wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Validate package detection by Syscollector #4731

Closed Deblintrake09 closed 11 months ago

Deblintrake09 commented 11 months ago

Description

During development of https://github.com/wazuh/wazuh-qa/issues/4590 it was detected that Grafana packages are not detected by Syscollector on Ubuntu amd64 systems.

This Issue aims to check if the issue is present in 4.7.0 or was introduced in 4.8.0.

Deblintrake09 commented 11 months ago

Research Update

4.7.0

# curl -OL https://dl.grafana.com/enterprise/release/grafana-enterprise_8.5.5_amd64.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 83.6M  100 83.6M    0     0  72.3M      0  0:00:01  0:00:01 --:--:-- 72.4M
root@ip-172-31-1-141:/home/qa# apt install ./grafana-enterprise_8.5.5_amd64.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'grafana-enterprise' instead of './grafana-enterprise_8.5.5_amd64.deb'
The following packages were automatically installed and are no longer required:
  libpython2-dev libpython2.7 libpython2.7-dev linux-image-5.13.0-1021-aws linux-modules-5.13.0-1021-aws python2-dev python2.7-dev
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  grafana-enterprise
0 upgraded, 1 newly installed, 0 to remove and 300 not upgraded.
Need to get 0 B/87.7 MB of archives.
After this operation, 296 MB of additional disk space will be used.
Get:1 /home/qa/grafana-enterprise_8.5.5_amd64.deb grafana-enterprise amd64 8.5.5 [87.7 MB]
Selecting previously unselected package grafana-enterprise.
(Reading database ... 120486 files and directories currently installed.)
Preparing to unpack .../grafana-enterprise_8.5.5_amd64.deb ...
Unpacking grafana-enterprise (8.5.5) ...
Setting up grafana-enterprise (8.5.5) ...
Adding system user `grafana' (UID 114) ...
Adding new user `grafana' (UID 114) with group `grafana' ...
Not creating home directory `/usr/share/grafana'.
### NOT starting on installation, please execute the following statements to configure grafana to start automatically using systemd
 sudo /bin/systemctl daemon-reload
 sudo /bin/systemctl enable grafana-server
### You can start grafana-server by executing
 sudo /bin/systemctl start grafana-server
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.0 Stopped
Starting Wazuh v4.7.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

#  sudo /bin/systemctl start grafana-server
# systemctl status grafana-server
● grafana-server.service - Grafana instance
     Loaded: loaded (/lib/systemd/system/grafana-server.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-11-29 09:59:11 UTC; 12s ago
       Docs: http://docs.grafana.org
   Main PID: 7335 (grafana-server)
      Tasks: 7 (limit: 4623)
     Memory: 35.1M
        CPU: 1.091s
     CGroup: /system.slice/grafana-server.service
             └─7335 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/run/grafana/grafana-server.pid --packaging=deb cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:de>

# cat /var/ossec/logs/alerts/alerts.json | grep grafana
{"timestamp":"2023-11-29T09:54:22.318+0000","rule":{"level":7,"description":"Dpkg (Debian Package) half configured.","id":"2904","firedtimes":3,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"001","name":"ip-172-31-1-141","ip":"172.31.1.141"},"manager":{"name":"ip-172-31-10-100"},"id":"1701251662.1887473","full_log":"2023-11-29 09:54:20 status half-configured grafana-enterprise:amd64 8.5.5","decoder":{"name":"dpkg-decoder"},"data":{"dpkg_status":"status half-configured","package":"grafana-enterprise","arch":"amd64","version":"8.5.5"},"location":"/var/log/dpkg.log"}
{"timestamp":"2023-11-29T09:54:22.318+0000","rule":{"level":7,"description":"New dpkg (Debian Package) installed.","id":"2902","firedtimes":3,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"001","name":"ip-172-31-1-141","ip":"172.31.1.141"},"manager":{"name":"ip-172-31-10-100"},"id":"1701251662.1887972","full_log":"2023-11-29 09:54:20 status installed grafana-enterprise:amd64 8.5.5","decoder":{"name":"dpkg-decoder"},"data":{"dpkg_status":"status installed","package":"grafana-enterprise","arch":"amd64","version":"8.5.5"},"location":"/var/log/dpkg.log"}
{"timestamp":"2023-11-29T09:59:12.931+0000","rule":{"level":4,"description":"First time user executed sudo.","id":"5403","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"]},"agent":{"id":"001","name":"ip-172-31-1-141","ip":"172.31.1.141"},"manager":{"name":"ip-172-31-10-100"},"id":"1701251952.1889931","full_log":"Nov 29 09:59:11 ip-172-31-1-141 sudo:     root : TTY=pts/1 ; PWD=/home/qa ; USER=root ; COMMAND=/bin/systemctl start grafana-server","predecoder":{"program_name":"sudo","timestamp":"Nov 29 09:59:11","hostname":"ip-172-31-1-141"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"root","dstuser":"root","tty":"pts/1","pwd":"/home/qa","command":"/bin/systemctl start grafana-server"},"location":"/var/log/auth.log"}
{"timestamp":"2023-11-29T10:01:41.089+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-1-141","ip":"172.31.1.141"},"manager":{"name":"ip-172-31-10-100"},"id":"1701252101.1891145","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 467/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 467/systemd-resolve\nudp 172.31.1.141:68 0.0.0.0:* 465/systemd-network","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 467/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 467/systemd-resolve\nudp 172.31.1.141:68 0.0.0.0:* 465/systemd-network\ntcp6 :::3000 :::* 7335/grafana-server","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 467/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 467/systemd-resolve\nudp 172.31.1.141:68 0.0.0.0:* 465/systemd-network","location":"netstat listening ports"}


4.7.0

# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: ip-172-31-9-42
   IP address: any
   Status:     Active

   Operating system:    Linux |ip-172-31-9-42 |5.15.0-1015-aws |#19-Ubuntu SMP Wed Jun 22 17:44:56 UTC 2022 |x86_64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1701261158

   Syscheck last started at:  Wed Nov 29 12:32:39 2023 (Scan in progress)
   Syscheck last ended at:    Unknown

# curl -k -X GET "https://localhost:55000/syscollector/001/packages?search=grafana" -H  "Authorization: Bearer $TOKEN"
{"data": {"affected_items": [{"scan": {"id": 0, "time": "2023-11-29T12:33:31+00:00"}, "section": "default", "size": 289545, "version": "8.5.5", "description": "Grafana", "vendor": "contact@grafana.com", "name": "grafana-enterprise", "location": " ", "architecture": "amd64", "install_time": " ", "format": "deb", "source": " ", "priority": "extra", "agent_id": "001"}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "All specified syscollector information was returned", "error": 0}root@ip-172-31-0-192:/home/qa# 

# cat /var/ossec/logs/alerts/alerts.json | grep grafana
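The check performed by hand above (a dpkg "installed" alert in alerts.json followed by a query of the Syscollector packages endpoint) can be automated so that a missing or mismatched inventory entry is reported rather than eyeballed. The script below is an added example, not code from the wazuh-qa repository: it parses alerts.json lines for rule 2902 dpkg installs, reads the package list in the shape returned by `/syscollector/{agent_id}/packages`, and reconciles the two. The sample alerts and inventory response are constructed to match the fields shown in this issue; `fetch_inventory` is an assumed helper for live use against a manager and is not exercised offline.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample: two dpkg alerts and one unrelated sudo alert, shaped like
# the alerts.json lines in the issue (fields trimmed to the ones used here).
SAMPLE_ALERTS = [
    json.dumps({"rule": {"id": "2904", "groups": ["syslog", "dpkg", "config_changed"]},
                "agent": {"id": "001"},
                "data": {"dpkg_status": "status half-configured",
                         "package": "grafana-enterprise", "arch": "amd64", "version": "8.5.5"}}),
    json.dumps({"rule": {"id": "2902", "groups": ["syslog", "dpkg", "config_changed"]},
                "agent": {"id": "001"},
                "data": {"dpkg_status": "status installed",
                         "package": "grafana-enterprise", "arch": "amd64", "version": "8.5.5"}}),
    json.dumps({"rule": {"id": "5403", "groups": ["syslog", "sudo"]},
                "agent": {"id": "001"},
                "data": {"srcuser": "root", "command": "/bin/systemctl start grafana-server"}}),
]

# Constructed sample in the shape of the /syscollector/{agent_id}/packages response.
SAMPLE_INVENTORY = {
    "data": {"affected_items": [
        {"name": "grafana-enterprise", "version": "8.5.5", "architecture": "amd64",
         "format": "deb", "agent_id": "001"}],
        "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "All specified syscollector information was returned",
    "error": 0,
}


def dpkg_installed_packages(alert_lines, agent_id):
    """Return {package: (version, arch)} for dpkg 'status installed' alerts of one agent.

    Only the final 'status installed' transition counts; half-configured alerts
    (rule 2904) mean the package is not yet fully installed."""
    installed = {}
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json is append-only; a torn last line is normal
        if alert.get("agent", {}).get("id") != agent_id:
            continue
        if "dpkg" not in alert.get("rule", {}).get("groups", []):
            continue
        data = alert.get("data", {})
        if data.get("dpkg_status") != "status installed":
            continue
        installed[data["package"]] = (data.get("version"), data.get("arch"))
    return installed


def inventory_packages(api_response):
    """Return {name: (version, architecture)} from a Syscollector packages response."""
    if api_response.get("error", 0) != 0:
        raise ValueError(f"API error {api_response['error']}: {api_response.get('message')}")
    items = api_response["data"]["affected_items"]
    return {p["name"]: (p.get("version"), p.get("architecture")) for p in items}


def reconcile(installed, inventory):
    """Compare dpkg-confirmed installs against the Syscollector inventory.

    'missing' lists packages dpkg installed that the inventory does not show
    (the failure this issue investigates); 'mismatched' lists packages present
    with a different version or architecture."""
    missing = sorted(name for name in installed if name not in inventory)
    mismatched = {name: (installed[name], inventory[name])
                  for name in installed
                  if name in inventory and inventory[name] != installed[name]}
    return {"missing": missing, "mismatched": mismatched}


def fetch_inventory(base_url, agent_id, token, search=None, verify_tls=True):
    """Assumed helper: query the Wazuh API for an agent's packages (live use only).

    verify_tls=False reproduces the `curl -k` used in the issue against a lab
    manager with a self-signed certificate."""
    url = f"{base_url}/syscollector/{agent_id}/packages"
    if search:
        url += "?search=" + urllib.parse.quote(search)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    installed = dpkg_installed_packages(SAMPLE_ALERTS, "001")
    print(reconcile(installed, inventory_packages(SAMPLE_INVENTORY)))
```

Run against a real manager, `dpkg_installed_packages` takes the lines of `/var/ossec/logs/alerts/alerts.json` and `inventory_packages` takes the result of `fetch_inventory(...)`; an empty `missing` list after the next Syscollector scan is the pass condition, while a non-empty one reproduces the behaviour described in the issue description.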
Deblintrake09 commented 11 months ago

This issue will be closed as the error was not replicated. It will be reopened if flaky behavior reappears during test development.