Release 4.3.0 - Demo environment - configure and generate module events

[damarisg]

The goal is to generate events from certain modules in the demo environments so that there are test events to show to clients.

Test information

Test name	Demo environment
Category	Wazuh App
Deployment option	Demo environment
Main release issue	https://github.com/wazuh/wazuh/issues/10954
Release candidate #	RC7

Research tasks

• [x] Task 1 - GCloud: Validate that the events/alerts generated. 🟢
• [ ] Task 2 - Github: Validate that the events/alerts generated.
• [x] Task 3 - CIS-CAT: Validate that the events/alerts generated. 🟢
• [x] Task 4 - OpenSCAP: Validate that the events/alerts generated. 🔴

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

• [ ] @jmv74211

[mauromalara]

Task: GCloud manual testing (Local) 🟢

Conclusion 🟢

• Only the gcp-pubsub module was tested here due to the permissions of the GCP account.
• The alerts were generated correctly without issues.

Step by step

1. Login into the Google Cloud Platform
2. Create a project
3. Go to the 'Service Accounts' section and create a new service account adding the following roles: Pub/Sub Publisher, and Pub/Sub Subscriber

   ---

   Images:

---

4. Select the "Manage keys" options and create a new JSON private key

   ---

   Images:

     

---

5. Copy the private key into the instance: scp <PRIVATE_KEY_FILE> <USER>@<VM_IP>:<VM_PATH>
6. Back to GCP, go to "Topics" and create a new topic (make sure that the "Add a default subscription" option is selected)

   ---

   

   ---

7. Inside the topic, scroll down to the bottom and within the "Subscriptions" tab copy the "Subscription ID" and paste it into a text editor temporarily:

   ---

   

   ---

8. Go to "Logs Router", and select "Create sink"

   ---

   

   ---

9. Select the "Cloud Pub/Sub topic" sink service and the recently created topic; then select the "Create sink" option to finish the creation:

   ---

   

   ---

10. Add the following configuration to the /var/ossec/etc/ossec.conf file:

    <gcp-pubsub>
    <enabled>yes</enabled>
    <project_id>PROJECT_ID</project_id>
    <subscription_name>SUB_ID</subscription_name>
    <credentials_file>PATH_TO_THE_CREDENTIALS_FILE_IN_JSON_FORMAT</credentials_file>
    <pull_on_start>yes</pull_on_start>
    </gcp-pubsub>

Generate the alert

1. In GCP, go to "Topics", then create and delete an example topic:

   ---

   

   ---

2. To check if the log was generated in GCP, go to "Logs Explorer":

   ---

   

   ---

3. RESTART the manager by running: systemctl restart wazuh-manager to pull the logs from GCP.
4. Go to the Wazuh Dashboard and check if the alert is displayed:

   ---

   

   ---

[Deblintrake09]

Task 3 - CIS-CAT

Conclusion :red_circle:

Did manual local testing, and was unable alerts to be reported. There seems to be an issue with the ciscat-report.txt file, that was missing. Used FIM to monitor for the creation of new files, but it did not appear to be created in either none of the /etc/ossec subfolders (It appears that it should have been created on /var/ossec/tmp/

Use Case - Run a Scan on Start

Check that the proper messages are shown when restarting an agent

• Steps to reproduce:
  • Instal JDK 1.8.0 Ubuntu apt-get update && apt-get install openjdk-8-jre Centos yum install java-1.8.0-openjdk
  • Install and Configure CIS-CAT on agent
  • Modify agent's ossec.conf
  • restart agent
  • check logs

Configuration (cis-cat woodle):

Linux (Checked on Centos/8 and Centos/7):

  <wodle name="cis-cat">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <scan-on-start>yes</scan-on-start>

    <java_path>/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/</java_path>
    <ciscat_path>/home/vagrant/cis-cat</ciscat_path>
    <content type="xccdf" path="benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml">
    <profile>xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server</profile>
    </content>
  </wodle>

Results

• Was unable to get the alerts or report to show. It seems that the ciscat-report.txt file, is not being generated.

