wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Release 4.3.0 - Release Candidate 7 - Windows agent installation #2855

Closed Rebits closed 2 years ago

Rebits commented 2 years ago

Description

The command to install an agent displayed by the UI step-by-step guide does not work correctly, as explained in https://github.com/wazuh/wazuh-kibana-app/issues/4085. It is required to test the proposed install command in a set of Windows OS.

```
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile "$home\wazuh-agent-4.2.6.msi"; Invoke-Expression "$home\wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='wazuh' WAZUH_REGISTRATION_SERVER='wazuh'"
```

Target Windows OS

Checks

Auditors validation

Rebits commented 2 years ago

Conclusion :green_circle: (UPDATED)

The proposed command works without problem in the following OS:

The request was aborted: Could not create SSL/TLS secure channel (SOLVED)

The proposed command works without problem in the following OS:

- Windows Server 2022
- Windows Server 2019
- Windows 11
- Windows 10
- Windows 8
- Windows 7

However, a minor issue has been detected in the following OS:

- Windows Server 2016
- Windows Server 2012

PowerShell in these OS uses TLS1 by default, but the request requires TLS1.2. This produces the following error:

```
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1
.msi -OutFile "$home\wazuh-agent-4.3.0.msi"; Invoke-Expression "$home\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31.86.
118' WAZUH_REGISTRATION_SERVER='172.31.86.118'"
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/win ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

C:\Users\Administrator\wazuh-agent-4.3.0.msi : The term 'C:\Users\Administrator\wazuh-agent-4.3.0.msi' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ C:\Users\Administrator\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Admini...agent-4.3.0.msi:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

We can mitigate this error by changing the value of `[Net.ServicePointManager]::SecurityProtocol` with:

```
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12"
```

Now the command runs without errors:

```
PS C:\Users\Administrator> [Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12"
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1.msi -OutFi on "$home\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31.86.118' WAZUH_REGISTRATION_SERVER='172.31.86.118'"
PS C:\Users\Administrator>
```

It is recommended to include this information on the documentation page.

Rebits commented 2 years ago

Windows Server 2019 Base :green_circle:

### Run command in C:\windows\system32 path

![WS2019-system-path](https://user-images.githubusercontent.com/11089305/166656026-d1095dab-b731-470e-8bac-9142d823e218.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8611750/w2019.zip)

### Wazuh service

```
PS C:\Users\Administrator> get-service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Active
```

### Alert generation

```
** Alert 1651593734.2181264: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 03 16:02:14 (EC2AMAZ-RMH8NED) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'EC2AMAZ-RMH8NED->any'.

** Alert 1651593734.2181607: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 03 16:02:14 (EC2AMAZ-RMH8NED) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'EC2AMAZ-RMH8NED->any'.
```

### Installation path

![ipath2019](https://user-images.githubusercontent.com/11089305/166492869-ef9bbdce-362f-4545-b2b3-0052f1f1c92f.png)

### Uninstall

![u2019](https://user-images.githubusercontent.com/11089305/166492840-65de4586-9cb1-48c1-b5f0-9950ff751196.png)

Rebits commented 2 years ago

Windows 10 :green_circle:

### Run command in C:\windows\system32 path

![W10-system-path](https://user-images.githubusercontent.com/11089305/166669804-448fc643-bdb5-41ec-8766-855f74814884.png)

### Wazuh service

```
PS C:\Users\vagrant> net start wazuhsvc
The Wazuh service is starting.
The Wazuh service was started successfully.

PS C:\Users\vagrant> get-service wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  wazuhsvc           Wazuh

PS C:\Users\vagrant>
```

### Agent status

Where `DESKTOP-PM18UJT` is the Windows 10 agent

```
Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Disconnected
   ID: 003, Name: W2019, IP: any, Disconnected
   ID: 004, Name: TESTING, IP: any, Disconnected
   ID: 005, Name: DESKTOP-PM18UJT, IP: any, Active
```

### Alert generation

```
** Alert 1651649679.1458388: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 07:34:39 (DESKTOP-PM18UJT) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'DESKTOP-PM18UJT->any'.

** Alert 1651649680.1458731: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 07:34:40 (DESKTOP-PM18UJT) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'DESKTOP-PM18UJT->any'.
```

### Installation path

![w10-install](https://user-images.githubusercontent.com/11089305/166639487-33df28db-7a77-4182-9bec-06ffa7028ec0.png)

### Uninstall

![unintall_w10](https://user-images.githubusercontent.com/11089305/166639571-8a24495b-363c-414e-83ef-96ef9d3d65d7.png)

Rebits commented 2 years ago

Windows Server 2016 :red_circle:

### Error during installation

An error occurs when running the command:

```
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1
.msi -OutFile "$home\wazuh-agent-4.3.0.msi"; Invoke-Expression "$home\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31.86.
118' WAZUH_REGISTRATION_SERVER='172.31.86.118'"
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/win ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

C:\Users\Administrator\wazuh-agent-4.3.0.msi : The term 'C:\Users\Administrator\wazuh-agent-4.3.0.msi' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ C:\Users\Administrator\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Admini...agent-4.3.0.msi:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

The root of this error is that PowerShell uses TLS1 by default, but the request requires TLS1.2:

```
PS C:\Users\Administrator> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
```

We can mitigate this error by changing the value of `[Net.ServicePointManager]::SecurityProtocol` with:

```
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12"
```

Now the command runs without errors:

```
PS C:\Users\Administrator> [Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12"
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1.msi -OutFi on "$home\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31.86.118' WAZUH_REGISTRATION_SERVER='172.31.86.118'"
PS C:\Users\Administrator>
```

### Run command in C:\windows\system32 path

![WS2016-system-path](https://user-images.githubusercontent.com/11089305/166656168-c8fb24bb-87ba-4b26-9336-894307d6dc38.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8618704/ws2016.zip)

### Wazuh service

```
PS C:\Users\Administrator> get-service wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  wazuhsvc           Wazuh

PS C:\Users\Administrator>
```

### Agent status

Where `EC2AMAZ-JD1NGT8` is the Windows Server 2016 agent

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Disconnected
   ID: 003, Name: W2019, IP: any, Disconnected
   ID: 004, Name: TESTING, IP: any, Disconnected
   ID: 005, Name: DESKTOP-PM18UJT, IP: any, Disconnected
   ID: 006, Name: EC2AMAZ-JD1NGT8, IP: any, Active
```

### Alert generation

```
** Alert 1651651549.2778241: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 08:05:49 (EC2AMAZ-JD1NGT8) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'EC2AMAZ-JD1NGT8->any'.

** Alert 1651651549.2778584: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 08:05:49 (EC2AMAZ-JD1NGT8) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'EC2AMAZ-JD1NGT8->any'.
```

### Installation path

![ws2016-install](https://user-images.githubusercontent.com/11089305/166643761-458f3702-6dea-4e40-99fb-9778389f8e76.png)

### Uninstall

![ws2016-uninstall](https://user-images.githubusercontent.com/11089305/166647598-5e95e79f-2b79-4694-a54c-dcc874ef494f.png)

Rebits commented 2 years ago

Windows Server 2012 :red_circle:

### Error during installation

Same behavior as `Windows Server 2016`:

```
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1
.msi -OutFile "$home\wazuh-agent-4.3.0.msi"; Invoke-Expression "$home\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31.86.
118' WAZUH_REGISTRATION_SERVER='172.31.86.118'"
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/win ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

C:\Users\Administrator\wazuh-agent-4.3.0.msi : The term 'C:\Users\Administrator\wazuh-agent-4.3.0.msi' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ C:\Users\Administrator\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Admini...agent-4.3.0.msi:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

The root of this error is that PowerShell uses TLS1 by default, but the request requires TLS1.2:

```
PS C:\Users\Administrator> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
```

We can mitigate this error by changing the value of `[Net.ServicePointManager]::SecurityProtocol` with:

```
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12"
```

Now the command runs without errors:

```
PS C:\Users\Administrator> [Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12"
PS C:\Users\Administrator> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1.msi -OutFi on "$home\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='172.31.86.118' WAZUH_REGISTRATION_SERVER='172.31.86.118'"
PS C:\Users\Administrator>
```

### Run command in C:\windows\system32 path

![W2012-system-path](https://user-images.githubusercontent.com/11089305/166659174-20ff5c8d-609c-46d8-aeea-1d8c30b7bbb7.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8618829/w2012.zip)

### Wazuh service

```
PS C:\Users\Administrator> get-service wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  wazuhsvc           Wazuh

PS C:\Users\Administrator>
```

### Agent status

Where `WIN-5KKMS5HIQUF` is the Windows Server 2012 agent

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Disconnected
   ID: 003, Name: W2019, IP: any, Disconnected
   ID: 004, Name: TESTING, IP: any, Disconnected
   ID: 005, Name: DESKTOP-PM18UJT, IP: any, Disconnected
   ID: 006, Name: EC2AMAZ-JD1NGT8, IP: any, Disconnected
   ID: 007, Name: WIN-5KKMS5HIQUF, IP: any, Active
```

### Alert generation

```
** Alert 1651653158.4024222: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 08:32:38 (WIN-5KKMS5HIQUF) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'WIN-5KKMS5HIQUF->any'.

** Alert 1651653159.4024565: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 08:32:39 (WIN-5KKMS5HIQUF) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'WIN-5KKMS5HIQUF->any'.
```

### Installation path

![w2012-install](https://user-images.githubusercontent.com/11089305/166647341-26ef9c75-63d1-4750-9c5b-864949e50ef6.png)

### Uninstall

![w2012-uninstall](https://user-images.githubusercontent.com/11089305/166647442-7d7c714b-b7cf-461e-b0bd-62f76777e58a.png)

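
The TLS workaround reported in the conclusion and in the Windows Server 2016 and 2012 comments above, written out as a script. This is an added example, not part of the issue thread or of Wazuh's own tooling: it offers TLS 1.2 only for the download (instead of `"Tls, Tls11, Tls12"`), restores the session value afterwards, and stops before the install step if the download fails. Assumptions: `<MANAGER_IP>` is a placeholder, the session is elevated, and the MSI carries an Authenticode signature.

```powershell
# Added example: not from the issue thread and not Wazuh's own installer script.
# A failed download must stop the script instead of falling through to the
# install step (the second, misleading error in the captures above).
$ErrorActionPreference = 'Stop'

$Uri     = 'https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1.msi'  # URL used in the thread
$Msi     = Join-Path $env:TEMP 'wazuh-agent-4.3.0.msi'
$Manager = '<MANAGER_IP>'   # placeholder: manager / registration server address

function Invoke-WithTls12 {
    param([Parameter(Mandatory = $true)][scriptblock]$Action)

    # On Windows Server 2012/2016 the thread shows this value as "Ssl3, Tls".
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        # Offer TLS 1.2 only for this request, so the client cannot
        # negotiate down to TLS 1.0/1.1.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        & $Action
    }
    finally {
        # Restore the session-wide setting for whatever runs next.
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

Invoke-WithTls12 { Invoke-WebRequest -Uri $Uri -OutFile $Msi -UseBasicParsing }

# Assumption: the package is Authenticode-signed. Refuse to run it otherwise.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
    Remove-Item -LiteralPath $Msi -Force
    throw "Refusing to install ${Msi}: signature status is $($sig.Status)"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Call msiexec.exe explicitly and wait for it, so the exit code is available.
$msiArgs = @(
    '/i', "`"$Msi`"", '/q',
    "WAZUH_MANAGER=$Manager",
    "WAZUH_REGISTRATION_SERVER=$Manager"
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ((0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# Same check the testers ran after installation.
Get-Service -Name WazuhSvc
```
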
Rebits commented 2 years ago

Windows 11 :green_circle:

### Run command in C:\windows\system32 path

![W11-system-path](https://user-images.githubusercontent.com/11089305/166656384-e3253fd5-e15b-4d69-b603-261ff4406193.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8619014/w11.log.zip)

### Wazuh service

![w11-service](https://user-images.githubusercontent.com/11089305/166652395-74b683bf-733f-4845-9f45-e4256a469b03.png)

### Agent status

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Disconnected
   ID: 003, Name: W2019, IP: any, Disconnected
   ID: 004, Name: TESTING, IP: any, Disconnected
   ID: 005, Name: DESKTOP-PM18UJT, IP: any, Disconnected
   ID: 006, Name: EC2AMAZ-JD1NGT8, IP: any, Disconnected
   ID: 007, Name: WIN-5KKMS5HIQUF, IP: any, Disconnected
   ID: 008, Name: windows11, IP: any, Active
```

### Alert generation

```
** Alert 1651655132.5464856: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 09:05:32 (windows11) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'windows11->any'.

** Alert 1651655132.5465187: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 09:05:32 (windows11) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'windows11->any'.
```

### Installation path

![w11-install](https://user-images.githubusercontent.com/11089305/166652381-f63b108b-e97d-4ac2-8a8d-310cff59b959.png)

### Uninstall

![w11-uninstall](https://user-images.githubusercontent.com/11089305/166652790-1e8a973d-e507-4ce8-8ab6-f531f5b9abef.png)

Rebits commented 2 years ago

Windows 7 :green_circle:

### Run command in C:\windows\system32 path

![W7-system-path](https://user-images.githubusercontent.com/11089305/166665009-ab0d241c-f161-4a64-baa8-49f019209bda.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8619508/w7.zip)

### Wazuh service

```
>> PS C:\Windows\System32> net start wazuhsvc
The Wazuh service is starting.
The Wazuh service was started successfully.

PS C:\Windows\System32> get-service wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  wazuhsvc           Wazuh

PS C:\Windows\System32>
```

### Agent status

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Disconnected
   ID: 003, Name: W2019, IP: any, Disconnected
   ID: 004, Name: TESTING, IP: any, Disconnected
   ID: 005, Name: DESKTOP-PM18UJT, IP: any, Disconnected
   ID: 006, Name: EC2AMAZ-JD1NGT8, IP: any, Disconnected
   ID: 007, Name: WIN-5KKMS5HIQUF, IP: any, Disconnected
   ID: 008, Name: windows11, IP: any, Disconnected
   ID: 009, Name: DESKTOP-BKVHKDH, IP: any, Active

List of agentless devices:
```

### Alert generation

```
** Alert 1651660323.6947089: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 10:32:03 (DESKTOP-BKVHKDH) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'DESKTOP-BKVHKDH->any'.

** Alert 1651660324.6947432: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 10:32:04 (DESKTOP-BKVHKDH) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'DESKTOP-BKVHKDH->any'.
```

### Installation path

![installation-path](https://user-images.githubusercontent.com/11089305/166665430-2c8c3042-decc-40ae-b8b2-8da753316457.png)

### Uninstall

![uninstall-w7](https://user-images.githubusercontent.com/11089305/166665567-68086888-8d31-4a71-bf14-5a1134556c20.png)

Rebits commented 2 years ago

Windows 8 :green_circle:

### Run command in C:\windows\system32 path

![w8-system-path](https://user-images.githubusercontent.com/11089305/166676519-97f55d66-8c09-494d-a667-96650f972652.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8620110/wi8.zip)

### Wazuh service

![w8-service](https://user-images.githubusercontent.com/11089305/166675406-ff5bc858-3fd1-4025-aa53-bca3e540747d.png)

### Agent status

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-RMH8NED, IP: any, Disconnected
   ID: 003, Name: W2019, IP: any, Disconnected
   ID: 004, Name: TESTING, IP: any, Disconnected
   ID: 005, Name: DESKTOP-PM18UJT, IP: any, Disconnected
   ID: 006, Name: EC2AMAZ-JD1NGT8, IP: any, Disconnected
   ID: 007, Name: WIN-5KKMS5HIQUF, IP: any, Disconnected
   ID: 008, Name: windows11, IP: any, Disconnected
   ID: 009, Name: DESKTOP-BKVHKDH, IP: any, Disconnected
   ID: 010, Name: win-8-1-pro-x64, IP: any, Active
```

### Alert generation

```
** Alert 1651665492.7253999: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 11:58:12 (win-8-1-pro-x64) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'win-8-1-pro-x64->any'.

** Alert 1651665492.7254342: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 11:58:12 (win-8-1-pro-x64) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'win-8-1-pro-x64->any'.
```

### Installation path

![w8-install](https://user-images.githubusercontent.com/11089305/166676881-9d567627-9f2b-4ac9-808b-e8a48ee62a8f.png)

### Uninstall

![uninstall-w8](https://user-images.githubusercontent.com/11089305/166676975-cb1a2189-1ec2-4950-9cfa-44de53ed870a.png)

Rebits commented 2 years ago

Windows Server 2022 Base :green_circle:

### Run command in C:\windows\system32 path

![WS20222-system-path](https://user-images.githubusercontent.com/11089305/166655954-dd787929-9475-4dbf-b526-c3dd36b53a48.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8611648/w2022.zip)

### Wazuh service

```
PS C:\Users\Administrator> get-service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

```
[root@ip-172-31-86-118 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-86-118.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-NMEL9U7, IP: any, Active
```

### Alert generation

```
** Alert 1651592192.759260: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 03 15:36:32 (EC2AMAZ-NMEL9U7) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'EC2AMAZ-NMEL9U7->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/11089305/166486534-3ee555e8-791a-4184-8fb8-a2d87da937f1.png)

### Uninstall

![unsintall_process](https://user-images.githubusercontent.com/11089305/166486690-89acedd9-4315-46a6-9ebb-ce3e5cb7746a.png)

fedepacher commented 2 years ago

Update 2022/05/04

In this set of tests, an agent will be installed on different Windows OS using the following command:

```
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile ${env:tmp}\wazuh-agent-4.2.6.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='172.31.31.234' WAZUH_REGISTRATION_SERVER='172.31.31.234' WAZUH_AGENT_GROUP='default'
```

fedepacher commented 2 years ago

Windows Server 2022 Base :green_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166832861-be2b99df-02f8-44db-9424-2dcbff964148.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8627438/ossec.log)

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166833069-7ab0deee-af5d-4598-ac31-9a69894b6378.png)

```
[root@ip-172-31-31-234 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-31-234.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-5TJV2QB, IP: any, Active
```

### Alert generation

```
** Alert 1651700030.560337: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 21:33:50 (EC2AMAZ-5TJV2QB) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'EC2AMAZ-5TJV2QB->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166832837-2a61565d-9acc-40c9-b504-7facc9b7cb76.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166833405-9ec7cc29-3547-4346-81b5-5fc98c548403.png)

fedepacher commented 2 years ago

Windows Server 2019 Base :yellow_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166836330-a63f45cf-ab66-41d5-88b5-2e8cbe9a1263.png)

### Logs :red_circle:

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8627758/ossec.log)

Note: There is an error and warning message in the `ossec.log` file

```
2022/05/04 22:25:24 wazuh-agent: WARNING: Could not clean up shared directory.
2022/05/04 22:26:34 wazuh-agent: ERROR: Could not get message for (Application)
```

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166836617-0750a043-676f-48ce-8406-cd082d6e64c7.png)

```
[root@ip-172-31-31-234 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-31-234.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-5TJV2QB, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-S75190E, IP: any, Active
```

### Alert generation

```
** Alert 1651703132.860518: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 22:25:32 (EC2AMAZ-S75190E) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'EC2AMAZ-S75190E->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166836925-e0734c0c-4463-40a8-b2f0-a9bf50c6750b.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166837024-e56cfa16-d909-43d1-8299-513d2ce8b662.png)

fedepacher commented 2 years ago

Windows Server 2016 Base :green_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166839518-a5907d1e-fe99-42bf-a24b-462fa2d0258a.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8627892/ossec.log)

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166839615-1a4c583e-8e9a-4145-a24a-465be7881fb8.png)

```
[root@ip-172-31-31-234 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-31-234.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-5TJV2QB, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-S75190E, IP: any, Disconnected
   ID: 003, Name: EC2AMAZ-NL8H3TG, IP: any, Active
```

### Alert generation

```
** Alert 1651704825.1146053: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 22:53:45 (EC2AMAZ-NL8H3TG) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'EC2AMAZ-NL8H3TG->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166840015-3eda9c1a-4b7e-4066-9537-d701dc8aa95b.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166840095-ef518418-fa9c-4b51-b8bb-7dc27d068a1c.png)

fedepacher commented 2 years ago

Windows Server 2012 Base :green_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166840979-8171aea0-0d59-4960-a2da-53eb8461d4d6.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8627936/ossec.log)

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166841056-8e0e0e07-c5ee-4b7b-883b-f3c7b4bdef2b.png)

```
[root@ip-172-31-31-234 ec2-user]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-31-234.ec2.internal (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: EC2AMAZ-5TJV2QB, IP: any, Disconnected
   ID: 002, Name: EC2AMAZ-S75190E, IP: any, Disconnected
   ID: 003, Name: EC2AMAZ-NL8H3TG, IP: any, Disconnected
   ID: 004, Name: WIN-TUEB5NVOU34, IP: any, Active
```

### Alert generation

```
** Alert 1651706326.1411444: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 04 23:18:46 (WIN-TUEB5NVOU34) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'WIN-TUEB5NVOU34->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166841189-45a42ffc-d948-4e66-a469-740f7bf4712d.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166841259-e9b61695-5592-4026-ba75-e25fbb6d0584.png)

fedepacher commented 2 years ago

Windows 11 :green_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166849576-d9882472-956b-4a85-8e44-704d11b9278e.png)

### Logs

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8628241/ossec.log)

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166849597-f16bbbfe-a9ed-42b6-9490-1e7db0abb1a8.png)

```
[root@centos-manager1 /]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: centos-manager1 (server), IP: 127.0.0.1, Active/Local
   ID: 003, Name: DESKTOP-G6KK08C, IP: any, Disconnected
   ID: 004, Name: DESKTOP-9QHFQ7B, IP: any, Active
```

### Alert generation

```
** Alert 1651711404.151185: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 05 00:43:24 (DESKTOP-9QHFQ7B) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'DESKTOP-9QHFQ7B->any'.

** Alert 1651711405.151527: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 05 00:43:25 (DESKTOP-9QHFQ7B) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'DESKTOP-9QHFQ7B->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166849881-9760a733-a83e-4947-961d-75b049bb13f0.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166850017-9ffc73a7-61f5-48b3-82fb-31a82e7230c6.png)

fedepacher commented 2 years ago

Windows 10 :yellow_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166844229-ba2cada1-4137-4833-b00d-0298a897fa51.png)

### Logs :red_circle:

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8628043/ossec.log)

Note: There is an error message in the `ossec.log` file

```
2022/05/04 23:55:55 wazuh-agent: ERROR: Could not get message for (Application)
```

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166844381-731872e2-379f-4cc9-8d7c-32860f7877c4.png)

```
[root@centos-manager1 /]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: centos-manager1 (server), IP: 127.0.0.1, Active/Local
   ID: 003, Name: DESKTOP-G6KK08C, IP: any, Active
```

### Alert generation

```
** Alert 1651709141.28309: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 05 00:05:41 (DESKTOP-G6KK08C) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'DESKTOP-G6KK08C->any'.

** Alert 1651709183.28650: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 05 00:06:23 (DESKTOP-G6KK08C) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'DESKTOP-G6KK08C->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166845397-68a22484-d439-4291-bd98-429a57d2d231.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166846768-208d7d15-6722-4bef-b767-2e84f0176b68.png)

fedepacher commented 2 years ago

Windows 8 :yellow_circle:

### Run command in C:\windows\system32 path

![install_cmd](https://user-images.githubusercontent.com/28990973/166864852-cb2eebce-9bf6-43d4-8a12-f277e33baf39.png)

### Logs :red_circle:

[ossec.log](https://github.com/wazuh/wazuh-qa/files/8628749/ossec.log)

Note: There is an error message in the `ossec.log` file

```
2022/05/05 05:41:55 wazuh-agent: ERROR: Could not get message for (Application)
```

### Wazuh service

```
PS C:\Users\Administrator> Get-Service Wazuhsvc

Status   Name               DisplayName
------   ----               -----------
Running  Wazuhsvc           Wazuh
```

### Agent status

![agent_status](https://user-images.githubusercontent.com/28990973/166864890-6cf0de16-8bb1-4c0b-abff-68e980ffd6d8.png)

```
[root@centos-manager1 /]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: centos-manager1 (server), IP: 127.0.0.1, Active/Local
   ID: 003, Name: DESKTOP-G6KK08C, IP: any, Disconnected
   ID: 004, Name: DESKTOP-9QHFQ7B, IP: any, Disconnected
   ID: 005, Name: IE11WIN8_1, IP: any, Active
```

### Alert generation

```
** Alert 1651725624.270: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 05 04:40:24 (IE11WIN8_1) any->wazuh-remoted
Rule: 506 (level 3) -> 'Ossec agent stopped.'
ossec: Agent stopped: 'IE11WIN8_1->any'.

** Alert 1651725624.599: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2022 May 05 04:40:24 (IE11WIN8_1) any->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'IE11WIN8_1->any'.
```

### Installation path

![install_path](https://user-images.githubusercontent.com/28990973/166864940-0b865e11-5761-4581-b61c-7df3bf8b3944.png)

### Uninstall

![uninstall](https://user-images.githubusercontent.com/28990973/166865037-59752635-fc8d-41a3-b7ae-b3cdaedb6ecf.png)

fedepacher commented 2 years ago

Windows 7 :red_circle:

### Run command in C:\windows\system32 path :red_circle:

![Screenshot from 2022-05-05 00-19-00](https://user-images.githubusercontent.com/28990973/166859481-638521c1-ff25-4f74-9ee8-4f0fed8d304c.png)

At the time, I could not figure out how to solve this problem. To achieve this result I have used the vagrant box `designerror/windows-7`. This box was the only one I could make work in my environment.

okynos commented 2 years ago

I have tested the command in a Windows 7 instance; the command doesn't work because such a command doesn't exist, as @fedepacher points out. We have to research a new way to perform the download in older PowerShell terminals. Suggestion to start the research: `(New-Object System.Net.WebClient).DownloadString("URL")`
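
An added example, not part of the thread or of the Wazuh project: one way to fetch the MSI on hosts where `Invoke-WebRequest` is missing or TLS 1.2 is off by default, using `WebClient.DownloadFile` (the file-writing counterpart of the `DownloadString` call suggested above) and checking the Authenticode signature before installing. The function name `Get-SignedInstaller`, the `-ExpectedSigner` placeholder, and the assumption that the package is Authenticode-signed are assumptions of this example.

```powershell
# Added example (not from the issue). Uses only syntax available in PowerShell 2.0+.
function Get-SignedInstaller {
    param(
        [string]$Uri,
        [string]$OutFile,
        # Assumption: text expected in the signer certificate subject.
        [string]$ExpectedSigner
    )

    # Older hosts negotiate TLS 1.0 by default. 3072 is the numeric value of
    # SecurityProtocolType.Tls12; the named member is absent on old .NET runtimes.
    try {
        $current = [int][Net.ServicePointManager]::SecurityProtocol
        [Net.ServicePointManager]::SecurityProtocol =
            [Enum]::ToObject([Net.SecurityProtocolType], ($current -bor 3072))
    } catch {
        throw "This .NET runtime cannot enable TLS 1.2: $($_.Exception.Message)"
    }

    # WebClient exists where Invoke-WebRequest (PowerShell 3.0+) does not.
    $client = New-Object System.Net.WebClient
    try {
        # DownloadFile writes the response body to disk unchanged.
        $client.DownloadFile($Uri, $OutFile)
    } finally {
        $client.Dispose()
    }

    # Refuse to hand an unsigned or unexpectedly signed package to msiexec.
    $sig = Get-AuthenticodeSignature -FilePath $OutFile
    $subject = ''
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
    if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
        Remove-Item -Path $OutFile -Force
        throw "Rejected ${OutFile}: status '$($sig.Status)', signer '$subject'"
    }
    return $OutFile
}

# URL and installer properties are the ones from the command under test;
# replace the signer placeholder with the publisher name you expect.
$msi = Get-SignedInstaller -Uri 'https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi' `
    -OutFile "$home\wazuh-agent-4.2.6.msi" -ExpectedSigner '<expected signer name>'
Start-Process msiexec.exe -Wait -ArgumentList `
    "/i `"$msi`" /q WAZUH_MANAGER=wazuh WAZUH_REGISTRATION_SERVER=wazuh"
```

On a runtime that rejects the value 3072, the function stops with an explicit TLS error before any download is attempted, rather than the generic "Could not create SSL/TLS secure channel" failure.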

vikman90 commented 2 years ago

Related issue: https://github.com/wazuh/wazuh-kibana-app/issues/4085.