Release 4.8.0 - RC 3 - Specific systems

[wazuhci]

Packages tests metrics information

Main release stage issue	#23684
Main packages metrics issue	#23686
Version	4.8.0
Release stage	RC 3
Tag	https://github.com/wazuh/wazuh/tree/v4.8.0-rc3

---

Build packages

System	Status	Build
AIX	🟢	https://ci.wazuh.info/job/Packages_builder_special/985/
HPUX	🟢	https://ci.wazuh.info/job/Packages_builder_special/988/
S10 SPARC	🟢	https://ci.wazuh.info/job/Packages_builder_special/989/
S11 SPARC	🟢	https://ci.wazuh.info/job/Packages_builder_special/987/
OVA	🟢	https://ci.wazuh.info/job/Packages_Builder_OVA/353/
AMI	🟢	https://ci.wazuh.info/job/Packages_Builder_AMI/244/

---

Test packages

System	Build	Install	Deployment install	Upgrade	Remove	TCP	UDP	Errors found	Warnings found	Alerts found	Check users
AIX	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
HPUX	🟢	🟢	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
S10 SPARC	🟢	🟢	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
S11 SPARC	🟢	🟢	---	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
OVA	🟢	🟢	---	---	---	🟢	🟢	🟡	🟡	🟢	🟢
AMI	🟢	🟢	---	---	---	🟢	🟢	🟡	🟡	🟢	🟢

---

PPC64EL packages

System	Build	Install	Deployment install	Upgrade	Uninstall	Alerts	TCP	UDP	Errors	Warnings	System users
CentOS 7	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
Debian Stretch	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢

---

OVA/AMI specific tests

System	Filebeat test	Cluster green/yellow	Production repositories	UI Access	No SSH root access	SSH user access	Wazuh dashboard/APP version	Dashboard/Indexer VERSION file
OVA	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢
AMI	🟢	🟢	🟢	🟢	🟢	🟢	🟢	🟢

---

Status legend:
⚫ - Pending/In progress
⚪ - Skipped
🔴 - Rejected
🟡 - Ready to review
🟢 - Approved

---

Testing considerations

• Testing on PPC64EL systems must be done inside a container.
  • The container must be requested to CICD team using an internal-devel-request, with access through authorized keys and a specific password.
• When testing on PPC64EL Debian, installing procps may be required if it is not present in the container.

---

Conclusion 🟡

Known issues

• Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046
• Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511
• Remoted show Too big message size from socket after receiving a Wazuh agent message #17596

Auditor's validation

In order to close and proceed with the release or the next candidate version, the following auditors must give the green light to this RC.

• @davidjiglesias

---

[juliamagan]

Analysis report - AIX 🟢

System info 🟢

bash-4.4$ hostname
soaxp249
bash-4.4$ uname -a
AIX soaxp249 1 6 00CADA644C00

Installation with variables 🟢

• Wazuh agent

bash-4.4# curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.8.0-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14.3M  100 14.3M    0     0  10.7M      0  0:00:01  0:00:01 --:--:-- 10.7M

bash-4.4#  WAZUH_MANAGER="X.X.X.X" rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

bash-4.4# grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>

• Wazuh server

[root@wazuh-server wazuh-user]#  /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: soaxp249
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp249 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716887338

   Syscheck last started at:  Tue May 28 09:08:49 2024
   Syscheck last ended at:    Tue May 28 09:08:57 2024

Installation without variables 🟢

• Wazuh agent

bash-4.4# rpm -ivh wazuh-agent-4.8.0-1.aix.ppc.rpm
wazuh-agent                 ##################################################

  
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

bash-4.4# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh server

[root@wazuh-server wazuh-user]#  /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: soaxp249
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp249 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716887634

   Syscheck last started at:  Tue May 28 09:13:15 2024
   Syscheck last ended at:    Tue May 28 09:13:22 2024

Generate alerts (TCP & UDP) 🟢

• TCP

• Wazuh Agent

bash-4.4# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/28 04:13:07 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 04:13:07 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 04:13:14 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 04:13:14 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

• TCP
• Wazuh Server

{"timestamp":"2024-05-28T09:13:37.002+0000","rule":{"level":9,"description":"SCA summary: System audit for Unix based systems: Score less than 30% (0)","id":"19005","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"soaxp249","ip":"192.168.254.249"},"manager":{"name":"wazuh-server"},"id":"1716887617.151306","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"22622","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"0","failed":"10","invalid":"13","total_checks":"23","score":"0","file":"sca_unix_audit.yml"}},"location":"sca"}

• UDP
• Wazuh Agent

bash-4.4#  grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>

bash-4.4#  /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.


    
bash-4.4# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/28 04:15:54 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/28 04:15:54 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

• UDP
• Wazuh Server

{"timestamp":"2024-05-28T09:16:00.061+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":41,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"soaxp249","ip":"192.168.254.249"},"manager":{"name":"wazuh-server"},"id":"1716887760.183444","full_log":"File '/tmp/.com_ibm_tools_attach/_notifier' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.com_ibm_tools_attach/_notifier"},"location":"rootcheck"}

Removal 🟢

bash-4.4# rpm -e wazuh-agent
rmdir of /var/ossec/tmp/src/init failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic/localfile-logs failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config/generic failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates/config failed: No such file or directory
rmdir of /var/ossec/tmp/etc/templates failed: No such file or directory
cannot remove /var/ossec/queue/syscollector/db - directory not empty
cannot remove /var/ossec/queue/syscollector - directory not empty
cannot remove /var/ossec/queue/logcollector - directory not empty
cannot remove /var/ossec/queue/fim/db - directory not empty
cannot remove /var/ossec/queue/fim - directory not empty
cannot remove /var/ossec/queue - directory not empty
removal of /var/ossec/logs/ossec.json failed: No such file or directory
cannot remove /var/ossec/etc/shared - directory not empty
cannot remove /var/ossec/etc - directory not empty
cannot remove /var/ossec - directory not empty

Check users and groups 🟢

bash-4.4# cat /etc/passwd | grep wazuh
wazuh:*:209:1::/home/wazuh:/usr/bin/ksh
bash-4.4# cat /etc/group | grep wazuh
wazuh:!:208:wazuh

Errors and warnings 🟢

bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0

Upgrade 🟢

• Install previous version:

bash-4.4# curl -O -k https://packages-dev.wazuh.com/pre-release/aix/wazuh-agent-4.7.5-1.aix.ppc.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13.5M  100 13.5M    0     0  10.4M      0  0:00:01  0:00:01 --:--:-- 10.5M


bash-4.4# WAZUH_MANAGER="X.X.X.X" rpm -ivh wazuh-agent-4.7.5-1.aix.ppc.rpm
wazuh-agent                 ##################################################

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.7.5"
WAZUH_REVISION="40719"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp249
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp249 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.7.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716888234

   Syscheck last started at:  Tue May 28 09:20:45 2024
   Syscheck last ended at:    Tue May 28 09:20:52 2024

• Upgrade:

bash-4.4# rpm -U wazuh-agent-4.8.0-1.aix.ppc.rpm
bash-4.4# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 003

Wazuh agent_control. Agent information:
   Agent ID:   003
   Agent Name: soaxp249
   IP address: any
   Status:     Active

   Operating system:    AIX |soaxp249 |1 |6 |00CADA644C00
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716888374

   Syscheck last started at:  Tue May 28 09:24:35 2024
   Syscheck last ended at:    Tue May 28 09:24:42 2024

[juliamagan]

Analysis report - HP-UX 🟢

System info 🟢

bash-4.4# hostname
sovmh349
bash-4.4# uname -a
HP-UX sovmh349 B.11.31 U ia64 2082618356 unlimited-user license

Installation without variables 🟢

• Wazuh agent

bash-4.4# /usr/local/bin/curl -O -k https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 58.1M  100 58.1M    0     0  3500k      0  0:00:17  0:00:17 --:--:-- 4537k

bash-4.4# groupadd wazuh
bash-4.4# useradd -G wazuh wazuh


bash-4.4# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1952136 bytes, 3813 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2095744 bytes, 4094 tape blocks
x /var/ossec/bin/wazuh-execd, 1815136 bytes, 3546 tape blocks
x /var/ossec/bin/manage_agents, 571064 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1745388 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1887132 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 572112 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355660 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892088 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 798672 bytes, 1560 tape blocks
x /var/ossec/lib/libfimdb.so, 1267320 bytes, 2476 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41705 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9254 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6109 bytes, 12 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6909 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9801 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17232 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 22966 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38690 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14480 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

  
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 004

Wazuh agent_control. Agent information:
   Agent ID:   004
   Agent Name: sovmh349
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh349 |B.11.31 |U |ia64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716889187

   Syscheck last started at:  Tue May 28 09:38:23 2024
   Syscheck last ended at:    Tue May 28 09:39:14 2024

Generate alerts (TCP & UDP) 🟢

• TCP

• Wazuh Agent

bash-4.4#  grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/28 04:38:17 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 04:38:17 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 04:38:22 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 04:38:22 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

• TCP
• Wazuh Server

{"timestamp":"2024-05-28T09:39:40.318+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":68,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sovmh349","ip":"192.168.253.49"},"manager":{"name":"wazuh-server"},"id":"1716889180.303069","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}

• UDP
• Wazuh Agent

bash-4.4# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
bash-4.4# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

    
bash-4.4# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/28 04:41:12 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/28 04:41:12 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

• UDP
• Wazuh Server

{"timestamp":"2024-05-28T09:41:48.961+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":69,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"sovmh349","ip":"192.168.253.49"},"manager":{"name":"wazuh-server"},"id":"1716889308.305213","full_log":"File '/tmp/.kc.trace' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.kc.trace"},"location":"rootcheck"}

Removal 🟢

bash-4.4# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
bash-4.4# groupdel wazuh
bash-4.4# userdel wazuh
bash-4.4# rm -rf /var/ossec

Check users and groups 🟢

bash-4.4# cat /etc/passwd | grep wazuh
wazuh:*:108:20::/home/wazuh:/sbin/sh
bash-4.4#  cat /etc/group | grep wazuh
wazuh::105:wazuh

Errors and warnings 🟢

bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
0

Upgrade 🟢

• Install previous version:

bash-4.4# /usr/local/bin/curl -O -k https://packages-dev.wazuh.com/pre-release/hp-ux/wazuh-agent-4.7.5-1-hpux-11v3-ia64.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 52.6M  100 52.6M    0     0  3853k      0  0:00:14  0:00:14 --:--:-- 3600k


bash-4.4# groupadd wazuh
bash-4.4# useradd -G wazuh wazuh


bash-4.4# tar -xvf wazuh-agent-4.7.5-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1951716 bytes, 3812 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2374528 bytes, 4638 tape blocks
x /var/ossec/bin/wazuh-execd, 1814696 bytes, 3545 tape blocks
x /var/ossec/bin/manage_agents, 570756 bytes, 1115 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1744976 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1886704 bytes, 3685 tape blocks
x /var/ossec/bin/agent-auth, 506192 bytes, 989 tape blocks
x /var/ossec/lib/libwazuhext.so, 9804464 bytes, 19150 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355484 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1314728 bytes, 2568 tape blocks
x /var/ossec/lib/librsync.so, 900228 bytes, 1759 tape blocks
x /var/ossec/lib/libsysinfo.so, 796672 bytes, 1556 tape blocks
x /var/ossec/lib/libfimdb.so, 1267168 bytes, 2475 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3493 bytes, 7 tape blocks
x /var/ossec/wodles/aws/aws-s3, 183561 bytes, 359 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 2887 bytes, 6 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 4709 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38438 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10034 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14163 bytes, 28 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14429 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70248 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70024 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69880 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69848 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69952 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69800 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69692 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69740 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 69996 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent


  
bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-4.4# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.7.5"
WAZUH_REVISION="40719"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sovmh349
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh349 |B.11.31 |U |ia64
   Client version:      Wazuh v4.7.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716889788

   Syscheck last started at:  Tue May 28 09:48:55 2024
   Syscheck last ended at:    Tue May 28 09:49:25 2024

