Release 4.8.0 - RC 2 - E2E UX tests - Vulnerability Detection

[davidjiglesias]

End-to-End (E2E) Testing Guideline

• Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production, always navigate using the current development documention for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and urls for the correct testing of the development packages.
• Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
• Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
• External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
• Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
• Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
• Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
• Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
• Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
• Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
• Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
• Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
• Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example https://github.com/wazuh/wazuh/issues/13994.
• Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-cppserver-div1 team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
• For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

• 🟢 All checks passed
• 🟡 Found a known issue
• 🔴 Found a new error

Issue delivery and completion

• Initial delivery: The issue's assignee must complete the testing and deliver the results by May 15, 2024 and notify the @wazuh/devel-cppserver-div1 team via Slack using the c-release channel
• Review: The @wazuh/devel-cppserver-div1 team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by May 16, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
• Auditor: The QA team must audit, validate the results, and close the issue by May 17, 2024.

Deployment requirements

Component	Installation	Type	OS
Indexer	Installation assistant	Single node	Ubuntu 22.04 x86_64
Server	Installation assistant	Single node	Ubuntu 22.04 x86_64
Dashboard	Installation assistant	-	Ubuntu 22.04 x86_64
Agent	Installing Wazuh agents	-	Windows server 2019 x86_64, ubuntu 20.04 x86_64, Amazon Linux 2023 x86_64, macOS Sonoma arm

Test description

• Utilize the Vulnerability Detection module to identify Operating System vulnerabilities in all agents and the manager
• Install and Mitigate Vulnerable System Packages:
  • For Windows agents, deploy .msi/.exe packages; for Linux agents, utilize .rpm packages; for macOS agents, employ .pkg packages; and for the Ubuntu manager, utilize .deb packages
  • Mitigate vulnerabilities by either removing the package entirely or upgrading it to a secure version.
• Test Vulnerable Python Packages:
  • Install a vulnerable Python package on each agent and detect the vulnerability using the Vulnerability Detection module
  • Mitigate vulnerabilities by either removing the package entirely or upgrading it to a secure version.
• Test Vulnerable NPM Packages:
  • Install a vulnerable NPM package on each agent and detect the vulnerability using the Vulnerability Detection module
  • Mitigate vulnerabilities by either removing the package entirely or upgrading it to a secure version.
• Test POC for https://documentation-dev.wazuh.com/v4.8.0-rc2/proof-of-concept-guide/poc-vulnerability-detection.html

[!IMPORTANT] Check Known issues to ensure that every test is possible to perform.

[!NOTE] Remember to check vulnerabilities in corresponding system feeds. Check the list in the CVE lists for endpoint section

CVE lists for endpoint

• Ubuntu: https://ubuntu.com/security/cves
• ALAS: https://alas.aws.amazon.com/alas2023.html
• Windows: https://nvd.nist.gov/vuln/search
• macOS: https://nvd.nist.gov/vuln/search

Vulnerable Packages Suggestions

Package type	Windows	AmazonLinux	macOS	Ubuntu
System Packages	VLC-2.0.7 (CVE-2023-47359)	httpd-2.4.55-1.amzn2023 (CVE-2023-31122)	nodejs-20.2.0 (CVE-2023-44487)	apache2=2.4.41-4ubuntu3 (CVE-2023-31122)
Python Packages	Django-3.2.13 (CVE-2022-34265)	Django-3.2.13 (CVE-2022-34265)	Django-3.2.13 (CVE-2022-34265)	Django-3.2.13 (CVE-2022-34265)
NPM Packages	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)

[!NOTE] These packages are only suggestions and the package availability along with the vulnerability status can change. Consider using different vulnerable packages.

Known issues

• https://github.com/wazuh/wazuh/issues/15630
• https://github.com/wazuh/wazuh/issues/22911
• https://github.com/wazuh/wazuh/issues/22896
• https://github.com/wazuh/wazuh/issues/21838
• https://github.com/wazuh/wazuh/issues/22894
• https://github.com/wazuh/wazuh/issues/22867

Conclusions :red_circle:

Status	Test	Failure type	Notes
🟢	System information
🟡	System installation	Warnings in indexer status	- Known issue: https://github.com/wazuh/wazuh-packages/issues/1749
🟢	Initial checks
:yellow_circle:	macOS Sonoma Agent	No vulnerabilities detected from pkg packages	- Known issue: https://github.com/wazuh/wazuh/issues/15798 (This is an old issue with macOS. It's currently blocked, and won't be solved in 4.8.0)
:red_circle:	macOS Sonoma Agent	No vulnerabilities detected from python packages	- New issue: https://github.com/wazuh/wazuh/issues/23507
🟢	Amazon Linux 2023 Agent
🟢	Windows Server 2019 Agent
🟢	Ubuntu 20.04 Agent
:green_circle:	Proof of concept

Feedback

We value your feedback. Please provide insights on your testing experience.

• Was the testing guideline clear? Were there any ambiguities?
  • Yes, no ambiguity found.
• Did you face any challenges not covered by the guideline?
  • No.
• Suggestions for improvement:
  • Not at the moment.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

• [ ] @davidjiglesias
• [x] @wazuh/devel-cppserver-div1

[santipadilla]

System information :green_circle:

Manager

OS information

```console root@wazuh-master-pre:/home/vagrant# cat /etc/*release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS" PRETTY_NAME="Ubuntu 22.04.3 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.3 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy ```

CPU information

```console root@wazuh-master-pre:/home/vagrant# lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 39 bits physical, 48 bits virtual Byte Order: Little Endian CPU(s): 2 On-line CPU(s) list: 0,1 Vendor ID: GenuineIntel Model name: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz CPU family: 6 Model: 165 Thread(s) per core: 1 Core(s) per socket: 2 Socket(s): 1 Stepping: 2 BogoMIPS: 5184.00 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clf lush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl x topology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse 4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clf lushopt md_clear flush_l1d arch_capabilities Virtualization features: Hypervisor vendor: KVM Virtualization type: full Caches (sum of all): L1d: 64 KiB (2 instances) L1i: 64 KiB (2 instances) L2: 512 KiB (2 instances) L3: 24 MiB (2 instances) NUMA: NUMA node(s): 1 NUMA node0 CPU(s): 0,1 Vulnerabilities: Gather data sampling: Unknown: Dependent on hypervisor status Itlb multihit: KVM: Mitigation: VMX unsupported L1tf: Mitigation; PTE Inversion Mds: Mitigation; Clear CPU buffers; SMT Host state unknown Meltdown: Mitigation; PTI Mmio stale data: Mitigation; Clear CPU buffers; SMT Host state unknown Retbleed: Vulnerable Spec rstack overflow: Not affected Spec store bypass: Vulnerable Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affect ed Srbds: Unknown: Dependent on hypervisor status Tsx async abort: Not affected ```

Memory information

```console root@wazuh-master-pre:/home/vagrant# free -h total used free shared buff/cache available Mem: 1.9Gi 510Mi 247Mi 0.0Ki 1.2Gi 1.2Gi Swap: 2.0Gi 89Mi 1.9Gi ```

Storage information

```console root@wazuh-master-pre:/home/vagrant# df --total -h Filesystem Size Used Avail Use% Mounted on tmpfs 197M 976K 196M 1% /run /dev/mapper/ubuntu--vg-ubuntu--lv 62G 13G 47G 21% / tmpfs 982M 80K 982M 1% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock /dev/sda2 2.0G 129M 1.7G 8% /boot tmpfs 197M 4.0K 197M 1% /run/user/1000 total 65G 13G 50G 20% - ```

Ubuntu agent

OS information

```console root@ubuntu-agent-pre:/home/vagrant# cat /etc/os-release NAME="Ubuntu" VERSION="20.04.6 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.6 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal ```

CPU information

```console root@ubuntu-agent-pre:/home/vagrant# lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian Address sizes: 39 bits physical, 48 bits virtual CPU(s): 1 On-line CPU(s) list: 0 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 1 NUMA node(s): 1 Vendor ID: GenuineIntel CPU family: 6 Model: 165 Model name: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz Stepping: 2 CPU MHz: 2592.004 BogoMIPS: 5184.00 Hypervisor vendor: KVM Virtualization type: full L1d cache: 32 KiB L1i cache: 32 KiB L2 cache: 256 KiB L3 cache: 12 MiB NUMA node0 CPU(s): 0 Vulnerability Gather data sampling: Unknown: Dependent on hypervisor status Vulnerability Itlb multihit: KVM: Vulnerable Vulnerability L1tf: Mitigation; PTE Inversion Vulnerability Mds: Mitigation; Clear CPU buffers; SMT Host state unknown Vulnerability Meltdown: Mitigation; PTI Vulnerability Mmio stale data: Mitigation; Clear CPU buffers; SMT Host state unknown Vulnerability Retbleed: Vulnerable Vulnerability Spec store bypass: Vulnerable Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitizat ion Vulnerability Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected Vulnerability Srbds: Unknown: Dependent on hypervisor status Vulnerability Tsx async abort: Not affected Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant _tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq monitor ssse3 cx16 pcid sse4_1 sse4_2 x2apic movbe pop cnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch inv pcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities ```

Memory information

```console root@ubuntu-agent-pre:/home/vagrant# free -h total used free shared buff/cache available Mem: 1.9Gi 113Mi 1.5Gi 0.0Ki 284Mi 1.7Gi Swap: 1.9Gi 0B 1.9Gi ```

Storage information

```console root@ubuntu-agent-pre:/home/vagrant# df --total -h Filesystem Size Used Avail Use% Mounted on udev 941M 0 941M 0% /dev tmpfs 198M 936K 197M 1% /run /dev/sda3 124G 3.2G 114G 3% / tmpfs 986M 0 986M 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 986M 0 986M 0% /sys/fs/cgroup /dev/sda1 456M 206M 216M 49% /boot tmpfs 198M 0 198M 0% /run/user/1000 total 127G 3.4G 118G 3% - ```

Amazon Linux agent

OS information

```console [root@amazon-agent-pre vagrant]# cat /etc/*release Amazon Linux release 2023.3.20240304 (Amazon Linux) NAME="Amazon Linux" VERSION="2023" ID="amzn" ID_LIKE="fedora" VERSION_ID="2023" PLATFORM_ID="platform:al2023" PRETTY_NAME="Amazon Linux 2023.3.20240304" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023" HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/" DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/" SUPPORT_URL="https://aws.amazon.com/premiumsupport/" BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023" VENDOR_NAME="AWS" VENDOR_URL="https://aws.amazon.com/" SUPPORT_END="2028-03-15" Amazon Linux release 2023.3.20240304 (Amazon Linux) ```

CPU information

```console [root@amazon-agent-pre vagrant]# lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 39 bits physical, 48 bits virtual Byte Order: Little Endian CPU(s): 1 On-line CPU(s) list: 0 Vendor ID: GenuineIntel Model name: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz CPU family: 6 Model: 165 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 1 Stepping: 2 BogoMIPS: 5184.00 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflus h mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopolo gy nonstop_tsc cpuid tsc_known_freq pni pclmulqdq monitor ssse3 cx16 pcid sse4 _1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dno wprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities Virtualization features: Hypervisor vendor: KVM Virtualization type: full Caches (sum of all): L1d: 32 KiB (1 instance) L1i: 32 KiB (1 instance) L2: 256 KiB (1 instance) L3: 12 MiB (1 instance) NUMA: NUMA node(s): 1 NUMA node0 CPU(s): 0 Vulnerabilities: Gather data sampling: Unknown: Dependent on hypervisor status Itlb multihit: KVM: Mitigation: VMX unsupported L1tf: Mitigation; PTE Inversion Mds: Mitigation; Clear CPU buffers; SMT Host state unknown Meltdown: Mitigation; PTI Mmio stale data: Mitigation; Clear CPU buffers; SMT Host state unknown Retbleed: Vulnerable Spec rstack overflow: Not affected Spec store bypass: Vulnerable Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected Srbds: Unknown: Dependent on hypervisor status Tsx async abort: Not affected ```

Memory information

```console [root@amazon-agent-pre vagrant]# free -h total used free shared buff/cache available Mem: 1.9Gi 191Mi 1.1Gi 5.0Mi 655Mi 1.6Gi Swap: 0B 0B 0B ```

Storage information

```console [root@amazon-agent-pre vagrant]# df --total -h Filesystem Size Used Avail Use% Mounted on devtmpfs 4.0M 0 4.0M 0% /dev tmpfs 980M 0 980M 0% /dev/shm tmpfs 392M 5.4M 387M 2% /run /dev/sda1 25G 2.2G 23G 9% / tmpfs 980M 0 980M 0% /tmp /dev/sda128 10M 1.3M 8.7M 13% /boot/efi vagrant 234G 206G 28G 89% /vagrant tmpfs 196M 0 196M 0% /run/user/1000 total 262G 208G 54G 80% - ```

MacOS agent

OS information

```console sh-3.2# uname -a Darwin macos-1400 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:40:03 PDT 2023; root:xnu-10002.1.13~1/RELEASE_ARM64_VMAPPLE arm64 sh-3.2# sw_vers ProductName: macOS ProductVersion: 14.0 BuildVersion: 23A344 ```

CPU information

```console sh-3.2# system_profiler SPHardwareDataType Hardware: Hardware Overview: Model Name: Apple Virtual Machine 1 Model Identifier: VirtualMac2,1 Model Number: VM0001LL/A Chip: Apple M1 Max (Virtual) Total Number of Cores: 2 Memory: 4 GB System Firmware Version: 10151.1.1 OS Loader Version: 10151.1.1 Serial Number (system): ZGHNPYVQG6 Hardware UUID: 2E6953F4-CFA4-50CB-96B9-7A70F47BFABE Provisioning UDID: 0000FE00-9C55689FB529FB1A Activation Lock Status: Disabled ```

Memory information

```console sh-3.2# vm_stat Mach Virtual Memory Statistics: (page size of 16384 bytes) Pages free: 4114. Pages active: 104231. Pages inactive: 98937. Pages speculative: 5320. Pages throttled: 0. Pages wired down: 34368. Pages purgeable: 667. "Translation faults": 7069291. Pages copy-on-write: 690853. Pages zero filled: 2135430. Pages reactivated: 93960. Pages purged: 9669. File-backed pages: 133145. Anonymous pages: 75343. Pages stored in compressor: 50363. Pages occupied by compressor: 14438. Decompressions: 36982. Compressions: 248546. Pageins: 389734. Pageouts: 1978. Swapins: 0. Swapouts: 0. ```

Storage information

```console sh-3.2# df -h Filesystem Size Used Avail Capacity iused ifree %iused Mounted on /dev/disk5s1s1 59Gi 9,1Gi 37Gi 20% 387k 390M 0% / devfs 201Ki 201Ki 0Bi 100% 694 0 100% /dev /dev/disk5s6 59Gi 20Ki 37Gi 1% 0 390M 0% /System/Volumes/VM /dev/disk5s2 59Gi 5,2Gi 37Gi 13% 735 390M 0% /System/Volumes/Preboot /dev/disk5s4 59Gi 4,9Mi 37Gi 1% 44 390M 0% /System/Volumes/Update /dev/disk3s2 500Mi 20Ki 495Mi 1% 0 5,1M 0% /System/Volumes/xarts /dev/disk3s1 500Mi 104Ki 495Mi 1% 24 5,1M 0% /System/Volumes/iSCPreboot /dev/disk3s3 500Mi 72Ki 495Mi 1% 18 5,1M 0% /System/Volumes/Hardware /dev/disk5s5 59Gi 6,1Gi 37Gi 15% 150k 390M 0% /System/Volumes/Data /dev/disk2 1,8Ti 931Gi 927Gi 51% 355k 4,3G 0% /Volumes/My Shared Files /dev/disk0s2 20Mi 20Mi 0Bi 100% 88 4,3G 0% /Volumes/Parallels Tools map auto_home 0Bi 0Bi 0Bi 100% 0 0 - /System/Volumes/Data/home ```

Windows agent

OS information


CPU information


Memory information


Storage information


[santipadilla]

System installation :yellow_circle:

Indexer :yellow_circle:

Initial configuration

```console root@wazuh-indexer-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh root@wazuh-indexer-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/config.yml root@wazuh-indexer-pre:/home/vagrant# ls config.yml wazuh-install.sh root@wazuh-indexer-pre:/home/vagrant# nano config.yml root@wazuh-indexer-pre:/home/vagrant# bash wazuh-install.sh --generate-config-files 15/05/2024 08:23:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 15/05/2024 08:23:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log 15/05/2024 08:23:56 INFO: Verifying that your system meets the recommended minimum hardware requirements. 15/05/2024 08:24:11 INFO: --- Configuration files --- 15/05/2024 08:24:11 INFO: Generating configuration files. 15/05/2024 08:24:11 INFO: Generating the root certificate. 15/05/2024 08:24:11 INFO: Generating Admin certificates. 15/05/2024 08:24:12 INFO: Generating Wazuh indexer certificates. 15/05/2024 08:24:12 INFO: Generating Filebeat certificates. 15/05/2024 08:24:12 INFO: Generating Wazuh dashboard certificates. 15/05/2024 08:24:12 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. ```

Wazuh indexer nodes installation

```console root@wazuh-indexer-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh root@wazuh-indexer-pre:/home/vagrant# bash wazuh-install.sh --wazuh-indexer wazuh-indexer-pre 15/05/2024 08:34:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 15/05/2024 08:34:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log 15/05/2024 08:34:07 INFO: Verifying that your system meets the recommended minimum hardware requirements. 15/05/2024 08:34:18 INFO: --- Dependencies ---- 15/05/2024 08:34:18 INFO: Installing apt-transport-https. 15/05/2024 08:34:23 INFO: Wazuh development repository added. 15/05/2024 08:34:23 INFO: --- Wazuh indexer --- 15/05/2024 08:34:23 INFO: Starting Wazuh indexer installation. 15/05/2024 08:35:35 INFO: Wazuh indexer installation finished. 15/05/2024 08:35:35 INFO: Wazuh indexer post-install configuration finished. 15/05/2024 08:35:35 INFO: Starting service wazuh-indexer. 15/05/2024 08:35:48 INFO: wazuh-indexer service started. 15/05/2024 08:35:48 INFO: Initializing Wazuh indexer cluster security settings. 15/05/2024 08:35:50 INFO: Wazuh indexer cluster initialized. 15/05/2024 08:35:50 INFO: Installation finished. ```

Cluster initialization

```console root@wazuh-indexer-pre:/home/vagrant# bash wazuh-install.sh --start-cluster 15/05/2024 08:37:57 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 15/05/2024 08:37:57 INFO: Verbose logging redirected to /var/log/wazuh-install.log 15/05/2024 08:37:59 INFO: Verifying that your system meets the recommended minimum hardware requirements. 15/05/2024 08:38:10 INFO: Wazuh indexer cluster security configuration initialized. 15/05/2024 08:38:36 INFO: Updating the internal users. 15/05/2024 08:38:38 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder. 15/05/2024 08:38:44 INFO: Wazuh indexer cluster started. ```

Testing the cluster installation

```console root@wazuh-indexer-pre:/home/vagrant# curl -k -u admin:PASSWORD https://172.16.1.31:9200 { "name" : "wazuh-indexer-pre", "cluster_name" : "wazuh-indexer-cluster", "cluster_uuid" : "oIzMBIErRIqOQunRhyqs8A", "version" : { "number" : "7.10.2", "build_type" : "rpm", "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03", "build_date" : "2023-09-20T23:54:29.889267151Z", "build_snapshot" : false, "lucene_version" : "9.7.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" } root@wazuh-indexer-pre:/home/vagrant# curl -k -u admin:PASSWORD https://172.16.1.31:9200/_cat/nodes?v ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name 172.16.1.31 32 90 4 0.01 0.11 0.08 dimr data,ingest,master,remote_cluster_client * wazuh-indexer-pre ```

Indexer status

```console root@wazuh-indexer-pre:/home/vagrant# systemctl status wazuh-indexer ● wazuh-indexer.service - Wazuh-indexer Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2024-05-15 08:35:48 UTC; 4h 9min ago Docs: https://documentation.wazuh.com Main PID: 5490 (java) Tasks: 73 (limit: 2220) Memory: 1.2G CPU: 4min 1.728s CGroup: /system.slice/wazuh-indexer.service └─5490 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.c> May 15 08:35:36 wazuh-indexer-pre systemd[1]: Starting Wazuh-indexer... May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: A terminally deprecated method > May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager has > May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: Please consider reporting this > May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager will> May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: A terminally deprecated method > May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager has > May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: Please consider reporting this > May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager will> May 15 08:35:48 wazuh-indexer-pre systemd[1]: Started Wazuh-indexer. ``` >Note: Warnings in indexer status. - Known issue: https://github.com/wazuh/wazuh-packages/issues/1749

Server :green_circle:

Wazuh server cluster installation

```console root@wazuh-master-pre:/home/vagrant# bash wazuh-install.sh --wazuh-server wazuh-master-pre 15/05/2024 08:52:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 15/05/2024 08:52:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log 15/05/2024 08:52:17 INFO: Verifying that your system meets the recommended minimum hardware requirements. 15/05/2024 08:52:34 INFO: --- Dependencies ---- 15/05/2024 08:52:34 INFO: Installing apt-transport-https. 15/05/2024 08:52:38 INFO: Wazuh development repository added. 15/05/2024 08:52:39 INFO: --- Wazuh server --- 15/05/2024 08:52:39 INFO: Starting the Wazuh manager installation. 15/05/2024 08:53:31 INFO: Wazuh manager installation finished. 15/05/2024 08:53:31 INFO: Wazuh manager vulnerability detection configuration finished. 15/05/2024 08:53:31 INFO: Starting service wazuh-manager. 15/05/2024 08:53:47 INFO: wazuh-manager service started. 15/05/2024 08:53:47 INFO: Starting Filebeat installation. 15/05/2024 08:54:08 INFO: Filebeat installation finished. 15/05/2024 08:54:10 INFO: Filebeat post-install configuration finished. 15/05/2024 08:54:36 INFO: Starting service filebeat. 15/05/2024 08:54:37 INFO: filebeat service started. 15/05/2024 08:54:37 INFO: Installation finished. ```

Manager status

```console root@wazuh-master-pre:/home/vagrant# systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2024-05-15 08:54:33 UTC; 39s ago Tasks: 146 (limit: 2220) Memory: 1.3G CPU: 40.013s CGroup: /system.slice/wazuh-manager.service ├─50787 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─50788 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─50791 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─50794 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py ├─50835 /var/ossec/bin/wazuh-authd ├─50852 /var/ossec/bin/wazuh-db ├─50877 /var/ossec/bin/wazuh-execd ├─50894 /var/ossec/bin/wazuh-analysisd ├─50937 /var/ossec/bin/wazuh-syscheckd ├─50955 /var/ossec/bin/wazuh-remoted ├─50992 /var/ossec/bin/wazuh-logcollector ├─51030 /var/ossec/bin/wazuh-monitord └─51084 /var/ossec/bin/wazuh-modulesd May 15 08:54:26 wazuh-master-pre env[50731]: Started wazuh-analysisd... May 15 08:54:27 wazuh-master-pre env[50731]: Started wazuh-syscheckd... May 15 08:54:28 wazuh-master-pre env[50731]: Started wazuh-remoted... May 15 08:54:29 wazuh-master-pre env[50731]: Started wazuh-logcollector... May 15 08:54:30 wazuh-master-pre env[50731]: Started wazuh-monitord... May 15 08:54:30 wazuh-master-pre env[51082]: 2024/05/15 08:54:30 wazuh-modulesd:router: INFO: Loade> May 15 08:54:30 wazuh-master-pre env[51082]: 2024/05/15 08:54:30 wazuh-modulesd:content_manager: IN> May 15 08:54:31 wazuh-master-pre env[50731]: Started wazuh-modulesd... May 15 08:54:33 wazuh-master-pre env[50731]: Completed. May 15 08:54:33 wazuh-master-pre systemd[1]: Started Wazuh manager. ```

Manager version

```console root@wazuh-master-pre:/home/vagrant# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40810" WAZUH_TYPE="server" ```

Dashboard :green_circle:

Wazuh dashboard installation

```console root@wazuh-dashboard-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh root@wazuh-dashboard-pre:/home/vagrant# bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard-pre -o 15/05/2024 09:26:44 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 15/05/2024 09:26:44 INFO: Verbose logging redirected to /var/log/wazuh-install.log 15/05/2024 09:26:44 INFO: --- Removing existing Wazuh installation --- 15/05/2024 09:26:44 INFO: Removing Wazuh dashboard. 15/05/2024 09:26:49 INFO: Wazuh dashboard removed. 15/05/2024 09:26:49 INFO: Installation cleaned. 15/05/2024 09:26:49 INFO: Verifying that your system meets the recommended minimum hardware requirements. 15/05/2024 09:26:53 INFO: Wazuh web interface port will be 443. 15/05/2024 09:26:58 INFO: Wazuh development repository added. 15/05/2024 09:26:58 INFO: --- Wazuh dashboard ---- 15/05/2024 09:26:58 INFO: Starting Wazuh dashboard installation. 15/05/2024 09:27:31 INFO: Wazuh dashboard installation finished. 15/05/2024 09:27:31 INFO: Wazuh dashboard post-install configuration finished. 15/05/2024 09:27:31 INFO: Starting service wazuh-dashboard. 15/05/2024 09:27:32 INFO: wazuh-dashboard service started. 15/05/2024 09:27:45 INFO: Initializing Wazuh dashboard web application. 15/05/2024 09:27:46 INFO: Wazuh dashboard web application initialized. 15/05/2024 09:27:46 INFO: --- Summary --- 15/05/2024 09:27:46 INFO: You can access the web interface https://172.16.1.32:443 User: admin Password: PASSWORD 15/05/2024 09:27:46 INFO: Installation finished. ```

Dashboard status

```console root@wazuh-dashboard-pre:/home/vagrant# systemctl status wazuh-dashboard ● wazuh-dashboard.service - wazuh-dashboard Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2024-05-15 12:49:58 UTC; 4min 25s ago Main PID: 639 (node) Tasks: 11 (limit: 4558) Memory: 282.2M CPU: 6.180s CGroup: /system.slice/wazuh-dashboard.service └─639 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=655> May 15 12:49:58 wazuh-dashboard-pre systemd[1]: Started wazuh-dashboard. May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:05 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> May 15 12:50:05 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05-> ```

Dashboard interface


[santipadilla]

Initial checks :green_circle:

No error in manager :green_circle:

This warning appears when the manager starts: ``` 2024/05/15 08:53:44 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-master-pre', retrying until the connection is successful. ``` But then the initialization is done correctly: ``` 2024/05/15 08:54:31 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-master-pre. ```

All indices green :green_circle:

```console root@wazuh-master-pre:/home/vagrant# curl -k -u admin:PASSWORD https://172.16.1.31:9200/_cat/indices green open wazuh-states-vulnerabilities-wazuh-master-pre 0QxdKOf3RZaliXx8S5VTNQ 1 0 0 0 208b 208b green open .opensearch-observability 8PGOhqzHSXuhCRyJlet4OQ 1 0 0 0 208b 208b green open .plugins-ml-config IZXJTwnMTMexsZbfvkyeRA 1 0 1 0 3.9kb 3.9kb green open wazuh-statistics-2024.20w 5Bv7S4SbTAub0V_n2mMHpQ 1 0 18 0 179.6kb 179.6kb green open wazuh-alerts-4.x-2024.05.15 Yp3Yt5PRRjmCTUZGHwT0dQ 3 0 194 0 571.9kb 571.9kb green open wazuh-monitoring-2024.20w Pq5EgjhYSZycEpQPtV8_mA 1 0 0 0 208b 208b green open .opendistro_security P5EIXB7zTTGvc94FiUrH3A 1 0 10 1 44.1kb 44.1kb green open .kibana_1 oXgdYsJnSAWOhg6fSwbLOA 1 0 6 1 69.8kb 69.8kb ```

[santipadilla]

macOS Sonoma Agent :red_circle:

Initial scan :green_circle:


Disable and enable VD :green_circle:


System package :yellow_circle:

```console sh-3.2# curl -o node-v20.2.0.pkg https://nodejs.org/dist/v20.2.0/node-v20.2.0.pkg % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 69.9M 100 69.9M 0 0 43.5M 0 0:00:01 0:00:01 --:--:-- 43.7M sh-3.2# sudo installer -pkg node-v20.2.0.pkg -target / installer: Package name is Node.js installer: Installing at base path / installer: The install was successful. sh-3.2# node -v v20.2.0 ``` >Note: No vulnerabilities detected. Known issue: https://github.com/wazuh/wazuh/issues/15798 > This is an old issue with macOS. It's currently blocked, and won't be solved in 4.8.0

