jotacarma90
commented
1 year ago Testing
:green_circle: Agent and server, (enrollment and connectivity with the manager)
- Agent:
2023/10/20 10:59:42 wazuh-agentd: INFO: Version detected -> Darwin |ip-172-31-37-195.ec2.internal |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:52 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T8103 |arm64 [macOS|darwin: 13.5.2 (Ventura)] - Wazuh v4.5.3 2023/10/20 10:59:42 wazuh-agentd: INFO: Started (pid: 38437). 2023/10/20 10:59:42 wazuh-agentd: INFO: Using AES as encryption method. 2023/10/20 10:59:42 wazuh-agentd: INFO: Trying to connect to server ([172.31.68.165]:1514/tcp). 2023/10/20 10:59:42 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.68.165]:1514/tcp). - Manager:
2023/10/20 09:34:40 wazuh-authd: INFO: New connection from 198.74.56.46 2023/10/20 09:34:41 wazuh-authd: INFO: Client timeout from 198.74.56.46
### :green_circle: FIM: Schedule
Configuration:<directories>/tmp/testschedule</directories>
<details><summary>Scheduled alerts</summary>
</details>
### :green_circle: Syscollector
Configuration by default:
- Agent:2023/10/20 10:59:45 wazuh-modulesd:syscollector: INFO: Module started. 2023/10/20 10:59:45 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2023/10/20 10:59:45 wazuh-modulesd:syscollector: INFO: Evaluation finished.
- Manager2023/10/20 11:18:01 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2023/10/20 11:18:08 wazuh-modulesd:syscollector: INFO: Evaluation finished.
### :green_circle: Active response
Manager configuration:
Afterwards, any level 10 or higher alert generated will restart the indicated agent.2023/10/20 11:47:12 active-response/bin/restart-wazuh: Starting 2023/10/20 11:47:12 active-response/bin/restart-wazuh: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-20T11:47:12.179+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":22,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"ip-172-31-37-195.ec2.internal","ip":"FE80:0000:0000:0000:E048:A7FF:FEEB:30F9"},"manager":{"name":"wazuh-server"},"id":"1697802432.396871","full_log":"Trojaned version of file '/usr/sbin/apachectl' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/sbin/apachectl"},"location":"rootcheck"},"program":"active-response/bin/restart-wazuh"}}
2023/10/20 11:47:14 active-response/bin/restart-wazuh: Ended
### :green_circle: Log capture (Eventchannel for Windows and ULS for macOS)
Configuration
### :yellow_circle: ~Upgrade using WPK~: Does not apply
We are not able to generate wpk packages for arm642023/10/20 12:07:43 - Upgrade started.
installer: This package requires Rosetta 2 to be installed.
Please install Rosetta 2 and then try again.
sudo softwareupdate --install-rosetta
installer: Error - Wazuh Agent can’t be installed on this computer. 2023/10/20 12:07:43 - Installation result = 1 2023/10/20 12:07:44 - Waiting connection... Status = connected. Remaining attempts: 29. 2023/10/20 12:07:44 - Upgrade failed. Restoring...
### :green_circle: Vulnerabilities detector
### :yellow_circle: ~SCA~: Does not apply
Issue related to rework SCA policies in macOS Ventura:
https://github.com/wazuh/wazuh/issues/17319
mjcr99
ncvicchi
Description
Hello team, this issue is to check the full compatibility of Wazuh on the new found version of macOS Ventura 13.5 arm64 operating system.
OSs checks issue: https://github.com/wazuh/wazuh/issues/17387 Instance request issue: https://github.com/wazuh/internal-devel-requests/issues/49
For this, it is necessary to perform the following tests to check that everything works as expected: