wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Check Wazuh-Manager compatibility with new version Red Hat Enterprise Linux 9.4 #23312

Closed mjcr99 closed 1 week ago

mjcr99 commented 1 week ago

Description

Hello team, this issue is to check the full compatibility of Wazuh Manager on the new Red Hat Enterprise Linux 9.4 operating system.

OSs checks issue: https://github.com/wazuh/wazuh/issues/23311

For this, it is necessary to perform the following tests to check that everything works as expected:

mjcr99 commented 1 week ago

Testing

:green_circle: Wazuh-manager installation

Manager installed on the RHEL 9.4 machine by following this guide, using the Vagrant box nikomarinov/RHEL:

```console
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```

Installation logs

```console
[root@localhost vagrant]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
08/05/2024 12:24:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.4
08/05/2024 12:24:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/05/2024 12:25:00 INFO: --- Dependencies ---
08/05/2024 12:25:00 INFO: Installing lsof.
08/05/2024 12:25:15 ERROR: Your system does not meet the recommended minimum hardware requirements of 4Gb of RAM and 2 CPU cores. If you want to proceed with the installation use the -i option to ignore these requirements.
[root@localhost vagrant]# curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
08/05/2024 12:25:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.4
08/05/2024 12:25:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
08/05/2024 12:25:32 WARNING: Hardware and system checks ignored.
08/05/2024 12:25:32 INFO: Wazuh web interface port will be 443.
08/05/2024 12:25:34 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443.
08/05/2024 12:25:35 INFO: Wazuh repository added.
08/05/2024 12:25:35 INFO: --- Configuration files ---
08/05/2024 12:25:35 INFO: Generating configuration files.
08/05/2024 12:25:37 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
08/05/2024 12:25:37 INFO: --- Wazuh indexer ---
08/05/2024 12:25:37 INFO: Starting Wazuh indexer installation.
08/05/2024 12:27:19 INFO: Wazuh indexer installation finished.
08/05/2024 12:27:19 INFO: Wazuh indexer post-install configuration finished.
08/05/2024 12:27:19 INFO: Starting service wazuh-indexer.
08/05/2024 12:27:35 INFO: wazuh-indexer service started.
08/05/2024 12:27:35 INFO: Initializing Wazuh indexer cluster security settings.
08/05/2024 12:27:46 INFO: Wazuh indexer cluster initialized.
08/05/2024 12:27:46 INFO: --- Wazuh server ---
08/05/2024 12:27:46 INFO: Starting the Wazuh manager installation.
08/05/2024 12:28:43 INFO: Wazuh manager installation finished.
08/05/2024 12:28:43 INFO: Starting service wazuh-manager.
08/05/2024 12:29:02 INFO: wazuh-manager service started.
08/05/2024 12:29:02 INFO: Starting Filebeat installation.
08/05/2024 12:29:11 INFO: Filebeat installation finished.
08/05/2024 12:29:12 INFO: Filebeat post-install configuration finished.
08/05/2024 12:29:12 INFO: Starting service filebeat.
08/05/2024 12:29:12 INFO: filebeat service started.
08/05/2024 12:29:12 INFO: --- Wazuh dashboard ---
08/05/2024 12:29:12 INFO: Starting Wazuh dashboard installation.
08/05/2024 12:31:11 INFO: Wazuh dashboard installation finished.
08/05/2024 12:31:11 INFO: Wazuh dashboard post-install configuration finished.
08/05/2024 12:31:11 INFO: Starting service wazuh-dashboard.
08/05/2024 12:31:12 INFO: wazuh-dashboard service started.
08/05/2024 12:31:45 INFO: Initializing Wazuh dashboard web application.
08/05/2024 12:31:47 INFO: Wazuh dashboard web application initialized.
08/05/2024 12:31:47 INFO: --- Summary ---
08/05/2024 12:31:47 INFO: You can access the web interface https://:443
    User: admin
    Password: ---
08/05/2024 12:31:47 INFO: Installation finished.
```

:green_circle: Enrollment and connectivity with an agent

The firewall had to be disabled for the agent to connect: `systemctl stop firewalld`

Connection logs

```
2024/05/08 12:48:51 wazuh-authd: INFO: New connection from 192.168.56.106
2024/05/08 12:48:51 wazuh-authd: INFO: Received request for a new agent (agent3-ubu22) from: 192.168.56.106
2024/05/08 12:48:51 wazuh-authd: INFO: Agent key generated for 'agent3-ubu22' (requested by any)
2024/05/08 12:48:55 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2024/05/08 12:48:55 wazuh-remoted: INFO: (1410): Reading authentication keys file.
```

:green_circle: Centralized configuration works correctly

Edit `/var/ossec/etc/shared/default/agent.conf`

agent.conf

```
GNU nano 5.6.1    /var/ossec/etc/shared/default/agent.conf
/test
```

Log on the agent side after editing agent.conf on the manager:

```
2024/05/08 09:51:35 wazuh-modulesd:syscollector: INFO: Module finished.
2024/05/08 09:51:35 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:35 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2024/05/08 09:51:35 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:35 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:36 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2024/05/08 09:51:36 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/05/08 09:51:37 wazuh-execd: INFO: Started (pid: 5232).
2024/05/08 09:51:38 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/08 09:51:38 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2024/05/08 09:51:38 wazuh-agentd: INFO: Version detected -> Linux |agent3-ubu22 |5.15.0-25-generic |#25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 |x86_64 [Ubuntu|ubuntu: 22.04 (Jammy Jellyfish)] - Wazuh v4.7.4
2024/05/08 09:51:38 wazuh-agentd: INFO: Started (pid: 5243).
2024/05/08 09:51:38 wazuh-agentd: INFO: Using AES as encryption method.
2024/05/08 09:51:38 wazuh-agentd: INFO: Trying to connect to server ([192.168.56.208]:1514/tcp).
2024/05/08 09:51:38 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.56.208]:1514/tcp': 'Connection refused'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: Started (pid: 5256).
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/test', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | realtime'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/08 09:51:39 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
```

:green_circle: FIM: Decoding and filtering of correct alerts from FIM

Alert from FIM

![image](https://github.com/wazuh/wazuh/assets/60003131/0f61d376-652a-403b-b6ee-eaebca486bca)

```
** Alert 1715162257.1218782: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 08 12:57:37 (agent3-ubu22) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/test/file1' modified
Mode: realtime
Changed attributes: mtime
Old modification time was: '1715162052', now it is '1715162256'
Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Wed May 8 12:57:36 2024
 - Inode: 2359298
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```

:green_circle: SCA: Policy support

SCA is officially supported on RHEL 9. Default configuration was used.

Connection logs

```
2024/05/08 12:28:58 sca: INFO: Module started.
2024/05/08 12:28:58 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2024/05/08 12:28:58 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/05/08 12:28:58 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2024/05/08 12:28:58 sca: INFO: Starting Security Configuration Assessment scan.
2024/05/08 12:28:58 wazuh-modulesd:control: INFO: Starting control thread.
2024/05/08 12:28:58 wazuh-modulesd:download: INFO: Module started.
2024/05/08 12:28:58 wazuh-modulesd:database: INFO: Module started.
2024/05/08 12:28:58 wazuh-modulesd:syscollector: INFO: Module started.
2024/05/08 12:28:58 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/05/08 12:28:59 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2024/05/08 12:29:00 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/05/08 12:29:04 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/05/08 12:29:04 wazuh-syscheckd: INFO: FIM sync module started.
2024/05/08 12:29:10 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_rhel9_linux.yml'
2024/05/08 12:29:10 sca: INFO: Security Configuration Assessment scan finished. Duration: 12 seconds.
```

Dashboard SCA section

![image](https://github.com/wazuh/wazuh/assets/119335479/1dd68baa-d186-4195-89c5-c7427f9b305f)

:green_circle: Syscollector

Default configuration.

Inventory from an agent Ubuntu 22 ![image](https://github.com/wazuh/wazuh/assets/119335479/f5d534b7-6668-4757-9174-f216c5ad9b36)

:green_circle: Vulnerability detector

Configuration

```
yes 5m 6h yes ... yes 5 6 7 8 9 1h
```

Vulnerability alert

```
** Alert 1715163468.7305875: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2024 May 08 13:17:48 (agent3-ubu22) any->vulnerability-detector
Rule: 23505 (level 10) -> 'CVE-2022-1621 affects vim-runtime'
{"vulnerability":{"package":{"name":"vim-runtime","source":"vim","version":"2:8.2.3995-1ubuntu2","architecture":"all","condition":"Package less than 2:8.2.3995-1ubuntu2.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":6.8,"exploitability_score":8.6,"impact_score":6.4},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9}},"cve":"CVE-2022-1621","title":"CVE-2022-1621 affects vim-runtime","rationale":"Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution","severity":"High","published":"2022-05-10","updated":"2023-11-07","cwe_reference":"CWE-122","status":"Active","type":"PACKAGE","references":["http://seclists.org/fulldisclosure/2022/Oct/28","http://seclists.org/fulldisclosure/2022/Oct/41","https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b","https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb","https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html","https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/","https://security.gentoo.org/glsa/202208-32","https://security.gentoo.org/glsa/202305-16","https://support.apple.com/kb/HT213488","https://nvd.nist.gov/vuln/detail/CVE-2022-1621","https://ubuntu.com/security/notices/USN-5460-1","https://ubuntu.com/security/notices/USN-5613-1","https://www.cve.org/CVERecord?id=CVE-2022-1621"],"assigner":"security@huntr.dev"}}
vulnerability.package.name: vim-runtime
vulnerability.package.source: vim
vulnerability.package.version: 2:8.2.3995-1ubuntu2
vulnerability.package.architecture: all
vulnerability.package.condition: Package less than 2:8.2.3995-1ubuntu2.1
vulnerability.cvss.cvss2.vector.attack_vector: network
vulnerability.cvss.cvss2.vector.access_complexity: medium
vulnerability.cvss.cvss2.vector.authentication: none
vulnerability.cvss.cvss2.vector.confidentiality_impact: partial
vulnerability.cvss.cvss2.vector.integrity_impact: partial
vulnerability.cvss.cvss2.vector.availability: partial
vulnerability.cvss.cvss2.base_score: 6.800000
vulnerability.cvss.cvss2.exploitability_score: 8.600000
vulnerability.cvss.cvss2.impact_score: 6.400000
vulnerability.cvss.cvss3.vector.attack_vector: local
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: unchanged
vulnerability.cvss.cvss3.vector.confidentiality_impact: high
vulnerability.cvss.cvss3.vector.integrity_impact: high
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 7.800000
vulnerability.cvss.cvss3.exploitability_score: 1.800000
vulnerability.cvss.cvss3.impact_score: 5.900000
vulnerability.cve: CVE-2022-1621
vulnerability.title: CVE-2022-1621 affects vim-runtime
vulnerability.rationale: Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
vulnerability.severity: High
vulnerability.published: 2022-05-10
vulnerability.updated: 2023-11-07
vulnerability.cwe_reference: CWE-122
vulnerability.status: Active
vulnerability.type: PACKAGE
vulnerability.references: ["http://seclists.org/fulldisclosure/2022/Oct/28", "http://seclists.org/fulldisclosure/2022/Oct/41", "https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b", "https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb", "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", "https://security.gentoo.org/glsa/202208-32", "https://security.gentoo.org/glsa/202305-16", "https://support.apple.com/kb/HT213488", "https://nvd.nist.gov/vuln/detail/CVE-2022-1621", "https://ubuntu.com/security/notices/USN-5460-1", "https://ubuntu.com/security/notices/USN-5613-1", "https://www.cve.org/CVERecord?id=CVE-2022-1621"]
vulnerability.assigner: security@huntr.dev

** Alert 1715185003.679304: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2024 May 08 19:16:43 (localhost.localdomain) 127.0.0.1->vulnerability-detector
Rule: 23503 (level 5) -> 'CVE-2022-47010 affects binutils'
{"vulnerability":{"package":{"name":"binutils","version":"2.35.2-43.el9","architecture":"x86_64","condition":"Package unfixed"},"cvss":{"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6}},"cve":"CVE-2022-47010","title":"CVE-2022-47010 affects binutils","rationale":"An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.","severity":"Low","published":"2023-08-22","updated":"2023-08-26","cwe_reference":"CWE-401","status":"Active","type":"PACKAGE","bugzilla_references":["https://bugzilla.redhat.com/show_bug.cgi?id=2233988"],"references":["https://sourceware.org/bugzilla/show_bug.cgi?id=29262","https://nvd.nist.gov/vuln/detail/CVE-2022-47010","https://access.redhat.com/security/cve/CVE-2022-47010"],"assigner":"cve@mitre.org"}}
vulnerability.package.name: binutils
vulnerability.package.version: 2.35.2-43.el9
vulnerability.package.architecture: x86_64
vulnerability.package.condition: Package unfixed
vulnerability.cvss.cvss3.vector.attack_vector: local
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: unchanged
vulnerability.cvss.cvss3.vector.confidentiality_impact: none
vulnerability.cvss.cvss3.vector.integrity_impact: none
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 5.500000
vulnerability.cvss.cvss3.exploitability_score: 1.800000
vulnerability.cvss.cvss3.impact_score: 3.600000
vulnerability.cve: CVE-2022-47010
vulnerability.title: CVE-2022-47010 affects binutils
vulnerability.rationale: An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
vulnerability.severity: Low
vulnerability.published: 2023-08-22
vulnerability.updated: 2023-08-26
vulnerability.cwe_reference: CWE-401
vulnerability.status: Active
vulnerability.type: PACKAGE
vulnerability.bugzilla_references: ["https://bugzilla.redhat.com/show_bug.cgi?id=2233988"]
vulnerability.references: ["https://sourceware.org/bugzilla/show_bug.cgi?id=29262", "https://nvd.nist.gov/vuln/detail/CVE-2022-47010", "https://access.redhat.com/security/cve/CVE-2022-47010"]
vulnerability.assigner: cve@mitre.org
```

:green_circle: Active response

Use case: Restarting the Wazuh agent with active response

Manager ossec.conf configuration:

```xml
<active-response>
  <command>restart-wazuh</command>
  <location>local</location>
  <rules_id>550</rules_id>
</active-response>
```

Force a FIM modify alert (id 550) to get the restart.sh script executed with active response:

Results

Manager's alerts

```console
** Alert 1715166818.7689060: - restart,
2024 May 08 14:13:38 (agent3-ubu22) any->syscheck
Rule: 100009 (level 5) -> 'Changes made to the agent configuration file - /var/ossec/etc/ossec.conf'
File '/var/ossec/etc/ossec.conf' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '5681' to '5682'
Old modification time was: '1715166684', now it is '1715166818'
Old md5sum was: '78a1bd39c2a113fb967c85371acab4a7'
New md5sum is : '2c280e1d64b0afb47049ec3798910c58'
Old sha1sum was: 'd118c0b6a5d478098065e77bde5b57da9dcb6b80'
New sha1sum is : '3d7eb2bc0fb7916653978643b87df308447bbc8b'
Old sha256sum was: 'bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9'
New sha256sum is : '818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502'
Attributes:
 - Size: 5682
 - Permissions: rw-rw----
 - Date: Wed May 8 14:13:38 2024
 - Inode: 1574517
 - User: root (0)
 - Group: wazuh (113)
 - MD5: 2c280e1d64b0afb47049ec3798910c58
 - SHA1: 3d7eb2bc0fb7916653978643b87df308447bbc8b
 - SHA256: 818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502

** Alert 1715166848.7690161: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 May 08 14:14:08 (agent3-ubu22) any->wazuh-remoted
Rule: 506 (level 3) -> 'Wazuh agent stopped.'
ossec: Agent stopped: 'agent3-ubu22->any'.

** Alert 1715166851.7690498: - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 May 08 14:14:11 (agent3-ubu22) any->wazuh-agent
Rule: 503 (level 3) -> 'Wazuh agent started.'
ossec: Agent started: 'agent3-ubu22->any'.
```

Active response log

```
root@agent3-ubu22:/home/vagrant# cat /var/ossec/logs/active-responses.log
Wed May 8 11:10:41 UTC 2024 active-response/bin/restart.sh agent
2024/05/08 11:13:38 active-response/bin/restart-wazuh: Starting
2024/05/08 11:13:38 active-response/bin/restart-wazuh: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2024-05-08T14:13:38.725+0300","rule":{"level":5,"description":"Changes made to the agent configuration file - /var/ossec/etc/ossec.conf","id":"100009","firedtimes":1,"mail":false,"groups":["restart"]},"agent":{"id":"001","name":"agent3-ubu22","ip":"192.168.56.106"},"manager":{"name":"localhost.localdomain"},"id":"1715166818.7689060","full_log":"File '/var/ossec/etc/ossec.conf' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '5681' to '5682'\nOld modification time was: '1715166684', now it is '1715166818'\nOld md5sum was: '78a1bd39c2a113fb967c85371acab4a7'\nNew md5sum is : '2c280e1d64b0afb47049ec3798910c58'\nOld sha1sum was: 'd118c0b6a5d478098065e77bde5b57da9dcb6b80'\nNew sha1sum is : '3d7eb2bc0fb7916653978643b87df308447bbc8b'\nOld sha256sum was: 'bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9'\nNew sha256sum is : '818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502'\n","syscheck":{"path":"/var/ossec/etc/ossec.conf","mode":"realtime","size_before":"5681","size_after":"5682","perm_after":"rw-rw----","uid_after":"0","gid_after":"113","md5_before":"78a1bd39c2a113fb967c85371acab4a7","md5_after":"2c280e1d64b0afb47049ec3798910c58","sha1_before":"d118c0b6a5d478098065e77bde5b57da9dcb6b80","sha1_after":"3d7eb2bc0fb7916653978643b87df308447bbc8b","sha256_before":"bdcd8471121275592c217368c48ce512c05de86c062009585c27240c6dd31fd9","sha256_after":"818f7fa2bc631064c2762547f864c4a5521e625d4ec48c7a2a4f0bee93ef9502","uname_after":"root","gname_after":"wazuh","mtime_before":"2024-05-08T14:11:24","mtime_after":"2024-05-08T14:13:38","inode_after":1574517,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"},"program":"active-response/bin/restart-wazuh"}}
2024/05/08 11:14:17 active-response/bin/restart-wazuh: Ended
```

:green_circle: csyslogd module

Link to the docu guide: https://documentation.wazuh.com/current/user-manual/manager/manual-syslog-output.html

Link to syslog_output config: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syslog-output.html#reference-ossec-syslog-output

Configuration in the manager

```
192.168.56.52 3 json
```

Manager log

```
2024/05/08 14:27:25 wazuh-csyslogd: INFO: Started (pid: 8695).
2024/05/08 14:27:25 wazuh-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.56.106:514'.
```

Rsyslog server configuration and results

Done in an Ubuntu 22 VM.

Edit rsyslog file: `/etc/rsyslog.conf`. Uncomment tcp config lines:

```
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
```

Disable firewall: `systemctl stop firewalld.service`

Restart rsyslog: `systemctl restart rsyslog`

Alert received in rsyslog server in `/var/log/message`:

```
Dec 14 12:22:12 rhel9 ossec: {"timestamp":"2023-12-14T12:22:12.714+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"centos8","ip":"192.168.56.52"},"manager":{"name":"rhel9"},"id":"1702556532.8056183","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 918/sshd\ntcp6 :::22 :::* 918/sshd\nudp 127.0.0.1:323 0.0.0.0:* 847/chronyd\nudp6 ::1:323 :::* 847/chronyd\ntcp 0.0.0.0:514 0.0.0.0:* 4590/rsyslogd\ntcp6 :::514 :::* 4590/rsyslogd","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 918/sshd\ntcp6 :::22 :::* 918/sshd\nudp 127.0.0.1:323 0.0.0.0:* 847/chronyd\nudp6 ::1:323 :::* 847/chronyd\ntcp 0.0.0.0:514 0.0.0.0:* 4713/rsyslogd\ntcp6 :::514 :::* 4713/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 4713/rsyslogd\nudp6 :::514 :::* 4713/rsyslogd","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 918/sshd\ntcp6 :::22 :::* 918/sshd\nudp 127.0.0.1:323 0.0.0.0:* 847/chronyd\nudp6 ::1:323 :::* 847/chronyd\ntcp 0.0.0.0:514 0.0.0.0:* 4590/rsyslogd\ntcp6 :::514 :::* 4590/rsyslogd","location":"netstat listening ports"}
```

:green_circle: maild module

Postfix installation

Link to the docu guide: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html

- Install postfix and deps: `yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain`
- Edit postfix configuration: `/etc/postfix/main.cf`
- Add this block for CentOS systems:

```
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
compatibility_level = 2
```

- If the postfix server is not on the same local host as the manager, you have to edit these lines in the postfix config file too:

```
inet_interfaces = all
mynetworks = 192.168.56.24 #(IP address of the VM where wazuh-manager is installed)
```

- Add to postfix the password related to your gmail account. Note: The password must be an [App Password](https://security.google.com/settings/security/apppasswords). App Passwords can only be used with accounts that have [2-Step Verification](https://myaccount.google.com/signinoptions/two-step-verification) turned on.

```
echo [smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 400 /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
systemctl restart postfix
```

- To check postfix logs: `journalctl -u postfix -f`
Configuration in the manager

- Edit the `smtp_server` field with the IP address of the VM where postfix is installed:

```
yes yes no no yes localhost manuel.cano@wazuh.com manuel.cano@wazuh.com 12 alerts.log 10m 0 3 3
```

Restart the manager and generate some FIM modified event (rule id 550 set in the configuration).
Results

- Logs in postfix: `journalctl -u postfix -f`

```console
[root@localhost vagrant]# journalctl -u postfix -f
May 08 14:53:54 localhost.localdomain postfix/smtp[16337]: ADBF0105D0F: to=, relay=smtp.gmail.com[64.233.167.108]:587, delay=1.6, delays=0.06/0.08/0.74/0.73, dsn=2.0.0, status=sent (250 2.0.0 OK 1715169234 5b1f17b1804b1-41f88110ff8sm20657595e9.38 - gsmtp)
May 08 14:53:54 localhost.localdomain postfix/qmgr[11501]: ADBF0105D0F: removed
May 08 14:54:22 localhost.localdomain postfix/smtpd[16330]: connect from localhost[127.0.0.1]
May 08 14:54:22 localhost.localdomain postfix/smtpd[16330]: AC9161000DE: client=localhost[127.0.0.1]
May 08 14:54:22 localhost.localdomain postfix/cleanup[16336]: AC9161000DE: message-id=<20240508115422.AC9161000DE@localhost.localdomain>
May 08 14:54:22 localhost.localdomain postfix/smtpd[16330]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 08 14:54:22 localhost.localdomain postfix/qmgr[11501]: AC9161000DE: from=, size=999, nrcpt=1 (queue active)
May 08 14:54:22 localhost.localdomain postfix/smtp[16337]: connect to smtp.gmail.com[2a00:1450:400c:c06::6d]:587: Network is unreachable
May 08 14:54:23 localhost.localdomain postfix/smtp[16337]: AC9161000DE: to=, relay=smtp.gmail.com[64.233.167.108]:587, delay=1.3, delays=0.05/0/0.52/0.68, dsn=2.0.0, status=sent (250 2.0.0 OK 1715169263 q14-20020a05600c46ce00b004182b87aaacsm2056291wmo.14 - gsmtp)
May 08 14:54:23 localhost.localdomain postfix/qmgr[11501]: AC9161000DE: removed
```

![image](https://github.com/wazuh/wazuh/assets/119335479/c87b91f7-a6e3-4c9e-b3d9-fb484b9940ce)

:red_circle: -> :green_circle: clusterd module

See https://github.com/wazuh/wazuh/issues/23312#issuecomment-2102782010

nginx installation

Link to the docu guide: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html

- Install nginx: `yum install yum-utils`, then `nano /etc/yum.repos.d/nginx.repo` and add this block:

```
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
```

`yum-config-manager --enable nginx-mainline`

`yum install nginx`

- Edit nginx configuration: `nano /etc/nginx/nginx.conf`. Add this block, editing the IP addresses:

```
stream {
    upstream cluster {
        hash $remote_addr consistent;
        server :1514;
        server :1514;
    }
    upstream master {
        server :1515;
    }
    server {
        listen 1514;
        proxy_pass cluster;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
}
```

With this configuration:

```console
[root@localhost vagrant]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
}
stream {
    upstream cluster {
        hash $remote_addr consistent;
        server 192.168.56.208:1514;
        server 192.168.56.100:1514;
    }
    upstream master {
        server 192.168.56.208:1515;
    }
    server {
        listen 1514;
        proxy_pass cluster;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
}
```

The following problem is arising:

```console
[root@localhost vagrant]# nginx -c /etc/nginx/nginx.conf
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1514 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:1515 failed (98: Address already in use)
nginx: [emerg] still could not bind()
[root@localhost vagrant]# systemctl status nginx
× nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Wed 2024-05-08 15:38:47 EEST; 1h 5min ago
       Docs: http://nginx.org/en/docs/
    Process: 17247 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
        CPU: 18ms

May 08 15:38:47 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
May 08 15:38:47 localhost.localdomain nginx[17247]: nginx: [emerg] bind() to 0.0.0.0:1514 failed (13: Permission denied)
May 08 15:38:47 localhost.localdomain systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
May 08 15:38:47 localhost.localdomain systemd[1]: nginx.service: Failed with result 'exit-code'.
May 08 15:38:47 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
```
Install another wazuh-manager to create the cluster
Results

:green_circle: integratord module

Virustotal integration

Link: https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#virustotal

- Manager configuration:

```xml
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
```

- API KEY request: https://www.virustotal.com/gui/my-apikey
- Restart manager
- Generate syscheck event, and check virustotal analysis alert:

```
** Alert 1715178187.11332461: mail - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 08 17:23:07 (agent3-ubu22) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/test/file2' added
Mode: realtime
Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Wed May 8 17:23:07 2024
 - Inode: 2359300
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

** Alert 1715178189.11333149: mail - virustotal,
2024 May 08 17:23:09 (agent3-ubu22) 192.168.56.106->virustotal
Rule: 87104 (level 3) -> 'VirusTotal: Alert - /test/file2 - No positives found'
{"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1715178187.11332461", "file": "/test/file2", "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}, "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "scan_date": "2024-05-08 14:17:22", "positives": 0, "total": 48, "permalink": "https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1715177842"}, "integration": "virustotal"}
virustotal.found: 1
virustotal.malicious: 0
virustotal.source.alert_id: 1715178187.11332461
virustotal.source.file: /test/file2
virustotal.source.md5: d41d8cd98f00b204e9800998ecf8427e
virustotal.source.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
virustotal.sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
virustotal.scan_date: 2024-05-08 14:17:22
virustotal.positives: 0
virustotal.total: 48
virustotal.permalink: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1715177842
integration: virustotal
```

- Check a dummy file that generates a positive threat alert, download from here: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html#id2

```
** Alert 1715178336.11334533: mail - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 May 08 17:25:36 (agent3-ubu22) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/test/eicar.com.txt' added
Mode: realtime
Attributes:
 - Size: 68
 - Permissions: rw-r--r--
 - Date: Wed May 8 17:25:13 2024
 - Inode: 1444251
 - User: root (0)
 - Group: root (0)
 - MD5: 44d88612fea8a8f36de82e1278abb02f
 - SHA1: 3395856ce81f2b7382dee72602f798b642f14140
 - SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

** Alert 1715178339.11335230: mail - virustotal,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
2024 May 08 17:25:39 (agent3-ubu22) 192.168.56.106->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /test/eicar.com.txt - 54 engines detected this file'
{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1715178336.11334533", "file": "/test/eicar.com.txt", "md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140"}, "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "scan_date": "2024-05-08 14:04:47", "positives": 54, "total": 58, "permalink": "https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1715177087"}, "integration": "virustotal"}
virustotal.found: 1
virustotal.malicious: 1
virustotal.source.alert_id: 1715178336.11334533
virustotal.source.file: /test/eicar.com.txt
virustotal.source.md5: 44d88612fea8a8f36de82e1278abb02f
virustotal.source.sha1: 3395856ce81f2b7382dee72602f798b642f14140
virustotal.sha1: 3395856ce81f2b7382dee72602f798b642f14140
virustotal.scan_date: 2024-05-08 14:04:47
virustotal.positives: 54
virustotal.total: 58
virustotal.permalink: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1715177087
integration: virustotal
```
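The nginx load balancer test above failed twice on the LB ports: "Address already in use" from a manual start and "Permission denied" from systemd. As an added pre-flight check (example code, not part of Wazuh or of this issue), the script below separates the two causes: an existing TCP listener on 1514/1515 (for instance wazuh-manager on the same host), and, on RHEL with SELinux enforcing, ports that nginx_t is not allowed to bind because they are not labelled http_port_t. The helper functions read `ss` and `semanage` output from stdin, so the constructed sample output in the test exercises them offline; the `preflight` entry point runs the live commands as root.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the nginx stream LB in front of wazuh-manager
# (example code, not from Wazuh or this issue). Two causes of bind() failure:
#  - 98 Address already in use: another listener already owns 1514/1515
#  - 13 Permission denied under systemd: SELinux confines nginx to nginx_t,
#    which may only bind TCP ports labelled http_port_t
# Helpers read command output on stdin so they can run on constructed samples.

# busy_ports PORT... : reads `ss -Hltn` output, prints each requested port
# that already has a TCP listener; returns 1 if any does.
busy_ports() {
  local listening busy=0 p
  # column 4 is Local Address:Port; keep only the port (also for [::]:1514)
  listening=$(awk '{print $4}' | sed 's/.*://' | sort -u)
  for p in "$@"; do
    if printf '%s\n' "$listening" | grep -qx "$p"; then
      echo "$p"
      busy=1
    fi
  done
  return "$busy"
}

# unlabeled_ports PORT... : reads `semanage port -l` output, prints each
# requested port absent from the tcp http_port_t list; returns 1 if any is.
# (Port ranges like 8080-8090 are not expanded; Wazuh uses single ports.)
unlabeled_ports() {
  local labeled missing=0 p
  labeled=$(awk '$1 == "http_port_t" && $2 == "tcp" { for (i = 3; i <= NF; i++) print $i }' | tr -d ',')
  for p in "$@"; do
    if ! printf '%s\n' "$labeled" | grep -qx "$p"; then
      echo "$p"
      missing=1
    fi
  done
  return "$missing"
}

# preflight: live checks to run as root before `systemctl start nginx`.
preflight() {
  local rc=0 busy missing
  busy=$(ss -Hltn | busy_ports 1514 1515) \
    || { echo "already bound, stop that listener or move the LB:" $busy; rc=1; }
  if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
    missing=$(semanage port -l | unlabeled_ports 1514 1515) \
      || { echo "SELinux blocks nginx on (fix: semanage port -a -t http_port_t -p tcp PORT):" $missing; rc=1; }
  fi
  return "$rc"
}
case "${1-}" in run) preflight ;; esac
```

Run it as `bash preflight.sh run` on the LB host; a non-zero exit with the listed ports tells you which of the two failures you are about to hit.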
mjcr99 commented 1 week ago

:red_circle: -> :green_circle: clusterd module

To avoid the nginx installation problem this test has been performed without using a Load Balancer, following this documentation.

Cluster configuration block in master node

```xml
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <key>7f0fb8da5d78dd01671cf8713e6c5ed5</key>
  <node_type>master</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.56.208</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
Cluster configuration block in worker node

```xml
<cluster>
  <name>wazuh</name>
  <node_name>worker01-node</node_name>
  <key>7f0fb8da5d78dd01671cf8713e6c5ed5</key>
  <node_type>worker</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>192.168.56.208</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
Agent enrollment logs with worker node

```console
2024/05/09 17:20:13 wazuh-agentd: INFO: Requesting a key from server: 192.168.56.100
2024/05/09 17:20:13 wazuh-agentd: INFO: No authentication password provided
2024/05/09 17:20:13 wazuh-agentd: INFO: Using agent name as: agent-rhel9.4
2024/05/09 17:20:13 wazuh-agentd: INFO: Waiting for server reply
2024/05/09 17:20:13 wazuh-agentd: INFO: Valid key received
2024/05/09 17:20:13 wazuh-agentd: INFO: Waiting 20 seconds before server connection
2024/05/09 17:20:33 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/09 17:20:33 wazuh-agentd: INFO: Closing connection to server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:33 wazuh-agentd: INFO: Trying to connect to server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:33 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.56.100]:1514/tcp).
2024/05/09 17:20:34 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
```
Cluster and listed agent visualization

```console
[root@localhost vagrant]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent3-ubu22, IP: any, Disconnected
   ID: 002, Name: agent-rhel9.4, IP: any, Active

List of agentless devices:

[root@localhost vagrant]# /var/ossec/bin/cluster_control -l
NAME           TYPE    VERSION  ADDRESS
master-node    master  4.7.4    192.168.56.208
worker01-node  worker  4.7.4    192.168.56.100

[root@localhost vagrant]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent3-ubu22, IP: any, Disconnected
   ID: 002, Name: agent-rhel9.4, IP: any, Active

List of agentless devices:
```
MarcelKemp commented 1 week ago

LGTM.