• Upgrade:

bash-4.4# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.5 Stopped

bash-4.4# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
bash-4.4# cp /var/ossec/etc/client.keys ~/client.keys.bk


bash-4.4# tar -xvf wazuh-agent-4.8.0-1-hpux-11v3-ia64.tar
x /var/ossec/logs/ossec.log, 0 bytes, 0 tape blocks
x /var/ossec/logs/ossec.json, 0 bytes, 0 tape blocks
x /var/ossec/logs/active-responses.log, 0 bytes, 0 tape blocks
x /var/ossec/bin/wazuh-logcollector, 1952136 bytes, 3813 tape blocks
x /var/ossec/bin/wazuh-syscheckd, 2095744 bytes, 4094 tape blocks
x /var/ossec/bin/wazuh-execd, 1815136 bytes, 3546 tape blocks
x /var/ossec/bin/manage_agents, 571064 bytes, 1116 tape blocks
x /var/ossec/bin/wazuh-control, 7144 bytes, 14 tape blocks
x /var/ossec/bin/wazuh-modulesd, 1745388 bytes, 3409 tape blocks
x /var/ossec/bin/wazuh-agentd, 1887132 bytes, 3686 tape blocks
x /var/ossec/bin/agent-auth, 572112 bytes, 1118 tape blocks
x /var/ossec/lib/libwazuhext.so, 15675204 bytes, 30616 tape blocks
x /var/ossec/lib/libwazuhshared.so, 355660 bytes, 695 tape blocks
x /var/ossec/lib/libdbsync.so, 1315532 bytes, 2570 tape blocks
x /var/ossec/lib/librsync.so, 892088 bytes, 1743 tape blocks
x /var/ossec/lib/libsysinfo.so, 798672 bytes, 1560 tape blocks
x /var/ossec/lib/libfimdb.so, 1267320 bytes, 2476 tape blocks
x /var/ossec/lib/libstdc++.so.6.28, 27064832 bytes, 52861 tape blocks
x /var/ossec/lib/libgcc_s.so.0, 448764 bytes, 877 tape blocks
x /var/ossec/lib/libstdc++.so.6 symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libstdc++.so symbolic link to /var/ossec/lib/libstdc++.so.6.28
x /var/ossec/lib/libgcc_s.so symbolic link to /var/ossec/lib/libgcc_s.so.0
x /var/ossec/queue/syscollector/norm_config.json, 4206 bytes, 9 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml, 94882 bytes, 186 tape blocks
x /var/ossec/ruleset/sca/cis_hpux_11i.yml, 86160 bytes, 169 tape blocks
x /var/ossec/wodles/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/utils.py, 3567 bytes, 7 tape blocks
x /var/ossec/wodles/aws/buckets_s3/aws_bucket.py, 41705 bytes, 82 tape blocks
x /var/ossec/wodles/aws/buckets_s3/cloudtrail.py, 1889 bytes, 4 tape blocks
x /var/ossec/wodles/aws/buckets_s3/config.py, 8844 bytes, 18 tape blocks
x /var/ossec/wodles/aws/buckets_s3/guardduty.py, 4353 bytes, 9 tape blocks
x /var/ossec/wodles/aws/buckets_s3/__init__.py, 462 bytes, 1 tape blocks
x /var/ossec/wodles/aws/buckets_s3/load_balancers.py, 5729 bytes, 12 tape blocks
x /var/ossec/wodles/aws/buckets_s3/server_access.py, 9254 bytes, 19 tape blocks
x /var/ossec/wodles/aws/buckets_s3/umbrella.py, 2718 bytes, 6 tape blocks
x /var/ossec/wodles/aws/buckets_s3/vpcflow.py, 11310 bytes, 23 tape blocks
x /var/ossec/wodles/aws/buckets_s3/waf.py, 2897 bytes, 6 tape blocks
x /var/ossec/wodles/aws/services/aws_service.py, 6109 bytes, 12 tape blocks
x /var/ossec/wodles/aws/services/cloudwatchlogs.py, 24429 bytes, 48 tape blocks
x /var/ossec/wodles/aws/services/__init__.py, 166 bytes, 1 tape blocks
x /var/ossec/wodles/aws/services/inspector.py, 6909 bytes, 14 tape blocks
x /var/ossec/wodles/aws/subscribers/__init__.py, 201 bytes, 1 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_queue.py, 6214 bytes, 13 tape blocks
x /var/ossec/wodles/aws/subscribers/s3_log_handler.py, 10502 bytes, 21 tape blocks
x /var/ossec/wodles/aws/subscribers/sqs_message_processor.py, 1825 bytes, 4 tape blocks
x /var/ossec/wodles/aws/aws-s3, 9801 bytes, 20 tape blocks
x /var/ossec/wodles/aws/__init__.py, 0 bytes, 0 tape blocks
x /var/ossec/wodles/aws/aws_tools.py, 17232 bytes, 34 tape blocks
x /var/ossec/wodles/aws/wazuh_integration.py, 22966 bytes, 45 tape blocks
x /var/ossec/wodles/gcloud/pubsub/subscriber.py, 6085 bytes, 12 tape blocks
x /var/ossec/wodles/gcloud/buckets/bucket.py, 12735 bytes, 25 tape blocks
x /var/ossec/wodles/gcloud/buckets/access_logs.py, 1870 bytes, 4 tape blocks
x /var/ossec/wodles/gcloud/gcloud, 4513 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/integration.py, 3119 bytes, 7 tape blocks
x /var/ossec/wodles/gcloud/tools.py, 4420 bytes, 9 tape blocks
x /var/ossec/wodles/gcloud/exceptions.py, 4704 bytes, 10 tape blocks
x /var/ossec/wodles/docker/DockerListener, 5111 bytes, 10 tape blocks
x /var/ossec/wodles/azure/azure-logs, 38690 bytes, 76 tape blocks
x /var/ossec/wodles/azure/orm.py, 10097 bytes, 20 tape blocks
x /var/ossec/etc/TIMEZONE, 21 bytes, 1 tape blocks
x /var/ossec/etc/internal_options.conf, 14480 bytes, 29 tape blocks
x /var/ossec/etc/local_internal_options.conf, 320 bytes, 1 tape blocks
x /var/ossec/etc/client.keys, 0 bytes, 0 tape blocks
x /var/ossec/etc/ossec.conf, 4816 bytes, 10 tape blocks
x /var/ossec/etc/shared/cis_apache2224_rcl.txt, 28411 bytes, 56 tape blocks
x /var/ossec/etc/shared/cis_debian_linux_rcl.txt, 12576 bytes, 25 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt, 7609 bytes, 15 tape blocks
x /var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt, 10297 bytes, 21 tape blocks
x /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt, 35781 bytes, 70 tape blocks
x /var/ossec/etc/shared/cis_rhel6_linux_rcl.txt, 33870 bytes, 67 tape blocks
x /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, 36957 bytes, 73 tape blocks
x /var/ossec/etc/shared/cis_rhel_linux_rcl.txt, 17658 bytes, 35 tape blocks
x /var/ossec/etc/shared/cis_sles11_linux_rcl.txt, 34376 bytes, 68 tape blocks
x /var/ossec/etc/shared/cis_sles12_linux_rcl.txt, 35081 bytes, 69 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt, 94877 bytes, 186 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt, 28006 bytes, 55 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt, 100530 bytes, 197 tape blocks
x /var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt, 376002 bytes, 735 tape blocks
x /var/ossec/etc/shared/rootkit_files.txt, 16174 bytes, 32 tape blocks
x /var/ossec/etc/shared/rootkit_trojans.txt, 5548 bytes, 11 tape blocks
x /var/ossec/etc/shared/system_audit_rcl.txt, 4466 bytes, 9 tape blocks
x /var/ossec/etc/shared/system_audit_ssh.txt, 3285 bytes, 7 tape blocks
x /var/ossec/etc/shared/win_applications_rcl.txt, 5214 bytes, 11 tape blocks
x /var/ossec/etc/shared/win_audit_rcl.txt, 4277 bytes, 9 tape blocks
x /var/ossec/etc/shared/win_malware_rcl.txt, 7314 bytes, 15 tape blocks
x /var/ossec/etc/wpk_root.pem, 1367 bytes, 3 tape blocks
x /var/ossec/active-response/bin/restart.sh, 695 bytes, 2 tape blocks
x /var/ossec/active-response/bin/kaspersky.py, 14491 bytes, 29 tape blocks
x /var/ossec/active-response/bin/firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/default-firewall-drop, 70216 bytes, 138 tape blocks
x /var/ossec/active-response/bin/pf, 70064 bytes, 137 tape blocks
x /var/ossec/active-response/bin/npf, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ipfw, 69888 bytes, 137 tape blocks
x /var/ossec/active-response/bin/firewalld-drop, 69864 bytes, 137 tape blocks
x /var/ossec/active-response/bin/disable-account, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/host-deny, 69976 bytes, 137 tape blocks
x /var/ossec/active-response/bin/ip-customblock, 69824 bytes, 137 tape blocks
x /var/ossec/active-response/bin/restart-wazuh, 69716 bytes, 137 tape blocks
x /var/ossec/active-response/bin/route-null, 69856 bytes, 137 tape blocks
x /var/ossec/active-response/bin/kaspersky, 69724 bytes, 137 tape blocks
x /var/ossec/active-response/bin/wazuh-slack, 70028 bytes, 137 tape blocks
x /var/ossec/agentless/main.exp, 2453 bytes, 5 tape blocks
x /var/ossec/agentless/register_host.sh, 2406 bytes, 5 tape blocks
x /var/ossec/agentless/ssh.exp, 1476 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_asa-fwsmconfig_diff, 5283 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_foundry_diff, 5403 bytes, 11 tape blocks
x /var/ossec/agentless/ssh_generic_diff, 898 bytes, 2 tape blocks
x /var/ossec/agentless/ssh_integrity_check_bsd, 1091 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_integrity_check_linux, 1099 bytes, 3 tape blocks
x /var/ossec/agentless/ssh_nopass.exp, 1616 bytes, 4 tape blocks
x /var/ossec/agentless/ssh_pixconfig_diff, 5265 bytes, 11 tape blocks
x /var/ossec/agentless/sshlogin.exp, 915 bytes, 2 tape blocks
x /var/ossec/agentless/su.exp, 1381 bytes, 3 tape blocks
x /sbin/init.d/wazuh-agent, 691 bytes, 2 tape blocks
x /sbin/rc2.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent
x /sbin/rc3.d/S97wazuh-agent symbolic link to /sbin/init.d/wazuh-agent

bash-4.4# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
bash-4.4# chown root:wazuh /var/ossec/etc/ossec.conf
bash-4.4# mv ~/client.keys.bk /var/ossec/etc/client.keys
bash-4.4# chown root:wazuh /var/ossec/etc/client.keys

bash-4.4# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

bash-4.4# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"


bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
bash-4.4# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
0

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: sovmh349
   IP address: any
   Status:     Active

   Operating system:    HP-UX |sovmh349 |B.11.31 |U |ia64
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716890030

   Syscheck last started at:  Tue May 28 09:52:37 2024
   Syscheck last ended at:    Tue May 28 09:53:08 2024

[juliamagan]

Analysis report - Solaris 10 🟢

System info 🟢

bash-3.2# hostname
sossp109
bash-3.2# uname -a
SunOS sossp109 5.10 Generic_147147-26 sun4v sparc sun4v

Installation without variables 🟢

• Wazuh agent

bash-3.2# /opt/csw/bin/curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.8.0-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 17.4M  100 17.4M    0     0  6431k      0  0:00:02  0:00:02 --:--:-- 6431k

bash-3.2# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </wazuh-agent_v4.8.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.


bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 006

Wazuh agent_control. Agent information:
   Agent ID:   006
   Agent Name: sossp109
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716890424

   Syscheck last started at:  Tue May 28 15:58:58 2024
   Syscheck last ended at:    Tue May 28 15:59:18 2024

Generate alerts (TCP & UDP) 🟢

• TCP

• Wazuh Agent

bash-3.2# egrep "tcp" /var/ossec/logs/ossec.log
2024/05/28 10:58:51 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 10:58:51 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 10:58:57 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 10:58:57 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

• TCP
• Wazuh Server

{"timestamp":"2024-05-28T10:00:07.767+0000","rule":{"level":7,"description":"SCA summary: System audit for Unix based systems: Score less than 50% (45)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"sossp109","ip":"192.168.253.109"},"manager":{"name":"wazuh-server"},"id":"1716890407.362097","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"21737","policy":"System audit for Unix based systems","description":"Guidance for establishing a secure configuration for Unix based systems.","policy_id":"unix_audit","passed":"5","failed":"6","invalid":"12","total_checks":"23","score":"45","file":"sca_unix_audit.yml"}},"location":"sca"}

• UDP
• Wazuh Agent

bash-3.2# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
bash-3.2# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# grep "udp" /var/ossec/logs/ossec.log
2024/05/28 11:01:02 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/28 11:01:02 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

• UDP
• Wazuh Server

{"timestamp":"2024-05-28T10:01:55.821+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"sossp109","ip":"192.168.253.109"},"manager":{"name":"wazuh-server"},"id":"1716890515.363880","full_log":"File '/tmp/.X11-pipe/X0' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/tmp/.X11-pipe/X0"},"location":"rootcheck"}

Removal 🟢

bash-3.2# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.8.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.

Check users and groups 🟢

bash-3.2# cat /etc/passwd | grep wazuh
wazuh:x:46203:57447::/var/ossec:/bin/false
bash-3.2# cat /etc/group | grep wazuh
wazuh::57447:

Errors and warnings 🟢

bash-3.2# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
bash-3.2#  grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0

Upgrade 🟢

• Install previous version:

bash-3.2# /opt/csw/bin/curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/10/wazuh-agent_v4.7.5-sol10-sparc.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15.7M  100 15.7M    0     0  6017k      0  0:00:02  0:00:02 --:--:-- 6018k

bash-3.2# pkgadd -d wazuh-agent_v4.7.5-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </wazuh-agent_v4.7.5-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.7.5
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.5"
WAZUH_REVISION="40719"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp109
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.7.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716890925

   Syscheck last started at:  Tue May 28 16:07:50 2024
   Syscheck last ended at:    Tue May 28 16:07:56 2024

• Upgrade:

bash-3.2# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.5 Stopped
bash-3.2# cp /var/ossec/etc/ossec.conf ~/ossec.conf.bk
bash-3.2# cp /var/ossec/etc/client.keys ~/client.keys.bk
bash-3.2# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.
                (sparc) 4.7.5

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.7.5 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.
bash-3.2# rm -rf /var/ossec

bash-3.2# pkgadd -d wazuh-agent_v4.8.0-sol10-sparc.pkg wazuh-agent

Processing package instance <wazuh-agent> from </wazuh-agent_v4.8.0-sol10-sparc.pkg>

Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers.(sparc) 4.8.0
Wazuh, Inc <info@wazuh.com>
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <wazuh-agent> [y,n,?] y

Installing Wazuh - Wazuh unifies historically separate functions into a single agent and platform architecture. Providing protection for public clouds, private clouds, and on-premise data centers. as <wazuh-agent>

## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/wazuh-agent
/etc/rc2.d/S97wazuh-agent <symbolic link>
/etc/rc3.d/S97wazuh-agent <symbolic link>
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/agentless/main.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/su.exp
/var/ossec/bin/agent-auth
/var/ossec/bin/manage_agents
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-syscheckd
/var/ossec/etc/TIMEZONE
/var/ossec/etc/client.keys
/var/ossec/etc/internal_options.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/ossec.conf
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/wpk_root.pem
/var/ossec/lib/libdbsync.so
/var/ossec/lib/libfimdb.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/librsync.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libwazuhshared.so
/var/ossec/logs/active-responses.log
/var/ossec/logs/ossec.json
/var/ossec/logs/ossec.log
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/wodles/__init__.py
/var/ossec/wodles/aws/__init__.py
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws/aws_tools.py
/var/ossec/wodles/aws/buckets_s3/__init__.py
/var/ossec/wodles/aws/buckets_s3/aws_bucket.py
/var/ossec/wodles/aws/buckets_s3/cloudtrail.py
/var/ossec/wodles/aws/buckets_s3/config.py
/var/ossec/wodles/aws/buckets_s3/guardduty.py
/var/ossec/wodles/aws/buckets_s3/load_balancers.py
/var/ossec/wodles/aws/buckets_s3/server_access.py
/var/ossec/wodles/aws/buckets_s3/umbrella.py
/var/ossec/wodles/aws/buckets_s3/vpcflow.py
/var/ossec/wodles/aws/buckets_s3/waf.py
/var/ossec/wodles/aws/services/__init__.py
/var/ossec/wodles/aws/services/aws_service.py
/var/ossec/wodles/aws/services/cloudwatchlogs.py
/var/ossec/wodles/aws/services/inspector.py
/var/ossec/wodles/aws/subscribers/__init__.py
/var/ossec/wodles/aws/subscribers/s3_log_handler.py
/var/ossec/wodles/aws/subscribers/sqs_message_processor.py
/var/ossec/wodles/aws/subscribers/sqs_queue.py
/var/ossec/wodles/aws/wazuh_integration.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/utils.py
[ verifying class <none> ]
## Executing postinstall script.

Installation of <wazuh-agent> was successful.

bash-3.2# mv ~/ossec.conf.bk /var/ossec/etc/ossec.conf
bash-3.2# chown root:wazuh /var/ossec/etc/ossec.conf
bash-3.2# mv ~/client.keys.bk /var/ossec/etc/client.keys
bash-3.2# chown root:wazuh /var/ossec/etc/client.keys

bash-3.2# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
bash-3.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 007

Wazuh agent_control. Agent information:
   Agent ID:   007
   Agent Name: sossp109
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp109 |5.10 |Generic_147147-26 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716891089

   Syscheck last started at:  Tue May 28 16:10:34 2024
   Syscheck last ended at:    Tue May 28 16:10:40 2024

[juliamagan]

Analysis report - Solaris 11 🟢

System info 🟢

root@sossp104:~# hostname
sossp104
root@sossp104:~# uname -a
SunOS sossp104 5.11 11.3 sun4v sparc sun4v

Installation without variables 🟢

• Wazuh agent

root@sossp104:~# curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.8.0-sol11-sparc.p5p
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7030k  100 7030k    0     0  6390k      0  0:00:01  0:00:01 --:--:-- 6740k

root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1       119/119      6.5/6.5 30.8M/s

PHASE                                          ITEMS
Installing new actions                       175/175
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 


root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 008

Wazuh agent_control. Agent information:
   Agent ID:   008
   Agent Name: sossp104
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716891459

   Syscheck last started at:  Tue May 28 10:16:38 2024
   Syscheck last ended at:    Tue May 28 10:17:05 2024