Logs Results

2022/05/05 18:59:59 wazuh-modulesd[26278] mq_op.c:47 at StartMQ(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'. 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1451 at wm_ciscat_info(): INFO: SHOW_MODULE_CISCAT: ---- 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1452 at wm_ciscat_info(): INFO: Timeout: 1800 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1455 at wm_ciscat_info(): INFO: Benchmark: [benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml] 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1457 at wm_ciscat_info(): INFO: Profile: [xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server] 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1461 at wm_ciscat_info(): INFO: SHOW_MODULE_CISCAT: ---- 2022/05/05 18:59:59 wazuh-modulesd[26278] mq_op.c:46 at StartMQ(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts 2022/05/05 18:59:59 wazuh-modulesd[26278] mq_op.c:47 at StartMQ(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'. 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:66 at wm_ciscat_main(): INFO: Module started. 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:173 at wm_ciscat_main(): INFO: Starting evaluation. 2022/05/05 18:59:59 wazuh-modulesd:osquery[26278] wm_osquery_monitor.c:596 at wm_osquery_monitor_main(): INFO: Module disabled. Exiting... 2022/05/05 18:59:59 wazuh-modulesd:syscollector[26278] wm_syscollector.c:123 at wm_sys_main(): INFO: Module disabled. Exiting... 2022/05/05 18:59:59 sca[26278] wm_sca.c:143 at wm_sca_main(): INFO: Module disabled. Exiting. 2022/05/05 18:59:59 wazuh-modulesd:control[26278] wm_control.c:199 at wm_control_main(): INFO: Starting control thread. 2022/05/05 18:59:59 wazuh-modulesd[26278] wmcom.c:122 at wmcom_main(): DEBUG: Local requests thread ready 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:841 at wm_ciscat_txt_parser(): DEBUG: Report result file 'tmp/ciscat-report.txt' missing: No such file or directory 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:585 at wm_ciscat_run(): ERROR: Failed reading scan results for policy '/home/vagrant/cis-cat/benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml' 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:220 at wm_ciscat_main(): INFO: Evaluation finished. 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:167 at wm_ciscat_main(): DEBUG: Sleeping until: 2022/05/05 19:04:59

General Comments

• Initially tested ona local Centos/8 machine, but the version of Cis-Cat did not have a benchmark for Centos/8 so I used a Centos/7 benchmark, expecting some output. Got a result that the ciscat-report.txt file was not present on both Systems
• Added Syscheck to monitor the results when restarting the VM, but got the same results.
• Asked in devel for who was in charge of this woodle, for help on this testing and determine if it was a bug.

Case 2 - Run a Scan scheduled by interval

Steps to reproduce:

• Modify the following tags in the agent's ossec.conf

<wodle name="cis-cat">
    <scan-on-start>no</scan-on-start>
    <interval>1m</interval>

• Restart agent
• Wait 1 minute for scan and logs to appear

[CamiRomero]

Task 4 - OpenSCAP: Validate that the events/alerts generated.

Conclusion :red_circle:

I got an error when trying to run the script /var/ossec/wodles/oscap/oscap.py because OPenSCAP has been deprecated. I am waiting to determine if it will be removed from the documentation or if it will be added to the documentation that for the integration to work, the script and policies must be installed manually.

Use Case

• Install openscap-scanner

  yum install openscap-scanner

• Edit ossec.conf on agent.

  <wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  
  <content type="xccdf" path="ssg-centos-7-ds.xml">
  <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
  <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
  </wodle>

• Restart the agent

  /var/ossec/bin/wazuh-control restart

Results

Was unable to get the alerts or report to show.

Logs Results

[Deblintrake09]

Task Github: Validate that the events/alerts generated.

Conclusion

Only manual tests on local environment was done up until now. I was able to generate alerts while monitoring from Master, and Agent (Linux and Windows).

