Closed Skeptor closed 4 years ago
Executing SCA module with test policies.
OUTDATED. FIXED IN: https://github.com/wazuh/wazuh-qa/issues/97#issuecomment-515043629
wazuh-modulesd
==25992== HEAP SUMMARY:
==25992== in use at exit: 656,444 bytes in 3,878 blocks
==25992== total heap usage: 599,497 allocs, 595,619 frees, 781,553,673 bytes allocated
==25992==
==25992== 272 bytes in 1 blocks are possibly lost in loss record 75 of 120
==25992== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25992== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==25992== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==25992== by 0x5871227: allocate_stack (allocatestack.c:627)
==25992== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==25992== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==25992== by 0x13C705: CreateThread (pthreads_op.c:62)
==25992== by 0x112310: main (main.c:102)
==25992==
==25992== 1,904 bytes in 7 blocks are possibly lost in loss record 96 of 120
==25992== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25992== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==25992== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==25992== by 0x5871227: allocate_stack (allocatestack.c:627)
==25992== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==25992== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==25992== by 0x11226F: main (main.c:95)
==25992==
==25992== 2,021 bytes in 69 blocks are definitely lost in loss record 97 of 120
==25992== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25992== by 0x5B259B9: strdup (strdup.c:42)
==25992== by 0x16A01C: wm_sca_check_policy (wm_sca.c:786)
==25992== by 0x1688E0: wm_sca_read_files (wm_sca.c:473)
==25992== by 0x1682AB: wm_sca_start (wm_sca.c:352)
==25992== by 0x167C6C: wm_sca_main (wm_sca.c:233)
==25992== by 0x58706DA: start_thread (pthread_create.c:463)
==25992== by 0x5BA988E: clone (clone.S:95)
==25992==
==25992== 4,104 bytes in 1 blocks are possibly lost in loss record 104 of 120
==25992== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25992== by 0x50FFDAA: sqlite3MemMalloc (sqlite3.c:20790)
==25992== by 0x51007A2: mallocWithAlarm (sqlite3.c:24464)
==25992== by 0x510084B: sqlite3Malloc (sqlite3.c:24494)
==25992== by 0x510EC36: pcache1Alloc (sqlite3.c:45336)
==25992== by 0x510EF24: sqlite3PageMalloc (sqlite3.c:45479)
==25992== by 0x511F55F: allocateTempSpace (sqlite3.c:61560)
==25992== by 0x51218CA: btreeCursor (sqlite3.c:63234)
==25992== by 0x5121A3C: sqlite3BtreeCursor (sqlite3.c:63276)
==25992== by 0x513D44F: sqlite3VdbeExec (sqlite3.c:81807)
==25992== by 0x5136036: sqlite3Step (sqlite3.c:76693)
==25992== by 0x51361E4: sqlite3_step (sqlite3.c:76754)
==25992==
==25992== 16,226 bytes in 680 blocks are definitely lost in loss record 113 of 120
==25992== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25992== by 0x5B259B9: strdup (strdup.c:42)
==25992== by 0x16A18E: wm_sca_check_policy (wm_sca.c:794)
==25992== by 0x1688E0: wm_sca_read_files (wm_sca.c:473)
==25992== by 0x1682AB: wm_sca_start (wm_sca.c:352)
==25992== by 0x167C6C: wm_sca_main (wm_sca.c:233)
==25992== by 0x58706DA: start_thread (pthread_create.c:463)
==25992== by 0x5BA988E: clone (clone.S:95)
==25992==
==25992== LEAK SUMMARY:
==25992== definitely lost: 18,247 bytes in 749 blocks
==25992== indirectly lost: 0 bytes in 0 blocks
==25992== possibly lost: 6,280 bytes in 9 blocks
==25992== still reachable: 631,917 bytes in 3,120 blocks
==25992== of which reachable via heuristic:
==25992== length64 : 223,896 bytes in 124 blocks
==25992== suppressed: 0 bytes in 0 blocks
==25992== Reachable blocks (those to which a pointer was found) are not shown.
==25992== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==25992==
==25992== For counts of detected and suppressed errors, rerun with: -v
==25992== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
wazuh-db
==26310== HEAP SUMMARY:
==26310== in use at exit: 8,616 bytes in 3 blocks
==26310== total heap usage: 6,820 allocs, 6,817 frees, 3,779,460 bytes allocated
==26310==
==26310== LEAK SUMMARY:
==26310== definitely lost: 0 bytes in 0 blocks
==26310== indirectly lost: 0 bytes in 0 blocks
==26310== possibly lost: 272 bytes in 1 blocks
==26310== still reachable: 8,344 bytes in 2 blocks
==26310== suppressed: 0 bytes in 0 blocks
==26310== Rerun with --leak-check=full to see details of leaked memory
==26310==
==26310== For counts of detected and suppressed errors, rerun with: -v
==26310== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
ossec-analysisd
==3244== HEAP SUMMARY:
==3244== in use at exit: 12,184,373 bytes in 57,542 blocks
==3244== total heap usage: 404,722 allocs, 347,180 frees, 435,580,154 bytes allocated
==3244==
==3244== 12 bytes in 2 blocks are definitely lost in loss record 50 of 510
==3244== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x5B259B9: strdup (strdup.c:42)
==3244== by 0x171DBA: Read_Rules (rules-config.c:202)
==3244== by 0x1632A9: read_main_elements (config.c:95)
==3244== by 0x163F6A: ReadConfig (config.c:245)
==3244== by 0x11A7CC: GlobalConf (config.c:99)
==3244== by 0x1314C7: main (analysisd.c:382)
==3244==
==3244== 12 bytes in 2 blocks are definitely lost in loss record 51 of 510
==3244== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x5B259B9: strdup (strdup.c:42)
==3244== by 0x1722B7: Read_Rules (rules-config.c:232)
==3244== by 0x1632A9: read_main_elements (config.c:95)
==3244== by 0x163F6A: ReadConfig (config.c:245)
==3244== by 0x11A7CC: GlobalConf (config.c:99)
==3244== by 0x1314C7: main (analysisd.c:382)
==3244==
==3244== 22 bytes in 1 blocks are definitely lost in loss record 99 of 510
==3244== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x5B259B9: strdup (strdup.c:42)
==3244== by 0x1716F1: Read_Rules (rules-config.c:171)
==3244== by 0x1632A9: read_main_elements (config.c:95)
==3244== by 0x163F6A: ReadConfig (config.c:245)
==3244== by 0x11A7CC: GlobalConf (config.c:99)
==3244== by 0x1314C7: main (analysisd.c:382)
==3244==
