wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

AIX package and capabilities testing #3502

Closed MiguelCasaresRobles closed 2 years ago

MiguelCasaresRobles commented 2 years ago
| Target version | Related issue | Related PR |
|---|---|---|
| 3.1.0 | https://github.com/wazuh/wazuh/issues/15228 | |

Description

Hello team,

We built this Wazuh manager for AIX in local mode, meaning it doesn't have remoted or Wazuh-DB/API. The manager will still generate alerts.

The deployment should run smoothly and we are going to cover the following use cases to make sure they are working on the OS:

Link to package: https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/custom/3.1/wazuh-local-3.1.0-1.aix6.1.ppc.rpm

Proposed checks

Regards,

Miguel Casares

Rebits commented 2 years ago

Tester review

Tester
@Rebits

Testing environment

| OS | OS version | Deployment | Image/AMI |
|---|---|---|---|
| AIX | 6.1 TL9 | SiteOX | - |

Conclusions

AIX package seems to have unexpected behaviors:

Status

Rebits commented 2 years ago

Testing results :red_circle:

Install Wazuh manager and check that is running as expected and generate alerts :green_circle:
AIX local packages installation seems to work as expected:

- **Installation**:

```
# rpm -ivh wazuh-local-3.1.0-1.aix6.1.ppc.rpm
wazuh-local ##################################################
```

- **Manager startup**:

```
bash-4.4# /var/ossec/bin/ossec-control restart
ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...
wazuh-modulesd not running...
Wazuh v3.1.0 Stopped
Starting Wazuh v3.1.0 (maintained by Wazuh Inc.)...
Started wazuh-modulesd...
Started ossec-execd...
2022/10/25 06:18:59 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-analysisd...
Started ossec-syscheckd...
Started ossec-logcollector...
Started ossec-monitord...
Completed.
bash-4.4#
```

- **Logging**: Very verbose logging (`ossec.log`), expected for the 3.1 version.

```
2022/10/25 11:18:59 ossec-testrule: INFO: Started (pid: 7864476).
2022/10/25 06:18:59 wazuh-modulesd: INFO: Process started.
2022/10/25 06:18:59 wazuh-modulesd:oscap: INFO: Module disabled. Exiting...
2022/10/25 06:18:59 wazuh-modulesd:database: INFO: Module started.
2022/10/25 06:18:59 ossec-execd: INFO: Started (pid: 14483578).
2022/10/25 06:18:59 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
...
2022/10/25 11:18:59 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0085-pam_rules.xml'
2022/10/25 11:18:59 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0090-telnetd_rules.xml'
...
2022/10/25 06:19:06 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/10/25 06:19:06 ossec-logcollector: INFO: Started (pid: 9699506).
2022/10/25 06:19:36 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds
2022/10/25 06:20:06 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2022/10/25 06:20:06 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
```

No errors or warnings found:

```
bash-4.4# cat /var/ossec/logs/ossec.log | grep -i error\|warning
bash-4.4#
```

- **Alerts**: Expected startup alert is generated

```
** Alert 1666698328.0: mail - ossec,pci_dss_10.6.1,gpg13_10.1,
2022 Oct 25 11:45:28 soaxp181->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
```
Uninstall AIX local :yellow_circle:
Uninstallation of the package does not remove correctly every expected file [as the documentation specified](https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-aix.html):

```
bash-4.4# rpm -e wazuh-local
cannot remove /var/ossec/var/run - directory not empty
cannot remove /var/ossec/var/db/agents - directory not empty
cannot remove /var/ossec/var/db - directory not empty
cannot remove /var/ossec/var - directory not empty
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/stats - directory not empty
cannot remove /var/ossec/queue/syscheck - directory not empty
cannot remove /var/ossec/queue/rootcheck - directory not empty
cannot remove /var/ossec/queue/ossec - directory not empty
cannot remove /var/ossec/queue/fts - directory not empty
cannot remove /var/ossec/queue/diff - directory not empty
cannot remove /var/ossec/queue/alerts - directory not empty
cannot remove /var/ossec/queue - directory not empty
cannot remove /var/ossec/logs/firewall - directory not empty
cannot remove /var/ossec/logs/archives - directory not empty
cannot remove /var/ossec/logs/alerts - directory not empty
cannot remove /var/ossec/logs - directory not empty
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
```

However, the permissions of the remaining files are not correct:

```
bash-4.4# ls -la /var/ossec/logs/
total 80
drwxrwx--- 5 218 209 256 Oct 25 06:23 .
drwxr-x--- 7 root 209 4096 Oct 25 06:23 ..
-rw-rw---- 1 218 209 0 Oct 25 06:17 active-responses.log
drwxr-x--- 3 218 209 256 Oct 25 06:18 alerts
drwxr-x--- 3 218 209 256 Oct 25 06:18 archives
drwxr-x--- 3 218 209 256 Oct 25 06:18 firewall
-rw-rw---- 1 root 209 34301 Oct 25 06:20 ossec.log
```

It is required to research whether these discrepancies come from known issues in v3.1 rather than from the development.
Reinstall changes default permissions of wazuh files :yellow_circle:
After wazuh reinstallation, because some files remain after uninstallation, some files do not have the expected permissions:

- *ossec.log*

```
-rw-rw---- 1 root 214 34134 Oct 25 06:33 ossec.log
```

- **/var/ossec/stats**

```
drwxr-x--- 2 233 214 256 Oct 25 06:32 hourly-average
drwxr-x--- 2 233 214 256 Oct 25 06:32 totals
drwxr-x--- 9 233 214 256 Oct 25 06:32 weekly-average
```

It is required to research whether these discrepancies come from known issues in v3.1 rather than from the development.
Full permissions - Clean install

```
bash-4.4# ls -la /var/ossec/* -R
-R not found
/var/ossec/active-response:
total 16
drwxr-x--- 3 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxr-x--- 2 root ossec 4096 Oct 25 06:30 bin
/var/ossec/agentless:
total 136
drwxr-x--- 2 root ossec 4096 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
-rwxr-x--- 1 root ossec 2422 Oct 25 03:41 main.exp
-rwxr-x--- 1 root ossec 2348 Oct 25 03:41 register_host.sh
-rwxr-x--- 1 root ossec 1445 Oct 25 03:41 ssh.exp
-rwxr-x--- 1 root ossec 5252 Oct 25 03:41 ssh_asa-fwsmconfig_diff
-rwxr-x--- 1 root ossec 5372 Oct 25 03:41 ssh_foundry_diff
-rwxr-x--- 1 root ossec 867 Oct 25 03:41 ssh_generic_diff
-rwxr-x--- 1 root ossec 1060 Oct 25 03:41 ssh_integrity_check_bsd
-rwxr-x--- 1 root ossec 1067 Oct 25 03:41 ssh_integrity_check_linux
-rwxr-x--- 1 root ossec 1473 Oct 25 03:41 ssh_nopass.exp
-rwxr-x--- 1 root ossec 5234 Oct 25 03:41 ssh_pixconfig_diff
-rwxr-x--- 1 root ossec 772 Oct 25 03:41 sshlogin.exp
-rwxr-x--- 1 root ossec 1350 Oct 25 03:41 su.exp
/var/ossec/backup:
total 8
drwxr-x--- 2 root ossec 256 Oct 25 03:41 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
/var/ossec/bin:
total 100208
drwxr-x--- 2 root ossec 4096 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
-rwxr-x--- 1 root system 1125807 Oct 25 03:41 agent_control
-rwxr-x--- 1 root system 8650 Oct 25 03:41 agent_groups
-rwxr-x--- 1 root system 5871 Oct 25 03:41 agent_upgrade
-rwxr-x--- 1 root system 478281 Oct 25 03:41 clear_stats
-rwxr-x--- 1 root system 7382 Oct 25 03:41 cluster_control
-rwxr-x--- 1 root system 665959 Oct 25 03:41 list_agents
-rwxr-x--- 1 root system 1433295 Oct 25 03:41 manage_agents
-rwxr-x--- 1 root system 1977244 Oct 25 03:41 ossec-agentlessd
-rwxr-x--- 1 root system 2932118 Oct 25 03:41 ossec-analysisd
-rwxr-x--- 1 root system 8349 Oct 25 03:41 ossec-control
-rwxr-x--- 1 root system 2009205 Oct 25 03:41 ossec-csyslogd
-rwxr-x--- 1 root system 2127040 Oct 25 03:41 ossec-dbd
-rwxr-x--- 1 root system 3472402 Oct 25 03:41 ossec-execd
-rwxr-x--- 1 root system 1986358 Oct 25 03:41 ossec-integratord
-rwxr-x--- 1 root system 2197158 Oct 25 03:41 ossec-logcollector
-rwxr-x--- 1 root system 2970117 Oct 25 03:41 ossec-logtest
-rwxr-x--- 1 root system 437581 Oct 25 03:41 ossec-lua
-rwxr-x--- 1 root system 262630 Oct 25 03:41 ossec-luac
-rwxr-x--- 1 root system 2056092 Oct 25 03:41 ossec-maild
-rwxr-x--- 1 root system 2022206 Oct 25 03:41 ossec-makelists
-rwxr-x--- 1 root system 2194634 Oct 25 03:41 ossec-monitord
-rwxr-x--- 1 root system 574930 Oct 25 03:41 ossec-regex
-rwxr-x--- 1 root system 899767 Oct 25 03:41 ossec-reportd
-rwxr-x--- 1 root system 2473185 Oct 25 03:41 ossec-syscheckd
-rwxr-x--- 1 root system 3562710 Oct 25 03:41 rootcheck_control
-rwxr-x--- 1 root system 3569259 Oct 25 03:41 syscheck_control
-rwxr-x--- 1 root system 3545475 Oct 25 03:41 syscheck_update
-rwxr-x--- 1 root system 21148 Oct 25 03:41 update_ruleset
-rwxr-x--- 1 root system 4503 Oct 25 03:41 util.sh
-rwxr-x--- 1 root system 1898938 Oct 25 03:41 verify-agent-conf
-rwxr-x--- 1 root system 11129 Oct 25 03:41 wazuh-clusterd
-rwxr-x--- 1 root system 4302951 Oct 25 03:41 wazuh-modulesd
/var/ossec/etc:
total 64
drwxrwx--- 7 ossec ossec 4096 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxrwx--- 2 root ossec 256 Oct 25 06:30 decoders
-rw-r----- 1 root ossec 7033 Oct 25 03:41 internal_options.conf
drwxr-x--- 3 root ossec 256 Oct 25 06:30 lists
-rw-r----- 1 root ossec 320 Oct 25 03:41 local_internal_options.conf
-rw-r--r-- 1 root system 5687 Oct 25 06:30 ossec.conf
drwxrwx--- 2 root ossec 4096 Oct 25 06:30 rootcheck
drwxrwx--- 2 root ossec 256 Oct 25 06:30 rules
drwxrwx--- 2 root ossec 256 Oct 25 03:41 shared
/var/ossec/framework:
total 16
drwxr-x--- 4 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxr-x--- 2 root ossec 256 Oct 25 06:30 lib
drwxr-x--- 2 root ossec 4096 Oct 25 06:30 wazuh
/var/ossec/integrations:
total 40
drwxr-x--- 2 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
-rwxr-x--- 1 root ossec 1343 Oct 25 03:41 pagerduty
-rwxr-x--- 1 root ossec 1166 Oct 25 03:41 slack
-rwxr-x--- 1 root ossec 5960 Oct 25 03:41 virustotal
/var/ossec/logs:
total 8
drwxrwx--- 7 ossec ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
-rw-rw---- 1 ossec ossec 0 Oct 25 06:30 active-responses.log
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 alerts
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 archives
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 firewall
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 ossec
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 vuls
/var/ossec/lua:
total 8
drwxr-x--- 4 root system 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxr-x--- 2 root system 256 Oct 25 03:41 compiled
drwxr-x--- 2 root system 256 Oct 25 03:41 native
/var/ossec/queue:
total 16
drwxr-x--- 11 root ossec 4096 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxrwx--- 2 ossecr ossec 256 Oct 25 03:41 agent-info
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 agentless
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 agents
drwxrwx--- 2 ossec ossec 256 Oct 25 03:41 alerts
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 diff
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 fts
drwxrwx--- 2 ossec ossec 256 Oct 25 03:41 ossec
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 rootcheck
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 syscheck
/var/ossec/ruleset:
total 48
drwxr-x--- 4 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
-rw-r----- 1 root ossec 41 Oct 25 03:41 VERSION
drwxr-x--- 2 root ossec 8192 Oct 25 06:30 decoders
drwxr-x--- 2 root ossec 8192 Oct 25 06:30 rules
/var/ossec/stats:
total 8
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
/var/ossec/tmp:
total 16
drwxr-x--T 2 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
-rwxr-x--- 1 root system 2873 Oct 25 03:41 gen_ossec.sh
/var/ossec/var:
total 8
drwxr-x--- 6 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxrwx--- 3 root ossec 256 Oct 25 06:30 db
drwxrwx--- 2 root ossec 256 Oct 25 03:41 run
drwxrwx--- 2 root ossec 256 Oct 25 03:41 upgrade
drwxrwx--- 2 root ossec 256 Oct 25 03:41 wodles
/var/ossec/wodles:
total 8
drwxr-x--- 5 root ossec 256 Oct 25 06:30 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:30 ..
drwxr-x--- 2 root ossec 256 Oct 25 06:30 ciscat
drwxr-x--- 3 root ossec 256 Oct 25 06:30 oscap
drwxr-x--- 3 root ossec 256 Oct 25 06:30 vuls
```
Full permissions - Reinstalled

```
bash-4.4# ls -la /var/ossec/* -R
-R not found
/var/ossec/active-response:
total 16
drwxr-x--- 3 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxr-x--- 2 root ossec 4096 Oct 25 06:33 bin
/var/ossec/agentless:
total 136
drwxr-x--- 2 root ossec 4096 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
-rwxr-x--- 1 root ossec 2422 Oct 25 03:41 main.exp
-rwxr-x--- 1 root ossec 2348 Oct 25 03:41 register_host.sh
-rwxr-x--- 1 root ossec 1445 Oct 25 03:41 ssh.exp
-rwxr-x--- 1 root ossec 5252 Oct 25 03:41 ssh_asa-fwsmconfig_diff
-rwxr-x--- 1 root ossec 5372 Oct 25 03:41 ssh_foundry_diff
-rwxr-x--- 1 root ossec 867 Oct 25 03:41 ssh_generic_diff
-rwxr-x--- 1 root ossec 1060 Oct 25 03:41 ssh_integrity_check_bsd
-rwxr-x--- 1 root ossec 1067 Oct 25 03:41 ssh_integrity_check_linux
-rwxr-x--- 1 root ossec 1473 Oct 25 03:41 ssh_nopass.exp
-rwxr-x--- 1 root ossec 5234 Oct 25 03:41 ssh_pixconfig_diff
-rwxr-x--- 1 root ossec 772 Oct 25 03:41 sshlogin.exp
-rwxr-x--- 1 root ossec 1350 Oct 25 03:41 su.exp
/var/ossec/backup:
total 8
drwxr-x--- 2 root ossec 256 Oct 25 03:41 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
/var/ossec/bin:
total 100304
drwxr-x--- 2 root ossec 4096 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
-rwxr-x--- 1 root system 1125807 Oct 25 03:41 agent_control
-rwxr-x--- 1 root system 8650 Oct 25 03:41 agent_groups
-rwxr-x--- 1 root system 5871 Oct 25 03:41 agent_upgrade
-rwxr-x--- 1 root system 478281 Oct 25 03:41 clear_stats
-rwxr-x--- 1 root system 7382 Oct 25 03:41 cluster_control
-rwxr-x--- 1 root system 665959 Oct 25 03:41 list_agents
-rwxr-x--- 1 root system 1433295 Oct 25 03:41 manage_agents
-rwxr-x--- 1 root system 1977244 Oct 25 03:41 ossec-agentlessd
-rwxr-x--- 1 root system 2932118 Oct 25 03:41 ossec-analysisd
-rwxr-x--- 1 root system 8349 Oct 25 03:41 ossec-control
-rwxr-x--- 1 root system 2009205 Oct 25 03:41 ossec-csyslogd
-rwxr-x--- 1 root system 2127040 Oct 25 03:41 ossec-dbd
-rwxr-x--- 1 root system 3472402 Oct 25 03:41 ossec-execd
-rwxr-x--- 1 root system 1986358 Oct 25 03:41 ossec-integratord
-rwxr-x--- 1 root system 2197158 Oct 25 03:41 ossec-logcollector
-rwxr-x--- 1 root system 2970117 Oct 25 03:41 ossec-logtest
-rwxr-x--- 1 root system 437581 Oct 25 03:41 ossec-lua
-rwxr-x--- 1 root system 262630 Oct 25 03:41 ossec-luac
-rwxr-x--- 1 root system 2056092 Oct 25 03:41 ossec-maild
-rwxr-x--- 1 root system 2022206 Oct 25 03:41 ossec-makelists
-rwxr-x--- 1 root system 2194634 Oct 25 03:41 ossec-monitord
-rwxr-x--- 1 root system 574930 Oct 25 03:41 ossec-regex
-rwxr-x--- 1 root system 899767 Oct 25 03:41 ossec-reportd
-rwxr-x--- 1 root system 2473185 Oct 25 03:41 ossec-syscheckd
-rwxr-x--- 1 root system 3562710 Oct 25 03:41 rootcheck_control
-rwxr-x--- 1 root system 3569259 Oct 25 03:41 syscheck_control
-rwxr-x--- 1 root system 3545475 Oct 25 03:41 syscheck_update
-rwxr-x--- 1 root system 21148 Oct 25 03:41 update_ruleset
-rwxr-x--- 1 root system 4503 Oct 25 03:41 util.sh
-rwxr-x--- 1 root system 1898938 Oct 25 03:41 verify-agent-conf
-rwxr-x--- 1 root system 11129 Oct 25 03:41 wazuh-clusterd
-rwxr-x--- 1 root system 4302951 Oct 25 03:41 wazuh-modulesd
/var/ossec/etc:
total 64
drwxrwx--- 7 ossec ossec 4096 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxrwx--- 2 root ossec 256 Oct 25 06:33 decoders
-rw-r----- 1 root ossec 7033 Oct 25 03:41 internal_options.conf
drwxr-x--- 3 root ossec 256 Oct 25 06:33 lists
-rw-r----- 1 root ossec 320 Oct 25 03:41 local_internal_options.conf
-rw-r--r-- 1 root system 5687 Oct 25 06:33 ossec.conf
drwxrwx--- 2 root ossec 4096 Oct 25 06:33 rootcheck
drwxrwx--- 2 root ossec 256 Oct 25 06:33 rules
drwxrwx--- 2 root ossec 256 Oct 25 03:41 shared
/var/ossec/framework:
total 16
drwxr-x--- 4 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxr-x--- 2 root ossec 256 Oct 25 06:33 lib
drwxr-x--- 2 root ossec 4096 Oct 25 06:33 wazuh
/var/ossec/integrations:
total 40
drwxr-x--- 2 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
-rwxr-x--- 1 root ossec 1343 Oct 25 03:41 pagerduty
-rwxr-x--- 1 root ossec 1166 Oct 25 03:41 slack
-rwxr-x--- 1 root ossec 5960 Oct 25 03:41 virustotal
/var/ossec/logs:
total 80
drwxrwx--- 7 ossec ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
-rw-rw---- 1 ossec ossec 0 Oct 25 06:33 active-responses.log
drwxr-x--- 3 ossec ossec 256 Oct 25 03:41 alerts
drwxr-x--- 3 ossec ossec 256 Oct 25 03:41 archives
drwxr-x--- 3 ossec ossec 256 Oct 25 03:41 firewall
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 ossec
-rw-rw---- 1 root 214 34134 Oct 25 06:33 ossec.log
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 vuls
/var/ossec/lua:
total 8
drwxr-x--- 4 root system 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxr-x--- 2 root system 256 Oct 25 03:41 compiled
drwxr-x--- 2 root system 256 Oct 25 03:41 native
/var/ossec/queue:
total 16
drwxr-x--- 11 root ossec 4096 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxrwx--- 2 ossecr ossec 256 Oct 25 03:41 agent-info
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 agentless
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 agents
drwxrwx--- 2 ossec ossec 256 Oct 25 03:41 alerts
drwxr-x--- 3 ossec ossec 256 Oct 25 03:41 diff
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 fts
drwxrwx--- 2 ossec ossec 256 Oct 25 03:41 ossec
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 rootcheck
drwxr-x--- 2 ossec ossec 256 Oct 25 03:41 syscheck
/var/ossec/ruleset:
total 48
drwxr-x--- 4 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
-rw-r----- 1 root ossec 41 Oct 25 03:41 VERSION
drwxr-x--- 2 root ossec 8192 Oct 25 06:33 decoders
drwxr-x--- 2 root ossec 8192 Oct 25 06:33 rules
/var/ossec/stats:
total 8
drwxr-x--- 5 ossec ossec 256 Oct 25 03:41 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxr-x--- 2 233 214 256 Oct 25 06:32 hourly-average
drwxr-x--- 2 233 214 256 Oct 25 06:32 totals
drwxr-x--- 9 233 214 256 Oct 25 06:32 weekly-average
/var/ossec/tmp:
total 16
drwxr-x--T 2 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
-rwxr-x--- 1 root system 2873 Oct 25 03:41 gen_ossec.sh
/var/ossec/var:
total 16
drwxr-x--- 6 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxrwx--- 3 root ossec 256 Oct 25 06:33 db
drwxrwx--- 2 root ossec 4096 Oct 25 03:41 run
drwxrwx--- 2 root ossec 256 Oct 25 03:41 upgrade
drwxrwx--- 2 root ossec 256 Oct 25 03:41 wodles
/var/ossec/wodles:
total 8
drwxr-x--- 5 root ossec 256 Oct 25 06:33 .
drwxr-x--- 18 root ossec 4096 Oct 25 06:33 ..
drwxr-x--- 2 root ossec 256 Oct 25 06:33 ciscat
drwxr-x--- 3 root ossec 256 Oct 25 06:33 oscap
drwxr-x--- 3 root ossec 256 Oct 25 06:33 vuls
```
Monitor system/application logs, using rules (signatures) to detect threats :red_circle:
Unexpected errors detected during runtime:

```
2022/10/25 06:57:25 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/10/25 06:57:25 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/10/25 06:57:25 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example.log'.
2022/10/25 06:57:25 ossec-logcollector: INFO: Started (pid: 13893802).
2022/10/25 06:57:45 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2022/10/25 06:57:45 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2022/10/25 06:57:55 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds
2022/10/25 06:57:59 wazuh-modulesd: ERROR: Couldn't create SQLite database 'var/db/agents/000-localhost.db'
2022/10/25 06:57:59 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
2022/10/25 06:58:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2022/10/25 06:58:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
```

Regardless, alerts are generated correctly. Consider the following configuration:

```
syslog
/tmp/example.log
```

Expected alerts are generated for testing events:

- `echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example.log`

```
** Alert 1666706372.14769: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 25 13:59:32 ecaz->/tmp/example.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```

- `echo "Nov 9 11:36:55 ecaz telnetd[8813]: refused connect from" >> /tmp/example.log`

```
** Alert 1666707004.20402: - syslog,access_control,access_denied,pci_dss_10.2.4,
2022 Oct 25 14:10:04 ecaz->/tmp/example.log
Rule: 2503 (level 5) -> 'syslog: Connection blocked by Tcp Wrappers.'
Nov 9 11:36:55 ecaz telnetd[8813]: refused connect from
```
Scan files/directories to monitor their integrity. For example configuration files or system binaries :red_circle:
ossec.conf

```
no
60
yes
yes
no
/etc/example
/etc/ssl/private.key
yes
```
The Syscheck module presents some unexpected behaviors:

- Used frequency is greater than expected. If we configure the syscheck frequency as `60`, the syscheck frequency actually used is greater than 6 minutes:

```
2022/10/25 10:30:28 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2022/10/25 10:30:28 ossec-syscheckd: DEBUG: Sending database completed message.
..
2022/10/25 10:36:02 ossec-syscheckd: INFO: Starting syscheck scan.
```

- File deletion is not detected.
- Multiple debug lines regarding not monitoring files appear in the `ossec.log` file:

```
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check FS status for '/tmp/vgdata', but we don't know how on this OS.
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check FS status for '/tmp', but we don't know how on this OS.
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check NFS status for '/boot', but we don't know how on this OS.
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check NFS status for '/usr/local', but we don't know how on this OS.
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check NFS status for '/var/tmp', but we don't know how on this OS.
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check FS status for '/var/tmp', but we don't know how on this OS.
2022/10/25 10:30:51 ossec-syscheckd: DEBUG: Attempted to check NFS status for '/sys', but we don't know how on this OS.
```

File changes and file creations seem to work as expected:

- **File creation**:

```
** Alert 1666712162.89222: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,
2022 Oct 25 15:36:02 soaxp181->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/tmp/testing/example/test1' added to the file system.
File: /tmp/testing/example/test1
New size: 9
New permissions: 100644
New user: root (0)
New group: system (0)
New MD5: 2a12e4fd4f078d1c4643dfa7d6af220c
New SHA1: 03653ed5e085fdfed87eabee5959202abdfa6f90
New date: Tue Oct 25 15:30:45 2022
New inode: 8203
```

- **File change**:

```
** Alert 1666712492.91617: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,
2022 Oct 25 15:41:32 soaxp181->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/tmp/testing/example/test5'
Size changed from '9' to '18'
Old md5sum was: '990f56ee9c04cbf75bae5a231807e2d0'
New md5sum is : 'f85cf644e7d593d0f7ba5c11442060f1'
Old sha1sum was: '4255fccb4eac033461cd553f1b158bcba2fdbfd2'
New sha1sum is : 'dcbb1ce7404ad0738e6b1361481809aecbe690ea'
File: /tmp/testing/example/test5
Old size: 9
New size: 18
New permissions: 100644
New user: root (0)
New group: system (0)
Old MD5: 990f56ee9c04cbf75bae5a231807e2d0
New MD5: f85cf644e7d593d0f7ba5c11442060f1
Old SHA1: 4255fccb4eac033461cd553f1b158bcba2fdbfd2
New SHA1: dcbb1ce7404ad0738e6b1361481809aecbe690ea
Old date: Tue Oct 25 15:31:09 2022
New date: Tue Oct 25 15:39:43 2022
New inode: 8207
```
Detect malware behavior (more specifically rootkits), by looking for hidden files, hidden processes, or hidden ports :red_circle:
Rootcheck seems to be broken. It is not possible to open the rootcheck database:

```
2022/10/25 08:51:45 wazuh-modulesd:database: ERROR: Couldn't open database for file '/var/ossec/queue/rootcheck/rootcheck'.
```

Regardless, rootcheck alerts are generated in the environment:

```
** Alert 1666706860.19662: - ossec,rootcheck,
2022 Oct 25 14:07:40 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/_master' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/_master

** Alert 1666706860.20030: - ossec,rootcheck,
2022 Oct 25 14:07:40 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/_notifier
```
Trigger automatic responses when a threat is detected :green_circle:
ossec.conf

```
no
restart-ossec
local
sshd,|pci_dss_11.4,
```
The active response seems to work as expected. In this case, we are going to use the `sshd: authentication failed.` alert to restart `wazuh-local`. Using the specified configuration and reproducing the alert event, wazuh-local restarts as expected.

- **active-response.log**:

```
Tue Oct 25 11:00:52 CDT 2022 /var/ossec/active-response/bin/restart-ossec.sh add - - 1666713652.92673 5716
```

- **ossec.log**:

```
2022/10/25 11:00:52 ossec-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 11:00:52 ossec-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 16:00:52 ossec-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 11:00:52 ossec-execd: INFO: (1314): Shutdown received. Deleting responses.
2022/10/25 11:00:52 ossec-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
```
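The uninstall and reinstall findings above come down to one symptom: files left behind by `rpm -e` stay owned by the old, now deleted, `ossec` uid/gid (shown by `ls` as bare numbers such as `218`/`209` and `233`/`214`), so after the reinstall they no longer belong to the new account. The following parser and audit, written for this review rather than taken from the thread or from the Wazuh project, turns that manual `ls -la` inspection into a check; the listing is constructed from the layout in the thread, and the expected owner and group names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of the 'ls -la' listings in this thread: a
# recursive listing with directory header lines, taken after a reinstall over
# leftovers. Owners shown as bare numbers (218/209, 233/214) are uid/gid values
# with no matching account: the previous install's ossec user and group were
# removed with the package and the reinstall created new ones with other ids.
SAMPLE_LISTING = """\
/var/ossec/logs:
total 80
drwxrwx---    5 218      209             256 Oct 25 06:23 .
drwxr-x---    7 root     209            4096 Oct 25 06:23 ..
-rw-rw----    1 218      209               0 Oct 25 06:17 active-responses.log
drwxr-x---    3 218      209             256 Oct 25 06:18 alerts
drwxr-x---    3 ossec    ossec           256 Oct 25 06:18 archives
-rw-rw----    1 root     209           34301 Oct 25 06:20 ossec.log
/var/ossec/stats:
total 8
drwxr-x---    5 ossec    ossec           256 Oct 25 03:41 .
drwxr-x---   18 root     ossec          4096 Oct 25 06:33 ..
drwxr-x---    2 233      214             256 Oct 25 06:32 hourly-average
"""

# mode, link count, owner, group, size, "Mon DD HH:MM" or "Mon DD YYYY", name
LS_RE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9}\+?)\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d\d:\d\d|\d{4})\s+(.+)$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    mode: str
    owner: str
    group: str
    size: int


def parse_ls(text: str) -> List[Entry]:
    """Parse 'ls -la' output (optionally recursive) into Entry records."""
    entries: List[Entry] = []
    current_dir = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("total "):
            continue
        m = LS_RE.match(line)
        if m is None:
            if line.endswith(":"):          # "/var/ossec/logs:" header of a -R block
                current_dir = line[:-1]
                continue
            raise ValueError(f"unrecognised ls line: {line!r}")
        mode, owner, group, size, name = m.groups()
        if name == "..":
            continue                        # parent lies outside the audited tree
        if name == ".":
            path = current_dir or "."
        elif current_dir:
            path = f"{current_dir}/{name}"
        else:
            path = name
        entries.append(Entry(path, mode, owner, group, int(size)))
    return entries


def is_unresolved(principal: str) -> bool:
    """ls prints a bare uid/gid when no passwd/group entry exists for it."""
    return principal.isdigit()


def audit(
    entries: List[Entry],
    expected_owners: Tuple[str, ...] = ("root", "ossec", "ossecr", "ossecm"),
    expected_groups: Tuple[str, ...] = ("ossec", "system"),
) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs for orphaned, unexpected or world-writable entries."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if is_unresolved(e.owner):
            findings.append((e.path, f"owner uid {e.owner} has no account (leftover of a previous install)"))
        elif e.owner not in expected_owners:
            findings.append((e.path, f"unexpected owner {e.owner}"))
        if is_unresolved(e.group):
            findings.append((e.path, f"group gid {e.group} has no group entry"))
        elif e.group not in expected_groups:
            findings.append((e.path, f"unexpected group {e.group}"))
        if e.mode[8] == "w":                # 'other' write bit of the mode string
            findings.append((e.path, "world-writable"))
    return findings


if __name__ == "__main__":
    for path, problem in audit(parse_ls(SAMPLE_LISTING)):
        print(f"{path}: {problem}")
```

On a real host the same audit can be fed `ls -la /var/ossec -R` output before and after a reinstall; an empty result after a clean install is the expected baseline.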
Rebits commented 2 years ago

Updates - 25/10/2022

New packages were generated by @wazuh/cicd team for AIX 5.3 and 6.1

Rebits commented 2 years ago

Testing after requested changes

Conclusions :yellow_circle:

Unexpected behaviors were found:

Testing results :yellow_circle:

Install Wazuh manager and check that is running as expected and generate alerts :green_circle:
AIX local packages installation seems to work as expected:

- **Installation**:

```
# rpm -ivh wazuh-local-3.1.0-1.aix6.1.ppc.rpm
wazuh-local ##################################################
```

- **Manager startup**:

```
bash-4.4# /var/ossec/bin/ossec-control restart
ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...
wazuh-modulesd not running...
Wazuh v3.1.0 Stopped
Starting Wazuh v3.1.0 (maintained by Wazuh Inc.)...
Started wazuh-modulesd...
Started ossec-execd...
2022/10/25 06:18:59 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-analysisd...
Started ossec-syscheckd...
Started ossec-logcollector...
Started ossec-monitord...
Completed.
bash-4.4#
```

- **Logging**: Very verbose logging (`ossec.log`), expected for the 3.1 version.

```
...
2022/10/25 16:40:05 ossec-monitord: INFO: Started (pid: 15597570).
2022/10/25 11:40:09 ossec-syscheckd: INFO: Started (pid: 15663140).
2022/10/25 11:40:09 rootcheck: INFO: Started (pid: 15663140).
...
2022/10/25 11:40:11 ossec-logcollector: INFO: Monitoring output of command(360): df -P
2022/10/25 11:40:11 ossec-logcollector: INFO: Monitoring full output of command(360): nestat -tu | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -n -k 4 | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2022/10/25 11:40:11 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/10/25 11:40:11 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/10/25 11:40:11 ossec-logcollector: INFO: Started (pid: 16908296).
```

No errors or warnings found:

```
bash-4.4# cat /var/ossec/logs/ossec.log | grep -iE "error|warning"
bash-4.4#
```

- **Alerts**: Expected startup alert is generated

```
** Alert 1666716015.0: mail - ossec,pci_dss_10.6.1,gpg13_10.1,
2022 Oct 25 16:40:15 soaxp181->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
```
Uninstall AIX local :yellow_circle:
Uninstallation of the package does not remove correctly every expected file [as the documentation specified](https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-aix.html):

```
bash-4.4# rpm -e wazuh-local
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/stats - directory not empty
cannot remove /var/ossec/queue/syscheck - directory not empty
cannot remove /var/ossec/queue/rootcheck - directory not empty
cannot remove /var/ossec/queue/ossec - directory not empty
cannot remove /var/ossec/queue/fts - directory not empty
cannot remove /var/ossec/queue/diff - directory not empty
cannot remove /var/ossec/queue/alerts - directory not empty
cannot remove /var/ossec/queue - directory not empty
cannot remove /var/ossec/logs/firewall - directory not empty
cannot remove /var/ossec/logs/archives - directory not empty
cannot remove /var/ossec/logs/alerts - directory not empty
cannot remove /var/ossec/logs - directory not empty
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
```

However, the permissions of the remaining files are not correct:

```
-rw-rw---- 1 root 221 34847 Oct 25 11:42 ossec.log
drwxr-x--- 3 254 221 256 Oct 25 11:40 2022
-rw-r----- 2 254 221 400 Oct 25 11:40 alerts.json
-rw-r----- 2 254 221 180 Oct 25 11:40 alerts.log
drwxr-x--- 2 254 221 256 Oct 25 11:40 hourly-average
drwxr-x--- 2 254 221 256 Oct 25 11:40 totals
drwxr-x--- 9 254 221 256 Oct 25 11:40 weekly-average
```

It is required to research whether these discrepancies come from known issues in v3.1 rather than from the development.
Reinstall changes default permissions of wazuh files :yellow_circle:
After wazuh reinstallation, because some files remain after uninstallation, some files do not have the expected permissions:

- *ossec.log*

```
-rw-rw---- 1 root 221 34847 Oct 25 11:42 ossec.log
```

- **/var/ossec/stats**

```
drwxr-x--- 2 254 221 256 Oct 25 11:40 hourly-average
drwxr-x--- 2 254 221 256 Oct 25 11:40 totals
drwxr-x--- 9 254 221 256 Oct 25 11:40 weekly-average
```

It is required to research whether these discrepancies come from known issues in v3.1 rather than from the development.
Full permissions - Clean install **All files permissions and ownership**: [clean.zip](https://github.com/wazuh/wazuh-qa/files/9862381/clean.zip)
Full permissions - Reinstall **All files permissions and ownership**: [reinstall.zip](https://github.com/wazuh/wazuh-qa/files/9862379/reinstall.zip)
Reinstall after deleting all wazuh related files :green_circle:
After Wazuh uninstallation, we remove all Wazuh-related files using:
```
bash-4.4# rm -rf /var/ossec/*
```
`wazuh-local` installation seems to work as expected:
```
bash-4.4# rpm -ihv wazuh-local-3.1.0-1.aix6.1.ppc.rpm
wazuh-local ##################################################
```
No errors or warnings were detected during uptime:
```
/var/ossec/bin/ossec-control restart
cat /var/ossec/logs/ossec.log | grep -iE "error|warning"
```
Also, the `ossec.log` file has the correct permissions and ownership:
```
bash-4.4# ls -la /var/ossec/logs/
total 80
drwxrwx---    7 ossec    ossec       256 Oct 26 11:04 .
drwxr-x---   18 root     ossec      4096 Oct 26 11:04 ..
-rw-rw----    1 ossec    ossec         0 Oct 26 11:04 active-responses.log
drwxr-x---    3 ossec    ossec       256 Oct 26 11:04 alerts
drwxr-x---    3 ossec    ossec       256 Oct 26 11:04 archives
drwxr-x---    3 ossec    ossec       256 Oct 26 11:04 firewall
drwxr-x---    2 ossec    ossec       256 Oct 25 10:46 ossec
-rw-rw----    1 root     ossec     34068 Oct 26 11:05 ossec.log
drwxr-x---    2 ossec    ossec       256 Oct 25 10:46 vuls
```
Monitor system/application logs, using rules (signatures) to detect threats :green_circle:
Alerts are generated correctly. Consider the following configuration:
```
<localfile>
  <log_format>syslog</log_format>
  <location>/tmp/example.log</location>
</localfile>
```
Expected alerts are generated for testing events:
- `echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example.log`
```
** Alert 1666717094.180: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 25 16:58:14 ecaz->/tmp/example.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
- `echo "Nov 9 11:36:55 ecaz telnetd[8813]: refused connect from" >> /tmp/example.log`
```
** Alert 1666717116.520: - syslog,access_control,access_denied,pci_dss_10.2.4,
2022 Oct 25 16:58:36 ecaz->/tmp/example.log
Rule: 2503 (level 5) -> 'syslog: Connection blocked by Tcp Wrappers.'
Nov 9 11:36:55 ecaz telnetd[8813]: refused connect from
```
Scan files/directories to monitor their integrity. For example configuration files or system binaries :green_circle:
ossec.conf
```
<syscheck>
  <disabled>no</disabled>
  <frequency>60</frequency>
  <scan_on_start>yes</scan_on_start>
  <alert_new_files>yes</alert_new_files>
  <auto_ignore>no</auto_ignore>
  <directories check_all="yes">/etc/example</directories>
  <nodiff>/etc/ssl/private.key</nodiff>
  <skip_nfs>yes</skip_nfs>
</syscheck>
```
The Syscheck module presents some unexpected behaviors:
- The frequency used is greater than expected. If we configure the syscheck frequency as 60 seconds, the real syscheck frequency used is greater than 6 minutes:
```
2022/10/25 12:09:09 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2022/10/25 12:09:19 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
...
2022/10/25 12:14:53 ossec-syscheckd: INFO: Starting syscheck scan.
```
After a meeting with @vikman90 it seems that **file deletion** is not supported in this version for scheduled mode. Also, big delays between syscheck scans are expected.
- **Syscheck scan**:
```
2022/10/25 12:01:58 ossec-syscheckd: INFO: Monitoring directory: '/etc/example/', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2022/10/25 12:01:58 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
...
2022/10/25 12:02:30 ossec-syscheckd: INFO: Syscheck scan frequency: 60 seconds
```
- **File creation**
```
** Alert 1666717564.11875: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,
2022 Oct 25 17:06:04 soaxp181->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/example/test1' added to the file system.
File: /etc/example/test1
New size: 9
New permissions: 100644
New user: root (0)
New group: system (0)
New MD5: 2a12e4fd4f078d1c4643dfa7d6af220c
New SHA1: 03653ed5e085fdfed87eabee5959202abdfa6f90
New date: Tue Oct 25 17:05:29 2022
New inode: 28812
```
- **File checksum change**
```
** Alert 1666717749.17814: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,
2022 Oct 25 17:09:09 soaxp181->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/example/test1'
Size changed from '9' to '19'
Old md5sum was: '2a12e4fd4f078d1c4643dfa7d6af220c'
New md5sum is : 'e5c330254a4a704daa58e2ca0531409d'
Old sha1sum was: '03653ed5e085fdfed87eabee5959202abdfa6f90'
New sha1sum is : '6489967b9114e8e83d7c8a661278433ed1007b20'
File: /etc/example/test1
Old size: 9
New size: 19
New permissions: 100644
New user: root (0)
New group: system (0)
Old MD5: 2a12e4fd4f078d1c4643dfa7d6af220c
New MD5: e5c330254a4a704daa58e2ca0531409d
Old SHA1: 03653ed5e085fdfed87eabee5959202abdfa6f90
New SHA1: 6489967b9114e8e83d7c8a661278433ed1007b20
Old date: Tue Oct 25 17:05:29 2022
New date: Tue Oct 25 17:07:59 2022
New inode: 28812
```
- **File deletion**
```
```
Detect malware behavior (more specifically rootkits), by looking for hidden files, hidden processes, or hidden ports :green_circle:
Rootcheck seems to work as expected.
**Rootcheck scan**:
```
2022/10/25 12:09:39 rootcheck: INFO: Starting rootcheck scan.
2022/10/25 12:09:53 rootcheck: INFO: Ending rootcheck scan.
```
**Alerts**:
```
** Alert 1666717780.19136: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/usr/sbin/ifconfig' detected. Signature used: 'bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]' (Generic).
title: Trojaned version of file detected.
file: /usr/sbin/ifconfig

** Alert 1666717780.19503: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).
title: Trojaned version of file detected.
file: /bin/netstat

** Alert 1666717780.19849: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).
title: Trojaned version of file detected.
file: /usr/bin/netstat

** Alert 1666717780.20203: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/usr/sbin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).
title: Trojaned version of file detected.
file: /usr/sbin/netstat

** Alert 1666717780.20559: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 3: Root can log in. File: /etc/ssh/sshd_config. Reference: 3 .
title: SSH Hardening - 3: Root can log in.
file: /etc/ssh/sshd_config

** Alert 1666717780.20855: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 4: No Public Key authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 4 .
title: SSH Hardening - 4: No Public Key authentication
file: /etc/ssh/sshd_config

** Alert 1666717780.21193: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 .
title: SSH Hardening - 5: Password Authentication
file: /etc/ssh/sshd_config

** Alert 1666717780.21521: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 6: Empty passwords allowed {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 6 .
title: SSH Hardening - 6: Empty passwords allowed
file: /etc/ssh/sshd_config

** Alert 1666717780.21849: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 .
title: SSH Hardening - 7: Rhost or shost used for authentication
file: /etc/ssh/sshd_config

** Alert 1666717780.22207: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 .
title: SSH Hardening - 8: Wrong Grace Time
file: /etc/ssh/sshd_config

** Alert 1666717780.22521: - ossec,rootcheck,
2022 Oct 25 17:09:40 soaxp181->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .
title: SSH Hardening - 9: Wrong Maximum number of authentication attempts
file: /etc/ssh/sshd_config

** Alert 1666717782.22897: - ossec,rootcheck,
2022 Oct 25 17:09:42 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/5373994/attachNotificationSync' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/5373994/attachNotificationSync

** Alert 1666717782.23311: - ossec,rootcheck,
2022 Oct 25 17:09:42 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/_attachlock' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/_attachlock

** Alert 1666717782.23687: - ossec,rootcheck,
2022 Oct 25 17:09:42 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/_master' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/_master

** Alert 1666717782.24055: - ossec,rootcheck,
2022 Oct 25 17:09:42 soaxp181->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.com_ibm_tools_attach/_notifier
```
Trigger automatic responses when a threat is detected :green_circle:
ossec.conf
```
<active-response>
  <disabled>no</disabled>
  <command>restart-ossec</command>
  <location>local</location>
  <rules_group>sshd,|pci_dss_11.4,</rules_group>
</active-response>
```
The active response seems to work as expected. In this case, we use the `sshd: authentication failed.` alert to restart `wazuh-local`. Using the specified configuration and reproducing the alert event, wazuh-local restarts as expected.
- **active-response.log**:
```
Tue Oct 25 12:16:58 CDT 2022 /var/ossec/active-response/bin/restart-ossec.sh add - - 1666718218.25539 5716
```
- **ossec.log**:
```
2022/10/25 12:16:58 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/10/25 17:16:58 ossec-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 12:16:58 ossec-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 12:16:58 ossec-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 17:16:58 ossec-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/10/25 12:16:58 ossec-execd: INFO: (1314): Shutdown received. Deleting responses.
```
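The ownership problem reported above (files under `/var/ossec` showing bare numeric owner/group such as `254 221` after the reinstall) is easy to miss by eye in a long `ls -la`. The following script is an added example, not part of this thread or of the Wazuh code base; it parses `ls -l` style listings and flags entries whose owner or group is a bare numeric id (an account that no longer exists, which is what happens when `rpm -e` removes the `ossec` user and the files stay behind) or whose owner/group is outside the accounts a clean install uses (`root`/`ossec` with group `ossec`, as in the clean listing in this thread). The sample listing embedded below is constructed from the lines shown in the thread; the allowed-account sets are an assumption taken from that clean listing.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample, copied from the listings shown in this thread (not a live
# capture). Lines 1-3 are from the reinstall, lines 4-5 from the clean install.
SAMPLE_LS = """\
-rw-rw----    1 root     221     34847 Oct 25 11:42 ossec.log
drwxr-x---    2 254      221       256 Oct 25 11:40 hourly-average
drwxr-x---    2 254      221       256 Oct 25 11:40 totals
-rw-rw----    1 ossec    ossec         0 Oct 26 11:04 active-responses.log
drwxr-x---   18 root     ossec      4096 Oct 26 11:04 ..
"""

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)


def parse_ls(text: str) -> List[Dict[str, str]]:
    """Turn `ls -l` output into dicts; lines that are not entries (e.g. 'total 80') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_orphaned(
    entries: Sequence[Dict[str, str]],
    allowed_owners: Sequence[str] = ("root", "ossec"),  # assumption: from the clean listing
    allowed_group: str = "ossec",
) -> List[Dict[str, str]]:
    """Entries whose owner/group is a dangling numeric id or not an expected Wazuh account.

    A numeric owner means the uid has no passwd entry any more; if the reinstall
    creates `ossec` with a different uid, these files end up unreadable by the
    daemons, and whichever account later receives uid 254 inherits read access
    to alerts and logs.
    """
    bad = []
    for e in entries:
        if e["name"] in (".", ".."):
            continue
        dangling = e["owner"].isdigit() or e["group"].isdigit()
        wrong_account = e["owner"] not in allowed_owners or e["group"] != allowed_group
        if dangling or wrong_account:
            bad.append(e)
    return bad


def report(text: str) -> List[str]:
    """Names of the offending entries, in listing order, for a quick pass/fail check."""
    return [e["name"] for e in find_orphaned(parse_ls(text))]


if __name__ == "__main__":
    for name in report(SAMPLE_LS):
        print("unexpected ownership:", name)
```

Feed it `ls -la /var/ossec/logs /var/ossec/stats` after a reinstall; an empty report is the expected result for a clean package. The check deliberately treats a numeric group as a failure even when the owner is `root`, because `ossec.log` with group `221` is exactly the case the thread shows.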
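The `rules_group` value used above, `sshd,|pci_dss_11.4,`, only makes sense once you see how the alert's group string looks in `alerts.log` (it ends with a trailing comma, so `sshd,` matches the whole token and not `sshd_something`). The following script is an added example, not code from this thread or from Wazuh: it parses `alerts.log` blocks in the format shown throughout this thread and applies the active-response selectors. It models `rules_group` as `|`-separated alternatives, each a substring match on the alert's group string, `rules_id` as a comma-separated list and `level` as a minimum level, with any one matching selector triggering the response; that "any selector triggers" combination is my assumption about the manager's semantics, not something the thread states. The alerts embedded below are constructed from the alerts shown in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed alerts.log excerpt (copied from alerts shown in this thread).
ALERTS_LOG = """\
** Alert 1666717094.180: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 25 16:58:14 ecaz->/tmp/example.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2

** Alert 1666717116.520: - syslog,access_control,access_denied,pci_dss_10.2.4,
2022 Oct 25 16:58:36 ecaz->/tmp/example.log
Rule: 2503 (level 5) -> 'syslog: Connection blocked by Tcp Wrappers.'
Nov 9 11:36:55 ecaz telnetd[8813]: refused connect from

** Alert 1666717564.11875: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,
2022 Oct 25 17:06:04 soaxp181->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/example/test1' added to the file system.
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): - (?P<groups>\S*)$")
ORIGIN = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<location>.+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    alert_id: str
    groups: str          # keeps the trailing comma, e.g. "syslog,sshd,...,gpg13_7.1,"
    location: str
    rule_id: int
    level: int
    description: str
    body: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log into Alert records: header, origin and rule lines, then free-form body."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        h = HEADER.match(lines[i])
        if h and i + 2 < len(lines):
            o = ORIGIN.match(lines[i + 1])
            r = RULE.match(lines[i + 2])
            if o and r:
                current = Alert(h["id"], h["groups"], o["location"],
                                int(r["rule"]), int(r["level"]), r["desc"])
                alerts.append(current)
                i += 3
                continue
        if current is not None and lines[i].strip():
            current.body.append(lines[i])
        i += 1
    return alerts


@dataclass
class ActiveResponse:
    command: str
    rules_group: Optional[str] = None   # <rules_group>: '|' separates alternatives
    rules_id: Optional[str] = None      # <rules_id>: comma-separated rule ids
    level: Optional[int] = None         # <level>: minimum alert level


def group_matches(pattern: str, groups: str) -> bool:
    """'sshd,|pci_dss_11.4,' matches when any alternative occurs in the alert's group string."""
    return any(alt and alt in groups for alt in pattern.split("|"))


def triggers(ar: ActiveResponse, alert: Alert) -> bool:
    # Assumption: any configured selector that matches is enough to fire the response.
    if ar.rules_group and group_matches(ar.rules_group, alert.groups):
        return True
    if ar.rules_id:
        wanted = {x.strip() for x in ar.rules_id.split(",") if x.strip()}
        if str(alert.rule_id) in wanted:
            return True
    if ar.level is not None and alert.level >= ar.level:
        return True
    return False


def select(ar: ActiveResponse, alerts: List[Alert]) -> List[str]:
    """Alert ids that would launch `ar.command`, in log order."""
    return [a.alert_id for a in alerts if triggers(ar, a)]


if __name__ == "__main__":
    ar = ActiveResponse("restart-ossec", rules_group="sshd,|pci_dss_11.4,")
    print(select(ar, parse_alerts(ALERTS_LOG)))
```

With the configuration from this thread only the `sshd` alert (rule 5716) is selected; the Tcp Wrappers alert has the same level but no matching group, which is the point of filtering on `rules_group` rather than `level` for a response as disruptive as a restart.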
Rebits commented 2 years ago

Update - 25/10/2022

Rebits commented 2 years ago

Testing results - Logcollector :green_circle:

Multiple files matching monitoring: /tmp/example/* :green_circle:

Multiple files are detected and monitored correctly using wildcard `*`
ossec.log
```
2022/10/26 06:09:36 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/example'.
2022/10/26 06:09:36 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/example2'.
2022/10/26 06:09:36 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1'.
2022/10/26 06:09:36 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2'.
2022/10/26 06:09:36 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test3'.
2022/10/26 06:09:36 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test4'.
```
/tmp/example
```
example  example2  test1  test2  test3  test4
```
alert.log
```
** Alert 1666782834.14968: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 11:13:54 ecaz->/tmp/example/test2
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
Multiple files matching monitoring: /tmp/example/test? :green_circle:

Multiple files are detected and monitored correctly using wildcard `?`
ossec.conf
```
<localfile>
  <log_format>syslog</log_format>
  <location>/tmp/example/test?</location>
</localfile>
```
ossec.log
```
2022/10/26 06:15:20 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1'.
2022/10/26 06:15:20 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2'.
2022/10/26 06:15:20 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test3'.
2022/10/26 06:15:20 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test4'.
```
/tmp/example
```
example  example2  test1  test2  test3  test4
```
alert.log
```
** Alert 1666782964.15840: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 11:16:04 ecaz->/tmp/example/test2
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
Strftime format: /tmp/example/file.log-%Y-%m-%d :green_circle:

The expected log file was detected using the strftime format.
ossec.conf
```
<localfile>
  <log_format>syslog</log_format>
  <location>/tmp/example/file.log-%Y-%m-%d</location>
</localfile>
```
ossec.log
```
2022/10/26 06:17:57 ossec-logcollector: INFO: (1952): Monitoring variable log file: '/tmp/example/file.log-2022-10-26'.
```
/tmp/example
```
bash-4.4# ls /tmp/example
example              file.log-2022-10-26  test2                test4
example2             test1                test3
```
alert.log
```
** Alert 1666783085.16368: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 11:18:05 ecaz->/tmp/example/file.log-2022-10-26
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
New files are monitored after restart :green_circle:
New files in a monitored directory that match the specified regex are correctly detected after restarting:
ossec.log
```
2022/10/26 06:21:48 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1'.
2022/10/26 06:21:48 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2'.
2022/10/26 06:21:48 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test3'.
2022/10/26 06:21:48 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test4'.
2022/10/26 06:21:48 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test_new'.
```
File deletion handling :green_circle:
As expected, if a monitored file is deleted during runtime, this is detected by the logcollector daemon:
```
2022/10/26 06:29:45 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
```
Logcollector will try to open the file every `logcollector.vcheck_files` seconds (local internal options configuration).
```
2022/10/26 06:31:01 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:31:05 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:31:09 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
```
However, after `logcollector.open_attempts` attempts, logcollector should stop trying to open the file. This does not occur in the environment:
```
2022/10/26 06:32:53 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:32:57 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:01 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:05 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:09 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:13 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:17 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:21 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:25 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:29 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:33 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:37 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:41 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:45 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
2022/10/26 06:33:49 ossec-logcollector: ERROR: (1103): Could not open file '/tmp/example/test_new4' due to [(2)-(No such file or directory)].
```
After talking with @vikman90 it seems that this is a known bug, fixed in [`3.7.2`](https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md#v372---2018-12-17)
Log Format: json :green_circle:
JSON format files are monitored correctly
ossec.conf
```
<localfile>
  <log_format>json</log_format>
  <location>/tmp/example/test*.json</location>
</localfile>
```
ossec.log
```
2022/10/26 09:00:40 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/testjson.json'.
```
We generate a JSON event using the following command (single quotes keep the inner double quotes intact):
```
echo '{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com"}' >> /tmp/example/testjson.json
```
The expected alert is correctly generated:
```
** Alert 1666797788.82410: - ids,suricata,
2022 Oct 26 15:23:08 soaxp175->/tmp/example/testjson.json
Rule: 86601 (level 3) -> 'Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com","testing1":"testing1"}
timestamp: 2016-05-02T17:46:48.515262+0000
flow_id: 1234
in_iface: eth0
event_type: alert
src_ip: 16.10.10.10
src_port: 5555
dest_ip: 16.10.10.11
dest_port: 80
proto: TCP
alert.action: allowed
alert.gid: 1
alert.signature_id: 2019236
alert.rev: 3
alert.signature: ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
alert.category: Attempted Administrator Privilege Gain
alert.severity: 1
payload: 21YW5kXBtgdW5zIGRlcHJY2F0QgYWI
payload_printable: this_is_an_example
stream: 0
host: suricata.com
```
Enrich JSON events with label option :green_circle:
Label option seems to work as expected.
ossec.conf
```
<localfile>
  <log_format>json</log_format>
  <location>/tmp/example/test*.json</location>
</localfile>
```
ossec.log
```
2022/10/26 09:00:40 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/testjson.json'.
```
We generate a JSON event using the following command (single quotes keep the inner double quotes intact):
```
echo '{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com"}' >> /tmp/example/testjson.json
```
The expected alert with the custom label is correctly generated:
```
** Alert 1666797788.82410: - ids,suricata,
2022 Oct 26 15:23:08 soaxp175->/tmp/example/testjson.json
Rule: 86601 (level 3) -> 'Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com","testing1":"testing1"}
timestamp: 2016-05-02T17:46:48.515262+0000
flow_id: 1234
in_iface: eth0
event_type: alert
src_ip: 16.10.10.10
src_port: 5555
dest_ip: 16.10.10.11
dest_port: 80
proto: TCP
alert.action: allowed
alert.gid: 1
alert.signature_id: 2019236
alert.rev: 3
alert.signature: ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
alert.category: Attempted Administrator Privilege Gain
alert.severity: 1
payload: 21YW5kXBtgdW5zIGRlcHJY2F0QgYWI
payload_printable: this_is_an_example
stream: 0
host: suricata.com
testing1: testing1
```
Command monitoring df :green_circle:
Basic command monitoring seems to work as expected
ossec.conf
```
<localfile>
  <log_format>command</log_format>
  <command>df</command>
  <frequency>10</frequency>
</localfile>
```
ossec.log
```
2022/10/26 09:08:41 ossec-logcollector: INFO: Monitoring output of command(10): df
```
Every `10` seconds (the specified frequency), the `df` command output appears in `archives.log`:
```
2022 Oct 26 14:09:07 soaxp175->df ossec: output: 'df': Filesystem    512-blocks      Free %Used    Iused %Iused Mounted on
...
2022 Oct 26 14:09:19 soaxp175->df ossec: output: 'df': Filesystem    512-blocks      Free %Used    Iused %Iused Mounted on
```
Full command monitoring df :green_circle:
Basic command monitoring seems to work as expected
ossec.conf
```
<localfile>
  <log_format>full_command</log_format>
  <command>df</command>
  <frequency>10</frequency>
</localfile>
```
ossec.log
```
2022/10/26 09:15:23 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
```
Every `10` seconds (the specified frequency), the `df` command output appears in `archives.log`:
```
2022 Oct 26 14:15:49 soaxp175->df ossec: output: 'df': Filesystem    512-blocks      Free %Used    Iused %Iused Mounted on
....
2022 Oct 26 14:16:01 soaxp175->df ossec: output: 'df': Filesystem    512-blocks      Free %Used    Iused %Iused Mounted on
2022 Oct 26 14:16:01 soaxp175->df ossec: output: 'df': /dev/hd4         2097152   1789048   15%
```
Command monitoring using an alias :green_circle:
The alias option seems to work as expected
ossec.conf
```
<localfile>
  <log_format>full_command</log_format>
  <command>df</command>
  <frequency>10</frequency>
  <alias>testingcommand</alias>
</localfile>
```
ossec.log
```
2022/10/26 09:17:45 ossec-logcollector: INFO: Monitoring output of command(10): df
```
The alias is used as expected:
```
2022 Oct 26 14:21:11 soaxp175->testingcommand ossec: output: 'testingcommand': /dev/livedump    1048576   1047760    1%        4     1% /var/adm/ras/livedump
```
Monitoring more than 2000 files simultaneously :green_circle:
`ossec.conf`
```
<localfile>
  <log_format>syslog</log_format>
  <location>/tmp/example/*</location>
</localfile>
```
`ossec.log`
```
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test10'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test100'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1000'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1001'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1002'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1003'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1004'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1005'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1006'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1007'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1008'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1009'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test101'.
2022/10/26 12:02:32 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test1010'.
```
All files were detected and monitored. No warnings or errors were produced:
```
bash-4.4# cat /var/ossec/logs/ossec.log | grep -i error\|warning
bash-4.4#
```
Monitoring more than 10000 files simultaneously :green_circle:
`ossec.conf`
```
<localfile>
  <log_format>syslog</log_format>
  <location>/tmp/example/*</location>
</localfile>
```
`ossec.log`
```
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2729'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test273'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2730'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2731'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2732'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2733'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2734'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2735'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2736'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2737'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2738'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2739'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test274'.
2022/10/26 12:11:41 ossec-logcollector: INFO: (1950): Analyzing file: '/tmp/example/test2740'.
```
Only approximately 2800 files were correctly monitored. No warnings or errors were produced:
```
bash-4.4# cat /var/ossec/logs/ossec.log | grep -i error\|warning
bash-4.4#
```
Expected behaviour in v3.1.
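The location tests in this comment (`/tmp/example/*`, `/tmp/example/test?`, `/tmp/example/file.log-%Y-%m-%d`) and the missing-file retry behaviour can be reasoned about with a small model. The script below is an added example, not part of this thread or of the Wazuh code base: it resolves a `<location>` the way the tests above exercise it (strftime tokens first, then shell-style globbing), and models the retry budget that `logcollector.open_attempts` / `logcollector.vcheck_files` are meant to enforce, i.e. the behaviour the tester expected and did not see. The default values `8` and `64` in the class are my recollection of `internal_options.conf` and are an assumption; the directory contents and the `test_new4` name are constructed from the file names shown in this comment.

```python
import glob
import os
import shutil
import tempfile
from datetime import datetime
from typing import Dict, List, Optional


def expand_location(pattern: str, now: Optional[datetime] = None) -> List[str]:
    """Resolve a <location>: apply strftime tokens (%Y-%m-%d) first, then glob '*' and '?'."""
    now = now or datetime.now()
    return sorted(glob.glob(now.strftime(pattern)))


class MissingFileTracker:
    """Retry budget for a monitored file that disappears at runtime.

    Every `vcheck_files` seconds the file is re-tried; after `open_attempts`
    consecutive failures it is dropped instead of being retried forever
    (the endless ERROR (1103) loop reported above is the failure mode).
    Defaults are an assumption taken from internal_options.conf.
    """

    def __init__(self, path: str, open_attempts: int = 8, vcheck_files: int = 64):
        self.path = path
        self.open_attempts = open_attempts
        self.vcheck_files = vcheck_files
        self.failures = 0
        self.next_try = 0.0
        self.dropped = False

    def check(self, now: float) -> str:
        """Advance the tracker to time `now`; returns open / waiting / retry / dropped."""
        if self.dropped:
            return "dropped"
        if now < self.next_try:
            return "waiting"
        self.next_try = now + self.vcheck_files
        if os.path.exists(self.path):
            self.failures = 0
            return "open"
        self.failures += 1
        if self.failures >= self.open_attempts:
            self.dropped = True
            return "dropped"
        return "retry"


def demo() -> Dict[str, object]:
    """Build a constructed /tmp/example look-alike and run the three patterns plus the retry model."""
    d = tempfile.mkdtemp(prefix="wazuh-logcollector-")
    try:
        for name in ["example", "example2", "test1", "test2", "test3", "test4",
                     "file.log-2022-10-26"]:
            open(os.path.join(d, name), "w").close()
        when = datetime(2022, 10, 26, 6, 17, 57)  # the timestamp of the strftime test above
        star = expand_location(os.path.join(d, "*"), when)
        qmark = expand_location(os.path.join(d, "test?"), when)
        dated = expand_location(os.path.join(d, "file.log-%Y-%m-%d"), when)
        # test_new4 never exists: three attempts, four seconds apart, then give up.
        tracker = MissingFileTracker(os.path.join(d, "test_new4"), open_attempts=3, vcheck_files=4)
        states = [tracker.check(float(t)) for t in range(0, 20, 2)]
    finally:
        shutil.rmtree(d, ignore_errors=True)
    base = lambda paths: [os.path.basename(p) for p in paths]
    return {"star": base(star), "qmark": base(qmark), "dated": base(dated), "states": states}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`test?` matches only `test1`..`test4`, and `test_new` style names would need `test*`, which is why the "new files after restart" case above used the broader pattern. The tracker shows the expected shape of the fix noted in the thread: after the configured number of failed opens the file is dropped and the ERROR lines stop.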
Rebits commented 2 years ago

Testing results - CSyslog :green_circle:

Basic syslog configuration :green_circle:
Basic Syslog output seems to work as expected:
ossec.conf
```
<syslog_output>
  <server>54.174.10.114</server>
  <port>1514</port>
</syslog_output>
```
ossec.log
```
2022/10/26 15:22:39 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '54.174.10.114:1514'.
```
We generate an alert using the following command:
```
echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example/test1
```
The alert is generated in `alert.log`:
```
** Alert 1666798342.83888: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 15:32:22 ecaz->/tmp/example/test1
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
In the Syslog server we get, as expected, the generated alert:
```
2022-10-26T15:34:14+00:00 soaxp175 ossec: Alert Level: 5; Rule: 5716 - sshd: authentication failed.; Location: ecaz->/tmp/example/test1; classification: syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,; srcip: 192.168.10.161; user: root; Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
Level filter :green_circle:
The level filter seems to work as expected
ossec.conf
```
<syslog_output>
  <server>54.174.10.114</server>
  <port>1514</port>
  <level>5</level>
</syslog_output>
```
ossec.log
```
2022/10/26 15:22:39 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '54.174.10.114:1514'.
```
We generate an alert using the following command:
```
echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example/test1
```
The alert is generated in `alert.log`:
```
** Alert 1666798342.83888: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 15:32:22 ecaz->/tmp/example/test1
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
In the Syslog server we get, as expected, the generated alert:
```
2022-10-26T15:39:58+00:00 soaxp175 ossec: Alert Level: 10; Rule: 5720 - sshd: Multiple authentication failures.; Location: ecaz->/tmp/example/test1; classification: syslog,sshd,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,; srcip: 192.168.10.161; user: root; Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
If we generate an alert with a lower level, for example the alert `86601`, it will not be forwarded to the Syslog server.
Group filter :green_circle:
The group filter seems to work as expected
ossec.conf
```
<syslog_output>
  <server>54.174.10.114</server>
  <port>1514</port>
  <group>sshd</group>
</syslog_output>
```
ossec.log
```
2022/10/26 15:22:39 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '54.174.10.114:1514'.
```
We generate an alert using the following command:
```
echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example/test1
```
The alert is generated in `alert.log`:
```
** Alert 1666798342.83888: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 15:32:22 ecaz->/tmp/example/test1
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
In the Syslog server we get, as expected, the generated alert:
```
2022-10-26T15:41:55+00:00 soaxp175 ossec: Alert Level: 5; Rule: 5716 - sshd: authentication failed.; Location: ecaz->/tmp/example/test1; classification: syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,; srcip: 192.168.10.161; user: root; Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
If we generate an alert that does not belong to group `sshd`, for example the alert `86601`, it is not forwarded to the Syslog server.
Location filter :green_circle:
The location filter seems to work as expected
ossec.conf
```
<syslog_output>
  <server>54.174.10.114</server>
  <port>1514</port>
  <location>/tmp/example/test1</location>
</syslog_output>
```
ossec.log
```
2022/10/26 15:22:39 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '54.174.10.114:1514'.
```
We generate an alert using the following command:
```
echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example/test1
```
Alert is generated in `alert.log`:
```
** Alert 1666798342.83888: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 15:32:22 ecaz->/tmp/example/test1
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
In the Syslog server we get, as expected, the generated alert:
```
2022-10-26T15:41:55+00:00 soaxp175 ossec: Alert Level: 5; Rule: 5716 - sshd: authentication failed.; Location: ecaz->/tmp/example/test1; classification: syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,; srcip: 192.168.10.161; user: root; Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
If we generate an alert by appending the event to a file other than `/tmp/example/test1`, for example `/tmp/example/test2`, the alert is not forwarded to the Syslog server.
Rule_id filter :green_circle:
The rule id filter seems to work as expected
ossec.conf
```
<syslog_output>
  <server>54.174.10.114</server>
  <port>1514</port>
  <rule_id>86601</rule_id>
</syslog_output>
```
ossec.log
```
2022/10/26 15:22:39 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '54.174.10.114:1514'.
```
We generate an alert using the following command:
```
echo '{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com"}' >> /tmp/example/testjson.json
```
Alert is generated in `alert.log`:
```
** Alert 1666799120.98721: - ids,suricata,
2022 Oct 26 15:45:20 soaxp175->/tmp/example/testjson.json
Rule: 86601 (level 3) -> 'Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com","testing1":"testing1"}
timestamp: 2016-05-02T17:46:48.515262+0000
flow_id: 1234
in_iface: eth0
event_type: alert
src_ip: 16.10.10.10
src_port: 5555
dest_ip: 16.10.10.11
dest_port: 80
proto: TCP
alert.action: allowed
alert.gid: 1
alert.signature_id: 2019236
alert.rev: 3
alert.signature: ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
alert.category: Attempted Administrator Privilege Gain
alert.severity: 1
payload: 21YW5kXBtgdW5zIGRlcHJY2F0QgYWI
payload_printable: this_is_an_example
stream: 0
host: suricata.com
testing1: testing1
```
In the rsyslog server we get, as expected, the generated alert:
```
2022-10-26T15:43:53+00:00 soaxp175 ossec: Alert Level: 3; Rule: 86601 - Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number; Location: soaxp175->/tmp/example/testjson.json; classification: ids,suricata,; {"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com","testing1":"testing1"}
```
If we generate an alert other than `86601`, for example `5716`, it will not be forwarded to the rsyslog server.
Format json :green_circle:
Syslog alerts are correctly generated for JSON format
ossec.conf
```
<syslog_output>
  <server>54.174.10.114</server>
  <port>1514</port>
  <format>json</format>
</syslog_output>
```
ossec.log
```
2022/10/26 15:22:39 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '54.174.10.114:1514'.
```
We generate an alert using the following command:
```
echo "Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2" >> /tmp/example/test1
```
Alert is generated in `alert.log`:
```
** Alert 1666798342.83888: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 15:32:22 ecaz->/tmp/example/test1
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
```
In the rsyslog server we get, as expected, the generated alert:
```
2022-10-26T15:32:49+00:00 soaxp175 ossec: {"timestamp":"2022-10-26T15:32:48","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed","gpg13_7.1"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"000","name":"soaxp175"},"manager":{"name":"soaxp175"},"id":"1666798368.84232","full_log":"Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Nov 9 11:36:55","hostname":"ecaz"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.10.161","srcport":"1066","dstuser":"root"},"location":"/tmp/example/test1"}
```
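The syslog-output tests above exercise four filters (`level`, `group`, `location`, `rule_id`) and two output formats of `ossec-csyslogd`. The following added example, which is not Wazuh code and not part of this thread's test results, models that behaviour so the expected outcome of each test can be checked offline: it parses a handful of `alerts.log` records (constructed here, modelled on the ones quoted above; the rule 5720 record and the shortened Suricata payload are made up), applies a `<syslog_output>` block's filters, and renders the default and JSON lines in the shape observed on the rsyslog server. Matching is simplified (assumption): `group` and `rule_id` are exact or comma-list comparisons and `location` is a substring check, whereas Wazuh uses its own pattern matcher, and the JSON output carries only a subset of the real document's fields.

```python
"""Model of ossec-csyslogd alert filtering and formatting (added example, not Wazuh code)."""
import json
import re

ALERT_HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?:mail )?- (?P<groups>.*)$")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# "Src IP:" style lines in alerts.log, mapped onto the keys the JSON output uses.
FIELD_LINES = {"Src IP": "srcip", "Src Port": "srcport", "User": "dstuser"}

# Constructed sample alerts.log content (the 5720 record and the short Suricata JSON are made up).
SAMPLE_ALERTS_LOG = """\
** Alert 1666798342.83888: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2022 Oct 26 15:32:22 ecaz->/tmp/example/test1
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.10.161
Src Port: 1066
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2

** Alert 1666798798.84500: - syslog,sshd,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,
2022 Oct 26 15:39:58 ecaz->/tmp/example/test1
Rule: 5720 (level 10) -> 'sshd: Multiple authentication failures.'
Src IP: 192.168.10.161
User: root
Nov 9 11:36:55 ecaz sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2

** Alert 1666799120.98721: - ids,suricata,
2022 Oct 26 15:45:20 soaxp175->/tmp/example/testjson.json
Rule: 86601 (level 3) -> 'Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
{"event_type":"alert","src_ip":"16.10.10.10","alert":{"signature_id":2019236}}
"""


def parse_alerts(text):
    """Parse alerts.log text (records separated by blank lines) into a list of dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = ALERT_HEADER.match(lines[0])
        rule = RULE_LINE.match(lines[2]) if len(lines) > 2 else None
        if not header or not rule:
            continue  # not a well-formed record; skip it
        timestamp, location = lines[1].rsplit(" ", 1)  # "2022 Oct 26 15:32:22 host->file"
        data, log_lines = {}, []
        for line in lines[3:]:
            key, sep, value = line.partition(": ")
            if sep and key in FIELD_LINES:
                data[FIELD_LINES[key]] = value
            else:
                log_lines.append(line)
        alerts.append({
            "id": header.group("id"),
            "groups": [g for g in header.group("groups").split(",") if g],  # drop trailing ""
            "timestamp": timestamp,
            "location": location,
            "rule_id": rule.group("id"),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
            "data": data,
            "full_log": "\n".join(log_lines),
        })
    return alerts


def forwarded(output, alert):
    """True if the alert passes every filter set on a <syslog_output> block (dict of option -> value)."""
    if alert["level"] < int(output.get("level", 0)):          # <level> is a minimum
        return False
    if "group" in output and output["group"] not in alert["groups"]:
        return False
    if "location" in output and output["location"] not in alert["location"]:
        return False
    if "rule_id" in output and alert["rule_id"] not in output["rule_id"].split(","):
        return False
    return True


def select(output, alerts):
    """Rule ids of the alerts a given <syslog_output> block would forward."""
    return [a["rule_id"] for a in alerts if forwarded(output, a)]


def format_default(alert):
    """Default csyslogd line, as seen on the syslog server ('ossec: Alert Level: ...')."""
    parts = [
        f"Alert Level: {alert['level']}",
        f"Rule: {alert['rule_id']} - {alert['description']}",
        f"Location: {alert['location']}",
        "classification: " + ",".join(alert["groups"]) + ",",
    ]
    if "srcip" in alert["data"]:
        parts.append(f"srcip: {alert['data']['srcip']}")
    if "dstuser" in alert["data"]:
        parts.append(f"user: {alert['data']['dstuser']}")
    return "ossec: " + "; ".join(parts) + "; " + alert["full_log"]


def format_json(alert, agent_name="soaxp175"):
    """<format>json</format> line; only a subset of the real document's fields (assumption)."""
    doc = {
        "rule": {"level": alert["level"], "description": alert["description"],
                 "id": alert["rule_id"], "groups": alert["groups"]},
        "agent": {"id": "000", "name": agent_name},
        "id": alert["id"],
        "full_log": alert["full_log"],
        "data": alert["data"],
        "location": alert["location"].split("->", 1)[-1],  # JSON output carries the file only
    }
    return "ossec: " + json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_LOG)
    for cfg in ({"level": 10}, {"group": "sshd"}, {"location": "/tmp/example/test1"}, {"rule_id": "86601"}):
        print(cfg, "->", select(cfg, alerts))
    print(format_default(alerts[0]))
    print(format_json(alerts[0]))
```

Running the script reproduces the four outcomes reported in the tests: a level filter of 10 forwards only rule 5720, the `sshd` group and the `/tmp/example/test1` location forward 5716 and 5720 but not 86601, and the `rule_id` filter forwards 86601 alone.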
jmv74211 commented 2 years ago

QA review

This will be discussed with the development team, and this will be approved or not on this basis.

Rebits commented 2 years ago

Testing results - Integration :yellow_circle:

Basic Slack integration :yellow_circle:

Slack integration does not work correctly. Integration logs suggest that the hook or payload is invalid, although that is not the case.
```
Slack integration failed to run. Either invalid hook url or payload
```
The same integration has been tested in a 4.3.9 centos manager package, working as expected.

![image](https://user-images.githubusercontent.com/11089305/198250438-1e0993db-592a-4619-b73a-f840a51b5bff.png)
ossec.conf
```
<integration>
  <name>slack</name>
  <hook_url>HOOK_URL</hook_url>
  <alert_format>json</alert_format>
</integration>
```
integrations.log
```
Thu Oct 27 04:36:34 CDT 2022 /var/ossec/integrations/slack /tmp/slack-1666863394--27532.alert HOOK
Thu Oct 27 04:36:34 CDT 2022 /var/ossec/integrations/slack Slack integration failed to run. Either invalid hook url or payload.
```
jmv74211 commented 2 years ago

QA review update

As a summary of everything tested, we have the following points:

(1). Uninstall and reinstall of the wazuh-manager package does not seem to work correctly, because certain files and directories are not deleted.

This is known and also occurs in current versions and reported in wazuh-packages#607. In the documentation itself, it is recommended that to do a complete uninstall, you manually delete /var/ossec afterwards.

(2). Logcollector does not handle monitored file deletion correctly. According to the documentation, it should try to open a monitored file logcollector.open_attempts times. However, that is not the case: it keeps trying to access the deleted files permanently.

According to the development team, it is possible that for this version this was known, and that this behavior was changed in the force reload added in version 3.7.1 at wazuh#2022.

The development team tells us that it is tested in 4.4 and that it works correctly.

(3). Minor errors in AIX installation documentation.

This has been reported in wazuh-documentation#5710

(4). Integration for slack does not work.

To test integratord, integration with slack has been used. The result was that it did not work correctly, but it seems to be caused by the slack script itself, rather than the module. This script was refactored in 3.2.2 wazuh#443.

If requested, more tests could be done with the integrator module.