Use Case

The process for the testing done was as follows:

1. Generate an Enterprise Cloud account organization
2. Generated a personal token, from the account linked to the organization
3. Configure Wazuh master to monitor the account with the following block

   <github>
   <enabled>yes</enabled>
   <interval>10s</interval>
   <time_delay>1s</time_delay>
   <curl_max_size>1M</curl_max_size>
   <only_future_events>yes</only_future_events>
   <api_auth>
       <org_name>TestWazuh</org_name>
       <api_token>API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT</api_token>
   </api_auth>
   <api_parameters>
       <event_type>all</event_type>
   </api_parameters>
   </github>

   4.- Restart master. 5.- Generated Events by adding new users, or repositories from github page. {"timestamp":"2022-05-05T21:03:49.073+0000","rule":{"level":3,"description":"GitHub module internal event, 3 request fail.","id":"91448","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651784629.1072417","decoder":{"name":"json"},"data":{"integration":"github","github":{"actor":"wazuh","organization":"TestOrgWazuh","event_type":"git","response":"{\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/reference/orgs#get-audit-log\"}"}},"location":"github"} {"timestamp":"2022-05-05T21:03:49.556+0000","rule":{"level":3,"description":"GitHub module internal event, 3 request fail.","id":"91448","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651784629.1073017","decoder":{"name":"json"},"data":{"integration":"github","github":{"actor":"wazuh","organization":"TestOrgWazuh","event_type":"web","response":"{\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/reference/orgs#get-audit-log\"}"}},"location":"github"} {"timestamp":"2022-05-05T21:31:20.004+0000","rule":{"level":5,"description":"GitHub Workflows created workflow run.","id":"91409","firedtimes":1,"mail":false,"groups":["github","git","git_workflows"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786280.2531689","decoder":{"name":"json"},"data":{"integration":"github","github":{"repo":"TestWazuh/demo-repository","started_at":"2022-05-05T21:30:42.000Z","event":"issues","head_sha":"aa40eb4bf718a888ee4163ab4e1d5b8ef93fed11","public_repo":"false","_document_id":"MHLKHR236po7hg6yReTmAA","created_at":"1651786242624.000000","action":"workflows.created_workflow_run","org":"TestWazuh","run_number":"1","workflow_id":"25535484","trigger_id":"1227195026","actor":"Deblintrake09","workflow_run_id":"2278370713.000000","@timestamp":"1651786242624.000000","head_branch":"main","name":"Auto Assign"}},"location":"github"} {"timestamp":"2022-05-05T21:31:20.014+0000","rule":{"level":5,"description":"GitHub Workflows prepared workflow job.","id":"91414","firedtimes":1,"mail":false,"groups":["github","git","git_workflows"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786280.2532964","decoder":{"name":"json"},"data":{"integration":"github","github":{"is_hosted_runner":"true","repo":"TestWazuh/demo-repository","job_workflow_ref":"TestWazuh/demo-repository/.github/workflows/auto-assign.yml@refs/heads/main","_document_id":"3426:7FDC:209975:1B1D4D9:62744208","created_at":"1651786248895.000000","action":"workflows.prepared_workflow_job","org":"TestWazuh","runner_labels":["ubuntu-latest"],"runner_id":"0","secrets_passed":[],"workflow_run_id":"2278370713.000000","@timestamp":"1651786248895.000000","job_name":"run","runner_group_id":"0"}},"location":"github"} {"timestamp":"2022-05-05T21:31:20.025+0000","rule":{"level":5,"description":"GitHub Workflows completed workflow run.","id":"91408","firedtimes":1,"mail":false,"groups":["github","git","git_workflows"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786280.2534250","decoder":{"name":"json"},"data":{"integration":"github","github":{"repo":"TestWazuh/demo-repository","started_at":"2022-05-05T21:30:42.000Z","event":"issues","run_attempt":"1","head_sha":"aa40eb4bf718a888ee4163ab4e1d5b8ef93fed11","public_repo":"false","_document_id":"pjPCNZBIrJr5OdFQ5Kzo_w","conclusion":"failure","created_at":"1651786255404.000000","action":"workflows.completed_workflow_run","org":"TestWazuh","run_number":"1","workflow_id":"25535484","trigger_id":"1227195026","actor":"Deblintrake09","workflow_run_id":"2278370713.000000","@timestamp":"1651786255404.000000","head_branch":"main","completed_at":"2022-05-05T21:30:55.000Z","name":"Auto Assign"}},"location":"github"} {"timestamp":"2022-05-05T21:34:23.232+0000","rule":{"level":3,"description":"GitHub Repo.","id":"91310","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786463.2535707","decoder":{"name":"json"},"data":{"integration":"github","github":{"visibility":"private","org":"TestWazuh","public_repo":"false","repo":"TestWazuh/test-repo-2","@timestamp":"1651786446629.000000","_document_id":"TH5Stc1B9gvNwa1Bw8ZpHQ","created_at":"1651786446629.000000","actor":"Deblintrake09","action":"repo.change_merge_setting","actor_location":{"country_code":"AR"}}},"location":"github"}

