search

wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/
Other
10.28k stars 1.57k forks source link

Check Wazuh Agent compatibility with new version Red Hat Enterprise Linux 9.3 #20387

Closed jotacarma90 closed 9 months ago

jotacarma90 commented 9 months ago

Description

Hello team, this issue is to check the full compatibility of Wazuh on the newfound version of Red Hat Enterprise Linux 9.3 operating system.

OSs checks issue: https://github.com/wazuh/wazuh/issues/20373

For this, it is necessary to perform the following tests to check that everything works as expected:

ncvicchi commented 9 months ago

Testing

:green_circle: Agent and server, (enrollment and connectivity with the manager)

Agent installed at the RHEL 9.3 machine by following this guide. The manager was implemented by running an the OVA 4.6.0 release.

Agent log ```console [root@rhel93 wazuh]# cat /var/ossec/logs/ossec.log 2023/11/26 20:52:21 wazuh-execd: INFO: Started (pid: 9514). 2023/11/26 20:52:22 wazuh-agentd: INFO: (1410): Reading authentication keys file. 2023/11/26 20:52:22 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60 2023/11/26 20:52:22 wazuh-agentd: INFO: Version detected -> Linux |rhel93 |5.14.0-362.8.1.el9_3.x86_64 |#1 SMP PREEMPT_DYNAMIC Tue Oct 3 11:12:36 EDT 2023 |x86_64 [Red Hat Enterprise Linux|rhel: 9.3 (Plow)] - Wazuh v4.6.0 2023/11/26 20:52:22 wazuh-agentd: INFO: Started (pid: 9526). 2023/11/26 20:52:22 wazuh-agentd: INFO: Requesting a key from server: 192.168.0.153 2023/11/26 20:52:22 wazuh-agentd: INFO: No authentication password provided 2023/11/26 20:52:22 wazuh-agentd: INFO: Using agent name as: rhel93 2023/11/26 20:52:22 wazuh-agentd: INFO: Waiting for server reply 2023/11/26 20:52:22 wazuh-agentd: INFO: Valid key received 2023/11/26 20:52:22 wazuh-agentd: INFO: Waiting 20 seconds before server connection 2023/11/26 20:52:23 wazuh-syscheckd: INFO: Started (pid: 9540). ... 2023/11/26 20:52:42 wazuh-agentd: INFO: (1410): Reading authentication keys file. 2023/11/26 20:52:42 wazuh-agentd: INFO: Using AES as encryption method. 2023/11/26 20:52:42 wazuh-agentd: INFO: Trying to connect to server ([192.168.0.153]:1514/tcp). 2023/11/26 20:52:42 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.0.153]:1514/tcp). 2023/11/26 20:52:42 wazuh-agentd: INFO: Agent is restarting due to shared configuration changes. ```
wazuh-control status before reboot ```console [root@rhel93 wazuh]# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... [root@rhel93 wazuh]# ```
wazuh-control status after reboot ```console [root@rhel93 wazuh]# /var/ossec/bin/wazuh-control status wazuh-modulesd is running... wazuh-logcollector is running... wazuh-syscheckd is running... wazuh-agentd is running... wazuh-execd is running... ```
Manager log ``` 2023/11/26 23:52:22 wazuh-authd: INFO: New connection from 192.168.0.16 2023/11/26 23:52:22 wazuh-authd: INFO: Received request for a new agent (rhel93) from: 192.168.0.16 2023/11/26 23:52:22 wazuh-authd: INFO: Agent key generated for 'rhel93' (requested by any) 2023/11/26 23:52:25 wazuh-remoted: INFO: (1409): Authentication file changed. Updating. 2023/11/26 23:52:25 wazuh-remoted: INFO: (1410): Reading authentication keys file. ```

:green_circle: FIM scheduled

Using default configuration (just changed frequency to 60 seconds):

Results ```console ** Alert 1701045664.19527: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:41:04 (rhel93) any->syscheck Rule: 554 (level 5) -> 'File added to the system.' File '/etc/testchesdule' added Mode: scheduled Attributes: - Size: 0 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:40:34 2023 - Inode: 34724752 - User: root (0) - Group: root (0) - MD5: d41d8cd98f00b204e9800998ecf8427e - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ** Alert 1701045728.20208: - ossec,syscheck,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:42:08 (rhel93) any->syscheck Rule: 553 (level 7) -> 'File deleted.' File '/etc/testchesdule' deleted Mode: scheduled Attributes: - Size: 0 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:40:34 2023 - Inode: 34724752 - User: root (0) - Group: root (0) - MD5: d41d8cd98f00b204e9800998ecf8427e - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ```

