wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.7.2 - RC 1 - Installation metrics #21088

Closed wazuhci closed 8 months ago

wazuhci commented 8 months ago

Packages tests metrics information

Main release stage issue #21052
Main packages metrics issue #21087
Version 4.7.2
Release stage RC 1
Tag https://github.com/wazuh/wazuh/tree/v4.7.2-rc1

Packages used


| Architecture | Build |
|---|---|
| AMD64 | https://ci.wazuh.info/job/Test_install_tier/825/ & https://ci.wazuh.info/job/Test_install_tier/829/ (MacOS & Solaris) |
| ARM64 | https://ci.wazuh.info/job/Test_install_tier/827/ & https://ci.wazuh.info/job/Test_install_tier/830/ (MacOS) |
| I386 | https://ci.wazuh.info/job/Test_install_tier/826/ |
| ARM32 | https://ci.wazuh.info/job/Test_install_tier/828/ |
| System | AMD64 | ARM64 | I386 | ARM32 |
|---|---|---|---|---|
| Amazon Linux 1 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Amazon Linux 2 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| CentOS 5 | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| CentOS 6 | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| CentOS 7 | :green_circle: | :green_circle: | :green_circle: | :black_circle: |
| CentOS 8 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Debian 7 | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| Debian 8 | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| Debian 9 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| Debian 10 | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| Debian 11 | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| Debian 12 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Fedora 29 | :green_circle: | :green_circle: | :black_circle: | :green_circle: |
| Fedora 31 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Fedora 32 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Fedora 34 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Fedora 35 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Fedora 36 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| openSUSE Tumbleweed | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Oracle Linux 6 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Oracle Linux 7 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Oracle Linux 8 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Red Hat 6 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Red Hat 7 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Red Hat 8 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Red Hat 9 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Solaris 11 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Solaris 10 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Ubuntu Bionic | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Ubuntu Focal | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Ubuntu Precise | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| Ubuntu Trusty | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| Ubuntu Xenial | :green_circle: | :black_circle: | :green_circle: | :black_circle: |
| Windows 2016 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| macOS 10.15 | :green_circle: | :black_circle: | :black_circle: | :black_circle: |
| macOS 12.01 | :black_circle: | :green_circle: | :black_circle: | :black_circle: |
| macOS 13.4 | :black_circle: | :green_circle: | :black_circle: | :black_circle: |

macOS specific test

| System | Install* | Install** | TCP | UDP | Alerts | Logs | User | Group | Remove |
|---|---|---|---|---|---|---|---|---|---|
| macOS 11.00 Big Sur | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| macOS 12.01 Monterey (intel64) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| macOS 13.4 Ventura (intel64) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| macOS 14 Sonoma (intel64) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| macOS 12.01 Monterey (arm64) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| macOS 13.4 Ventura (arm64) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| macOS 14 Sonoma (arm64) | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: | :green_circle: |

Status legend: :black_circle: - Pending/In progress :white_circle: - Skipped :red_circle: - Rejected :yellow_circle: - Ready to review :green_circle: - Approved


Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.


Conclusion :green_circle:

No abnormalities were found.

Deblintrake09 commented 8 months ago

macOS 14.00 - Sonoma - arm64 :green_circle:

Check OS release

```
sh-3.2# uname -a
Darwin ip-172-31-39-215.ec2.internal 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 arm64
```
:green_circle: Install without ENV variables

- Download package

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5604k  100 5604k    0     0  5868k      0 --:--:-- --:--:-- --:--:-- 5912k
```

```
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: ip-172-31-39-215.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-39-215.ec2.internal |23.1.0 |Darwin Kernel Version 23.1.0: Mon Oct 9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 |arm64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703599215

   Syscheck last started at:  Tue Dec 26 13:56:06 2023
   Syscheck last ended at:    Tue Dec 26 13:56:21 2023
```
:green_circle: Installation with env variables

```
sh-3.2# echo "WAZUH_MANAGER='x.xx.xx.xxx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
[root@ip-wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 002
# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: ip-172-31-39-215.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-39-215.ec2.internal |23.1.0 |Darwin Kernel Version 23.1.0: Mon Oct 9 21:28:12 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T8103 |arm64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703599434

   Syscheck last started at:  Tue Dec 26 14:02:55 2023
   Syscheck last ended at:    Tue Dec 26 14:03:48 2023
```
:green_circle: TCP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep tcp
2023/12/26 14:03:45 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/tcp).
2023/12/26 14:03:45 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/tcp).
```

:green_circle: UDP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep udp
2023/12/26 14:06:30 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/udp).
2023/12/26 14:06::30 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/udp).
```
:green_circle: Alerts

```
{"timestamp":"2023-12-26T14:04:22.384+0000","rule":{"level":7,"description":"SCA summary: CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0: Score less than 50% (42)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"ip-172-31-39-215.ec2.internal","ip":"172.31.39.215"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703599462.1083748","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1005467388","policy":"CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for MacOS 14 Sonoma systems.","policy_id":"cis_macOS_14.0_Sonoma.yml","passed":"25","failed":"34","invalid":"2","total_checks":"61","score":"42","file":"cis_macOS_14.0_Sonoma.yml"}},"location":"sca"}
```
:green_circle: Logs

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical"
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical" | wc -l
0
```
:green_circle: User and group

```
sh-3.2# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B  8 dic 00:24 .ssh
drwxr-x---   3 root   wazuh    96B  8 dic 00:24 active-response
drwxr-x---  14 root   wazuh   448B  8 dic 00:24 agentless
drwxr-x---  10 root   wheel   320B  8 dic 00:24 bin
drwxrwx---   9 wazuh  wazuh   288B 13 dic 09:29 etc
drwxr-x---   9 root   wheel   288B  8 dic 00:24 lib
drwxr-x---   6 wazuh  wazuh   192B  8 dic 00:24 logs
drwxr-x---   9 root   wazuh   288B  8 dic 00:24 queue
drwxr-x---   3 root   wazuh    96B  8 dic 00:24 ruleset
drwxr-x--T   2 root   wazuh    64B 13 dic 09:29 tmp
drwxrwx---   7 root   wazuh   224B 13 dic 09:44 var
drwxr-x---   8 root   wazuh   256B  8 dic 00:24 wodles
```
:green_circle: Removal

```
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```
:green_circle: Installing intel64 Package fails

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6009k  100 6009k    0     0  13.6M      0 --:--:-- --:--:-- --:--:-- 14.0M
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: This package requires Rosetta 2 to be installed. Please install Rosetta 2 and then try again. `sudo softwareupdate --install-rosetta`
installer: Error - Wazuh Agent can’t be installed on this computer.
```
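The post-install checks run by hand in this comment (TCP/UDP connection lines and Error/Warning/Critical lines in ossec.log, the SCA summary alert, and the ownership of /Library/Ossec) as one added Python script; this is not part of Wazuh or of this report, and the helper names and the sample log, alert and ls lines are constructed assumptions modelled on the outputs pasted above. It matches the level field of each log line instead of grepping the whole line, and treats any read or write bit for "other" as a finding.

```python
import json
import re
from dataclasses import dataclass

# ossec.log line, e.g. "2023/12/26 14:03:45 wazuh-agentd: INFO: (4102): Connected ..."
LOG_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
                    r"(?P<daemon>[\w-]+): (?P<level>[A-Za-z]+): (?P<msg>.*)$")
# message 4102 carries the endpoint the agent reached: ([host]:port/proto)
CONNECTED_RE = re.compile(r"\(4102\): Connected to the server "
                          r"\(\[(?P<host>[^\]]+)\]:(?P<port>\d+)/(?P<proto>tcp|udp)\)")
# ls -l line: perms links owner group size <three date tokens> name
LS_RE = re.compile(r"^(?P<perms>[d-][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
                   r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<name>\S+)$")
PROBLEM_LEVELS = {"ERROR", "WARNING", "CRITICAL"}

@dataclass
class LogEntry:
    ts: str
    daemon: str
    level: str
    msg: str

def parse_log(text):
    """Parse ossec.log text; lines that do not fit the format are skipped."""
    matches = (LOG_RE.match(line.strip()) for line in text.splitlines())
    return [LogEntry(**m.groupdict()) for m in matches if m]

def problem_entries(entries):
    """'Logs' check: ERROR/WARNING/CRITICAL entries, matched on the level field."""
    return [e for e in entries if e.level.upper() in PROBLEM_LEVELS]

def server_connections(entries):
    """'TCP'/'UDP' checks: (host, port, proto) of each successful connection."""
    hits = [CONNECTED_RE.search(e.msg) for e in entries]
    return [(m["host"], int(m["port"]), m["proto"]) for m in hits if m]

def sca_summary(alert_line):
    """'Alerts' check: policy and score from an SCA summary alert (rule 19004)."""
    alert = json.loads(alert_line)
    sca = alert["data"]["sca"]
    if sca.get("type") != "summary":
        raise ValueError("not an SCA summary alert")
    return {"agent": alert["agent"]["id"], "rule": alert["rule"]["id"],
            "policy": sca["policy"], "score": int(sca["score"]),
            "passed": int(sca["passed"]), "failed": int(sca["failed"])}

def ownership_problems(ls_output):
    """'User and group' check: flag entries not owned by root/wazuh, not in group
    wazuh/wheel, or with a read/write bit set for 'other' (mode chars 7 and 8)."""
    problems = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        if m["owner"] not in ("root", "wazuh") or m["group"] not in ("wazuh", "wheel"):
            problems.append(f"{m['name']}: unexpected owner {m['owner']}:{m['group']}")
        if m["perms"][7] != "-" or m["perms"][8] != "-":
            problems.append(f"{m['name']}: readable or writable by others")
    return problems

# Constructed sample input modelled on the outputs pasted in the comment above; the
# WARNING line and the 'tmp' entry are deliberately wrong to exercise the checks.
SAMPLE_LOG = """\
2023/12/26 14:03:45 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/tcp).
2023/12/26 14:03:45 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/tcp).
2023/12/26 14:06:30 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/udp).
2023/12/26 14:06:30 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/udp).
2023/12/26 14:07:01 wazuh-modulesd: WARNING: constructed sample warning line.
"""
SAMPLE_ALERT = json.dumps({
    "timestamp": "2023-12-26T14:04:22.384+0000",
    "rule": {"level": 7, "id": "19004", "groups": ["sca"]},
    "agent": {"id": "002", "name": "ip-172-31-39-215.ec2.internal"},
    "decoder": {"name": "sca"},
    "data": {"sca": {"type": "summary", "policy": "CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0",
                     "passed": "25", "failed": "34", "invalid": "2", "total_checks": "61",
                     "score": "42", "file": "cis_macOS_14.0_Sonoma.yml"}},
    "location": "sca"})
SAMPLE_LS = """\
total 0
drwxrwx---   2 root   wazuh   64B Dec 22 13:24 .ssh
drwxr-x---  10 root   wheel  320B Dec 22 13:24 bin
drwxrwx---   9 wazuh  wazuh  288B Dec 26 16:02 etc
drwxr-xr-x   2 root   staff   64B Dec 26 16:02 tmp
"""

def run_checks(log=SAMPLE_LOG, alert=SAMPLE_ALERT, ls_out=SAMPLE_LS):
    """One verdict: a healthy install has no problems and both a tcp and a udp connection."""
    entries = parse_log(log)
    conns = server_connections(entries)
    problems = [f"{e.daemon}: {e.level}: {e.msg}" for e in problem_entries(entries)]
    problems += ownership_problems(ls_out)
    return {"connections": conns, "sca": sca_summary(alert), "problems": problems,
            "ok": not problems and {p for _, _, p in conns} == {"tcp", "udp"}}

if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On a real agent, feed it the contents of /Library/Ossec/logs/ossec.log, one line from /var/ossec/logs/alerts/alerts.json on the manager, and the output of `ls -l /Library/Ossec/`.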
Deblintrake09 commented 8 months ago

macOS 14.00 - Sonoma - Intel :green_circle:

Check OS release

```
sh-3.2# uname -a
Darwin ip-172-31-47-7.ec2.internal 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:27 PDT 2023; root:xnu-10002.41.9~6/RELEASE_X86_64 x86_64
```
:green_circle: Install without ENV variables

- Download package

```
# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5604k  100 5604k    0     0  5868k      0 --:--:-- --:--:-- --:--:-- 5912k
```

```
# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
# nano /Library/Ossec/etc/ossec.conf
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: ip-172-31-47-7.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-47-7.ec2.internal |23.1.0 |Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:27 PDT 2023; root:xnu-10002.41.9~6/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703606441

   Syscheck last started at:  Tue Dec 26 15:59:32 2023
   Syscheck last ended at:    Tue Dec 26 15:59:46 2023
```
:green_circle: Installation with env variables

```
sh-3.2# echo "WAZUH_MANAGER='x.xx.xx.xxx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.intel4.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 009

Wazuh agent_control. Agent information:
   Agent ID:   009
   Agent Name: ip-172-31-47-7.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-47-7.ec2.internal |23.1.0 |Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:27 PDT 2023; root:xnu-10002.41.9~6/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703606615

   Syscheck last started at:  Tue Dec 26 16:03:25 2023
   Syscheck last ended at:    Tue Dec 26 16:03:28 2023
```
:green_circle: TCP

```
# cat /Library/Ossec/logs/ossec.log | grep tcp
2023/12/26 16:03:25 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/tcp).
2023/12/26 16:03:25 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/tcp).
```

:green_circle: UDP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep udp
2023/12/26 14:06:30 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/udp).
2023/12/26 14:06::30 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/udp).
```
:green_circle: Alerts

```
{"timestamp":"2023-12-26T16:03:43.487+0000","rule":{"level":7,"description":"CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0: Ensure XProtect Is Running and Updated.","id":"19007","firedtimes":34,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["5.10"],"cis_csc_v8":["10.1","10.2","10.5"],"cis_csc_v7":["8.2","8.4"],"hipaa":["164.308(a)(5)(ii)(B)"],"iso_27001-2013":["A.12.2.1"],"nist_sp_800-53":["SI-16"],"soc_2":["CC6.8"]},"agent":{"id":"009","name":"ip-172-31-47-7.ec2.internal","ip":"172.31.47.7"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703606623.3200766","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"333055033","policy":"CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0","check":{"id":"34060","title":"Ensure XProtect Is Running and Updated.","description":"XProtect is Apple's native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. There are many AV and Endpoint Threat Detection and Response (ETDR) tools available for Mac OS. The native Apple provisioned tool looks for specific known malware is completely integrated into the OS. No matter what other tools are being used XProtect should have the latest signatures available.","rationale":"Apple creates signatures for known malware that actually effects Macs and that knowledge should be leveraged.","remediation":"Terminal Method: Run the following command to enable and update XProtect: $ sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.pl ist $ sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.Plugi nService.plist $ sudo /usr/sbin/softwareupdate -l --background-critical softwareupdate[97180]: Triggering a background check with forced scan (critical and config-data updates only) ...
Note: Xprotect can only be enabled/disabled if SIP (System Integrity Protection) is disabled. If Xprotect is disabled, the system might be compromised and needs to be investigated.","compliance":{"cis":"5.10","cis_csc_v8":"10.1,10.2,10.5","cis_csc_v7":"8.2,8.4","cmmc_v2":{"0":"SI.L1-3.14.2,SI.L1-3.14.4"},"hipaa":"164.308(a)(5)(ii)(B)","iso_27001-2013":"A.12.2.1","nist_sp_800-53":"SI-16","pci_dss_v3":{"2":{"1":"1.4,11.4,5.1,5.1.1,5.2"}},"pci_dss_v4":{"0":"5.1.1,5.2.1,5.2.2,5.3.1,5.3.2"},"soc_2":"CC6.8"},"references":"https://eclecticlight.co/2021/10/27/silently-updated-security-data-files-in-monterey/,https://eclecticlight.co/2020/12/14/silently-updated-security-data-files-in-big-sur/,https://eclecticlight.co/2019/10/17/security-data-files-how-theyve-changed-in-catalina/,https://eclecticlight.co/2022/05/12/apple-has-pushed-an-update-to-xprotect-21/,https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web,https://eclecticlight.co/2023/06/12/malware-detection-and-remediation-by-xprotect-remediator/","command":["sh -c \"launchctl list | grep -c com.apple.XProtect.daemon.scan\""],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-12-26T16:03:50.518+0000","rule":{"level":7,"description":"SCA summary: CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0: Score less than 50% (42)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"009","name":"ip-172-31-47-7.ec2.internal","ip":"172.31.47.7"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703606630.3206177","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"333055033","policy":"CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for MacOS 14 Sonoma systems.","policy_id":"cis_macOS_14.0_Sonoma.yml","passed":"25","failed":"34","invalid":"2","total_checks":"61","score":"42","file":"cis_macOS_14.0_Sonoma.yml"}},"location":"sca"}
```
:green_circle: Logs

```
# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical"
# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical" | wc -l
0
```
:green_circle: User and group

```
# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B Dec 22 13:24 .ssh
drwxr-x---   3 root   wazuh    96B Dec 22 13:24 active-response
drwxr-x---  14 root   wazuh   448B Dec 22 13:24 agentless
drwxr-x---  10 root   wheel   320B Dec 22 13:24 bin
drwxrwx---   9 wazuh  wazuh   288B Dec 26 16:02 etc
drwxr-x---   9 root   wheel   288B Dec 22 13:24 lib
drwxr-x---   6 wazuh  wazuh   192B Dec 22 13:24 logs
drwxr-x---   9 root   wazuh   288B Dec 22 13:24 queue
drwxr-x---   3 root   wazuh    96B Dec 22 13:24 ruleset
drwxr-x--T   2 root   wazuh    64B Dec 26 16:02 tmp
drwxrwx---   7 root   wazuh   224B Dec 26 16:03 var
drwxr-x---   8 root   wazuh   256B Dec 22 13:24 wodles
```
:green_circle: Removal

```
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```
:green_circle: Installing arm64 Package fails

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6009k  100 6009k    0     0  13.6M      0 --:--:-- --:--:-- --:--:-- 14.0M
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Error - Wazuh Agent can’t be installed on this computer.
```
Deblintrake09 commented 8 months ago

macOS 13.00 - Ventura - Intel :green_circle:

Check OS release

```
sh-3.2# uname -a
Darwin ip-172-31-36-13.ec2.internal 22.6.0 Darwin Kernel Version 22.6.0: Wed Oct 4 21:25:26 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_X86_64 x86_64
```
:green_circle: Install without ENV variables

- Download package

```
# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5604k  100 5604k    0     0  5868k      0 --:--:-- --:--:-- --:--:-- 5912k
```

```
# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
# nano /Library/Ossec/etc/ossec.conf
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 018

Wazuh agent_control. Agent information:
   Agent ID:   018
   Agent Name: ip-172-31-36-13.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-36-13.ec2.internal |22.6.0 |Darwin Kernel Version 22.6.0: Wed Oct 4 21:25:26 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703673297

   Syscheck last started at:  Wed Dec 27 10:33:58 2023
   Syscheck last ended at:    Wed Dec 27 10:34:19 2023
```
:green_circle: Installation with env variables

```
sh-3.2# echo "WAZUH_MANAGER='x.xx.xx.xxx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.intel4.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 020

Wazuh agent_control. Agent information:
   Agent ID:   020
   Agent Name: ip-172-31-36-13.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-36-13.ec2.internal |22.6.0 |Darwin Kernel Version 22.6.0: Wed Oct 4 21:25:26 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703673471

   Syscheck last started at:  Wed Dec 27 10:37:32 2023
   Syscheck last ended at:    Wed Dec 27 10:37:54 2023
```
:green_circle: TCP

```
# cat /Library/Ossec/logs/ossec.log | grep tcp
2023/12/27 10:37:51 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/tcp).
2023/12/27 10:37:51 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/tcp).
```

:green_circle: UDP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep udp
2023/12/27 10:39:21 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/udp).
2023/12/27 10:39:21 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/udp).
```
:green_circle: Alerts

```
{"timestamp":"2023-12-27T10:37:55.904+0000","rule":{"level":3,"description":"Successful sudo executed.","id":"5407","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":1,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"020","name":"ip-172-31-36-13.ec2.internal"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703673475.6175556","full_log":"2023-12-27 10:37:44.179316+0000 localhost sudo[5522]: root : PWD=/Library/Ossec ; USER=_locationd ; COMMAND=/usr/bin/osascript -l JavaScript -e $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd').objectForKey('LocationServicesEnabled')","predecoder":{"program_name":"sudo","timestamp":"2023-12-27 10:37:44.179316+0000"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"root","dstuser":"_locationd","pwd":"/Library/Ossec","command":"/usr/bin/osascript -l JavaScript -e $.NSUserDefaults.alloc.initWithSuiteName('com.apple.locationd').objectForKey('LocationServicesEnabled')"},"location":"macos"}
{"timestamp":"2023-12-27T10:38:02.860+0000","rule":{"level":7,"description":"SCA summary: CIS Apple macOS 13.0 Ventura Benchmark v1.0.0: Score less than 50% (44)","id":"19004","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"020","name":"ip-172-31-36-13.ec2.internal","ip":"172.31.36.13"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703673482.6176259","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"832543217","policy":"CIS Apple macOS 13.0 Ventura Benchmark v1.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","policy_id":"cis_macOS_13","passed":"27","failed":"34","invalid":"0","total_checks":"61","score":"44","file":"cis_apple_macOS_13.x.yml"}},"location":"sca"}
{"timestamp":"2023-12-27T10:38:25.305+0000","rule":{"level":7,"description":"SCA summary: CIS Apple macOS 13.0 Ventura Benchmark v1.0.0: Score less than 50% (44)","id":"19004","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"020","name":"ip-172-31-36-13.ec2.internal","ip":"172.31.36.13"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703673505.6177645","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"832543217","policy":"CIS Apple macOS 13.0 Ventura Benchmark v1.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","policy_id":"cis_macOS_13","passed":"27","failed":"34","invalid":"0","total_checks":"61","score":"44","file":"cis_apple_macOS_13.x.yml"}},"location":"sca"}
```
:green_circle: Logs

```
# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical"
# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical" | wc -l
0
```
:green_circle: User and group

```
# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B Dec 22 13:24 .ssh
drwxr-x---   3 root   wazuh    96B Dec 22 13:24 active-response
drwxr-x---  14 root   wazuh   448B Dec 22 13:24 agentless
drwxr-x---  10 root   wheel   320B Dec 22 13:24 bin
drwxrwx---   9 wazuh  wazuh   288B Dec 27 10:37 etc
drwxr-x---   9 root   wheel   288B Dec 22 13:24 lib
drwxr-x---   6 wazuh  wazuh   192B Dec 22 13:24 logs
drwxr-x---   9 root   wazuh   288B Dec 22 13:24 queue
drwxr-x---   3 root   wazuh    96B Dec 22 13:24 ruleset
drwxr-x--T   2 root   wazuh    64B Dec 27 10:32 tmp
drwxrwx---   7 root   wazuh   224B Dec 27 10:37 var
drwxr-x---   8 root   wazuh   256B Dec 22 13:24 wodles
```
:green_circle: Removal

```
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```
:green_circle: Installing arm64 Package fails

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6009k  100 6009k    0     0  13.6M      0 --:--:-- --:--:-- --:--:-- 14.0M
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Error - Wazuh Agent can’t be installed on this computer.
```
Deblintrake09 commented 8 months ago

macOS 13.00 - Ventura - arm64 :green_circle:

Check OS release

```
sh-3.2# uname -a
Darwin ip-172-31-46-89.ec2.internal 22.6.0 Darwin Kernel Version 22.6.0: Wed Oct 4 21:25:40 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T8103 arm64
```
:green_circle: Install without ENV variables

- Download package

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5604k  100 5604k    0     0  5868k      0 --:--:-- --:--:-- --:--:-- 5912k
```

```
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 024

Wazuh agent_control. Agent information:
   Agent ID:   024
   Agent Name: ip-172-31-46-89.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-46-89.ec2.internal |22.6.0 |Darwin Kernel Version 22.6.0: Wed Oct 4 21:25:40 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T8103 |arm64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703687659

   Syscheck last started at:  Wed Dec 27 14:32:50 2023
   Syscheck last ended at:    Wed Dec 27 14:33:01 2023
```
:green_circle: Installation with env variables

```
sh-3.2# echo "WAZUH_MANAGER='x.xx.xx.xxx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
# /var/ossec/bin/agent_control -i 025

Wazuh agent_control. Agent information:
   Agent ID:   025
   Agent Name: ip-172-31-46-89.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-172-31-46-89.ec2.internal |22.6.0 |Darwin Kernel Version 22.6.0: Wed Oct 4 21:25:40 PDT 2023; root:xnu-8796.141.3.701.17~4/RELEASE_ARM64_T8103 |arm64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703687943

   Syscheck last started at:  Wed Dec 27 14:36:04 2023
   Syscheck last ended at:    Wed Dec 27 14:36:05 2023
```
:green_circle: TCP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep tcp
2023/12/27 14:36:03 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/tcp).
2023/12/27 14:36:03 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/tcp).
```

:green_circle: UDP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep udp
2023/12/27 14:38:30 wazuh-agentd: INFO: Trying to connect to server ([172.31.39.143]:1514/udp).
2023/12/27 14:38:31 wazuh-agentd: INFO: (4102): Connected to the server ([172.31.39.143]:1514/udp).
```
:green_circle: Alerts

```
{"timestamp":"2023-12-27T14:36:34.718+0000","rule":{"level":7,"description":"SCA summary: CIS Apple macOS 13.0 Ventura Benchmark v1.0.0: Score less than 50% (44)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"025","name":"ip-172-31-46-89.ec2.internal","ip":"172.31.46.89"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703687794.7848419","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1040206385","policy":"CIS Apple macOS 13.0 Ventura Benchmark v1.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","policy_id":"cis_macOS_13","passed":"27","failed":"34","invalid":"0","total_checks":"61","score":"44","file":"cis_apple_macOS_13.x.yml"}},"location":"sca"}
{"timestamp":"2023-12-27T14:36:37.743+0000","rule":{"level":7,"description":"SCA summary: CIS Apple macOS 13.0 Ventura Benchmark v1.0.0: Score less than 50% (44)","id":"19004","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"025","name":"ip-172-31-46-89.ec2.internal","ip":"172.31.46.89"},"manager":{"name":"ip-172-31-39-143.ec2.internal"},"id":"1703687797.7849807","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1040206385","policy":"CIS Apple macOS 13.0 Ventura Benchmark v1.0.0","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x.","policy_id":"cis_macOS_13","passed":"27","failed":"34","invalid":"0","total_checks":"61","score":"44","file":"cis_apple_macOS_13.x.yml"}},"location":"sca"}
```
:green_circle: Logs

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical"
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical" | wc -l
0
```
:green_circle: User and group

```
sh-3.2# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B Dec 22 13:44 .ssh
drwxr-x---   3 root   wazuh    96B Dec 22 13:44 active-response
drwxr-x---  14 root   wazuh   448B Dec 22 13:44 agentless
drwxr-x---  10 root   wheel   320B Dec 22 13:45 bin
drwxrwx---   9 wazuh  wazuh   288B Dec 27 14:35 etc
drwxr-x---   9 root   wheel   288B Dec 22 13:45 lib
drwxr-x---   6 wazuh  wazuh   192B Dec 22 13:44 logs
drwxr-x---   9 root   wazuh   288B Dec 22 13:44 queue
drwxr-x---   3 root   wazuh    96B Dec 22 13:44 ruleset
drwxr-x--T   2 root   wazuh    64B Dec 27 14:35 tmp
drwxrwx---   7 root   wazuh   224B Dec 27 14:36 var
drwxr-x---   8 root   wazuh   256B Dec 22 13:44 wodles
```
:green_circle: Removal

```
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```
:green_circle: Installing intel64 Package fails

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6009k  100 6009k    0     0  13.6M      0 --:--:-- --:--:-- --:--:-- 14.0M
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: This package requires Rosetta 2 to be installed. Please install Rosetta 2 and then try again. `sudo softwareupdate --install-rosetta`
installer: Error - Wazuh Agent can’t be installed on this computer.
```
santipadilla commented 8 months ago

MacOS 12.01 - Monterey - intel64 :green_circle:

Check system information
```shellsession
sh-3.2# uname -a
Darwin macos-1201 21.6.0 Darwin Kernel Version 21.6.0: Wed Oct  4 23:55:28 PDT 2023; root:xnu-8020.240.18.704.15~1/RELEASE_X86_64 x86_64
```
Install without ENV variables :green_circle:
- Download & Install agent

```shellsession
sh-3.2# curl -sO https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
```

```shellsession
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
```

```shellsession
sh-3.2# sudo nano /Library/Ossec/etc/ossec.conf
```

```shellsession
sh-3.2# grep address /Library/Ossec/etc/ossec.conf
      <address>xx.xxx.xx.xxx</address>
```

```shellsession
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
```

- Check on manager

```shellsession
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
   Agent ID:   011
   Agent Name: macos-1201
   IP address: any
   Status:     Active

   Operating system:    Darwin |macos-1201|21.6.0 |Darwin Kernel Version 21.6.0: Wed Oct  4 23:55:28 PDT 2023; root:xnu-8020.240.18.704.15~1/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703756853

   Syscheck last started at:  Thu Dec 28 09:46:44 2023
   Syscheck last ended at:    Thu Dec 28 09:46:51 2023
```
Removal :green_circle:
- **Uninstall the Wazuh agent**

```console
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```

- **Remove the agent from the manager**

```shellsession
[root@wazuh-server wazuh-user]# /var/ossec/bin/manage_agents -r 011

****************************************
* Wazuh v4.7.2 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:

Available agents:
   ID: 011, Name: macos-1201, IP: any
Provide the ID of the agent to be removed (or '\q' to quit): 011
Confirm deleting it?(y/n): y
Agent '011' removed.

manage_agents: Exiting.
```
Installation with environment variables :green_circle:
- **Install the agent using environment variables**

```shellsession
sh-3.2# echo "WAZUH_MANAGER='xx.xxx.xx.xxx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
```

```shellsession
sh-3.2# grep address /Library/Ossec/etc/ossec.conf
      <address>x.xx.xx.xxx</address>
```

```shellsession
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
```

- **Check connection on the manager**

```shellsession
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013

Wazuh agent_control. Agent information:
   Agent ID:   013
   Agent Name: macos-1201
   IP address: any
   Status:     Active

   Operating system:    Darwin |macos-1201 |21.6.0 |Darwin Kernel Version 21.6.0: Wed Oct  4 23:55:28 PDT 2023; root:xnu-8020.240.18.704.15~1/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703757556

   Syscheck last started at:  Thu Dec 28 09:58:45 2023
   Syscheck last ended at:    Thu Dec 28 09:58:47 2023
```
TCP :green_circle:

- **Check that the agent is connected through TCP**

```shellsession
sh-3.2# grep protocol /Library/Ossec/etc/ossec.conf
      <protocol>tcp</protocol>
```

```shellsession
sh-3.2# grep tcp /Library/Ossec/logs/ossec.log
2023/12/28 09:58:44 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xxx.xx]:1514/tcp).
2023/12/28 09:58:45 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xxx.xx]:1514/tcp).
2023/12/28 09:58:46 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
```
UDP :green_circle:

- **Change the protocol to UDP on the agent**

```shellsession
sh-3.2# sed -i '' 's/tcp/udp/g' /Library/Ossec/etc/ossec.conf
```

```shellsession
sh-3.2# grep protocol /Library/Ossec/etc/ossec.conf
      <protocol>udp</protocol>
```

```shellsession
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
```

```shellsession
sh-3.2# grep udp /Library/Ossec/logs/ossec.log
2023/12/28 10:03:37 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xxx.xx]:1514/udp).
2023/12/28 10:03:37 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xxx.xx]:1514/udp).
2023/12/28 10:03:39 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -an | awk '{if ((/^(udp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
```
Alerts :green_circle:

```json
{"timestamp":"2023-12-28T09:58:41.115+0000","rule":{"level":7,"description":"CIS Apple macOS 12.0 Monterey Benchmark v1.1.0: Ensure Login Window Displays as Name and Password Is Enabled.","id":"19007","firedtimes":109,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["6.1.1"],"cis_level":["1"]},"agent":{"id":"013","name":"ip-xxx-xx-xx-xx.ec2.internal"},"manager":{"name":"wazuh-server"},"id":"1703757521.521633","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"909501976","policy":"CIS Apple macOS 12.0 Monterey Benchmark v1.1.0","check":{"id":"29058","title":"Ensure Login Window Displays as Name and Password Is Enabled.","description":"The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system.","rationale":"Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes.","remediation":"Run the following command to enable the login window to display name and password: sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true","compliance":{"cis":"6.1.1","cis_level":"1"},"command":["defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME","sh -c \"profiles -P -o stdout | grep SHOWFULLNAME\""],"result":"failed"}}},"location":"sca"}
{"timestamp":"2023-12-28T09:58:41.127+0000","rule":{"level":3,"description":"CIS Apple macOS 12.0 Monterey Benchmark v1.1.0: Ensure Show Password Hints Is Disabled.","id":"19008","firedtimes":67,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["6.1.2"],"cis_level":["1"]},"agent":{"id":"013","name":"ip-xxx-xx-xx-xx.ec2.internal"},"manager":{"name":"wazuh-server"},"id":"1703757521.524082","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"909501976","policy":"CIS Apple macOS 12.0 Monterey Benchmark v1.1.0","check":{"id":"29059","title":"Ensure Show Password Hints Is Disabled.","description":"Password hints are user-created text displayed when an incorrect password is used for an account.","rationale":"Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user.","remediation":"Run the following command to disable password hints: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0","compliance":{"cis":"6.1.2","cis_level":"1"},"command":["defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint"],"result":"passed"}}},"location":"sca"}
{"timestamp":"2023-12-28T09:58:41.139+0000","rule":{"level":3,"description":"CIS Apple macOS 12.0 Monterey Benchmark v1.1.0: Ensure Guest Account Is Disabled.","id":"19008","firedtimes":68,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["6.1.3"],"cis_level":["1"]},"agent":{"id":"013","name":"ip-xxx-xx-xx-xx.ec2.internal"},"manager":{"name":"wazuh-server"},"id":"1703757521.526503","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"909501976","policy":"CIS Apple macOS 12.0 Monterey Benchmark v1.1.0","check":{"id":"29060","title":"Ensure Guest Account Is Disabled.","description":"The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out.","rationale":"Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.","remediation":"Run the following command to disable the guest account: sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false","compliance":{"cis":"6.1.3","cis_level":"1"},"command":["defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled"],"result":"passed"}}},"location":"sca"}
```
Logs :green_circle:

```shellsession
sh-3.2# grep -iE "Error|\Warning\|Critical" /Library/Ossec/logs/ossec.log
```
User and group :green_circle:

```shellsession
sh-3.2# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B 22 dic 13:24 .ssh
drwxr-x---   3 root   wazuh    96B 22 dic 13:24 active-response
drwxr-x---  14 root   wazuh   448B 22 dic 13:24 agentless
drwxr-x---  10 root   wheel   320B 22 dic 13:24 bin
drwxrwx---   9 wazuh  wazuh   288B 28 dic 10:02 etc
drwxr-x---   9 root   wheel   288B 22 dic 13:24 lib
drwxr-x---   6 wazuh  wazuh   192B 22 dic 13:24 logs
drwxr-x---   9 root   wazuh   288B 22 dic 13:24 queue
drwxr-x---   3 root   wazuh    96B 22 dic 13:24 ruleset
drwxr-x--T   2 root   wazuh    64B 28 dic 09:57 tmp
drwxrwx---   7 root   wazuh   224B 28 dic 10:03 var
drwxr-x---   8 root   wazuh   256B 22 dic 13:24 wodles
```

```shellsession
sh-3.2# dscl . list /Groups | grep "wazuh"
wazuh
```
Installation of an ARM64 package fails :green_circle:

```shellsession
sh-3.2# curl -sO https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Error - Wazuh Agent can’t be installed on this computer.
```
MARCOSD4 commented 8 months ago

MacOS 12.01 - Monterey - arm64 :green_circle:

Check OS release

```console
sh-3.2# uname -a
Darwin ip-XXX-XX-XX-XXX.ec2.internal 21.6.0 Darwin Kernel Version 21.6.0: Wed Oct  4 23:54:48 PDT 2023; root:xnu-8020.240.18.704.15~1/RELEASE_ARM64_T8101 arm64
```
:green_circle: Install without ENV variables

- Download package

```console
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5605k  100 5605k    0     0  13.3M      0 --:--:-- --:--:-- --:--:-- 13.7M
```

```console
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```console
# /var/ossec/bin/agent_control -i 018

Wazuh agent_control. Agent information:
   Agent ID:   018
   Agent Name: ip-XXX-XX-XX-XXX.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-XXX-XX-XX-XXX.ec2.internal |21.6.0 |Darwin Kernel Version 21.6.0: Wed Oct  4 23:54:48 PDT 2023; root:xnu-8020.240.18.704.15~1/RELEASE_ARM64_T8101 |arm64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703762356

   Syscheck last started at:  Thu Dec 28 11:18:27 2023
   Syscheck last ended at:    Thu Dec 28 11:18:40 2023
```
:green_circle: Installation with env variables

```console
sh-3.2# echo "WAZUH_MANAGER='xxx.xx.xx.xxx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```console
# /var/ossec/bin/agent_control -i 019

Wazuh agent_control. Agent information:
   Agent ID:   019
   Agent Name: ip-XXX-XX-XX-XXX.ec2.internal
   IP address: any
   Status:     Active

   Operating system:    Darwin |ip-XXX-XX-XX-XXX.ec2.internal |21.6.0 |Darwin Kernel Version 21.6.0: Wed Oct  4 23:54:48 PDT 2023; root:xnu-8020.240.18.704.15~1/RELEASE_ARM64_T8101 |arm64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703763052

   Syscheck last started at:  Thu Dec 28 11:30:03 2023
   Syscheck last ended at:    Thu Dec 28 11:30:04 2023
```
:green_circle: TCP

```console
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep tcp
2023/12/28 11:30:02 wazuh-agentd: INFO: Trying to connect to server ([XX.XXX.XXX.XX]:1514/tcp).
2023/12/28 11:30:02 wazuh-agentd: INFO: (4102): Connected to the server ([XX.XXX.XXX.XX]:1514/tcp).
2023/12/28 11:30:04 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
```

:green_circle: UDP

```console
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep udp
2023/12/28 11:33:26 wazuh-agentd: INFO: Trying to connect to server ([XX.XXX.XXX.XX]:1514/udp).
2023/12/28 11:33:26 wazuh-agentd: INFO: (4102): Connected to the server ([XX.XXX.XXX.XX]:1514/udp).
2023/12/28 11:33:28 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
```
:green_circle: Alerts

```console
# cat /var/ossec/logs/alerts/alerts.json | grep ip-xxx-xx-xx-xx.ec2.internal
{"timestamp":"2023-12-28T11:33:28.068+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":12,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"019","name":"ip-xxx-xx-xx-xx.ec2.internal","ip":"xxx-xx-xx-xx"},"manager":{"name":"wazuh-server"},"id":"1703763208.1509833","full_log":"Trojaned version of file '/usr/sbin/apachectl' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/sbin/apachectl"},"location":"rootcheck"}
```
:green_circle: Logs

```console
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical"
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical" | wc -l
0
```
:green_circle: User and group

```console
sh-3.2# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B 22 dic 13:44 .ssh
drwxr-x---   3 root   wazuh    96B 22 dic 13:44 active-response
drwxr-x---  14 root   wazuh   448B 22 dic 13:44 agentless
drwxr-x---  10 root   wheel   320B 22 dic 13:45 bin
drwxrwx---   9 wazuh  wazuh   288B 28 dic 11:29 etc
drwxr-x---   9 root   wheel   288B 22 dic 13:45 lib
drwxr-x---   6 wazuh  wazuh   192B 22 dic 13:44 logs
drwxr-x---   9 root   wazuh   288B 22 dic 13:44 queue
drwxr-x---   3 root   wazuh    96B 22 dic 13:44 ruleset
drwxr-x--T   2 root   wazuh    64B 28 dic 11:29 tmp
drwxrwx---   7 root   wazuh   224B 28 dic 11:33 var
drwxr-x---   8 root   wazuh   256B 22 dic 13:44 wodles
```
:green_circle: Removal

```console
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```
:green_circle: Installing intel64 Package fails

```console
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6009k  100 6009k    0     0  14.2M      0 --:--:-- --:--:-- --:--:-- 14.7M
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: This package requires Rosetta 2 to be installed. Please install Rosetta 2 and then try again. `sudo softwareupdate --install-rosetta`
installer: Error - Wazuh Agent can’t be installed on this computer.
```
pro-akim commented 8 months ago

macOS 11.00 - Big Sur 🟢

Check OS release

```
sh-3.2# uname -a
Darwin macos-big-sur 20.0.0 Darwin Kernel Version 20.0.0: Thu Jul 30 22:49:28 PDT 2020; root:xnu-7195.0.0.141.5~1/RELEASE_X86_64 x86_64
```
:green_circle: Install without ENV variables

- Download package

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.intel64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0 6009k    0 16890    0     0  16839      0  0:06:05  0:00:01  0:06:0
  2 6009k    2  137k    0     0  95593      0  0:01:04  0:00:01  0:01:0
100 6009k  100 6009k    0     0  2496k      0  0:00:02  0:00:02 --:--:-- 2496k
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# sed -i '' 's|<address>MANAGER_IP</address>|<address>xx.xxx.xxx.xx</address>|g' /Library/Ossec/etc/ossec.conf
sh-3.2# grep "address" /Library/Ossec/etc/ossec.conf
      <address>xx.xxx.xxx.xx</address>
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 026

Wazuh agent_control. Agent information:
   Agent ID:   026
   Agent Name: macos-big-sur
   IP address: any
   Status:     Active

   Operating system:    Darwin |macos-big-sur |20.0.0 |Darwin Kernel Version 20.0.0: Thu Jul 30 22:49:28 PDT 2020; root:xnu-7195.0.0.141.5~1/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703768411

   Syscheck last started at:  Thu Dec 28 12:59:32 2023
   Syscheck last ended at:    Thu Dec 28 12:59:47 2023
```
:green_circle: Removal

```
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
```
:green_circle: Installation with env variables

```
sh-3.2# echo "WAZUH_MANAGER='xx.xxx.xxx.xx'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-4.7.2-1.intel64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.2"
WAZUH_REVISION="40710"
WAZUH_TYPE="agent"
```

- Check on manager

```
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 027

Wazuh agent_control. Agent information:
   Agent ID:   027
   Agent Name: macos-big-sur
   IP address: any
   Status:     Active

   Operating system:    Darwin |macos-big-sur |20.0.0 |Darwin Kernel Version 20.0.0: Thu Jul 30 22:49:28 PDT 2020; root:xnu-7195.0.0.141.5~1/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.7.2
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1703768603

   Syscheck last started at:  Thu Dec 28 13:02:54 2023
   Syscheck last ended at:    Thu Dec 28 13:03:05 2023
```
:green_circle: TCP

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep tcp
2023/12/28 05:02:27 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
2023/12/28 05:02:46 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xxx.xx]:1514/tcp).
2023/12/28 05:02:46 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xxx.xx]:1514/tcp).
```

```
[root@wazuh-server wazuh-user]# grep 027 /var/ossec/logs/alerts/alerts.json
{"timestamp":"2023-12-28T13:04:08.022+0000","rule":{"level":7,"description":"SCA summary: CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0: Score less than 50% (42)","id":"19004","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"027","name":"macos-big-sur","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1703768648.3067924","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"2013912483","policy":"CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0","description":"CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.15. This guide was tested against Apple macOS 10.15.","policy_id":"cis_apple_macos_11.x","passed":"27","failed":"37","invalid":"1","total_checks":"65","score":"42","file":"cis_apple_macOS_11.1.yml"}},"location":"sca"}
{"timestamp":"2023-12-28T13:04:17.775+0000","rule":{"level":7,"description":"SCA summary: CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0: Score less than 50% (42)","id":"19004","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"027","name":"macos-big-sur","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1703768657.3069784","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"2013912483","policy":"CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0","description":"CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.15. This guide was tested against Apple macOS 10.15.","policy_id":"cis_apple_macos_11.x","passed":"27","failed":"37","invalid":"1","total_checks":"65","score":"42","file":"cis_apple_macOS_11.1.yml"}},"location":"sca"}
```
:green_circle: UDP

```
sh-3.2# sed -i '' 's|tcp|udp|g' /Library/Ossec/etc/ossec.conf
sh-3.2#
sh-3.2# grep protocol /Library/Ossec/etc/ossec.conf
      <protocol>udp</protocol>
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.7.2 Stopped
Starting Wazuh v4.7.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep udp
2023/12/28 05:08:08 wazuh-agentd: INFO: Trying to connect to server ([xx.xxx.xxx.xx]:1514/udp).
2023/12/28 05:08:08 wazuh-agentd: INFO: (4102): Connected to the server ([xx.xxx.xxx.xx]:1514/udp).
2023/12/28 05:08:09 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
```

```
{"timestamp":"2023-12-28T13:08:08.621+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":3,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"027","name":"macos-big-sur","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1703768888.3072732","full_log":"ossec: Agent started: 'macos-big-sur->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"macos-big-sur->any"},"location":"wazuh-agent"}
{"timestamp":"2023-12-28T13:08:10.767+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":4,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"027","name":"macos-big-sur","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1703768890.3073069","full_log":"Trojaned version of file '/usr/sbin/apachectl' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/sbin/apachectl"},"location":"rootcheck"}
{"timestamp":"2023-12-28T13:08:19.513+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":5,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"027","name":"macos-big-sur","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1703768899.3073478","full_log":"Files hidden inside directory '/var/tmp'. Link count does not match number of files (3,4).","decoder":{"name":"rootcheck"},"data":{"title":"Files hidden inside directory '/var/tmp'."},"location":"rootcheck"}
```
:green_circle: Logs

```
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical"
sh-3.2# cat /Library/Ossec/logs/ossec.log | grep -iE "Error|\Warning\|Critical" | wc -l
0
```
:green_circle: User and group

```
sh-3.2# ls -lh /Library/Ossec/
total 0
drwxrwx---   2 root   wazuh    64B 22 dic 05:24 .ssh
drwxr-x---   3 root   wazuh    96B 22 dic 05:24 active-response
drwxr-x---  14 root   wazuh   448B 22 dic 05:24 agentless
drwxr-x---  10 root   wheel   320B 22 dic 05:24 bin
drwxrwx---   9 wazuh  wazuh   288B 28 dic 05:06 etc
drwxr-x---   9 root   wheel   288B 22 dic 05:24 lib
drwxr-x---   6 wazuh  wazuh   192B 22 dic 05:24 logs
drwxr-x---   9 root   wazuh   288B 22 dic 05:24 queue
drwxr-x---   3 root   wazuh    96B 22 dic 05:24 ruleset
drwxr-x--T   2 root   wazuh    64B 28 dic 05:01 tmp
drwxrwx---   7 root   wazuh   224B 28 dic 05:08 var
drwxr-x---   8 root   wazuh   256B 22 dic 05:24 wodles
```
:green_circle: Installing ARM64 Package fails

```
sh-3.2# curl -OL https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.7.2-1.arm64.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5605k  100 5605k    0     0  2359k      0  0:00:02  0:00:02 --:--:-- 2358k
sh-3.2# installer -pkg wazuh-agent-4.7.2-1.arm64.pkg -target /
installer: Error - Wazuh Agent can’t be installed on this computer.
```
Rebits commented 8 months ago

LGTM

damarisg commented 8 months ago

LGTM!