Python package :red_circle:

```console sh-3.2# python3 -m venv my_django_env sh-3.2# source my_django_env/bin/activate (my_django_env) sh-3.2# (my_django_env) sh-3.2# pip install Django==3.2.13 Collecting Django==3.2.13 Downloading Django-3.2.13-py3-none-any.whl (7.9 MB) |████████████████████████████████| 7.9 MB 7.8 MB/s Collecting pytz Downloading pytz-2024.1-py2.py3-none-any.whl (505 kB) |████████████████████████████████| 505 kB 81.8 MB/s Collecting asgiref<4,>=3.3.2 Downloading asgiref-3.8.1-py3-none-any.whl (23 kB) Collecting sqlparse>=0.2.2 Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB) |████████████████████████████████| 43 kB 11.3 MB/s Collecting typing-extensions>=4 Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB) Installing collected packages: typing-extensions, sqlparse, pytz, asgiref, Django Successfully installed Django-3.2.13 asgiref-3.8.1 pytz-2024.1 sqlparse-0.5.0 typing-extensions-4.11.0 WARNING: You are using pip version 21.2.4; however, version 24.0 is available. You should consider upgrading via the '/Users/vagrant/my_django_env/bin/python3 -m pip install --upgrade pip' command. (my_django_env) sh-3.2# django-admin --version 3.2.13 ``` >Note: It does not detect vulnerabilities and they do not appear in the inventory either. >New issue: https://github.com/wazuh/wazuh/issues/23507

NPM package :green_circle:

- Install package ```console sh-3.2# npm install -g axios@0.6.0 npm WARN deprecated axios@0.6.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410 added 1 package in 362ms npm notice npm notice New major version of npm available! 9.6.6 -> 10.7.0 npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.7.0 npm notice Run npm install -g npm@10.7.0 to update! npm notice sh-3.2# sh-3.2# npm list -g /usr/local/lib ├── axios@0.6.0 ├── corepack@0.17.2 └── npm@9.6.6 ``` - Cves detected ```console {"timestamp":"2024-05-15T12:10:40.803+0000","rule":{"level":7,"description":"CVE-2019-10742 affects axios","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775040.1699688","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"snyk","cve":"CVE-2019-10742","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-755","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 0.18.1","name":"axios","source":"https://github.com/mzabriskie/axios","version":"0.6.0"},"published":"2019-05-07T19:29:00Z","rationale":"Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.","reference":"https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505, https://github.com/axios/axios/issues/1098, https://github.com/axios/axios/pull/1485","severity":"Medium","status":"Active","title":"CVE-2019-10742 affects axios","type":"Packages","updated":"2021-07-21T11:39:23Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-05-15T12:10:40.813+0000","rule":{"level":7,"description":"CVE-2020-28168 affects axios","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775040.1702115","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2020-28168","cvss":{"cvss2":{"base_score":"4.300000","vector":{"access_complexity":"MEDIUM","authentication":"NONE","availability":"NONE","confidentiality_impact":"PARTIAL","integrity_impact":"NONE"}}},"cwe_reference":"CWE-918","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 0.21.1","name":"axios","source":"https://github.com/mzabriskie/axios","version":"0.6.0"},"published":"2020-11-06T20:15:13Z","rationale":"Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.","reference":"https://github.com/axios/axios/issues/3369, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E","severity":"Medium","status":"Active","title":"CVE-2020-28168 affects axios","type":"Packages","updated":"2023-11-07T03:21:07Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-05-15T12:10:40.823+0000","rule":{"level":10,"description":"CVE-2021-3749 affects axios","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775040.1705369","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"@huntrdev","cve":"CVE-2021-3749","cvss":{"cvss2":{"base_score":"7.800000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-1333","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 0.21.2","name":"axios","source":"https://github.com/mzabriskie/axios","version":"0.6.0"},"published":"2021-08-31T11:15:07Z","rationale":"axios is vulnerable to Inefficient Regular Expression Complexity","reference":"https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31, https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://www.oracle.com/security-alerts/cpujul2022.html, https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a%40%3Cdev.druid.apache.org%3E, https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103%40%3Ccommits.druid.apache.org%3E","severity":"High","status":"Active","title":"CVE-2021-3749 affects axios","type":"Packages","updated":"2023-11-07T03:38:14Z"}},"location":"vulnerability-detector"} ```    - Uninstall package ```console sh-3.2# npm uninstall -g axios removed 1 package in 95ms sh-3.2# npm list -g /usr/local/lib ├── corepack@0.17.2 └── npm@9.6.6 ``` - Mitigate vulnerabilities ```console {"timestamp":"2024-05-15T12:15:02.114+0000","rule":{"level":3,"description":"The CVE-2019-10742 that affected axios was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775302.1710435","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2019-10742","cvss":{"cvss2":{"base_score":"5"}},"enumeration":"CVE","package":{"architecture":" ","name":"axios","version":"0.6.0"},"published":"2019-05-07T19:29:00Z","reference":"https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505, https://github.com/axios/axios/issues/1098, https://github.com/axios/axios/pull/1485","severity":"Medium","status":"Solved","title":"CVE-2019-10742 affecting axios was solved","type":"Packages","updated":"2021-07-21T11:39:23Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-05-15T12:15:02.124+0000","rule":{"level":3,"description":"The CVE-2021-3749 that affected axios was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775302.1711840","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2021-3749","cvss":{"cvss2":{"base_score":"7.800000"}},"enumeration":"CVE","package":{"architecture":" ","name":"axios","version":"0.6.0"},"published":"2021-08-31T11:15:07Z","reference":"https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31, https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://www.oracle.com/security-alerts/cpujul2022.html, https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a%40%3Cdev.druid.apache.org%3E, https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103%40%3Ccommits.druid.apache.org%3E","severity":"High","status":"Solved","title":"CVE-2021-3749 affecting axios was solved","type":"Packages","updated":"2023-11-07T03:38:14Z"}},"location":"vulnerability-detector"} {"timestamp":"2024-05-15T12:15:02.135+0000","rule":{"level":3,"description":"The CVE-2020-28168 that affected axios was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775302.1716079","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2020-28168","cvss":{"cvss2":{"base_score":"4.300000"}},"enumeration":"CVE","package":{"architecture":" ","name":"axios","version":"0.6.0"},"published":"2020-11-06T20:15:13Z","reference":"https://github.com/axios/axios/issues/3369, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E","severity":"Medium","status":"Solved","title":"CVE-2020-28168 affecting axios was solved","type":"Packages","updated":"2023-11-07T03:21:07Z"}},"location":"vulnerability-detector"} ```   

[santipadilla]

Amazon Linux 2023 Agent :green_circle:

Installation :green_circle:

```console [root@amazon-agent-pre vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH [root@amazon-agent-pre vagrant]# cat > /etc/yum.repos.d/wazuh.repo << EOF > [wazuh] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=EL-\$releasever - Wazuh baseurl=https://packages-dev.wazuh.com/pre-release/yum/ protect=1 EOF [root@amazon-agent-pre vagrant]# WAZUH_MANAGER="172.16.1.30" yum install wazuh-agent-4.8.0-1 EL-2023.3.20240304 - Wazuh 5.8 MB/s | 25 MB 00:04 Last metadata expiration check: 0:00:06 ago on Wed May 15 15:19:00 2024. Dependencies resolved. =========================================================================================================== Package Architecture Version Repository Size =========================================================================================================== Installing: wazuh-agent x86_64 4.8.0-1 wazuh 10 M Transaction Summary =========================================================================================================== Install 1 Package Total download size: 10 M Installed size: 29 M Is this ok [y/N]: y Downloading Packages: wazuh-agent-4.8.0-1.x86_64.rpm 4.4 MB/s | 10 MB 00:02 ----------------------------------------------------------------------------------------------------------- Total 4.4 MB/s | 10 MB 00:02 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: wazuh-agent-4.8.0-1.x86_64 1/1 Installing : wazuh-agent-4.8.0-1.x86_64 1/1 Running scriptlet: wazuh-agent-4.8.0-1.x86_64 1/1 Verifying : wazuh-agent-4.8.0-1.x86_64 1/1 Installed: wazuh-agent-4.8.0-1.x86_64 Complete! [root@amazon-agent-pre vagrant]# systemctl daemon-reload [root@amazon-agent-pre vagrant]# systemctl enable wazuh-agent Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service. [root@amazon-agent-pre vagrant]# systemctl start wazuh-agent [root@amazon-agent-pre vagrant]# systemctl status wazuh-agent ● wazuh-agent.service - Wazuh agent Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled) Active: active (running) since Wed 2024-05-15 15:20:43 UTC; 46s ago Process: 5977 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Tasks: 32 (limit: 2307) Memory: 322.9M CPU: 11.226s CGroup: /system.slice/wazuh-agent.service ├─6235 /var/ossec/bin/wazuh-execd ├─6247 /var/ossec/bin/wazuh-agentd ├─6261 /var/ossec/bin/wazuh-syscheckd ├─6276 /var/ossec/bin/wazuh-logcollector └─6294 /var/ossec/bin/wazuh-modulesd May 15 15:20:35 amazon-agent-pre systemd[1]: Starting wazuh-agent.service - Wazuh agent... May 15 15:20:35 amazon-agent-pre env[5977]: Starting Wazuh v4.8.0... May 15 15:20:36 amazon-agent-pre env[5977]: Started wazuh-execd... May 15 15:20:37 amazon-agent-pre env[5977]: Started wazuh-agentd... May 15 15:20:38 amazon-agent-pre env[5977]: Started wazuh-syscheckd... May 15 15:20:39 amazon-agent-pre env[5977]: Started wazuh-logcollector... May 15 15:20:41 amazon-agent-pre env[5977]: Started wazuh-modulesd... May 15 15:20:43 amazon-agent-pre env[5977]: Completed. May 15 15:20:43 amazon-agent-pre systemd[1]: Started wazuh-agent.service - Wazuh agent. [root@amazon-agent-pre vagrant]# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40810" WAZUH_TYPE="agent" ```

Initial scan :green_circle:

 

Disable and enable VD :green_circle:

 

System package :green_circle:

