rauldpm
commented
2 years ago Analysis report
- The construction time of the Solaris 10 Wazuh agent has become approximately 7 hours, when before it took an average of approximately 3 hours.
Closed okynos closed 2 years ago
rauldpm
commented
2 years ago rauldpm
commented
2 years ago rauldpm
commented
2 years ago rauldpm
commented
2 years ago rauldpm
commented
2 years ago rauldpm
commented
2 years ago ** Alert 1665169203.322015: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2022 Oct 07 19:00:03 (centos7) any->sca
Rule: 19008 (level 3) -> 'CIS Benchmark for CentOS 7: Ensure auditd service is enabled and running.'
{"type":"check","id":1835763500,"policy":"CIS Benchmark for CentOS 7","policy_id":"cis_centos7_linux","check":{"id":6114,"title":"Ensure auditd service is enabled and running.","description":"Turn on the auditd$
sca.type: check
sca.scan_id: 1835763500
sca.policy: CIS Benchmark for CentOS 7
sca.check.id: 6114
sca.check.title: Ensure auditd service is enabled and running.
sca.check.description: Turn on the auditd daemon to record system events.
sca.check.rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
sca.check.remediation: Run the following command to enable auditd: # systemctl --now enable auditd
sca.check.compliance.cis: 4.1.1.2
sca.check.compliance.cis_csc: 6.2,6.3
sca.check.compliance.pci_dss: 10.1,10.7
sca.check.compliance.tsc: CC6.1,CC6.2,CC6.3,CC7.2,CC7.3,CC7.4
sca.check.compliance.cis_level: 2
sca.check.command: ["systemctl is-enabled auditd", "systemctl status auditd"]
sca.check.result: passed
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
Agent ID: 001
Agent Name: centos7
IP address: any/any
Status: Active
Operating system: Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
Client version: Wazuh v4.3.9
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1665169380
Syscheck last started at: Fri Oct 7 18:59:51 2022
Syscheck last ended at: Fri Oct 7 18:59:52 2022
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.9"
WAZUH_REVISION="40322"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.3.9
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.3.9
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
"name": "opensearch-dashboards",
"description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
"keywords": [
"opensearch-dashboards",
"opensearch",
"logstash",
"analytics",
"visualizations",
"dashboards",
"dashboarding"
],
"version": "1.2.0",
"branch": "main",
"build": {
"number": 1,
"sha": "caf668e73304bac890f41c37cd6c3a41257cd289",
"distributable": true,
"release": true
},
"repository": {
"type": "git",
"url": "https://github.com/opensearch-project/opensearch-dashboards.git"
},
"engines": {
"node": "10.24.1"
}
}[root@wazuh-server wazuh-user]# grep -i -E "ossec|wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
[root@wazuh-server wazuh-user]# ** Alert 1665170051.110732: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2022 Oct 07 19:14:11 (centos7) any->sca
Rule: 19008 (level 3) -> 'CIS Benchmark for CentOS 7: Ensure XD/NX support is enabled.'
{"type":"check","id":1171990633,"policy":"CIS Benchmark for CentOS 7","policy_id":"cis_centos7_linux","check":{"id":6033,"title":"Ensure XD/NX support is enabled.","description":"Recent processors in the x86 fa$
sca.type: check
sca.scan_id: 1171990633
sca.policy: CIS Benchmark for CentOS 7
sca.check.id: 6033
sca.check.title: Ensure XD/NX support is enabled.
sca.check.description: Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), wh$
sca.check.rationale: Enabling any feature that can protect against buffer overflow attacks enhances the security of the system.
sca.check.remediation: On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. Yo$
sca.check.compliance.cis: 1.6.2
sca.check.compliance.cis_csc: 8.3
sca.check.compliance.pci_dss: 2.2.4
sca.check.compliance.nist_800_53: CM.1
sca.check.compliance.tsc: CC5.2
sca.check.compliance.cis_level: 1
sca.check.command: ["sh -c \"journalctl | grep \\\"protection: active\\\"\""]
sca.check.result: passed[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
Agent ID: 001
Agent Name: centos7
IP address: any/any
Status: Active
Operating system: Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
Client version: Wazuh v4.3.9
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 4a8724b20dee0124ff9656783c490c4e
Last keep alive: 1665170220
Syscheck last started at: Fri Oct 7 19:14:01 2022
Syscheck last ended at: Fri Oct 7 19:14:02 2022
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
"name": "opensearch-dashboards",
"description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
"keywords": [
"opensearch-dashboards",
"opensearch",
"logstash",
"analytics",
"visualizations",
"dashboards",
"dashboarding"
],
"version": "1.2.0",
"branch": "main",
"build": {
"number": 1,
"sha": "caf668e73304bac890f41c37cd6c3a41257cd289",
"distributable": true,
"release": true
},
"repository": {
"type": "git",
"url": "https://github.com/opensearch-project/opensearch-dashboards.git"
},
"engines": {
"node": "10.24.1"
}
}[root@wazuh-server wazuh-user]# grep wazuh /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
okynos
commented
2 years ago Install:
# WAZUH_MANAGER=XXX.XXX.XXX.XXX apt-get -y install wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 4965 kB of archives.
After this operation, 32.4 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.3.9-1 [4965 kB]
Fetched 4965 kB in 1s (3321 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 8471 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.3.9-1_ppc64el.deb ...
Unpacking wazuh-agent (4.3.9-1) ...
Setting up wazuh-agent (4.3.9-1) ...Start:
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.9...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.Error/Warnings:
# cat /var/ossec/logs/ossec.log | grep -i error
# cat /var/ossec/logs/ossec.log | grep -i warn
# cat /var/ossec/logs/ossec.log | grep -i critUsers and groups:
# cat /etc/passwd | grep wazuh
wazuh:x:101:101::/var/ossec:/bin/false
# cat /etc/group | grep wazuh
wazuh:x:101:Uninstall:
# apt purge wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
distro-info-data libexpat1 libmpdec3 libpython3-stdlib libpython3.9-minimal libpython3.9-stdlib lsb-release
media-types python3 python3-minimal python3.9 python3.9-minimal
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 32.4 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 8826 files and directories currently installed.)
Removing wazuh-agent (4.3.9-1) ...
(Reading database ... 8487 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.3.9-1) ...Upgrade:
# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 4965 kB of archives.
After this operation, 3230 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.3.9-1 [4965 kB]
Fetched 4965 kB in 1s (3722 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 8814 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.3.9-1_ppc64el.deb ...
Unpacking wazuh-agent (4.3.9-1) over (4.3.0-1) ...
Setting up wazuh-agent (4.3.9-1) ...TCP/UDP Alerts:
{"timestamp":"2022-10-10T11:00:53.244+0000","rule":{"level":9,"description":"SCA summary: CIS Benchmark for Debian/Linux 10: Score less than 30% (29)","id":"19005","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"011","name":"acf49d6ba849","ip":"172.17.0.3"},"manager":{"name":"ip-172-31-94-2.ec2.internal"},"id":"1665399653.2774058","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"816118642","policy":"CIS Benchmark for Debian/Linux 10","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 10.","policy_id":"cis_debian10","passed":"32","failed":"78","invalid":"82","total_checks":"192","score":"29","file":"cis_debian10.yml"}},"location":"sca"}Install:
# WAZUH_MANAGER=XXX.XXX.XXX.XXX yum install wazuh-agent
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.keystealth.org
* extras: mirror.keystealth.org
* updates: mirrors.xtom.com
wazuh | 3.4 kB 00:00:00
wazuh/primary_db | 256 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.3.9-1 will be installed
--> Processing Dependency: /sbin/service for package: wazuh-agent-4.3.9-1.ppc64le
--> Running transaction check
---> Package initscripts.ppc64le 0:9.49.53-1.el7_9.1 will be installed
--> Processing Dependency: sysvinit-tools >= 2.87-5 for package: initscripts-9.49.53-1.el7_9.1.ppc64le
--> Processing Dependency: iproute for package: initscripts-9.49.53-1.el7_9.1.ppc64le
--> Running transaction check
---> Package iproute.ppc64le 0:4.11.0-30.el7 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: iproute-4.11.0-30.el7.ppc64le
--> Processing Dependency: libxtables.so.10()(64bit) for package: iproute-4.11.0-30.el7.ppc64le
--> Processing Dependency: libmnl.so.0()(64bit) for package: iproute-4.11.0-30.el7.ppc64le
---> Package sysvinit-tools.ppc64le 0:2.88-14.dsf.el7 will be installed
--> Running transaction check
---> Package iptables.ppc64le 0:1.4.21-35.el7 will be installed
--> Processing Dependency: libnfnetlink.so.0()(64bit) for package: iptables-1.4.21-35.el7.ppc64le
--> Processing Dependency: libnetfilter_conntrack.so.3()(64bit) for package: iptables-1.4.21-35.el7.ppc64le
---> Package libmnl.ppc64le 0:1.0.3-7.el7 will be installed
--> Running transaction check
---> Package libnetfilter_conntrack.ppc64le 0:1.0.6-1.el7_3 will be installed
---> Package libnfnetlink.ppc64le 0:1.0.1-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================
Package Arch Version Repository Size
======================================================================================================================
Installing:
wazuh-agent ppc64le 4.3.9-1 wazuh 6.0 M
Installing for dependencies:
initscripts ppc64le 9.49.53-1.el7_9.1 updates 441 k
iproute ppc64le 4.11.0-30.el7 base 777 k
iptables ppc64le 1.4.21-35.el7 base 448 k
libmnl ppc64le 1.0.3-7.el7 base 24 k
libnetfilter_conntrack ppc64le 1.0.6-1.el7_3 base 57 k
libnfnetlink ppc64le 1.0.1-4.el7 base 26 k
sysvinit-tools ppc64le 2.88-14.dsf.el7 base 62 k
Transaction Summary
======================================================================================================================
Install 1 Package (+7 Dependent packages)
Total download size: 7.8 M
Installed size: 41 M
Is this ok [y/d/N]: y
Downloading packages:
(1/8): initscripts-9.49.53-1.el7_9.1.ppc64le.rpm | 441 kB 00:00:00
(2/8): iproute-4.11.0-30.el7.ppc64le.rpm | 777 kB 00:00:00
(3/8): iptables-1.4.21-35.el7.ppc64le.rpm | 448 kB 00:00:00
(4/8): libmnl-1.0.3-7.el7.ppc64le.rpm | 24 kB 00:00:00
(5/8): libnetfilter_conntrack-1.0.6-1.el7_3.ppc64le.rpm | 57 kB 00:00:00
(6/8): libnfnetlink-1.0.1-4.el7.ppc64le.rpm | 26 kB 00:00:00
(7/8): sysvinit-tools-2.88-14.dsf.el7.ppc64le.rpm | 62 kB 00:00:00
(8/8): wazuh-agent-4.3.9-1.ppc64le.rpm | 6.0 MB 00:00:02
----------------------------------------------------------------------------------------------------------------------
Total 2.9 MB/s | 7.8 MB 00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libnfnetlink-1.0.1-4.el7.ppc64le 1/8
Installing : libmnl-1.0.3-7.el7.ppc64le 2/8
Installing : libnetfilter_conntrack-1.0.6-1.el7_3.ppc64le 3/8
Installing : iptables-1.4.21-35.el7.ppc64le 4/8
