Release 4.3.0 - Demo environment - CIS-CAT, Github and OpenScap status research

[damarisg]

Description

As specified in https://github.com/wazuh/wazuh-qa/issues/2866, it was required to check the status of some of the modules of Wazuh. Thi issue has been created to track the work performed by the qa-thunder team:

Tasks	Details	Assigned to	Status
CIS-CAT	Comments	Andres	🔴
OPEN-SCAP	Comments	Camila	🔴
GITHUB	Comments	Andres	🔴

[damarisg]

Task CIS-CAT

Conclusion :red_circle:

Did manual local testing, and was unable alerts to be reported. There seems to be an issue with the ciscat-report.txt file, that was missing. Used FIM to monitor for the creation of new files, but it did not appear to be created in either none of the /etc/ossec subfolders (It appears that it should have been created on /var/ossec/tmp/

Use Case - Run a Scan on Start

Check that the proper messages are shown when restarting an agent

• Steps to reproduce:
  • Instal JDK 1.8.0 Ubuntu apt-get update && apt-get install openjdk-8-jre Centos yum install java-1.8.0-openjdk
  • Install and Configure CIS-CAT on agent
  • Modify agent's ossec.conf
  • restart agent
  • check logs

Configuration (cis-cat woodle):

Linux (Checked on Centos/8 and Centos/7):

  <wodle name="cis-cat">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <scan-on-start>yes</scan-on-start>

    <java_path>/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/</java_path>
    <ciscat_path>/home/vagrant/cis-cat</ciscat_path>
    <content type="xccdf" path="benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml">
    <profile>xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server</profile>
    </content>
  </wodle>

Results

• Was unable to get the alerts or report to show. It seems that the ciscat-report.txt file, is not being generated.

Logs Results

2022/05/05 18:59:59 wazuh-modulesd[26278] mq_op.c:47 at StartMQ(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'. 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1451 at wm_ciscat_info(): INFO: SHOW_MODULE_CISCAT: ---- 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1452 at wm_ciscat_info(): INFO: Timeout: 1800 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1455 at wm_ciscat_info(): INFO: Benchmark: [benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml] 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1457 at wm_ciscat_info(): INFO: Profile: [xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server] 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:1461 at wm_ciscat_info(): INFO: SHOW_MODULE_CISCAT: ---- 2022/05/05 18:59:59 wazuh-modulesd[26278] mq_op.c:46 at StartMQ(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts 2022/05/05 18:59:59 wazuh-modulesd[26278] mq_op.c:47 at StartMQ(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'. 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:66 at wm_ciscat_main(): INFO: Module started. 2022/05/05 18:59:59 wazuh-modulesd:ciscat[26278] wm_ciscat.c:173 at wm_ciscat_main(): INFO: Starting evaluation. 2022/05/05 18:59:59 wazuh-modulesd:osquery[26278] wm_osquery_monitor.c:596 at wm_osquery_monitor_main(): INFO: Module disabled. Exiting... 2022/05/05 18:59:59 wazuh-modulesd:syscollector[26278] wm_syscollector.c:123 at wm_sys_main(): INFO: Module disabled. Exiting... 2022/05/05 18:59:59 sca[26278] wm_sca.c:143 at wm_sca_main(): INFO: Module disabled. Exiting. 2022/05/05 18:59:59 wazuh-modulesd:control[26278] wm_control.c:199 at wm_control_main(): INFO: Starting control thread. 2022/05/05 18:59:59 wazuh-modulesd[26278] wmcom.c:122 at wmcom_main(): DEBUG: Local requests thread ready 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:841 at wm_ciscat_txt_parser(): DEBUG: Report result file 'tmp/ciscat-report.txt' missing: No such file or directory 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:585 at wm_ciscat_run(): ERROR: Failed reading scan results for policy '/home/vagrant/cis-cat/benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml' 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:220 at wm_ciscat_main(): INFO: Evaluation finished. 2022/05/05 19:00:03 wazuh-modulesd:ciscat[26278] wm_ciscat.c:167 at wm_ciscat_main(): DEBUG: Sleeping until: 2022/05/05 19:04:59

General Comments

• Initially tested ona local Centos/8 machine, but the version of Cis-Cat did not have a benchmark for Centos/8 so I used a Centos/7 benchmark, expecting some output. Got a result that the ciscat-report.txt file was not present on both Systems
• Added Syscheck to monitor the results when restarting the VM, but got the same results.
• Asked in devel for who was in charge of this woodle, for help on this testing and determine if it was a bug.

Case 2 - Run a Scan scheduled by interval

Steps to reproduce:

• Modify the following tags in the agent's ossec.conf

<wodle name="cis-cat">
    <scan-on-start>no</scan-on-start>
    <interval>1m</interval>

• Restart agent
• Wait 1 minute for scan and logs to appear

[damarisg]

Task OpenSCAP: Validate that the events/alerts generated.