6.- Changed monitoring to a centos/8 Agent and generated new events (created new files and committed)

• Commit 2 and its alerts
• Commit 3 and its alerts

7.- Changed monitoring to a Windows10 Agent and generated new events (created new files and committed)

• Commit 4 and it's alerts

[Deblintrake09]

Task Github: Validate that the events/alerts generated. - Attempt 2

Conclusion :red_circle:

Only manual tests on local environment was done up until now. Tried to properly generate alerts but was unable to get all events to appear.

Use Case

The process for the testing done was as follows:

1. Generated an Enterprise Cloud account organization
2. Generated a personal token, from the account linked to the organization
3. Configure Wazuh master to monitor the account with the following block

   <github>
   <enabled>yes</enabled>
   <interval>10s</interval>
   <time_delay>1s</time_delay>
   <curl_max_size>1M</curl_max_size>
   <only_future_events>yes</only_future_events>
   <api_auth>
       <org_name>TestOrgWazuh2</org_name>
       <api_token>API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT</api_token>
   </api_auth>
   <api_parameters>
       <event_type>all</event_type>
   </api_parameters>
   </github>

   4.- Restart master. 5.- Check that the organization is being monitored

   2022/05/06 19:37:23 wazuh-modulesd:github[11366] wm_github.c:222 at wm_github_execute_scan(): DEBUG: Scanning organization: 'TestOrgWazuh2'

6.- Try Generated Events by adding new users, or repositories from github page. No events generated

7.- Tried to get audit data with a curl call, to check endoint and data used inside the config:

curl -i -u testorgwazuh2:API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT https://api.github.com/orgs/testorgwazuh2/audit-log

Got response:

HTTP/2 200 server: GitHub.com date: Fri, 06 May 2022 19:56:31 GMT content-type: application/json; charset=utf-8 content-length: 10004 cache-control: private, max-age=60, s-maxage=60 vary: Accept, Authorization, Cookie, X-GitHub-OTP etag: "4c9d2cd16b48e425fcb996c75ecfb6c045a15260f9d3ea191f6878267c174e38" x-oauth-scopes: admin:enterprise, admin:org, admin:org_hook, admin:repo_hook x-accepted-oauth-scopes: admin:org, read:org, write:org github-authentication-token-expiration: 2022-06-05 19:34:51 UTC x-github-media-type: github.v3; format=json x-ratelimit-limit: 5000 x-ratelimit-remaining: 4776 x-ratelimit-reset: 1651869354 x-ratelimit-used: 224 x-ratelimit-resource: core access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset access-control-allow-origin: * strict-transport-security: max-age=31536000; includeSubdomains; preload x-frame-options: deny x-content-type-options: nosniff x-xss-protection: 0 referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin content-security-policy: default-src 'none' vary: Accept-Encoding, Accept, X-Requested-With x-github-request-id: A0D0:0D48:34EB4B:41960C:62757D6F

