wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.4.0 - Release Candidate 2 - Specific systems #16402

Closed wazuhci closed 1 year ago

wazuhci commented 1 year ago

Packages tests metrics information

- Main release candidate issue: #16390
- Main packages metrics issue: #16396
- Version: 4.4.0
- Release candidate: RC2
- Tag: https://github.com/wazuh/wazuh/tree/v4.4.0-rc2

Build packages

| System | Status | Build |
|---|---|---|
| AIX | :green_circle: | https://ci.wazuh.info/job/Packages_builder_special/662/ |
| HPUX | :green_circle: | https://ci.wazuh.info/job/Packages_builder_special/665/ |
| S10 SPARC | :green_circle: | https://ci.wazuh.info/job/Packages_builder_special/663/ |
| S11 SPARC | :green_circle: | https://ci.wazuh.info/job/Packages_builder_special/664/ |
| OVA | :green_circle: | https://ci.wazuh.info/view/Packages/job/Packages_Builder_OVA/200/ |
| AMI | :green_circle: | https://ci.wazuh.info/job/Packages_Builder_AMI/116/ |

Test packages

| System | Build | Install | Deployment install | Upgrade | Remove | TCP | UDP | Errors found | Warnings found | Alerts found | Check users |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AIX | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :red_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| HPUX | :green_circle: | :red_circle: | --- | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| S10 SPARC | :green_circle: | :green_circle: | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| S11 SPARC | :green_circle: | :green_circle: | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| OVA | :green_circle: | :green_circle: | --- | --- | --- | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| AMI | :green_circle: | :green_circle: | --- | --- | --- | :green_circle: | :green_circle: | :red_circle: | :red_circle: | :green_circle: | :green_circle: |

PPC64EL packages
| System | Build | Install | Deployment install | Upgrade | Uninstall | Alerts | TCP | UDP | Errors | Warnings | System users |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CentOS 7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| Debian Stretch | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |

OVA/AMI specific tests
System Filebeat test Cluster green/yellow Production repositories UI Access No SSH root access SSH user access Wazuh dashboard/APP version Dashboard/Indexer VERSION file
OVA :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle:
AMI :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle: :green_circle:

Status legend: :black_circle: - Pending/In progress :white_circle: - Skipped :red_circle: - Rejected :yellow_circle: - Ready to review :green_circle: - Approved


Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.


jnasselle commented 1 year ago

Analysis report - AIX :green_circle:

System info

```
bash-4.4$ hostname
soaxp078
bash-4.4$ uname -a
AIX soaxp078 1 6 00CADA644C00
```
Build :green_circle: [aix-4.4.0-rc2-compilation.log](https://github.com/wazuh/wazuh/files/11017316/aix-4.4.0-rc2-compilation.log)
Install :green_circle:

- Wazuh agent

```
bash-4.4$ curl -k -LO https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.4.0-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8261k  100 8261k    0     0  4473k      0  0:00:01  0:00:01 --:--:-- 4475k
bash-4.4$ ls
wazuh-agent-4.4.0-1.aix.ppc.rpm
bash-4.4$ rpm -qip wazuh-agent-4.4.0-1.aix.ppc.rpm
Name        : wazuh-agent                  Relocations: (not relocateable)
Version     : 4.4.0                             Vendor: Wazuh, Inc
Release     : 1                             Build Date: Mon Mar 20 04:49:54 2023
Install date: (not installed)               Build Host: soaxp078
Group       : System Environment/Daemons    Source RPM: wazuh-agent-4.4.0-1.src.rpm
Size        : 27755722                         License: GPL
Packager    : Wazuh, Inc
URL         : https://www.wazuh.com/
Summary     : The Wazuh agent, used for threat detection, incident response and integrity monitoring.
Description :
Wazuh is an open source security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
bash-4.4# WAZUH_MANAGER="xxx.xxx.xxx.xxx" rpm -ivh wazuh-agent-4.4.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# ps -ef | grep wazuh
    root  5636274        1   0 06:39:59      -  0:10 /var/ossec/bin/wazuh-syscheckd
    root  6094994        1   0 06:39:58      -  0:00 /var/ossec/bin/wazuh-execd
   wazuh  6422620        1   2 06:39:58      -  0:00 /var/ossec/bin/wazuh-agentd
    root  6750324        1   0 06:39:59      -  0:00 /var/ossec/bin/wazuh-logcollector
    root  7536892        1   1 06:40:00      -  0:00 /var/ossec/bin/wazuh-modulesd
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
bash-4.4# grep "tcp" /var/ossec/etc/ossec.conf
tcp
bash-4.4# prtconf
System Model: IBM,8231-E2D
Machine Serial Number: 06ADA64
Processor Type: PowerPC_POWER7
Processor Implementation Mode: POWER 7
Processor Version: PV_7_Compat
bash-4.4# grep wazuh /etc/group
wazuh:!:207:
```

- Wazuh server

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp078
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp078 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679314071

   Syscheck last started at:  Mon Mar 20 11:39:59 2023
   Syscheck last ended at:    Mon Mar 20 11:40:07 2023
```
Alerts :green_circle:

![image](https://user-images.githubusercontent.com/1791430/226335149-782ad500-ab4a-427f-b4bf-7ff7a0bb103f.png)
![image](https://user-images.githubusercontent.com/1791430/226335311-e4f1a642-c63b-404f-8b9b-8531acaba47e.png)
![image](https://user-images.githubusercontent.com/1791430/226335589-d44ecb25-0260-4335-8f69-779d509beef8.png)

```
[root@wazuh-server wazuh-user]# grep "1679313455.96078" /var/ossec/logs/alerts/alerts.json
{"timestamp":"2023-03-20T11:57:35.478+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"soaxp078"},"manager":{"name":"wazuh-server"},"id":"1679313455.96078","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"20173","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}
```

- TCP connection OK
- UDP connection OK

```
bash-4.4# grep "tcp" /var/ossec/logs/ossec.log
2023/03/20 06:39:49 wazuh-agentd: INFO: Trying to connect to server ([xxx.xxx.xxx.xxx]:1514/tcp).
2023/03/20 06:39:49 wazuh-agentd: INFO: (4102): Connected to the server ([xxx.xxx.xxx.xxx]:1514/tcp).
bash-4.4# grep "udp" /var/ossec/logs/ossec.log
2023/03/20 07:03:12 wazuh-agentd: INFO: Trying to connect to server ([xxx.xxx.xxx.xxx]:1514/udp).
2023/03/20 07:03:12 wazuh-agentd: INFO: (4102): Connected to the server ([xxx.xxx.xxx.xxx]:1514/udp).
```
Remove :red_circle:

```
bash-4.4# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty
bash-4.4# ps -ef | grep wazuh
bash-4.4# ls -l /var/ossec/
total 182408
-rw-------    1 root     system     93389432 Mar 20 06:39 core
drwxrwx---    3 208      207             256 Mar 20 07:06 etc
drwxr-x---    5 root     207             256 Mar 20 07:06 queue
bash-4.4# ls -la /var/ossec/core
-rw-------    1 root     system     93389432 Mar 20 06:39 /var/ossec/core
```

ERROR: It seems that during the uninstall procedure a core dump was generated by modulesd.
Upgrade 4.3.10 -> 4.4.0 :green_circle:

```
bash-4.4# curl -k -LO WAZUH_MANAGER="xxx.xxx.xxx.xxx" rpm -ivh wazuh-agent-4.3.10-1.aix.ppc.rpm^C
bash-4.4# curl -k -LO https://packages.wazuh.com/4.x/aix/wazuh-agent-4.3.10-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8080k  100 8080k    0     0  4739k      0  0:00:01  0:00:01 --:--:-- 4739k
bash-4.4# WAZUH_MANAGER="44.192.45.229" rpm -ivh wazuh-agent-4.3.10-1.aix.ppc.rpm
wazuh-agent                 ##################################################
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.10"
WAZUH_REVISION="40323"
WAZUH_TYPE="agent"
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
```

![image](https://user-images.githubusercontent.com/1791430/226356549-96077ed4-d892-464d-b295-d6bf679c2f70.png)

```
bash-4.4# curl -k -LO https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.4.0-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8261k  100 8261k    0     0  4753k      0  0:00:01  0:00:01 --:--:-- 4753k
bash-4.4# rpm -U wazuh-agent-4.4.0-1.aix.ppc.rpm
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
bash-4.4# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
bash-4.4# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
bash-4.4#
```

![image](https://user-images.githubusercontent.com/1791430/226357649-afb1216e-c06c-497e-8074-3aa0260e7269.png)
![image](https://user-images.githubusercontent.com/1791430/226359168-4d4d1bc3-44d4-4fd2-b7d6-767f62a1ca64.png)

Findings: Modulesd crash during AIX package uninstall #16469
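The checks the AIX report above performs by hand (agent connected over TCP/UDP, no ERROR/WARNING lines in ossec.log, version reported by wazuh-control, alert raised for the agent, clean removal with no core dump left behind) as reusable shell functions. This is an added example, not Wazuh's own tooling and not part of the RC report. Paths are parameters; on a real host they would be /var/ossec/logs/ossec.log, /var/ossec/logs/alerts/alerts.json and the saved output of /var/ossec/bin/wazuh-control info. The sample inputs at the bottom are constructed to resemble the quoted output; the 192.0.2.10 address and the ERROR line are invented.

```shell
#!/bin/sh
# Added example (not Wazuh project code): RC acceptance checks as shell functions.
# All paths are parameters so the functions run against the constructed samples below
# as well as against a real install prefix such as /var/ossec.

# Did wazuh-agentd finish connecting to the manager over the given protocol (tcp|udp)?
# The report's logs show the success line as "(4102): Connected to the server ([host]:1514/tcp)."
agent_connected() {
    # $1 = ossec.log path, $2 = tcp or udp
    grep -q "wazuh-agentd: INFO: (4102): Connected to the server (.*/$2)" "$1"
}

# The "Errors found" / "Warnings found" columns: the log must contain none of these levels.
log_is_clean() {
    # $1 = ossec.log path; a missing or unreadable log is not "clean"
    [ -r "$1" ] && ! grep -Eiq "ERROR|CRITICAL|FATAL|WARNING" "$1"
}

# Version string from saved `wazuh-control info` output (line: WAZUH_VERSION="v4.4.0").
wazuh_version() {
    # $1 = file holding the wazuh-control info output
    sed -n 's/^WAZUH_VERSION="\(.*\)"$/\1/p' "$1"
}

# Was alert $2 raised for agent $3? alerts.json holds one JSON object per line, so the
# alert id and the agent block of the same alert always sit on the same line.
alert_for_agent() {
    # $1 = alerts.json path, $2 = alert id (e.g. 1679313455.96078), $3 = agent name
    grep -F "\"id\":\"$2\"" "$1" | grep -q "\"agent\":{\"id\":\"[^\"]*\",\"name\":\"$3\""
}

# The "Remove" column: after uninstalling, the prefix should be gone, with no core dump
# left behind (the AIX run left /var/ossec/core) and no wazuh process still running.
removal_is_clean() {
    # $1 = install prefix, e.g. /var/ossec; prints what was left behind, returns 1 if anything
    rc=0
    if [ -d "$1" ]; then
        echo "leftover directory: $1"
        find "$1" -type f -name core | sed 's/^/core dump left: /'
        rc=1
    fi
    if command -v ps >/dev/null 2>&1 && ps -ef | grep -v grep | grep -q "$1/bin/wazuh-"; then
        echo "wazuh processes still running from $1"
        rc=1
    fi
    return $rc
}

# ---- constructed sample inputs (shaped like the report's output; ERROR line is made up) ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ossec.log" <<'EOF'
2023/03/20 06:39:49 wazuh-agentd: INFO: Trying to connect to server ([192.0.2.10]:1514/tcp).
2023/03/20 06:39:49 wazuh-agentd: INFO: (4102): Connected to the server ([192.0.2.10]:1514/tcp).
EOF
cat > "$SAMPLE_DIR/ossec-bad.log" <<'EOF'
2023/03/20 07:03:12 wazuh-agentd: INFO: Trying to connect to server ([192.0.2.10]:1514/udp).
2023/03/20 07:03:20 wazuh-agentd: ERROR: constructed sample error line, connection not established.
EOF
cat > "$SAMPLE_DIR/info.txt" <<'EOF'
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
EOF
# Trimmed copy of the SCA summary alert quoted in the AIX report.
cat > "$SAMPLE_DIR/alerts.json" <<'EOF'
{"timestamp":"2023-03-20T11:57:35.478+0000","rule":{"level":9,"id":"19005","groups":["sca"]},"agent":{"id":"001","name":"soaxp078"},"manager":{"name":"wazuh-server"},"id":"1679313455.96078","decoder":{"name":"sca"},"location":"sca"}
EOF
# A prefix that looks like the AIX machine after `rpm -e`: core file and a non-empty queue/.
mkdir -p "$SAMPLE_DIR/ossec-left/queue/fim/db"
: > "$SAMPLE_DIR/ossec-left/core"

# Run the checks against the samples and print one verdict line per check.
report() { if "$@" >/dev/null; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report agent_connected "$SAMPLE_DIR/ossec.log" tcp
report agent_connected "$SAMPLE_DIR/ossec-bad.log" udp
report log_is_clean "$SAMPLE_DIR/ossec.log"
report log_is_clean "$SAMPLE_DIR/ossec-bad.log"
echo "version: $(wazuh_version "$SAMPLE_DIR/info.txt")"
report alert_for_agent "$SAMPLE_DIR/alerts.json" 1679313455.96078 soaxp078
report removal_is_clean "$SAMPLE_DIR/ossec-left"
report removal_is_clean "$SAMPLE_DIR/does-not-exist"
```

On a real agent, run `agent_connected /var/ossec/logs/ossec.log tcp` before switching the protocol and again with `udp` after the restart, and `removal_is_clean /var/ossec` after `rpm -e wazuh-agent`; the latter is what would have flagged the leftover core file in the AIX run.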

jnasselle commented 1 year ago

Analysis report - HP-UX :green_circle:

System info

```
# model
ia64 hp server Integrity Virtual Machine
# uname -a
HP-UX sovmh313 B.11.31 U ia64 2063415234 unlimited-user license
```
Build :green_circle: [hpux-4.4.0-rc2-compilation.log](https://github.com/wazuh/wazuh/files/11028649/hpux-4.4.0-rc2-compilation.log)
Install :red_circle:

- Wazuh agent

```
# curl -k -L -O https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.4.0-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.7M  100 20.7M    0     0  1180k      0  0:00:18  0:00:18 --:--:-- 1673k
```

```
# groupadd wazuh
# useradd -G wazuh wazuh
# tar -xvf wazuh-agent-4.4.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1631088 bytes, 3186 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2124792 bytes, 4150 tape blocks
x /var/ossec/bin/wazuh-execd, 1493904 bytes, 2918 tape blocks
x /var/ossec/bin/manage_agents, 440504 bytes, 861 tape blocks
x /var/ossec/bin/wazuh-control, 7148 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1489776 bytes, 2910 tape blocks
x /var/ossec/bin/wazuh-agentd, 1632604 bytes, 3189 tape blocks
x /var/ossec/bin/agent-auth, 441292 bytes, 862 tape blocks
x /var/ossec/lib/libwazuhext.so, 9738588 bytes, 19021 tape blocks
x /var/ossec/lib/libwazuhshared.so, 290356 bytes, 568 tape blocks
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86153 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 175795 bytes, 344 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6018 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 14685 bytes, 29 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1841 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4661 bytes, 10 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 5524 bytes, 11 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4453 bytes, 9 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4705 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 37349 bytes, 73 tape blocks
x /var/ossec/wodles/azure/orm.py, 7007 bytes, 14 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14012 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4855 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 74444 bytes, 146 tape blocks
x /var/ossec/active-response/bin/pf, 74040 bytes, 145 tape blocks
x /var/ossec/active-response/bin/npf, 73972 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ipfw, 74028 bytes, 145 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 74052 bytes, 145 tape blocks
x /var/ossec/active-response/bin/disable-account, 73932 bytes, 145 tape blocks
x /var/ossec/active-response/bin/host-deny, 74152 bytes, 145 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 73888 bytes, 145 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 73680 bytes, 144 tape blocks
x /var/ossec/active-response/bin/route-null, 73868 bytes, 145 tape blocks
x /var/ossec/active-response/bin/kaspersky, 73728 bytes, 144 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 73960 bytes, 145 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
```

```
# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
```

- Wazuh server

```
/var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: sovmh313
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh313 |B.11.31 |U |ia64
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679325945

   Syscheck last started at:  Mon Mar 20 15:20:45 2023
   Syscheck last ended at:    Mon Mar 20 15:21:36 2023
```

```
# grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
```

**ERROR:** `tar -xvf wazuh-agent-4.4.0-1-hpux-11v3-ia64.tar -C /` is not working despite following the `tar` documentation. An issue will be created.
Alerts :green_circle:

- TCP

```
# grep "tcp" /var/ossec/logs/ossec.log
2023/03/20 10:20:40 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/tcp).
2023/03/20 10:20:40 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/tcp).
```

```json
# grep "1679325942.340618" /var/ossec/logs/alerts/alerts.json
{"timestamp":"2023-03-20T15:25:42.127+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"sovmh313"},"manager":{"name":"wazuh-server"},"id":"1679325942.340618","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}
```

- UDP

```
# grep "udp" /var/ossec/logs/ossec.log
2023/03/20 10:40:18 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/udp).
2023/03/20 10:40:18 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/udp).
```
Remove :green_circle: Removing the folder is enough to remove the agent
Upgrade 4.3.10 -> 4.4.0 :green_circle: There is no upgrade as such in HP-UX.
Users and groups :green_circle:

```
# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
# cat /etc/group | grep wazuh
wazuh::105:wazuh
```

Findings: HP-UX agent install guide silently failing due to a buggy tar command parameter #5976

rauldpm commented 1 year ago

Analysis report - OVA

Agent info

```
[root@centos7 vagrant]# wget https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.4.0-1.x86_64.rpm
--2023-03-20 16:18:23--  https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.4.0-1.x86_64.rpm
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 52.84.66.124, 52.84.66.16, 52.84.66.126, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|52.84.66.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8957875 (8.5M) [application/x-rpm]
Saving to: ‘wazuh-agent-4.4.0-1.x86_64.rpm’

100%[==========================================>] 8,957,875   6.45MB/s   in 1.3s

2023-03-20 16:18:25 (6.45 MB/s) - ‘wazuh-agent-4.4.0-1.x86_64.rpm’ saved [8957875/8957875]

[root@centos7 vagrant]# yum localinstall wazuh-agent-4.4.0-1.x86_64.rpm -y
Loaded plugins: fastestmirror
Examining wazuh-agent-4.4.0-1.x86_64.rpm: wazuh-agent-4.4.0-1.x86_64
Marking wazuh-agent-4.4.0-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.x86_64 0:4.4.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch       Version       Repository                        Size
================================================================================
Installing:
 wazuh-agent    x86_64     4.4.0-1       /wazuh-agent-4.4.0-1.x86_64       25 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 25 M
Installed size: 25 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.4.0-1.x86_64                                   1/1
  Verifying  : wazuh-agent-4.4.0-1.x86_64                                   1/1

Installed:
  wazuh-agent.x86_64 0:4.4.0-1

Complete!
[root@centos7 vagrant]# nano /var/ossec/etc/ossec.conf
[root@centos7 vagrant]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@centos7 vagrant]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
```

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: centos7
   IP address: any
   Status:     Active

   Operating system:    Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679329269

   Syscheck last started at:  Mon Mar 20 16:19:50 2023
   Syscheck last ended at:    Mon Mar 20 16:19:52 2023
```
OVA - Check Wazuh agent connection

```
[root@wazuh-server wazuh-user]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@wazuh-server wazuh-user]# grep "tcp" /var/ossec/etc/ossec.conf
tcp
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: centos7
   IP address: any
   Status:     Active

   Operating system:    Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679329299

   Syscheck last started at:  Mon Mar 20 16:19:50 2023
   Syscheck last ended at:    Mon Mar 20 16:19:52 2023

[root@wazuh-server wazuh-user]# grep -i -E "tcp" /var/ossec/logs/ossec.log
2023/03/16 17:00:31 wazuh-remoted: INFO: Started (pid: 5864). Listening on port 1514/TCP (secure).
2023/03/20 16:01:05 wazuh-remoted: INFO: Started (pid: 1714). Listening on port 1514/TCP (secure).
[root@wazuh-server wazuh-user]# nano /var/ossec/etc/ossec.conf
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/03/20 16:23:01 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.
[root@wazuh-server wazuh-user]# grep "udp" /var/ossec/etc/ossec.conf
udp
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: centos7
   IP address: any
   Status:     Active

   Operating system:    Linux |centos7 |3.10.0-1127.el7.x86_64 |#1 SMP Tue Mar 31 23:36:51 UTC 2020 |x86_64
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679329448

   Syscheck last started at:  Mon Mar 20 16:23:59 2023
   Syscheck last ended at:    Mon Mar 20 16:24:01 2023

[root@wazuh-server wazuh-user]# grep -i -E "udp" /var/ossec/logs/ossec.log
2023/03/20 16:23:03 wazuh-remoted: INFO: Started (pid: 9558). Listening on port 1514/UDP (secure).
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
[root@wazuh-server wazuh-user]#
```
Wazuh processes

```
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   423     1  0 16:00 ?        00:00:11 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       472     1  0 16:00 ?        00:00:00 login -- wazuh-user
root       901     1  0 16:00 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+   995     1  4 16:00 ?        00:01:05 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3990m -Xmx3990m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-11617696194596619042 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2091909120 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-u+  2111   472  0 16:01 tty1     00:00:00 -bash
root      3513  3411  0 16:11 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  3517  3513  0 16:11 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  3518  3517  0 16:11 pts/0    00:00:00 -bash
wazuh     9385     1  3 16:23 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      9425     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh     9439     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-db
wazuh     9454  9385  0 16:23 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh     9457  9385  0 16:23 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root      9470     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     9482     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-analysisd
root      9544     1  7 16:23 ?        00:00:08 /var/ossec/bin/wazuh-syscheckd
wazuh     9558     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root      9592     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh     9641     1  0 16:23 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root      9651     1  1 16:23 ?        00:00:02 /var/ossec/bin/wazuh-modulesd
root     10913  9143  0 16:25 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing wazuh-monitord...
Killing wazuh-logcollector...
Killing wazuh-remoted...
Killing wazuh-syscheckd...
Killing wazuh-analysisd...
wazuh-maild not running...
Killing wazuh-execd...
Killing wazuh-db...
Killing wazuh-authd...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
Killing wazuh-apid...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/03/20 16:25:17 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   423     1  0 16:00 ?        00:00:11 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       472     1  0 16:00 ?        00:00:00 login -- wazuh-user
root       901     1  0 16:00 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+   995     1  4 16:00 ?        00:01:05 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3990m -Xmx3990m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-11617696194596619042 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2091909120 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-u+  2111   472  0 16:01 tty1     00:00:00 -bash
root      3513  3411  0 16:11 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  3517  3513  0 16:11 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  3518  3517  0 16:11 pts/0    00:00:00 -bash
wazuh    11094     1 39 16:25 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     11134     1  0 16:25 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh    11148     1  1 16:25 ?        00:00:00 /var/ossec/bin/wazuh-db
wazuh    11163 11094  0 16:25 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    11166 11094  0 16:25 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     11179     1  0 16:25 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    11191     1  5 16:25 ?        00:00:00 /var/ossec/bin/wazuh-analysisd
root     11253     1 31 16:25 ?        00:00:02 /var/ossec/bin/wazuh-syscheckd
wazuh    11268     1  0 16:25 ?        00:00:00 /var/ossec/bin/wazuh-remoted
root     11299     1  0 16:25 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
wazuh    11356     1  0 16:25 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     11395     1 39 16:25 ?        00:00:01 /var/ossec/bin/wazuh-modulesd
root     11937  9143  0 16:25 pts/0    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# service wazuh-manager restart
Restarting wazuh-manager (via systemctl):                  [  OK  ]
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
wazuh-d+   423     1  0 16:00 ?        00:00:11 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root       472     1  0 16:00 ?        00:00:00 login -- wazuh-user
root       901     1  0 16:00 ?        00:00:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+   995     1  4 16:00 ?        00:01:05 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3990m -Xmx3990m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-11617696194596619042 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2091909120 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-u+  2111   472  0 16:01 tty1     00:00:00 -bash
root      3513  3411  0 16:11 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  3517  3513  0 16:11 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  3518  3517  0 16:11 pts/0    00:00:00 -bash
wazuh    12271     1 49 16:25 ?        00:00:04 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     12311     1  0 16:25 ?        00:00:00 /var/ossec/bin/wazuh-authd
wazuh    12325     1  1 16:25 ?        00:00:00 /var/ossec/bin/wazuh-db
wazuh    12340 12271  0 16:25 ?
```
00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py wazuh 12343 12271 0 16:25 ? 00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py root 12356 1 0 16:25 ? 00:00:00 /var/ossec/bin/wazuh-execd wazuh 12368 1 6 16:25 ? 00:00:00 /var/ossec/bin/wazuh-analysisd root 12430 1 39 16:25 ? 00:00:02 /var/ossec/bin/wazuh-syscheckd wazuh 12447 1 0 16:25 ? 00:00:00 /var/ossec/bin/wazuh-remoted root 12512 1 0 16:25 ? 00:00:00 /var/ossec/bin/wazuh-logcollector wazuh 12529 1 0 16:25 ? 00:00:00 /var/ossec/bin/wazuh-monitord root 12541 1 38 16:25 ? 00:00:01 /var/ossec/bin/wazuh-modulesd root 13085 9143 0 16:25 pts/0 00:00:00 grep --color=auto wazuh [root@wazuh-server wazuh-user]# ```
Versions

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.4.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.4.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.4.1",
  "branch": "2.4",
  "build": {
    "number": 44004,
    "sha": "ea36827cdedf1e726e7cb8315ffc49f73f9b4eb7",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "14.20.0"
  }
}
[root@wazuh-server wazuh-user]#
```
OVA - Users

```
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:996:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:995:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:994:991::/usr/share/wazuh-dashboard/:/sbin/nologin
```
OVA - WUI

- Loading screen OK
- Login screen OK
- Light/dark mode OK
- Credentials admin:admin OK

![1](https://user-images.githubusercontent.com/14913942/226407331-25e3929a-2cd7-47f3-9cc2-a4568e124465.png)
![2](https://user-images.githubusercontent.com/14913942/226407333-fc11cd5c-1c0b-42c7-bbe3-53fc86437dd0.png)
![3](https://user-images.githubusercontent.com/14913942/226407338-4d93e0f8-4abd-49b6-abd0-def0bbaca3ae.png)
![4](https://user-images.githubusercontent.com/14913942/226407349-89965a1a-d793-4ebe-a895-fd68514f0ca8.png)
OVA - Logs
  • Wazuh dashboard - journalctl - Certificate errors reported at https://github.com/wazuh/wazuh-packages/issues/2106

```
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard.service | grep -i -E "error|critical|warning|fatal"
Mar 20 16:30:00 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:30:00Z","tags":["error","opensearch","data"],"pid":423,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.12w/FHuAu0PJQcO0mTcZGNyX4A] already exists"}
Mar 20 16:28:07 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:07Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:28:07 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:07Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:28:07 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:07Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:28:07 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:07Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:28:07 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:07Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:28:07 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:07Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:28:02 wazuh-server opensearch-dashboards[423]: {"type":"error","@timestamp":"2023-03-20T16:28:02Z","tags":["connection","client","error"],"pid":423,"level":"error","error":{"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"140176704063360:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Mar 20 16:01:21 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:21Z","tags":["error","opensearch","data"],"pid":423,"message":"[ResponseError]: Response Error"}
Mar 20 16:01:18 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:18Z","tags":["error","opensearch","data"],"pid":423,"message":"[ResponseError]: Response Error"}
Mar 20 16:01:16 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:16Z","tags":["error","opensearch","data"],"pid":423,"message":"[ResponseError]: Response Error"}
Mar 20 16:01:13 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:13Z","tags":["error","opensearch","data"],"pid":423,"message":"[ResponseError]: Response Error"}
Mar 20 16:01:11 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:11Z","tags":["error","opensearch","data"],"pid":423,"message":"[ResponseError]: Response Error"}
Mar 20 16:01:08 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:08Z","tags":["error","opensearch","data"],"pid":423,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Mar 20 16:01:06 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:05Z","tags":["error","opensearch","data"],"pid":423,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Mar 20 16:01:03 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:03Z","tags":["error","opensearch","data"],"pid":423,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Mar 20 16:01:01 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:01:00Z","tags":["error","opensearch","data"],"pid":423,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Mar 20 16:00:58 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:00:58Z","tags":["error","opensearch","data"],"pid":423,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Mar 20 16:00:56 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:00:56Z","tags":["error","savedobjects-service"],"pid":423,"message":"Unable to retrieve version information from OpenSearch nodes."}
Mar 20 16:00:56 wazuh-server opensearch-dashboards[423]: {"type":"log","@timestamp":"2023-03-20T16:00:56Z","tags":["error","opensearch","data"],"pid":423,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
```
  • Wazuh indexer - journalctl - Warnings reported at https://github.com/wazuh/wazuh-packages/issues/2046

```
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer.service | grep -i -E "error|critical|warning|fatal"
Mar 20 16:00:59 wazuh-server systemd-entrypoint[995]: WARNING: System::setSecurityManager will be removed in a future release
Mar 20 16:00:59 wazuh-server systemd-entrypoint[995]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 20 16:00:59 wazuh-server systemd-entrypoint[995]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Mar 20 16:00:59 wazuh-server systemd-entrypoint[995]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 20 16:00:58 wazuh-server systemd-entrypoint[995]: WARNING: System::setSecurityManager will be removed in a future release
Mar 20 16:00:58 wazuh-server systemd-entrypoint[995]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 20 16:00:58 wazuh-server systemd-entrypoint[995]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Mar 20 16:00:58 wazuh-server systemd-entrypoint[995]: WARNING: A terminally deprecated method in java.lang.System has been called
```
  • Wazuh indexer - /var/log/wazuh-indexer - Securityadmin errors reported at https://github.com/wazuh/wazuh-packages/issues/2095

```
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:00:59,672][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-11617696194596619042, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:06,240][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:08,806][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:11,124][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:11,142][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:11,147][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:11,150][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:13,547][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:13,550][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:13,553][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:13,555][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:16,051][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:16,054][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:16,057][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:16,059][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:18,552][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:18,554][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:18,555][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:18,557][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:20,386][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:21,057][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:21,066][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:21,072][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T16:01:21,077][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:00:59,672Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3990m, -Xmx3990m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-11617696194596619042, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2091909120, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:06,240Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:08,806Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:11,124Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:11,142Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:11,147Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:11,150Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:13,547Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:13,550Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:13,553Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:13,555Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:16,051Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:16,054Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:16,057Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:16,059Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:18,552Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:18,554Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:18,555Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:18,557Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:20,386Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:21,057Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:21,066Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:21,072Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T16:01:21,077Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "7x_17bsSSkek6cVku7ZRqQ", "node.id": "WZ0TQIwoQpSxNkCa3O_FKQ" }
```
  • Wazuh server - /var/ossec/logs
```
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log > ossec_grep.log
[root@wazuh-server wazuh-user]# ls -l ossec_grep.log
-rw-r--r--. 1 root root 0 Mar 20 16:32 ossec_grep.log
[root@wazuh-server wazuh-user]# cat ossec_grep.log
[root@wazuh-server wazuh-user]#
```

OVA - Filebeat test
```
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```
OVA - Wazuh indexer cluster
```
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "7x_17bsSSkek6cVku7ZRqQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           17          82   1    0.01    0.07     0.08 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
```
jnasselle commented 1 year ago

Analysis report - Solaris 11 SPARC :green_circle:

System info
```
root@sossp166:~# cat /etc/release
                             Oracle Solaris 11.3 SPARC
  Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                            Assembled 06 October 2015
```
Build :green_circle: [solaris11sparc-4.4.0-rc2-compilation.log](https://github.com/wazuh/wazuh/files/11028669/solaris11sparc-4.4.0-rc2-compilation.log)
Install :green_circle:
- Wazuh agent
```
root@sossp166:~# wget https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.4.0-sol11-sparc.p5p
--2023-03-20 12:47:05--  https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.4.0-sol11-sparc.p5p
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 54.230.163.42, 54.230.163.112, 54.230.163.59, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|54.230.163.42|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6195200 (5.9M) [binary/octet-stream]
Saving to: ‘wazuh-agent_v4.4.0-sol11-sparc.p5p’

wazuh-agent_v4.4.0- 100%[=====================>]   5.91M  3.73MB/s    in 1.6s

2023-03-20 12:47:07 (3.73 MB/s) - ‘wazuh-agent_v4.4.0-sol11-sparc.p5p’ saved [6195200/6195200]

root@sossp166:~# pkg install -g wazuh-agent_v4.4.0-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         97/97      5.6/5.6  32.4M/s

PHASE                                          ITEMS
Installing new actions                       150/150
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
```
```
root@sossp166:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
root@sossp166:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp166:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@sossp166:~#
```
- Wazuh server
```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sossp166
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp166 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679333837

   Syscheck last started at:  Mon Mar 20 17:52:03 2023
   Syscheck last ended at:    Mon Mar 20 17:52:19 2023
```
![image](https://user-images.githubusercontent.com/1791430/219105907-a74a6e18-5203-4ef2-aa91-a4445cc28cea.png)
Alert :green_circle:
- TCP
```
root@sossp166:/export/home# grep "tcp" /var/ossec/logs/ossec.log
2023/03/20 12:51:55 wazuh-agentd: INFO: Trying to connect to server ([xxx.xxx.xxx.xxx]:1514/tcp).
2023/03/20 12:51:55 wazuh-agentd: INFO: (4102): Connected to the server ([xxx.xxx.xxx.xxx]:1514/tcp).
```
```json
{"timestamp":"2023-02-15T17:21:02.501+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":4,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"sossp534","ip":"192.168.253.34"},"manager":{"name":"wazuh-server"},"id":"1676481662.162092","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}
```
```
root@sossp166:/export/home# /usr/xpg4/bin/grep -Ei "ERROR|CRITICAL|FATAL|WARNING" /var/ossec/logs/ossec.log
root@sossp166
```
- UDP
```
root@sossp166:/export/home# grep "udp" /var/ossec/logs/ossec.log
2023/03/20 13:05:52 wazuh-agentd: INFO: Trying to connect to server ([xxx.xxx.xxx.xxx]:1514/udp).
2023/03/20 13:05:52 wazuh-agentd: INFO: (4102): Connected to the server ([xxx.xxx.xxx.xxx]:1514/udp).
```
Remove :green_circle:
```
root@sossp166:/export/home# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         194/194
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20230320T131118Z
  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20230320T131119Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20230320T131119Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20230320T131119Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20230320T131119Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20230320T131119Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20230320T131119Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20230320T131119Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20230320T131119Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20230320T131119Z
```
```
root@sossp166:/export/home# ls -la /var/ossec
/var/ossec: No such file or directory
```
Upgrade 4.3.10 -> 4.4.0 :green_circle:
```
root@sossp166:~# groupdel wazuh
root@sossp166:/export/home# wget https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.3.10-sol11-sparc.p5p
--2023-03-20 13:14:27--  https://packages.wazuh.com/4.x/solaris/sparc/11/wazuh-agent_v4.3.10-sol11-sparc.p5p
Resolving packages.wazuh.com (packages.wazuh.com)... 99.86.229.57, 99.86.229.76, 99.86.229.65, ...
Connecting to packages.wazuh.com (packages.wazuh.com)|99.86.229.57|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6215680 (5.9M) [binary/octet-stream]
Saving to: ‘wazuh-agent_v4.3.10-sol11-sparc.p5p’

wazuh-agent_v4.3.10-sol11-sparc.p5p 100%[=======================================================================================================================>]   5.93M  4.48MB/s    in 1.3s

2023-03-20 13:14:29 (4.48 MB/s) - ‘wazuh-agent_v4.3.10-sol11-sparc.p5p’ saved [6215680/6215680]

root@sossp166:/export/home#
root@sossp166:/export/home# groupdel wazuh
root@sossp166:/export/home# pkg install -g wazuh-agent_v4.3.10-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         92/92      5.6/5.6  33.6M/s

PHASE                                          ITEMS
Installing new actions                       144/144
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@sossp166:/export/home# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.10"
WAZUH_REVISION="40323"
WAZUH_TYPE="agent"
root@sossp166:/export/home# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp166:~# pkg install -g wazuh-agent_v4.4.0-sol11-sparc.p5p wazuh-agent
            Packages to update:  1
       Create boot environment: No
Create backup boot environment: Yes

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         42/42      5.5/5.5  54.4M/s

PHASE                                          ITEMS
Installing new actions                           6/6
Updating modified actions                      40/40
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2
root@sossp166:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
root@sossp166:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
```
Users and groups :green_circle:
```
root@sossp166:/export/home# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp166:/export/home# cat /etc/group | grep wazuh
wazuh::13:
```
rauldpm commented 1 year ago

Analysis report - Solaris 10 SPARC

Build [build.log](https://github.com/wazuh/wazuh/files/11028826/build.log)
Install
```
# pkgadd -d wazuh-agent_v4.4.0-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.
                     (sparc) 4.4.0

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance from

Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.(sparc) 4.4.0
Wazuh, Inc
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of [y,n,?] y

Installing Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection. as

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt 
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/librsync.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure/orm.py /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. # vi /var/ossec/etc/ossec.conf xterm-256color: Unknown terminal type I don't know what kind of terminal you are on - all I have is 'xterm-256color'. [Using open mode] "/var/ossec/etc/ossec.conf" 199 lines, 5542 characters
44.200.143.84
:wq
"/var/ossec/etc/ossec.conf" 199 lines, 5545 characters
# grep "tcp" /var/ossec/etc/ossec.conf
tcp
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# hostname
sossp176
# ps -ef | grep wazuh
    root    84 29304   0 19:04:46 pts/1       0:00 grep wazuh
    root 29646     1   0 19:02:10 ?           0:00 /var/ossec/bin/wazuh-execd
    root 29685     1   0 19:02:14 ?           0:08 /var/ossec/bin/wazuh-modulesd
    root 29668     1  47 19:02:12 ?           2:35 /var/ossec/bin/wazuh-syscheckd
   wazuh 29656     1   0 19:02:11 ?           0:03 /var/ossec/bin/wazuh-agentd
    root 29678     1   0 19:02:14 ?           0:00 /var/ossec/bin/wazuh-logcollector
# grep "ERROR" /var/ossec/logs/ossec.log
# grep "CRITICAL" /var/ossec/logs/ossec.log
# grep "FATAL" /var/ossec/logs/ossec.log
# grep "WARNING" /var/ossec/logs/ossec.log
#
```
```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: sossp176
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp176 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679335442

   Syscheck last started at:  Tue Mar 21 00:02:12 2023
   Syscheck last ended at:    Tue Mar 21 00:03:05 2023
```
```
** Alert 1679335413.64107: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2023 Mar 20 18:03:33 (sossp176) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /tmp/.X11-pipe/X0
```
User and group
```
# cat /etc/passwd | grep wazuh
wazuh:x:60540:57447::/var/ossec:/bin/false
# cat /etc/group | grep wazuh
wazuh::57447:
```
TCP/UDP
```
# cat /var/ossec/logs/ossec.log | grep tcp
2023/03/20 19:02:05 wazuh-agentd: INFO: Trying to connect to server ([44.200.143.84]:1514/tcp).
2023/03/20 19:02:05 wazuh-agentd: INFO: (4102): Connected to the server ([44.200.143.84]:1514/tcp).
2023/03/20 19:02:11 wazuh-agentd: INFO: Trying to connect to server ([44.200.143.84]:1514/tcp).
2023/03/20 19:02:11 wazuh-agentd: INFO: (4102): Connected to the server ([44.200.143.84]:1514/tcp).
```
```
# vi /var/ossec/etc/ossec.conf
xterm-256color: Unknown terminal type
I don't know what kind of terminal you are on - all I have is 'xterm-256color'.
[Using open mode]
"/var/ossec/etc/ossec.conf" 199 lines, 5545 characters
44.200.143.84
1514
udp
:wq
"/var/ossec/etc/ossec.conf" 199 lines, 5545 characters
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# grep "udp" /var/ossec/etc/ossec.conf
udp
# cat /var/ossec/logs/ossec.log | grep udp
2023/03/20 19:08:11 wazuh-agentd: INFO: Trying to connect to server ([44.200.143.84]:1514/udp).
2023/03/20 19:08:11 wazuh-agentd: INFO: (4102): Connected to the server ([44.200.143.84]:1514/udp).
```
Remove ``` # pkgrm wazuh-agent The following package is currently installed: wazuh-agent Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection. (sparc) 4.4.0 Do you want to remove this package? [y,n,?,q] y ## Removing installed package instance This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue with the removal of this package [y,n,?,q] y ## Verifying package dependencies in global zone ## Processing package information. ## Executing preremove script. Killing wazuh-modulesd... Killing wazuh-logcollector... Killing wazuh-syscheckd... Killing wazuh-agentd... Killing wazuh-execd... Wazuh v4.4.0 Stopped ## Removing pathnames in class /var/ossec/wodles/utils.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/pubsub /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets /var/ossec/wodles/gcloud /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/docker /var/ossec/wodles/azure/orm.py /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws /var/ossec/wodles/__init__.py /var/ossec/wodles /var/ossec/var/wodles /var/ossec/var/upgrade /var/ossec/var/selinux /var/ossec/var/run /var/ossec/var/incoming /var/ossec/var /var/ossec/tmp /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/ruleset/sca /var/ossec/ruleset /var/ossec/queue/syscollector/norm_config.json /var/ossec/queue/syscollector/db /var/ossec/queue/syscollector /var/ossec/queue/sockets /var/ossec/queue/rids /var/ossec/queue/logcollector /var/ossec/queue/fim/db /var/ossec/queue/fim /var/ossec/queue/diff /var/ossec/queue/alerts /var/ossec/queue /var/ossec/logs/wazuh 
/var/ossec/logs/ossec.log /var/ossec/logs/ossec.json /var/ossec/logs/active-responses.log /var/ossec/logs /var/ossec/lib/libwazuhshared.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libsyscollector.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/librsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/libdbsync.so /var/ossec/lib /var/ossec/etc/wpk_root.pem /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared /var/ossec/etc/ossec.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/client.keys /var/ossec/etc/TIMEZONE /var/ossec/etc /var/ossec/bin/wazuh-syscheckd /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-agentd /var/ossec/bin/manage_agents /var/ossec/bin/agent-auth /var/ossec/bin /var/ossec/backup /var/ossec/agentless/su.exp /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/ssh_nopass.exp 
/var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/main.exp /var/ossec/agentless /var/ossec/active-response/bin/wazuh-slack /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin /var/ossec/active-response /var/ossec/.ssh /var/ossec /etc/rc3.d/S97wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/init.d/wazuh-agent ## Executing postremove script. ## Updating system information. Removal of was successful. 
# ps -ef | grep wazuh
    root   895 29304   0 19:10:48 pts/1       0:00 grep wazuh
# ls -l /var/ossec/
total 6
drwxrwx---   3 60540    57447          3 Mar 20 19:10 etc
drwxr-x---   8 root     57447          8 Mar 20 19:10 queue
# ls -l /var/ossec/etc/
total 3
drwxrwx---   2 root     57447          5 Mar 20 19:10 shared
# ls -l /var/ossec/etc/shared/
total 1801
-rw-r--r--   1 60540    57447         76 Mar 20 19:02 agent.conf
-rw-r--r--   1 60540    57447        228 Mar 20 19:02 ar.conf
-rw-r--r--   1 60540    57447     899315 Mar 20 19:02 merged.mg
# ls -l /var/ossec/queue/
total 18
drwxrwx---   2 60540    57447          4 Mar 20 19:08 alerts
drwxr-x---   3 60540    57447          3 Mar 20 19:00 fim
drwxr-x---   2 60540    57447          3 Mar 20 19:01 logcollector
drwxr-x---   2 60540    57447          4 Mar 20 19:02 rids
drwxrwx---   2 60540    57447         10 Mar 20 19:08 sockets
drwxr-x---   3 60540    57447          3 Mar 20 19:10 syscollector
```
- Uninstall unwanted files reported at https://github.com/wazuh/wazuh-packages/issues/2099
Upgrade
```
# pkgadd -d wazuh-agent_v4.3.10-sol10-sparc.pkg

The following packages are available:
  1  wazuh-agent     Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.
                     (sparc) 4.3.10

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance from

Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.(sparc) 4.3.10
Wazuh, Inc
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of [y,n,?] y

Installing Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection. as

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt 
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/librsync.so /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. # vi /var/ossec/etc/ossec.conf xterm-256color: Unknown terminal type I don't know what kind of terminal you are on - all I have is 'xterm-256color'. [Using open mode] "/var/ossec/etc/ossec.conf" 199 lines, 5541 characters
44.200.143.84
:wq
"/var/ossec/etc/ossec.conf" 199 lines, 5544 characters
# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
# ps -ef | grep wazuh
    root  1172 29304   0 19:17:04 pts/1       0:00 grep wazuh
    root  1146     1   0 19:17:01 ?           0:00 /var/ossec/bin/wazuh-execd
    root  1066  1062   1 19:16:59 ?           0:00 /usr/xpg4/bin/sh /var/ossec/bin/wazuh-control restart
    root  1168     1   1 19:17:03 ?           0:00 /var/ossec/bin/wazuh-syscheckd
   wazuh  1156     1   0 19:17:02 ?           0:00 /var/ossec/bin/wazuh-agentd
```
```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: sossp176
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp176 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.3.10
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679336283

   Syscheck last started at:  Tue Mar 21 00:17:03 2023 (Scan in progress)
   Syscheck last ended at:    Unknown
```
```
#
# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.3.10 Stopped
# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
# cp /var/ossec/etc/client.keys ~/client.keys.bk
# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.
                (sparc) 4.3.10

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package dependencies in global zone
## Processing package information.
## Executing preremove script. wazuh-modulesd not running... wazuh-logcollector not running... wazuh-syscheckd not running... wazuh-agentd not running... wazuh-execd not running... Wazuh v4.3.10 Stopped ## Removing pathnames in class /var/ossec/wodles/utils.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/pubsub /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets /var/ossec/wodles/gcloud /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/docker /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/aws /var/ossec/wodles/__init__.py /var/ossec/wodles /var/ossec/var/wodles /var/ossec/var/upgrade /var/ossec/var/selinux /var/ossec/var/run /var/ossec/var/incoming /var/ossec/var /var/ossec/tmp /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/ruleset/sca /var/ossec/ruleset /var/ossec/queue/syscollector/norm_config.json /var/ossec/queue/syscollector/db /var/ossec/queue/syscollector /var/ossec/queue/sockets /var/ossec/queue/rids /var/ossec/queue/logcollector /var/ossec/queue/fim/db /var/ossec/queue/fim /var/ossec/queue/diff /var/ossec/queue/alerts /var/ossec/queue /var/ossec/logs/wazuh /var/ossec/logs/ossec.log /var/ossec/logs/ossec.json /var/ossec/logs/active-responses.log /var/ossec/logs /var/ossec/lib/libwazuhshared.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libsyscollector.so /var/ossec/lib/librsync.so /var/ossec/lib/libdbsync.so /var/ossec/lib /var/ossec/etc/wpk_root.pem /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt 
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared /var/ossec/etc/ossec.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/internal_options.conf /var/ossec/etc/client.keys /var/ossec/etc/TIMEZONE /var/ossec/etc /var/ossec/bin/wazuh-syscheckd /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-agentd /var/ossec/bin/manage_agents /var/ossec/bin/agent-auth /var/ossec/bin /var/ossec/backup /var/ossec/agentless/su.exp /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/main.exp /var/ossec/agentless /var/ossec/active-response/bin/wazuh-slack /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/ip-customblock 
/var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin /var/ossec/active-response /var/ossec/.ssh /var/ossec /etc/rc3.d/S97wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/init.d/wazuh-agent ## Executing postremove script. wazuh:x:60540:57447::/var/ossec:/bin/false wazuh::57447: ## Updating system information. Removal of was successful. # pkgadd -d wazuh-agent_v4.4.0-sol10-sparc.pkg wazuh-agent Processing package instance from Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.(sparc) 4.4.0 Wazuh, Inc ## Executing checkinstall script. ## Processing package information. ## Processing system information. ## Verifying disk space requirements. ## Checking for conflicts with packages already installed. The following files are already installed on the system and are being used by another package: * /var/ossec * /var/ossec/etc * /var/ossec/etc/shared * /var/ossec/queue * /var/ossec/queue/alerts * /var/ossec/queue/fim * /var/ossec/queue/fim/db * /var/ossec/queue/logcollector * /var/ossec/queue/rids * /var/ossec/queue/sockets * /var/ossec/queue/syscollector * /var/ossec/queue/syscollector/db * - conflict with a file which does not belong to any package. Do you want to install these conflicting files [y,n,?,q] y ## Checking for setuid/setgid programs. This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with the installation of [y,n,?] y Installing Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection. as ## Executing preinstall script. ## Installing part 1 of 1. 
/etc/init.d/wazuh-agent /etc/rc2.d/S97wazuh-agent /etc/rc3.d/S97wazuh-agent /var/ossec/active-response/bin/default-firewall-drop /var/ossec/active-response/bin/disable-account /var/ossec/active-response/bin/firewall-drop /var/ossec/active-response/bin/firewalld-drop /var/ossec/active-response/bin/host-deny /var/ossec/active-response/bin/ip-customblock /var/ossec/active-response/bin/ipfw /var/ossec/active-response/bin/kaspersky /var/ossec/active-response/bin/kaspersky.py /var/ossec/active-response/bin/npf /var/ossec/active-response/bin/pf /var/ossec/active-response/bin/restart-wazuh /var/ossec/active-response/bin/restart.sh /var/ossec/active-response/bin/route-null /var/ossec/active-response/bin/wazuh-slack /var/ossec/agentless/main.exp /var/ossec/agentless/register_host.sh /var/ossec/agentless/ssh.exp /var/ossec/agentless/ssh_asa-fwsmconfig_diff /var/ossec/agentless/ssh_foundry_diff /var/ossec/agentless/ssh_generic_diff /var/ossec/agentless/ssh_integrity_check_bsd /var/ossec/agentless/ssh_integrity_check_linux /var/ossec/agentless/ssh_nopass.exp /var/ossec/agentless/ssh_pixconfig_diff /var/ossec/agentless/sshlogin.exp /var/ossec/agentless/su.exp /var/ossec/bin/agent-auth /var/ossec/bin/manage_agents /var/ossec/bin/wazuh-agentd /var/ossec/bin/wazuh-control /var/ossec/bin/wazuh-execd /var/ossec/bin/wazuh-logcollector /var/ossec/bin/wazuh-modulesd /var/ossec/bin/wazuh-syscheckd /var/ossec/etc/TIMEZONE /var/ossec/etc/client.keys /var/ossec/etc/internal_options.conf /var/ossec/etc/local_internal_options.conf /var/ossec/etc/ossec.conf /var/ossec/etc/shared/cis_apache2224_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_sles11_linux_rcl.txt 
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/system_audit_ssh.txt /var/ossec/etc/shared/win_applications_rcl.txt /var/ossec/etc/shared/win_audit_rcl.txt /var/ossec/etc/shared/win_malware_rcl.txt /var/ossec/etc/wpk_root.pem /var/ossec/lib/libdbsync.so /var/ossec/lib/libgcc_s.so.1 /var/ossec/lib/librsync.so /var/ossec/lib/libstdc++.so.6 /var/ossec/lib/libsyscollector.so /var/ossec/lib/libsysinfo.so /var/ossec/lib/libwazuhext.so /var/ossec/lib/libwazuhshared.so /var/ossec/logs/active-responses.log /var/ossec/logs/ossec.json /var/ossec/logs/ossec.log /var/ossec/queue/syscollector/norm_config.json /var/ossec/ruleset/sca/sca_unix_audit.yml /var/ossec/wodles/__init__.py /var/ossec/wodles/aws/aws-s3 /var/ossec/wodles/azure/azure-logs /var/ossec/wodles/azure/orm.py /var/ossec/wodles/docker/DockerListener /var/ossec/wodles/gcloud/buckets/access_logs.py /var/ossec/wodles/gcloud/buckets/bucket.py /var/ossec/wodles/gcloud/exceptions.py /var/ossec/wodles/gcloud/gcloud /var/ossec/wodles/gcloud/integration.py /var/ossec/wodles/gcloud/pubsub/subscriber.py /var/ossec/wodles/gcloud/tools.py /var/ossec/wodles/utils.py [ verifying class ] ## Executing postinstall script. Installation of was successful. # mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf # # chown root:wazuh /var/ossec/etc/ossec.conf # mv ~/client.keys.bk /var/ossec/etc/client.keys # chown root:wazuh /var/ossec/etc/client.keys # /var/ossec/bin/wazuh-control start Starting Wazuh v4.4.0... Started wazuh-execd... Started wazuh-agentd... Started wazuh-syscheckd... Started wazuh-logcollector... Started wazuh-modulesd... Completed. 
# ps -ef | grep wazuh root 1504 1 29 19:19:30 ? 0:37 /var/ossec/bin/wazuh-syscheckd root 1485 1 0 19:19:28 ? 0:00 /var/ossec/bin/wazuh-execd root 1647 29304 0 19:19:52 pts/1 0:00 grep wazuh root 1524 1 0 19:19:32 ? 0:00 /var/ossec/bin/wazuh-modulesd root 1516 1 0 19:19:31 ? 0:00 /var/ossec/bin/wazuh-logcollector wazuh 1492 1 0 19:19:28 ? 0:00 /var/ossec/bin/wazuh-agentd ``` ``` [root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 001 Wazuh agent_control. Agent information: Agent ID: 001 Agent Name: sossp176 IP address: any Status: Active Operating system: SunOS |sossp176 |5.10 |Generic_147147-26 |sun4v Client version: Wazuh v4.4.0 Configuration hash: ab73af41699f13fdd81903b5f23d8d00 Shared file hash: 4a8724b20dee0124ff9656783c490c4e Last keep alive: 1679336469 Syscheck last started at: Tue Mar 21 00:19:29 2023 Syscheck last ended at: Tue Mar 21 00:20:05 2023 ```
c-bordon commented 1 year ago

Analysis report - PPC64LE :green_circle:

⚠️ Need procps installed in docker environments

Deployment + Install

CentOS 7

```
[root@42ef8692cdbd /]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@42ef8692cdbd /]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.4.0-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6391k  100 6391k    0     0  1713k      0  0:00:03  0:00:03 --:--:-- 1714k
[root@42ef8692cdbd /]# WAZUH_MANAGER="44.192.45.229" yum localinstall wazuh-agent-4.4.0-1.ppc64le.rpm -y
Loaded plugins: fastestmirror, ovl
Examining wazuh-agent-4.4.0-1.ppc64le.rpm: wazuh-agent-4.4.0-1.ppc64le
Marking wazuh-agent-4.4.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.4.0-1 will be installed
--> Processing Dependency: /sbin/service for package: wazuh-agent-4.4.0-1.ppc64le
Loading mirror speeds from cached hostfile
 * base: mirrors.ocf.berkeley.edu
 * extras: mirrors.ocf.berkeley.edu
 * updates: mirrors.xtom.com
--> Processing Dependency: /sbin/service for package: wazuh-agent-4.4.0-1.ppc64le
--> Running transaction check
---> Package initscripts.ppc64le 0:9.49.53-1.el7_9.1 will be installed
--> Processing Dependency: sysvinit-tools >= 2.87-5 for package: initscripts-9.49.53-1.el7_9.1.ppc64le
--> Processing Dependency: iproute for package: initscripts-9.49.53-1.el7_9.1.ppc64le
--> Running transaction check
---> Package iproute.ppc64le 0:4.11.0-30.el7 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: iproute-4.11.0-30.el7.ppc64le
--> Processing Dependency: libxtables.so.10()(64bit) for package: iproute-4.11.0-30.el7.ppc64le
--> Processing Dependency: libmnl.so.0()(64bit) for package: iproute-4.11.0-30.el7.ppc64le
---> Package sysvinit-tools.ppc64le 0:2.88-14.dsf.el7 will be installed
--> Running transaction check
---> Package iptables.ppc64le 0:1.4.21-35.el7 will be installed
--> Processing Dependency: libnfnetlink.so.0()(64bit) for package: iptables-1.4.21-35.el7.ppc64le
--> Processing Dependency: libnetfilter_conntrack.so.3()(64bit) for package: iptables-1.4.21-35.el7.ppc64le
---> Package libmnl.ppc64le 0:1.0.3-7.el7 will be installed
--> Running transaction check
---> Package libnetfilter_conntrack.ppc64le 0:1.0.6-1.el7_3 will be installed
---> Package libnfnetlink.ppc64le 0:1.0.1-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package                 Arch     Version             Repository                     Size
==========================================================================================
Installing:
 wazuh-agent             ppc64le  4.4.0-1             /wazuh-agent-4.4.0-1.ppc64le   30 M
Installing for dependencies:
 initscripts             ppc64le  9.49.53-1.el7_9.1   updates                       441 k
 iproute                 ppc64le  4.11.0-30.el7       base                          777 k
 iptables                ppc64le  1.4.21-35.el7       base                          448 k
 libmnl                  ppc64le  1.0.3-7.el7         base                           24 k
 libnetfilter_conntrack  ppc64le  1.0.6-1.el7_3       base                           57 k
 libnfnetlink            ppc64le  1.0.1-4.el7         base                           26 k
 sysvinit-tools          ppc64le  2.88-14.dsf.el7     base                           62 k

Transaction Summary
==========================================================================================
Install  1 Package (+7 Dependent packages)

Total size: 31 M
Total download size: 1.8 M
Installed size: 42 M
Downloading packages:
(1/7): iproute-4.11.0-30.el7.ppc64le.rpm                        | 777 kB  00:00:00
(2/7): initscripts-9.49.53-1.el7_9.1.ppc64le.rpm                | 441 kB  00:00:00
(3/7): iptables-1.4.21-35.el7.ppc64le.rpm                       | 448 kB  00:00:00
(4/7): libmnl-1.0.3-7.el7.ppc64le.rpm                           |  24 kB  00:00:00
(5/7): libnfnetlink-1.0.1-4.el7.ppc64le.rpm                     |  26 kB  00:00:00
(6/7): libnetfilter_conntrack-1.0.6-1.el7_3.ppc64le.rpm         |  57 kB  00:00:00
(7/7): sysvinit-tools-2.88-14.dsf.el7.ppc64le.rpm               |  62 kB  00:00:00
------------------------------------------------------------------------------------------
Total                                                  3.8 MB/s | 1.8 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libnfnetlink-1.0.1-4.el7.ppc64le                                     1/8
  Installing : libmnl-1.0.3-7.el7.ppc64le                                           2/8
  Installing : libnetfilter_conntrack-1.0.6-1.el7_3.ppc64le                         3/8
  Installing : iptables-1.4.21-35.el7.ppc64le                                       4/8
  Installing : iproute-4.11.0-30.el7.ppc64le                                        5/8
  Installing : sysvinit-tools-2.88-14.dsf.el7.ppc64le                               6/8
  Installing : initscripts-9.49.53-1.el7_9.1.ppc64le                                7/8
  Installing : wazuh-agent-4.4.0-1.ppc64le                                          8/8
  Verifying  : initscripts-9.49.53-1.el7_9.1.ppc64le                                1/8
  Verifying  : libmnl-1.0.3-7.el7.ppc64le                                           2/8
  Verifying  : sysvinit-tools-2.88-14.dsf.el7.ppc64le                               3/8
  Verifying  : libnfnetlink-1.0.1-4.el7.ppc64le                                     4/8
  Verifying  : iproute-4.11.0-30.el7.ppc64le                                        5/8
  Verifying  : wazuh-agent-4.4.0-1.ppc64le                                          6/8
  Verifying  : iptables-1.4.21-35.el7.ppc64le                                       7/8
  Verifying  : libnetfilter_conntrack-1.0.6-1.el7_3.ppc64le                         8/8

Installed:
  wazuh-agent.ppc64le 0:4.4.0-1

Dependency Installed:
  initscripts.ppc64le 0:9.49.53-1.el7_9.1
  iproute.ppc64le 0:4.11.0-30.el7
  iptables.ppc64le 0:1.4.21-35.el7
  libmnl.ppc64le 0:1.0.3-7.el7
  libnetfilter_conntrack.ppc64le 0:1.0.6-1.el7_3
  libnfnetlink.ppc64le 0:1.0.1-4.el7
  sysvinit-tools.ppc64le 0:2.88-14.dsf.el7

Complete!
[root@42ef8692cdbd /]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@42ef8692cdbd /]# ps -ef | grep wazuh
root      1056     1  0 18:46 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     1068     1  0 18:46 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      1082     1  0 18:46 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      1094     1  0 18:46 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      1112     1  4 18:46 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      1417     1  0 18:46 ?        00:00:00 grep --color=auto wazuh
[root@42ef8692cdbd /]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
[root@42ef8692cdbd /]# grep "tcp" /var/ossec/logs/ossec.log
2023/03/20 18:46:52 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/tcp).
2023/03/20 18:46:53 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/tcp).
[root@42ef8692cdbd /]# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
[root@42ef8692cdbd /]# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf
[root@42ef8692cdbd /]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@42ef8692cdbd /]# grep "udp" /var/ossec/logs/ossec.log
2023/03/20 18:47:46 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/udp).
2023/03/20 18:47:46 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/udp).
[root@42ef8692cdbd /]# vim /var/ossec/etc/ossec.conf
[root@42ef8692cdbd /]# touch /etc/mycentosrc1file
[root@42ef8692cdbd /]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@42ef8692cdbd /]# echo "test_ppc_centos" > /etc/mycentosrc1file
[root@42ef8692cdbd /]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
[root@42ef8692cdbd /]# cat /etc/passwd | grep wazuh
wazuh:x:999:998::/var/ossec:/sbin/nologin
[root@42ef8692cdbd /]# cat /etc/group | grep wazuh
wazuh:x:998:wazuh
```

---

```
[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: 42ef8692cdbd
   IP address: any
   Status:     Active

   Operating system:    Linux |42ef8692cdbd |3.10.0-957.21.3.el7.ppc64le |#1 SMP Tue Jun 18 16:48:04 UTC 2019 |ppc64le
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679338238

   Syscheck last started at:  Mon Mar 20 18:49:20 2023
   Syscheck last ended at:    Mon Mar 20 18:49:23 2023
```
Debian Stretch

```
root@17f9e740df7a:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@17f9e740df7a:/# WAZUH_MANAGER="44.192.45.229" apt install ./wazuh-agent_4.4.0-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.0-1_ppc64el.deb'
The following additional packages will be installed:
  bzip2 dh-python distro-info-data file libexpat1 libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Suggested packages:
  bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils
  binfmt-support readline-doc
The following NEW packages will be installed:
  bzip2 dh-python distro-info-data file libexpat1 libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common wazuh-agent xz-utils
0 upgraded, 22 newly installed, 0 to remove and 3 not upgraded.
Need to get 6514 kB/11.8 MB of archives.
After this operation, 70.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 /wazuh-agent_4.4.0-1_ppc64el.deb wazuh-agent ppc64el 4.4.0-1 [5268 kB]
Get:2 http://deb.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://deb.debian.org/debian stretch/main ppc64el libexpat1 ppc64el 2.2.0-2+deb9u3 [76.8 kB]
Get:4 http://deb.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:5 http://deb.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:6 http://deb.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:7 http://deb.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:8 http://deb.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB]
Get:9 http://deb.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB]
Get:10 http://deb.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB]
Get:11 http://deb.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:12 http://deb.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:13 http://deb.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:14 http://deb.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]
Get:15 http://deb.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]
Get:16 http://deb.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]
Get:17 http://deb.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]
Get:18 http://deb.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]
Get:19 http://deb.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]
Get:20 http://deb.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]
Get:21 http://deb.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]
Get:22 http://deb.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]
Fetched 6514 kB in 8s (812 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 7205 files and directories currently installed.)
Preparing to unpack .../00-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package libexpat1:ppc64el.
Preparing to unpack .../01-libexpat1_2.2.0-2+deb9u3_ppc64el.deb ...
Unpacking libexpat1:ppc64el (2.2.0-2+deb9u3) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../02-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../03-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../04-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../05-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../06-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:ppc64el.
Preparing to unpack .../07-libreadline7_7.0-3_ppc64el.deb ...
Unpacking libreadline7:ppc64el (7.0-3) ...
Selecting previously unselected package libsqlite3-0:ppc64el.
Preparing to unpack .../08-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ...
Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../09-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../10-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../11-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../12-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up libexpat1:ppc64el (2.2.0-2+deb9u3) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 8189 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.4.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.4.0-1) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up libreadline7:ppc64el (7.0-3) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.4.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@17f9e740df7a:/# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@17f9e740df7a:/# ps -ef | grep wazuh
root      5024     1  0 18:03 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     5035     1  0 18:03 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      5049     1  7 18:03 ?        00:00:01 /var/ossec/bin/wazuh-syscheckd
root      5060     1  0 18:03 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      5077     1  1 18:03 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      5456     1  0 18:04 pts/0    00:00:00 grep wazuh
root@17f9e740df7a:/# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="agent"
root@17f9e740df7a:/# grep "tcp" /var/ossec/logs/ossec.log
2023/03/20 18:03:50 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/tcp).
2023/03/20 18:03:50 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/tcp).
2023/03/20 18:03:56 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/tcp).
2023/03/20 18:03:56 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/tcp).
root@17f9e740df7a:/# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
root@17f9e740df7a:/# sed -i "s/tcp/udp/" /var/ossec/etc/ossec.conf
root@17f9e740df7a:/# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@17f9e740df7a:/# grep "udp" /var/ossec/logs/ossec.log
2023/03/20 18:06:16 wazuh-agentd: INFO: Trying to connect to server ([44.192.45.229]:1514/udp).
2023/03/20 18:06:16 wazuh-agentd: INFO: (4102): Connected to the server ([44.192.45.229]:1514/udp).
root@17f9e740df7a:/# vim /var/ossec/etc/ossec.conf
root@17f9e740df7a:/# grep mydebianrc1file /var/ossec/etc/ossec.conf
    /etc/mydebianrc1file
root@17f9e740df7a:/# touch /etc/mydebianrc1file
root@17f9e740df7a:/# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Process wazuh-modulesd couldn't be terminated. It will be killed.
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@17f9e740df7a:/# echo "test_ppc_debian" > /etc/mydebianrc1file
root@17f9e740df7a:/# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
root@17f9e740df7a:/# cat /etc/passwd | grep wazuh
wazuh:x:101:101::/var/ossec:/bin/false
root@17f9e740df7a:/# cat /etc/group | grep wazuh
wazuh:x:101:
```

```
[root@wazuh-server ~]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: 17f9e740df7a
   IP address: any
   Status:     Active

   Operating system:    Linux |17f9e740df7a |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1679336218

   Syscheck last started at:  Mon Mar 20 18:13:54 2023
   Syscheck last ended at:    Mon Mar 20 18:13:55 2023
```

Alerts

CentOS 7

```
** Alert 1679338198.2678303: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Mar 20 18:49:58 (42ef8692cdbd) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/mycentosrc1file' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '0' to '16'
Old modification time was: '1679338143', now it is '1679338198'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '6736e8166da0df262e927c547d36c8d0'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '311845dcea5a654c90de745db3b943229f8a9915'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : 'ef0d7015c07b4b993df49401ec0b961723a046af3068e411a36f9e02aaff7f9c'
Attributes:
 - Size: 16
 - Permissions: rw-r--r--
 - Date: Mon Mar 20 18:49:58 2023
 - Inode: 536556
 - User: root (0)
 - Group: root (0)
 - MD5: 6736e8166da0df262e927c547d36c8d0
 - SHA1: 311845dcea5a654c90de745db3b943229f8a9915
 - SHA256: ef0d7015c07b4b993df49401ec0b961723a046af3068e411a36f9e02aaff7f9c
What changed:
0a1
> test_ppc_centos
```
Debian Stretch

```
** Alert 1679336063.1139952: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Mar 20 18:14:23 (17f9e740df7a) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/mydebianrc1file' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '0' to '16'
Old modification time was: '1679335956', now it is '1679336062'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'f139040aeeb0fc2962f46844133d790b'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '77c1fb70a6b9c8152f3063120fec5f2e5cc0eed5'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : '626a1526d7f03fc1cafdfc46233510b106a437ff274ae961fb164124a651fd54'
Attributes:
 - Size: 16
 - Permissions: rw-r--r--
 - Date: Mon Mar 20 18:14:22 2023
 - Inode: 279232
 - User: root (0)
 - Group: root (0)
 - MD5: f139040aeeb0fc2962f46844133d790b
 - SHA1: 77c1fb70a6b9c8152f3063120fec5f2e5cc0eed5
 - SHA256: 626a1526d7f03fc1cafdfc46233510b106a437ff274ae961fb164124a651fd54
What changed:
0a1
> test_ppc_debian
```

Remove

CentOS 7

```
[root@42ef8692cdbd /]# ps -ef | grep wazuh
root      2683     1  0 18:49 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     2695     1  0 18:49 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      2710     1  4 18:49 ?        00:00:07 /var/ossec/bin/wazuh-syscheckd
root      2722     1  0 18:49 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      2741     1  0 18:49 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      3179     1  0 18:52 ?        00:00:00 grep --color=auto wazuh
[root@42ef8692cdbd /]# yum remove wazuh-agent
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.4.0-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version        Repository                      Size
================================================================================
Removing:
 wazuh-agent      ppc64le     4.4.0-1        @/wazuh-agent-4.4.0-1.ppc64le   30 M

Transaction Summary
================================================================================
Remove  1 Package

Installed size: 30 M
Is this ok [y/N]: yu
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : wazuh-agent-4.4.0-1.ppc64le                                  1/1
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
  Verifying  : wazuh-agent-4.4.0-1.ppc64le                                  1/1

Removed:
  wazuh-agent.ppc64le 0:4.4.0-1

Complete!
[root@42ef8692cdbd /]# ps -ef | grep wazuh
root      3350     1  0 18:52 ?        00:00:00 grep --color=auto wazuh
[root@42ef8692cdbd /]# cat /etc/passwd | grep wazuh
[root@42ef8692cdbd /]# cat /etc/group | grep wazuh
[root@42ef8692cdbd /]# ls -l /var/ossec/etc/
total 12
-rw-r-----. 1  999  998   86 Mar 20 18:46 client.keys.rpmsave
-rw-rw----. 1 root  998 5315 Mar 20 18:48 ossec.conf.rpmsave
```
Debian Stretch

```
root@17f9e740df7a:/# ps -ef | grep wazuh
root      7482     1  0 18:13 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     7493     1  0 18:13 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      7507     1  1 18:13 ?        00:00:04 /var/ossec/bin/wazuh-syscheckd
root      7518     1  0 18:13 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      7535     1  0 18:13 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      7966     1  0 18:19 pts/0    00:00:00 grep wazuh
root@17f9e740df7a:/# apt purge wazuh-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libexpat1 libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib libpython3.5-minimal
  libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3 python3-minimal python3.5 python3.5-minimal
  readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 33.8 MB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 10508 files and directories currently installed.)
Removing wazuh-agent (4.4.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
(Reading database ... 10158 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.4.0-1) ...
wazuh:x:101:101::/var/ossec:/bin/false
```

Upgrade

CentOS 7

```
[root@42ef8692cdbd /]# WAZUH_MANAGER="44.192.45.229" yum localinstall wazuh-agent-4.3.10-1.ppc64le.rpm -y
Loaded plugins: fastestmirror, ovl
Examining wazuh-agent-4.3.10-1.ppc64le.rpm: wazuh-agent-4.3.10-1.ppc64le
Marking wazuh-agent-4.3.10-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.3.10-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version        Repository                      Size
================================================================================
Installing:
 wazuh-agent      ppc64le     4.3.10-1       /wazuh-agent-4.3.10-1.ppc64le   28 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 28 M
Installed size: 28 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.3.10-1.ppc64le                                 1/1
  Verifying  : wazuh-agent-4.3.10-1.ppc64le                                 1/1

Installed:
  wazuh-agent.ppc64le 0:4.3.10-1

Complete!
[root@42ef8692cdbd /]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@42ef8692cdbd /]# ps -ef | grep wazuh
root      4156     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     4168     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      4182     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      4193     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      4212     1  4 18:54 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      4571     1  0 18:54 ?        00:00:00 grep --color=auto wazuh
[root@42ef8692cdbd /]# yum localinstall wazuh-agent-4.4.0-1.ppc64le.rpm -y
Loaded plugins: fastestmirror, ovl
Examining wazuh-agent-4.4.0-1.ppc64le.rpm: wazuh-agent-4.4.0-1.ppc64le
Marking wazuh-agent-4.4.0-1.ppc64le.rpm as an update to wazuh-agent-4.3.10-1.ppc64le
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.3.10-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.4.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version        Repository                      Size
================================================================================
Updating:
 wazuh-agent      ppc64le     4.4.0-1        /wazuh-agent-4.4.0-1.ppc64le    30 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 30 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-agent-4.4.0-1.ppc64le                                  1/2
Error unpacking rpm package wazuh-agent-4.4.0-1.ppc64le
error: unpacking of archive failed on file /var/ossec/tmp/sca-4.4.0-1-tmp/rhel/7/cis_rhel7_linux.yml;6418abf7: cpio: chown
  Verifying  : wazuh-agent-4.4.0-1.ppc64le                                  1/2
wazuh-agent-4.3.10-1.ppc64le was supposed to be removed but is not!
  Verifying  : wazuh-agent-4.3.10-1.ppc64le                                 2/2

Failed:
  wazuh-agent.ppc64le 0:4.3.10-1                  wazuh-agent.ppc64le 0:4.4.0-1

Complete!
[root@42ef8692cdbd /]# ps -ef | grep wazuh
root      4710  4706  0 18:54 ?        00:00:00 /bin/sh /var/ossec/bin/wazuh-control restart
root      4840     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     4852     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      4867     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      4879     1  0 18:54 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      4897     1  4 18:54 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root      5026     1  0 18:55 ?        00:00:00 grep --color=auto wazuh
```
Debian Stretch

```
root@17f9e740df7a:/# WAZUH_MANAGER="44.192.45.229" apt install ./wazuh-agent_4.3.10-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.3.10-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/4964 kB of archives.
After this operation, 32.4 MB of additional disk space will be used.
Get:1 /wazuh-agent_4.3.10-1_ppc64el.deb wazuh-agent ppc64el 4.3.10-1 [4964 kB]
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 10143 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.3.10-1_ppc64el.deb ...
Unpacking wazuh-agent (4.3.10-1) ...
Setting up wazuh-agent (4.3.10-1) ...
root@17f9e740df7a:/# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.3.10...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@17f9e740df7a:/# ps -ef | grep wazuh
root      9623  9619  0 18:23 ?        00:00:00 /bin/sh /var/ossec/bin/wazuh-control restart
root      9704     1  0 18:23 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh     9715     1  0 18:23 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root      9729     1  0 18:23 ?        00:00:00 /var/ossec/bin/wazuh-syscheckd
root      9740     1  0 18:23 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root      9750     1  0 18:23 pts/0    00:00:00 grep wazuh
root@17f9e740df7a:/# apt install ./wazuh-agent_4.4.0-1_ppc64el.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.0-1_ppc64el.deb'
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/5268 kB of archives.
After this operation, 1398 kB of additional disk space will be used.
Get:1 /wazuh-agent_4.4.0-1_ppc64el.deb wazuh-agent ppc64el 4.4.0-1 [5268 kB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 10499 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.4.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.4.0-1) over (4.3.10-1) ...
Setting up wazuh-agent (4.4.0-1) ...

Configuration file '/etc/systemd/system/wazuh-agent.service'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** wazuh-agent.service (Y/I/N/O/D/Z) [default=N] ? N
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@17f9e740df7a:/# ps -ef | grep wazuh
root     10752     1  0 18:24 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    10763     1  0 18:24 ?        00:00:00 /var/ossec/bin/wazuh-agentd
root     10777     1 32 18:24 ?        00:00:04 /var/ossec/bin/wazuh-syscheckd
root     10788     1  0 18:24 ?        00:00:00 /var/ossec/bin/wazuh-logcollector
root     10805     1  1 18:24 ?        00:00:00 /var/ossec/bin/wazuh-modulesd
root     11242     1  0 18:24 pts/0    00:00:00 grep wazuh
```
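
The syscheck alerts in the Alerts section above carry redundant evidence: the old and new MD5, SHA1 and SHA256, the size change, and a `What changed` diff (emitted when the monitored path has `report_changes="yes"`). An analyst can check those fields against each other before acting on the alert, and the old hashes of a file created with `touch` must be the well-known empty-input digests. The Python below is an added example for this report, not Wazuh code; it embeds the Debian Stretch alert shown above (re-broken into lines), parses it, reconstructs the new content from the diff and compares sizes and digests. It assumes the diff is in `diff`'s classic normal format (`0a1`, `> line`), which is what the alert shows, and that the file was empty before the change.

```python
"""Self-consistency check for a Wazuh syscheck 'Integrity checksum changed' alert.
Added example, not Wazuh project code."""
import hashlib
import re

# The Debian Stretch alert from the Alerts section above, re-broken into lines.
SAMPLE_ALERT = """\
** Alert 1679336063.1139952: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Mar 20 18:14:23 (17f9e740df7a) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/mydebianrc1file' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '0' to '16'
Old modification time was: '1679335956', now it is '1679336062'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'f139040aeeb0fc2962f46844133d790b'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '77c1fb70a6b9c8152f3063120fec5f2e5cc0eed5'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : '626a1526d7f03fc1cafdfc46233510b106a437ff274ae961fb164124a651fd54'
What changed:
0a1
> test_ppc_debian
"""

_RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
_FILE_RE = re.compile(r"^File '(.+)' (\w+)$", re.M)
_SIZE_RE = re.compile(r"^Size changed from '(\d+)' to '(\d+)'", re.M)
_HASH_RE = re.compile(r"^(Old|New) (md5|sha1|sha256)sum (?:was|is)\s*: '([0-9a-f]+)'", re.M)
# Hunk header of diff's classic "normal" output, e.g. 0a1, 3,4d2, 5c5,6
_HUNK_RE = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")


def parse_alert(text):
    """Extract the structured fields of a plain-text syscheck alert."""
    rule, path, size = (r.search(text) for r in (_RULE_RE, _FILE_RE, _SIZE_RE))
    alert = {
        "rule_id": int(rule.group(1)), "level": int(rule.group(2)),
        "path": path.group(1), "event": path.group(2),
        "old_size": int(size.group(1)), "new_size": int(size.group(2)),
        "old": {}, "new": {},
    }
    for when, algo, digest in _HASH_RE.findall(text):
        alert["old" if when == "Old" else "new"][algo] = digest
    _, sep, diff = text.partition("What changed:\n")
    alert["diff"] = diff if sep else None  # absent when report_changes is off
    return alert


def apply_normal_diff(old_text, diff_text):
    """Apply a normal-format diff (what `diff` prints with no flags) to old_text."""
    lines, hunks = old_text.splitlines(), []
    for raw in diff_text.splitlines():
        m = _HUNK_RE.match(raw)
        if m:
            start = int(m.group(1))
            hunks.append({"start": start, "end": int(m.group(2) or start),
                          "op": m.group(3), "added": []})
        elif hunks and raw.startswith("> "):
            hunks[-1]["added"].append(raw[2:])
        elif hunks and raw == ">":  # an added empty line
            hunks[-1]["added"].append("")
        # "< old line" and "---" separators carry nothing we need
    for h in reversed(hunks):  # bottom-up so earlier offsets stay valid
        if h["op"] == "a":
            lines[h["start"]:h["start"]] = h["added"]
        elif h["op"] == "d":
            del lines[h["start"] - 1:h["end"]]
        else:  # "c": replace the old range with the added lines
            lines[h["start"] - 1:h["end"]] = h["added"]
    return "".join(line + "\n" for line in lines)


def _digests(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def check_alert(text, old_content=b""):
    """Parse the alert and test its fields for mutual consistency.
    old_content is the file before the change; the default (empty) matches the
    `touch` that created the monitored files in the runs above."""
    alert = parse_alert(text)
    old = _digests(old_content)
    alert["reconstructed"] = None
    checks = {"old_size_ok": alert["old_size"] == len(old_content),
              "old_hashes_ok": all(alert["old"].get(a) == d for a, d in old.items())}
    if alert["diff"] is not None:
        new_content = apply_normal_diff(old_content.decode(), alert["diff"]).encode()
        new = _digests(new_content)
        alert["reconstructed"] = new_content
        checks["new_size_ok"] = alert["new_size"] == len(new_content)
        checks["new_hashes_ok"] = all(alert["new"].get(a) == d for a, d in new.items())
    alert["checks"] = checks
    return alert
```

Feed it a live alert read from `/var/ossec/logs/alerts/alerts.log` and look at `checks`: `new_size_ok` true with `new_hashes_ok` false means the diff does not describe the bytes the hashes were taken from (a truncated diff, or a file that changed again between hashing and diffing), which is exactly the case where the diff should not be trusted as the full change.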
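The Remove and Upgrade runs above show two host states worth detecting on a fleet: after `yum remove`, `/var/ossec/etc/client.keys.rpmsave` (a copy of the agent's enrolment key) and `ossec.conf.rpmsave` stay on disk owned by the now-deleted UID/GID, and after the failed CentOS 7 upgrade yum reports both 4.3.10-1 and 4.4.0-1 as installed while the running agent is 4.4.0. The Python below is an added example for this report, not Wazuh code. `find_residue()` inspects a root prefix for leftover files under `var/ossec` and for `wazuh` entries in `etc/passwd` and `etc/group`; `check_package_state()` compares the versions `rpm -q wazuh-agent` lists with the `WAZUH_VERSION` printed by `wazuh-control info`. The `rpm -q` sample is an assumption constructed from yum's message above (the page shows no `rpm -q` run), and `build_sample_tree()` creates a throwaway directory tree so the check runs offline.

```python
"""Post-removal and post-upgrade state checks for a Wazuh agent host.
Added example, not Wazuh project code."""
import os
import re
import tempfile

# Assumption: what `rpm -q wazuh-agent` would print on the CentOS 7 host above,
# constructed from yum's "wazuh-agent-4.3.10-1.ppc64le was supposed to be
# removed but is not!" message. The page shows no rpm -q run.
SAMPLE_RPM_Q = "wazuh-agent-4.3.10-1.ppc64le\nwazuh-agent-4.4.0-1.ppc64le\n"
# Copied from the `wazuh-control info` output above.
SAMPLE_CONTROL_INFO = 'WAZUH_VERSION="v4.4.0"\nWAZUH_REVISION="40404"\nWAZUH_TYPE="agent"\n'

_RPM_RE = re.compile(r"^wazuh-agent-(\d+(?:\.\d+)+)-\d+\.\S+$", re.M)
_CTRL_RE = re.compile(r'^WAZUH_VERSION="v?([\d.]+)"', re.M)


def check_package_state(rpm_q_output, control_info):
    """Compare the versions RPM has registered with the version wazuh-control reports."""
    installed = _RPM_RE.findall(rpm_q_output)
    m = _CTRL_RE.search(control_info)
    running = m.group(1) if m else None
    return {
        "installed": installed,
        "running": running,
        "single_version": len(installed) == 1,
        "running_is_installed": running in installed,
        # Healthy host: exactly one package registered and it is the one running.
        "consistent": len(installed) == 1 and running == installed[0],
    }


def _has_wazuh_entry(path):
    """True if a passwd- or group-style file still carries a 'wazuh' entry."""
    try:
        with open(path) as fh:
            return any(line.split(":")[0] == "wazuh" for line in fh)
    except FileNotFoundError:
        return False


def find_residue(root="/"):
    """Report what a removed wazuh-agent left under `root` (use "/" on a live host)."""
    ossec_dir = os.path.join(root, "var", "ossec")
    files = sorted(os.path.join(d, n) for d, _, names in os.walk(ossec_dir) for n in names)
    result = {
        "files": files,
        # client.keys holds the agent's enrolment key; the .rpmsave copy is just as secret.
        "key_material": [f for f in files if os.path.basename(f).startswith("client.keys")],
        "passwd_entry": _has_wazuh_entry(os.path.join(root, "etc", "passwd")),
        "group_entry": _has_wazuh_entry(os.path.join(root, "etc", "group")),
    }
    result["clean"] = not (files or result["passwd_entry"] or result["group_entry"])
    return result


def build_sample_tree(with_residue=True):
    """Create a throwaway root prefix for running the check offline.
    Constructed fixture: the two .rpmsave files from the CentOS 7 listing above
    plus a leftover passwd entry; the key line is a placeholder, not a real key."""
    root = tempfile.mkdtemp(prefix="wazuh-residue-")
    os.makedirs(os.path.join(root, "etc"))
    etc_ossec = os.path.join(root, "var", "ossec", "etc")
    os.makedirs(etc_ossec)
    if with_residue:
        with open(os.path.join(etc_ossec, "client.keys.rpmsave"), "w") as fh:
            fh.write("005 42ef8692cdbd any PLACEHOLDER_KEY\n")
        with open(os.path.join(etc_ossec, "ossec.conf.rpmsave"), "w") as fh:
            fh.write("<ossec_config></ossec_config>\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\nwazuh:x:101:101::/var/ossec:/bin/false\n")
    return root


if __name__ == "__main__":
    print(check_package_state(SAMPLE_RPM_Q, SAMPLE_CONTROL_INFO))
    print(find_residue(build_sample_tree()))
```

On a real host, run `find_residue("/")` after the package manager finishes and treat a non-empty `key_material` as a finding: the saved `client.keys` still authenticates that agent ID to the manager until the key is removed on the manager side. Run `check_package_state()` with the live `rpm -q wazuh-agent` and `wazuh-control info` output after any upgrade; `consistent` being false is the state the CentOS 7 run above ended in.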
rauldpm commented 1 year ago

Analysis report - AMI

AMI - Agent connection and workload

This was tested as part of Special systems, since the AMI was the Wazuh manager.

AMI - WUI

- Loading screen OK
- Login screen OK
- Light/dark mode OK
- Credentials: OK

AMI - Logs

- Wazuh dashboard - journalctl: [dashboard.log](https://github.com/wazuh/wazuh/files/11022923/dashboard.log). Errors reported at: https://github.com/wazuh/wazuh-packages/issues/2106
- Wazuh indexer - journalctl (reported at https://github.com/wazuh/wazuh-jenkins/issues/4862):

```
[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer.service | grep -i -E "error|critical|fatal|warning"
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: 2023-03-20 11:13:20,570 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: 2023-03-20 11:13:20,564 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: WARNING: System::setSecurityManager will be removed in a future release
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Mar 20 11:13:20 wazuh-server systemd-entrypoint[2408]: WARNING: A terminally deprecated method in java.lang.System has been called
Mar 20 11:13:15 wazuh-server systemd-entrypoint[2408]: WARNING: System::setSecurityManager will be removed in a future release
Mar 20 11:13:15 wazuh-server systemd-entrypoint[2408]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Mar 20 11:13:15 wazuh-server systemd-entrypoint[2408]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.4.1.jar)
Mar 20 11:13:15 wazuh-server systemd-entrypoint[2408]: WARNING: A terminally deprecated method in java.lang.System has been called
```
- Wazuh indexer - /var/log/wazuh-indexer
  - `Default endpoint could not be created, auditlog will not work properly` error related to https://github.com/wazuh/wazuh-packages/issues/1968
  - `Exception during establishing a SSL connection` error related to https://github.com/wazuh/wazuh-packages/issues/1489

```
[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:13:20,572Z", "level": "INFO", "component": "o.o.n.Node", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3936m, -Xmx3936m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-2372038918792075688, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2063597568, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:01,343Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:05,614Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:06,530Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:07,419Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:07,429Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:07,432Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:07,434Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:09,900Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:09,903Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:09,906Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:09,908Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:12,401Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:12,404Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:12,406Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:12,410Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:14,785Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:14,904Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:14,906Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:14,909Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:14,911Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:17,404Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:17,406Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:17,408Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T11:14:17,411Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T12:11:29,867Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T15:31:08,317Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T15:31:08,320Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T15:31:44,086Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T15:31:44,092Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T17:41:31,145Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2023-03-20T17:41:33,308Z", "level": "ERROR", "component": "o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Exception during establishing a SSL connection: java.net.SocketException: Connection reset", "cluster.uuid": "qrCY2yLJQP-l0Y8UneoIQw", "node.id": "BllAiBMuQeWfGzXFZJOpIA" ,
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:13:20,572][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms3936m, -Xmx3936m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-2372038918792075688, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=2063597568, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:01,343][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:05,614][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:06,530][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:07,419][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:07,429][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:07,432][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:07,434][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:09,900][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:09,903][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:09,906][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:09,908][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:12,401][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:12,404][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:12,406][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:12,410][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:14,785][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:14,904][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:14,906][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:14,909][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:14,911][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:17,404][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:17,406][ERROR][o.o.s.a.BackendRegistry  ] [node-1]
 Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:17,408][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T11:14:17,411][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T12:11:29,867][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T15:31:08,317][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T15:31:08,320][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T15:31:44,086][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T15:31:44,092][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T17:41:31,145][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset /var/log/wazuh-indexer/wazuh-cluster.log:[2023-03-20T17:41:33,308][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset ```
• Wazuh server - /var/ossec/logs

```
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log | wc -l
3
[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2023/03/20 17:59:22 wazuh-authd: ERROR: SSL Error (-1)
2023/03/20 18:28:08 wazuh-db: ERROR: There was an error assigning the groups to agent '007'
2023/03/20 18:28:08 wazuh-db: WARNING: The groups were empty right after the set for agent '007'
```

SSL error:
- Related to Debian PPC64 agent (.152)
- Related https://github.com/wazuh/wazuh/issues/13936

```
2023/03/20 17:35:13 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2023/03/20 17:59:22 wazuh-authd: INFO: New connection from xx.xx.xx.152
2023/03/20 17:59:22 wazuh-authd: ERROR: SSL Error (-1)
2023/03/20 18:03:18 wazuh-authd: INFO: Agent '004' (sossp166) deleted (requested locally)
```

Group error:
- Reported at https://github.com/wazuh/wazuh/issues/16464

```
2023/03/20 18:28:04 wazuh-authd: INFO: Agent '007' (17f9e740df7a) deleted (requested locally)
2023/03/20 18:28:08 wazuh-db: ERROR: There was an error assigning the groups to agent '007'
2023/03/20 18:28:08 wazuh-db: WARNING: The groups were empty right after the set for agent '007'
2023/03/20 18:28:13 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
```
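The triage done by hand above (count the WARNING-and-above lines per daemon, then tie the wazuh-authd `SSL Error` to the `New connection from` line that precedes it) can be scripted. This is an added example, not part of the test report or of Wazuh itself; the log lines are constructed in the ossec.log format shown above, and `10.0.0.152` is a placeholder standing in for the masked address.

```python
"""Triage ossec.log lines: count WARNING/ERROR/CRITICAL per daemon and
attribute each wazuh-authd SSL error to the preceding connection source.
Added example with constructed sample lines; not Wazuh project code."""
import re
from collections import Counter

# ossec.log line shape: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message"
LINE_RE = re.compile(r"^(\S+ \S+) ([\w-]+): (DEBUG|INFO|WARNING|ERROR|CRITICAL): (.*)$")
NEW_CONN_RE = re.compile(r"New connection from (\S+)")

# Constructed sample mirroring the report's excerpt; the address is a placeholder.
SAMPLE_LOG = """\
2023/03/20 17:35:13 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2023/03/20 17:59:22 wazuh-authd: INFO: New connection from 10.0.0.152
2023/03/20 17:59:22 wazuh-authd: ERROR: SSL Error (-1)
2023/03/20 18:03:18 wazuh-authd: INFO: Agent '004' (sossp166) deleted (requested locally)
2023/03/20 18:28:04 wazuh-authd: INFO: Agent '007' (17f9e740df7a) deleted (requested locally)
2023/03/20 18:28:08 wazuh-db: ERROR: There was an error assigning the groups to agent '007'
2023/03/20 18:28:08 wazuh-db: WARNING: The groups were empty right after the set for agent '007'
"""


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            ts, daemon, level, msg = m.groups()
            yield {"ts": ts, "daemon": daemon, "level": level, "msg": msg}


def triage(text):
    """Return (counts, ssl_attributions).

    counts: Counter keyed by (daemon, level) for WARNING and above, i.e. the
            same population the report's grep | wc -l counts.
    ssl_attributions: list of (timestamp, source) for each authd SSL error,
            where source is the most recent 'New connection from' the same
            daemon logged, or None if no connection line preceded it."""
    counts = Counter()
    attributions = []
    last_conn = None
    for e in parse(text.splitlines()):
        if e["level"] in ("WARNING", "ERROR", "CRITICAL"):
            counts[(e["daemon"], e["level"])] += 1
        if e["daemon"] != "wazuh-authd":
            continue
        nc = NEW_CONN_RE.search(e["msg"])
        if nc:
            last_conn = nc.group(1)
        elif e["level"] == "ERROR" and "SSL Error" in e["msg"]:
            attributions.append((e["ts"], last_conn))
            last_conn = None  # pairing consumed; a later error needs its own connection line
    return counts, attributions
```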

AMI - Filebeat test

```
[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```
AMI - Wazuh Indexer Cluster

```
[root@wazuh-server wazuh-user]# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "qrCY2yLJQP-l0Y8UneoIQw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "f2f809ea280ffba217451da894a5899f1cec02ab",
    "build_date" : "2022-12-12T22:17:42.341124910Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@wazuh-server wazuh-user]# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1            8          82   0    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
[root@wazuh-server wazuh-user]# curl -k -u admin:INSTANCE_ID https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 11,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
```
AMI - Users

```
grep -R "wazuh" /etc/passwd
```
AMI - Versions

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40404"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.4.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.4.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.4.1",
  "branch": "2.4",
  "build": {
    "number": 44004,
    "sha": "ea36827cdedf1e726e7cb8315ffc49f73f9b4eb7",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": "14.20.0"
  }
}
```
AMI - Processes

```
[root@wazuh-server wazuh-user]# ps -ef | grep wazuh
root      2150     1  0 11:12 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2190     1  0 11:12 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2408     1  0 11:12 ?        00:03:20 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3936m -Xmx3936m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-2372038918792075688 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2063597568 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+  4621     1  0 11:14 ?        00:01:03 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml
root      5555  2480  0 12:06 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  5588  5555  0 12:06 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  5589  5588  0 12:06 pts/0    00:00:00 -bash
wazuh    10736     1  0 12:18 ?        00:00:14 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     10776     1  0 12:18 ?        00:00:51 /var/ossec/bin/wazuh-authd
wazuh    10790     1  0 12:18 ?        00:00:23 /var/ossec/bin/wazuh-db
root     10815     1  0 12:18 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    10827     1  0 12:18 ?        00:00:11 /var/ossec/bin/wazuh-analysisd
root     10837     1  0 12:18 ?        00:00:07 /var/ossec/bin/wazuh-syscheckd
wazuh    10842 10736  0 12:18 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    10845 10736  0 12:18 ?        00:00:13 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    10909     1  0 12:18 ?        00:00:26 /var/ossec/bin/wazuh-remoted
root     10958     1  0 12:18 ?        00:00:02 /var/ossec/bin/wazuh-logcollector
wazuh    11014     1  0 12:18 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     11024     1  0 12:18 ?        00:00:02 /var/ossec/bin/wazuh-modulesd
root     14756  2480  0 18:42 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+ 14773 14756  0 18:42 ?        00:00:00 sshd: wazuh-user@pts/2
wazuh-u+ 14774 14773  0 18:42 pts/2    00:00:00 -bash
root     15039 14797  0 19:04 pts/2    00:00:00 grep --color=auto wazuh
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
```