:green_circle: FIM: Real-time

Configuration:

    <directories realtime="yes">/testrealtime</directories>
Results ``` [root@rhel93 wazuh]# touch /testrealtime/file1 [root@rhel93 wazuh]# nano /testrealtime/file1 [root@rhel93 wazuh]# rm /testrealtime/file1 rm: ¿borrar el fichero regular '/testrealtime/file1'? (s/n) s ``` ``` ** Alert 1701045860.21525: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:44:20 (rhel93) any->syscheck Rule: 554 (level 5) -> 'File added to the system.' File '/testrealtime/file1' added Mode: realtime Attributes: - Size: 0 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:44:20 2023 - Inode: 52246751 - User: root (0) - Group: root (0) - MD5: d41d8cd98f00b204e9800998ecf8427e - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ** Alert 1701045869.22207: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:44:29 (rhel93) any->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File '/testrealtime/file1' modified Mode: realtime Changed attributes: size,mtime,md5,sha1,sha256 Size changed from '0' to '5' Old modification time was: '1701045860', now it is '1701045869' Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' New md5sum is : 'd8e8fca2dc0f896fd7cb4cb0031ba249' Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' New sha1sum is : '4e1243bd22c66e76c2ba9eddc1f91394e57f9f83' Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' New sha256sum is : 'f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2' Attributes: - Size: 5 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:44:29 2023 - Inode: 52246751 - User: root (0) - Group: root (0) - MD5: d8e8fca2dc0f896fd7cb4cb0031ba249 - SHA1: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 - SHA256: f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 ** Alert 1701045880.23431: - ossec,syscheck,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:44:40 (rhel93) any->syscheck Rule: 553 (level 7) -> 'File deleted.' File '/testrealtime/file1' deleted Mode: realtime Attributes: - Size: 5 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:44:29 2023 - Inode: 52246751 - User: root (0) - Group: root (0) - MD5: d8e8fca2dc0f896fd7cb4cb0031ba249 - SHA1: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 - SHA256: f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 ```

:green_circle: FIM whodata

Configuration:

    <directories whodata="yes">/testwhodata</directories>
Results ``` [root@rhel93 wazuh]# touch /testwhodata/test.txt [root@rhel93 wazuh]# nano /testwhodata/test.txt [root@rhel93 wazuh]# rm /testwhodata/test.txt ``` ``` ** Alert 1701046045.30788: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:47:25 (rhel93) any->syscheck Rule: 554 (level 5) -> 'File added to the system.' File '/testwhodata/test.txt' added Mode: whodata Attributes: - Size: 0 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:47:25 2023 - Inode: 52246753 - User: root (0) - Group: root (0) - MD5: d41d8cd98f00b204e9800998ecf8427e - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - (Audit) User name: root - (Audit) Audit name: wazuh - (Audit) Effective name: root - (Audit) Group name: root - (Audit) Process id: 14367 - (Audit) Process name: /usr/bin/touch - (Audit) Process cwd: /home/wazuh - (Audit) Parent process name: /usr/bin/bash - (Audit) Parent process id: 4772 - (Audit) Parent process cwd: /home/wazuh ** Alert 1701046053.31816: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:47:33 (rhel93) any->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File '/testwhodata/test.txt' modified Mode: whodata Changed attributes: size,mtime,md5,sha1,sha256 Size changed from '0' to '5' Old modification time was: '1701046045', now it is '1701046053' Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' New md5sum is : 'd8e8fca2dc0f896fd7cb4cb0031ba249' Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' New sha1sum is : '4e1243bd22c66e76c2ba9eddc1f91394e57f9f83' Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' New sha256sum is : 'f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2' Attributes: - Size: 5 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:47:33 2023 - Inode: 52246753 - User: root (0) - Group: root (0) - MD5: d8e8fca2dc0f896fd7cb4cb0031ba249 - SHA1: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 - SHA256: f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 - (Audit) User name: root - (Audit) Audit name: wazuh - (Audit) Effective name: root - (Audit) Group name: root - (Audit) Process id: 14532 - (Audit) Process name: /usr/bin/nano - (Audit) Process cwd: /home/wazuh - (Audit) Parent process name: /usr/bin/bash - (Audit) Parent process id: 4772 - (Audit) Parent process cwd: /home/wazuh ** Alert 1701046061.33385: - ossec,syscheck,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 00:47:41 (rhel93) any->syscheck Rule: 553 (level 7) -> 'File deleted.' File '/testwhodata/test.txt' deleted Mode: whodata Attributes: - Size: 5 - Permissions: rw-r--r-- - Date: Mon Nov 27 00:47:33 2023 - Inode: 52246753 - User: root (0) - Group: root (0) - MD5: d8e8fca2dc0f896fd7cb4cb0031ba249 - SHA1: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 - SHA256: f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 - (Audit) User name: root - (Audit) Audit name: wazuh - (Audit) Effective name: root - (Audit) Group name: root - (Audit) Process id: 14907 - (Audit) Process name: /usr/bin/rm - (Audit) Process cwd: /home/wazuh - (Audit) Parent process name: /usr/bin/bash - (Audit) Parent process id: 4772 - (Audit) Parent process cwd: /home/wazuh ```

:green_circle: SCA support

Configuration

SCA is officially supported on RHEL 9. Default configuration was used.

Agent log ```console 2023/11/26 21:47:14 sca: INFO: Module started. 2023/11/26 21:47:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml' 2023/11/26 21:47:14 sca: INFO: Starting Security Configuration Assessment scan. 2023/11/26 21:47:14 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel9_linux.yml' 2023/11/26 21:47:18 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml' 2023/11/26 21:47:18 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. ```
Results ![image](https://github.com/wazuh/wazuh/assets/69121070/1a7005b1-ee3f-4f23-9817-2aa2cba82279) ![image](https://github.com/wazuh/wazuh/assets/69121070/dbfc4e90-f327-4709-b748-fe8f804150c4)

:green_circle: Syscollector

Configuration by default

Agent log ``` 2023/11/26 21:47:14 wazuh-modulesd:syscollector: INFO: Module started. 2023/11/26 21:47:14 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2023/11/26 21:47:14 wazuh-modulesd:syscollector: INFO: Evaluation finished. ```
Manager log ``` 2023/09/26 21:49:57 wazuh-modulesd:syscollector: INFO: Module started. 2023/09/26 21:49:57 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2023/09/26 21:50:32 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2023/09/26 21:50:43 wazuh-modulesd:syscollector: INFO: Evaluation finished. ```
Inventory ![image](https://github.com/wazuh/wazuh/assets/69121070/4bec302a-3201-431d-bb93-fd1f94f9e244) ![image](https://github.com/wazuh/wazuh/assets/69121070/cec9fb63-fa47-4f3b-9634-7ad43eab8e5a)

:green_circle: Vulnerability detector

RHEL 9 is officially supported in Version 4.6.0

Both vulnerability detection module as well as RHEL vulnerability detection were enabled at the manager's ossec.log

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
...
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>
Results ```console 2023/11/27 01:20:35 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully. 2023/11/27 01:20:35 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update. 2023/11/27 01:20:47 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 6' feed finished successfully. 2023/11/27 01:20:47 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update. 2023/11/27 01:21:00 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully. 2023/11/27 01:21:00 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update. 2023/11/27 01:21:14 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 8' feed finished successfully. 2023/11/27 01:21:14 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 9' database update. 2023/11/27 01:21:20 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 9' feed finished successfully. 2023/11/27 01:21:20 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update. 2023/11/27 01:22:27 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully. 2023/11/27 01:22:27 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update. 2023/11/27 01:26:13 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully. 2023/11/27 01:26:13 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update. 2023/11/27 01:26:19 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully. 2023/11/27 01:26:19 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan. 2023/11/27 01:26:19 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it. 2023/11/27 01:26:19 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '003' vulnerabilities. 2023/11/27 01:29:41 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '003' 2023/11/27 01:29:41 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished. ``` ![image](https://github.com/wazuh/wazuh/assets/69121070/f067304a-8871-4717-93ff-eab35daa5739)

:green_circle: Active response

Use case: Restarting the Wazuh agent with active response

Manager ossec.conf configuration:

