wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.9.0 - Alpha 3 - E2E UX tests - Amazon Cloudtrail integration #24859

Closed davidjiglesias closed 3 months ago

davidjiglesias commented 3 months ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
| --- | --- | --- | --- |
| Indexer | Step by step | Single node | SUSE 15 x86_64 |
| Server | Step by step | Single node | SUSE 15 x86_64 |
| Dashboard | Step by step | - | SUSE 15 x86_64 |
| Agent | Installation from sources | - | Amazon Linux 2 x86_64 |

Test description

Configure AWS Cloudtrail in a Wazuh Manager and a Wazuh Agent.

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure type | Notes |
| --- | --- | --- | --- |
| 🟢 | Indexer installation | | |
| 🟢 | Wazuh manager installation | | |
| 🟡 | Dashboard installation | libcap library not found on SLES 15, however, installation succeeded | Already reported: https://github.com/wazuh/wazuh-dashboard/issues/160 |
| 🟢 | Agent installation (from sources) | | |
| 🟢 | Cloudtrail configuration | | |
| 🟢 | Cloudtrail use cases and events | | |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

efahnle commented 3 months ago

I'll take this one

efahnle commented 3 months ago

Server installation

System information

ec2-user@suse15-server:~> cat /etc/hostname
suse15-server
ec2-user@suse15-server:~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"

Step by step installation

Indexer :green_circle:

```console
ec2-user@suse15-server:~> wget https://packages-dev.wazuh.com/4.9/wazuh-certs-tool.sh
--2024-07-23 14:30:11--  https://packages-dev.wazuh.com/4.9/wazuh-certs-tool.sh
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 108.156.184.127, 108.156.184.31, 108.156.184.80, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|108.156.184.127|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36475 (36K) [application/x-sh]
Saving to: ‘wazuh-certs-tool.sh’

wazuh-certs-tool.sh     100%[===================================================================>]  35,62K  --.-KB/s    in 0,05s

2024-07-23 14:30:11 (704 KB/s) - ‘wazuh-certs-tool.sh’ saved [36475/36475]

ec2-user@suse15-server:~> wget https://packages-dev.wazuh.com/4.9/config.yml
--2024-07-23 14:30:21--  https://packages-dev.wazuh.com/4.9/config.yml
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 108.156.184.127, 108.156.184.31, 108.156.184.80, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|108.156.184.127|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 636 [binary/octet-stream]
Saving to: ‘config.yml’

config.yml              100%[===================================================================>]     636  --.-KB/s    in 0s

2024-07-23 14:30:21 (93,7 MB/s) - ‘config.yml’ saved [636/636]

ec2-user@suse15-server:~> ls
bin  config.yml  wazuh-certs-tool.sh
ec2-user@suse15-server:~> ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:11:ac:94:dc:f1 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 172.31.22.197/20 brd 172.31.31.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::411:acff:fe94:dcf1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
ec2-user@suse15-server:~> vim config.yml
ec2-user@suse15-server:~>
ec2-user@suse15-server:~> cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "172.31.22.197"
    #- name: node-2
    #  ip: ""
    #- name: node-3
    #  ip: ""

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "172.31.22.197"
    #  node_type: master
    #- name: wazuh-2
    #  ip: ""
    #  node_type: worker
    #- name: wazuh-3
    #  ip: ""
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "172.31.22.197"
ec2-user@suse15-server:~> bash ./wazuh-certs-tool.sh -A
23/07/2024 14:33:12 INFO: Verbose logging redirected to /home/ec2-user/wazuh-certificates-tool.log
23/07/2024 14:33:13 INFO: Generating the root certificate.
23/07/2024 14:33:13 INFO: Generating Admin certificates.
23/07/2024 14:33:13 INFO: Admin certificates created.
23/07/2024 14:33:13 INFO: Generating Wazuh indexer certificates.
23/07/2024 14:33:13 INFO: Wazuh indexer certificates created.
23/07/2024 14:33:13 INFO: Generating Filebeat certificates.
23/07/2024 14:33:13 INFO: Wazuh Filebeat certificates created.
23/07/2024 14:33:13 INFO: Generating Wazuh dashboard certificates.
23/07/2024 14:33:13 INFO: Wazuh dashboard certificates created.
ec2-user@suse15-server:~> ll
total 44
drwxr-xr-x 2 ec2-user users     6 mar 15  2022 bin
-rw------- 1 ec2-user users   622 jul 23 14:33 config.yml
drwxr--r-- 2 ec2-user users   210 jul 23 14:33 wazuh-certificates
-rw------- 1 ec2-user users   650 jul 23 14:33 wazuh-certificates-tool.log
-rw-r--r-- 1 ec2-user users 36475 jul 19 23:16 wazuh-certs-tool.sh
ec2-user@suse15-server:~> ll wazuh-certificates
total 40
-rwxr--r-- 1 ec2-user users 1704 jul 23 14:33 admin-key.pem
-rwxr--r-- 1 ec2-user users 1119 jul 23 14:33 admin.pem
-rwxr--r-- 1 ec2-user users 1704 jul 23 14:33 dashboard-key.pem
-rwxr--r-- 1 ec2-user users 1281 jul 23 14:33 dashboard.pem
-rwxr--r-- 1 ec2-user users 1704 jul 23 14:33 node-1-key.pem
-rwxr--r-- 1 ec2-user users 1277 jul 23 14:33 node-1.pem
-rwxr--r-- 1 ec2-user users 1704 jul 23 14:33 root-ca.key
-rwxr--r-- 1 ec2-user users 1204 jul 23 14:33 root-ca.pem
-rwxr--r-- 1 ec2-user users 1704 jul 23 14:33 wazuh-1-key.pem
-rwxr--r-- 1 ec2-user users 1277 jul 23 14:33 wazuh-1.pem
suse15-server:/home/ec2-user # zypper install coreutils
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Building repository 'SLE-Module-Basesystem15-SP6-Pool' cache ..........................................................................................................................................[done]
Retrieving repository 'SLE-Module-Basesystem15-SP6-Updates' metadata ..................................................................................................................................[done]
Building repository 'SLE-Module-Basesystem15-SP6-Updates' cache .......................................................................................................................................[done]
Building repository 'SLE-Module-Containers15-SP6-Pool' cache ..........................................................................................................................................[done]
Retrieving repository 'SLE-Module-Containers15-SP6-Updates' metadata ..................................................................................................................................[done]
Building repository 'SLE-Module-Containers15-SP6-Updates' cache .......................................................................................................................................[done]
Building repository 'SLE-Module-Desktop-Applications15-SP6-Pool' cache ................................................................................................................................[done]
Retrieving repository 'SLE-Module-Desktop-Applications15-SP6-Updates' metadata ........................................................................................................................[done]
Building repository 'SLE-Module-Desktop-Applications15-SP6-Updates' cache .............................................................................................................................[done]
Building repository 'SLE-Module-DevTools15-SP6-Pool' cache ............................................................................................................................................[done]
Retrieving repository 'SLE-Module-DevTools15-SP6-Updates' metadata ....................................................................................................................................[done]
Building repository 'SLE-Module-DevTools15-SP6-Updates' cache .........................................................................................................................................[done]
Building repository 'SLE-Module-Public-Cloud15-SP6-Pool' cache ........................................................................................................................................[done]
Retrieving repository 'SLE-Module-Public-Cloud15-SP6-Updates' metadata ................................................................................................................................[done]
Building repository 'SLE-Module-Public-Cloud15-SP6-Updates' cache .....................................................................................................................................[done]
Building repository 'SLE-Module-Python3-15-SP6-Pool' cache ............................................................................................................................................[done]
Retrieving repository 'SLE-Module-Python3-15-SP6-Updates' metadata ....................................................................................................................................[done]
Building repository 'SLE-Module-Python3-15-SP6-Updates' cache .........................................................................................................................................[done]
Building repository 'SLE-Product-SLES15-SP6-Pool' cache ...............................................................................................................................................[done]
Retrieving repository 'SLE-Product-SLES15-SP6-Updates' metadata .......................................................................................................................................[done]
Building repository 'SLE-Product-SLES15-SP6-Updates' cache ............................................................................................................................................[done]
Building repository 'SLE-Module-Server-Applications15-SP6-Pool' cache .................................................................................................................................[done]
Retrieving repository 'SLE-Module-Server-Applications15-SP6-Updates' metadata .........................................................................................................................[done]
Building repository 'SLE-Module-Server-Applications15-SP6-Updates' cache ..............................................................................................................................[done]
Building repository 'SLE-Module-Web-Scripting15-SP6-Pool' cache .......................................................................................................................................[done]
Retrieving repository 'SLE-Module-Web-Scripting15-SP6-Updates' metadata ...............................................................................................................................[done]
Building repository 'SLE-Module-Web-Scripting15-SP6-Updates' cache ....................................................................................................................................[done]
Loading repository data...
Reading installed packages...
'coreutils' is already installed.
No update candidate for 'coreutils-8.32-150400.9.6.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...
Nothing to do.
suse15-server:/home/ec2-user # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
warning: Rebuilding outdated index databases
warning: Generating 18 missing index(es), please wait...
suse15-server:/home/ec2-user # cat /etc/zypp/repos.d/
Basesystem_Module_x86_64:SLE-Module-Basesystem15-SP6-Debuginfo-Pool.repo                        Public_Cloud_Module_x86_64:SLE-Module-Public-Cloud15-SP6-Source-Pool.repo
Basesystem_Module_x86_64:SLE-Module-Basesystem15-SP6-Debuginfo-Updates.repo                     Public_Cloud_Module_x86_64:SLE-Module-Public-Cloud15-SP6-Updates.repo
Basesystem_Module_x86_64:SLE-Module-Basesystem15-SP6-Pool.repo                                  Python_3_Module_x86_64:SLE-Module-Python3-15-SP6-Debuginfo-Pool.repo
Basesystem_Module_x86_64:SLE-Module-Basesystem15-SP6-Source-Pool.repo                           Python_3_Module_x86_64:SLE-Module-Python3-15-SP6-Debuginfo-Updates.repo
Basesystem_Module_x86_64:SLE-Module-Basesystem15-SP6-Updates.repo                               Python_3_Module_x86_64:SLE-Module-Python3-15-SP6-Pool.repo
Containers_Module_x86_64:SLE-Module-Containers15-SP6-Debuginfo-Pool.repo                        Python_3_Module_x86_64:SLE-Module-Python3-15-SP6-Source-Pool.repo
Containers_Module_x86_64:SLE-Module-Containers15-SP6-Debuginfo-Updates.repo                     Python_3_Module_x86_64:SLE-Module-Python3-15-SP6-Updates.repo
Containers_Module_x86_64:SLE-Module-Containers15-SP6-Pool.repo                                  SUSE_Linux_Enterprise_Server_x86_64:SLE-Product-SLES15-SP6-Debuginfo-Pool.repo
Containers_Module_x86_64:SLE-Module-Containers15-SP6-Source-Pool.repo                           SUSE_Linux_Enterprise_Server_x86_64:SLE-Product-SLES15-SP6-Debuginfo-Updates.repo
Containers_Module_x86_64:SLE-Module-Containers15-SP6-Updates.repo                               SUSE_Linux_Enterprise_Server_x86_64:SLE-Product-SLES15-SP6-Pool.repo
Desktop_Applications_Module_x86_64:SLE-Module-Desktop-Applications15-SP6-Debuginfo-Pool.repo    SUSE_Linux_Enterprise_Server_x86_64:SLE-Product-SLES15-SP6-Source-Pool.repo
Desktop_Applications_Module_x86_64:SLE-Module-Desktop-Applications15-SP6-Debuginfo-Updates.repo SUSE_Linux_Enterprise_Server_x86_64:SLE-Product-SLES15-SP6-Updates.repo
Desktop_Applications_Module_x86_64:SLE-Module-Desktop-Applications15-SP6-Pool.repo              Server_Applications_Module_x86_64:SLE-Module-Server-Applications15-SP6-Debuginfo-Pool.repo
Desktop_Applications_Module_x86_64:SLE-Module-Desktop-Applications15-SP6-Source-Pool.repo       Server_Applications_Module_x86_64:SLE-Module-Server-Applications15-SP6-Debuginfo-Updates.repo
Desktop_Applications_Module_x86_64:SLE-Module-Desktop-Applications15-SP6-Updates.repo           Server_Applications_Module_x86_64:SLE-Module-Server-Applications15-SP6-Pool.repo
Development_Tools_Module_x86_64:SLE-Module-DevTools15-SP6-Debuginfo-Pool.repo                   Server_Applications_Module_x86_64:SLE-Module-Server-Applications15-SP6-Source-Pool.repo
Development_Tools_Module_x86_64:SLE-Module-DevTools15-SP6-Debuginfo-Updates.repo                Server_Applications_Module_x86_64:SLE-Module-Server-Applications15-SP6-Updates.repo
Development_Tools_Module_x86_64:SLE-Module-DevTools15-SP6-Pool.repo                             Web_and_Scripting_Module_x86_64:SLE-Module-Web-Scripting15-SP6-Debuginfo-Pool.repo
Development_Tools_Module_x86_64:SLE-Module-DevTools15-SP6-Source-Pool.repo                      Web_and_Scripting_Module_x86_64:SLE-Module-Web-Scripting15-SP6-Debuginfo-Updates.repo
Development_Tools_Module_x86_64:SLE-Module-DevTools15-SP6-Updates.repo                          Web_and_Scripting_Module_x86_64:SLE-Module-Web-Scripting15-SP6-Pool.repo
Public_Cloud_Module_x86_64:SLE-Module-Public-Cloud15-SP6-Debuginfo-Pool.repo                    Web_and_Scripting_Module_x86_64:SLE-Module-Web-Scripting15-SP6-Source-Pool.repo
Public_Cloud_Module_x86_64:SLE-Module-Public-Cloud15-SP6-Debuginfo-Updates.repo                 Web_and_Scripting_Module_x86_64:SLE-Module-Web-Scripting15-SP6-Updates.repo
Public_Cloud_Module_x86_64:SLE-Module-Public-Cloud15-SP6-Pool.repo
suse15-server:/home/ec2-user # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/zypp/repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
suse15-server:/home/ec2-user # cat /etc/zypp/repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
suse15-server:/home/ec2-user # rm /etc/zypp/repos.d/wazuh.repo
suse15-server:/home/ec2-user # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1' | tee /etc/zypp/repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
suse15-server:/home/ec2-user # zypper install wazuh-indexer
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Building repository 'EL-15.6 - Wazuh' cache ...........................................................................................................................................................[done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  wazuh-indexer

The following package has no support information from its vendor:
  wazuh-indexer

1 new package to install.
Overall download size: 812.6 MiB. Already cached: 0 B. After the operation, additional 1.0 GiB will be used.

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: wazuh-indexer-4.9.0-1.x86_64 (EL-15.6 - Wazuh) (1/1), 812.6 MiB
Retrieving: wazuh-indexer-4.9.0-1.x86_64.rpm .............................................................................................................................................[done (57.6 MiB/s)]

Checking for file conflicts: ..........................................................................................................................................................................[done]
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
(1/1) Installing: wazuh-indexer-4.9.0-1.x86_64 ........................................................................................................................................................[done]
suse15-server:/home/ec2-user # vim /etc/wazuh-indexer/opensearch.yml
suse15-server:/home/ec2-user # cat /etc/wazuh-indexer/opensearch.yml
network.host: "172.31.22.197"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"

cluster.name: "wazuh-cluster"

#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
suse15-server:/home/ec2-user # NODE_NAME=node-1
suse15-server:/home/ec2-user # echo $NODE_NAME
node-1
suse15-server:/home/ec2-user # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
./
./root-ca.key
./root-ca.pem
./admin-key.pem
./admin.pem
./node-1-key.pem
./node-1.pem
./wazuh-1-key.pem
./wazuh-1.pem
./dashboard-key.pem
./dashboard.pem
suse15-server:/home/ec2-user # mkdir /etc/wazuh-indexer/certs
suse15-server:/home/ec2-user # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
suse15-server:/home/ec2-user #
suse15-server:/home/ec2-user # ll /etc/wazuh-indexer/certs/
total 20
-rwxr--r-- 1 ec2-user users 1704 Jul 23 14:33 admin-key.pem
-rwxr--r-- 1 ec2-user users 1119 Jul 23 14:33 admin.pem
-rwxr--r-- 1 ec2-user users 1704 Jul 23 14:33 node-1-key.pem
-rwxr--r-- 1 ec2-user users 1277 Jul 23 14:33 node-1.pem
-rwxr--r-- 1 ec2-user users 1204 Jul 23 14:33 root-ca.pem
suse15-server:/home/ec2-user # mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
suse15-server:/home/ec2-user # mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
suse15-server:/home/ec2-user # chmod 500 /etc/wazuh-indexer/certs
suse15-server:/home/ec2-user # chmod 400 /etc/wazuh-indexer/certs/*
suse15-server:/home/ec2-user # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
suse15-server:/home/ec2-user # ll /etc/wazuh-indexer/certs/
total 20
-r-------- 1 wazuh-indexer wazuh-indexer 1704 Jul 23 14:33 admin-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1119 Jul 23 14:33 admin.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1704 Jul 23 14:33 indexer-key.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1277 Jul 23 14:33 indexer.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1204 Jul 23 14:33 root-ca.pem
suse15-server:/home/ec2-user # systemctl daemon-reload
suse15-server:/home/ec2-user # systemctl enable wazuh-indexer
Synchronizing state of wazuh-indexer.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable wazuh-indexer
ln -sf ../wazuh-indexer /etc/init.d/rc2.d/S50wazuh-indexer
ln: failed to create symbolic link '/etc/init.d/rc2.d/S50wazuh-indexer': No such file or directory
suse15-server:/home/ec2-user # systemctl start wazuh-indexer
suse15-server:/home/ec2-user # systemctl status wazuh-indexer
● wazuh-indexer.service - wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-07-23 14:54:54 UTC; 3min 3s ago
       Docs: https://documentation.wazuh.com
   Main PID: 5495 (java)
      Tasks: 64
        CPU: 58.316s
     CGroup: /system.slice/wazuh-indexer.service
             └─5495 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.head>

Jul 23 14:54:34 suse15-server systemd-entrypoint[5495]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
Jul 23 14:54:34 suse15-server systemd-entrypoint[5495]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jul 23 14:54:34 suse15-server systemd-entrypoint[5495]: WARNING: System::setSecurityManager will be removed in a future release
Jul 23 14:54:35 suse15-server systemd-entrypoint[5495]: Jul 23, 2024 2:54:35 PM sun.util.locale.provider.LocaleProviderAdapter
Jul 23 14:54:35 suse15-server systemd-entrypoint[5495]: WARNING: COMPAT locale provider will be removed in a future release
Jul 23 14:54:36 suse15-server systemd-entrypoint[5495]: WARNING: A terminally deprecated method in java.lang.System has been called
Jul 23 14:54:36 suse15-server systemd-entrypoint[5495]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.13.0.jar)
Jul 23 14:54:36 suse15-server systemd-entrypoint[5495]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jul 23 14:54:36 suse15-server systemd-entrypoint[5495]: WARNING: System::setSecurityManager will be removed in a future release
Jul 23 14:54:54 suse15-server systemd[1]: Started wazuh-indexer.
suse15-server:/home/ec2-user # /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 172.31.22.197:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.13.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
suse15-server:/home/ec2-user # curl -k -u https://172.31.22.197:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "Hj7CLqagQcmHADjS-02arA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "2c952aba7735bee5f4b0bb9cfc821d68ffbdd636",
    "build_date" : "2024-07-19T16:30:35.251438Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
suse15-server:/home/ec2-user # curl -k -u https://172.31.22.197:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
172.31.22.197           28          36   6    0.13    0.15     0.08 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1
suse15-server:/home/ec2-user # zypper info wazuh-indexer
Loading repository data...
Reading installed packages...


Information for package wazuh-indexer:
--------------------------------------
Repository     : EL-15.6 - Wazuh
Name           : wazuh-indexer
Version        : 4.9.0-1
Arch           : x86_64
Vendor         : Wazuh, Inc
Support Level  : unknown
Installed Size : 1.01 GiB
Installed      : Yes
Status         : up-to-date
Source package : wazuh-indexer-4.9.0-1.src
Upstream URL   : https://www.wazuh.com/
Summary        : An open source distributed and RESTful search engine
Description    :
    Wazuh indexer is a near real-time full-text search and analytics engine that
    gathers security-related data into one platform. This Wazuh central component
    indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be
    configured as a single-node or multi-node cluster, providing scalability and
    high availability.
    For more information, see: https://www.wazuh.com/
```
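The certificate handling in the session above (extract the node, admin and root CA files, `chmod 500` on the directory, `chmod 400` on the files, `chown -R` to the service user) is the step most often left half-done when an install is scripted by hand, and a readable indexer private key is the kind of drift that is invisible in a green test run. As an added example, not code from this issue or from the Wazuh project, the POSIX shell audit below checks a certs directory against exactly that end state. It assumes GNU `stat -c` (as on SLES) and the `/etc/wazuh-indexer/certs` path and `wazuh-indexer` service user shown in the log; the demo directory it can build contains placeholder text files, not real keys.

```bash
#!/bin/sh
# Added example (not from the wazuh project or the issue author): audit a
# Wazuh indexer certs directory for the end state the session above produces.
# Assumes GNU coreutils stat (-c format strings).
#
# Expected state after the chmod/chown steps:
#   /etc/wazuh-indexer/certs        mode 500, owner wazuh-indexer
#   /etc/wazuh-indexer/certs/*.pem  mode 400, owner wazuh-indexer

# check_cert_perms DIR OWNER
# Prints one line per deviation; returns 1 if any was found, 0 if clean.
check_cert_perms() {
    dir="$1"
    owner="$2"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "500" ]; then
        echo "$dir: mode $mode, expected 500"
        rc=1
    fi
    who=$(stat -c '%U' "$dir")
    if [ "$who" != "$owner" ]; then
        echo "$dir: owner $who, expected $owner"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue    # empty directory: the glob stays literal
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "400" ]; then
            echo "$f: mode $mode, expected 400"
            rc=1
        fi
        who=$(stat -c '%U' "$f")
        if [ "$who" != "$owner" ]; then
            echo "$f: owner $who, expected $owner"
            rc=1
        fi
    done
    return $rc
}

# fix_cert_perms DIR USER GROUP
# Applies the same steps the session used: chmod 500 on the directory,
# chmod 400 on its contents, chown -R to the service user and group.
fix_cert_perms() {
    chmod 500 "$1"
    chmod 400 "$1"/*
    chown -R "$2:$3" "$1"
}

# make_demo_dir
# Builds a constructed certs directory (placeholder files, not real keys) with
# the loose permissions the tar extraction leaves behind, and prints its path.
make_demo_dir() {
    d=$(mktemp -d)
    for name in root-ca admin admin-key indexer indexer-key; do
        printf '%s\n' "placeholder for $name.pem (constructed, not a key)" > "$d/$name.pem"
    done
    chmod 755 "$d"
    chmod 744 "$d"/*.pem
    printf '%s\n' "$d"
}

# Direct use on a deployment:
#   sh check-certs.sh /etc/wazuh-indexer/certs wazuh-indexer
if [ "$#" -eq 2 ]; then
    check_cert_perms "$1" "$2"
fi
```

Run against a live node with the two positional arguments; with no arguments the script only defines the functions, so it can be sourced from a larger post-install check. The `ll` output in the log before the `chmod` lines is exactly what this audit reports on: `-rwxr--r--` files owned by `ec2-user`, readable by every account on the host.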
efahnle commented 3 months ago

Step by step installation

Manager :green_circle:

```console
suse15-server:/home/ec2-user # zypper search -s wazuh-manager | grep 4.9
  | wazuh-manager | package | 4.9.0-1 | x86_64 | EL-15.6 - Wazuh
suse15-server:/home/ec2-user # zypper install wazuh-manager
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  wazuh-manager

The following package has no support information from its vendor:
  wazuh-manager

1 new package to install.
Overall download size: 300.5 MiB. Already cached: 0 B. After the operation, additional 853.8 MiB will be used.

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: wazuh-manager-4.9.0-1.x86_64 (EL-15.6 - Wazuh) (1/1), 300.5 MiB
Retrieving: wazuh-manager-4.9.0-1.x86_64.rpm .............................................................................................................................................[done (59.1 MiB/s)]

Checking for file conflicts: ..........................................................................................................................................................................[done]
(1/1) Installing: wazuh-manager-4.9.0-1.x86_64 ........................................................................................................................................................[done]
Running post-transaction scripts ......................................................................................................................................................................[done]
suse15-server:/home/ec2-user #
suse15-server:/home/ec2-user # zypper install filebeat
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  filebeat

The following package has no support information from its vendor:
  filebeat

1 new package to install.
Overall download size: 20.8 MiB. Already cached: 0 B. After the operation, additional 70.2 MiB will be used.

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: filebeat-7.10.2-1.x86_64 (EL-15.6 - Wazuh) (1/1), 20.8 MiB
Retrieving: filebeat-oss-7.10.2-x86_64.rpm ...............................................................................................................................................[done (20.2 MiB/s)]

Checking for file conflicts: ..........................................................................................................................................................................[done]
(1/1) Installing: filebeat-7.10.2-1.x86_64 ............................................................................................................................................................[done]
suse15-server:/home/ec2-user #
suse15-server:/home/ec2-user # curl -so /etc/filebeat/filebeat.yml https://packages-dev.wazuh.com/4.9/tpl/wazuh/filebeat/filebeat.yml
suse15-server:/home/ec2-user # ll /etc/filebeat/filebeat.yml
-rw------- 1 root root 867 Jul 23 15:09 /etc/filebeat/filebeat.yml
suse15-server:/home/ec2-user # vim /etc/filebeat/filebeat.yml
suse15-server:/home/ec2-user # cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["172.31.22.197:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
suse15-server:/home/ec2-user #
suse15-server:/home/ec2-user #
```
filebeat keystore create Created filebeat keystore suse15-server:/home/ec2-user # echo | filebeat keystore add username --stdin --force Successfully updated the keystore suse15-server:/home/ec2-user # echo | filebeat keystore add password --stdin --force Successfully updated the keystore suse15-server:/home/ec2-user # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0-alpha3/extensions/elasticsearch/7.x/wazuh-template.json suse15-server:/home/ec2-user # chmod go+r /etc/filebeat/wazuh-template.json suse15-server:/home/ec2-user # curl -s https://packages-dev.wazuh.com/pre-release/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json suse15-server:/home/ec2-user # ll /usr/share/filebeat/module total 0 drwxr-xr-x 4 root root 51 Jul 23 15:08 apache drwxr-xr-x 2 root root 24 Jul 23 15:08 apache2 drwxr-xr-x 3 root root 35 Jul 23 15:08 auditd drwxr-xr-x 7 root root 95 Jul 23 15:08 elasticsearch drwxr-xr-x 3 root root 35 Jul 23 15:08 haproxy drwxr-xr-x 5 root root 64 Jul 23 15:08 icinga drwxr-xr-x 4 root root 33 Jul 23 15:08 iis drwxr-xr-x 3 root root 35 Jul 23 15:08 kafka drwxr-xr-x 3 root root 35 Jul 23 15:08 kibana drwxr-xr-x 4 root root 50 Jul 23 15:08 logstash drwxr-xr-x 3 root root 35 Jul 23 15:08 mongodb drwxr-xr-x 4 root root 52 Jul 23 15:08 mysql drwxr-xr-x 3 root root 35 Jul 23 15:08 nats drwxr-xr-x 5 root root 77 Jul 23 15:08 nginx drwxr-xr-x 3 root root 38 Jul 23 15:08 osquery drwxr-xr-x 3 root root 35 Jul 23 15:08 postgresql drwxr-xr-x 4 root root 50 Jul 23 15:08 redis drwxr-xr-x 3 root 
root 35 Jul 23 15:08 santa drwxr-xr-x 4 root root 50 Jul 23 15:08 system drwxr-xr-x 3 root root 38 Jul 23 15:08 traefik drwxr-xr-x 5 root root 67 Mar 12 11:16 wazuh suse15-server:/home/ec2-user # echo $NODE_NAME node-1 suse15-server:/home/ec2-user # mkdir /etc/filebeat/certs suse15-server:/home/ec2-user # tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem suse15-server:/home/ec2-user # ./root-ca.pem bash: ./root-ca.pem: No such file or directory suse15-server:/home/ec2-user # mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem suse15-server:/home/ec2-user # mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem suse15-server:/home/ec2-user # chmod 500 /etc/filebeat/certs suse15-server:/home/ec2-user # chmod 400 /etc/filebeat/certs/* suse15-server:/home/ec2-user # chown -R root:root /etc/filebeat/certs suse15-server:/home/ec2-user # ll /etc/filebeat/certs total 12 -r-------- 1 root root 1704 Jul 23 14:33 filebeat-key.pem -r-------- 1 root root 1277 Jul 23 14:33 filebeat.pem -r-------- 1 root root 1204 Jul 23 14:33 root-ca.pem suse15-server:/home/ec2-user # /var/ossec/bin/wazuh-keystore -f indexer -k username -v suse15-server:/home/ec2-user # /var/ossec/bin/wazuh-keystore -f indexer -k password -v suse15-server:/home/ec2-user # vim /var/ossec/etc/ossec.conf suse15-server:/home/ec2-user # grep -A10 -B4 172.31.22.197 /var/ossec/etc/ossec.conf yes https://172.31.22.197:9200 /etc/filebeat/certs/root-ca.pem /etc/filebeat/certs/filebeat.pem /etc/filebeat/certs/filebeat-key.pem suse15-server:/home/ec2-user # systemctl daemon-reload suse15-server:/home/ec2-user # systemctl enable wazuh-manager Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /usr/lib/systemd/system/wazuh-manager.service. 
suse15-server:/home/ec2-user # systemctl start wazuh-manager suse15-server:/home/ec2-user # systemctl status wazuh-manager ● wazuh-manager.service - Wazuh manager Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled) Active: active (running) since Tue 2024-07-23 15:15:46 UTC; 2s ago Process: 8569 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) Tasks: 139 CPU: 29.395s CGroup: /system.slice/wazuh-manager.service ├─8634 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─8675 /var/ossec/bin/wazuh-authd ├─8693 /var/ossec/bin/wazuh-db ├─8707 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─8710 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─8713 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py ├─8726 /var/ossec/bin/wazuh-execd ├─8741 /var/ossec/bin/wazuh-analysisd ├─8754 /var/ossec/bin/wazuh-syscheckd ├─8804 /var/ossec/bin/wazuh-remoted ├─8840 /var/ossec/bin/wazuh-logcollector ├─8860 /var/ossec/bin/wazuh-monitord └─8883 /var/ossec/bin/wazuh-modulesd Jul 23 15:15:38 suse15-server env[8569]: Started wazuh-analysisd... Jul 23 15:15:39 suse15-server env[8569]: Started wazuh-syscheckd... Jul 23 15:15:40 suse15-server env[8569]: Started wazuh-remoted... Jul 23 15:15:42 suse15-server env[8569]: Started wazuh-logcollector... Jul 23 15:15:43 suse15-server env[8569]: Started wazuh-monitord... Jul 23 15:15:43 suse15-server env[8881]: 2024/07/23 15:15:43 wazuh-modulesd:router: INFO: Loaded router module. Jul 23 15:15:43 suse15-server env[8881]: 2024/07/23 15:15:43 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Jul 23 15:15:44 suse15-server env[8569]: Started wazuh-modulesd... Jul 23 15:15:46 suse15-server env[8569]: Completed. Jul 23 15:15:46 suse15-server systemd[1]: Started Wazuh manager. 
suse15-server:/home/ec2-user # systemctl daemon-reload suse15-server:/home/ec2-user # systemctl enable filebeat Synchronizing state of filebeat.service with SysV service script with /usr/lib/systemd/systemd-sysv-install. Executing: /usr/lib/systemd/systemd-sysv-install enable filebeat ln -sf ../filebeat /etc/init.d/rc2.d/S50filebeat ln: failed to create symbolic link '/etc/init.d/rc2.d/S50filebeat': No such file or directory suse15-server:/home/ec2-user # systemctl start filebeat suse15-server:/home/ec2-user # systemctl status filebeat ● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch. Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; preset: disabled) Active: active (running) since Tue 2024-07-23 15:15:58 UTC; 5s ago Docs: https://www.elastic.co/products/beats/filebeat Main PID: 9421 (filebeat) Tasks: 8 CPU: 117ms CGroup: /system.slice/filebeat.service └─9421 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.lo> Jul 23 15:15:58 suse15-server systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch.. suse15-server:/home/ec2-user # suse15-server:/home/ec2-user # filebeat test output elasticsearch: https://172.31.22.197:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 172.31.22.197 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2 ```
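The certificate deployment in the log above (extract the node's cert, key and CA from `wazuh-certificates.tar`, rename them for Filebeat, then `chmod 500` the directory and `chmod 400` the files) is done by hand and checked with `ll`. The following is an added example, not part of the issue or of the Wazuh project, that wraps those same steps in a function and adds a verification step so the result can be asserted rather than eyeballed. It assumes GNU coreutils (`stat -c`), a tarball laid out like `wazuh-certificates.tar` (`./<node>.pem`, `./<node>-key.pem`, `./root-ca.pem`), and it only attempts `chown` when running as root; the sample tarball it builds contains dummy PEM text, not real key material.

```shell
#!/usr/bin/env bash
# Added example: certificate deployment for Filebeat/Wazuh dashboard
# with an explicit permission check. Not code from the issue or the
# Wazuh project. Assumes GNU stat; chown only when running as root.
set -eu

# deploy_certs TARBALL DEST NODE_NAME PREFIX [OWNER]
#   Extracts ./NODE_NAME.pem, ./NODE_NAME-key.pem and ./root-ca.pem into
#   DEST, renames the node pair to PREFIX.pem / PREFIX-key.pem (e.g.
#   filebeat or dashboard) and applies the step-by-step guide's modes:
#   directory 500, files 400. OWNER defaults to root:root.
deploy_certs() {
  local tarball=$1 dest=$2 node=$3 prefix=$4 owner=${5:-root:root}
  mkdir -p "$dest"
  tar -xf "$tarball" -C "$dest" "./$node.pem" "./$node-key.pem" ./root-ca.pem
  mv -n "$dest/$node.pem" "$dest/$prefix.pem"
  mv -n "$dest/$node-key.pem" "$dest/$prefix-key.pem"
  chmod 500 "$dest"
  chmod 400 "$dest"/*
  # chown needs privileges; skip it when the example runs unprivileged.
  if [ "$(id -u)" -eq 0 ]; then chown -R "$owner" "$dest"; fi
}

# verify_certs DEST PREFIX
#   Returns 0 only if the directory is mode 500 and PREFIX.pem,
#   PREFIX-key.pem and root-ca.pem all exist with mode 400.
#   Prints the first violation found and returns 1 otherwise.
verify_certs() {
  local dest=$1 prefix=$2 f mode
  [ "$(stat -c %a "$dest")" = "500" ] || { echo "dir $dest is not mode 500"; return 1; }
  for f in "$prefix.pem" "$prefix-key.pem" root-ca.pem; do
    [ -f "$dest/$f" ] || { echo "missing $dest/$f"; return 1; }
    mode=$(stat -c %a "$dest/$f")
    [ "$mode" = "400" ] || { echo "$dest/$f has mode $mode, expected 400"; return 1; }
  done
  echo "ok: $dest"
}

# make_sample_tar OUT NODE_NAME
#   Constructed stand-in for wazuh-certificates.tar so the example runs
#   offline. The PEM bodies are placeholders, not real certificates.
make_sample_tar() {
  local out=$1 node=$2 tmp
  tmp=$(mktemp -d)
  printf -- '-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n' > "$tmp/$node.pem"
  printf -- '-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n' > "$tmp/$node-key.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n' > "$tmp/root-ca.pem"
  tar -cf "$out" -C "$tmp" "./$node.pem" "./$node-key.pem" ./root-ca.pem
  rm -rf "$tmp"
}

# Usage: mirror the log (NODE_NAME=node-1, Filebeat prefix) in a temp dir.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_sample_tar "$work/wazuh-certificates.tar" node-1
  deploy_certs "$work/wazuh-certificates.tar" "$work/certs" node-1 filebeat
  verify_certs "$work/certs" filebeat
fi
```

On a real host the call is `deploy_certs ./wazuh-certificates.tar /etc/filebeat/certs "$NODE_NAME" filebeat` followed by `verify_certs /etc/filebeat/certs filebeat`; the same pair with `dashboard` and `wazuh-dashboard:wazuh-dashboard` covers the dashboard step. The check matters because Filebeat and the manager read the key as root, so anything wider than 400 on `filebeat-key.pem` exposes the indexer client identity to every local user.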
efahnle commented 3 months ago

Step by step installation

Dashboard :yellow_circle:

  1. A package was missing for SUSE (libcap). However the installation completed successfully and I'm able to login and view events. More details below (Related: https://github.com/wazuh/wazuh-dashboard/issues/160)
```console
suse15-server:/home/ec2-user # zypper install libcap
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
'libcap' not found in package names. Trying capabilities.
No provider of 'libcap' found.
Resolving package dependencies...
Nothing to do.
suse15-server:/home/ec2-user # zypper install wazuh-dashboard
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: 1: nothing provides 'libcap' needed by the to be installed wazuh-dashboard-4.9.0-1.x86_64
 Solution 1: do not install wazuh-dashboard-4.9.0-1.x86_64
 Solution 2: break wazuh-dashboard-4.9.0-1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/c/d/?] (c): c
suse15-server:/home/ec2-user # zypper install libcap2
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
'libcap2' is already installed.
No update candidate for 'libcap2-2.63-150400.3.3.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...
Nothing to do.
suse15-server:/home/ec2-user # cnf libcap
libcap: command not found
suse15-server:/home/ec2-user # cnf libcap2
libcap2: command not found
suse15-server:/home/ec2-user # zypper install wazuh-dashboard
Refreshing service 'Basesystem_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'Desktop_Applications_Module_x86_64'.
Refreshing service 'Development_Tools_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'Python_3_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'Server_Applications_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: 1: nothing provides 'libcap' needed by the to be installed wazuh-dashboard-4.9.0-1.x86_64
 Solution 1: do not install wazuh-dashboard-4.9.0-1.x86_64
 Solution 2: break wazuh-dashboard-4.9.0-1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/c/d/?] (c): 2
Resolving dependencies...
Resolving package dependencies...

The following NEW package is going to be installed:
  wazuh-dashboard

The following package has no support information from its vendor:
  wazuh-dashboard

1 new package to install.
Overall download size: 253.1 MiB. Already cached: 0 B. After the operation, additional 848.6 MiB will be used.

Backend: classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y):
Retrieving: wazuh-dashboard-4.9.0-1.x86_64 (EL-15.6 - Wazuh) (1/1), 253.1 MiB
Retrieving: wazuh-dashboard-4.9.0-1.x86_64.rpm ..........................[done (42.1 MiB/s)]

Checking for file conflicts: ...........................................[done]
/var/tmp/rpm-tmp.BvSllu: line 1: setcap: command not found
/var/tmp/rpm-tmp.BvSllu: line 2: setcap: command not found
(1/1) Installing: wazuh-dashboard-4.9.0-1.x86_64 .......................[done]
Running post-transaction scripts .......................................[done]
suse15-server:/home/ec2-user # vim /etc/wazuh-dashboard/opensearch_dashboards.yml
suse15-server:/home/ec2-user # cat /etc/wazuh-dashboard/opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 32000
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearchDashboards.branding:
  useExpandedHeader: false
suse15-server:/home/ec2-user # mkdir /etc/wazuh-dashboard/certs
suse15-server:/home/ec2-user # tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
suse15-server:/home/ec2-user # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
suse15-server:/home/ec2-user # mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
suse15-server:/home/ec2-user # chmod 500 /etc/wazuh-dashboard/certs
suse15-server:/home/ec2-user # chmod 400 /etc/wazuh-dashboard/certs/*
suse15-server:/home/ec2-user # chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
suse15-server:/home/ec2-user #
suse15-server:/home/ec2-user # systemctl daemon-reload
suse15-server:/home/ec2-user # systemctl enable wazuh-dashboard
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
suse15-server:/home/ec2-user # systemctl start wazuh-dashboard
suse15-server:/home/ec2-user # mkdir -p /usr/share/wazuh-dashboard/data/wazuh/config/
suse15-server:/home/ec2-user # vim /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
suse15-server:/home/ec2-user # cat /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
hosts:
  - default:
      url: https://172.31.22.197
      port: 55000
      username: <wazuh_api_username>
      password: <wazuh_api_password>
      run_as: false
suse15-server:/home/ec2-user # systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-07-23 15:38:35 UTC; 7s ago
   Main PID: 12313 (node)
      Tasks: 11
        CPU: 7.981s
     CGroup: /system.slice/wazuh-dashboard.service
             └─12313 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

Jul 23 15:38:41 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:41Z","tags":["info","savedobjects-service"],"pid":12313,"message":"Starting saved objects migration>
Jul 23 15:38:41 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:41Z","tags":["info","savedobjects-service"],"pid":12313,"message":"Creating index .kibana_1."}
Jul 23 15:38:41 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:41Z","tags":["info","savedobjects-service"],"pid":12313,"message":"Pointing alias .kibana to .kiban>
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["info","savedobjects-service"],"pid":12313,"message":"Finished in 208ms."}
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["warning","cross-compatibility-service"],"pid":12313,"message":"Starting cross compati>
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["info","plugins-system"],"pid":12313,"message":"Starting [48] plugins: [usageCollectio>
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["info","plugins","wazuh","initialize"],"pid":12313,"message":"dashboard index: .kibana>
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["info","plugins","wazuh","initialize"],"pid":12313,"message":"App revision: 03"}
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["info","plugins","wazuh","initialize"],"pid":12313,"message":"Total RAM: 7826MB"}
Jul 23 15:38:42 suse15-server opensearch-dashboards[12313]: {"type":"log","@timestamp":"2024-07-23T15:38:42Z","tags":["error","opensearch","data"],"pid":12313,"message":"[ResponseError]: Response Error"}
```

![image](https://github.com/user-attachments/assets/d275554f-534b-4f97-9b1e-d9b3f8d55ce8)
![image](https://github.com/user-attachments/assets/fd5ce64e-d080-4de0-aa3a-287bba5ed318)
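The two `setcap: command not found` lines in the RPM post-install above are what the missing `libcap` dependency actually costs. The dashboard still came up because `server.port` is 32000; binding a privileged port such as 443 would need `cap_net_bind_service` on the bundled `node` binary, which the failed `setcap` never granted. The following is an added example, not part of the issue or of the Wazuh project, that reads `server.port` from `opensearch_dashboards.yml` and tells you whether the failed `setcap` is harmless for that deployment or needs fixing. It assumes (not stated in the log) that the post-install `setcap` grants `cap_net_bind_service` to the node binary, that the default port is 5601 when `server.port` is unset, and that on SLES the `setcap`/`getcap` tools ship in the `libcap-progs` package; the sample YAML files it writes are constructed, not copied from a host.

```shell
#!/usr/bin/env bash
# Added example: decide whether a failed `setcap` in the wazuh-dashboard
# post-install matters for the configured listen port. Not code from the
# issue or the Wazuh project. Assumption: the package's setcap grants
# cap_net_bind_service to the bundled node binary.
set -eu

# dashboard_port YML
#   Prints server.port from an opensearch_dashboards.yml, or 5601 when
#   the key is absent (the OpenSearch Dashboards default).
dashboard_port() {
  local port
  port=$(sed -n 's/^server\.port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n1)
  echo "${port:-5601}"
}

# check_bind_capability YML NODE_BIN
#   Returns 0 when the configured port is unprivileged (>= 1024) or the
#   node binary already carries cap_net_bind_service; returns 1 when a
#   privileged port is configured and the binary cannot bind it, either
#   because getcap is not installed or because the capability is absent.
check_bind_capability() {
  local yml=$1 node_bin=$2 port
  port=$(dashboard_port "$yml")
  if [ "$port" -ge 1024 ]; then
    echo "port $port is unprivileged: the failed setcap is harmless here"
    return 0
  fi
  if ! command -v getcap >/dev/null 2>&1; then
    echo "port $port needs cap_net_bind_service but getcap is unavailable (on SLES: zypper install libcap-progs)"
    return 1
  fi
  if getcap "$node_bin" 2>/dev/null | grep -q cap_net_bind_service; then
    echo "port $port: $node_bin has cap_net_bind_service"
    return 0
  fi
  echo "port $port: $node_bin lacks cap_net_bind_service; fix with: setcap cap_net_bind_service=+ep $node_bin"
  return 1
}

# write_sample_yml PATH PORT
#   Constructed minimal config for offline runs (not a real host's file).
write_sample_yml() {
  cat > "$1" <<EOF
server.host: 0.0.0.0
server.port: $2
server.ssl.enabled: true
EOF
}

# Usage on a real host:
#   check_bind_capability /etc/wazuh-dashboard/opensearch_dashboards.yml \
#       /usr/share/wazuh-dashboard/node/bin/node
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_sample_yml "$d/high.yml" 32000
  write_sample_yml "$d/low.yml" 443
  check_bind_capability "$d/high.yml" /usr/share/wazuh-dashboard/node/bin/node || true
  check_bind_capability "$d/low.yml" /usr/share/wazuh-dashboard/node/bin/node || true
fi
```

Running the real-host usage against the configuration in the log returns the "unprivileged" verdict, which is why login worked despite the dependency error. The same check after moving the dashboard to 443 would flag the missing capability before the service silently failed to bind.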
efahnle commented 3 months ago

Agent installation :green_circle:

System information

[root@ip-172-31-17-47 ec2-user]# cat /etc/hostname 
ip-172-31-17-47.us-east-2.compute.internal
[root@ip-172-31-17-47 ec2-user]# cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Installation (from sources)

```console
[root@ip-172-31-17-47 ec2-user]# yum update -y
No packages marked for update
[root@ip-172-31-17-47 ec2-user]# yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel wget bzip2 procps -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Package 1:make-3.82-24.amzn2.x86_64 already installed and latest version
No package centos-release-scl available.
Package wget-1.14-18.amzn2.1.x86_64 already installed and latest version
Package bzip2-1.0.6-13.amzn2.0.3.x86_64 already installed and latest version
Package procps-ng-3.3.10-26.amzn2.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package autoconf.noarch 0:2.69-11.amzn2 will be installed
--> Processing Dependency: m4 >= 1.4.14 for package: autoconf-2.69-11.amzn2.noarch
--> Processing Dependency: perl(Data::Dumper) for package: autoconf-2.69-11.amzn2.noarch
---> Package automake.noarch 0:1.13.4-3.1.amzn2 will be installed
--> Processing Dependency: perl(TAP::Parser) for package: automake-1.13.4-3.1.amzn2.noarch
--> Processing Dependency: perl(Thread::Queue) for package: automake-1.13.4-3.1.amzn2.noarch
---> Package gcc.x86_64 0:7.3.1-17.amzn2 will be installed
--> Processing Dependency: cpp = 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libatomic >= 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libcilkrts >= 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libitm >= 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libmpx >= 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libquadmath >= 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libsanitizer >= 7.3.1-17.amzn2 for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libmpc.so.3()(64bit) for package: gcc-7.3.1-17.amzn2.x86_64
--> Processing Dependency: libmpfr.so.4()(64bit) for package: gcc-7.3.1-17.amzn2.x86_64
---> Package gcc-c++.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libtool.x86_64 0:2.4.2-22.2.amzn2.0.2 will be installed
---> Package openssl-devel.x86_64 1:1.0.2k-24.amzn2.0.12 will be installed
--> Processing Dependency: krb5-devel(x86-64) for package: 1:openssl-devel-1.0.2k-24.amzn2.0.12.x86_64
--> Processing Dependency: zlib-devel(x86-64) for package: 1:openssl-devel-1.0.2k-24.amzn2.0.12.x86_64
---> Package policycoreutils-python.x86_64 0:2.5-22.amzn2 will be installed
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.1-3.amzn2.1 will be installed
---> Package checkpolicy.x86_64 0:2.5-6.amzn2 will be installed
---> Package cpp.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package glibc-devel.x86_64 0:2.26-64.amzn2.0.2 will be installed
--> Processing Dependency: glibc-headers = 2.26-64.amzn2.0.2 for package: glibc-devel-2.26-64.amzn2.0.2.x86_64
--> Processing Dependency: glibc-headers for package: glibc-devel-2.26-64.amzn2.0.2.x86_64
---> Package krb5-devel.x86_64 0:1.15.1-55.amzn2.2.8 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-55.amzn2.2.8 for package: krb5-devel-1.15.1-55.amzn2.2.8.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.15.1-55.amzn2.2.8.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.15.1-55.amzn2.2.8.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.15.1-55.amzn2.2.8.x86_64
--> Processing Dependency: libverto-devel for package: krb5-devel-1.15.1-55.amzn2.2.8.x86_64
---> Package libatomic.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libcgroup.x86_64 0:0.41-21.amzn2 will be installed
---> Package libcilkrts.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libitm.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libmpc.x86_64 0:1.0.1-3.amzn2.0.2 will be installed
---> Package libmpx.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libquadmath.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libsanitizer.x86_64 0:7.3.1-17.amzn2 will be installed
---> Package libselinux-python.x86_64 0:2.5-12.amzn2.0.2 will be installed
---> Package libsemanage-python.x86_64 0:2.5-11.amzn2 will be installed
---> Package m4.x86_64 0:1.4.16-10.amzn2.0.2 will be installed
---> Package mpfr.x86_64 0:3.1.1-4.amzn2.0.2 will be installed
---> Package perl-Data-Dumper.x86_64 0:2.145-3.amzn2.0.2 will be installed
---> Package perl-Test-Harness.noarch 0:3.28-3.amzn2 will be installed
---> Package perl-Thread-Queue.noarch 0:3.02-2.amzn2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package setools-libs.x86_64 0:3.3.8-2.amzn2.0.2 will be installed
---> Package zlib-devel.x86_64 0:1.2.7-19.amzn2.0.3 will be installed
--> Running transaction check
---> Package glibc-headers.x86_64 0:2.26-64.amzn2.0.2 will be installed
--> Processing Dependency: kernel-headers >= 2.2.1 for package: glibc-headers-2.26-64.amzn2.0.2.x86_64
--> Processing Dependency: kernel-headers for package: glibc-headers-2.26-64.amzn2.0.2.x86_64
---> Package keyutils-libs-devel.x86_64 0:1.5.8-3.amzn2.0.2 will be installed
---> Package libcom_err-devel.x86_64 0:1.42.9-19.amzn2.0.1 will be installed
---> Package libkadm5.x86_64 0:1.15.1-55.amzn2.2.8 will be installed
---> Package libselinux-devel.x86_64 0:2.5-12.amzn2.0.2 will be installed
--> Processing Dependency: libsepol-devel(x86-64) >= 2.5-6 for package: libselinux-devel-2.5-12.amzn2.0.2.x86_64
--> Processing Dependency: pkgconfig(libpcre) for package: libselinux-devel-2.5-12.amzn2.0.2.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.5-12.amzn2.0.2.x86_64
---> Package libverto-devel.x86_64 0:0.2.5-4.amzn2.0.2 will be installed
--> Running transaction check
---> Package kernel-headers.x86_64 0:5.10.220-209.869.amzn2 will be installed
---> Package libsepol-devel.x86_64 0:2.5-10.amzn2.0.1 will be installed
---> Package pcre-devel.x86_64 0:8.32-17.amzn2.0.3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================
 Package                      Arch       Version                     Repository                           Size
================================================================================================================
Installing:
 autoconf                     noarch     2.69-11.amzn2               amzn2-core                          701 k
 automake                     noarch     1.13.4-3.1.amzn2            amzn2-core                          679 k
 gcc                          x86_64     7.3.1-17.amzn2              amzn2-core                           22 M
 gcc-c++                      x86_64     7.3.1-17.amzn2              amzn2-core                           13 M
 libtool                      x86_64     2.4.2-22.2.amzn2.0.2        amzn2-core                          588 k
 openssl-devel                x86_64     1:1.0.2k-24.amzn2.0.12      amzn2-core                          1.5 M
 policycoreutils-python       x86_64     2.5-22.amzn2                amzn2-core                          454 k
Installing for dependencies:
 audit-libs-python            x86_64     2.8.1-3.amzn2.1             amzn2-core                           79 k
 checkpolicy                  x86_64     2.5-6.amzn2                 amzn2-core                          294 k
 cpp                          x86_64     7.3.1-17.amzn2              amzn2-core                          9.2 M
 glibc-devel                  x86_64     2.26-64.amzn2.0.2           amzn2-core                          995 k
 glibc-headers                x86_64     2.26-64.amzn2.0.2           amzn2-core                          516 k
 kernel-headers               x86_64     5.10.220-209.869.amzn2      amzn2extra-kernel-5.10              1.4 M
 keyutils-libs-devel          x86_64     1.5.8-3.amzn2.0.2           amzn2-core                           37 k
 krb5-devel                   x86_64     1.15.1-55.amzn2.2.8         amzn2-core                          274 k
 libatomic                    x86_64     7.3.1-17.amzn2              amzn2-core                           46 k
 libcgroup                    x86_64     0.41-21.amzn2               amzn2-core                           66 k
 libcilkrts                   x86_64     7.3.1-17.amzn2              amzn2-core                           85 k
 libcom_err-devel             x86_64     1.42.9-19.amzn2.0.1         amzn2-core                           32 k
 libitm                       x86_64     7.3.1-17.amzn2              amzn2-core                           85 k
 libkadm5                     x86_64     1.15.1-55.amzn2.2.8         amzn2-core                          181 k
 libmpc                       x86_64     1.0.1-3.amzn2.0.2           amzn2-core                           52 k
 libmpx                       x86_64     7.3.1-17.amzn2              amzn2-core                           52 k
 libquadmath                  x86_64     7.3.1-17.amzn2              amzn2-core                          189 k
 libsanitizer                 x86_64     7.3.1-17.amzn2              amzn2-core                          642 k
 libselinux-devel             x86_64     2.5-12.amzn2.0.2            amzn2-core                          187 k
 libselinux-python            x86_64     2.5-12.amzn2.0.2            amzn2-core                          237 k
 libsemanage-python           x86_64     2.5-11.amzn2                amzn2-core                          115 k
 libsepol-devel               x86_64     2.5-10.amzn2.0.1            amzn2-core                           77 k
 libverto-devel               x86_64     0.2.5-4.amzn2.0.2           amzn2-core                           12 k
 m4                           x86_64     1.4.16-10.amzn2.0.2         amzn2-core                          256 k
 mpfr                         x86_64     3.1.1-4.amzn2.0.2           amzn2-core                          208 k
 pcre-devel                   x86_64     8.32-17.amzn2.0.3           amzn2-core                          480 k
 perl-Data-Dumper             x86_64     2.145-3.amzn2.0.2           amzn2-core                           48 k
 perl-Test-Harness            noarch     3.28-3.amzn2                amzn2-core                          302 k
 perl-Thread-Queue            noarch     3.02-2.amzn2                amzn2-core                           17 k
 python-IPy                   noarch     0.75-6.amzn2.0.1            amzn2-core                           32 k
 setools-libs                 x86_64     3.3.8-2.amzn2.0.2           amzn2-core                          618 k
 zlib-devel                   x86_64     1.2.7-19.amzn2.0.3          amzn2-core                           51 k

Transaction Summary
================================================================================================================
Install  7 Packages (+32 Dependent packages)

Total download size: 55 M
Installed size: 155 M
Downloading packages:
(1/39): autoconf-2.69-11.amzn2.noarch.rpm                                          | 701 kB  00:00:00
(2/39): audit-libs-python-2.8.1-3.amzn2.1.x86_64.rpm                               |  79 kB  00:00:00
(3/39): automake-1.13.4-3.1.amzn2.noarch.rpm                                       | 679 kB  00:00:00
(4/39): checkpolicy-2.5-6.amzn2.x86_64.rpm                                         | 294 kB  00:00:00
(5/39): cpp-7.3.1-17.amzn2.x86_64.rpm                                              | 9.2 MB  00:00:00
(6/39): gcc-c++-7.3.1-17.amzn2.x86_64.rpm                                          |  13 MB  00:00:00
(7/39): gcc-7.3.1-17.amzn2.x86_64.rpm                                              |  22 MB  00:00:00
(8/39): glibc-devel-2.26-64.amzn2.0.2.x86_64.rpm                                   | 995 kB  00:00:00
(9/39): glibc-headers-2.26-64.amzn2.0.2.x86_64.rpm                                 | 516 kB  00:00:00
(10/39): keyutils-libs-devel-1.5.8-3.amzn2.0.2.x86_64.rpm                          |  37 kB  00:00:00
(11/39): libatomic-7.3.1-17.amzn2.x86_64.rpm                                       |  46 kB  00:00:00
(12/39): krb5-devel-1.15.1-55.amzn2.2.8.x86_64.rpm                                 | 274 kB  00:00:00
(13/39): libcgroup-0.41-21.amzn2.x86_64.rpm                                        |  66 kB  00:00:00
(14/39): libcom_err-devel-1.42.9-19.amzn2.0.1.x86_64.rpm                           |  32 kB  00:00:00
(15/39): libcilkrts-7.3.1-17.amzn2.x86_64.rpm                                      |  85 kB  00:00:00
(16/39): kernel-headers-5.10.220-209.869.amzn2.x86_64.rpm                          | 1.4 MB  00:00:00
(17/39): libitm-7.3.1-17.amzn2.x86_64.rpm                                          |  85 kB  00:00:00
(18/39): libmpc-1.0.1-3.amzn2.0.2.x86_64.rpm                                       |  52 kB  00:00:00
(19/39): libkadm5-1.15.1-55.amzn2.2.8.x86_64.rpm                                   | 181 kB  00:00:00
(20/39): libmpx-7.3.1-17.amzn2.x86_64.rpm                                          |  52 kB  00:00:00
(21/39): libquadmath-7.3.1-17.amzn2.x86_64.rpm                                     | 189 kB  00:00:00
(22/39): libselinux-devel-2.5-12.amzn2.0.2.x86_64.rpm                              | 187 kB  00:00:00
(23/39): libsanitizer-7.3.1-17.amzn2.x86_64.rpm                                    | 642 kB  00:00:00
(24/39): libsemanage-python-2.5-11.amzn2.x86_64.rpm                                | 115 kB  00:00:00
(25/39): libselinux-python-2.5-12.amzn2.0.2.x86_64.rpm                             | 237 kB  00:00:00
(26/39): libsepol-devel-2.5-10.amzn2.0.1.x86_64.rpm                                |  77 kB  00:00:00
(27/39): libtool-2.4.2-22.2.amzn2.0.2.x86_64.rpm                                   | 588 kB  00:00:00
(28/39): libverto-devel-0.2.5-4.amzn2.0.2.x86_64.rpm                               |  12 kB  00:00:00
(29/39): m4-1.4.16-10.amzn2.0.2.x86_64.rpm                                         | 256 kB  00:00:00
(30/39): mpfr-3.1.1-4.amzn2.0.2.x86_64.rpm                                         | 208 kB  00:00:00
(31/39): openssl-devel-1.0.2k-24.amzn2.0.12.x86_64.rpm                             | 1.5 MB  00:00:00
(32/39): pcre-devel-8.32-17.amzn2.0.3.x86_64.rpm                                   | 480 kB  00:00:00
(33/39): perl-Data-Dumper-2.145-3.amzn2.0.2.x86_64.rpm                             |  48 kB  00:00:00
(34/39): perl-Test-Harness-3.28-3.amzn2.noarch.rpm                                 | 302 kB  00:00:00
(35/39): perl-Thread-Queue-3.02-2.amzn2.noarch.rpm                                 |  17 kB  00:00:00
(36/39): python-IPy-0.75-6.amzn2.0.1.noarch.rpm                                    |  32 kB  00:00:00
(37/39): policycoreutils-python-2.5-22.amzn2.x86_64.rpm                            | 454 kB  00:00:00
(38/39): setools-libs-3.3.8-2.amzn2.0.2.x86_64.rpm                                 | 618 kB  00:00:00
(39/39): zlib-devel-1.2.7-19.amzn2.0.3.x86_64.rpm                                  |  51 kB  00:00:00
----------------------------------------------------------------------------------------------------------------
Total                                                                      47 MB/s |  55 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : mpfr-3.1.1-4.amzn2.0.2.x86_64                                1/39
  Installing : libmpc-1.0.1-3.amzn2.0.2.x86_64                              2/39
  Installing : cpp-7.3.1-17.amzn2.x86_64                                    3/39
  Installing : libsepol-devel-2.5-10.amzn2.0.1.x86_64                       4/39
  Installing : kernel-headers-5.10.220-209.869.amzn2.x86_64                 5/39
  Installing : glibc-headers-2.26-64.amzn2.0.2.x86_64                       6/39
  Installing : glibc-devel-2.26-64.amzn2.0.2.x86_64                         7/39
  Installing : m4-1.4.16-10.amzn2.0.2.x86_64                                8/39
  Installing : libcilkrts-7.3.1-17.amzn2.x86_64                             9/39
  Installing : zlib-devel-1.2.7-19.amzn2.0.3.x86_64                        10/39
  Installing : pcre-devel-8.32-17.amzn2.0.3.x86_64                         11/39
  Installing : libselinux-devel-2.5-12.amzn2.0.2.x86_64                    12/39
  Installing : libmpx-7.3.1-17.amzn2.x86_64                                13/39
  Installing : keyutils-libs-devel-1.5.8-3.amzn2.0.2.x86_64                14/39
  Installing : libatomic-7.3.1-17.amzn2.x86_64                             15/39
  Installing : perl-Data-Dumper-2.145-3.amzn2.0.2.x86_64                   16/39
  Installing : autoconf-2.69-11.amzn2.noarch                               17/39
  Installing : checkpolicy-2.5-6.amzn2.x86_64                              18/39
  Installing : libcgroup-0.41-21.amzn2.x86_64                              19/39
  Installing : libsemanage-python-2.5-11.amzn2.x86_64                      20/39
  Installing : libkadm5-1.15.1-55.amzn2.2.8.x86_64                         21/39
  Installing : setools-libs-3.3.8-2.amzn2.0.2.x86_64                       22/39
  Installing : libverto-devel-0.2.5-4.amzn2.0.2.x86_64                     23/39
  Installing : libsanitizer-7.3.1-17.amzn2.x86_64                          24/39
  Installing : libselinux-python-2.5-12.amzn2.0.2.x86_64                   25/39
  Installing : libquadmath-7.3.1-17.amzn2.x86_64                           26/39
  Installing : audit-libs-python-2.8.1-3.amzn2.1.x86_64                    27/39
  Installing : perl-Test-Harness-3.28-3.amzn2.noarch                       28/39
  Installing : libitm-7.3.1-17.amzn2.x86_64                                29/39
  Installing : gcc-7.3.1-17.amzn2.x86_64                                   30/39
  Installing : libcom_err-devel-1.42.9-19.amzn2.0.1.x86_64                 31/39
  Installing : krb5-devel-1.15.1-55.amzn2.2.8.x86_64                       32/39
  Installing : perl-Thread-Queue-3.02-2.amzn2.noarch                       33/39
  Installing : automake-1.13.4-3.1.amzn2.noarch                            34/39
  Installing : python-IPy-0.75-6.amzn2.0.1.noarch                          35/39
  Installing : policycoreutils-python-2.5-22.amzn2.x86_64                  36/39
  Installing : libtool-2.4.2-22.2.amzn2.0.2.x86_64                         37/39
  Installing : 1:openssl-devel-1.0.2k-24.amzn2.0.12.x86_64                 38/39
  Installing : gcc-c++-7.3.1-17.amzn2.x86_64                               39/39
  Verifying  : python-IPy-0.75-6.amzn2.0.1.noarch                           1/39
  Verifying  : perl-Thread-Queue-3.02-2.amzn2.noarch                        2/39
  Verifying  : libcom_err-devel-1.42.9-19.amzn2.0.1.x86_64                  3/39
  Verifying  : libitm-7.3.1-17.amzn2.x86_64                                 4/39
  Verifying  : perl-Test-Harness-3.28-3.amzn2.noarch                        5/39
  Verifying  : audit-libs-python-2.8.1-3.amzn2.1.x86_64                     6/39
  Verifying  : policycoreutils-python-2.5-22.amzn2.x86_64                   7/39
  Verifying  : libquadmath-7.3.1-17.amzn2.x86_64                            8/39
  Verifying  : libmpc-1.0.1-3.amzn2.0.2.x86_64                              9/39
  Verifying  : 1:openssl-devel-1.0.2k-24.amzn2.0.12.x86_64                 10/39
  Verifying  : glibc-headers-2.26-64.amzn2.0.2.x86_64                      11/39
  Verifying  : libselinux-python-2.5-12.amzn2.0.2.x86_64                   12/39
  Verifying  : libsanitizer-7.3.1-17.amzn2.x86_64                          13/39
  Verifying  : glibc-devel-2.26-64.amzn2.0.2.x86_64                        14/39
  Verifying  : autoconf-2.69-11.amzn2.noarch                               15/39
  Verifying  : libverto-devel-0.2.5-4.amzn2.0.2.x86_64                     16/39
  Verifying  : setools-libs-3.3.8-2.amzn2.0.2.x86_64                       17/39
  Verifying  : cpp-7.3.1-17.amzn2.x86_64                                   18/39
  Verifying  : libkadm5-1.15.1-55.amzn2.2.8.x86_64                         19/39
  Verifying  : mpfr-3.1.1-4.amzn2.0.2.x86_64                               20/39
  Verifying  : libsemanage-python-2.5-11.amzn2.x86_64                      21/39
  Verifying  : krb5-devel-1.15.1-55.amzn2.2.8.x86_64                       22/39
  Verifying  : libcgroup-0.41-21.amzn2.x86_64                              23/39
  Verifying  : checkpolicy-2.5-6.amzn2.x86_64                              24/39
  Verifying  : automake-1.13.4-3.1.amzn2.noarch                            25/39
  Verifying  : perl-Data-Dumper-2.145-3.amzn2.0.2.x86_64                   26/39
  Verifying  : gcc-c++-7.3.1-17.amzn2.x86_64                               27/39
  Verifying  : libatomic-7.3.1-17.amzn2.x86_64                             28/39
  Verifying  : libtool-2.4.2-22.2.amzn2.0.2.x86_64                         29/39
  Verifying  : gcc-7.3.1-17.amzn2.x86_64                                   30/39
  Verifying  : keyutils-libs-devel-1.5.8-3.amzn2.0.2.x86_64                31/39
  Verifying  : libmpx-7.3.1-17.amzn2.x86_64                                32/39
  Verifying  : pcre-devel-8.32-17.amzn2.0.3.x86_64                         33/39
  Verifying  : zlib-devel-1.2.7-19.amzn2.0.3.x86_64                        34/39
  Verifying  : libselinux-devel-2.5-12.amzn2.0.2.x86_64                    35/39
  Verifying  : libcilkrts-7.3.1-17.amzn2.x86_64                            36/39
  Verifying  : m4-1.4.16-10.amzn2.0.2.x86_64                               37/39
  Verifying  : kernel-headers-5.10.220-209.869.amzn2.x86_64                38/39
  Verifying  : libsepol-devel-2.5-10.amzn2.0.1.x86_64                      39/39

Installed:
  autoconf.noarch 0:2.69-11.amzn2      automake.noarch 0:1.13.4-3.1.amzn2      gcc.x86_64 0:7.3.1-17.amzn2      gcc-c++.x86_64 0:7.3.1-17.amzn2      libtool.x86_64 0:2.4.2-22.2.amzn2.0.2
openssl-devel.x86_64 1:1.0.2k-24.amzn2.0.12 policycoreutils-python.x86_64 0:2.5-22.amzn2 Dependency Installed: audit-libs-python.x86_64 0:2.8.1-3.amzn2.1 checkpolicy.x86_64 0:2.5-6.amzn2 cpp.x86_64 0:7.3.1-17.amzn2 glibc-devel.x86_64 0:2.26-64.amzn2.0.2 glibc-headers.x86_64 0:2.26-64.amzn2.0.2 kernel-headers.x86_64 0:5.10.220-209.869.amzn2 keyutils-libs-devel.x86_64 0:1.5.8-3.amzn2.0.2 krb5-devel.x86_64 0:1.15.1-55.amzn2.2.8 libatomic.x86_64 0:7.3.1-17.amzn2 libcgroup.x86_64 0:0.41-21.amzn2 libcilkrts.x86_64 0:7.3.1-17.amzn2 libcom_err-devel.x86_64 0:1.42.9-19.amzn2.0.1 libitm.x86_64 0:7.3.1-17.amzn2 libkadm5.x86_64 0:1.15.1-55.amzn2.2.8 libmpc.x86_64 0:1.0.1-3.amzn2.0.2 libmpx.x86_64 0:7.3.1-17.amzn2 libquadmath.x86_64 0:7.3.1-17.amzn2 libsanitizer.x86_64 0:7.3.1-17.amzn2 libselinux-devel.x86_64 0:2.5-12.amzn2.0.2 libselinux-python.x86_64 0:2.5-12.amzn2.0.2 libsemanage-python.x86_64 0:2.5-11.amzn2 libsepol-devel.x86_64 0:2.5-10.amzn2.0.1 libverto-devel.x86_64 0:0.2.5-4.amzn2.0.2 m4.x86_64 0:1.4.16-10.amzn2.0.2 mpfr.x86_64 0:3.1.1-4.amzn2.0.2 pcre-devel.x86_64 0:8.32-17.amzn2.0.3 perl-Data-Dumper.x86_64 0:2.145-3.amzn2.0.2 perl-Test-Harness.noarch 0:3.28-3.amzn2 perl-Thread-Queue.noarch 0:3.02-2.amzn2 python-IPy.noarch 0:0.75-6.amzn2.0.1 setools-libs.x86_64 0:3.3.8-2.amzn2.0.2 zlib-devel.x86_64 0:1.2.7-19.amzn2.0.3 Complete! [root@ip-172-31-17-47 ec2-user]# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /bin/g++ /usr/bin/c++ && ln -fs /bin/gcc /usr/bin/cc && cd .. 
&& rm -rf gcc-* % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 122M 100 122M 0 0 126M 0 --:--:-- --:--:-- --:--:-- 126M 2024-07-23 16:32:54 URL: ftp://gcc.gnu.org/pub/gcc/infrastructure/gmp-6.1.0.tar.bz2 [2383840] -> "./gmp-6.1.0.tar.bz2" [1] 2024-07-23 16:32:54 URL: ftp://gcc.gnu.org/pub/gcc/infrastructure/mpfr-3.1.4.tar.bz2 [1279284] -> "./mpfr-3.1.4.tar.bz2" [1] 2024-07-23 16:32:55 URL: ftp://gcc.gnu.org/pub/gcc/infrastructure/mpc-1.0.3.tar.gz [669925] -> "./mpc-1.0.3.tar.gz" [1] 2024-07-23 16:32:55 URL: ftp://gcc.gnu.org/pub/gcc/infrastructure/isl-0.18.tar.bz2 [1658291] -> "./isl-0.18.tar.bz2" [1] gmp-6.1.0.tar.bz2: OK mpfr-3.1.4.tar.bz2: OK mpc-1.0.3.tar.gz: OK isl-0.18.tar.bz2: OK All prerequisites downloaded successfully. checking build system type... x86_64-pc-linux-gnu checking host system type... x86_64-pc-linux-gnu ... (omitted as the command generated many lines) ... ---------------------------------------------------------------------- Libraries have been installed in: /usr/lib/../lib64 If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the `-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the `LD_LIBRARY_PATH' environment variable during execution - add LIBDIR to the `LD_RUN_PATH' environment variable during linking - use the `-Wl,-rpath -Wl,LIBDIR' linker flag - have your system administrator add LIBDIR to `/etc/ld.so.conf' See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. 
---------------------------------------------------------------------- /bin/mkdir -p '/usr/share/info' /bin/install -c -m 644 ../.././libitm/libitm.info '/usr/share/info' install-info --info-dir='/usr/share/info' '/usr/share/info/libitm.info' make[4]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libitm' make[3]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libitm' make[2]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libitm' make[2]: Entering directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic' Makefile:867: warning: overriding recipe for target `all-multi' Makefile:861: warning: ignoring old recipe for target `all-multi' Making install in testsuite make[3]: Entering directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic/testsuite' make[4]: Entering directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic/testsuite' make[4]: Nothing to be done for `install-exec-am'. make[4]: Nothing to be done for `install-data-am'. 
make[4]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic/testsuite' make[3]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic/testsuite' make[3]: Entering directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic' Makefile:867: warning: overriding recipe for target `all-multi' Makefile:861: warning: ignoring old recipe for target `all-multi' true DO=all multi-do # make make[4]: Entering directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic' Makefile:867: warning: overriding recipe for target `all-multi' Makefile:861: warning: ignoring old recipe for target `all-multi' true DO=install multi-do # make /bin/mkdir -p '/usr/lib/../lib64' /bin/sh ./libtool --mode=install /bin/install -c libatomic.la '/usr/lib/../lib64' libtool: install: /bin/install -c .libs/libatomic.so.1.2.0 /usr/lib/../lib64/libatomic.so.1.2.0 libtool: install: (cd /usr/lib/../lib64 && { ln -s -f libatomic.so.1.2.0 libatomic.so.1 || { rm -f libatomic.so.1 && ln -s libatomic.so.1.2.0 libatomic.so.1; }; }) libtool: install: (cd /usr/lib/../lib64 && { ln -s -f libatomic.so.1.2.0 libatomic.so || { rm -f libatomic.so && ln -s libatomic.so.1.2.0 libatomic.so; }; }) libtool: install: /bin/install -c .libs/libatomic.lai /usr/lib/../lib64/libatomic.la libtool: install: /bin/install -c .libs/libatomic.a /usr/lib/../lib64/libatomic.a libtool: install: chmod 644 /usr/lib/../lib64/libatomic.a libtool: install: ranlib /usr/lib/../lib64/libatomic.a libtool: finish: PATH="/sbin:/bin:/usr/sbin:/usr/bin:/sbin" ldconfig -n /usr/lib/../lib64 ---------------------------------------------------------------------- Libraries have been installed in: /usr/lib/../lib64 If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the `-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the `LD_LIBRARY_PATH' 
environment variable during execution - add LIBDIR to the `LD_RUN_PATH' environment variable during linking - use the `-Wl,-rpath -Wl,LIBDIR' linker flag - have your system administrator add LIBDIR to `/etc/ld.so.conf' See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. ---------------------------------------------------------------------- make[4]: Nothing to be done for `install-data-am'. make[4]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic' make[3]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic' make[2]: Leaving directory `/home/ec2-user/gcc-9.4.0/x86_64-pc-linux-gnu/libatomic' make[1]: Leaving directory `/home/ec2-user/gcc-9.4.0' root@ip-172-31-17-47 ec2-user]# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 8765k 100 8765k 0 0 24.6M 0 --:--:-- --:--:-- --:--:-- 24.6M [root@ip-172-31-17-47 ec2-user]# cd cmake-3.18.3 && ./bootstrap --no-system-curl --------------------------------------------- CMake 3.18.3, Copyright 2000-2020 Kitware, Inc. and Contributors Found GNU toolchain C compiler on this system is: gcc C++ compiler on this system is: g++ Makefile processor on this system is: gmake g++ has setenv g++ has unsetenv g++ does not have environ in stdlib.h g++ has stl wstring g++ has --------------------------------------------- ... (omitted as it generated many lines) .... 
-- Checking support for ARCHIVE_CRYPTO_SHA1_LIBMD -- not found -- Checking support for ARCHIVE_CRYPTO_SHA256_LIBMD -- Checking support for ARCHIVE_CRYPTO_SHA256_LIBMD -- not found -- Checking support for ARCHIVE_CRYPTO_SHA512_LIBMD -- Checking support for ARCHIVE_CRYPTO_SHA512_LIBMD -- not found -- Checking for curses support -- Checking for curses support - Failed -- Looking for elf.h -- Looking for elf.h - found -- Looking for a Fortran compiler -- Looking for a Fortran compiler - NOTFOUND -- Performing Test run_pic_test -- Performing Test run_pic_test - Success -- Performing Test run_inlines_hidden_test -- Performing Test run_inlines_hidden_test - Success -- Configuring done -- Generating done -- Build files have been written to: /home/ec2-user/cmake-3.18.3 --------------------------------------------- CMake has bootstrapped. Now run gmake. [root@ip-172-31-17-47 cmake-3.18.3]# make -j$(nproc) && make install Scanning dependencies of target cmstd Scanning dependencies of target kwiml_test Scanning dependencies of target cmsys_c Scanning dependencies of target cmsys [ 0%] Building CXX object Utilities/std/CMakeFiles/cmstd.dir/cm/bits/string_view.cxx.o [ 0%] Building C object Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test.c.o [ 0%] Building C object Source/kwsys/CMakeFiles/cmsys_c.dir/ProcessUNIX.c.o [ 0%] Building C object Source/kwsys/CMakeFiles/cmsys.dir/ProcessUNIX.c.o [ 0%] Building C object Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test_abi_C.c.o [ 0%] Building C object Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test_int_C.c.o [ 0%] Linking CXX static library libcmstd.a [ 0%] Built target cmstd Scanning dependencies of target cmlibrhash [ 0%] Building C object Utilities/cmlibrhash/CMakeFiles/cmlibrhash.dir/librhash/algorithms.c.o [ 0%] Building C object Utilities/cmlibrhash/CMakeFiles/cmlibrhash.dir/librhash/byte_order.c.o [ 0%] Building C object Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test_include_C.c.o [ 0%] Building CXX object 
Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test_abi_CXX.cxx.o [ 1%] Building C object Utilities/cmlibrhash/CMakeFiles/cmlibrhash.dir/librhash/hex.c.o [ 1%] Building CXX object Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test_int_CXX.cxx.o [ 1%] Building C object Utilities/cmlibrhash/CMakeFiles/cmlibrhash.dir/librhash/md5.c.o [ 1%] Building CXX object Utilities/KWIML/test/CMakeFiles/kwiml_test.dir/test_include_CXX.cxx.o [ 1%] Building C object Utilities/cmlibrhash/CMakeFiles/cmlibrhash.dir/librhash/rhash.c.o [ 1%] Building C object Source/kwsys/CMakeFiles/cmsys_c.dir/Base64.c.o [ 1%] Building C object Utilities/cmlibrhash/CMakeFiles/cmlibrhash.dir/librhash/sha1.c.o [ 1%] Building C object Source/kwsys/CMakeFiles/cmsys.dir/Base64.c.o [ 1%] Linking CXX executable kwiml_test ... (omitted as it generated many lines) .... -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_CL.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_CSharp.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_Cuda.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_CudaHost.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_LIB.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_Link.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_MASM.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_NASM.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v10_RC.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v11_CL.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v11_CSharp.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v11_LIB.json -- Installing: 
/usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v11_Link.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v11_MASM.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v11_RC.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v12_CL.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v12_CSharp.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v12_LIB.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v12_Link.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v12_MASM.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v12_RC.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v140_CL.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v140_CSharp.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v140_Link.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v141_CL.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v141_CSharp.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v141_Link.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v142_CL.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v142_CSharp.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v142_Link.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v14_LIB.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v14_MASM.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/FlagTables/v14_RC.json -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/nasm.props.in -- Installing: /usr/local/share/cmake-3.18/Templates/MSBuild/nasm.targets -- Installing: 
/usr/local/share/cmake-3.18/Templates/MSBuild/nasm.xml
-- Installing: /usr/local/share/cmake-3.18/Templates/TestDriver.cxx.in
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/ApplicationIcon.png
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/Logo.png
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/SmallLogo.png
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/SmallLogo44x44.png
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/SplashScreen.png
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/StoreLogo.png
-- Installing: /usr/local/share/cmake-3.18/Templates/Windows/Windows_TemporaryKey.pfx
-- Installing: /usr/local/share/vim/vimfiles/indent
-- Installing: /usr/local/share/vim/vimfiles/indent/cmake.vim
-- Installing: /usr/local/share/vim/vimfiles/syntax
-- Installing: /usr/local/share/vim/vimfiles/syntax/cmake.vim
-- Installing: /usr/local/share/emacs/site-lisp/cmake-mode.el
-- Installing: /usr/local/share/aclocal/cmake.m4
-- Installing: /usr/local/share/bash-completion/completions/cmake
-- Installing: /usr/local/share/bash-completion/completions/cpack
-- Installing: /usr/local/share/bash-completion/completions/ctest
[root@ip-172-31-17-47 cmake-3.18.3]# cd .. && rm -rf cmake-*
[root@ip-172-31-17-47 ec2-user]#
[root@ip-172-31-17-47 ec2-user]# curl -Ls https://github.com/wazuh/wazuh/archive/refs/tags/v4.9.0-alpha3.tar.gz | tar zx
[root@ip-172-31-17-47 ec2-user]# ll
total 4
drwxrwxr-x 15 root root 4096 jul 19 10:06 wazuh-4.9.0-alpha3
[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]# ./install.sh

  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Für eine deutsche Installation, wählen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en español, elija [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

 Wazuh v4.9.0 (Rev. 40903) Installation Script - https://www.wazuh.com

 You are about to start the installation process of Wazuh.
 You must have a C compiler pre-installed in your system.

  - System: Linux ip-172-31-17-47.us-east-2.compute.internal 5.10.220-209.869.amzn2.x86_64 (amzn 2.0)
  - User: root
  - Host: ip-172-31-17-47.us-east-2.compute.internal

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent

  - Agent (client) installation chosen.

2- Choose where to install Wazuh [/var/ossec]:

    - Installation will be made at /var/ossec .

3- Configuring Wazuh.

  3.1- What's the IP Address or hostname of the Wazuh server?: 172.31.22.197

   - Adding Server IP

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.5 - Do you want to enable active response? (y/n) [y]:

   - Active response enabled.

  3.6- Remote upgrades use packages signed by the system maintainer.
       The corresponding certificate (or root certificate) must be installed in the system in order to verify the WPK packages.
       By default, the root certificate by Wazuh is installed.

   - Do you want to add more certificates? (y/n)? [n]:

  3.7- Setting the configuration to analyze the following logs:
    -- journald
    -- /var/log/audit/audit.log
    -- /var/ossec/logs/active-responses.log

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at https://documentation.wazuh.com/.

   --- Press ENTER to continue ---

4- Installing the system
 DIR="/var/ossec"

 - Running the Makefile
Makefile:2650: warning: overriding recipe for target `win32/ui_resource.o'
(omitted)
Makefile:2653: warning: overriding recipe for target `win32/auth_resource.o'
Makefile:2593: warning: ignoring old recipe for target `win32/auth_resource.o'

General settings:
    TARGET:             agent
    V:
    DEBUG:
    DEBUGAD
    INSTALLDIR:         /var/ossec
    DATABASE:
    ONEWAY:             no
    CLEANFULL:          no
    RESOURCES_URL:      https://packages.wazuh.com/deps/30
    EXTERNAL_SRC_ONLY:
    HTTP_REQUEST_BRANCH:v1.0.0

User settings:
    WAZUH_GROUP:        wazuh
    WAZUH_USER:         wazuh

USE settings:
    USE_ZEROMQ:         no
    USE_GEOIP:          no
    USE_PRELUDE:        no
    USE_INOTIFY:        no
    USE_BIG_ENDIAN:     no
    USE_SELINUX:        yes
    USE_AUDIT:          yes
    DISABLE_SYSC:       no
    DISABLE_CISCAT:     no
    IMAGE_TRUST_CHECKS: 1
    CA_NAME:            DigiCert Assured ID Root CA

Mysql settings:
    includes:
    libs:

Pgsql settings:
    includes:
    libs:

Defines:
    -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_AUDIT -DCLIENT

Compiler:
    CFLAGS      -pthread -Iexternal/pacman/lib/libalpm/ -Iexternal/libarchive/libarchive -Wl,--start-group -Iexternal/audit-userspace/lib -DNDEBUG -O2 -DOSSECHIDS -DUSER="wazuh" -DGROUPGLOBAL="wazuh" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DIMAGE_TRUST_CHECKS=1 -DCA_NAME='DigiCert Assured ID Root CA' -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_AUDIT -DCLIENT -pipe -Wall -Wextra -std=gnu99 -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include -Iexternal/bzip2/ -Ishared_modules/common -Ishared_modules/dbsync/include -Ishared_modules/rsync/include -Iwazuh_modules/syscollector/include -Idata_provider/include -Iexternal/libpcre2/include -Iexternal/rpm//builddir/output/include -Isyscheckd/include -Ishared_modules/router/include -Ishared_modules/content_manager/include -Iwazuh_modules/vulnerability_scanner/include -I./shared_modules/
    LDFLAGS     '-Wl,-rpath,/../lib' -pthread -lrt -ldl -O2 -Lshared_modules/dbsync/build/lib -Lshared_modules/rsync/build/lib -Lwazuh_modules/syscollector/build/lib -Ldata_provider/build/lib -Lsyscheckd/build/lib
    LIBS        -lrt -ldl -lm
    CC          gcc
    MAKE        make

make[1]: Leaving directory `/home/ec2-user/wazuh-4.9.0-alpha3/src'

Done building agent
Wait for success...
success
Removing old SCA policies...
Installing SCA policies...
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-agent.service to /etc/systemd/system/wazuh-agent.service.

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    Thanks for using Wazuh.
    Please don't hesitate to contact us if you need help or find
    any bugs.

    Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

    More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---

 - More information at: https://documentation.wazuh.com/

[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]#
[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]# cat /var/ossec/etc/ossec.conf
172.31.22.197
1514 tcp
amzn, amzn2 10 60 yes aes
no 5000 500 no yes yes yes yes yes yes yes 43200 etc/shared/rootkit_files.txt etc/shared/rootkit_trojans.txt yes /var/lib/containerd /var/lib/docker/overlay2 yes 1800 1d yes wodles/java wodles/ciscat yes yes /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf yes no 1h yes yes yes yes yes yes yes 10 yes yes 12h yes no 43200 yes /etc,/usr/bin,/usr/sbin /bin,/sbin,/boot /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/random.seed /etc/adjtime /etc/httpd/logs /etc/utmpx /etc/wtmpx /etc/cups/certs /etc/dumpdates /etc/svc/volatile .log$|.swp$ /etc/ssl/private.key yes yes yes yes 10 50 yes 5m 10 journald journald audit /var/log/audit/audit.log syslog /var/ossec/logs/active-responses.log command df -P 360 full_command netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d netstat listening ports 360 full_command last -n 20 360 no etc/wpk_root.pem yes plain
[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]# ping 172.31.22.197
PING 172.31.22.197 (172.31.22.197) 56(84) bytes of data.
64 bytes from 172.31.22.197: icmp_seq=1 ttl=64 time=1.44 ms
64 bytes from 172.31.22.197: icmp_seq=2 ttl=64 time=1.63 ms
^C
[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]# systemctl start wazuh-agent
[root@ip-172-31-17-47 wazuh-4.9.0-alpha3]# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2024-07-24 14:02:01 UTC; 2s ago
  Process: 31787 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-agent.service
           ├─31814 /var/ossec/bin/wazuh-execd
           ├─31826 /var/ossec/bin/wazuh-agentd
           ├─31840 /var/ossec/bin/wazuh-syscheckd
           ├─31851 /var/ossec/bin/wazuh-logcollector
           ├─31869 /var/ossec/bin/wazuh-modulesd
           └─32080 rpm -q ypbind

jul 24 14:01:55 ip-172-31-17-47.us-east-2.compute.internal systemd[1]: Starting Wazuh agent...
jul 24 14:01:55 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Starting Wazuh v4.9.0...
jul 24 14:01:56 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Started wazuh-execd...
jul 24 14:01:57 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Started wazuh-agentd...
jul 24 14:01:57 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Started wazuh-syscheckd...
jul 24 14:01:58 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Started wazuh-logcollector...
jul 24 14:01:59 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Started wazuh-modulesd...
jul 24 14:02:01 ip-172-31-17-47.us-east-2.compute.internal env[31787]: Completed.
jul 24 14:02:01 ip-172-31-17-47.us-east-2.compute.internal systemd[1]: Started Wazuh agent.
```

![image](https://github.com/user-attachments/assets/e547f685-56a4-4a97-9c24-f3d867c1a94b)
![image](https://github.com/user-attachments/assets/708c00b7-5b95-4a48-8ea3-1c11858ffbf3)
efahnle commented 3 months ago

Cloudtrail configuration :green_circle:

Creating trail and bucket

![Screenshot from 2024-07-23 13-27-54](https://github.com/user-attachments/assets/edc6bbcc-739c-487e-90b0-d4a3ff0728cc)
![Screenshot from 2024-07-23 13-28-04](https://github.com/user-attachments/assets/0a8e6b1e-50e5-4773-8030-cf734783d94f)
![Screenshot from 2024-07-23 13-31-54](https://github.com/user-attachments/assets/2b9347b0-91a3-4d3e-9a05-e4da06e57415)

Configuring profile

```console
ec2-user@suse15-server:~> sudo bash
suse15-server:/home/ec2-user # cd /root/
suse15-server:~ # ll
total 16
-rw------- 1 root root     0 Jun 26 14:11 .bash_history
drwx------ 2 root root     6 Mar 15  2022 .gnupg
drwx------ 2 root root    29 Jul 23 14:22 .ssh
-rw------- 1 root root 13122 Jul 23 15:38 .viminfo
drwxr-xr-x 2 root root     6 Mar 15  2022 bin
suse15-server:~ # mkdir .aws
suse15-server:~ # cd .aws
suse15-server:~/.aws # vim credentials
suse15-server:~/.aws # cat credentials
[default]
aws_access_key_id =
aws_secret_access_key =
region=us-east-2
suse15-server:~/.aws # vim /var/ossec/etc/ossec.conf
suse15-server:~/.aws # grep -A10 "aws-s3" /var/ossec/etc/ossec.conf
no 30m yes no aws-cloudtrail-v4.9.0-alpha3-e2e-test default
```
efahnle commented 3 months ago

Cloudtrail use cases and events :green_circle:

IAM :green_circle:

### Get Group

![Screenshot from 2024-07-23 13-36-58](https://github.com/user-attachments/assets/0efdcdc4-34e5-449e-8167-b2892abf7b47)
![Screenshot from 2024-07-23 13-37-09](https://github.com/user-attachments/assets/4a3d2068-01af-42fe-acac-e794af5b858e)

### List users

![image](https://github.com/user-attachments/assets/1116c607-612b-4496-870d-b81e76b206ac)

EC2 :green_circle:

### Stop instance

![image](https://github.com/user-attachments/assets/881b073b-ad37-4a21-b3d3-cc158abf24cf)

### Run instance

![image](https://github.com/user-attachments/assets/fac8e20c-8acf-415c-be8a-e50705ee04cd)

Console login :green_circle:

![Screenshot from 2024-07-23 14-00-28](https://github.com/user-attachments/assets/c79868d6-2248-42d1-bfd2-58d48224266a)

Login failure :green_circle:

Trying with a non-existing user

![image](https://github.com/user-attachments/assets/b487f19b-6c2e-4aea-affa-7e3792c4dcb5)

Discard regex :green_circle:

```console
suse15-server:~/.aws # vim /var/ossec/etc/ossec.conf
suse15-server:~/.aws #
suse15-server:~/.aws # grep -A11 "aws-s3" /var/ossec/etc/ossec.conf
no 10m yes no aws-cloudtrail-v4.9.0-alpha3-e2e-test default Failure
suse15-server:~/.aws # systemctl restart wazuh-manager
suse15-server:~/.aws #
```

After that, I generated lots of failed logins:

![image](https://github.com/user-attachments/assets/acd564ad-b4bf-4b4e-8260-a628c04f2d81)

But none of those events actually got to Wazuh.

![image](https://github.com/user-attachments/assets/365ed5a1-a825-4b6f-94ba-e9d673d9c9b2)
![image](https://github.com/user-attachments/assets/5b3d2f0b-bc69-426b-90cf-924731d8c8eb)
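The filtering exercised in the discard-regex test above, reimplemented as an added example (not Wazuh's own aws-s3 wodle code) over constructed CloudTrail records. It assumes the regex is applied to the field `responseElements.ConsoleLogin` (the page shows only the value `Failure`) and that matching is anchored at the start of the value, as with `re.match`; the event records are sample data written for this example.

```python
"""Model of an aws-s3 <discard_regex> filter applied to CloudTrail records.

Added example, not Wazuh code. The dotted field path and start-anchored
matching are assumptions; the records below are constructed sample data.
"""
import json
import re
from typing import Any, Iterable

# Constructed CloudTrail records trimmed to the fields the tester's use cases
# touch: console login (success and failure), IAM GetGroup and EC2 StopInstances.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "nosuchuser"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "No username found in supplied account"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "GetGroup", "eventSource": "iam.amazonaws.com",
     "requestParameters": {"groupName": "admins"}},
    {"eventName": "StopInstances", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0000000000example"}]}}},
]


def resolve_field(item: Any, dotted_path: str) -> Any:
    """Walk a dotted path such as 'responseElements.ConsoleLogin' through nested dicts.

    Lists are searched element-wise and the hits collected; a missing key yields None,
    so an event that lacks the field can never be discarded by accident.
    """
    head, _, rest = dotted_path.partition(".")
    if isinstance(item, list):
        found = [resolve_field(i, dotted_path) for i in item]
        found = [f for f in found if f is not None]
        return found or None
    if not isinstance(item, dict) or head not in item:
        return None
    value = item[head]
    return resolve_field(value, rest) if rest else value


def should_discard(event: dict, field: str, pattern: str) -> bool:
    """True when the value found at `field` matches `pattern` (start-anchored, like re.match)."""
    value = resolve_field(event, field)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and re.match(pattern, v) for v in values)


def apply_discard_regex(events: Iterable[dict], field: str, pattern: str):
    """Split events into (forwarded, discarded), the way the wodle decides what to send on."""
    forwarded, discarded = [], []
    for ev in events:
        (discarded if should_discard(ev, field, pattern) else forwarded).append(ev)
    return forwarded, discarded


if __name__ == "__main__":
    kept, dropped = apply_discard_regex(SAMPLE_EVENTS, "responseElements.ConsoleLogin", "Failure")
    for ev in dropped:
        print("discarded:", json.dumps(ev)[:80])
    for ev in kept:
        print("forwarded:", ev["eventName"])
```

Note the trade-off the test demonstrates: with this filter in place the manager never receives the failed console logins, so any rule that counts repeated `ConsoleLogin` failures for the account stays silent.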
fdalmaup commented 3 months ago

Great work!

LGTM!