Conclusion :red_circle:

I got an error when trying to run the script /var/ossec/wodles/oscap/oscap.py because OPenSCAP has been deprecated. I am waiting to determine if it will be removed from the documentation or if it will be added to the documentation that for the integration to work, the script and policies must be installed manually.

Use Case

• Install openscap-scanner

  yum install openscap-scanner

• Edit ossec.conf on agent.

  <wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  
  <content type="xccdf" path="ssg-centos-7-ds.xml">
  <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
  <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
  </wodle>

• Restart the agent

  /var/ossec/bin/wazuh-control restart

Results

Was unable to get the alerts or report to show.

Logs Results

[damarisg]

Task Github: Validate that the events/alerts generated.

Conclusion

Only manual tests on local environment was done up until now. I was able to generate alerts while monitoring from Master, and Agent (Linux and Windows).

Use Case

The process for the testing done was as follows:

1. Generate an Enterprise Cloud account organization
2. Generated a personal token, from the account linked to the organization
3. Configure Wazuh master to monitor the account with the following block

   <github>
   <enabled>yes</enabled>
   <interval>10s</interval>
   <time_delay>1s</time_delay>
   <curl_max_size>1M</curl_max_size>
   <only_future_events>yes</only_future_events>
   <api_auth>
       <org_name>TestWazuh</org_name>
       <api_token>API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT</api_token>
   </api_auth>
   <api_parameters>
       <event_type>all</event_type>
   </api_parameters>
   </github>

   4.- Restart master. 5.- Generated Events by adding new users, or repositories from github page. {"timestamp":"2022-05-05T21:03:49.073+0000","rule":{"level":3,"description":"GitHub module internal event, 3 request fail.","id":"91448","firedtimes":1,"mail":false,"groups":["github","git"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651784629.1072417","decoder":{"name":"json"},"data":{"integration":"github","github":{"actor":"wazuh","organization":"TestOrgWazuh","event_type":"git","response":"{\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/reference/orgs#get-audit-log\"}"}},"location":"github"} {"timestamp":"2022-05-05T21:03:49.556+0000","rule":{"level":3,"description":"GitHub module internal event, 3 request fail.","id":"91448","firedtimes":2,"mail":false,"groups":["github","git"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651784629.1073017","decoder":{"name":"json"},"data":{"integration":"github","github":{"actor":"wazuh","organization":"TestOrgWazuh","event_type":"web","response":"{\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/reference/orgs#get-audit-log\"}"}},"location":"github"} {"timestamp":"2022-05-05T21:31:20.004+0000","rule":{"level":5,"description":"GitHub Workflows created workflow run.","id":"91409","firedtimes":1,"mail":false,"groups":["github","git","git_workflows"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786280.2531689","decoder":{"name":"json"},"data":{"integration":"github","github":{"repo":"TestWazuh/demo-repository","started_at":"2022-05-05T21:30:42.000Z","event":"issues","head_sha":"aa40eb4bf718a888ee4163ab4e1d5b8ef93fed11","public_repo":"false","_document_id":"MHLKHR236po7hg6yReTmAA","created_at":"1651786242624.000000","action":"workflows.created_workflow_run","org":"TestWazuh","run_number":"1","workflow_id":"25535484","trigger_id":"1227195026","actor":"Deblintrake09","workflow_run_id":"2278370713.000000","@timestamp":"1651786242624.000000","head_branch":"main","name":"Auto Assign"}},"location":"github"} {"timestamp":"2022-05-05T21:31:20.014+0000","rule":{"level":5,"description":"GitHub Workflows prepared workflow job.","id":"91414","firedtimes":1,"mail":false,"groups":["github","git","git_workflows"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786280.2532964","decoder":{"name":"json"},"data":{"integration":"github","github":{"is_hosted_runner":"true","repo":"TestWazuh/demo-repository","job_workflow_ref":"TestWazuh/demo-repository/.github/workflows/auto-assign.yml@refs/heads/main","_document_id":"3426:7FDC:209975:1B1D4D9:62744208","created_at":"1651786248895.000000","action":"workflows.prepared_workflow_job","org":"TestWazuh","runner_labels":["ubuntu-latest"],"runner_id":"0","secrets_passed":[],"workflow_run_id":"2278370713.000000","@timestamp":"1651786248895.000000","job_name":"run","runner_group_id":"0"}},"location":"github"} {"timestamp":"2022-05-05T21:31:20.025+0000","rule":{"level":5,"description":"GitHub Workflows completed workflow run.","id":"91408","firedtimes":1,"mail":false,"groups":["github","git","git_workflows"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786280.2534250","decoder":{"name":"json"},"data":{"integration":"github","github":{"repo":"TestWazuh/demo-repository","started_at":"2022-05-05T21:30:42.000Z","event":"issues","run_attempt":"1","head_sha":"aa40eb4bf718a888ee4163ab4e1d5b8ef93fed11","public_repo":"false","_document_id":"pjPCNZBIrJr5OdFQ5Kzo_w","conclusion":"failure","created_at":"1651786255404.000000","action":"workflows.completed_workflow_run","org":"TestWazuh","run_number":"1","workflow_id":"25535484","trigger_id":"1227195026","actor":"Deblintrake09","workflow_run_id":"2278370713.000000","@timestamp":"1651786255404.000000","head_branch":"main","completed_at":"2022-05-05T21:30:55.000Z","name":"Auto Assign"}},"location":"github"} {"timestamp":"2022-05-05T21:34:23.232+0000","rule":{"level":3,"description":"GitHub Repo.","id":"91310","firedtimes":1,"mail":false,"groups":["github","git","git_repo"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1651786463.2535707","decoder":{"name":"json"},"data":{"integration":"github","github":{"visibility":"private","org":"TestWazuh","public_repo":"false","repo":"TestWazuh/test-repo-2","@timestamp":"1651786446629.000000","_document_id":"TH5Stc1B9gvNwa1Bw8ZpHQ","created_at":"1651786446629.000000","actor":"Deblintrake09","action":"repo.change_merge_setting","actor_location":{"country_code":"AR"}}},"location":"github"}