   <active-response>
    <command>restart-wazuh</command>
    <location>local</location>
    <rules_id>100009</rules_id>
  </active-response>

Manager's /var/ossec/etc/rules/local_rules.xml file:


<group name="restart,">
  <rule id="100009" level="5">
    <if_sid>550</if_sid>
    <match>ossec.conf</match>
    <description>Changes made to the agent configuration file - $(file)</description>
  </rule>
</group>

We force an alert by adding a line in the ossec.conf file in the agent:


<directories realtime="yes">/root</directories>
Results
Manager's log ```console ** Alert 1701112765.598479: - pam,syslog,authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 2023 Nov 27 19:19:25 (rhel93) any->/var/log/secure Rule: 5501 (level 3) -> 'PAM: Login session opened.' User: root(uid=0) Nov 27 16:19:24 rhel93 sudo[11322]: pam_unix(sudo:session): session opened for user root(uid=0) by wazuh(uid=1000) uid: 1000 ** Alert 1701112813.598921: - restart, 2023 Nov 27 19:20:13 (rhel93) any->syscheck Rule: 100009 (level 5) -> 'Changes made to the agent configuration file - /var/ossec/etc/ossec.conf' File '/var/ossec/etc/ossec.conf' modified Mode: realtime Changed attributes: size,mtime,md5,sha1,sha256 Size changed from '5810' to '5862' Old modification time was: '1701112663', now it is '1701112813' Old md5sum was: '6a4f7f5a436ecd5a257af09c251db5d2' New md5sum is : 'e0f1fbe39c838e9e785016302b765014' Old sha1sum was: '65fa76f668034b1bfc12d60c44f98d18f33fc669' New sha1sum is : '8ca5aefec752f07160ca6ddc4ea3743ce5f9d9bd' Old sha256sum was: '8cf516f6442cef9bb1fa470c80c008c38dc5e6af339e4342ad93a507a0b689fc' New sha256sum is : 'de9d92fe3f74640cca8b699a71a98cf1cd5bda5a4c77a68b54301314e3a3d9c5' Attributes: - Size: 5862 - Permissions: rw-rw---- - Date: Mon Nov 27 19:20:13 2023 - Inode: 863163 - User: root (0) - Group: wazuh (1000) - MD5: e0f1fbe39c838e9e785016302b765014 - SHA1: 8ca5aefec752f07160ca6ddc4ea3743ce5f9d9bd - SHA256: de9d92fe3f74640cca8b699a71a98cf1cd5bda5a4c77a68b54301314e3a3d9c5 ** Alert 1701112813.600015: - ossec,active_response,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4, 2023 Nov 27 19:20:13 (rhel93) any->/var/ossec/logs/active-responses.log Rule: 657 (level 3) -> 'Active response: active-response/bin/restart-wazuh - add' 2023/11/27 16:20:13 active-response/bin/restart-wazuh: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-11-27T19:20:13.730+0000","rule":{"level":5,"description":"Changes made to the agent configuration file - /var/ossec/etc/ossec.conf","id":"100009","firedtimes":1,"mail":false,"groups":["restart"]},"agent":{"id":"003","name":"rhel93","ip":"192.168.0.16"},"manager":{"name":"wazuh-server"},"id":"1701112813.598921","full_log":"File '/var/ossec/etc/ossec.conf' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '5810' to '5862'\nOld modification time was: '1701112663', now it is '1701112813'\nOld md5sum was: '6a4f7f5a436ecd5a257af09c251db5d2'\nNew md5sum is : 'e0f1fbe39c838e9e785016302b765014'\nOld sha1sum was: '65fa76f668034b1bfc12d60c44f98d18f33fc669'\nNew sha1sum is : '8ca5aefec752f07160ca6ddc4ea3743ce5f9d9bd'\nOld sha256sum was: '8cf516f6442cef9bb1fa470c80c008c38dc5e6af339e4342ad93a507a0b689fc'\nNew sha256sum is : 