- Install package ```console [root@amazon-agent-pre vagrant]# sudo yum install -y httpd-2.4.55-1.amzn2023 Last metadata expiration check: 16:21:57 ago on Wed May 15 15:19:00 2024. Dependencies resolved. ========================================================================================================= Package Architecture Version Repository Size ========================================================================================================= Installing: httpd x86_64 2.4.55-1.amzn2023 amazonlinux 48 k Installing dependencies: apr x86_64 1.7.2-2.amzn2023.0.2 amazonlinux 129 k apr-util x86_64 1.6.3-1.amzn2023.0.1 amazonlinux 98 k generic-logos-httpd noarch 18.0.0-12.amzn2023.0.3 amazonlinux 19 k httpd-core x86_64 2.4.55-1.amzn2023 amazonlinux 1.4 M httpd-filesystem noarch 2.4.55-1.amzn2023 amazonlinux 15 k httpd-tools x86_64 2.4.55-1.amzn2023 amazonlinux 82 k libbrotli x86_64 1.0.9-4.amzn2023.0.2 amazonlinux 315 k mailcap noarch 2.1.49-3.amzn2023.0.3 amazonlinux 33 k Installing weak dependencies: apr-util-openssl x86_64 1.6.3-1.amzn2023.0.1 amazonlinux 17 k mod_http2 x86_64 2.0.11-2.amzn2023 amazonlinux 150 k mod_lua x86_64 2.4.55-1.amzn2023 amazonlinux 62 k Transaction Summary ========================================================================================================= Install 12 Packages Total download size: 2.3 M Installed size: 6.8 M Downloading Packages: (1/12): apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64.rpm 98 kB/s | 17 kB 00:00 (2/12): mod_http2-2.0.11-2.amzn2023.x86_64.rpm 344 kB/s | 150 kB 00:00 (3/12): apr-1.7.2-2.amzn2023.0.2.x86_64.rpm 322 kB/s | 129 kB 00:00 (4/12): apr-util-1.6.3-1.amzn2023.0.1.x86_64.rpm 570 kB/s | 98 kB 00:00 (5/12): httpd-2.4.55-1.amzn2023.x86_64.rpm 58 kB/s | 48 kB 00:00 (6/12): mod_lua-2.4.55-1.amzn2023.x86_64.rpm 68 kB/s | 62 kB 00:00 (7/12): httpd-tools-2.4.55-1.amzn2023.x86_64.rpm 81 kB/s | 82 kB 00:01 (8/12): libbrotli-1.0.9-4.amzn2023.0.2.x86_64.rpm 255 kB/s | 315 kB 00:01 (9/12): generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch.rpm 413 kB/s | 19 kB 00:00 (10/12): mailcap-2.1.49-3.amzn2023.0.3.noarch.rpm 502 kB/s | 33 kB 00:00 (11/12): httpd-filesystem-2.4.55-1.amzn2023.noarch.rpm 24 kB/s | 15 kB 00:00 (12/12): httpd-core-2.4.55-1.amzn2023.x86_64.rpm 689 kB/s | 1.4 MB 00:02 --------------------------------------------------------------------------------------------------------- Total 506 kB/s | 2.3 MB 00:04 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : apr-1.7.2-2.amzn2023.0.2.x86_64 1/12 Installing : apr-util-1.6.3-1.amzn2023.0.1.x86_64 2/12 Installing : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64 3/12 Installing : mailcap-2.1.49-3.amzn2023.0.3.noarch 4/12 Installing : httpd-tools-2.4.55-1.amzn2023.x86_64 5/12 Installing : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch 6/12 Running scriptlet: httpd-filesystem-2.4.55-1.amzn2023.noarch 7/12 Installing : httpd-filesystem-2.4.55-1.amzn2023.noarch 7/12 Installing : httpd-core-2.4.55-1.amzn2023.x86_64 8/12 Installing : mod_http2-2.0.11-2.amzn2023.x86_64 9/12 Installing : mod_lua-2.4.55-1.amzn2023.x86_64 10/12 Installing : libbrotli-1.0.9-4.amzn2023.0.2.x86_64 11/12 Installing : httpd-2.4.55-1.amzn2023.x86_64 12/12 Running scriptlet: httpd-2.4.55-1.amzn2023.x86_64 12/12 Verifying : httpd-2.4.55-1.amzn2023.x86_64 1/12 Verifying : mod_http2-2.0.11-2.amzn2023.x86_64 2/12 Verifying : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64 3/12 Verifying : apr-1.7.2-2.amzn2023.0.2.x86_64 4/12 Verifying : mod_lua-2.4.55-1.amzn2023.x86_64 5/12 Verifying : apr-util-1.6.3-1.amzn2023.0.1.x86_64 6/12 Verifying : httpd-tools-2.4.55-1.amzn2023.x86_64 7/12 Verifying : libbrotli-1.0.9-4.amzn2023.0.2.x86_64 8/12 Verifying : httpd-core-2.4.55-1.amzn2023.x86_64 9/12 Verifying : httpd-filesystem-2.4.55-1.amzn2023.noarch 10/12 Verifying : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch 11/12 Verifying : mailcap-2.1.49-3.amzn2023.0.3.noarch 12/12 ========================================================================================================= WARNING: A newer release of "Amazon Linux" is available. Available Versions: Version 2023.3.20240312: Run the following command to upgrade to 2023.3.20240312: dnf upgrade --releasever=2023.3.20240312 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html Version 2023.4.20240319: Run the following command to upgrade to 2023.4.20240319: dnf upgrade --releasever=2023.4.20240319 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html Version 2023.4.20240401: Run the following command to upgrade to 2023.4.20240401: dnf upgrade --releasever=2023.4.20240401 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html Version 2023.4.20240416: Run the following command to upgrade to 2023.4.20240416: dnf upgrade --releasever=2023.4.20240416 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html Version 2023.4.20240429: Run the following command to upgrade to 2023.4.20240429: dnf upgrade --releasever=2023.4.20240429 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html Version 2023.4.20240513: Run the following command to upgrade to 2023.4.20240513: dnf upgrade --releasever=2023.4.20240513 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html ========================================================================================================= Installed: apr-1.7.2-2.amzn2023.0.2.x86_64 apr-util-1.6.3-1.amzn2023.0.1.x86_64 apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64 generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch httpd-2.4.55-1.amzn2023.x86_64 httpd-core-2.4.55-1.amzn2023.x86_64 httpd-filesystem-2.4.55-1.amzn2023.noarch httpd-tools-2.4.55-1.amzn2023.x86_64 libbrotli-1.0.9-4.amzn2023.0.2.x86_64 mailcap-2.1.49-3.amzn2023.0.3.noarch mod_http2-2.0.11-2.amzn2023.x86_64 mod_lua-2.4.55-1.amzn2023.x86_64 Complete! [root@amazon-agent-pre vagrant]# httpd -v Server version: Apache/2.4.55 (Amazon Linux) Server built: Feb 10 2023 00:00:00 ```     - Uninstall package ```console [root@amazon-agent-pre vagrant]# sudo systemctl stop httpd [root@amazon-agent-pre vagrant]# sudo systemctl disable httpd [root@amazon-agent-pre vagrant]# sudo yum remove -y httpd Dependencies resolved. ========================================================================================================= Package Architecture Version Repository Size ========================================================================================================= Removing: httpd x86_64 2.4.55-1.amzn2023 @amazonlinux 60 k Removing unused dependencies: apr x86_64 1.7.2-2.amzn2023.0.2 @amazonlinux 297 k apr-util x86_64 1.6.3-1.amzn2023.0.1 @amazonlinux 217 k apr-util-openssl x86_64 1.6.3-1.amzn2023.0.1 @amazonlinux 24 k generic-logos-httpd noarch 18.0.0-12.amzn2023.0.3 @amazonlinux 21 k httpd-core x86_64 2.4.55-1.amzn2023 @amazonlinux 4.7 M httpd-filesystem noarch 2.4.55-1.amzn2023 @amazonlinux 464 httpd-tools x86_64 2.4.55-1.amzn2023 @amazonlinux 201 k libbrotli x86_64 1.0.9-4.amzn2023.0.2 @amazonlinux 771 k mailcap noarch 2.1.49-3.amzn2023.0.3 @amazonlinux 78 k mod_http2 x86_64 2.0.11-2.amzn2023 @amazonlinux 395 k mod_lua x86_64 2.4.55-1.amzn2023 @amazonlinux 143 k Transaction Summary ========================================================================================================= Remove 12 Packages Freed space: 6.8 M Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: httpd-2.4.55-1.amzn2023.x86_64 1/12 Erasing : httpd-2.4.55-1.amzn2023.x86_64 1/12 Running scriptlet: httpd-2.4.55-1.amzn2023.x86_64 1/12 Erasing : mod_lua-2.4.55-1.amzn2023.x86_64 2/12 Erasing : mod_http2-2.0.11-2.amzn2023.x86_64 3/12 Erasing : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch 4/12 Erasing : httpd-core-2.4.55-1.amzn2023.x86_64 5/12 Erasing : httpd-tools-2.4.55-1.amzn2023.x86_64 6/12 Erasing : mailcap-2.1.49-3.amzn2023.0.3.noarch 7/12 Erasing : httpd-filesystem-2.4.55-1.amzn2023.noarch 8/12 Erasing : apr-util-1.6.3-1.amzn2023.0.1.x86_64 9/12 Erasing : apr-1.7.2-2.amzn2023.0.2.x86_64 10/12 Erasing : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64 11/12 Erasing : libbrotli-1.0.9-4.amzn2023.0.2.x86_64 12/12 Running scriptlet: libbrotli-1.0.9-4.amzn2023.0.2.x86_64 12/12 Verifying : apr-1.7.2-2.amzn2023.0.2.x86_64 1/12 Verifying : apr-util-1.6.3-1.amzn2023.0.1.x86_64 2/12 Verifying : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64 3/12 Verifying : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch 4/12 Verifying : httpd-2.4.55-1.amzn2023.x86_64 5/12 Verifying : httpd-core-2.4.55-1.amzn2023.x86_64 6/12 Verifying : httpd-filesystem-2.4.55-1.amzn2023.noarch 7/12 Verifying : httpd-tools-2.4.55-1.amzn2023.x86_64 8/12 Verifying : libbrotli-1.0.9-4.amzn2023.0.2.x86_64 9/12 Verifying : mailcap-2.1.49-3.amzn2023.0.3.noarch 10/12 Verifying : mod_http2-2.0.11-2.amzn2023.x86_64 11/12 Verifying : mod_lua-2.4.55-1.amzn2023.x86_64 12/12 ========================================================================================================= WARNING: A newer release of "Amazon Linux" is available. Available Versions: Version 2023.3.20240312: Run the following command to upgrade to 2023.3.20240312: dnf upgrade --releasever=2023.3.20240312 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html Version 2023.4.20240319: Run the following command to upgrade to 2023.4.20240319: dnf upgrade --releasever=2023.4.20240319 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html Version 2023.4.20240401: Run the following command to upgrade to 2023.4.20240401: dnf upgrade --releasever=2023.4.20240401 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html Version 2023.4.20240416: Run the following command to upgrade to 2023.4.20240416: dnf upgrade --releasever=2023.4.20240416 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html Version 2023.4.20240429: Run the following command to upgrade to 2023.4.20240429: dnf upgrade --releasever=2023.4.20240429 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html Version 2023.4.20240513: Run the following command to upgrade to 2023.4.20240513: dnf upgrade --releasever=2023.4.20240513 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html ========================================================================================================= Removed: apr-1.7.2-2.amzn2023.0.2.x86_64 apr-util-1.6.3-1.amzn2023.0.1.x86_64 apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64 generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch httpd-2.4.55-1.amzn2023.x86_64 httpd-core-2.4.55-1.amzn2023.x86_64 httpd-filesystem-2.4.55-1.amzn2023.noarch httpd-tools-2.4.55-1.amzn2023.x86_64 libbrotli-1.0.9-4.amzn2023.0.2.x86_64 mailcap-2.1.49-3.amzn2023.0.3.noarch mod_http2-2.0.11-2.amzn2023.x86_64 mod_lua-2.4.55-1.amzn2023.x86_64 Complete! ```   