[ { "actor": "Deblintrake09", "action": "repo.add_member", "repo": "TestOrgWazuh2/testrepo1", "visibility": "private", "permission": "admin", "_document_id": "jPdsYFbIe3TS7YI7bJdzkQ", "created_at": 1651866543473, "user": "Deblintrake09", "org": "TestOrgWazuh2", "public_repo": false, "@timestamp": 1651866543473, "actor_location": { "country_code": "AR" } }...,

Attempt 3 - Standalone account

Description

Tried to get response to properly work from standalone account wazuh-qa-demo-git created from. Got erratic behavior. Some Alerts would fire, while others would not.

Actions Taken:

• Created testrepo2, added myself as collaborator and made some commits that were pushed. Got Alerts
• Created testrepo3 cloned and created new branch and pushed files. Got no Alerts
• Created testrepo4 cloned and added myself as collaborator. Got Alerts
• Also found some alerts of repos being cloned from users from Rusia and Finland (both are public repos).

Log files

• alerts.log from manager
• ossec.log from agent

[jmv74211]

Update on Gcloud

I have been testing configurations and use cases to generate different events and alerts using the Google Cloud module.

As of today, we have two possible configuration blocks for the Google cloud module:

• gcp-pubsub: Event-driven systems and streaming analytics.
• gcp-bucket: Collect any log stored in the Google Cloud Storage bucket.

gcp-pubsub

We propose to generate the following use cases: - Add a new user to the project. - Create a dashboard - Delete the dashboard - Enable an API service - Disable API service - Edit user role - Add new role for that user - Remove user from project - AuditLogs/AccessApproval/check Admin Read The configuration to be applied is as follows ``` yes PROJECT_ID SUB_NAME wodles/gcloud/credentials.json 10s no ```