'de9d92fe3f74640cca8b699a71a98cf1cd5bda5a4c77a68b54301314e3a3d9c5'\n","syscheck":{"path":"/var/ossec/etc/ossec.conf","mode":"realtime","size_before":"5810","size_after":"5862","perm_after":"rw-rw----","uid_after":"0","gid_after":"1000","md5_before":"6a4f7f5a436ecd5a257af09c251db5d2","md5_after":"e0f1fbe39c838e9e785016302b765014","sha1_before":"65fa76f668034b1bfc12d60c44f98d18f33fc669","sha1_after":"8ca5aefec752f07160ca6ddc4ea3743ce5f9d9bd","sha256_before":"8cf516f6442cef9bb1fa470c80c008c38dc5e6af339e4342ad93a507a0b689fc","sha256_after":"de9d92fe3f74640cca8b699a71a98cf1cd5bda5a4c77a68b54301314e3a3d9c5","uname_after":"root","gname_after":"wazuh","mtime_before":"2023-11-27T19:17:43","mtime_after":"2023-11-27T19:20:13","inode_after":863163,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"},"program":"active-response/bin/restart-wazuh"}} version: 1 origin.name: node01 origin.module: wazuh-execd command: add parameters.extra_args: [] parameters.alert.timestamp: 2023-11-27T19:20:13.730+0000 parameters.alert.rule.level: 5 parameters.alert.rule.description: Changes made to the agent configuration file - /var/ossec/etc/ossec.conf parameters.alert.rule.id: 100009 parameters.alert.rule.firedtimes: 1 parameters.alert.rule.mail: false parameters.alert.rule.groups: ["restart"] parameters.alert.agent.id: 003 parameters.alert.agent.name: rhel93 parameters.alert.agent.ip: 192.168.0.16 parameters.alert.manager.name: wazuh-server parameters.alert.id: 1701112813.598921 parameters.alert.full_log: File '/var/ossec/etc/ossec.conf' modified Mode: realtime Changed attributes: size,mtime,md5,sha1,sha256 Size changed from '5810' to '5862' Old modification time was: '1701112663', now it is '1701112813' Old md5sum was: '6a4f7f5a436ecd5a257af09c251db5d2' New md5sum is : 'e0f1fbe39c838e9e785016302b765014' Old sha1sum was: '65fa76f668034b1bfc12d60c44f98d18f33fc669' New sha1sum is : '8ca5aefec752f07160ca6ddc4ea3743ce5f9d9bd' Old sha256sum was: '8cf516f6442cef9bb1fa470c80c008c38dc5e6af339e4342ad93a507a0b689fc' New sha256sum is : 'de9d92fe3f74640cca8b699a71a98cf1cd5bda5a4c77a68b54301314e3a3d9c5' parameters.alert.syscheck.path: /var/ossec/etc/ossec.conf parameters.alert.syscheck.mode: realtime parameters.alert.syscheck.size_before: 5810 parameters.alert.syscheck.size_after: 5862 parameters.alert.syscheck.perm_after: rw-rw---- parameters.alert.syscheck.uid_after: 0 parameters.alert.syscheck.gid_after: 1000 parameters.alert.syscheck.md5_before: 6a4f7f5a436ecd5a257af09c251db5d2 parameters.alert.syscheck.md5_after: e0f1fbe39c838e9e785016302b765014 parameters.alert.syscheck.sha1_before: 65fa76f668034b1bfc12d60c44f98d18f33fc669 parameters.alert.syscheck.sha1_after: 8ca5aefec752f07160ca6ddc4ea3743ce5f9d9bd parameters.alert.syscheck.sha256_before: 8cf516f6442cef9bb1fa470c80c008c38dc5e6af339e4342ad93a507a0b689fc parameters.alert.syscheck.sha256_after: de9d92fe3f74640cca8b699a71a98cf1cd5bda5a4c77a68b54301314e3a3d9c5 parameters.alert.syscheck.uname_after: root parameters.alert.syscheck.gname_after: wazuh parameters.alert.syscheck.mtime_before: 2023-11-27T19:17:43 parameters.alert.syscheck.mtime_after: 2023-11-27T19:20:13 parameters.alert.syscheck.inode_after: 863163 parameters.alert.syscheck.changed_attributes: ["size", "mtime", "md5", "sha1", "sha256"] parameters.alert.syscheck.event: modified parameters.alert.decoder.name: syscheck_integrity_changed parameters.alert.location: syscheck parameters.program: active-response/bin/restart-wazuh ** Alert 1701112814.604930: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8, 2023 Nov 27 19:20:14 (rhel93) any->wazuh-remoted Rule: 506 (level 3) -> 'Wazuh agent stopped.' ossec: Agent stopped: 'rhel93->any'. ** Alert 1701112816.605254: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8, 2023 Nov 27 19:20:16 (rhel93) any->wazuh-agent Rule: 503 (level 3) -> 'Wazuh agent started.' ossec: Agent started: 'rhel93->any'. ```
Dashoboard ![image](https://github.com/wazuh/wazuh/assets/69121070/e5e53304-3cc8-41ea-a8e8-658011d97025)