Generate alerts (TCP & UDP) 🟢

• TCP

• Wazuh Agent

root@sossp104:~# grep "tcp" /var/ossec/logs/ossec.log 
2024/05/28 05:16:34 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 05:16:34 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 05:16:37 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 05:16:37 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

• TCP
• Wazuh Server

{"timestamp":"2024-05-28T10:17:27.554+0000","rule":{"level":7,"description":"SCA summary: CIS Benchmark for Oracle Solaris 11 v1.1.0: Score less than 50% (31)","id":"19004","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"008","name":"sossp104","ip":"192.168.253.104"},"manager":{"name":"wazuh-server"},"id":"1716891447.567109","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"12601","policy":"CIS Benchmark for Oracle Solaris 11 v1.1.0","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against  Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","policy_id":"cis_solaris11","passed":"16","failed":"35","invalid":"0","total_checks":"51","score":"31","file":"cis_solaris11.yml"}},"location":"sca"}

• UDP
• Wazuh Agent

root@sossp104:~# grep udp /var/ossec/etc/ossec.conf
      <protocol>udp</protocol>
root@sossp104:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# grep "udp" /var/ossec/logs/ossec.log
2024/05/28 05:18:39 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/28 05:18:39 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

• UDP
• Wazuh Server

{"timestamp":"2024-05-28T10:19:11.438+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":9,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"008","name":"sossp104","ip":"192.168.253.104"},"manager":{"name":"wazuh-server"},"id":"1716891551.570237","full_log":"Trojaned version of file '/usr/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\\.h|bash|tmp' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/kill"},"location":"rootcheck"}

Removal 🟢

root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
root@sossp104:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         222/222
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240528T052049Z
  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240528T052049Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240528T052049Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240528T052049Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240528T052049Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240528T052049Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240528T052049Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240528T052049Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240528T052049Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240528T052049

Check users and groups 🟢

root@sossp104:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp104:~#  cat /etc/group | grep wazuh
wazuh::13:

Errors and warnings 🟢

root@sossp104:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
root@sossp104:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0

Upgrade 🟢

• Install previous version:

root@sossp104:~# curl -O https://packages-dev.wazuh.com/pre-release/solaris/sparc/11/wazuh-agent_v4.7.5-sol11-sparc.p5p
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6270k  100 6270k    0     0  5087k      0  0:00:01  0:00:01 --:--:-- 5225k


root@sossp104:~# pkg install -g wazuh-agent_v4.7.5-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         98/98      5.8/5.8    0B/s

PHASE                                          ITEMS
Installing new actions                       151/151
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.5"
WAZUH_REVISION="40719"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 009

Wazuh agent_control. Agent information:
   Agent ID:   009
   Agent Name: sossp104
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.7.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716892061

   Syscheck last started at:  Tue May 28 10:27:10 2024
   Syscheck last ended at:    Tue May 28 10:27:15 2024

• Upgrade:

root@sossp104:~# /var/ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.7.5 Stopped
root@sossp104:~# pkg install -g wazuh-agent_v4.8.0-sol11-sparc.p5p wazuh-agent
            Packages to update:   1
       Create boot environment:  No
Create backup boot environment: Yes

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         57/57      5.7/5.7 43.8M/s

PHASE                                          ITEMS
Installing new actions                         24/24
Updating modified actions                      38/38
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 
root@sossp104:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

root@sossp104:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"


root@sossp104:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log
root@sossp104:~# grep  "ERROR|WARNING|CRITICAL" /var/ossec/logs/ossec.log | wc -l
       0

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 009

Wazuh agent_control. Agent information:
   Agent ID:   009
   Agent Name: sossp104
   IP address: any
   Status:     Active

   Operating system:    SunOS |sossp104 |5.11 |11.3 |sun4v
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716892200

   Syscheck last started at:  Tue May 28 10:29:19 2024
   Syscheck last ended at:    Tue May 28 10:29:26 2024

[juliamagan]

Analysis report - Debian Stretch PPC64EL 🟢

System info

root@4ee160c16552:~#  cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Installation with variables 🟢

• Wazuh agent

root@4ee160c16552:~# curl -O https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_ppc64el.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6308k  100 6308k    0     0  15.2M      0 --:--:-- --:--:-- --:--:-- 15.2M