==3244== 24 bytes in 2 blocks are definitely lost in loss record 111 of 510
==3244== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x5B259B9: strdup (strdup.c:42)
==3244== by 0x171FD5: Read_Rules (rules-config.c:216)
==3244== by 0x1632A9: read_main_elements (config.c:95)
==3244== by 0x163F6A: ReadConfig (config.c:245)
==3244== by 0x11A7CC: GlobalConf (config.c:99)
==3244== by 0x1314C7: main (analysisd.c:382)
==3244==
==3244== 30 bytes in 2 blocks are definitely lost in loss record 119 of 510
==3244== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x5B259B9: strdup (strdup.c:42)
==3244== by 0x171AD8: Read_Rules (rules-config.c:186)
==3244== by 0x1632A9: read_main_elements (config.c:95)
==3244== by 0x163F6A: ReadConfig (config.c:245)
==3244== by 0x11A7CC: GlobalConf (config.c:99)
==3244== by 0x1314C7: main (analysisd.c:382)
==3244==
==3244== 33 bytes in 1 blocks are definitely lost in loss record 123 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x122CDE: loadmemory (rules.c:1485)
==3244== by 0x11D14D: Rules_OP_ReadRules (rules.c:475)
==3244== by 0x131A85: main (analysisd.c:570)
==3244==
==3244== 104 bytes in 1 blocks are definitely lost in loss record 217 of 510
==3244== at 0x4C31D2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x122E19: loadmemory (rules.c:1507)
==3244== by 0x11D079: Rules_OP_ReadRules (rules.c:464)
==3244== by 0x131A85: main (analysisd.c:570)
==3244==
==3244== 148 (48 direct, 100 indirect) bytes in 1 blocks are definitely lost in loss record 251 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x122698: Rules_OP_ReadRules (rules.c:1321)
==3244== by 0x131A85: main (analysisd.c:570)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 293 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x131FDD: main (analysisd.c:705)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 294 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x154096: SecurityConfigurationAssessmentInit (security_configuration_assessment.c:72)
==3244== by 0x13205C: OS_ReadMSG (analysisd.c:747)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 295 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13261E: OS_ReadMSG (analysisd.c:887)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 296 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13263D: OS_ReadMSG (analysisd.c:890)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 297 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13265C: OS_ReadMSG (analysisd.c:893)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 298 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13267B: OS_ReadMSG (analysisd.c:896)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 299 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13269A: OS_ReadMSG (analysisd.c:899)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 300 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x1326B9: OS_ReadMSG (analysisd.c:902)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 301 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x1326D8: OS_ReadMSG (analysisd.c:905)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 272 bytes in 1 blocks are possibly lost in loss record 302 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x1328A0: OS_ReadMSG (analysisd.c:948)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 2,546 (472 direct, 2,074 indirect) bytes in 1 blocks are definitely lost in loss record 387 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x122FCF: zerorulemember (rules.c:1547)
==3244== by 0x11C543: Rules_OP_ReadRules (rules.c:299)
==3244== by 0x131A85: main (analysisd.c:570)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 400 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x132700: OS_ReadMSG (analysisd.c:909)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 401 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x132734: OS_ReadMSG (analysisd.c:914)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 402 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x132768: OS_ReadMSG (analysisd.c:919)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 403 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13279C: OS_ReadMSG (analysisd.c:924)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 404 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x1327D0: OS_ReadMSG (analysisd.c:929)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 405 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x132804: OS_ReadMSG (analysisd.c:934)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 406 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x13283B: OS_ReadMSG (analysisd.c:939)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== 3,264 bytes in 12 blocks are possibly lost in loss record 407 of 510
==3244== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3244== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==3244== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==3244== by 0x5871227: allocate_stack (allocatestack.c:627)
==3244== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==3244== by 0x1DEE08: CreateThreadJoinable (pthreads_op.c:47)
==3244== by 0x1DEEAF: CreateThread (pthreads_op.c:62)
==3244== by 0x132872: OS_ReadMSG (analysisd.c:944)
==3244== by 0x131FF8: main (analysisd.c:708)
==3244==
==3244== LEAK SUMMARY:
==3244== definitely lost: 757 bytes in 13 blocks
==3244== indirectly lost: 2,174 bytes in 7 blocks
==3244== possibly lost: 28,832 bytes in 106 blocks
==3244== still reachable: 12,152,610 bytes in 57,416 blocks
==3244== suppressed: 0 bytes in 0 blocks
==3244== Reachable blocks (those to which a pointer was found) are not shown.
==3244== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==3244==
==3244== For counts of detected and suppressed errors, rerun with: -v
==3244== ERROR SUMMARY: 27 errors from 27 contexts (suppressed: 0 from 0)
There was an error introduced merging 3.10 in the branch. The commit https://github.com/wazuh/wazuh/commit/2b6f8f6003090e3b527b97d223feb939e14ac330 solves the error.