Alert example

``` {"timestamp":"2022-05-09T09:21:51.132+0000","rule":{"level":3,"description":"GCP notice event on project wazuh-testing, monitored resource type: project.","id":"65042","firedtimes":1,"mail":false,"groups":["gcp"]},"agent":{"id":"001","name":"agent1","ip":"10.0.2.15"},"manager":{"name":"kibana"},"id":"1652088111.4372190","decoder":{"name":"json"},"data":{"integration":"gcp","gcp":{"insertId":"-bwzyjse17zky","logName":"projects/wazuh-testing/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xx@yy.com"},"authorizationInfo":[{"granted":true,"permission":"resourcemanager.projects.setIamPolicy","resource":"projects/wazuh-testing","resourceAttributes":{"name":"projects/wazuh-testing","service":"cloudresourcemanager.googleapis.com","type":"cloudresourcemanager.googleapis.com/Project"}},{"granted":true,"permission":"resourcemanager.projects.setIamPolicy","resource":"projects/wazuh-testing","resourceAttributes":{"name":"projects/wazuh-testing","service":"cloudresourcemanager.googleapis.com","type":"cloudresourcemanager.googleapis.com/Project"}}],"methodName":"SetIamPolicy","request":{"@type":"type.googleapis.com/google.iam.v1.SetIamPolicyRequest","policy":{"auditConfigs":[{"auditLogConfigs":[{"logType":"ADMIN_READ"}],"service":"accessapproval.googleapis.com"}],"bindings":[{"members":["user:xx@yy.com"],"role":"roles/owner"},{"members":["serviceAccountxx@yy.com-testing.iam.gserviceaccount.com"],"role":"roles/pubsub.publisher"},{"members":["serviceAccount:service-973090728298@gcp-sa-pubsub.iam.gserviceaccount.com"],"role":"roles/pubsub.serviceAgent"},{"members":["serviceAccountxx@yy.com-testing.iam.gserviceaccount.com"],"role":"roles/pubsub.subscriber"},{"members":["user:xx@yy.com"],"role":"roles/viewer"}],"etag":"BwXeVaqFQFo="},"resource":"wazuh-testing"},"requestMetadata":{"callerIp":"217.216.90.245","callerSuppliedUserAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/wazuh-testing","response":{"@type":"type.googleapis.com/google.iam.v1.Policy","auditConfigs":[{"auditLogConfigs":[{"logType":"ADMIN_READ"}],"service":"accessapproval.googleapis.com"}],"bindings":[{"members":["user:xx@yy.com"],"role":"roles/owner"},{"members":["serviceAccountxx@yy.com-testing.iam.gserviceaccount.com"],"role":"roles/pubsub.publisher"},{"members":["serviceAccount:service-973090728298@gcp-sa-pubsub.iam.gserviceaccount.com"],"role":"roles/pubsub.serviceAgent"},{"members":["serviceAccountxx@yy.com-testing.iam.gserviceaccount.com"],"role":"roles/pubsub.subscriber"},{"members":["user:xx@yy.com"],"role":"roles/viewer"}],"etag":"BwXekLzIqhw="},"serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"user:xx@yy.com","role":"roles/viewer"}]}},"serviceName":"cloudresourcemanager.googleapis.com"},"receiveTimestamp":"2022-05-09T09:21:47.952274142Z","resource":{"labels":{"project_id":"wazuh-testing"},"type":"project"},"severity":"NOTICE","timestamp":"2022-05-09T09:21:46.953642Z"}},"location":"Wazuh-GCloud"} ```

gcp-bucket

A new bucket named `demo_environment` has been created in the `wazuh-dev` account for testing purposes. Inside this bucket a directory named `access_logs` has been created where log files to be processed using the `gcp-bucket` module are located. It is proposed to generate the following use cases: - Add new log file - Update file contents - Delete log file The applied configuration is as follows: ``` no 10s demo_environment wodles/gcloud/credentials_dev.json access_logs/ no ``` After applying this configuration and for example adding a new file, the event arrives correctly to the `wazuh-manager`. ``` 2022 May 09 09:10:29 (agent1) any->Wazuh-GCloud {"integration": "gcp", "gcp": {"field_1 field_2 field_3": "value_1 value_2 value_3", "source": "gcp_bucket"}} ``` But no alert is generated, since there are no default rules for such cases.

It is pending to apply the necessary configuration in an agent of the DEMO environment to generate these alerts

[Rebits]

Update CIS-CAT :green_circle:

CIS-CAT alerts have been generated correctly for Centos7 and Ubuntu16

Centos7

