wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.9.1 - RC 4 - E2E UX tests - Security Configuration Assessment #26310

Closed juliamagan closed 4 weeks ago

juliamagan commented 1 month ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Installation assistant | Single node | Ubuntu 20.04 x86_64 |
| Server | Installation assistant | Single node | Ubuntu 20.04 x86_64 |
| Dashboard | Installation assistant | - | Ubuntu 20.04 x86_64 |
| Agent | Wazuh WUI one-liner deploy using FQDN | - | macOS Sequoia 15 x86_64, macOS Sequoia 15 aarch64 |

Test description

For the selected Wazuh Agent OS:

Known issues

Conclusions

Summarize the errors detected (Known Issues included). Illustrate using the table below. REMOVE CURRENT EXAMPLES:

| Status | Test | Failure type | Notes |
|---|---|---|---|
| :green_circle: | Check that their respective SCA policies are applied properly | | |
| :green_circle: | Use and activate a custom policy for any of them | | |
| :green_circle: | Disable a used policy and confirm it is not used anymore | | |
| :green_circle: | Push SCA config through the centralized config and check it applies properly | | |

Feedback

We value your feedback. Please provide insights on your testing experience.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

fcaffieri commented 4 weeks ago

Opened issue requesting resources https://github.com/wazuh/internal-devel-requests/issues/1669

fcaffieri commented 4 weeks ago

Install central components

Wazuh indexer deployment :green_circle:

- System info

```
root@ip-172-31-46-118:/home/ubuntu# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@ip-172-31-46-118:/home/ubuntu#
```

- Setup

```
root@ip-172-31-46-118:/home/ubuntu# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh
root@ip-172-31-46-118:/home/ubuntu# curl -sO https://packages-dev.wazuh.com/4.9/config.yml
root@ip-172-31-46-118:/home/ubuntu# nano config.yml
root@ip-172-31-46-118:/home/ubuntu# cat config.yml
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: 172.31.46.118
    #- name: node-2
    #  ip: ""
    #- name: node-3
    #  ip: ""

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: 172.31.35.223
    #  node_type: master
    #- name: wazuh-2
    #  ip: ""
    #  node_type: worker
    #- name: wazuh-3
    #  ip: ""
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: 172.31.32.21
root@ip-172-31-46-118:/home/ubuntu# sudo bash wazuh-install.sh --generate-config-files -i
16/10/2024 15:00:08 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.1
16/10/2024 15:00:08 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/10/2024 15:00:26 WARNING: Hardware checks ignored.
16/10/2024 15:00:26 INFO: --- Configuration files ---
16/10/2024 15:00:26 INFO: Generating configuration files.
16/10/2024 15:00:26 INFO: Generating the root certificate.
16/10/2024 15:00:26 INFO: Generating Admin certificates.
16/10/2024 15:00:27 INFO: Generating Wazuh indexer certificates.
16/10/2024 15:00:27 INFO: Generating Filebeat certificates.
16/10/2024 15:00:27 INFO: Generating Wazuh dashboard certificates.
16/10/2024 15:00:27 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
root@ip-172-31-46-118:/home/ubuntu#
```

- Copy wazuh-install-files.tar to all hosts:

```
$ sudo scp -P 2200 -i /tmp/test_e2e_4.9.1_rc4/idr-1669 ubuntu@ec2-18-232-68-118.compute-1.amazonaws.com:/home/ubuntu/wazuh-install-files.tar /tmp/test_e2e_4.9.1_rc4/
wazuh-install-files.tar                                100%   11KB  72.4KB/s   00:00
$ scp -P 2200 -i /tmp/test_e2e_4.9.1_rc4/idr-1669 /tmp/test_e2e_4.9.1_rc4/wazuh-install-files.tar ubuntu@ec2-54-145-34-64.compute-1.amazonaws.com:/home/ubuntu
wazuh-install-files.tar                                100%   11KB  69.6KB/s   00:00
$ scp -P 2200 -i /tmp/test_e2e_4.9.1_rc4/idr-1669 /tmp/test_e2e_4.9.1_rc4/wazuh-install-files.tar ubuntu@ec2-3-92-127-73.compute-1.amazonaws.com:/home/ubuntu
wazuh-install-files.tar                                100%   11KB  49.0KB/s   00:00
$
```

- Wazuh indexer install

```
root@ip-172-31-46-118:/home/ubuntu# sudo bash wazuh-install.sh --wazuh-indexer node-1 -i -o
16/10/2024 15:01:43 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.1
16/10/2024 15:01:43 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/10/2024 15:01:48 WARNING: Hardware checks ignored.
16/10/2024 15:01:52 INFO: --- Dependencies ----
16/10/2024 15:01:52 INFO: Installing apt-transport-https.
16/10/2024 15:01:59 INFO: Wazuh development repository added.
16/10/2024 15:01:59 INFO: --- Wazuh indexer ---
16/10/2024 15:01:59 INFO: Starting Wazuh indexer installation.
16/10/2024 15:02:55 INFO: Wazuh indexer installation finished.
16/10/2024 15:02:55 INFO: Wazuh indexer post-install configuration finished.
16/10/2024 15:02:55 INFO: Starting service wazuh-indexer.
16/10/2024 15:03:07 INFO: wazuh-indexer service started.
16/10/2024 15:03:07 INFO: Initializing Wazuh indexer cluster security settings.
16/10/2024 15:03:09 INFO: Wazuh indexer cluster initialized.
16/10/2024 15:03:09 INFO: Installation finished.
root@ip-172-31-46-118:/home/ubuntu# sudo bash wazuh-install.sh --start-cluster -i
16/10/2024 15:06:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.1
16/10/2024 15:06:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/10/2024 15:06:33 WARNING: Hardware checks ignored.
16/10/2024 15:06:37 INFO: Wazuh indexer cluster security configuration initialized.
16/10/2024 15:06:38 INFO: Updating the internal users.
16/10/2024 15:06:40 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
16/10/2024 15:06:49 INFO: Wazuh indexer cluster started.
root@ip-172-31-46-118:/home/ubuntu#
```

- Wazuh indexer cluster checks

```
root@ip-172-31-46-118:/home/ubuntu# sudo tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
  indexer_username: 'admin'
  indexer_password: 't8+2NZa85+gUjBNyGk.*NzBBqD1DkmCD'
root@ip-172-31-46-118:/home/ubuntu# curl -k -u admin:t8+2NZa85+gUjBNyGk.*NzBBqD1DkmCD https://172.31.46.118:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "e4Uy8zXNTQehCUTN89u8Aw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "df77813b351f3b8729809c90f18e6f4509e045f5",
    "build_date" : "2024-10-15T17:46:28.890396Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@ip-172-31-46-118:/home/ubuntu# curl -k -u admin:t8+2NZa85+gUjBNyGk.*NzBBqD1DkmCD https://172.31.46.118:9200/_cat/nodes?v
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
172.31.46.118           24          55   1    0.05    0.03     0.05 dimr      data,ingest,master,remote_cluster_client *               node-1
root@ip-172-31-46-118:/home/ubuntu#
root@ip-172-31-46-118:/home/ubuntu#
root@ip-172-31-46-118:/home/ubuntu# curl -k -u admin:t8+2NZa85+gUjBNyGk.*NzBBqD1DkmCD https://172.31.46.118:9200/_cat/indices?
green open .opensearch-observability 88Ig1rHURXaJ_vCwcdK64Q 1 0  0 0   208b   208b
green open .plugins-ml-config        sWoNF6I8Rd-Px0L3pAeSPw 1 0  1 0  3.9kb  3.9kb
green open .opendistro_security      XowN82wNTUuigYHqDapujg 1 0 10 1 58.1kb 58.1kb
root@ip-172-31-46-118:/home/ubuntu#
```
Wazuh server deployment :green_circle:

- System info

```
root@ip-172-31-35-223:/home/ubuntu# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@ip-172-31-35-223:/home/ubuntu#
```

- Wazuh server install

```
root@ip-172-31-35-223:/home/ubuntu# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh
root@ip-172-31-35-223:/home/ubuntu# ls -ltr
total 200
-rw-r--r-- 1 root   root   190522 Oct 16 15:27 wazuh-install.sh
-rwxr-xr-x 1 ubuntu ubuntu  11094 Oct 16 15:33 wazuh-install-files.tar
root@ip-172-31-35-223:/home/ubuntu# sudo bash wazuh-install.sh --wazuh-server wazuh-1 -i
16/10/2024 15:35:37 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.1
16/10/2024 15:35:37 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/10/2024 15:35:51 WARNING: Hardware checks ignored.
16/10/2024 15:35:55 INFO: --- Dependencies ----
16/10/2024 15:35:55 INFO: Installing apt-transport-https.
16/10/2024 15:36:02 INFO: Wazuh development repository added.
16/10/2024 15:36:02 INFO: --- Wazuh server ---
16/10/2024 15:36:02 INFO: Starting the Wazuh manager installation.
16/10/2024 15:36:54 INFO: Wazuh manager installation finished.
16/10/2024 15:36:54 INFO: Wazuh manager vulnerability detection configuration finished.
16/10/2024 15:36:54 INFO: Starting service wazuh-manager.
16/10/2024 15:37:09 INFO: wazuh-manager service started.
16/10/2024 15:37:09 INFO: Starting Filebeat installation.
16/10/2024 15:37:22 INFO: Filebeat installation finished.
16/10/2024 15:37:23 INFO: Filebeat post-install configuration finished.
16/10/2024 15:37:25 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
16/10/2024 15:37:47 INFO: Starting service filebeat.
16/10/2024 15:37:47 INFO: filebeat service started.
16/10/2024 15:37:48 INFO: Installation finished.
root@ip-172-31-35-223:/home/ubuntu# sudo /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40914"
WAZUH_TYPE="server"
root@ip-172-31-35-223:/home/ubuntu# sudo grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/10/16 15:37:06 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-ip-172-31-35-223', retrying until the connection is successful.
root@ip-172-31-35-223:/home/ubuntu# sudo systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-10-16 15:37:44 UTC; 2min 43s ago
      Tasks: 173 (limit: 9398)
     Memory: 3.9G
     CGroup: /system.slice/wazuh-manager.service
             ├─54658 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─54659 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─54662 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─54665 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─54706 /var/ossec/bin/wazuh-authd
             ├─54722 /var/ossec/bin/wazuh-db
             ├─54747 /var/ossec/bin/wazuh-execd
             ├─54761 /var/ossec/bin/wazuh-analysisd
             ├─54826 /var/ossec/bin/wazuh-syscheckd
             ├─54843 /var/ossec/bin/wazuh-remoted
             ├─54906 /var/ossec/bin/wazuh-logcollector
             ├─54963 /var/ossec/bin/wazuh-monitord
             └─55021 /var/ossec/bin/wazuh-modulesd

Oct 16 15:37:37 ip-172-31-35-223 env[54596]: Started wazuh-analysisd...
Oct 16 15:37:38 ip-172-31-35-223 env[54596]: Started wazuh-syscheckd...
Oct 16 15:37:39 ip-172-31-35-223 env[54596]: Started wazuh-remoted...
Oct 16 15:37:40 ip-172-31-35-223 env[54596]: Started wazuh-logcollector...
Oct 16 15:37:41 ip-172-31-35-223 env[54596]: Started wazuh-monitord...
Oct 16 15:37:41 ip-172-31-35-223 env[55019]: 2024/10/16 15:37:41 wazuh-modulesd:router: INFO: Loaded router module.
Oct 16 15:37:41 ip-172-31-35-223 env[55019]: 2024/10/16 15:37:41 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Oct 16 15:37:42 ip-172-31-35-223 env[54596]: Started wazuh-modulesd...
Oct 16 15:37:44 ip-172-31-35-223 env[54596]: Completed.
Oct 16 15:37:44 ip-172-31-35-223 systemd[1]: Started Wazuh manager.
root@ip-172-31-35-223:/home/ubuntu#
```
Wazuh dashboard deployment :green_circle:

- System info

```
ubuntu@ip-172-31-42-116:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```

- Wazuh dashboard install

```
root@ip-172-31-32-21:/home/ubuntu# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh
root@ip-172-31-32-21:/home/ubuntu# ls -ltr
total 200
-rwxr-xr-x 1 ubuntu ubuntu  11094 Oct 16 15:33 wazuh-install-files.tar
-rw-r--r-- 1 root   root   190522 Oct 16 15:41 wazuh-install.sh
root@ip-172-31-32-21:/home/ubuntu# sudo bash wazuh-install.sh --wazuh-dashboard dashboard -i
16/10/2024 15:41:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.1
16/10/2024 15:41:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/10/2024 15:41:42 WARNING: Hardware checks ignored.
16/10/2024 15:41:42 INFO: Wazuh web interface port will be 443.
16/10/2024 15:41:46 INFO: --- Dependencies ----
16/10/2024 15:41:46 INFO: Installing debhelper.
16/10/2024 15:42:34 INFO: Installing apt-transport-https.
16/10/2024 15:42:40 INFO: Wazuh development repository added.
16/10/2024 15:42:40 INFO: --- Wazuh dashboard ----
16/10/2024 15:42:40 INFO: Starting Wazuh dashboard installation.
16/10/2024 15:43:19 INFO: Wazuh dashboard installation finished.
16/10/2024 15:43:19 INFO: Wazuh dashboard post-install configuration finished.
16/10/2024 15:43:19 INFO: Starting service wazuh-dashboard.
16/10/2024 15:43:19 INFO: wazuh-dashboard service started.
16/10/2024 15:43:33 INFO: Initializing Wazuh dashboard web application.
16/10/2024 15:43:33 INFO: Wazuh dashboard web application initialized.
16/10/2024 15:43:33 INFO: --- Summary ---
16/10/2024 15:43:33 INFO: You can access the web interface https://172.31.32.21:443
    User: admin
    Password: t8+2NZa85+gUjBNyGk.*NzBBqD1DkmCD
16/10/2024 15:43:33 INFO: Installation finished.
root@ip-172-31-32-21:/home/ubuntu#
```

![image](https://github.com/user-attachments/assets/2675194d-7048-46a0-be94-12943ed03ae7)
fcaffieri commented 4 weeks ago

Install agents

Agents using FQDN

Agent macOS Sequoia 15 x86_64 🟢

- OS information

```
sh-3.2# uname -a
Darwin idr-1669-sequoia-15-4641 24.0.0 Darwin Kernel Version 24.0.0: Mon Aug 12 20:54:30 PDT 2024; root:xnu-11215.1.10~2/RELEASE_X86_64 x86_64
sh-3.2#
```

- Add FQDN to macOS endpoint

```
sh-3.2# echo 54.145.34.64 wazuh-server.com >> /etc/hosts
sh-3.2# grep server /etc/hosts
ec2-54-145-34-64.compute-1.amazonaws.com wazuh-server.com
54.145.34.64 wazuh-server.com
sh-3.2#
```

![image](https://github.com/user-attachments/assets/c4239555-6446-4f5b-b35b-fd99e227c13a)
![image](https://github.com/user-attachments/assets/25216baf-ab8a-4aac-994d-5df0bfcc9964)
![image](https://github.com/user-attachments/assets/4959e777-4e93-4081-9ec6-2785a0c8896a)

- Install Agent

```
sh-3.2# curl -so wazuh-agent.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.9.1-1.intel64.pkg && echo "WAZUH_MANAGER='wazuh-server.com' && WAZUH_AGENT_GROUP='default' && WAZUH_AGENT_NAME='MacOS-Sequoia-15-amd'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2#
sh-3.2# sudo /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# sudo /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40914"
WAZUH_TYPE="agent"
sh-3.2#
sh-3.2# sudo grep "address" /Library/Ossec/etc/ossec.conf
      <address>wazuh-server.com</address>
sh-3.2#
sh-3.2# sudo /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
sh-3.2#
```

- Check agent status on Dashboard

![image](https://github.com/user-attachments/assets/b21d6d83-f377-4af6-ae5d-607da37690a4)

- Check agent status on Wazuh-server

```
root@ip-172-31-35-223:/home/ubuntu# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-35-223 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: MacOS-Sequoia-15-amd, IP: any, Active

List of agentless devices:

root@ip-172-31-35-223:/home/ubuntu# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: MacOS-Sequoia-15-amd
   IP address: any
   Status:     Active

   Operating system:    Darwin |idr-1669-sequoia-15-4641 |24.0.0 |Darwin Kernel Version 24.0.0: Mon Aug 12 20:54:30 PDT 2024; root:xnu-11215.1.10~2/RELEASE_X86_64 |x86_64
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1729094680

   Syscheck last started at:  Wed Oct 16 16:02:41 2024
   Syscheck last ended at:    Wed Oct 16 16:02:48 2024

root@ip-172-31-35-223:/home/ubuntu#
```
Agent macOS Sequoia 15 aarch64 🟢

- OS information

```
sh-3.2# uname -a
Darwin idr-1669-sequoia-15-1214 24.0.0 Darwin Kernel Version 24.0.0: Mon Aug 12 20:54:20 PDT 2024; root:xnu-11215.1.10~2/RELEASE_ARM64_VMAPPLE arm64
sh-3.2#
```

- Add FQDN to endpoint

```
sh-3.2# echo 54.145.34.64 wazuh-server.com >> /etc/hosts
sh-3.2# echo ec2-54-145-34-64.compute-1.amazonaws.com wazuh-server.com >> /etc/hosts
sh-3.2# grep server /etc/hosts
54.145.34.64 wazuh-server.com
ec2-54-145-34-64.compute-1.amazonaws.com wazuh-server.com
sh-3.2#
```

![image](https://github.com/user-attachments/assets/c2dc718b-5ac4-4c76-8b54-cd0fa16d9c98)
![image](https://github.com/user-attachments/assets/a4744cd0-fad6-4f28-9185-519ab219a467)
![image](https://github.com/user-attachments/assets/f18007df-e71a-4c8b-ae01-6f544f6d77cd)

```
sh-3.2# curl -so wazuh-agent.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.9.1-1.arm64.pkg && echo "WAZUH_MANAGER='wazuh-server.com' && WAZUH_AGENT_GROUP='default' && WAZUH_AGENT_NAME='MacOS-Sequoia-15-arm'" > /tmp/wazuh_envs && sudo installer -pkg ./wazuh-agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# sudo /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# sudo /Library/Ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.1"
WAZUH_REVISION="40914"
WAZUH_TYPE="agent"
sh-3.2# sudo grep "address" /Library/Ossec/etc/ossec.conf
      <address>wazuh-server.com</address>
sh-3.2# sudo /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
sh-3.2#
```

- Check agent status on Dashboard

![image](https://github.com/user-attachments/assets/b70cb5a7-a6b8-4f07-84ba-2cecaaced020)

- Check agent status on Wazuh-server

```
root@ip-172-31-35-223:/home/ubuntu# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ip-172-31-35-223 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: MacOS-Sequoia-15-amd, IP: any, Active
   ID: 002, Name: MacOS-Sequoia-15-arm, IP: any, Active

List of agentless devices:

root@ip-172-31-35-223:/home/ubuntu# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: MacOS-Sequoia-15-arm
   IP address: any
   Status:     Active

   Operating system:    Darwin |idr-1669-sequoia-15-1214 |24.0.0 |Darwin Kernel Version 24.0.0: Mon Aug 12 20:54:20 PDT 2024; root:xnu-11215.1.10~2/RELEASE_ARM64_VMAPPLE |arm64
   Client version:      Wazuh v4.9.1
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1729095128

   Syscheck last started at:  Wed Oct 16 16:10:29 2024
   Syscheck last ended at:    Wed Oct 16 16:10:31 2024

root@ip-172-31-35-223:/home/ubuntu#
```

fcaffieri commented 4 weeks ago

Tests

Check that their respective SCA policies are applied properly :green_circle:

Agent macOS Sequoia 15 x86_64 🟢

- Check SCA policies are checked and applied

![image](https://github.com/user-attachments/assets/d9d8cce6-cc4b-4a0f-87aa-6361428641c0)

Agent macOS Sequoia 15 aarch64 🟢

- Check SCA policies are checked and applied

![image](https://github.com/user-attachments/assets/70250ed7-f872-4902-b382-695f39b3d926)
fcaffieri commented 4 weeks ago

Use and activate a custom policy for any agent :green_circle:

Agent macOS Sequoia 15 x86_64 🟢

- Configure policy

```
sh-3.2# mkdir /Library/Ossec/etc/custom-sca-files/
sh-3.2# nano /Library/Ossec/etc/custom-sca-files/processcheck.yml
sh-3.2# cat /Library/Ossec/etc/custom-sca-files/processcheck.yml
policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running processes on mac endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check macOS"
  description: "Requirements to verify that the endpoint is macOS."
  condition: any
  rules:
    - 'c:sw_vers -> r:^ProductName:\t*\s*macOS'

checks:
  - id: 10005
    title: "Ensure that netcat is not running on your endpoint"
    description: "Netcat is running on your endpoint."
    rationale: "Threat actors can use netcat to open ports on your endpoints or to connect to remote servers."
    remediation: "Kill the netcat process if confirmed to be malicious after further investigation."
    condition: none
    rules:
      - 'c:sh -c "ps -e -o command | grep -E \"^(nc|netcat) .*((-.*l.+[0-9]{1,5})|([0-9]{1,5}.*-.*l))\"" -> r:nc'
sh-3.2#
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# grep -n3 "processcheck.yml" /Library/Ossec/etc/ossec.conf
90-
91-
92-
93:      /Library/Ossec/etc/custom-sca-files/processcheck.yml
94-
95-
96-
sh-3.2# nc -l 4444&
[1] 3745
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2#
```

![image](https://github.com/user-attachments/assets/469398ed-18d4-4b7d-8d49-f33b71a76151)

Agent macOS Sequoia 15 aarch64 🟢

- Configure policy

```
sh-3.2# mkdir /Library/Ossec/etc/custom-sca-files/
sh-3.2# nano /Library/Ossec/etc/custom-sca-files/processcheck.yml
sh-3.2# cat /Library/Ossec/etc/custom-sca-files/processcheck.yml
policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running processes on mac endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check macOS"
  description: "Requirements to verify that the endpoint is macOS."
  condition: any
  rules:
    - 'c:sw_vers -> r:^ProductName:\t*\s*macOS'

checks:
  - id: 10005
    title: "Ensure that netcat is not running on your endpoint"
    description: "Netcat is running on your endpoint."
    rationale: "Threat actors can use netcat to open ports on your endpoints or to connect to remote servers."
    remediation: "Kill the netcat process if confirmed to be malicious after further investigation."
    condition: none
    rules:
      - 'c:sh -c "ps -e -o command | grep -E \"^(nc|netcat) .*((-.*l.+[0-9]{1,5})|([0-9]{1,5}.*-.*l))\"" -> r:nc'
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# grep -n3 "processcheck.yml" /Library/Ossec/etc/ossec.conf
90-
91-
92-
93:      /Library/Ossec/etc/custom-sca-files/processcheck.yml
94-
95-
96-
sh-3.2# nc -l 4444&
[1] 6091
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2#
```

![image](https://github.com/user-attachments/assets/53748972-14e4-4fd4-86cd-1b7c87cafb42)
fcaffieri commented 4 weeks ago

Disable a used policy and confirm it is not used anymore :green_circle:

Agent macOS Sequoia 15 x86_64 🟢

- Configure policy

```
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# grep -n3 "processcheck.yml" /Library/Ossec/etc/ossec.conf
90-
91-
92-
93:      /Library/Ossec/etc/custom-sca-files/processcheck.yml
94-
95-
96-
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2# grep "disabled by configuration" /Library/Ossec/logs/ossec.log
2024/10/16 09:32:57 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
sh-3.2#
```

![image](https://github.com/user-attachments/assets/f26d81f7-363e-4f63-b951-6654e4eee865)

Agent macOS Sequoia 15 aarch64 🟢

- Configure policy

```
sh-3.2# nano /Library/Ossec/etc/ossec.conf
sh-3.2# grep "processcheck.yml" /Library/Ossec/etc/ossec.conf
      /Library/Ossec/etc/custom-sca-files/processcheck.yml
sh-3.2#
sh-3.2# /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
sh-3.2#
sh-3.2# grep "disabled by configuration" /Library/Ossec/logs/ossec.log
2024/10/16 09:34:55 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
sh-3.2#
```

![image](https://github.com/user-attachments/assets/1c970920-fe20-455d-808f-437d83d3eef3)
fcaffieri commented 4 weeks ago

Push SCA config through the centralized config and check it applies properly :green_circle:

Shared configuration for Wazuh-server in Ubuntu Endpoint

```
root@ip-172-31-35-223:/home/ubuntu# nano /var/ossec/etc/shared/default/shared_custom_policy.yml
root@ip-172-31-35-223:/home/ubuntu# cat /var/ossec/etc/shared/default/shared_custom_policy.yml
policy:
  id: "shared_custom_policy"
  file: "shared_custom_policy.yml"
  name: "Custom shared policy for centralized SCA test."
  description: "Review whether shared policy for SCA is working as expected"

checks:
  - id: 20000
    title: "Linux endpoint should have Wazuh installed"
    description: "Check that the Linux endpoint contains the Wazuh installation directory"
    condition: all
    rules:
      - 'd:/var/ossec'
root@ip-172-31-35-223:/home/ubuntu# nano /var/ossec/etc/shared/default/agent.conf
root@ip-172-31-35-223:/home/ubuntu# cat /var/ossec/etc/shared/default/agent.conf
      etc/shared/shared_custom_policy.yml
      shared/shared_custom_policy.txt
root@ip-172-31-35-223:/home/ubuntu#
root@ip-172-31-35-223:/home/ubuntu# cp /var/ossec/etc/shared/default/shared_custom_policy.yml /var/ossec/etc/shared/default/shared_custom_policy.txt
root@ip-172-31-35-223:/home/ubuntu# systemctl restart wazuh-manager
root@ip-172-31-35-223:/home/ubuntu# /var/ossec/bin/verify-agent-conf
verify-agent-conf: Verifying [etc/shared/default/agent.conf]
2024/10/16 16:44:52 sca: WARNING: File 'etc/shared/shared_custom_policy.yml' not found.
2024/10/16 16:44:52 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
verify-agent-conf: OK
root@ip-172-31-35-223:/home/ubuntu#
```

Agent macOS Sequoia 15 x86_64 🟢

```
sh-3.2# nano /Library/Ossec/etc/internal_options.conf
sh-3.2# grep sca.remote_commands /Library/Ossec/etc/internal_options.conf
sca.remote_commands=1
sh-3.2# /Library/Ossec/bin/wazuh-control restart
2024/10/16 09:47:13 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
2024/10/16 09:47:18 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
Started wazuh-modulesd...
Completed.
sh-3.2#
sh-3.2# grep "custom" /Library/Ossec/logs/ossec.log
2024/10/16 09:25:21 sca: INFO: Loaded policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml'
2024/10/16 09:25:30 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/custom-sca-files/processcheck.yml'
2024/10/16 09:25:33 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml'
2024/10/16 09:32:57 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:42:41 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:43:21 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:43:21 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:43:27 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:43:27 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:43:27 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:43:42 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:43:45 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:44:28 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:44:28 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:44:35 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:44:35 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:44:35 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:44:44 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:44:47 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:47:13 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:47:18 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:47:18 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:47:18 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:47:29 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:47:32 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
sh-3.2#
```

![image](https://github.com/user-attachments/assets/3e22fe44-30c0-42ec-95e5-caea93d61629)

Agent macOS Sequoia 15 aarch64 🟢

```
sh-3.2# nano /Library/Ossec/etc/internal_options.conf
sh-3.2# grep sca.remote_commands /Library/Ossec/etc/internal_options.conf
sca.remote_commands=1
sh-3.2# /Library/Ossec/bin/wazuh-control restart
2024/10/16 09:50:00 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.9.1 Stopped
Starting Wazuh v4.9.1...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
2024/10/16 09:50:06 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
Started wazuh-modulesd...
Completed.
sh-3.2# grep "custom" /Library/Ossec/logs/ossec.log
2024/10/16 09:28:47 sca: INFO: Loaded policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml'
2024/10/16 09:28:53 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/custom-sca-files/processcheck.yml'
2024/10/16 09:28:56 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml'
2024/10/16 09:34:55 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:42:41 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:43:20 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:43:20 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:43:26 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:43:26 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:43:26 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:43:42 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:43:45 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:44:28 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:44:28 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:44:34 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:44:34 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:44:34 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:44:45 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:44:48 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
2024/10/16 09:50:00 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:50:06 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.
2024/10/16 09:50:06 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.
2024/10/16 09:50:06 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'
sh-3.2#
```

![image](https://github.com/user-attachments/assets/ee2f00a4-afeb-4e48-88bc-a6ae6c4d3db2)
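The custom `processcheck.yml` in the two test comments above and the `shared_custom_policy.yml` pushed through `agent.conf` share one structure: `policy` metadata, an optional `requirements` block, and a list of `checks` each carrying an `id`, a `condition` (`all`, `any` or `none`) and `rules` whose prefix names the rule type. The script below is an added example and not Wazuh's own code. It validates that structure, flags policies whose `c:` rules would need `sca.remote_commands=1` on the agent when the policy arrives from the manager (the setting changed in the test above), evaluates `d:`/`f:` existence rules against a throwaway directory tree, and reduces the `sca:` lines of `ossec.log` shown above to a per-policy state. The dict form of the policy, the temporary root directory, the state labels and the refusal to run command rules are this example's own assumptions, not Wazuh behaviour.

```python
import os
import re
import tempfile

# Parsed form of the shared_custom_policy.yml used in the centralized-config test
# above, written as a dict so that no YAML library is needed (example assumption).
SHARED_POLICY = {
    "policy": {"id": "shared_custom_policy", "file": "shared_custom_policy.yml",
               "name": "Custom shared policy for centralized SCA test.",
               "description": "Review whether shared policy for SCA is working as expected"},
    "checks": [{"id": 20000, "title": "Linux endpoint should have Wazuh installed",
                "condition": "all", "rules": ["d:/var/ossec"]}],
}

RULE_TYPES = ("f:", "d:", "p:", "r:", "c:")  # file, directory, process, registry, command


def validate_policy(policy):
    """Return structural problems; an empty list means the policy is well formed."""
    problems = []
    meta = policy.get("policy") or {}
    problems += [f"policy.{k} is missing" for k in ("id", "file", "name", "description") if not meta.get(k)]
    checks = policy.get("checks") or []
    if not checks:
        problems.append("checks: at least one check is required")
    seen = set()
    for check in checks:
        cid = check.get("id")
        if cid in seen:
            problems.append(f"check {cid}: duplicate id")
        seen.add(cid)
        if check.get("condition") not in ("all", "any", "none"):
            problems.append(f"check {cid}: condition must be all, any or none")
        rules = check.get("rules") or []
        problems += [f"check {cid}: unknown rule type in {r!r}" for r in rules if not r.startswith(RULE_TYPES)]
    return problems


def needs_remote_commands(policy):
    """True when any rule is a c: command. An agent only runs such rules from a policy
    pushed by the manager when sca.remote_commands=1, as set in the test above."""
    return any(r.startswith("c:") for c in policy.get("checks") or [] for r in c.get("rules") or [])


def evaluate_rule(rule, root):
    """Evaluate a d: or f: existence rule below a filesystem root; other types are not run."""
    kind, _, target = rule.partition(":")
    path = os.path.join(root, target.split("->")[0].strip().lstrip("/"))
    if kind == "d":
        return os.path.isdir(path)
    if kind == "f":
        return os.path.isfile(path)
    return None  # c:, p: and r: rules are deliberately not executed by this checker


def evaluate_policy(policy, root="/"):
    """Map each check id to 'passed', 'failed' or 'not evaluated' (this example's labels)."""
    results = {}
    for check in policy["checks"]:
        outcomes = [evaluate_rule(r, root) for r in check["rules"]]
        if None in outcomes:
            results[check["id"]] = "not evaluated"
            continue
        cond = check["condition"]
        ok = all(outcomes) if cond == "all" else any(outcomes) if cond == "any" else not any(outcomes)
        results[check["id"]] = "passed" if ok else "failed"
    return results


def make_demo_root(with_ossec=True):
    """Throwaway root that does or does not contain var/ossec (constructed for the demo)."""
    root = tempfile.mkdtemp(prefix="sca-demo-")
    if with_ossec:
        os.makedirs(os.path.join(root, "var", "ossec"))
    return root


SCA_LINE = re.compile(r"^\S+ \S+ sca: (?P<level>\w+): (?P<msg>.*)$")
QUOTED = re.compile(r"'([^']+)'")
SAMPLE_LOG = [  # log lines copied from the macOS agent output above
    "2024/10/16 09:47:18 sca: WARNING: File 'shared/shared_custom_policy.txt' not found.",
    "2024/10/16 09:47:18 sca: INFO: Policy '/Library/Ossec/etc/custom-sca-files/processcheck.yml' disabled by configuration.",
    "2024/10/16 09:47:18 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'",
    "2024/10/16 09:47:29 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/shared_custom_policy.yml'",
    "2024/10/16 09:47:32 sca: INFO: Evaluation finished for policy '/Library/Ossec/etc/shared/shared_custom_policy.yml'",
]


def summarize_sca_log(lines):
    """Reduce the sca lines of ossec.log to the last known state of each policy path."""
    state = {}
    for line in lines:
        match = SCA_LINE.match(line.strip())
        quoted = QUOTED.search(match.group("msg")) if match else None
        if not quoted:
            continue
        path, msg = quoted.group(1), match.group("msg")
        if "disabled by configuration" in msg:
            state[path] = "disabled"
        elif "not found" in msg:
            state[path] = "missing"
        elif msg.startswith("Loaded policy"):
            state[path] = "loaded"
        elif msg.startswith("Evaluation finished"):
            state[path] = "evaluated"
    return state
```

Running `evaluate_policy(SHARED_POLICY, root=make_demo_root())` reports check 20000 as passed, and the same call with `make_demo_root(False)` reports it as failed, which is the outcome the shared policy was written to distinguish. `summarize_sca_log(SAMPLE_LOG)` reduces the agent log to the three facts the test was checking: the `.txt` copy was never found, `processcheck.yml` stayed disabled, and the shared policy was loaded and evaluated.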
joaquinsgi commented 4 weeks ago

LGTM!

cborla commented 4 weeks ago

Observations

Conclusion

I'm moving it to pending final review.

fcaffieri commented 4 weeks ago

Added uname -a output for MacOS agents. Thanks @cborla