This is the new Valgrind report of wazuh-modulesd
:
==15340== LEAK SUMMARY:
==15340== definitely lost: 0 bytes in 0 blocks
==15340== indirectly lost: 0 bytes in 0 blocks
==15340== possibly lost: 6,280 bytes in 9 blocks
==15340== still reachable: 1,407,980 bytes in 20,418 blocks
==15340== of which reachable via heuristic:
==15340== length64 : 223,848 bytes in 121 blocks
==15340== suppressed: 0 bytes in 0 blocks
==15340== Reachable blocks (those to which a pointer was found) are not shown.
==15340== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==15340==
Scan build
Done building server
scan-build: Removing directory '/tmp/scan-build-2019-07-25-154745-22303-1' because it contains no reports.
scan-build: No bugs found.
Done building agent
scan-build: Removing directory '/tmp/scan-build-2019-07-25-163919-9908-1' because it contains no reports.
scan-build: No bugs found.
When launching a scan with an invalid YAML file, Valgrind reports the next summary:
OUTDATED. FIXED IN https://github.com/wazuh/wazuh-qa/issues/97#issuecomment-515080411
==14626== HEAP SUMMARY:
==14626== in use at exit: 635,764 bytes in 2,659 blocks
==14626== total heap usage: 1,382,226 allocs, 1,379,567 frees, 1,569,103,953 bytes allocated
==14626==
==14626== 89 bytes in 1 blocks are possibly lost in loss record 53 of 126
==14626== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14626== by 0x4012C94: allocate_dtv_entry (dl-tls.c:582)
==14626== by 0x4012C94: allocate_and_init (dl-tls.c:607)
==14626== by 0x4012C94: tls_get_addr_tail (dl-tls.c:787)
==14626== by 0x4019A27: __tls_get_addr (tls_get_addr.S:55)
==14626== by 0xDAF8FF1: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==14626== by 0xDAFEA35: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==14626== by 0xDAF94B2: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==14626== by 0xDB0E48E: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==14626== by 0xDB0E8CB: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==14626== by 0xDAF3B56: _nss_systemd_getpwuid_r (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==14626== by 0x5B6BD34: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:315)
==14626== by 0x5B6B497: getpwuid (getXXbyYY.c:135)
==14626== by 0x5234729: user_from_uid (pwcache.c:42)
==14626==
==14626== 272 bytes in 1 blocks are possibly lost in loss record 76 of 126
==14626== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14626== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==14626== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==14626== by 0x5871227: allocate_stack (allocatestack.c:627)
==14626== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==14626== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==14626== by 0x13C705: CreateThread (pthreads_op.c:62)
==14626== by 0x167C31: wm_sca_main (wm_sca.c:220)
==14626== by 0x58706DA: start_thread (pthread_create.c:463)
==14626== by 0x5BA988E: clone (clone.S:95)
==14626==
==14626== 272 bytes in 1 blocks are possibly lost in loss record 77 of 126
==14626== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14626== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==14626== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==14626== by 0x5871227: allocate_stack (allocatestack.c:627)
==14626== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==14626== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==14626== by 0x13C705: CreateThread (pthreads_op.c:62)
==14626== by 0x112310: main (main.c:102)
==14626==
==14626== 1,904 bytes in 7 blocks are possibly lost in loss record 104 of 126
==14626== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14626== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==14626== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==14626== by 0x5871227: allocate_stack (allocatestack.c:627)
==14626== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==14626== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==14626== by 0x11226F: main (main.c:95)
==14626==
==14626== 3,072 bytes in 2 blocks are definitely lost in loss record 109 of 126
==14626== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14626== by 0x51A5D88: yaml_malloc (in /var/ossec/lib/libwazuhext.so)
==14626== by 0x51C21B5: yaml_parser_load (in /var/ossec/lib/libwazuhext.so)
==14626== by 0x195585: yaml_parse_file (yaml2json.c:46)
==14626== by 0x16877B: wm_sca_read_files (wm_sca.c:454)
==14626== by 0x1682AB: wm_sca_start (wm_sca.c:352)
==14626== by 0x167C6C: wm_sca_main (wm_sca.c:233)
==14626== by 0x58706DA: start_thread (pthread_create.c:463)
==14626== by 0x5BA988E: clone (clone.S:95)
==14626==
==14626== 4,104 bytes in 1 blocks are possibly lost in loss record 114 of 126
==14626== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14626== by 0x50FFDAA: sqlite3MemMalloc (sqlite3.c:20790)
==14626== by 0x51007A2: mallocWithAlarm (sqlite3.c:24464)
==14626== by 0x510084B: sqlite3Malloc (sqlite3.c:24494)
==14626== by 0x510EC36: pcache1Alloc (sqlite3.c:45336)
==14626== by 0x510EF24: sqlite3PageMalloc (sqlite3.c:45479)
==14626== by 0x511F55F: allocateTempSpace (sqlite3.c:61560)
==14626== by 0x51218CA: btreeCursor (sqlite3.c:63234)
==14626== by 0x5121A3C: sqlite3BtreeCursor (sqlite3.c:63276)
==14626== by 0x513D44F: sqlite3VdbeExec (sqlite3.c:81807)
==14626== by 0x5136036: sqlite3Step (sqlite3.c:76693)
==14626== by 0x51361E4: sqlite3_step (sqlite3.c:76754)
==14626==
==14626== LEAK SUMMARY:
==14626== definitely lost: 3,072 bytes in 2 blocks
==14626== indirectly lost: 0 bytes in 0 blocks
==14626== possibly lost: 6,641 bytes in 11 blocks
==14626== still reachable: 626,051 bytes in 2,646 blocks
==14626== of which reachable via heuristic:
==14626== length64 : 223,848 bytes in 121 blocks
==14626== suppressed: 0 bytes in 0 blocks
==14626== Reachable blocks (those to which a pointer was found) are not shown.
==14626== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==14626==
==14626== For counts of detected and suppressed errors, rerun with: -v
==14626== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
Fixed memory leak when parsing an invalid YAML file. Solved in this commit.
