wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Validate Syscollector packages sync and `sys_programs` schema changes #4472

Closed jnasselle closed 1 year ago

jnasselle commented 1 year ago
| Target version | Release candidate | Main release testing issue |
|---|---|---|
| 4.5.2 | RC1 | https://github.com/wazuh/wazuh/issues/18618 |

Description

This issue aims to execute some manual smoke and backward compatibility tests related to https://github.com/wazuh/wazuh/issues/18219 changes

Proposed checks

Check current manager (v4.5.2-rc1) behavior with older Wazuh Agents on different OS families

From version to version, upgrading is the method to be used.

Scope and history

Preconditions

Expected results

For 4.1.5 agents:

jnasselle commented 1 year ago

DEB - Ubuntu 22.04 LTS :red_circle:

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: 58346f6ed610
   IP address: any
   Status:     Disconnected

   Operating system:    Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version:      Wazuh v4.1.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693324872

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/002/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:11: No such file or directory

  - Second scan: new package detection

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7zip",
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:14: No such file or directory
/var/ossec/logs/ossec.log:2023/08/29 16:14:07 wazuh-db[18548] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: package save 1500947758|2023/08/29 16:14:07|deb|7zip|optional|utils|2396|Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com|NULL|21.07+dfsg-4|amd64|NULL|NULL|7-Zip file archiver with a high compression ratio|NULL|569f6ff9040271f10542b6ca7e8afd8055b7a7de

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:20: No such file or directory

  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: package" | grep $TESTPACKAGE
grep: 16:20: No such file or directory


## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.7-1_amd64.deb

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: 58346f6ed610
   IP address: any
   Status:     Active

   Operating system:    Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version:      Wazuh v4.2.7
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693326449

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "DB($AGENTID) syscollector_packages" | grep $TESTPACKAGE
grep: 16:26: No such file or directory

  - Second scan: new package detection

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# LASTSCAN=$(curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time' | date +"%Y/%m/%d %H:%M" -f -)
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7zip",
[root@wazuh-server wazuh-user]# grep -A10000 $LASTSCAN /var/ossec/logs/ossec.log | grep "Agent $AGENTID query: syscollector_packages" | grep $TESTPACKAGE
grep: 16:32: No such file or directory
/var/ossec/logs/ossec.log:2023/08/29 16:32:35 wazuh-db[20214] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 16:32:35","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 16:32:35 wazuh-db[20214] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 16:32:35","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}

  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 16:32:35 wazuh-db[20214] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 16:32:35","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}

## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.4.5-1_amd64.deb

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: 58346f6ed610
   IP address: any
   Status:     Active

   Operating system:    Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version:      Wazuh v4.4.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693328438

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager

  - First scan: no package :green_circle:

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-29T17:00:38+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE

  - Second scan: new package detection :red_circle:

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-29T17:03:38+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7zip",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 17:03:39 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: dbsync packages INSERTED {"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:38","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"}
2023/08/29 17:03:42 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:42","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-29T17:12:44+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/29 17:03:39 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: dbsync packages INSERTED {"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:38","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"}
2023/08/29 17:03:42 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: syscollector_packages save2 {"attributes":{"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:03:42","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"},"index":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","timestamp":""}
2023/08/29 17:12:45 wazuh-db[22172] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 002 query: dbsync packages DELETED {"architecture":"amd64","checksum":"69d774cf970b11a6cac9c87f9792a1de1e9049fa","description":"7-Zip file archiver with a high compression ratio","format":"deb","groups":"utils","install_time":null,"item_id":"569f6ff9040271f10542b6ca7e8afd8055b7a7de","location":null,"multiarch":null,"name":"7zip","priority":"optional","scan_time":"2023/08/29 17:12:44","size":2396,"source":null,"vendor":"Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com","version":"21.07+dfsg-4"}
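
The log lines in the comment above show three wazuh-db message shapes for package inventory: `package save` (pipe-delimited), `syscollector_packages save2` (JSON under `attributes`) and `dbsync packages INSERTED`/`DELETED` (flat JSON). The following is an added example, not part of the original issue or of Wazuh's code, that parses all three and replays them into a per-agent inventory; the sample lines, agent IDs and item IDs are constructed, and the pipe-field positions are inferred from the lines quoted above.

```python
import json
import re
from dataclasses import dataclass

# Shape of the wazuh-db debug lines quoted in this issue. search() is used so an
# optional "/var/ossec/logs/ossec.log:" prefix added by grep is skipped.
LINE_RE = re.compile(
    r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} wazuh-db\[\d+\] .*?"
    r"DEBUG: Agent (?P<agent>\d+) query: (?P<query>.+)$"
)
DBSYNC_RE = re.compile(r"dbsync packages (?P<op>[A-Z]+) (?P<body>\{.*)$")
LEGACY_PREFIX = "package save "
SAVE2_PREFIX = "syscollector_packages save2 "
# Assumption: field positions inferred from the pipe-delimited samples on this page.
LEGACY_NAME, LEGACY_VERSION, LEGACY_ITEM_ID = 3, 9, 15


@dataclass(frozen=True)
class PackageEvent:
    agent: str
    kind: str     # "legacy", "save2" or "dbsync" (labels chosen for this example)
    op: str       # "SAVE", "INSERTED" or "DELETED"
    name: str
    version: str
    item_id: str


def _from_json(agent, kind, op, body, nested):
    """Build an event from a JSON payload; None if truncated or missing keys."""
    try:
        doc = json.loads(body)
        attrs = doc["attributes"] if nested else doc
        return PackageEvent(agent, kind, op,
                            attrs["name"], attrs["version"], attrs["item_id"])
    except (ValueError, KeyError, TypeError):
        return None


def parse_line(line):
    """Return a PackageEvent for a package-related wazuh-db line, else None."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    agent, query = m["agent"], m["query"]
    if query.startswith(LEGACY_PREFIX):
        parts = query[len(LEGACY_PREFIX):].split("|")
        if len(parts) <= LEGACY_ITEM_ID:
            return None  # line cut short
        return PackageEvent(agent, "legacy", "SAVE", parts[LEGACY_NAME],
                            parts[LEGACY_VERSION], parts[LEGACY_ITEM_ID])
    if query.startswith(SAVE2_PREFIX):
        return _from_json(agent, "save2", "SAVE", query[len(SAVE2_PREFIX):], True)
    d = DBSYNC_RE.match(query)
    if d and d["op"] in ("INSERTED", "DELETED"):
        return _from_json(agent, "dbsync", d["op"], d["body"], False)
    return None


def replay(lines):
    """Replay events in order. Returns (inventory, explicit_deletes).

    Only dbsync carries a DELETED event. For the legacy and save2 shapes the
    log after a removal still holds just the earlier save line (as in the
    4.1.5 and 4.2.7 runs above), so the package stays in the replayed
    inventory and removal has to be confirmed through the API instead.
    """
    inventory, explicit_deletes = {}, set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pkgs = inventory.setdefault(ev.agent, {})
        if ev.op == "DELETED":
            pkgs.pop(ev.item_id, None)
            explicit_deletes.add((ev.agent, ev.item_id))
        else:
            pkgs[ev.item_id] = ev
            explicit_deletes.discard((ev.agent, ev.item_id))
    return inventory, explicit_deletes


def kinds_by_agent(lines):
    """Which message shapes each agent produced, e.g. {"012": {"dbsync"}}."""
    seen = {}
    for ev in filter(None, map(parse_line, lines)):
        seen.setdefault(ev.agent, set()).add(ev.kind)
    return seen


_HDR = "wazuh-db[100] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent"
# Constructed sample lines modelled on the formats quoted in this issue.
SAMPLE_LOG = [
    f"2023/08/29 16:14:07 {_HDR} 010 query: package save 1|2023/08/29 16:14:07|deb|"
    "examplepkg|optional|utils|10|Example Vendor|NULL|1.0-1|amd64|NULL|NULL|"
    "Example package|NULL|aaaa1111",
    f"/var/ossec/logs/ossec.log:2023/08/29 16:32:35 {_HDR} 011 query: "
    'syscollector_packages save2 {"attributes":{"name":"examplepkg",'
    '"version":"1.0-1","item_id":"bbbb2222"},"index":"bbbb2222","timestamp":""}',
    f"2023/08/29 17:03:39 {_HDR} 012 query: dbsync packages INSERTED "
    '{"name":"examplepkg","version":"1.0-1","item_id":"cccc3333"}',
    f"2023/08/29 17:12:45 {_HDR} 012 query: dbsync packages DELETED "
    '{"name":"examplepkg","version":"1.0-1","item_id":"cccc3333"}',
    "2023/08/29 17:12:46 wazuh-db[100] unrelated line",
]

if __name__ == "__main__":
    inv, deleted = replay(SAMPLE_LOG)
    for agent in sorted(inv):
        print(agent, sorted(p.name for p in inv[agent].values()))
    print("explicit deletes:", sorted(deleted))
```
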

jnasselle commented 1 year ago

MSI - Windows Server 2022 :green_circle:

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: WIN-FO8Q4O72AK8
   IP address: any
   Status:     Active

   Operating system:    Microsoft Windows Server 2022 Standard Evaluation
   Client version:      Wazuh v4.1.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693393139

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

[root@wazuh-server wazuh-user]# AGENTID=003
[root@wazuh-server wazuh-user]# TESTPACKAGE=7zip
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T10:59:33+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE

  - Second scan: new package detection

[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:02:33+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7-Zip 23.01 (x64 edition)",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:02:33 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: package save 289995595|2023/08/30 11:02:33|win|7-Zip 23.01 (x64 edition)|NULL|NULL|NULL|Igor Pavlov|20230830|23.01.00.0|x86_64|NULL|NULL|NULL|NULL|953f5b92ba965da6e7d631d9801966069ff93c4b

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:05:33+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:02:33 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: package save 289995595|2023/08/30 11:02:33|win|7-Zip 23.01 (x64 edition)|NULL|NULL|NULL|Igor Pavlov|20230830|23.01.00.0|x86_64|NULL|NULL|NULL|NULL|953f5b92ba965da6e7d631d9801966069ff93c4b


## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.7-1.msi

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: WIN-FO8Q4O72AK8
   IP address: any
   Status:     Active

   Operating system:    Microsoft Windows Server 2022 Standard Evaluation
   Client version:      Wazuh v4.2.7
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693393926

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:24:20+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE

  - Second scan: new package detection

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:15:49+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7-Zip 23.01 (x64 edition)",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:12:49 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:12:49","vendor":"Igor Pavlov","version":"23.01.00.0"},"index":"953f5b92ba965da6e7d631d9801966069ff93c4b","timestamp":""}

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:18:50+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:12:49 wazuh-db[19381] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:12:49","vendor":"Igor Pavlov","version":"23.01.00.0"},"index":"953f5b92ba965da6e7d631d9801966069ff93c4b","timestamp":""}


## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.4.5-1_amd64.deb

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: 58346f6ed610
   IP address: any
   Status:     Active

   Operating system:    Linux |58346f6ed610 |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version:      Wazuh v4.4.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693328438

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager

  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:24:20+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE

  - Second scan: new package detection :red_circle:

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:27:26+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "7-Zip 23.01 (x64 edition)",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:27:26 wazuh-db[21340] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:27:26","vendor":"Igor Pavlov","version":"23.01.00.0"}

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T11:30:31+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 11:27:26 wazuh-db[21340] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","format":"win","install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"name":"7-Zip 23.01 (x64 edition)","scan_time":"2023/08/30 11:27:26","vendor":"Igor Pavlov","version":"23.01.00.0"}
2023/08/30 11:30:32 wazuh-db[21340] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 003 query: dbsync packages DELETED {"architecture":"x86_64","checksum":"e63c0b1b58f203ab98849cbb145e9c7ba399abe5","description":null,"format":"win","groups":null,"install_time":"20230830","item_id":"953f5b92ba965da6e7d631d9801966069ff93c4b","location":null,"multiarch":null,"name":"7-Zip 23.01 (x64 edition)","priority":null,"scan_time":"2023/08/30 11:30:31","size":0,"source":null,"vendor":"Igor Pavlov","version":"23.01.00.0"}

jnasselle commented 1 year ago

RPM (BerkeleyDB database) - Amazon Linux 2 :red_circle:

Agent info

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: 14d8320b0aed
   IP address: any
   Status:     Active

   Operating system:    Linux |14d8320b0aed |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version:      Wazuh v4.1.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693398519

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown
  - Second scan: new package detection

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:33:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "tree",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 12:33:41 wazuh-db[23099] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: package save 1794708488|2023/08/30 12:33:39|rpm|tree|NULL|Applications/File|83|Amazon Linux|2023/08/30 12:32:16|1.6.0-10.amzn2.0.1|x86_64|NULL|tree-1.6.0-10.amzn2.0.1.src.rpm|File system tree viewer|NULL|9e25b1d02942003bd23c49399339950088eaf575

  - Third scan: package removal

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:38:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 12:33:41 wazuh-db[23099] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: package save 1794708488|2023/08/30 12:33:39|rpm|tree|NULL|Applications/File|83|Amazon Linux|2023/08/30 12:32:16|1.6.0-10.amzn2.0.1|x86_64|NULL|tree-1.6.0-10.amzn2.0.1.src.rpm|File system tree viewer|NULL|9e25b1d02942003bd23c49399339950088eaf575


## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/yum/wazuh-agent-4.2.7-1.x86_64.rpm

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: 14d8320b0aed
   IP address: any
   Status:     Active

   Operating system:    Linux |14d8320b0aed |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version:      Wazuh v4.2.7
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1693399666

   Syscheck last started at:  Unknown
   Syscheck last ended at:    Unknown

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:47:39+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE

  - Second scan: new package detection

[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:52:40+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "tree",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 12:52:42 wazuh-db[24498] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1ddf5f3d2908c71dc74be48f388df7d98ada699e","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693399711","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 12:52:41","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""}

  - Third scan: package removal

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T12:57:41+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 12:52:42 wazuh-db[24498] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1ddf5f3d2908c71dc74be48f388df7d98ada699e","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693399711","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 12:52:41","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""}
[root@wazuh-server wazuh-user]#
```


## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/yum/wazuh-agent-4.4.5-1.x86_64.rpm

```console
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID: 004
   Agent Name: 14d8320b0aed
   IP address: any
   Status: Active

   Operating system: Linux |14d8320b0aed |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version: Wazuh v4.4.5
   Configuration hash: ab73af41699f13fdd81903b5f23d8d00
   Shared file hash: 4a8724b20dee0124ff9656783c490c4e
   Last keep alive: 1693400556

   Syscheck last started at: Unknown
   Syscheck last ended at: Unknown
```

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager

  - First scan: no package

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T13:01:18+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
```

  - Second scan: new package detection :red_circle:

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T13:06:18+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "tree",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 13:06:18 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:18","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"}
2023/08/30 13:06:21 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:21","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""}
```

  - Third scan: package removal

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T13:11:20+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 13:06:18 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:18","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"}
2023/08/30 13:06:21 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","name":"tree","scan_time":"2023/08/30 13:06:21","size":85345,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"},"index":"9e25b1d02942003bd23c49399339950088eaf575","timestamp":""}
2023/08/30 13:11:20 wazuh-db[25944] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 004 query: dbsync packages DELETED {"architecture":"x86_64","checksum":"1a6acd803bdab9bffbef01baeea0e108a0411ccc","description":"File system tree viewer","format":"rpm","groups":"Applications/File","install_time":"1693400609","item_id":"9e25b1d02942003bd23c49399339950088eaf575","location":null,"multiarch":null,"name":"tree","priority":null,"scan_time":"2023/08/30 13:11:20","size":85345,"source":null,"vendor":"Amazon Linux","version":"1.6.0-10.amzn2.0.1"}
```

jnasselle commented 1 year ago

RPM - OpenSUSE Tumbleweed :red_circle:

```console
Wazuh agent_control. Agent information:
   Agent ID: 005
   Agent Name: 00e7e3eeaabf
   IP address: any
   Status: Active

   Operating system: Linux |00e7e3eeaabf |5.15.125-1-MANJARO |#1 SMP PREEMPT Wed Aug 9 06:31:14 UTC 2023 |x86_64
   Client version: Wazuh v4.4.5
   Configuration hash: ab73af41699f13fdd81903b5f23d8d00
   Shared file hash: 4a8724b20dee0124ff9656783c490c4e
   Last keep alive: 1693418923

   Syscheck last started at: Unknown
   Syscheck last ended at: Unknown
```

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager

  - First scan: no package

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T18:08:43+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
```

  - Second scan: new package detection :red_circle:

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T18:11:43+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "tree",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 18:11:44 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 18:11:43","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"}
2023/08/30 18:11:47 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 18:11:47","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"},"index":"ab3a3e4eb745f4ed3816731ff4480553ed590198","timestamp":""}
```

  - Third scan: package removal

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T18:17:47+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 18:11:44 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: dbsync packages INSERTED {"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 18:11:43","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"}
2023/08/30 18:11:47 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: syscollector_packages save2 {"attributes":{"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","name":"tree","scan_time":"2023/08/30 18:11:47","size":146359,"vendor":"openSUSE","version":"2.1.1-1.2"},"index":"ab3a3e4eb745f4ed3816731ff4480553ed590198","timestamp":""}
2023/08/30 18:17:48 wazuh-db[30247] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 005 query: dbsync packages DELETED {"architecture":"x86_64","checksum":"2fea36714f2aaabbf6530b0ca166d28f8e1f5346","description":"Tree is a recursive directory listing command that produces a depth\nindented listing of files, which is colorized ala dircolors if the\nLS_COLORS environment variable is set and output is to tty.","format":"rpm","groups":"Productivity/File utilities","install_time":"1693418974","item_id":"ab3a3e4eb745f4ed3816731ff4480553ed590198","location":null,"multiarch":null,"name":"tree","priority":null,"scan_time":"2023/08/30 18:17:47","size":146359,"source":null,"vendor":"openSUSE","version":"2.1.1-1.2"}
```

jnasselle commented 1 year ago

RPM - Solaris 11.3 :green_circle:

```console
Wazuh agent_control. Agent information:
   Agent ID: 006
   Agent Name: solaris
   IP address: any
   Status: Active

   Operating system: SunOS |solaris |5.11 |11.3 |i86pc
   Client version: Wazuh v4.4.5
   Configuration hash: ab73af41699f13fdd81903b5f23d8d00
   Shared file hash: 4a8724b20dee0124ff9656783c490c4e
   Last keep alive: 1693421923

   Syscheck last started at: Unknown
   Syscheck last ended at: Unknown
```

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager

  - First scan: no package

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T18:57:55+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
```

  - Second scan: new package detection :red_circle:

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-30T19:02:55+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "p7zip",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/30 19:02:55 wazuh-db[32240] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 006 query: dbsync packages INSERTED {"architecture":"i386","checksum":"83cc5b3e0dad9a2dcc160a0d12af2f1004efdb82","description":"p7zip - File archiver with high compression ratio","format":"pkg","groups":"application","install_time":"2023/08/30 15:01:00","item_id":"c14458a3bc5f6b9e677700bb2c27ce22c9bc7d3c","location":null,"multiarch":null,"name":"p7zip","priority":null,"scan_time":"2023/08/30 19:02:55","size":0,"source":" ","vendor":"http://p7zip.sourceforge.net/ packaged for CSW by Maciej Blizinski","version":"9.20.1"}
```

jnasselle commented 1 year ago

macOS Ventura :green_circle:

```console
Wazuh agent_control. Agent information:
   Agent ID: 001
   Agent Name: Maquina-virtual-de-wazuh.local
   IP address: any
   Status: Active

   Operating system: Darwin |Maquina-virtual-de-wazuh.local |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:19 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_VMAPPLE |x86_64
   Client version: Wazuh v4.1.5
   Configuration hash: ab73af41699f13fdd81903b5f23d8d00
   Shared file hash: 4a8724b20dee0124ff9656783c490c4e
   Last keep alive: 1693490521

   Syscheck last started at: Unknown
   Syscheck last ended at: Unknown
```

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T11:01:35+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
```

  - Second scan: new package detection

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T11:05:35+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "Keka",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/31 14:05:36 wazuh-db[12662] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: package save 1555793785|2023/08/31 11:05:35|pkg|Keka|NULL|public.app-category.utilities|NULL|NULL|NULL|1.3.3|NULL|NULL|NULL|com.aone.keka|/Applications/Keka.app|fed9948f69db2bbb139c4b301d61be20736c168c
```

  - Third scan: package removal

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T11:09:35+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/31 14:05:36 wazuh-db[12662] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: package save 1555793785|2023/08/31 11:05:35|pkg|Keka|NULL|public.app-category.utilities|NULL|NULL|NULL|1.3.3|NULL|NULL|NULL|com.aone.keka|/Applications/Keka.app|fed9948f69db2bbb139c4b301d61be20736c168c
```


## Wazuh Agent 4.2.7
Package: https://packages.wazuh.com/4.x/macos/wazuh-agent-4.2.7-1.pkg

```console
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID: 001
   Agent Name: Maquina-virtual-de-wazuh.local
   IP address: any
   Status: Active

   Operating system: Darwin |Maquina-virtual-de-wazuh.local |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:19 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_VMAPPLE |x86_64
   Client version: Wazuh v4.2.7
   Configuration hash: ab73af41699f13fdd81903b5f23d8d00
   Shared file hash: 4a8724b20dee0124ff9656783c490c4e
   Last keep alive: 1693491129

   Syscheck last started at: Unknown
   Syscheck last ended at: Unknown
```

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager
  - First scan: no package

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T14:10:28+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
```

  - Second scan: new package detection

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T14:14:30+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "Keka",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/31 14:14:48 wazuh-db[14485] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: syscollector_packages save2 {"attributes":{"architecture":null,"checksum":"54014c7d1447692c1175af81e98cab001940737c","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","item_id":"fed9948f69db2bbb139c4b301d61be20736c168c","location":"/Applications/Keka.app/Contents/Info.plist","name":"Keka","scan_time":"2023/08/31 14:14:48","source":"utilities","version":"1.3.3"},"index":"fed9948f69db2bbb139c4b301d61be20736c168c","timestamp":""}
```

  - Third scan: package removal

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T14:18:32+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/31 14:14:48 wazuh-db[14485] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: syscollector_packages save2 {"attributes":{"architecture":null,"checksum":"54014c7d1447692c1175af81e98cab001940737c","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","item_id":"fed9948f69db2bbb139c4b301d61be20736c168c","location":"/Applications/Keka.app/Contents/Info.plist","name":"Keka","scan_time":"2023/08/31 14:14:48","source":"utilities","version":"1.3.3"},"index":"fed9948f69db2bbb139c4b301d61be20736c168c","timestamp":""}
```


## Wazuh Agent 4.4.5
Package: https://packages.wazuh.com/4.x/macos/wazuh-agent-4.4.5-1.pkg

```console
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID: 001
   Agent Name: Maquina-virtual-de-wazuh.local
   IP address: any
   Status: Active

   Operating system: Darwin |Maquina-virtual-de-wazuh.local |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:19 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_VMAPPLE |x86_64
   Client version: Wazuh v4.4.5
   Configuration hash: ab73af41699f13fdd81903b5f23d8d00
   Shared file hash: 4a8724b20dee0124ff9656783c490c4e
   Last keep alive: 1693491700

   Syscheck last started at: Unknown
   Syscheck last ended at: Unknown
```

- Agent
  - First scan: no package
  - Second scan: new package detection
  - Third scan: package removal
  - First scan: no package
- Manager

  - First scan: no package

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T14:21:34+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
```

  - Second scan: new package detection

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T14:23:34+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
"name": "Keka",
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/31 14:23:35 wazuh-db[16280] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: dbsync packages INSERTED {"architecture":" ","checksum":"74d2ce58ac8206cfe99fc64b3361fd61025ea1b1","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","install_time":" ","item_id":"b9daec2d30cfb17dc2c990002bf4b3c6ec42de5d","location":"/Applications/Keka.app/Contents/Info.plist","multiarch":" ","name":"Keka","priority":" ","scan_time":"2023/08/31 14:23:34","size":0,"source":"utilities","vendor":"aone","version":"1.3.3"}
```

  - Third scan: package removal

```console
[root@wazuh-server wazuh-user]# TOKEN=$(curl -s -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/os?select=scan.time&pretty=true" -H "Authorization: Bearer $TOKEN" | jq -r '.data.affected_items[0].scan.time'
2023-08-31T14:25:45+00:00
[root@wazuh-server wazuh-user]# curl -s -k -X GET "https://localhost:55000/syscollector/$AGENTID/packages?select=name&pretty=true" -H "Authorization: Bearer $TOKEN" | grep $TESTPACKAGE
[root@wazuh-server wazuh-user]# grep "Agent $AGENTID query:" /var/ossec/logs/ossec.log| grep $TESTPACKAGE
2023/08/31 14:23:35 wazuh-db[16280] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: dbsync packages INSERTED {"architecture":" ","checksum":"74d2ce58ac8206cfe99fc64b3361fd61025ea1b1","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","install_time":" ","item_id":"b9daec2d30cfb17dc2c990002bf4b3c6ec42de5d","location":"/Applications/Keka.app/Contents/Info.plist","multiarch":" ","name":"Keka","priority":" ","scan_time":"2023/08/31 14:23:34","size":0,"source":"utilities","vendor":"aone","version":"1.3.3"}
2023/08/31 14:25:46 wazuh-db[16280] wdb_parser.c:263 at wdb_parse(): DEBUG: Agent 001 query: dbsync packages DELETED {"architecture":" ","checksum":"74d2ce58ac8206cfe99fc64b3361fd61025ea1b1","description":"com.aone.keka","format":"pkg","groups":"public.app-category.utilities","install_time":" ","item_id":"b9daec2d30cfb17dc2c990002bf4b3c6ec42de5d","location":"/Applications/Keka.app/Contents/Info.plist","multiarch":" ","name":"Keka","priority":" ","scan_time":"2023/08/31 14:25:45","size":0,"source":"utilities","vendor":"aone","version":"1.3.3"}
```
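
The wazuh-db debug lines quoted in the comments above come in three shapes: `package save` (pipe-delimited), `syscollector_packages save2` (JSON under `attributes`) and `dbsync packages INSERTED`/`DELETED` (flat JSON). The following Python script is an added example, not part of the issue or of Wazuh's code: it parses all three, re-joins records that were wrapped mid-line, and reports per agent and package which formats appeared and what the last logged operation was. The function names and the sample log are constructed for illustration, and the legacy field positions (name at index 3, version at index 9) are an assumption read off the Keka sample line on this page.

```python
import json
import re
from collections import defaultdict

# Header shared by every wazuh-db DEBUG line quoted in the comments above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-db\[\d+\] .*?"
    r"DEBUG: Agent (?P<agent>\d+) query: (?P<query>.*)$"
)
# A new record starts with "date time " (space after the seconds). A fragment
# that begins with a JSON scan_time value is followed by a quote instead.
RECORD_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")


def join_wrapped(lines):
    """Re-attach continuation fragments to the record they were cut from."""
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse_line(line):
    """Return (timestamp, agent, protocol, operation, name, version) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, agent, query = m["ts"], m["agent"], m["query"]
    try:
        if query.startswith("package save "):
            # Pipe-delimited format; positions 3 (name) and 9 (version) are
            # an assumption read off the Keka sample line on this page.
            fields = query[len("package save "):].split("|")
            return ts, agent, "legacy", "SAVE", fields[3], fields[9]
        if query.startswith("syscollector_packages save2 "):
            attrs = json.loads(query.split(" ", 2)[2])["attributes"]
            return ts, agent, "save2", "SAVE", attrs["name"], attrs["version"]
        if query.startswith("dbsync packages "):
            _, _, operation, payload = query.split(" ", 3)
            pkg = json.loads(payload)
            return ts, agent, "dbsync", operation, pkg["name"], pkg["version"]
    except (IndexError, KeyError, TypeError, ValueError):
        return None  # truncated or malformed payload
    return None


def summarize(lines):
    """Map (agent, package) to the protocols seen and the last operation."""
    summary = defaultdict(
        lambda: {"protocols": set(), "last_op": None, "last_seen": None}
    )
    for record in join_wrapped(lines):
        event = parse_line(record)
        if event is None:
            continue
        ts, agent, protocol, operation, name, _version = event
        entry = summary[(agent, name)]
        entry["protocols"].add(protocol)
        entry["last_op"], entry["last_seen"] = operation, ts
    return dict(summary)


# --- Constructed sample input (not taken from the issue) ---
def _sample(ts, agent, query):
    return (f"{ts} wazuh-db[1000] wdb_parser.c:263 at wdb_parse(): "
            f"DEBUG: Agent {agent} query: {query}")


PKG = '{"name":"demo-pkg","version":"1.0.0","description":"demo package"}'
SAVE2 = ('syscollector_packages save2 {"attributes":' + PKG
         + ',"index":"placeholder-id","timestamp":""}')
SAMPLE_LOG = [
    _sample("2023/01/01 10:00:00", "101",
            "package save 1|2023/01/01 10:00:00|pkg|demo-pkg|NULL|utils"
            "|NULL|NULL|NULL|1.0.0|NULL|NULL|NULL|demo|/opt/demo|placeholder-id"),
    _sample("2023/01/01 10:05:00", "102", SAVE2),
    _sample("2023/01/01 10:10:00", "103", "dbsync packages INSERTED " + PKG),
    _sample("2023/01/01 10:10:03", "103", SAVE2),
    # DELETED record split inside a string value, as happens when a long
    # log line is wrapped in a paste.
    _sample("2023/01/01 10:15:00", "103",
            'dbsync packages DELETED {"name":"demo-pkg","version":"1.0.0",'
            '"description":"demo '),
    'package"}',
]

if __name__ == "__main__":
    for (agent, name), entry in sorted(summarize(SAMPLE_LOG).items()):
        print(agent, name, sorted(entry["protocols"]),
              entry["last_op"], entry["last_seen"])
```

For agents whose lines are only `package save` or `save2`, the greps in the comments above show no per-package removal record, so `last_op` stays `SAVE` after the package is removed; only the `dbsync` format logs a `DELETED` line by package name.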

BelenValdivia commented 1 year ago

LGTM!

davidjiglesias commented 1 year ago

LGTM!