wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

HP-UX agent is not able to register #23323

Closed juliamagan closed 5 days ago

juliamagan commented 1 week ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.0-alpha2 < v ≤ 4.8.0-rc1 | Authd/Agentd | Manager/Agent | Packages | 4.8.0 AMI and HP-UX |

Description

During the tests carried out in https://github.com/wazuh/wazuh/issues/23261 it has been possible to see that the HP-UX agent is not able to register in the agent, receiving the following error:

```
2024/05/07 03:53:30 wazuh-agentd[8077] enrollment_op.c:243 at w_enrollment_connect(): ERROR: SSL error (1). Connection refused by the manager. Maybe the port specified is incorrect.
```

In the manager we can see the following logs:

```
00F7B8921D7F0000:error:0A00041B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1586:SSL alert number 51
2024/05/07 10:01:40 wazuh-authd[27281] main-server.c:696 at run_dispatcher(): DEBUG: SSL Error (-1)
00F7B8921D7F0000:error:0A00041B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1586:SSL alert number 51
2024/05/07 10:01:40 wazuh-authd[27281] main-server.c:696 at run_dispatcher(): DEBUG: SSL Error (-1)
```
Agent configuration

```xml
<!-- element names restored from the standard Wazuh agent ossec.conf layout;
     the issue capture kept only the values -->
<client>
  <server>
    <address>X.X.X.X</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>X.X.X.X</manager_address>
    <port>1515</port>
  </enrollment>
  <config-profile>HP-UX, HP-UX11, HP-UX11.31</config-profile>
  <notify_time>10</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <crypto_method>aes</crypto_method>
</client>
```

Manager configuration

```xml
<!-- element names restored from the standard Wazuh manager ossec.conf layout;
     the issue capture kept only the values -->
<auth>
  <disabled>no</disabled>
  <port>1515</port>
  <use_source_ip>no</use_source_ip>
  <purge>yes</purge>
  <use_password>no</use_password>
  <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
  <ssl_verify_host>no</ssl_verify_host>
  <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
  <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
  <ssl_auto_negotiate>yes</ssl_auto_negotiate>
</auth>
```
jr0me commented 1 week ago

Update

We are looking into the issue, pursuing the lead that the problem may be generated by TLSv1.3 being enabled by default since OpenSSL v3.0.

Log from agent using agent-auth:

```
bash-4.4# /var/ossec/bin/agent-auth -m 54.81.139.56
2024/05/07 10:18:58 agent-auth: INFO: Started (pid: 12212).
2024/05/07 10:18:58 agent-auth: INFO: Requesting a key from server: 54.81.139.56
2024/05/07 10:18:59 agent-auth: ERROR: SSL error (1). Connection refused by the manager. Maybe the port specified is incorrect.
00000001:error:02000087:rsa routines:RSA_verify_PKCS1_PSS_mgf1:salt length recovery failed:crypto/rsa/rsa_pss.c:112:
00000001:error:1C880004:Provider routines:rsa_verify:RSA lib:providers/implementations/signature/rsa_sig.c:815:
00000001:error:0A00007B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_lib.c:538:
```
TomasTurina commented 1 week ago

Update

Following this guide allows the agent to connect and works as expected:

https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/enrollment-methods/via-manager-API/index.html

TomasTurina commented 1 week ago

Update

Testing using OpenSSL 1.x, no errors reported:

# openssl version                                     
OpenSSL 1.0.2r  26 Feb 2019
# echo R | openssl s_client -connect 54.81.139.56:1515
CONNECTED(00000003)
depth=0 C = US, ST = California, CN = wazuh
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, CN = wazuh
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/CN=wazuh
   i:/C=US/ST=California/CN=wazuh
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=California/CN=wazuh
issuer=/C=US/ST=California/CN=wazuh
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1473 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 42675FAD344049D593CA125E4F53FF248D94FFD253574CC97EE2A116D2264307
    Session-ID-ctx: 
    Master-Key: 9D2ACFD646D14DDBE572252E6396922328C55B501974AC0BC019B67D1CD2B12F9B6A42B12A67E16004D7B8FF2B92C348
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e7 b1 df 35 bd 0a 21 9b-60 c7 4b 59 60 93 f1 db   ...5..!.`.KY`...
    0010 - 11 ad 44 fe 16 76 ad 00-15 f8 dd 28 c8 06 90 53   ..D..v.....(...S
    0020 - 60 d1 62 a7 62 73 08 8e-98 4b 47 af bc 87 87 6f   `.b.bs...KG....o
    0030 - a3 0e f2 c1 cc 01 db 39-51 6d f4 b5 a7 33 96 fc   .......9Qm...3..
    0040 - 49 46 0f cd c5 1f 8e d4-40 57 97 e4 08 fa 33 50   IF......@W....3P
    0050 - 34 67 58 f3 4d a1 6d a2-18 62 29 39 2e 62 33 83   4gX.M.m..b)9.b3.
    0060 - 16 14 9a 97 a5 d5 33 2b-f6 b7 88 08 cd b3 cd f4   ......3+........
    0070 - 6e 0a d4 d2 fa 7a 28 62-39 30 f7 0c 4d 44 79 38   n....z(b90..MDy8
    0080 - 9c b4 65 43 a7 61 4d 18-5e 0a a5 d0 86 f5 fd 7a   ..eC.aM.^......z
    0090 - 5b 9b 11 13 74 ef f3 6a-32 bd d7 55 15 4c 60 a0   [...t..j2..U.L`.

    Start Time: 1715214347
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
RENEGOTIATING
2129563076:error:14094153:SSL routines:ssl3_read_bytes:no renegotiation:s3_pkt.c:1486:

Testing with OpenSSL 3.x, with errors:

# ./openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
# echo R | ./openssl s_client -connect 54.81.139.56:1515                     
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C = US, ST = California, CN = wazuh
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, ST = California, CN = wazuh
verify return:1
00000001:error:02000087:rsa routines:RSA_verify_PKCS1_PSS_mgf1:salt length recovery failed:crypto/rsa/rsa_pss.c:112:
00000001:error:1C880004:Provider routines:rsa_verify:RSA lib:providers/implementations/signature/rsa_sig.c:815:
00000001:error:0A00007B:SSL routines:tls_process_key_exchange:bad signature:ssl/statem/statem_clnt.c:2306:
---
Certificate chain
 0 s:C = US, ST = California, CN = wazuh
   i:C = US, ST = California, CN = wazuh
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  8 22:41:30 2024 GMT; NotAfter: May  8 22:41:30 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = US, ST = California, CN = wazuh
issuer=C = US, ST = California, CN = wazuh
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1209 bytes and written 195 bytes
Verification error: self-signed certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1715214393
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: yes
---

More specific error:

# echo R | ./openssl s_client -connect 54.81.139.56:1515 -verify_return_error
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C = US, ST = California, CN = wazuh
verify error:num=18:self-signed certificate
00000001:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
00000001:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/local/ssl/certs)
00000001:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
00000001:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/local/ssl/certs)
00000001:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
---
Certificate chain
 0 s:C = US, ST = California, CN = wazuh
   i:C = US, ST = California, CN = wazuh
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  8 22:41:30 2024 GMT; NotAfter: May  8 22:41:30 2025 GMT
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 904 bytes and written 195 bytes
Verification error: self-signed certificate
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1715214448
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Creating the directory /usr/local/ssl/certs solves part of the problem:

# mkdir /usr/local/ssl
# mkdir /usr/local/ssl/certs
# echo R | ./openssl s_client -connect 54.81.139.56:1515 -verify_return_error
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C = US, ST = California, CN = wazuh
verify error:num=18:self-signed certificate
00000001:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
---
Certificate chain
 0 s:C = US, ST = California, CN = wazuh
   i:C = US, ST = California, CN = wazuh
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  8 22:41:30 2024 GMT; NotAfter: May  8 22:41:30 2025 GMT
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 904 bytes and written 195 bytes
Verification error: self-signed certificate
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1715214500
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

The error is the following:

```
00000001:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
```

Some related/useful links about this error:

It seems that something changed in OpenSSL 3.x for HP-UX so that it is no longer able to verify the self-signed certificate of the Wazuh manager. Probably it is no longer in the default trusted store.

Further investigation is required. The initial conclusion is that we need to find a proper certificate for HP-UX that works with openSSL 3.x to solve this.

TomasTurina commented 1 week ago

Update

We found that the problem is related to the ciphers used by OpenSSL 3.0 in HP-UX:

```
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
```

It cannot select any cipher that works by default with the default configuration:

```
HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
```

After some investigation and interpretation of the error message `RSA_verify_PKCS1_PSS_mgf1:salt length recovery failed:crypto/rsa/rsa_pss.c:112`, we found a workaround to make this work. Just set this cipher:

```
RSA
```

Useful documentation: http://www.polarhome.com/service/man/?qf=ciphers&tf=2&of=HP-UX&sf=1

Using the RSA cipher allows the HP-UX agent to register using TLSv1.2, with both auto-enrollment and the agent-auth tool.

Agent log:

2024/05/09 17:47:36 wazuh-execd: INFO: Started (pid: 19692).
2024/05/09 17:47:37 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/09 17:47:37 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2024/05/09 17:47:37 wazuh-agentd: INFO: Version detected -> HP-UX |sovmh349 |B.11.31 |U |ia64 [HP-UX|hp-ux: 11.31] - Wazuh v4.8.0
2024/05/09 17:47:37 wazuh-agentd: INFO: Started (pid: 19699).
2024/05/09 17:47:37 wazuh-agentd: INFO: Requesting a key from server: x.x.x.x
2024/05/09 17:47:37 wazuh-agentd: INFO: No authentication password provided
2024/05/09 17:47:37 wazuh-agentd: INFO: Using agent name as: sovmh349
2024/05/09 17:47:37 wazuh-agentd: INFO: Waiting for server reply
2024/05/09 17:47:37 wazuh-agentd: INFO: Valid key received
2024/05/09 17:47:37 wazuh-agentd: INFO: Waiting 20 seconds before server connection
...
2024/05/09 17:47:57 wazuh-agentd: INFO: (1410): Reading authentication keys file.                                                                                        
2024/05/09 17:47:57 wazuh-agentd: INFO: Using AES as encryption method.                                                                                                  
2024/05/09 17:47:57 wazuh-agentd: INFO: Trying to connect to server ([x.x.x.x]:1514/tcp).                                                                           
2024/05/09 17:47:57 wazuh-agentd: INFO: (4102): Connected to the server ([x.x.x.x]:1514/tcp).                                                                       
2024/05/09 17:47:58 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...                                                                          
2024/05/09 17:47:58 rootcheck: INFO: Starting rootcheck scan.                                                                                                            
2024/05/09 17:47:58 wazuh-agentd: INFO: Agent is restarting due to shared configuration changes.                                                                         
2024/05/09 17:47:59 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.                                                                                   
2024/05/09 17:47:59 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...                                                                      
2024/05/09 17:47:59 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.                                                                               
2024/05/09 17:48:00 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...                                                                         
2024/05/09 17:48:00 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...                                                                            
2024/05/09 17:48:00 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.                                                                                    
2024/05/09 17:48:00 wazuh-execd: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...                                                                             
2024/05/09 17:48:01 wazuh-execd: INFO: Started (pid: 19904).                                                                                                             
2024/05/09 17:48:01 wazuh-agentd: INFO: (1410): Reading authentication keys file.                                                                                        
2024/05/09 17:48:01 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60                                                                              
2024/05/09 17:48:01 wazuh-agentd: INFO: Version detected -> HP-UX |sovmh349 |B.11.31 |U |ia64 [HP-UX|hp-ux: 11.31] - Wazuh v4.8.0                                        
2024/05/09 17:48:01 wazuh-agentd: INFO: Started (pid: 19911).                                                                                                            
2024/05/09 17:48:01 wazuh-agentd: INFO: Using AES as encryption method.                                                                                                  
2024/05/09 17:48:01 wazuh-agentd: INFO: Trying to connect to server ([x.x.x.x]:1514/tcp).                                                                           
2024/05/09 17:48:02 wazuh-agentd: INFO: (4102): Connected to the server ([x.x.x.x]:1514/tcp).

Manager log:

```
2024/05/09 22:46:46 wazuh-authd: INFO: New connection from x.x.x.x
2024/05/09 22:46:46 wazuh-authd: INFO: Received request for a new agent (sovmh349) from: x.x.x.x
2024/05/09 22:46:46 wazuh-authd: INFO: Agent key generated for 'sovmh349' (requested by any)
2024/05/09 22:46:50 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2024/05/09 22:46:50 wazuh-remoted: INFO: (1410): Reading authentication keys file.
```

We should consider documenting this or applying this cipher for HP-UX agents by default.

vikman90 commented 6 days ago

Proposal

We have discovered that OpenSSL does not support some ciphers by default on HP-UX. Considering that HP-UX is a legacy platform, we propose the following:

This ensures that agents can enroll in both new installations and updates.

havidarou commented 6 days ago

Let's continue with modifying the ciphers configuration to RSA for the HP-UX agent.

TomasTurina commented 5 days ago

Update

We found that any cipher with a security level of at least 4 works. This explains why RSA works.

The default security level is 1. To modify the security level, this can be added to the ciphers list:

```
@SECLEVEL=4
```

Using the default cipher list plus the setting from above works:

```xml
<enrollment>
    <ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH:@SECLEVEL=5</ssl_cipher>
</enrollment>
```

Agent log:

2024/05/13 13:43:47 wazuh-execd: INFO: Started (pid: 16555).
2024/05/13 13:43:48 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/13 13:43:48 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2024/05/13 13:43:48 wazuh-agentd: INFO: Version detected -> HP-UX |sovmh349 |B.11.31 |U |ia64 [HP-UX|hp-ux: 11.31] - Wazuh v4.8.0
2024/05/13 13:43:48 wazuh-agentd: INFO: Started (pid: 16565).
2024/05/13 13:43:48 wazuh-agentd: INFO: Requesting a key from server: 52.90.67.128
2024/05/13 13:43:48 wazuh-agentd: INFO: No authentication password provided
2024/05/13 13:43:48 wazuh-agentd: INFO: Using agent name as: sovmh349
2024/05/13 13:43:48 wazuh-agentd: INFO: Waiting for server reply
2024/05/13 13:43:48 wazuh-agentd: INFO: Valid key received
2024/05/13 13:43:48 wazuh-agentd: INFO: Waiting 20 seconds before server connection
2024/05/13 13:43:49 wazuh-syscheckd: INFO: Started (pid: 16581).
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6000): Starting daemon...
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2024/05/13 13:43:49 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2024/05/13 13:43:49 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/05/13 13:43:49 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/adm/syslog/syslog.log'.
2024/05/13 13:43:49 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -n | awk '/^[a-z][a-z]/ {print}' | awk '{print $1, $4, $5}'
2024/05/13 13:43:49 wazuh-logcollector: INFO: Started (pid: 16588).
2024/05/13 13:43:49 wazuh-modulesd: INFO: Started (pid: 16595).
2024/05/13 13:43:49 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/05/13 13:43:49 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/05/13 13:43:49 wazuh-modulesd:syscollector: INFO: Not supported in HP-UX.
2024/05/13 13:43:49 sca: INFO: Module started.
2024/05/13 13:43:49 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml'
2024/05/13 13:43:49 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_hpux_11i.yml'
2024/05/13 13:43:49 sca: INFO: Starting Security Configuration Assessment scan.
2024/05/13 13:43:49 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/05/13 13:43:51 sca: INFO: Skipping policy '/var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml': 'Check HPUX version, bastille is installed and a bastille report is present.'
2024/05/13 13:43:51 sca: INFO: Skipping policy '/var/ossec/ruleset/sca/cis_hpux_11i.yml': 'Check HPUX version and bastille is not installed.'
2024/05/13 13:44:08 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/13 13:44:08 wazuh-agentd: INFO: Using AES as encryption method.
2024/05/13 13:44:08 wazuh-agentd: INFO: Trying to connect to server ([52.90.67.128]:1514/tcp).
2024/05/13 13:44:08 wazuh-agentd: INFO: (4102): Connected to the server ([52.90.67.128]:1514/tcp).
2024/05/13 13:44:09 rootcheck: INFO: Starting rootcheck scan.
2024/05/13 13:44:09 wazuh-syscheckd: INFO: Agent is now online. Process unlocked, continuing...
2024/05/13 13:44:09 wazuh-agentd: INFO: Agent is restarting due to shared configuration changes.
2024/05/13 13:44:10 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2024/05/13 13:44:10 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...
2024/05/13 13:44:10 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources.
2024/05/13 13:44:11 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...
2024/05/13 13:44:11 wazuh-agentd: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...
2024/05/13 13:44:11 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2024/05/13 13:44:11 wazuh-execd: INFO: (1225): SIGNAL [(15)-(15)] Received. Exit Cleaning...
2024/05/13 13:44:13 wazuh-execd: INFO: Started (pid: 16803).
2024/05/13 13:44:13 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/05/13 13:44:13 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2024/05/13 13:44:13 wazuh-agentd: INFO: Version detected -> HP-UX |sovmh349 |B.11.31 |U |ia64 [HP-UX|hp-ux: 11.31] - Wazuh v4.8.0
2024/05/13 13:44:13 wazuh-agentd: INFO: Started (pid: 16810).
2024/05/13 13:44:13 wazuh-agentd: INFO: Using AES as encryption method.
2024/05/13 13:44:13 wazuh-agentd: INFO: Trying to connect to server ([52.90.67.128]:1514/tcp).
2024/05/13 13:44:13 wazuh-agentd: INFO: (4102): Connected to the server ([52.90.67.128]:1514/tcp).
2024/05/13 13:44:14 wazuh-syscheckd: INFO: Started (pid: 16826).
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6000): Starting daemon...
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2024/05/13 13:44:14 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2024/05/13 13:44:14 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/05/13 13:44:14 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/adm/syslog/syslog.log'.
2024/05/13 13:44:14 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -n | awk '/^[a-z][a-z]/ {print}' | awk '{print $1, $4, $5}'
2024/05/13 13:44:14 wazuh-logcollector: INFO: Started (pid: 16833).
2024/05/13 13:44:14 rootcheck: INFO: Starting rootcheck scan.
2024/05/13 13:44:14 wazuh-modulesd: INFO: Started (pid: 16840).
2024/05/13 13:44:14 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/05/13 13:44:14 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/05/13 13:44:14 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/05/13 13:44:14 wazuh-modulesd:syscollector: INFO: Not supported in HP-UX.
2024/05/13 13:44:14 sca: INFO: Module started.
2024/05/13 13:44:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml'
2024/05/13 13:44:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_hpux_11i.yml'
2024/05/13 13:44:14 sca: INFO: Starting Security Configuration Assessment scan.
2024/05/13 13:44:15 sca: INFO: Skipping policy '/var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml': 'Check HPUX version, bastille is installed and a bastille report is present.'
2024/05/13 13:44:16 sca: INFO: Skipping policy '/var/ossec/ruleset/sca/cis_hpux_11i.yml': 'Check HPUX version and bastille is not installed.'
2024/05/13 13:44:16 sca: INFO: Security Configuration Assessment scan finished. Duration: 2 seconds.
2024/05/13 13:45:13 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/05/13 13:45:13 wazuh-syscheckd: INFO: FIM sync module started.
2024/05/13 13:45:58 rootcheck: INFO: Ending rootcheck scan.

New proposal

Use SSL_CTX_set_security_level to set the security level to at least 4 (we can use 4 or 5) when it is an HP-UX agent.

Level 4 Security level set to 192 bits of security. As a result RSA, DSA and DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are not permitted.

Level 5 Security level set to 256 bits of security. As a result RSA, DSA and DH keys shorter than 15360 bits and ECC keys shorter than 512 bits are prohibited.

cc @vikman90 @havidarou
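The two workarounds discussed in this thread (the `RSA` cipher string and the default list with `@SECLEVEL=4`) change what the agent offers in ways that are not visible from the enrollment log alone. The POSIX shell script below is an added example, not code from the Wazuh project or from anyone in this thread: it previews, on any host with an OpenSSL command-line tool of 1.1.0 or newer, which TLS 1.2 cipher suites a candidate `<ssl_cipher>` (agent) or `<ciphers>` (authd) string leaves enabled, how many of them use static RSA key exchange, and whether an RSA certificate's key size would pass verification at a given security level. The three cipher strings are the ones quoted above; the key-size thresholds come from the `SSL_CTX_set_security_level` manual page text quoted in the proposal; the 2048-bit self-signed certificate is a throwaway one the script generates in place of the real `etc/sslmanager.cert`. Running it against the HP-UX agent's own OpenSSL 3.0 build shows what that build actually offers, which is the useful case here.

```shell
#!/bin/sh
# Added example (not code from the Wazuh project or this thread): preview what
# a candidate <ssl_cipher> (agent enrollment) or <ciphers> (authd) string
# leaves enabled in the local OpenSSL before pushing it to agents.
# Assumes an OpenSSL command-line tool of 1.1.0 or newer: "openssl ciphers -s"
# applies the @SECLEVEL filter, whereas without -s the list is printed
# unfiltered and a string ending in @SECLEVEL=N looks as if it changed nothing.

WAZUH_DEFAULT='HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'

# TLS 1.2 suites (name, key exchange, authentication) the string permits.
tls12_suites() {
    openssl ciphers -s -v "$1" 2>/dev/null \
        | awk '$2 != "TLSv1.3" { print $1, $3, $4 }'
}

# Number of permitted suites that use static RSA key exchange (Kx=RSA).
# Security level 3 and above drops them (no forward secrecy), so the "RSA"
# workaround and the @SECLEVEL workaround end up with different suites.
static_rsa_count() {
    tls12_suites "$1" | awk '$2 == "Kx=RSA"' | wc -l | tr -d ' '
}

# Smallest RSA modulus (bits) accepted in a verified certificate at a given
# security level, per the SSL_CTX_set_security_level manual page.
min_rsa_bits_for_level() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# RSA modulus size of a PEM certificate such as etc/sslmanager.cert.
# Handles both the 3.x ("Public-Key:") and 1.1.1 ("RSA Public-Key:") labels.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# "yes" if the certificate's key would pass verification at the level, else
# "no". Only matters once the agent verifies the manager certificate
# (ssl_manager_ca); a 2048-bit manager certificate is rejected at level 4.
cert_ok_at_level() {
    bits=$(cert_rsa_bits "$1")
    min=$(min_rsa_bits_for_level "$2") || return 1
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then echo yes; else echo no; fi
}

# Demo: the three strings from the thread, plus a throwaway 2048-bit
# self-signed certificate generated here in place of the real sslmanager.cert.
demo() {
    for s in "$WAZUH_DEFAULT" 'RSA' "$WAZUH_DEFAULT:@SECLEVEL=4"; do
        printf '\n== %s\n' "$s"
        tls12_suites "$s"
        printf 'static-RSA suites: %s\n' "$(static_rsa_count "$s")"
    done
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=wazuh' \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    printf '\n2048-bit certificate accepted: level 2 -> %s, level 4 -> %s\n' \
        "$(cert_ok_at_level "$tmp/cert.pem" 2)" \
        "$(cert_ok_at_level "$tmp/cert.pem" 4)"
    rm -rf "$tmp"
}

demo
```

Two things worth reading off the output before choosing between the proposals. First, `RSA` keeps static-RSA key exchange suites in the offer, while `@SECLEVEL=4` removes them and, per the level definition quoted above, also every suite below 192 bits or with a SHA-1 MAC; the two settings therefore do not converge on the same handshake. Second, the same level-4 definition prohibits RSA keys shorter than 7680 bits, and the `s_client` output above shows the manager's key is 2048 bits. Enrollment still succeeds in the test because the agent does not verify the manager certificate unless `ssl_manager_ca` is configured; if that verification is ever turned on for these agents, a level-4 setting will reject the current manager certificate, so the check above is worth running against the real `etc/sslmanager.cert` first.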