==27920== HEAP SUMMARY:
==27920== in use at exit: 666,599 bytes in 3,911 blocks
==27920== total heap usage: 866,406 allocs, 862,495 frees, 860,048,923 bytes allocated
==27920==
==27920== 89 bytes in 1 blocks are possibly lost in loss record 53 of 124
==27920== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27920== by 0x4012C94: allocate_dtv_entry (dl-tls.c:582)
==27920== by 0x4012C94: allocate_and_init (dl-tls.c:607)
==27920== by 0x4012C94: tls_get_addr_tail (dl-tls.c:787)
==27920== by 0x4019A27: __tls_get_addr (tls_get_addr.S:55)
==27920== by 0xDAF8FF1: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==27920== by 0xDAFEA35: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==27920== by 0xDAF94B2: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==27920== by 0xDB0E48E: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==27920== by 0xDB0E8CB: ??? (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==27920== by 0xDAF3B56: _nss_systemd_getpwuid_r (in /lib/x86_64-linux-gnu/libnss_systemd.so.2)
==27920== by 0x5B6BD34: getpwuid_r@@GLIBC_2.2.5 (getXXbyYY_r.c:315)
==27920== by 0x5B6B497: getpwuid (getXXbyYY.c:135)
==27920== by 0x5234729: user_from_uid (pwcache.c:42)
==27920==
==27920== 272 bytes in 1 blocks are possibly lost in loss record 77 of 124
==27920== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27920== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==27920== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==27920== by 0x5871227: allocate_stack (allocatestack.c:627)
==27920== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==27920== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==27920== by 0x13C705: CreateThread (pthreads_op.c:62)
==27920== by 0x112310: main (main.c:102)
==27920==
==27920== 2,176 bytes in 8 blocks are possibly lost in loss record 103 of 124
==27920== at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27920== by 0x40134A6: allocate_dtv (dl-tls.c:286)
==27920== by 0x40134A6: _dl_allocate_tls (dl-tls.c:530)
==27920== by 0x5871227: allocate_stack (allocatestack.c:627)
==27920== by 0x5871227: pthread_create@@GLIBC_2.2.5 (pthread_create.c:644)
==27920== by 0x13C65E: CreateThreadJoinable (pthreads_op.c:47)
==27920== by 0x11226F: main (main.c:95)
==27920==
==27920== 4,104 bytes in 1 blocks are possibly lost in loss record 109 of 124
==27920== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27920== by 0x50FFDAA: sqlite3MemMalloc (sqlite3.c:20790)
==27920== by 0x51007A2: mallocWithAlarm (sqlite3.c:24464)
==27920== by 0x510084B: sqlite3Malloc (sqlite3.c:24494)
==27920== by 0x510EC36: pcache1Alloc (sqlite3.c:45336)
==27920== by 0x510EF24: sqlite3PageMalloc (sqlite3.c:45479)
==27920== by 0x511F55F: allocateTempSpace (sqlite3.c:61560)
==27920== by 0x51218CA: btreeCursor (sqlite3.c:63234)
==27920== by 0x5121A3C: sqlite3BtreeCursor (sqlite3.c:63276)
==27920== by 0x513D44F: sqlite3VdbeExec (sqlite3.c:81807)
==27920== by 0x5136036: sqlite3Step (sqlite3.c:76693)
==27920== by 0x51361E4: sqlite3_step (sqlite3.c:76754)
==27920==
==27920== LEAK SUMMARY:
==27920== definitely lost: 0 bytes in 0 blocks
==27920== indirectly lost: 0 bytes in 0 blocks
==27920== possibly lost: 6,641 bytes in 11 blocks
==27920== still reachable: 659,958 bytes in 3,900 blocks
==27920== of which reachable via heuristic:
==27920== length64 : 223,848 bytes in 121 blocks
==27920== suppressed: 0 bytes in 0 blocks
==27920== Reachable blocks (those to which a pointer was found) are not shown.
==27920== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==27920==
==27920== For counts of detected and suppressed errors, rerun with: -v
==27920== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
OUTDATED. FIXED IN https://github.com/wazuh/wazuh/pull/3286/commits/bc1222d83484dab2b8c6efdca6dd05e8a2c1846f
There was a problem when trying to check the integrity from file _sca_win_registry_testsuite.yml.
SCA module:
results: passed:passed:passed:passed:passed:passed:passed:failed:failed:failed:failed:failed:failed:failed::
hash: 8e5a1b9f0f2b4c2730531413cec8a0d4f0ae1e68d2eb7721c5858203343daddc
DB:
results: passed:passed:passed:failed:failed:failed:passed:passed:passed:passed:failed:failed:failed:failed::
hash: b7263a6adefa09232beb380b52b655dd10be78fb6f6f2c05ac7bb50db116dd74
The database orders by ID the results obtained, but the agent doesn't. This leads to an infinite loop of integrity checksum failures.
For example, if the YAML policy has the IDs 1,0,2,3,4, and the results are failed:passed:passed:passed:failed
, the database will store them ordered by ID as 0,1,2,3,4, passed:failed:passed:passed:failed
.