:green_circle: Log capture (Eventchannel for Windows and ULS for macOS)

A log file will be traced and a log entry will be added to verify it is successfully detected

Agent's configuration:


  <localfile>
    <log_format>syslog</log_format>
    <location>/var/logs/file.log</location>
  </localfile>

We force an event in the file:


echo 'Sep 10 22:12:41 example pvedaemon[6427]: authentication failure; rhost=192.168.0.1 user=root@pam 
msg=Authentication failure' >/var/log/file.log
Results
Manager's log ```console ** Alert 1701113433.608649: - audit,audit_configuration,gdpr_IV_30.1.g,gpg13_10.1, 2023 Nov 27 19:30:33 (rhel93) any->/var/log/audit/audit.log Rule: 80705 (level 3) -> 'Auditd: Configuration changed.' type=CONFIG_CHANGE msg=audit(1701113432.027:481): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="wazuh_fim" list=4 res=1AUID="unset" type=SYSCALL msg=audit(1701113432.027:481): arch=c000003e syscall=44 success=yes exit=1080 a0=a a1=7ffc7c3419b0 a2=438 a3=0 items=0 ppid=1 pid=16478 auid=4294967295 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="wazuh-syscheckd" exe="/var/ossec/bin/wazuh-syscheckd" subj=system_u:system_r:unconfined_service_t:s0 key=(null)ARCH=x86_64 SYSCALL=sendto AUID="unset" UID="root" GID="wazuh" EUID="root" SUID="root" FSUID="root" EGID="wazuh" SGID="wazuh" FSGID="wazuh" type=PROCTITLE msg=audit(1701113432.027:481): proctitle="/var/ossec/bin/wazuh-syscheckd" audit.type: CONFIG_CHANGE audit.id: 481 audit.key: null ** Alert 1701113433.609695: - audit,audit_configuration,gdpr_IV_30.1.g,gpg13_10.1, 2023 Nov 27 19:30:33 (rhel93) any->/var/log/audit/audit.log Rule: 80705 (level 3) -> 'Auditd: Configuration changed.' type=CONFIG_CHANGE msg=audit(1701113432.027:480): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=remove_rule key="wazuh_hc" list=4 res=1AUID="unset" type=SYSCALL msg=audit(1701113432.027:480): arch=c000003e syscall=44 success=yes exit=1080 a0=a a1=7ffc7c33f990 a2=438 a3=0 items=0 ppid=1 pid=16478 auid=4294967295 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="wazuh-syscheckd" exe="/var/ossec/bin/wazuh-syscheckd" subj=system_u:system_r:unconfined_service_t:s0 key=(null)ARCH=x86_64 SYSCALL=sendto AUID="unset" UID="root" GID="wazuh" EUID="root" SUID="root" FSUID="root" EGID="wazuh" SGID="wazuh" FSGID="wazuh" type=SOCKADDR msg=audit(1701113432.027:480): saddr=100000000000000000000000SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } type=PROCTITLE msg=audit(1701113432.027:480): proctitle="/var/ossec/bin/wazuh-syscheckd" audit.type: CONFIG_CHANGE audit.id: 480 audit.key: null ```
Dashboard ![image](https://github.com/wazuh/wazuh/assets/69121070/a64fcbba-a0fd-4751-b3ca-961714b35ac8)

🟢 Upgrade using WPK

WPK was downloaded from here and this procedure was follow (from step 2)



[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_upgrade -a 003 -f /home/wazuh-user/wazuh_agent_v4.6.0_linux_x86_64.wpk -x upgrade.sh

Upgrading...

Upgraded agents:
        Agent 003 upgraded: Wazuh v4.6.0 -> Wazuh v4.6.0
[root@wazuh-server wazuh-user]#
lchico commented 9 months ago

LGTM!

ed108206 commented 9 months ago

LGMT