root@4ee160c16552:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb'
The following additional packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Suggested packages:
  bzip2-doc libdpkg-perl lsb python3-doc python3-tk python3-venv python3.5-venv python3.5-doc binutils
  binfmt-support readline-doc
The following NEW packages will be installed:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common wazuh-agent xz-utils
0 upgraded, 21 newly installed, 0 to remove and 3 not upgraded.
Need to get 6437 kB/12.9 MB of archives.
After this operation, 76.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [6460 kB]
Get:2 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-minimal ppc64el 3.5.3-1+deb9u1 [574 kB]
Get:3 http://archive.debian.org/debian stretch/main ppc64el python3.5-minimal ppc64el 3.5.3-1+deb9u1 [1704 kB]
Get:4 http://archive.debian.org/debian stretch/main ppc64el python3-minimal ppc64el 3.5.3-1 [35.3 kB]
Get:5 http://archive.debian.org/debian stretch/main ppc64el mime-support all 3.60 [36.7 kB]
Get:6 http://archive.debian.org/debian stretch/main ppc64el libmpdec2 ppc64el 2.4.2-1 [81.9 kB]
Get:7 http://archive.debian.org/debian stretch/main ppc64el readline-common all 7.0-3 [70.4 kB]
Get:8 http://archive.debian.org/debian stretch/main ppc64el libreadline7 ppc64el 7.0-3 [139 kB]
Get:9 http://archive.debian.org/debian stretch/main ppc64el libsqlite3-0 ppc64el 3.16.2-5+deb9u1 [525 kB]
Get:10 http://archive.debian.org/debian stretch/main ppc64el libpython3.5-stdlib ppc64el 3.5.3-1+deb9u1 [2179 kB]
Get:11 http://archive.debian.org/debian stretch/main ppc64el python3.5 ppc64el 3.5.3-1+deb9u1 [229 kB]
Get:12 http://archive.debian.org/debian stretch/main ppc64el libpython3-stdlib ppc64el 3.5.3-1 [18.6 kB]
Get:13 http://archive.debian.org/debian stretch/main ppc64el dh-python all 2.20170125 [86.8 kB]        
Get:14 http://archive.debian.org/debian stretch/main ppc64el python3 ppc64el 3.5.3-1 [21.6 kB]         
Get:15 http://archive.debian.org/debian stretch/main ppc64el bzip2 ppc64el 1.0.6-8.1 [46.3 kB]         
Get:16 http://archive.debian.org/debian stretch/main ppc64el libmagic-mgc ppc64el 1:5.30-1+deb9u3 [222 kB]
Get:17 http://archive.debian.org/debian stretch/main ppc64el libmagic1 ppc64el 1:5.30-1+deb9u3 [108 kB]
Get:18 http://archive.debian.org/debian stretch/main ppc64el file ppc64el 1:5.30-1+deb9u3 [64.4 kB]    
Get:19 http://archive.debian.org/debian stretch/main ppc64el xz-utils ppc64el 5.2.2-1.2+b1 [262 kB]    
Get:20 http://archive.debian.org/debian stretch/main ppc64el distro-info-data all 0.36 [5810 B]        
Get:21 http://archive.debian.org/debian stretch/main ppc64el lsb-release all 9.20161125 [27.1 kB]      
Fetched 6437 kB in 10s (589 kB/s)                                                                      
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.5-minimal:ppc64el.
(Reading database ... 11722 files and directories currently installed.)
Preparing to unpack .../00-libpython3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5-minimal.
Preparing to unpack .../01-python3.5-minimal_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5-minimal (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3-minimal.
Preparing to unpack .../02-python3-minimal_3.5.3-1_ppc64el.deb ...
Unpacking python3-minimal (3.5.3-1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../03-mime-support_3.60_all.deb ...
Unpacking mime-support (3.60) ...
Selecting previously unselected package libmpdec2:ppc64el.
Preparing to unpack .../04-libmpdec2_2.4.2-1_ppc64el.deb ...
Unpacking libmpdec2:ppc64el (2.4.2-1) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../05-readline-common_7.0-3_all.deb ...
Unpacking readline-common (7.0-3) ...
Selecting previously unselected package libreadline7:ppc64el.
Preparing to unpack .../06-libreadline7_7.0-3_ppc64el.deb ...
Unpacking libreadline7:ppc64el (7.0-3) ...
Selecting previously unselected package libsqlite3-0:ppc64el.
Preparing to unpack .../07-libsqlite3-0_3.16.2-5+deb9u1_ppc64el.deb ...
Unpacking libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Selecting previously unselected package libpython3.5-stdlib:ppc64el.
Preparing to unpack .../08-libpython3.5-stdlib_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Selecting previously unselected package python3.5.
Preparing to unpack .../09-python3.5_3.5.3-1+deb9u1_ppc64el.deb ...
Unpacking python3.5 (3.5.3-1+deb9u1) ...
Selecting previously unselected package libpython3-stdlib:ppc64el.
Preparing to unpack .../10-libpython3-stdlib_3.5.3-1_ppc64el.deb ...
Unpacking libpython3-stdlib:ppc64el (3.5.3-1) ...
Selecting previously unselected package dh-python.
Preparing to unpack .../11-dh-python_2.20170125_all.deb ...
Unpacking dh-python (2.20170125) ...
Setting up libpython3.5-minimal:ppc64el (3.5.3-1+deb9u1) ...
Setting up python3.5-minimal (3.5.3-1+deb9u1) ...
Setting up python3-minimal (3.5.3-1) ...
Selecting previously unselected package python3.
(Reading database ... 12694 files and directories currently installed.)
Preparing to unpack .../0-python3_3.5.3-1_ppc64el.deb ...
Unpacking python3 (3.5.3-1) ...
Selecting previously unselected package bzip2.
Preparing to unpack .../1-bzip2_1.0.6-8.1_ppc64el.deb ...
Unpacking bzip2 (1.0.6-8.1) ...
Selecting previously unselected package libmagic-mgc.
Preparing to unpack .../2-libmagic-mgc_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic-mgc (1:5.30-1+deb9u3) ...
Selecting previously unselected package libmagic1:ppc64el.
Preparing to unpack .../3-libmagic1_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Selecting previously unselected package file.
Preparing to unpack .../4-file_1%3a5.30-1+deb9u3_ppc64el.deb ...
Unpacking file (1:5.30-1+deb9u3) ...
Selecting previously unselected package xz-utils.
Preparing to unpack .../5-xz-utils_5.2.2-1.2+b1_ppc64el.deb ...
Unpacking xz-utils (5.2.2-1.2+b1) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../6-distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../7-lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack .../8-wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up readline-common (7.0-3) ...
Setting up mime-support (3.60) ...
Setting up libreadline7:ppc64el (7.0-3) ...
Setting up distro-info-data (0.36) ...
Setting up libmagic-mgc (1:5.30-1+deb9u3) ...
Setting up bzip2 (1.0.6-8.1) ...
Setting up libmagic1:ppc64el (1:5.30-1+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up xz-utils (5.2.2-1.2+b1) ...
update-alternatives: using /usr/bin/xz to provide /usr/bin/lzma (lzma) in auto mode
Processing triggers for systemd (232-25+deb9u12) ...
Setting up libsqlite3-0:ppc64el (3.16.2-5+deb9u1) ...
Setting up libmpdec2:ppc64el (2.4.2-1) ...
Setting up libpython3.5-stdlib:ppc64el (3.5.3-1+deb9u1) ...
Setting up file (1:5.30-1+deb9u3) ...
Setting up python3.5 (3.5.3-1+deb9u1) ...
Setting up libpython3-stdlib:ppc64el (3.5.3-1) ...
Setting up python3 (3.5.3-1) ...
running python rtupdate hooks for python3.5...
running python post-rtupdate hooks for python3.5...
Setting up lsb-release (9.20161125) ...
Setting up dh-python (2.20170125) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)


root@4ee160c16552:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@4ee160c16552:~# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"
root@4ee160c16552:~# grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 010

Wazuh agent_control. Agent information:
   Agent ID:   010
   Agent Name: 4ee160c16552
   IP address: any
   Status:     Active

   Operating system:    Linux |4ee160c16552 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716893699

   Syscheck last started at:  Tue May 28 10:54:30 2024
   Syscheck last ended at:    Tue May 28 10:54:39 2024