Dr. Memory report:
Dr. Memory version 2.1.0 build 1 built on Mar 18 2019 00:02:08
Windows version: WinVer=63;Rel=;Build=9600;Edition=Professional
Dr. Memory results for pid 4728: "ossec-agent.exe"
Application cmdline: ".\ossec-agent.exe start"
Recorded 117 suppression(s) from default C:\Program Files (x86)\Dr. Memory\bin\suppress-default.txt
Adding a check which runs the command yes
:
- id: 300107
title: INVALID -- Non executable file (will trigger leak reports due to execvp failing)
condition: any
rules:
- c:yes ram -> r:ram
Generates an error of memory allocation:
==3290==ERROR: AddressSanitizer failed to allocate 0x20000 (131072) bytes at address 6320005d0000 (errno: 12)
==3290==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:184 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
==3290==WARNING: readlink("/proc/self/exe") failed with errno 2, some stack frames may not be symbolized
#0 0x7f6b5bfbf631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
#1 0x7f6b5bfc45e3 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
#2 0x7f6b5bfcc1df (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad1df)
#3 0x7f6b5bf4334b (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2434b)
#4 0x7f6b5bf43897 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x24897)
#5 0x7f6b5bf438f5 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x248f5)
#6 0x7f6b5bf4274b (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2374b)
#7 0x7f6b5bfb75d2 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
#8 0x7f6b5b9b9b34 (/var/ossec/bin/../lib/libwazuhext.so+0x2c0b34)
#9 0x7f6b5b9ba52c (/var/ossec/bin/../lib/libwazuhext.so+0x2c152c)
#10 0x7f6b5b9ba5d5 (/var/ossec/bin/../lib/libwazuhext.so+0x2c15d5)
#11 0x7f6b5b9c882d (/var/ossec/bin/../lib/libwazuhext.so+0x2cf82d)
#12 0x7f6b5b9c8b5a (/var/ossec/bin/../lib/libwazuhext.so+0x2cfb5a)
#13 0x7f6b5b9c95e5 (/var/ossec/bin/../lib/libwazuhext.so+0x2d05e5)
#14 0x7f6b5b9c975f (/var/ossec/bin/../lib/libwazuhext.so+0x2d075f)
#15 0x7f6b5b9c978e (/var/ossec/bin/../lib/libwazuhext.so+0x2d078e)
#16 0x7f6b5b9c7b05 (/var/ossec/bin/../lib/libwazuhext.so+0x2ceb05)
#17 0x7f6b5b9cf1d5 (/var/ossec/bin/../lib/libwazuhext.so+0x2d61d5)
#18 0x7f6b5b9cf6b4 (/var/ossec/bin/../lib/libwazuhext.so+0x2d66b4)
#19 0x7f6b5b9d838d (/var/ossec/bin/../lib/libwazuhext.so+0x2df38d)
#20 0x7f6b5b9d99fa (/var/ossec/bin/../lib/libwazuhext.so+0x2e09fa)
#21 0x7f6b5b9da191 (/var/ossec/bin/../lib/libwazuhext.so+0x2e1191)
#22 0x7f6b5b9f7390 (/var/ossec/bin/../lib/libwazuhext.so+0x2fe390)
#23 0x7f6b5b9efdcd (/var/ossec/bin/../lib/libwazuhext.so+0x2f6dcd)
#24 0x7f6b5b9eff78 (/var/ossec/bin/../lib/libwazuhext.so+0x2f6f78)
#25 0x4173c5 (/proc/self/exe+0x4173c5)
#26 0x417103 (/proc/self/exe+0x417103)
#27 0x42b020 (/proc/self/exe+0x42b020)
#28 0x41e7b3 (/proc/self/exe+0x41e7b3)
#29 0x409030 (/proc/self/exe+0x409030)
#30 0x7f6b5b4e36b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#31 0x7f6b5b21941c (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
The timeout doesn't work for this command as it generates an output and the timeout checks whether a command does show output at a certain threshold.
Update from 3.9 to 3.10 and run an SCA scan:
Databases are correctly purged, they do not generate any error. With this update, the configuration is still the same, this means that it will show this kind of messages when it has been updated.
2019/08/02 06:26:35 sca: WARNING: Policy file not found: '/var/ossec/ruleset/sca/cis_debian_linux_rcl.yml'. Skipping it.
2019/08/02 06:26:35 sca: WARNING: Policy file not found: '/var/ossec/ruleset/sca/system_audit_rcl.yml'. Skipping it.
2019/08/02 06:26:35 sca: WARNING: Policy file not found: '/var/ossec/ruleset/sca/system_audit_ssh.yml'. Skipping it.
2019/08/02 06:26:35 sca: WARNING: Policy file not found: '/var/ossec/ruleset/sca/system_audit_pw.yml'. Skipping it.
Agent remote configuration
OUTDATED. FIXED IN https://github.com/wazuh/wazuh-qa/issues/97#issuecomment-518591038
With an agent having its default SCA configuration:
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
With the next agent.conf set:
<agent_config>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>2m</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy enable="no">cis_debian9_L2.yml</policy>
</policies>
</sca>
</agent_config>
We obtain the next result:
2019/08/02 11:51:34 sca: INFO: Adding policy file 'cis_debian9_L2.yml' by default.
2019/08/02 11:51:34 sca: INFO: Adding policy file 'cis_debian9_L1.yml' by default.
2019/08/02 11:51:34 sca: INFO: Adding policy file 'cis_debian9_L2.yml' by default.
2019/08/02 11:51:34 sca: INFO: Adding policy file 'cis_debian9_L1.yml' by default.
And after finishing the evaluation of the first two files:
2019/08/02 11:51:40 sca: WARNING: Found duplicated policy ID: cis_debian9_L2. File 'cis_debian9_L2.yml' contains the same ID.
2019/08/02 11:51:40 sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_debian9_L2.yml'. Skipping it.
2019/08/02 11:51:40 sca: WARNING: Found duplicated policy ID: cis_debian9_L1. File 'cis_debian9_L1.yml' contains the same ID.
2019/08/02 11:51:40 sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_debian9_L1.yml'. Skipping it.
Also, notice that we have set the policy _cis_debian9L2.yml file to disabled in the remote configuration, but enable
instead of enabled
, but it does not show any configuration warning or error.
If we set the same configuration but with enabled
, the module reads the ossec.conf first, runs the scan and then the remote configuration, which only enables the _cis_debian9L1.yml policy, and shows it as duplicated.
2019/08/05 08:57:28 sca: INFO: Evaluation finished for policy 'cis_debian9_L1.yml'
2019/08/05 08:57:28 sca: INFO: Starting evaluation of policy: 'cis_debian9_L2.yml'
2019/08/05 08:57:30 ossec-logcollector: INFO: Agent is now online. Process unlocked, continuing...
2019/08/05 08:57:31 sca: INFO: Evaluation finished for policy 'cis_debian9_L2.yml'
2019/08/05 08:57:31 sca: WARNING: Found duplicated policy ID: cis_debian9_L1. File 'cis_debian9_L1.yml' contains the same ID.
2019/08/05 08:57:31 sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_debian9_L1.yml'. Skipping it.
The Wazuh manager removes the information of a disabled policy when a new scan is received. This feature works fine while SCA is running. In the case that the disabled policy is the only monitored policy the SCA module stop working (Expected behaviour). If SCA stops running the manager never receive an event with the new policies. In this case, the information isn't purged. It will be purged when the manager receives a new SCA event with the policies.
Checking the correct policies for Windows are installed at ruleset/sca
Every Windows has only _sca_winaudit.yml at ruleset/sca, without considering the Windows version. For example, A Windows Server 2012 does not have a _cis_win2012r2memberL1.yml file.
Agent remote configuration
The problem was that the array of policies to be scanned was adding every file included in the ossec.conf file. Checking if the policy has already been added fixes the issue.
Testing
==17687==
==17687== HEAP SUMMARY:
==17687== in use at exit: 776,126 bytes in 7,087 blocks
==17687== total heap usage: 157,465 allocs, 150,378 frees, 112,502,675 bytes allocated
==17687==
==17687== LEAK SUMMARY:
==17687== definitely lost: 0 bytes in 0 blocks
==17687== indirectly lost: 0 bytes in 0 blocks
==17687== possibly lost: 6,280 bytes in 9 blocks
==17687== still reachable: 769,846 bytes in 7,078 blocks
==17687== of which reachable via heuristic:
==17687== length64 : 223,896 bytes in 124 blocks
==17687== suppressed: 0 bytes in 0 blocks
==17687== Rerun with --leak-check=full to see details of leaked memory
==17687==
==17687== For counts of detected and suppressed errors, rerun with: -v
==17687== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Log sample
Configuration blocks:
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>60s</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy enabled="no">cis_debian9_L2.yml</policy>
</policies>
</sca>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy enabled="yes">cis_debian9_L2.yml</policy>
<policy enabled="yes">cis_debian9_L1.yml</policy>
</policies>
</sca>
ossec.log output:
2019/08/06 11:43:44 sca: INFO: Adding policy file 'cis_debian9_L2.yml' by default.
2019/08/06 11:43:44 sca: INFO: Adding policy file 'cis_debian9_L1.yml' by default.
2019/08/06 11:43:44 sca: INFO: Disabling policy 'cis_debian9_L2.yml' by configuration.
2019/08/06 11:43:45 ossec-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2019/08/06 11:43:45 ossec-dbd: INFO: Database not configured. Clean exit.
2019/08/06 11:43:45 ossec-integratord: INFO: Remote integrations not configured. Clean exit.
2019/08/06 11:43:45 ossec-agentlessd: INFO: Not configured. Exiting.
2019/08/06 11:43:45 ossec-authd: INFO: Started (pid: 22677).
2019/08/06 11:43:45 ossec-authd: INFO: Accepting connections on port 1515. No password required.
2019/08/06 11:43:45 ossec-authd: INFO: Setting network timeout to 1.000000 sec.
2019/08/06 11:43:45 wazuh-db: INFO: Started (pid: 22686).
2019/08/06 11:43:45 ossec-execd: INFO: Started (pid: 22704).
2019/08/06 11:43:45 ossec-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
2019/08/06 11:43:45 rootcheck: ERROR: System audit file not configured.
2019/08/06 11:43:45 ossec-remoted: INFO: Started (pid: 22726). Listening on port 1514/UDP (secure).
2019/08/06 11:43:45 ossec-monitord: INFO: Started (pid: 22738).
2019/08/06 11:43:45 sca: INFO: Adding policy file 'cis_debian9_L2.yml' by default.
2019/08/06 11:43:45 sca: INFO: Adding policy file 'cis_debian9_L1.yml' by default.
2019/08/06 11:43:45 sca: INFO: Disabling policy 'cis_debian9_L2.yml' by configuration.
2019/08/06 11:43:45 wazuh-modulesd: INFO: Process started.
2019/08/06 11:43:45 wazuh-modulesd:oscap: INFO: Module disabled. Exiting...
2019/08/06 11:43:45 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2019/08/06 11:43:45 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2019/08/06 11:43:45 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...
2019/08/06 11:43:45 wazuh-modulesd:database: INFO: Module started.
2019/08/06 11:43:45 wazuh-modulesd:download: INFO: Module started
2019/08/06 11:43:45 sca: INFO: Module started.
2019/08/06 11:43:45 ossec-analysisd: INFO: Total rules enabled: '3395'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/random.seed'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/sys/kernel/security'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/sys/kernel/debug'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '/dev/core'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '^/proc'
2019/08/06 11:43:45 ossec-analysisd: INFO: Ignoring file: '.log$|.swp$'
2019/08/06 11:43:45 ossec-analysisd: INFO: Started (pid: 22712).
2019/08/06 11:43:46 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2019/08/06 11:43:46 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2019/08/06 11:43:46 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2019/08/06 11:43:46 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2019/08/06 11:43:46 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2019/08/06 11:43:46 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2019/08/06 11:43:46 ossec-logcollector: INFO: Monitoring output of command(360): df -P
2019/08/06 11:43:46 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2019/08/06 11:43:46 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20
2019/08/06 11:43:46 ossec-logcollector: INFO: Started (pid: 22732).
2019/08/06 11:43:46 ossec-remoted: INFO: (4111): Maximum number of agents allowed: '14000'.
2019/08/06 11:43:46 ossec-remoted: INFO: (1410): Reading authentication keys file.
2019/08/06 11:43:46 sca: INFO: Starting Security Configuration Assessment scan.
2019/08/06 11:43:46 sca: INFO: Starting evaluation of policy: 'cis_debian9_L2.yml'
2019/08/06 11:43:49 ossec-syscheckd: INFO: Started (pid: 22718).
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6003): Monitoring directory: '/etc', with options 'perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode'.
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6003): Monitoring directory: '/usr/bin', with options 'perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode'.
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6003): Monitoring directory: '/usr/sbin', with options 'perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode'.
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6003): Monitoring directory: '/bin', with options 'perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode'.
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6003): Monitoring directory: '/sbin', with options 'perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode'.
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6003): Monitoring directory: '/boot', with options 'perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode'.
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/sys/kernel/security'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/sys/kernel/debug'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6206): Ignore 'file' entry '/dev/core'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6207): Ignore 'file' sregex '^/proc'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2019/08/06 11:43:49 ossec-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2019/08/06 11:43:49 rootcheck: INFO: Started (pid: 22718).
2019/08/06 11:43:49 sca: INFO: Evaluation finished for policy 'cis_debian9_L2.yml'
2019/08/06 11:43:49 sca: INFO: Starting evaluation of policy: 'cis_debian9_L1.yml'
2019/08/06 11:43:52 sca: INFO: Evaluation finished for policy 'cis_debian9_L1.yml'
2019/08/06 11:43:53 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2019/08/06 11:44:04 ossec-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2019/08/06 11:44:04 ossec-syscheckd: INFO: (6008): File integrity monitoring scan started.
2019/08/06 11:44:04 rootcheck: INFO: Starting rootcheck scan.
Usage of memory on MacOS for 10-scan run. Longer testing is needed to evaluate what's going on at the end.
Delete a check from the DB
Server side:
sqlite> select * from sca_check where id="3000";
1284019443|3000|cis_debian9_L1|Ensure mounting of freevxfs filesystems is disabled|The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.|Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.|Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs|||||/sbin/modprobe -n -v freevxfs||failed||
sqlite> delete from sca_check where id="3000";
Agent side at next scan:
2019/08/08 07:30:21 sca: INFO: Integration checksum failed for policy 'cis_debian9_L1.yml'. Resending scan results in 109 seconds.
Server side after receiving the scan:
sqlite> select * from sca_check where id="3000";
912760343|3000|cis_debian9_L1|Ensure mounting of freevxfs filesystems is disabled|The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.|Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.|Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs|||||/sbin/modprobe -n -v freevxfs||failed||
Changing a check from a policy
Server side:
sqlite> select * from sca_check where id="3001";
912760343|3001|cis_debian9_L1|Ensure mounting of jffs2 filesystems is disabled|The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.|Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.|Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2|||||/sbin/modprobe -n -v jffs2||failed||
Agent side: Change the check from the scanned policy to write a test check:
- id: 3001
title: "Change the content of a check"
description: "The check must be updated in the server."
rationale: "The SCA integrity must handle this."
remediation: "Resend the scan"
compliance:
- cis: ["1.1.1.2"]
- cis_csc: ["5.1"]
condition: none
rules:
- 'c:echo -n integrity_test -> r:passed'
Logs
Agent side:
2019/08/08 07:49:08 sca[6060] wm_sca.c:2855 at wm_sca_dump_db_thread(): DEBUG: Sending first scan results for policy 'cis_debian9_L1.yml'
2019/08/08 07:49:08 sca[6060] wm_sca.c:2863 at wm_sca_dump_db_thread(): DEBUG: Dumping results to SCA DB for policy 'cis_debian9_L1.yml' (Policy index: 1)
2019/08/08 07:49:14 sca[6060] wm_sca.c:2892 at wm_sca_dump_db_thread(): DEBUG: Sending end of dump control event.
2019/08/08 07:49:16 sca[6060] wm_sca.c:2911 at wm_sca_dump_db_thread(): DEBUG: Finished dumping scan results to SCA DB for policy 'cis_debian9_L1' (1) (1)
Server side:
2019/08/08 07:49:06 ossec-analysisd: INFO: Policy 'cis_debian9_L1' outdated in agent '005'. Latest scan requested.
New check in the server:
sqlite> select * from sca_check where id="3001";
2128865376|3001|cis_debian9_L1|Change the content of a check|The check must be updated in the server.|The SCA integrity must handle this.|Resend the scan|||||echo -n integrity_test||passed||
Using leaks
to detect memory leaks on MacOS
Changing the notify_time
to 60 seconds and disabling every module but SCA. Scanning _cis_apple_macOS10.13.yml and policy file tests.
After running at least 15 scans, the summary of them is the next one, with 0 leaks.
# leaks 72527 --fullContent --fullStack
Process: wazuh-modulesd [72527]
Path: /private/var/ossec/bin/wazuh-modulesd
Load Address: 0x10ef4a000
Identifier: wazuh-modulesd
Version: ???
Code Type: X86-64
Parent Process: sh [49958]
Date/Time: 2019-08-08 09:52:09.203 +0200
Launch Time: 2019-08-08 09:51:10.371 +0200
OS Version: Mac OS X 10.13.5 (17F77)
Report Version: 7
Analysis Tool: /usr/bin/leaks
Physical footprint: 2032K
Physical footprint (peak): 2032K
----
leaks Report Version: 3.0, multi-line stacks
Process 72527: 2189 nodes malloced for 251 KB
Process 72527: 0 leaks for 0 total leaked bytes.
After the 60 seconds from the notify_time
have passed, leaks
reports this:
# leaks 72527 --fullContent --fullStack
Process: wazuh-modulesd [72527]
Path: /private/var/ossec/bin/wazuh-modulesd
Load Address: 0x10ef4a000
Identifier: wazuh-modulesd
Version: ???