- `ossec.conf`: ``` no 1800 1d yes /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/ wodles/ciscat xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server ``` - `alert.log`: ``` ** Alert 1652095691.3062778: - ciscat,pci_dss_2.2,nist_800_53_CM.1,gdpr_IV_35.7.d, 2022 May 09 11:28:11 (centos3) any->wodle_cis-cat Rule: 87418 (level 7) -> 'CIS-CAT: Ensure permissions on /etc/group- are configured (failed)' {"type":"scan_result","scan_id":433164300,"cis":{"rule_id":"6.1.8","rule_title":"Ensure permissions on /etc/group- are configured","group":"System Maintenance","description":"The /etc/group- file contains a backup list of all the valid groups defined in the system.","rationale":"It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.","remediation":"Run the following command to set permissions on /etc/group- : # chown root:root /etc/group-# chmod 600 /etc/group-","result":"fail"}} type: scan_result scan_id: 433164300 cis.rule_id: 6.1.8 cis.rule_title: Ensure permissions on /etc/group- are configured cis.group: System Maintenance cis.description: The /etc/group- file contains a backup list of all the valid groups defined in the system. cis.rationale: It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. cis.remediation: Run the following command to set permissions on /etc/group- : # chown root:root /etc/group-# chmod 600 /etc/group- cis.result: fail ``` - `ossec.log` ``` [root@centos3 vagrant]# tail -f /var/ossec/logs/ossec.log | grep ciscat 2022/05/09 11:27:23 wazuh-modulesd:ciscat: INFO: Module started. 2022/05/09 11:27:23 wazuh-modulesd:ciscat: INFO: Starting evaluation. 2022/05/09 11:28:13 wazuh-modulesd:ciscat: INFO: Evaluation finished. ```

Ubuntu 16.04.7

- `ossec.conf` ``` no 1800 1d yes /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/ wodles/ciscat xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server ``` - `alert.log`: ``` ** Alert 1652095691.3062778: - ciscat,pci_dss_2.2,nist_800_53_CM.1,gdpr_IV_35.7.d, 2022 May 09 11:28:11 (ubuntu) any->wodle_cis-cat Rule: 87418 (level 7) -> 'CIS-CAT: Ensure permissions on /etc/group- are configured (failed)' {"type":"scan_result","scan_id":433164300,"cis":{"rule_id":"6.1.8","rule_title":"Ensure permissions on /etc/group- are configured","group":"System Maintenance","description":"The /etc/group- file contains a backup list of all the valid groups defined in the system.","rationale":"It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.","remediation":"Run the following command to set permissions on /etc/group- : # chown root:root /etc/group-# chmod 600 /etc/group-","result":"fail"}} type: scan_result scan_id: 433164300 cis.rule_id: 6.1.8 cis.rule_title: Ensure permissions on /etc/group- are configured cis.group: System Maintenance cis.description: The /etc/group- file contains a backup list of all the valid groups defined in the system. cis.rationale: It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. cis.remediation: Run the following command to set permissions on /etc/group- : # chown root:root /etc/group-# chmod 600 /etc/group- cis.result: fail ``` - `ossec.log` ``` root@ubuntu:/home/vagrant# tail -f /var/ossec/logs/ossec.log | grep cisca 2022/05/09 11:29:34 wazuh-modulesd:ciscat: INFO: Module started. 2022/05/09 11:29:34 wazuh-modulesd:ciscat: INFO: Starting evaluation. 2022/05/09 11:30:13 wazuh-modulesd:ciscat: INFO: Evaluation finished. ```

[Rebits]

Update OpenScap :red_circle:

As explained in this comment, openscap is deprecated and it does not work properly in wazuh 4.3

In order to make oscap work, it is required to get the oscap wodle script and content. This should be placed on relative path wodle/oscap/.

Also, we need to take into account that oscap python script required python2.

After taking all these considerations we have achieved generate oscap events

Centos7

- `ossec.log` ``` 2022/05/09 12:44:53 wazuh-modulesd:oscap: INFO: Module started. 2022/05/09 12:44:53 wazuh-modulesd:oscap: INFO: Starting evaluation. 2022/05/09 12:44:53 wazuh-modulesd:osquery: INFO: Module disabled. Exiting... 2022/05/09 12:49:21 wazuh-modulesd:oscap: INFO: Evaluation finished. ``` - `alert.log` ``` ** Alert 1652100275.15337509: - oscap,oscap-report,pci_dss_2.2,nist_800_53_CM.1,tsc_CC6.8,tsc_CC7.1,tsc_CC7.2,tsc_CC8.1, 2022 May 09 12:44:35 (centos3) any->wodle_open-scap Rule: 81542 (level 5) -> 'OpenSCAP Report overview: Score less than 80' oscap: msg: "xccdf-overview", scan-id: "0001652100198", content: "ssg-centos-7-ds.xml", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-7", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Systems", score: "75.000000". oscap.scan.id: 0001652100198 oscap.scan.content: ssg-centos-7-ds.xml oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_RHEL-7 oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_common oscap.scan.profile.title: Common Profile for General-Purpose Systems oscap.scan.score: 75.000000 ``` - `ossec.conf` ``` no 1800 1d yes xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common ```