Installing : iproute-4.11.0-30.el7.ppc64le 5/8
Installing : sysvinit-tools-2.88-14.dsf.el7.ppc64le 6/8
Installing : initscripts-9.49.53-1.el7_9.1.ppc64le 7/8
Installing : wazuh-agent-4.3.9-1.ppc64le 8/8
Verifying : initscripts-9.49.53-1.el7_9.1.ppc64le 1/8
Verifying : libmnl-1.0.3-7.el7.ppc64le 2/8
Verifying : sysvinit-tools-2.88-14.dsf.el7.ppc64le 3/8
Verifying : libnfnetlink-1.0.1-4.el7.ppc64le 4/8
Verifying : wazuh-agent-4.3.9-1.ppc64le 5/8
Verifying : iproute-4.11.0-30.el7.ppc64le 6/8
Verifying : iptables-1.4.21-35.el7.ppc64le 7/8
Verifying : libnetfilter_conntrack-1.0.6-1.el7_3.ppc64le 8/8
Installed:
wazuh-agent.ppc64le 0:4.3.9-1
Dependency Installed:
initscripts.ppc64le 0:9.49.53-1.el7_9.1 iproute.ppc64le 0:4.11.0-30.el7
iptables.ppc64le 0:1.4.21-35.el7 libmnl.ppc64le 0:1.0.3-7.el7
libnetfilter_conntrack.ppc64le 0:1.0.6-1.el7_3 libnfnetlink.ppc64le 0:1.0.1-4.el7
sysvinit-tools.ppc64le 0:2.88-14.dsf.el7
Complete!Start:
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.Error/Warnings:
# cat /var/ossec/logs/ossec.log | grep -i error
# cat /var/ossec/logs/ossec.log | grep -i warn
# cat /var/ossec/logs/ossec.log | grep -i critUsers and groups:
# cat /etc/passwd | grep wazuh
wazuh:x:999:998::/var/ossec:/sbin/nologin
# cat /etc/group | grep wazuh
wazuh:x:998:wazuhUninstall:
# yum remove wazuh-agent
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.3.9-1 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================
Package Arch Version Repository Size
======================================================================================================================
Removing:
wazuh-agent ppc64le 4.3.9-1 @wazuh 28 M
Transaction Summary
======================================================================================================================
Remove 1 Package
Installed size: 28 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : wazuh-agent-4.3.9-1.ppc64le 1/1
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
Verifying : wazuh-agent-4.3.9-1.ppc64le 1/1
Removed:
wazuh-agent.ppc64le 0:4.3.9-1
Complete!Upgrade:
# yum upgrade
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.keystealth.org
* extras: mirror.keystealth.org
* updates: mirrors.xtom.com
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.3.0-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.3.9-1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================
Package Arch Version Repository Size
======================================================================================================================
Updating:
wazuh-agent ppc64le 4.3.9-1 wazuh 6.0 M
Transaction Summary
======================================================================================================================
Upgrade 1 Package
Total download size: 6.0 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-agent-4.3.9-1.ppc64le.rpm | 6.0 MB 00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : wazuh-agent-4.3.9-1.ppc64le 1/2
Cleanup : wazuh-agent-4.3.0-1.ppc64le 2/2
Verifying : wazuh-agent-4.3.9-1.ppc64le 1/2
Verifying : wazuh-agent-4.3.0-1.ppc64le 2/2
Updated:
wazuh-agent.ppc64le 0:4.3.9-1
Complete!TCP/UDP Alerts:
{"timestamp":"2022-10-10T11:00:31.271+0000","rule":{"level":3,"description":"Ossec agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"008","name":"be355a389fc8","ip":"172.17.0.2"},"manager":{"name":"ip-172-31-94-2.ec2.internal"},"id":"1665399631.2769855","full_log":"ossec: Agent started: 'be355a389fc8->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"be355a389fc8->any"},"location":"ossec"}
Packages tests metrics information
Build packages
Test packages
PPC64EL packages
OVA/AMI specific tests
Status legend: ⚫ - Pending/In progress ⚪ - Skipped 🔴 - Rejected 🟢 - Approved