6.- Changed monitoring to a centos/8 Agent and generated new events (created new files and committed)

• Commit 2 and its alerts
• Commit 3 and its alerts

7.- Changed monitoring to a Windows10 Agent and generated new events (created new files and committed)

• Commit 4 and it's alerts

Task Github: Validate that the events/alerts generated. - Attempt 2

Conclusion :red_circle:

Only manual tests on local environment was done up until now. Tried to properly generate alerts but was unable to get all events to appear.

Use Case

The process for the testing done was as follows:

1. Generated an Enterprise Cloud account organization
2. Generated a personal token, from the account linked to the organization
3. Configure Wazuh master to monitor the account with the following block

   <github>
   <enabled>yes</enabled>
   <interval>10s</interval>
   <time_delay>1s</time_delay>
   <curl_max_size>1M</curl_max_size>
   <only_future_events>yes</only_future_events>
   <api_auth>
       <org_name>TestOrgWazuh2</org_name>
       <api_token>API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT</api_token>
   </api_auth>
   <api_parameters>
       <event_type>all</event_type>
   </api_parameters>
   </github>

   4.- Restart master. 5.- Check that the organization is being monitored

   2022/05/06 19:37:23 wazuh-modulesd:github[11366] wm_github.c:222 at wm_github_execute_scan(): DEBUG: Scanning organization: 'TestOrgWazuh2'

6.- Try Generated Events by adding new users, or repositories from github page. No events generated

7.- Tried to get audit data with a curl call, to check endoint and data used inside the config:

curl -i -u testorgwazuh2:API_TOKEN_FROM_PERSONAL_GITHUB_ACCOUNT https://api.github.com/orgs/testorgwazuh2/audit-log

Got response:

HTTP/2 200 server: GitHub.com date: Fri, 06 May 2022 19:56:31 GMT content-type: application/json; charset=utf-8 content-length: 10004 cache-control: private, max-age=60, s-maxage=60 vary: Accept, Authorization, Cookie, X-GitHub-OTP etag: "4c9d2cd16b48e425fcb996c75ecfb6c045a15260f9d3ea191f6878267c174e38" x-oauth-scopes: admin:enterprise, admin:org, admin:org_hook, admin:repo_hook x-accepted-oauth-scopes: admin:org, read:org, write:org github-authentication-token-expiration: 2022-06-05 19:34:51 UTC x-github-media-type: github.v3; format=json x-ratelimit-limit: 5000 x-ratelimit-remaining: 4776 x-ratelimit-reset: 1651869354 x-ratelimit-used: 224 x-ratelimit-resource: core access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset access-control-allow-origin: * strict-transport-security: max-age=31536000; includeSubdomains; preload x-frame-options: deny x-content-type-options: nosniff x-xss-protection: 0 referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin content-security-policy: default-src 'none' vary: Accept-Encoding, Accept, X-Requested-With x-github-request-id: A0D0:0D48:34EB4B:41960C:62757D6F

[ { "actor": "Deblintrake09", "action": "repo.add_member", "repo": "TestOrgWazuh2/testrepo1", "visibility": "private", "permission": "admin", "_document_id": "jPdsYFbIe3TS7YI7bJdzkQ", "created_at": 1651866543473, "user": "Deblintrake09", "org": "TestOrgWazuh2", "public_repo": false, "@timestamp": 1651866543473, "actor_location": { "country_code": "AR" } }...,

Attempt 3 - Standalone account

Description

Tried to get response to properly work from standalone account wazuh-qa-demo-git created from. Got erratic behavior. Some Alerts would fire, while others would not.

Actions Taken:

• Created testrepo2, added myself as collaborator and made some commits that were pushed. Got Alerts
• Created testrepo3 cloned and created new branch and pushed files. Got no Alerts
• Created testrepo4 cloned and added myself as collaborator. Got Alerts
• Also found some alerts of repos being cloned from users from Rusia and Finland (both are public repos).

Log files

• alerts.log from manager
• ossec.log from agent