Code Type: X86-64
Parent Process: sh [49958]
Date/Time: 2019-08-08 09:52:10.030 +0200
Launch Time: 2019-08-08 09:51:10.371 +0200
OS Version: Mac OS X 10.13.5 (17F77)
Report Version: 7
Analysis Tool: /usr/bin/leaks
Physical footprint: 2044K
Physical footprint (peak): 2044K
----
leaks Report Version: 3.0, multi-line stacks
Process 72527: 2302 nodes malloced for 253 KB
Process 72527: 113 leaks for 1808 total leaked bytes.
Same results after running several subsequent scans.
15 minutes of SCA running under masiff. Executing one scan per minute of the Debian & testing policies.
Disabling a policy A policy being disabled means that its information is not included in the database. Disabling a policy between two scans with the suffix .disabled does not remove this data.
Setting a complete path to a policy different than the one by default With the next configuration:
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>1m</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>C:\Program Files (x86)\ossec-agent\ruleset\sca_win_registry_test_suite.yml</policy>
</policies>
</sca>
Shows the next message, however the policy is correctly scanned.
2019/08/08 11:31:30 sca: ERROR: Unable to calculate SHA256 for file 'ruleset\sca/C:\Program Files (x86)\ossec-agent\ruleset\sca_win_registry_test_suite.yml'
2019/08/08 11:31:47 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca_win_registry_test_suite.yml'
2019/08/08 11:31:51 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca_win_registry_test_suite.yml'
It adds the directory by default, ruleset\sca
, to the complete path.
Extended testing on disabling a policy on Windows while the agent is running
sqlite> select distinct policy_id from sca_check;
cis_win10_enterprise_L1
cis_win10_enterprise_L2
directories_test_suite
sca_condition_test_suite
sca_files_test_suite
sca_negation_test_suite
sca_processes_test_suite
sca_win_audit
win_registry_test_suite
sca_files_test_suite.yml
-> sca_files_test_suite.yml.disable
Until the agent is restarted the agent logs a Warning: WARNING: Policy file not found: 'ruleset\sca\sca_files_test_suite.yml'. Skipping it.
But the table isn't deleted from the DB.
When the agent is restarted and the first SCA scan is send the DB purges that policy:
sqlite> select distinct policy_id from sca_check;
cis_win10_enterprise_L1
cis_win10_enterprise_L2
directories_test_suite
sca_condition_test_suite
sca_negation_test_suite
sca_processes_test_suite
sca_win_audit
win_registry_test_suite
Memory Use of Windows Agent
Powershell script to get the Memory on real time:
Get-Process -Name ossec-agent | Select-Object Name,@{Name='WorkingSet';Expression={($_.WorkingSet)}}
Configuration:
All modules except SCA are disabled.
Notify time: 10000
SCA with default policy: sca_win_audit
and a frequency of 1 minute.
X axis: time (seconds)
Y axis: Memory (KB)
Script: while (1){ Get-Process -Name ossec-agent | Select-Object Name,@{Name='WorkingSet';Expression={($_.WorkingSet)}}; sleep 4;}
Configuration: All modules except SCA are disabled. Notify time: 10000 SCA policies:
cis_win10_enterprise_L1
cis_win10_enterprise_L2
directories_test_suite
sca_condition_test_suite
sca_files_test_suite
sca_negation_test_suite
sca_processes_test_suite
sca_win_audit
win_registry_test_suite
C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_files.yml (Custom policy based on file test created for this test)
Frequency: 1 minute. X axis: time (seconds) Y axis: Memory (KB)
Changes during execution: Policy appear/disappear
while(1){mv "C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_files.yml" "C:\Program Files (x8
6)\ossec-agent\ruleset\sca\sca_files.yml.disable"; sleep 60; mv "C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_file
s.yml.disable" "C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_files.yml"; sleep 60;}
Half time IDs repeated and the other half valid policy (Check repeated ID and integrity)
while(1){(Get-Content -path "C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_repeated_global_
ids_1.yml" -Raw) -replace '300','330'; sleep 60; (Get-Content -path "C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_
repeated_global_ids_1.yml" -Raw) -replace '330','300'; sleep 60;}
SCA actions with events and alerts generated
Action | Events | Alerts |
---|---|---|
First scan | Every check + summary | Every check + summary |
Agent restart | Summary | None |
Check changes its status | Changed check + summary | Changed check + summary |
Agent stop, change check, agent start | Every check + summary | Changed check + summary |
Policy file change (change condition) | Every check + summary | Changed check + summary + every check + summary |
Policy file change (add line) | Every check + summary | Every check + summary |
Integrity fail (event lost) | Every check + summary | The event lost (in the next scan) |
The SCA refactor has been merged, so I am closing this issue.
SCA Memory test
These tests assess that there are no memory leaks in the PR: https://github.com/wazuh/wazuh/pull/3286
It also reflects the results of static code analyzers and tests of the memory and CPU use.
Functional tests
LINUX
.disabled
orenable="no"
at the configuration file.<policy>cis_debian9_L1.yml.disabled</policy>
, for example. It should be enabled.<policy>cis_debian9_L1.yml.disabled</policy>
.Check first scan results:
Check subsequent scans restults:
Check results when a policy is disabled:
Check the configuration on demand:
Integrity:
sca.request_db_interval
when the integrity check fails.Upgrade:
WINDOWS
.disabled
orenable="no"
at the configuration file.<policy>cis_debian9_L1.yml.disabled</policy>
, for example. It should be enabled.<policy>cis_debian9_L1.yml.disabled</policy>
.Check first scan results:
Check subsequent scans restults:
Check results when a policy is disabled:
Check the configuration on demand:
Integrity:
sca.request_db_interval
when the integrity check fails.Upgrade: