Closed jotacarma90 closed 1 year ago
```
2023/10/23 12:57:29 wazuh-agentd: INFO: Version detected -> Darwin |ip-172-31-47-123.ec2.internal |22.6.0 |Darwin Kernel Version 22.6.0: Wed Jul 5 22:21:56 PDT 2023; root:xnu-8796.141.3~6/RELEASE_X86_64 |x86_64 [macOS|darwin: 13.5.2 (Ventura)] - Wazuh v4.5.3
2023/10/23 12:57:29 wazuh-agentd: INFO: Started (pid: 2058).
2023/10/23 12:57:29 wazuh-agentd: INFO: Using AES as encryption method.
2023/10/23 12:57:29 wazuh-agentd: INFO: Trying to connect to server ([172.31.68.165]:1514/tcp).
2023/10/23 12:57:29 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.68.165]:1514/tcp).
```
```
2023/10/23 12:57:02 wazuh-authd: INFO: New connection from 172.31.47.123
2023/10/23 12:57:02 wazuh-authd: INFO: Received request for a new agent (ip-172-31-47-123.ec2.internal) from: 172.31.47.123
2023/10/23 12:57:02 wazuh-authd: INFO: Agent key generated for 'ip-172-31-47-123.ec2.internal' (requested by any)
```
### :green_circle: FIM: Schedule
Configuration:
```xml
<directories>/tmp/testschedule</directories>
```
<details><summary>Scheduled alerts</summary>
![image](https://github.com/wazuh/wazuh/assets/60003131/900b7b90-2203-4a1c-ba72-55724dabec56)
![image](https://github.com/wazuh/wazuh/assets/60003131/b27e56d7-ca39-46e6-912f-cca51fb9c8d4)
![image](https://github.com/wazuh/wazuh/assets/60003131/2117514d-1ca0-4a9a-baf1-fe5e64ae3a14)
</details>
### :green_circle: Syscollector
Configuration by default:
- Agent:
  ```
  2023/10/24 10:03:16 wazuh-modulesd:syscollector: INFO: Starting evaluation.
  2023/10/24 10:03:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
  ```
- Manager:
  ```
  2023/10/24 10:09:57 wazuh-modulesd:syscollector: INFO: Module started.
  2023/10/24 10:09:57 wazuh-modulesd:syscollector: INFO: Starting evaluation.
  2023/10/24 10:09:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.
  ```
![image](https://github.com/wazuh/wazuh/assets/60003131/04b2f331-eeb8-48bc-9e96-32919fc2b388)
### :green_circle: Active response
Manager configuration:
Afterwards, any level 10 or higher alert generated will restart the indicated agent.
```
2023/10/24 10:23:10 active-response/bin/restart-wazuh: Starting
2023/10/24 10:23:10 active-response/bin/restart-wazuh: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-24T10:23:10.634+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"ip-172-31-47-123.ec2.internal","ip":"172.31.47.123"},"manager":{"name":"wazuh-server"},"id":"1698142990.31720","full_log":"Trojaned version of file '/usr/sbin/apachectl' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/sbin/apachectl"},"location":"rootcheck"},"program":"active-response/bin/restart-wazuh"}}
2023/10/24 10:23:13 active-response/bin/restart-wazuh: Ended
```
### :green_circle: Log capture (Eventchannel for Windows and ULS for macOS)
Configuration
![image](https://github.com/wazuh/wazuh/assets/60003131/5eb0324f-1217-4c80-971f-529da3219085)
### :green_circle: Upgrade using WPK
```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_upgrade -a 002 -f /home/wazuh-user/wazuh_agent_v4.5.3_macos_x86_64.wpk -d
Upgrading...
Upgraded agents: Agent 002 upgraded: Wazuh v4.5.3 -> Wazuh v4.5.3
```
### :green_circle: Vulnerabilities detector
![image](https://github.com/wazuh/wazuh/assets/60003131/dc89a42c-b9d1-4f83-8318-be75648aec40)
### :yellow_circle: ~SCA~: Does not apply
Issue related to rework SCA policies in macOS Ventura:
https://github.com/wazuh/wazuh/issues/17319
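The manager configuration behind the "Active response" check is not reproduced above. The following `ossec.conf` fragment is an added example, not the tester's own configuration, of how the described behaviour (any alert of level 10 or higher restarts one chosen agent) is wired up in a Wazuh manager: the agent id `002` is taken from the upgrade step on this page, while the `defined-agent` location and the surrounding `<ossec_config>` wrapper are assumptions.

```xml
<ossec_config>
  <!-- Command definition: maps a name to the script under active-response/bin.
       restart-wazuh is the script seen in the execd log above. -->
  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Trigger: run the command when an alert reaches level 10 or higher.
       location=defined-agent + agent_id restricts the response to one agent
       (agent 002 on this page) instead of the agent that raised the alert. -->
  <active-response>
    <disabled>no</disabled>
    <command>restart-wazuh</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <level>10</level>
  </active-response>
</ossec_config>
```

Restart the manager after editing so wazuh-execd picks up the new command binding; the execd JSON in the log above is what the agent-side script receives when the trigger fires.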
LGTM!
LGTM!
Description
Hello team, this issue is to check the full compatibility of Wazuh on the newly found version of macOS Ventura 13.5 amd64 operating system.
OSs checks issue: https://github.com/wazuh/wazuh/issues/17387
Instance request issue: https://github.com/wazuh/internal-devel-requests/issues/49
For this, it is necessary to perform the following tests to check that everything works as expected: