard/Package[wazuh-dashboard]/ensure: created (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/Exec[ensure full path of /etc/wazuh-dashboard/certs]/returns: executed successfully (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/owner: owner changed 'root' to 'wazuh-dashboard' (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/group: group changed 'root' to 'wazuh-dashboard' (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/mode: mode changed '0755' to '0500' (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard.pem]/ensure: defined content as '{sha256}71aef4c05cd48dc549be1b6469110b27accb27e58cc321ffda76672ad90d8305' (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard-key.pem]/ensure: defined content as '{sha256}e3597a85ab1731acd5f9892df45a8f5e6902815f0fb0803a4eb49c36a044aafd' (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/root-ca.pem]/ensure: defined content as '{sha256}ee1d731b818bb88bd0d27c0c4c960df409ba8e296337d04417fb5fd475de584c' (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: --- /etc/wazuh-dashboard/opensearch_dashboards.yml 2024-03-01 16:41:39.000000000 +0000 +++ /tmp/puppet-file20240307-161672-s4zy5z 2024-03-07 14:38:39.685273233 +0000 @@ -2,9 +2,9 @@ server.port: 443 opensearch.hosts: https://localhost:9200 opensearch.ssl.verificationMode: certificate -#opensearch.username: -#opensearch.password: -opensearch.requestHeadersAllowlist: ["securitytenant","authorization"] +opensearch.username: kibanaserver +opensearch.password: kibanaserver +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: false opensearch_security.readonly_mode.roles: ["kibana_read_only"] server.ssl.enabled: true @@ -12,4 +12,3 @@ server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] uiSettings.overrides.defaultRoute: /app/wz-home - Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: content changed '{sha256}0255c58693ccb17fb84260a7ec6d0a3a9422b94d001e39b77a82e0ff81e2ecbf' to '{sha256}74ff59a251cbd87e132b8e88826b954f1b0f331dc53550e92a6bb73dc01b8918' (corrective) Info: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]: Scheduling refresh of Service[wazuh-dashboard] Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/]/ensure: created (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config]/ensure: created (corrective) Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]/ensure: defined content as '{sha256}3a9783f9c7ecfdee95b0c829af68499e2f6c43a5fb04d031493819ae4dcd6fc7' (corrective) Info: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]: Scheduling refresh of Service[wazuh-dashboard] Notice: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]/ensure: ensure changed 'stopped' to 'running' (corrective) Info: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]: Unscheduling refresh on Service[wazuh-dashboard] Notice: Applied catalog in 351.63 seconds root@ip-172-31-35-39:/home/ubuntu# ```

Debian 11

```console Info: Caching catalog for ip-172-31-36-23.ec2.internal Info: Applying configuration version '1709892589' Notice: /Stage[repo]/Wazuh::Repo/Exec[import-wazuh-key]/returns: executed successfully (corrective) Notice: /Stage[repo]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{sha256}ec580bdfc247ff6924e89262de6bec97786cdd7fb640ac6c6215ba1913a5c217' (corrective) Info: /Stage[repo]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: created Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /etc/wazuh-indexer] Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /usr/share/wazuh-indexer] Info: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /var/lib/wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]/returns: executed successfully Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/owner: owner changed 'root' to 'wazuh-indexer' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/group: group changed 'root' to 'wazuh-indexer' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/mode: mode changed '0755' to '0500' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-node-1.pem]/ensure: defined content as '{sha256}6122ba624bce3183196c775e3bb81dd11ff8fda5f7066b1b46e9af1569fffc4e' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-node-1-key.pem]/ensure: defined content as '{sha256}d1793fc7f7bf712bc6024b8078f682b4eab803e496b5f216bf1dc8af3501a5dd' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/root-ca.pem]/ensure: defined content as '{sha256}ee1d731b818bb88bd0d27c0c4c960df409ba8e296337d04417fb5fd475de584c' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin.pem]/ensure: defined content as '{sha256}94ece1c9d00f3770b27ec6e98e6b89c13246bbab651c28094b74a24866b4866d' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin-key.pem]/ensure: defined content as '{sha256}f8a5202cba17926a1290b15fbde77f04abaccdb48dea47dd6b2e0d4f2ef34662' Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: --- /etc/wazuh-indexer/opensearch.yml 2024-03-01 16:35:52.000000000 +0000 +++ /tmp/puppet-file20240308-4726-1axv6vt 2024-03-08 10:12:18.235514662 +0000 @@ -2,41 +2,28 @@ node.name: "node-1" cluster.initial_master_nodes: - "node-1" -#- "node-2" -#- "node-3" cluster.name: "wazuh-cluster" -#discovery.seed_hosts: -# - "node-1-ip" -# - "node-2-ip" -# - "node-3-ip" -node.max_local_storage_nodes: "3" -path.data: /var/lib/wazuh-indexer -path.logs: /var/log/wazuh-indexer - -plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem -plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem +node.max_local_storage_nodes: "1" +path.data: "/var/lib/wazuh-indexer" +path.logs: "/var/log/wazuh-indexer" +plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer-node-1.pem +plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-node-1-key.pem plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem -plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem -plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem +plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer-node-1.pem +plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-node-1-key.pem plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem plugins.security.ssl.http.enabled: true plugins.security.ssl.transport.enforce_hostname_verification: false plugins.security.ssl.transport.resolve_hostname: false - plugins.security.authcz.admin_dn: - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.check_snapshot_restore_write_privileges: true plugins.security.enable_snapshot_restore_privilege: true plugins.security.nodes_dn: -- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US" -#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US" -#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US" +- "CN=indexer-node-1,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" - -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] - -### Option to allow Filebeat-oss 7.10.2 to work ### +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false compatibility.override_main_response_version: true \ No newline at end of file Notice: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]/content: content changed '{sha256}d95d40b8ee093f122d8015d4a267eddbd92ba3e323c70f2ac7ab7d8ff9e584fe' to '{sha256}7a968bc98cfb330d90f1681ead16418cda35a525b8cf5ad1ec2f4dd01d16eab2' Info: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]/ensure: ensure changed 'stopped' to 'running' Info: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer] Notice: /Stage[securityadmin]/Wazuh::Securityadmin/Exec[Initialize the Opensearch security index in Wazuh indexer]/returns: executed successfully Notice: /Stage[manager]/Wazuh::Manager/Package[wazuh-manager]/ensure: created Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: --- /var/ossec/etc/shared/default/agent.conf 2024-03-01 16:41:12.000000000 +0000 +++ /tmp/puppet-file20240308-4726-1mur9rq 2024-03-08 10:15:11.264469376 +0000 @@ -2,4 +2,4 @@ - + \ No newline at end of file Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: content changed '{sha256}d76908d51018ec72afc1a7e17fbc3971c6a812446fd930fdba5ed66f1af47ed0' to '{sha256}ea2cf84c0fdc6dd290d7cba0ad0eac63850d56203aeb882568f69f22d98dccf9' Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/owner: owner changed 'wazuh' to 'root' Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/mode: mode changed '0660' to '0640' Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager] Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: --- /var/ossec/etc/rules/local_rules.xml 2024-03-01 16:41:12.000000000 +0000 +++ /tmp/puppet-file20240308-4726-1sbugba 2024-03-08 10:15:11.288469490 +0000 @@ -1,14 +1,12 @@ - - - - - + 5716 1.1.1.1 @@ -16,4 +14,28 @@ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - + + + + + + + + + + + + Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: content changed '{sha256}991dc926bd2e3aec88bd79be1c8b458777f64f489b3e6524e682ac33620425f4' to '{sha256}4b0ffe3d22c782a75fa5559839751959cc9cb33256ca06efcca298cb0109a342' Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/owner: owner changed 'wazuh' to 'root' Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/mode: mode changed '0660' to '0640' Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager] Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager] Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content: --- /var/ossec/etc/decoders/local_decoder.xml 2024-03-01 16:41:12.000000000 +0000 +++ /tmp/puppet-file20240308-4726-10ob7oh 2024-03-08 10:15:11.312469606 +0000 @@ -1,8 +1,6 @@ - - - yes yes no no - no - smtp.example.wazuh.com - wazuh@example.wazuh.com - recipient@example.wazuh.com - 12 - alerts.log 10m 0 - yes + no + 127.0.0.1 + ^localhost.localdomain$ + 10.0.0.2 @@ -26,7 +17,6 @@ 12 - plain @@ -38,8 +28,9 @@ 131072 - - + + + no yes yes @@ -48,144 +39,117 @@ yes yes yes - - 43200 - - etc/rootcheck/rootkit_files.txt - etc/rootcheck/rootkit_trojans.txt - + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt yes - + - + yes 1800 1d yes + + + yes + 1800 + 1d + yes wodles/java wodles/ciscat - + + - - + yes yes - /var/log/osquery/osqueryd.results.log + /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf yes - + - - - no - 1h - yes - yes - yes - yes - yes - yes - yes - - - - 10 - - + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + - + yes yes 12h yes + - - - yes - yes - 60m - - - + + # Configuration for Vulnerability detection + + yes + yes + 60m + +# indexer configuration for vulnerability detection + + yes + + https://127.0.0.1:9200 + + + + /etc/filebeat/certs/root-ca.pem + + /etc/filebeat/certs/filebeat.pem + /etc/filebeat/certs/filebeat-key.pem + + + + + no + 43200 + yes + no + 10 + yes - - https://0.0.0.0:9200 - - - - /etc/filebeat/certs/root-ca.pem - - /etc/filebeat/certs/filebeat.pem - /etc/filebeat/certs/filebeat-key.pem - - - - - - no - - - 43200 - - yes - - - yes + 5m + 1h + 10 + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + /sys/kernel/security + /sys/kernel/debug + /dev/core + ^/proc + .log$|.swp$ + /etc/ssl/private.key + yes + - - no - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - .log$|.swp$ - - - /etc/ssl/private.key - - yes - yes - yes - yes - - - 10 - - - 50 - - - - yes - 5m - 10 - - - - - - 127.0.0.1 - ^localhost.localdomain$ - 172.31.0.2 - disable-account @@ -194,8 +158,8 @@ - restart-wazuh - restart-wazuh + restart-ossec + restart-ossec @@ -218,123 +182,124 @@ win_route-null - route-null.exe + route-null + yes + + + + win_route-null-2012 + route-null-2012 yes netsh - netsh.exe + netsh + yes + + + + netsh-win-2016 + netsh-win-2016 yes - + + + syslog + /var/log/syslog + + + syslog + /var/log/dpkg.log + + + syslog + /var/log/kern.log + + + syslog + /var/log/auth.log + + + syslog + /var/ossec/logs/active-responses.log + - command df -P 360 - full_command netstat -tulpn | sed 's/$[[:alnum:]]\+$\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+$.*$:$[[:digit:]]*$\ \+$[0-9\.\:\*]\+$.\+\ $[[:digit:]]*\/[[:alnum:]\-]*$.*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == $.*$ ==/:\1/' | sed 1,2d netstat listening ports 360 - full_command last -n 20 360 - - + + + + + ruleset/decoders ruleset/rules 0215-policy_rules.xml - etc/lists/audit-keys - etc/lists/amazon/aws-eventnames - etc/lists/security-eventchannel - - + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + etc/decoders etc/rules - - - - yes - 1 - 64 - 15m - + - - - no - 1515 - no - yes - no - HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH - - no - etc/sslmanager.cert - etc/sslmanager.key - no - - - - wazuh - node01 - master - - 1516 - 0.0.0.0 - - NODE_IP - - no - yes - - - - - syslog - /var/ossec/logs/active-responses.log - - - syslog - /var/log/messages - + + + no + 1515 + yes + + yes + yes + 1h + 1h + + yes + no + yes + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + no + /var/ossec/etc/sslmanager.cert + /var/ossec/etc/sslmanager.key + no + - - syslog - /var/log/auth.log - - - syslog - /var/log/syslog - - - syslog - /var/log/dpkg.log - + + + wazuh + node01 + master + KEY + 1516 + 0.0.0.0 + + NODE_IP + + no + yes + - - syslog - /var/log/kern.log - Info: Computing checksum on file /var/ossec/etc/ossec.conf Info: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 414bc79c29a4b27964a36d32f3191070e83e0486ed37057f7f5b977da12ff102 Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}414bc79c29a4b27964a36d32f3191070e83e0486ed37057f7f5b977da12ff102' to '{sha256}d801d178273a64d34ad24c7d14dcdc62bc89f94454c96bebb81fa54c3937438c' Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640' Info: Concat[manager_ossec.conf]: Scheduling refresh of Service[wazuh-manager] Notice: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]/ensure: ensure changed 'stopped' to 'running' Info: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]: Unscheduling refresh on Service[wazuh-manager] Notice: /Stage[dashboard]/Wazuh::Dashboard/Package[wazuh-dashboard]/ensure: created Notice: /Stage[dashboard]/Wazuh::Dashboard/Exec[ensure full path of /etc/wazuh-dashboard/certs]/returns: executed successfully Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/owner: owner changed 'root' to 'wazuh-dashboard' Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/group: group changed 'root' to 'wazuh-dashboard' Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]/mode: mode changed '0755' to '0500' Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard.pem]/ensure: defined content as '{sha256}71aef4c05cd48dc549be1b6469110b27accb27e58cc321ffda76672ad90d8305' Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard-key.pem]/ensure: defined content as '{sha256}e3597a85ab1731acd5f9892df45a8f5e6902815f0fb0803a4eb49c36a044aafd' Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/root-ca.pem]/ensure: defined content as '{sha256}ee1d731b818bb88bd0d27c0c4c960df409ba8e296337d04417fb5fd475de584c' Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: --- /etc/wazuh-dashboard/opensearch_dashboards.yml 2024-03-01 16:41:39.000000000 +0000 +++ /tmp/puppet-file20240308-4726-10w4767 2024-03-08 10:19:39.510159101 +0000 @@ -2,9 +2,9 @@ server.port: 443 opensearch.hosts: https://localhost:9200 opensearch.ssl.verificationMode: certificate -#opensearch.username: -#opensearch.password: -opensearch.requestHeadersAllowlist: ["securitytenant","authorization"] +opensearch.username: kibanaserver +opensearch.password: kibanaserver +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: false opensearch_security.readonly_mode.roles: ["kibana_read_only"] server.ssl.enabled: true @@ -12,4 +12,3 @@ server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem" opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] uiSettings.overrides.defaultRoute: /app/wz-home - Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]/content: content changed '{sha256}0255c58693ccb17fb84260a7ec6d0a3a9422b94d001e39b77a82e0ff81e2ecbf' to '{sha256}74ff59a251cbd87e132b8e88826b954f1b0f331dc53550e92a6bb73dc01b8918' Info: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]: Scheduling refresh of Service[wazuh-dashboard] Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/]/ensure: created Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config]/ensure: created Notice: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]/ensure: defined content as '{sha256}3a9783f9c7ecfdee95b0c829af68499e2f6c43a5fb04d031493819ae4dcd6fc7' Info: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]: Scheduling refresh of Service[wazuh-dashboard] Notice: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]/ensure: ensure changed 'stopped' to 'running' Info: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]: Unscheduling refresh on Service[wazuh-dashboard] Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update] Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event Notice: Applied catalog in 592.05 seconds ```

Ubuntu 20

Debian 11 debian11

wazuh / wazuh-puppet

Wazuh Agent Repository maintained via Puppet using old deprecated apt-key function #939

Update Report

Workaround

Update Report

Testing