Python package :green_circle:

- Install package ```console [root@amazon-agent-pre vagrant]# sudo yum install -y python3-pip Last metadata expiration check: 16:39:53 ago on Wed May 15 15:19:00 2024. Dependencies resolved. ========================================================================================================= Package Architecture Version Repository Size ========================================================================================================= Installing: python3-pip noarch 21.3.1-2.amzn2023.0.7 amazonlinux 1.8 M Installing weak dependencies: libxcrypt-compat x86_64 4.4.33-7.amzn2023 amazonlinux 92 k Transaction Summary ========================================================================================================= Install 2 Packages Total download size: 1.9 M Installed size: 11 M Downloading Packages: (1/2): libxcrypt-compat-4.4.33-7.amzn2023.x86_64.rpm 277 kB/s | 92 kB 00:00 (2/2): python3-pip-21.3.1-2.amzn2023.0.7.noarch.rpm 799 kB/s | 1.8 MB 00:02 --------------------------------------------------------------------------------------------------------- Total 547 kB/s | 1.9 MB 00:03 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : libxcrypt-compat-4.4.33-7.amzn2023.x86_64 1/2 Installing : python3-pip-21.3.1-2.amzn2023.0.7.noarch 2/2 Running scriptlet: python3-pip-21.3.1-2.amzn2023.0.7.noarch 2/2 Verifying : libxcrypt-compat-4.4.33-7.amzn2023.x86_64 1/2 Verifying : python3-pip-21.3.1-2.amzn2023.0.7.noarch 2/2 ========================================================================================================= WARNING: A newer release of "Amazon Linux" is available. Available Versions: Version 2023.3.20240312: Run the following command to upgrade to 2023.3.20240312: dnf upgrade --releasever=2023.3.20240312 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html Version 2023.4.20240319: Run the following command to upgrade to 2023.4.20240319: dnf upgrade --releasever=2023.4.20240319 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html Version 2023.4.20240401: Run the following command to upgrade to 2023.4.20240401: dnf upgrade --releasever=2023.4.20240401 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html Version 2023.4.20240416: Run the following command to upgrade to 2023.4.20240416: dnf upgrade --releasever=2023.4.20240416 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html Version 2023.4.20240429: Run the following command to upgrade to 2023.4.20240429: dnf upgrade --releasever=2023.4.20240429 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html Version 2023.4.20240513: Run the following command to upgrade to 2023.4.20240513: dnf upgrade --releasever=2023.4.20240513 Release notes: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html ========================================================================================================= Installed: libxcrypt-compat-4.4.33-7.amzn2023.x86_64 python3-pip-21.3.1-2.amzn2023.0.7.noarch Complete! [root@amazon-agent-pre vagrant]# pip3 --version pip 21.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9) [root@amazon-agent-pre vagrant]# [root@amazon-agent-pre vagrant]# python3 -m pip install Django==3.2.13 Collecting Django==3.2.13 Downloading Django-3.2.13-py3-none-any.whl (7.9 MB) |████████████████████████████████| 7.9 MB 829 kB/s Collecting asgiref<4,>=3.3.2 Downloading asgiref-3.8.1-py3-none-any.whl (23 kB) Requirement already satisfied: pytz in /usr/lib/python3.9/site-packages (from Django==3.2.13) (2022.7.1) Collecting sqlparse>=0.2.2 Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB) |████████████████████████████████| 43 kB 649 kB/s Collecting typing-extensions>=4 Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB) Installing collected packages: typing-extensions, sqlparse, asgiref, Django Successfully installed Django-3.2.13 asgiref-3.8.1 sqlparse-0.5.0 typing-extensions-4.11.0 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv [root@amazon-agent-pre vagrant]# django-admin --version 3.2.13 ```    - Uninstall package ```console [root@amazon-agent-pre vagrant]# python3 -m pip uninstall Django Found existing installation: Django 3.2.13 Uninstalling Django-3.2.13: Would remove: /usr/local/bin/django-admin /usr/local/bin/django-admin.py /usr/local/lib/python3.9/site-packages/Django-3.2.13.dist-info/* /usr/local/lib/python3.9/site-packages/django/* Proceed (Y/n)? Y Successfully uninstalled Django-3.2.13 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv ```  

NPM package :green_circle:

- Install package ```console [root@amazon-agent-pre vagrant]# npm install -g axios@0.6.0 npm warn deprecated axios@0.6.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410 added 1 package in 2s npm notice npm notice New minor version of npm available! 10.7.0 -> 10.8.0 npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.8.0 npm notice To update run: npm install -g npm@10.8.0 npm notice ``` - Cves detected    - Uninstall package ```console [root@amazon-agent-pre vagrant]# npm uninstall -g axios removed 1 package in 216ms ``` - Mitigate vulnerabilities  

[santipadilla]

Windows Server 2019 Agent :green_circle:

Installation :green_circle:

```console PS C:\Users\vagrant> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.8.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='172.16.1.30' PS C:\Users\vagrant> NET START Wazuh The Wazuh service is starting. The Wazuh service was started successfully. PS C:\Users\vagrant> Get-Service -DisplayName *Wazuh* Status Name DisplayName ------ ---- ----------- Running WazuhSvc Wazuh ```

Initial scan :green_circle:

 

Disable and enable VD :green_circle:

 

System package :green_circle:

- Installation     - Uninstallation  

Python package :green_circle:

- Installation     - Uninstallation    

NPM package :green_circle:

- Install package   - Cves detected    - Uninstall package  - Mitigate vulnerabilities   

[santipadilla]

Ubuntu 20.04 Agent :green_circle:

Installation :green_circle:

```console root@ubuntu-agent-pre:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg gpg: keyring '/usr/share/keyrings/wazuh.gpg' created gpg: directory '/root/.gnupg' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported gpg: Total number processed: 1 gpg: imported: 1 root@ubuntu-agent-pre:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main root@ubuntu-agent-pre:/home/vagrant# apt-get update Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease Get:2 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB] Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB] Get:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB] Get:5 http://us.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages [979 kB] Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.8 kB] Get:7 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [3,328 kB] Get:8 http://us.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [524 kB] Get:9 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [17.2 kB] Get:10 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [2,946 kB] Get:11 https://packages-dev.wazuh.com/pre-release/apt unstable/main i386 Packages [11.1 kB] Get:12 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted i386 Packages [37.7 kB] Get:13 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted Translation-en [412 kB] Get:14 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 c-n-f Metadata [552 B] Get:15 http://us.archive.ubuntu.com/ubuntu focal-updates/universe i386 Packages [784 kB] Get:16 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,187 kB] Get:17 http://us.archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [284 kB] Get:18 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [25.7 kB] Get:19 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse i386 Packages [8,444 B] Get:20 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [26.2 kB] Get:21 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse Translation-en [7,880 B] Get:22 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 c-n-f Metadata [620 B] Get:23 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB] Get:24 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [2,951 kB] Get:25 http://security.ubuntu.com/ubuntu focal-security/main i386 Packages [754 kB] Get:26 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [442 kB] Get:27 http://security.ubuntu.com/ubuntu focal-security/main amd64 c-n-f Metadata [13.2 kB] Get:28 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [2,830 kB] Get:29 http://security.ubuntu.com/ubuntu focal-security/restricted i386 Packages [36.4 kB] Get:30 http://security.ubuntu.com/ubuntu focal-security/restricted Translation-en [396 kB] Get:31 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 c-n-f Metadata [552 B] Get:32 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [961 kB] Get:33 http://security.ubuntu.com/ubuntu focal-security/universe i386 Packages [657 kB] Get:34 http://security.ubuntu.com/ubuntu focal-security/universe Translation-en [202 kB] Get:35 http://security.ubuntu.com/ubuntu focal-security/universe amd64 c-n-f Metadata [19.2 kB] Get:36 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [24.0 kB] Get:37 http://security.ubuntu.com/ubuntu focal-security/multiverse i386 Packages [7,200 B] Get:38 http://security.ubuntu.com/ubuntu focal-security/multiverse Translation-en [5,904 B] Get:39 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [548 B] Fetched 20.3 MB in 8s (2,502 kB/s) Reading package lists... Done root@ubuntu-agent-pre:/home/vagrant# WAZUH_MANAGER="172.16.1.30" apt-get install wazuh-agent Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: wazuh-agent 0 upgraded, 1 newly installed, 0 to remove and 120 not upgraded. Need to get 10.3 MB of archives. After this operation, 34.0 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.8.0-1 [10.3 MB] Fetched 10.3 MB in 8s (1,315 kB/s) Preconfiguring packages ... Selecting previously unselected package wazuh-agent. (Reading database ... 111955 files and directories currently installed.) Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ... Unpacking wazuh-agent (4.8.0-1) ... Setting up wazuh-agent (4.8.0-1) ... Processing triggers for systemd (245.4-4ubuntu3.22) ... root@ubuntu-agent-pre:/home/vagrant# systemctl daemon-reload root@ubuntu-agent-pre:/home/vagrant# systemctl enable wazuh-agent Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service. root@ubuntu-agent-pre:/home/vagrant# systemctl start wazuh-agent root@ubuntu-agent-pre:/home/vagrant# systemctl status wazuh-agent ● wazuh-agent.service - Wazuh agent Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2024-05-16 11:39:02 UTC; 11s ago Process: 3096 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/S> Tasks: 28 (limit: 2257) Memory: 17.6M CGroup: /system.slice/wazuh-agent.service ├─3134 /var/ossec/bin/wazuh-execd ├─3145 /var/ossec/bin/wazuh-agentd ├─3158 /var/ossec/bin/wazuh-syscheckd ├─3171 /var/ossec/bin/wazuh-logcollector └─3188 /var/ossec/bin/wazuh-modulesd May 16 11:38:55 ubuntu-agent-pre systemd[1]: Starting Wazuh agent... May 16 11:38:55 ubuntu-agent-pre env[3096]: Starting Wazuh v4.8.0... May 16 11:38:56 ubuntu-agent-pre env[3096]: Started wazuh-execd... May 16 11:38:57 ubuntu-agent-pre env[3096]: Started wazuh-agentd... May 16 11:38:58 ubuntu-agent-pre env[3096]: Started wazuh-syscheckd... May 16 11:38:59 ubuntu-agent-pre env[3096]: Started wazuh-logcollector... May 16 11:39:00 ubuntu-agent-pre env[3096]: Started wazuh-modulesd... May 16 11:39:02 ubuntu-agent-pre env[3096]: Completed. May 16 11:39:02 ubuntu-agent-pre systemd[1]: Started Wazuh agent. root@ubuntu-agent-pre:/home/vagrant# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40810" WAZUH_TYPE="agent" ```

Initial scan :green_circle:

 

Disable and enable VD :green_circle:

 

System package :green_circle:

- Installation ```console root@ubuntu-agent-pre:/home/vagrant# sudo apt install apparmor Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: apparmor-profiles-extra apparmor-utils The following NEW packages will be installed: apparmor 0 upgraded, 1 newly installed, 0 to remove and 118 not upgraded. Need to get 502 kB of archives. After this operation, 2,020 kB of additional disk space will be used. Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 apparmor amd64 2.13.3-7ubuntu5.3 [502 kB] Fetched 502 kB in 1s (581 kB/s) Preconfiguring packages ... Selecting previously unselected package apparmor. (Reading database ... 146284 files and directories currently installed.) Preparing to unpack .../apparmor_2.13.3-7ubuntu5.3_amd64.deb ... Unpacking apparmor (2.13.3-7ubuntu5.3) ... Setting up apparmor (2.13.3-7ubuntu5.3) ... Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd Processing triggers for man-db (2.9.1-1) ... Processing triggers for systemd (245.4-4ubuntu3.22) ... ```    >Note: Same number of vulnerabilities because the package was already installed, the vulnerability has been resolved and has been activated. :green_circle: - Uninstallation ```console root@ubuntu-agent-pre:/home/vagrant# sudo apt remove apparmor Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be REMOVED: apparmor 0 upgraded, 0 newly installed, 1 to remove and 118 not upgraded. After this operation, 2,020 kB disk space will be freed. Do you want to continue? [Y/n] Y (Reading database ... 146312 files and directories currently installed.) Removing apparmor (2.13.3-7ubuntu5.3) ... Processing triggers for man-db (2.9.1-1) ... ```   

Python package :green_circle:

- Installation ```console root@ubuntu-agent-pre:/home/vagrant# python3 -m pip install Django==3.2.13 Collecting Django==3.2.13 Downloading Django-3.2.13-py3-none-any.whl (7.9 MB) |████████████████████████████████| 7.9 MB 3.2 MB/s Collecting sqlparse>=0.2.2 Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB) |████████████████████████████████| 43 kB 5.4 MB/s Collecting asgiref<4,>=3.3.2 Downloading asgiref-3.8.1-py3-none-any.whl (23 kB) Collecting pytz Downloading pytz-2024.1-py2.py3-none-any.whl (505 kB) |████████████████████████████████| 505 kB 30.6 MB/s Collecting typing-extensions>=4; python_version < "3.11" Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB) Installing collected packages: sqlparse, typing-extensions, asgiref, pytz, Django Successfully installed Django-3.2.13 asgiref-3.8.1 pytz-2024.1 sqlparse-0.5.0 typing-extensions-4.11.0 ```    - Uninstall ```console root@ubuntu-agent-pre:/home/vagrant# python3 -m pip uninstall Django Found existing installation: Django 3.2.13 Uninstalling Django-3.2.13: Would remove: /usr/local/bin/django-admin /usr/local/bin/django-admin.py /usr/local/lib/python3.8/dist-packages/Django-3.2.13.dist-info/* /usr/local/lib/python3.8/dist-packages/django/* Proceed (y/n)? y Successfully uninstalled Django-3.2.13 ```   

NPM package :green_circle:

- Install package ```console root@ubuntu-agent-pre:/home/vagrant# curl -sL https://deb.nodesource.com/setup_18.x | sudo -E bash - 2024-05-16 14:23:55 - Installing pre-requisites Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB] Hit:3 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease Get:4 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,186 kB] Hit:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease Hit:6 http://security.ubuntu.com/ubuntu focal-security InRelease Fetched 1,300 kB in 6s (231 kB/s) Reading package lists... Done Reading package lists... Done Building dependency tree Reading state information... Done ca-certificates is already the newest version (20230311ubuntu0.20.04.1). gnupg is already the newest version (2.2.19-3ubuntu2.2). The following additional packages will be installed: libcurl4 The following NEW packages will be installed: apt-transport-https The following packages will be upgraded: curl libcurl4 2 upgraded, 1 newly installed, 0 to remove and 110 not upgraded. Need to get 398 kB of archives. After this operation, 162 kB of additional disk space will be used. Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 apt-transport-https all 2.0.10 [1,704 B] Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 curl amd64 7.68.0-1ubuntu2.22 [161 kB] Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libcurl4 amd64 7.68.0-1ubuntu2.22 [235 kB] Fetched 398 kB in 1s (434 kB/s) Selecting previously unselected package apt-transport-https. (Reading database ... 152732 files and directories currently installed.) Preparing to unpack .../apt-transport-https_2.0.10_all.deb ... Unpacking apt-transport-https (2.0.10) ... Preparing to unpack .../curl_7.68.0-1ubuntu2.22_amd64.deb ... Unpacking curl (7.68.0-1ubuntu2.22) over (7.68.0-1ubuntu2.20) ... Preparing to unpack .../libcurl4_7.68.0-1ubuntu2.22_amd64.deb ... Unpacking libcurl4:amd64 (7.68.0-1ubuntu2.22) over (7.68.0-1ubuntu2.20) ... Setting up apt-transport-https (2.0.10) ... Setting up libcurl4:amd64 (7.68.0-1ubuntu2.22) ... Setting up curl (7.68.0-1ubuntu2.22) ... Processing triggers for man-db (2.9.1-1) ... Processing triggers for libc-bin (2.31-0ubuntu9.12) ... Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease Get:3 https://deb.nodesource.com/node_18.x nodistro InRelease [12.1 kB] Hit:4 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease Get:5 https://deb.nodesource.com/node_18.x nodistro/main amd64 Packages [8,669 B] Hit:6 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease Hit:7 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease Fetched 20.8 kB in 1s (18.5 kB/s) Reading package lists... Done 2024-05-16 14:24:08 - Repository configured successfully. To install Node.js, run: apt-get install nodejs -y root@ubuntu-agent-pre:/home/vagrant# root@ubuntu-agent-pre:/home/vagrant# sudo apt install -y nodejs Reading package lists... Done Building dependency tree... 50% Building dependency tree Reading state information... Done The following NEW packages will be installed: nodejs 0 upgraded, 1 newly installed, 0 to remove and 110 not upgraded. Need to get 29.6 MB of archives. After this operation, 187 MB of additional disk space will be used. Get:1 https://deb.nodesource.com/node_18.x nodistro/main amd64 nodejs amd64 18.20.2-1nodesource1 [29.6 MB] Fetched 29.6 MB in 1s (32.6 MB/s) Selecting previously unselected package nodejs. (Reading database ... 152736 files and directories currently installed.) Preparing to unpack .../nodejs_18.20.2-1nodesource1_amd64.deb ... Unpacking nodejs (18.20.2-1nodesource1) ... Setting up nodejs (18.20.2-1nodesource1) ... Processing triggers for man-db (2.9.1-1) ... root@ubuntu-agent-pre:/home/vagrant# npm -v 10.5.0 root@ubuntu-agent-pre:/home/vagrant# npm install -g axios@0.6.0 npm WARN deprecated axios@0.6.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410 added 1 package in 1s npm notice npm notice New minor version of npm available! 10.5.0 -> 10.8.0 npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.8.0 npm notice Run npm install -g npm@10.8.0 to update! npm notice root@ubuntu-agent-pre:/home/vagrant# npm list -g /usr/lib ├── axios@0.6.0 ├── corepack@0.25.2 └── npm@10.5.0 ``` - Cves detected    - Uninstall package ```console root@ubuntu-agent-pre:/home/vagrant# npm uninstall -g axios removed 1 package in 193ms root@ubuntu-agent-pre:/home/vagrant# npm list -g /usr/lib ├── corepack@0.25.2 └── npm@10.5.0 ``` - Mitigate vulnerabilities   

[santipadilla]

Proof of concept :green_circle:

Agent Information :green_circle:

```console root@debian-agent-pre:/home/vagrant# cat /etc/*release PRETTY_NAME="Debian GNU/Linux 12 (bookworm)" NAME="Debian GNU/Linux" VERSION_ID="12" VERSION="12 (bookworm)" VERSION_CODENAME=bookworm ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" root@debian-agent-pre:/home/vagrant# lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 39 bits physical, 48 bits virtual Byte Order: Little Endian CPU(s): 1 On-line CPU(s) list: 0 Vendor ID: GenuineIntel Model name: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz BIOS Model name: CPU @ 0.0GHz BIOS CPU family: 0 CPU family: 6 Model: 165 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 1 Stepping: 2 BogoMIPS: 5184.00 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clfl ush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xto pology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq monitor ssse3 cx16 pci d sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt md_clear flush_l1d arch_capabilities Virtualization features: Hypervisor vendor: KVM Virtualization type: full Caches (sum of all): L1d: 32 KiB (1 instance) L1i: 32 KiB (1 instance) L2: 256 KiB (1 instance) L3: 12 MiB (1 instance) NUMA: NUMA node(s): 1 NUMA node0 CPU(s): 0 Vulnerabilities: Gather data sampling: Unknown: Dependent on hypervisor status Itlb multihit: KVM: Mitigation: VMX unsupported L1tf: Mitigation; PTE Inversion Mds: Mitigation; Clear CPU buffers; SMT Host state unknown Meltdown: Mitigation; PTI Mmio stale data: Mitigation; Clear CPU buffers; SMT Host state unknown Retbleed: Vulnerable Spec rstack overflow: Not affected Spec store bypass: Vulnerable Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affecte d Srbds: Unknown: Dependent on hypervisor status Tsx async abort: Not affected root@debian-agent-pre:/home/vagrant# free -h total used free shared buff/cache available Mem: 1.9Gi 309Mi 1.0Gi 476Ki 760Mi 1.6Gi Swap: 1.9Gi 0B 1.9Gi root@debian-agent-pre:/home/vagrant# df --total -h Filesystem Size Used Avail Use% Mounted on udev 962M 0 962M 0% /dev tmpfs 197M 476K 197M 1% /run /dev/sda3 124G 2.3G 115G 2% / tmpfs 984M 0 984M 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock /dev/sda1 447M 172M 246M 42% /boot tmpfs 197M 0 197M 0% /run/user/1000 total 126G 2.5G 118G 3% - ```

Agent installation :green_circle:

```console root@debian-agent-pre:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg gpg: keyring '/usr/share/keyrings/wazuh.gpg' created gpg: directory '/root/.gnupg' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported gpg: Total number processed: 1 gpg: imported: 1 root@debian-agent-pre:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main root@debian-agent-pre:/home/vagrant# root@debian-agent-pre:/home/vagrant# apt-get update Get:1 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB] Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB] Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB] Get:4 http://security.debian.org/debian-security bookworm-security/main Sources [96.0 kB] Get:5 http://deb.debian.org/debian bookworm/main Sources [9,489 kB] Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [156 kB] Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [92.9 kB] Get:8 http://deb.debian.org/debian bookworm-updates/main Sources.diff/Index [10.6 kB] Get:9 http://deb.debian.org/debian bookworm-updates/main amd64 Packages.diff/Index [10.6 kB] Get:10 http://deb.debian.org/debian bookworm-updates/main Translation-en.diff/Index [10.6 kB] Get:11 http://deb.debian.org/debian bookworm-updates/main Sources T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [831 B] Get:12 http://deb.debian.org/debian bookworm-updates/main amd64 Packages T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [1,595 B] Get:13 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB] Get:11 http://deb.debian.org/debian bookworm-updates/main Sources T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [831 B] Get:12 http://deb.debian.org/debian bookworm-updates/main amd64 Packages T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [1,595 B] Get:14 http://deb.debian.org/debian bookworm-updates/main Translation-en T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [2,563 B] Get:14 http://deb.debian.org/debian bookworm-updates/main Translation-en T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [2,563 B] Get:15 http://deb.debian.org/debian bookworm/main amd64 Packages [8,786 kB] Get:16 http://deb.debian.org/debian bookworm/main Translation-en [6,109 kB] Get:17 http://deb.debian.org/debian bookworm-updates/non-free-firmware Sources [2,076 B] Get:18 http://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B] Get:19 http://deb.debian.org/debian bookworm-updates/non-free-firmware Translation-en [384 B] Get:20 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.8 kB] Fetched 25.1 MB in 3s (8,732 kB/s) Reading package lists... Done N: Repository 'http://deb.debian.org/debian bookworm InRelease' changed its 'Version' value from '12.4' to '12.5' root@debian-agent-pre:/home/vagrant# WAZUH_MANAGER="172.16.1.30" apt-get install wazuh-agent Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: wazuh-agent 0 upgraded, 1 newly installed, 0 to remove and 50 not upgraded. Need to get 10.3 MB of archives. After this operation, 34.0 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.8.0-1 [10.3 MB] Fetched 10.3 MB in 2s (4,158 kB/s) Preconfiguring packages ... Selecting previously unselected package wazuh-agent. (Reading database ... 60505 files and directories currently installed.) Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ... Unpacking wazuh-agent (4.8.0-1) ... Setting up wazuh-agent (4.8.0-1) ... root@debian-agent-pre:/home/vagrant# systemctl daemon-reload root@debian-agent-pre:/home/vagrant# systemctl enable wazuh-agent Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service. root@debian-agent-pre:/home/vagrant# root@debian-agent-pre:/home/vagrant# systemctl start wazuh-agent root@debian-agent-pre:/home/vagrant# root@debian-agent-pre:/home/vagrant# systemctl status wazuh-agent ● wazuh-agent.service - Wazuh agent Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; preset: enabled) Active: active (running) since Thu 2024-05-16 14:46:03 UTC; 6s ago Process: 3862 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/S> Tasks: 28 (limit: 2307) Memory: 31.1M CPU: 1.668s CGroup: /system.slice/wazuh-agent.service ├─3885 /var/ossec/bin/wazuh-execd ├─3896 /var/ossec/bin/wazuh-agentd ├─3909 /var/ossec/bin/wazuh-syscheckd ├─3922 /var/ossec/bin/wazuh-logcollector └─3939 /var/ossec/bin/wazuh-modulesd May 16 14:45:56 debian-agent-pre systemd[1]: Starting wazuh-agent.service - Wazuh agent... May 16 14:45:56 debian-agent-pre env[3862]: Starting Wazuh v4.8.0... May 16 14:45:57 debian-agent-pre env[3862]: Started wazuh-execd... May 16 14:45:58 debian-agent-pre env[3862]: Started wazuh-agentd... May 16 14:45:59 debian-agent-pre env[3862]: Started wazuh-syscheckd... May 16 14:46:00 debian-agent-pre env[3862]: Started wazuh-logcollector... May 16 14:46:01 debian-agent-pre env[3862]: Started wazuh-modulesd... May 16 14:46:03 debian-agent-pre env[3862]: Completed. May 16 14:46:03 debian-agent-pre systemd[1]: Started wazuh-agent.service - Wazuh agent. root@debian-agent-pre:/home/vagrant# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.8.0" WAZUH_REVISION="40810" WAZUH_TYPE="agent" ```

Configuration :green_circle:

- Manager ``` yes yes 60m yes https://172.16.1.31:9200 /etc/filebeat/certs/root-ca.pem /etc/filebeat/certs/wazuh-master-pre.pem /etc/filebeat/certs/wazuh-master-pre-key.pem ``` - Debian Agent ```console no 1m yes yes yes yes yes yes yes 10 ```

Initial scan :green_circle:

 

Package uninstallation :green_circle:

>Note: That version of vim was already pre-installed in Debian 12 so we proceed to uninstall it first. ```console root@debian-agent-pre:/home/vagrant# sudo apt remove vim Reading package lists... Done Building dependency tree... Done Reading state information... Done The following packages were automatically installed and are no longer required: libsodium23 vim-runtime Use 'sudo apt autoremove' to remove them. The following packages will be REMOVED: vim 0 upgraded, 0 newly installed, 1 to remove and 50 not upgraded. After this operation, 3,738 kB disk space will be freed. Do you want to continue? [Y/n] Y (Reading database ... 60909 files and directories currently installed.) Removing vim (2:9.0.1378-2) ... update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/view (view) in auto mode update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/vi (vi) in auto mode update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/rview (rview) in auto mode update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/ex (ex) in auto mode ``` - Cves solved  

Package installation :green_circle:

```console root@debian-agent-pre:/home/vagrant# sudo apt install vim=2:9.0.1378-2 Reading package lists... Done Building dependency tree... Done Reading state information... Done Suggested packages: ctags vim-doc vim-scripts The following NEW packages will be installed: vim 0 upgraded, 1 newly installed, 0 to remove and 50 not upgraded. Need to get 0 B/1,567 kB of archives. After this operation, 3,738 kB of additional disk space will be used. Selecting previously unselected package vim. (Reading database ... 60900 files and directories currently installed.) Preparing to unpack .../vim_2%3a9.0.1378-2_amd64.deb ... Unpacking vim (2:9.0.1378-2) ... Setting up vim (2:9.0.1378-2) ... update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/ex (ex) in auto mode update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rview (rview) in auto mode update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rvim (rvim) in auto mode update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vi (vi) in auto mode update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/view (view) in auto mode update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vim (vim) in auto mode update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vimdiff (vimdiff) in auto mode ``` - Cves detected  

Dashboard filters :green_circle:

- package.name:vim  - Active vulnerability alerts – data.vulnerability.package.name: vim AND data.vulnerability.status:Active  - Solved vulnerability alerts – data.vulnerability.package.name: vim AND data.vulnerability.status:Solved 

[sebasfalcone]

Feedback

• Testing looks good and also really well presented, awesome job
• About macOS not detecting System packages:
  • https://github.com/wazuh/wazuh/issues/15798
  • This is an old issue with macOS. It's currently blocked, and won't be solved in 4.8.0
  • We can add this to the notes
• About macOS not detecting Python packages:
  • It's weird that it did detect npm packages but not the python ones (is the python package on the inventory?)

[santipadilla]

Hi @sebasfalcone, about macOS Sonoma:

• System packages: note added in the commentary and in the conclusion.
• Python packages: It does not detect vulnerabilities and they do not appear in the inventory either.
  • I have opened an issue about it.

Thanks you!

[sebasfalcone]

Thanks for the testing @santipadilla, LGTM

[sebasfalcone]

Feedback

@GabrielEValenzuela pointed out that the Python package was installed on a virtual environment

We need to repeat the test without the use of the virtual environment to validate the issue

[santipadilla]

@sebasfalcone Hi, it has been tested with and without virtual environment and with different packages. In no case are they detected. I have added the comment in the issue.

[sebasfalcone]

Feedback

Thanks @santipadilla! Testing LGTM

[juliamagan]

LGTM