Installation without variables 🟢

• Wazuh agent

root@4ee160c16552:~# apt-get install ./wazuh-agent_4.8.0-1_ppc64el.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.8.0-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/6460 kB of archives.
After this operation, 40.4 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.8.0-1_ppc64el.deb wazuh-agent ppc64el 4.8.0-1 [6460 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 12838 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.8.0-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

root@4ee160c16552:~# vim /var/ossec/etc/ossec.conf 
root@4ee160c16552:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@4ee160c16552:~# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
   Agent ID:   011
   Agent Name: 4ee160c16552
   IP address: any
   Status:     Active

   Operating system:    Linux |4ee160c16552 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716894039

   Syscheck last started at:  Tue May 28 10:59:40 2024
   Syscheck last ended at:    Tue May 28 10:59:42 2024

 

Generate alerts (TCP & UDP) 🟢

• TCP
• Wazuh Agent

root@4ee160c16552:~# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/28 10:59:35 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 10:59:35 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 10:59:39 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 10:59:39 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

• TCP
• Wazuh Server

{"timestamp":"2024-05-28T11:00:04.670+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"011","name":"4ee160c16552","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1716894004.1656584","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1974405837","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"}

• UDP
• Wazuh Agent

root@4ee160c16552:~# vim /var/ossec/etc/ossec.conf 
root@4ee160c16552:~# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@4ee160c16552:~# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/28 11:02:46 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/28 11:02:46 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp).

• UDP
• Wazuh Server

{"timestamp":"2024-05-28T11:03:06.058+0000","rule":{"level":7,"description":"SCA summary: CIS Debian Linux 9 Benchmark v1.0.1: Score less than 50% (39)","id":"19004","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"011","name":"4ee160c16552","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1716894186.1682856","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1654674339","policy":"CIS Debian Linux 9 Benchmark v1.0.1","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9.","policy_id":"cis_debian9","passed":"58","failed":"89","invalid":"28","total_checks":"175","score":"39","file":"cis_debian9.yml"}},"location":"sca"}

Removal 🟢

root@4ee160c16552:~# apt-get remove wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 40.4 MB disk space will be freed.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 13245 files and directories currently installed.)
Removing wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
root@4ee160c16552:~# apt-get remove --purge wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 dh-python distro-info-data file libmagic-mgc libmagic1 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libreadline7 libsqlite3-0 lsb-release mime-support python3
  python3-minimal python3.5 python3.5-minimal readline-common xz-utils
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
(Reading database ... 12852 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.8.0-1) ...
Processing triggers for systemd (232-25+deb9u12) ...

Check users and groups 🟢

root@4ee160c16552:~# cat /etc/passwd | grep wazuh
wazuh:x:107:108::/var/ossec:/bin/false
root@4ee160c16552:~# cat /etc/group | grep wazuh
wazuh:x:108:

Errors and warnings 🟢

root@4ee160c16552:~# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
root@4ee160c16552:~# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0

Upgrade 🟢

• Install previous version:

root@4ee160c16552:~# curl -O https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.5-1_ppc64el.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5595k  100 5595k    0     0  13.8M      0 --:--:-- --:--:-- --:--:-- 13.9M


root@4ee160c16552:~# WAZUH_MANAGER="X.X.X.X" apt-get install ./wazuh-agent_4.7.5-1_ppc64el.deb
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.7.5-1_ppc64el.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/5730 kB of archives.
After this operation, 37.1 MB of additional disk space will be used.
Get:1 /root/wazuh-agent_4.7.5-1_ppc64el.deb wazuh-agent ppc64el 4.7.5-1 [5730 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 14648 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.7.5-1_ppc64el.deb ...
Unpacking wazuh-agent (4.7.5-1) ...
Setting up wazuh-agent (4.7.5-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
N: Download is performed unsandboxed as root as file '/root/wazuh-agent_4.7.5-1_ppc64el.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)


root@4ee160c16552:~# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@4ee160c16552:~# /var/ossec/bin/wazuh-control info 
WAZUH_VERSION="v4.7.5"
WAZUH_REVISION="40719"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013

Wazuh agent_control. Agent information:
   Agent ID:   013
   Agent Name: 4ee160c16552
   IP address: any
   Status:     Active

   Operating system:    Linux |4ee160c16552 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.7.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716895751

   Syscheck last started at:  Tue May 28 11:26:21 2024
   Syscheck last ended at:    Tue May 28 11:27:28 2024

• Upgrade:

root@4ee160c16552:~# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <support@wazuh.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

root@4ee160c16552:~# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main

root@4ee160c16552:~# apt-get update
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://archive.debian.org/debian stretch Release
Get:4 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el Packages [8264 B]
Fetched 25.5 kB in 0s (46.5 kB/s)
Reading package lists... Done

root@4ee160c16552:~#  apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 6460 kB of archives.
After this operation, 3280 kB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main ppc64el wazuh-agent ppc64el 4.8.0-1 [6460 kB]
Fetched 6460 kB in 0s (11.2 MB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TIME = "es_ES.UTF-8",
	LC_MONETARY = "es_ES.UTF-8",
	LC_ADDRESS = "es_ES.UTF-8",
	LC_TELEPHONE = "es_ES.UTF-8",
	LC_NAME = "es_ES.UTF-8",
	LC_MEASUREMENT = "es_ES.UTF-8",
	LC_IDENTIFICATION = "es_ES.UTF-8",
	LC_NUMERIC = "es_ES.UTF-8",
	LC_PAPER = "es_ES.UTF-8",
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 15234 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_ppc64el.deb ...
Unpacking wazuh-agent (4.8.0-1) over (4.7.5-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...

root@4ee160c16552:~# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@4ee160c16552:~# /var/ossec/bin/wazuh-control info  
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 013

Wazuh agent_control. Agent information:
   Agent ID:   013
   Agent Name: 4ee160c16552
   IP address: any
   Status:     Active

   Operating system:    Linux |4ee160c16552 |4.9.0-13-powerpc64le |#1 SMP Debian 4.9.228-1 (2020-07-05) |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716896111

   Syscheck last started at:  Tue May 28 11:34:02 2024
   Syscheck last ended at:    Tue May 28 11:34:03 2024

[juliamagan]

Analysis report - CentOS 7 PPC64EL 🟢

System info

[root@9e67f7a2dcf1 ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (AltArch)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (AltArch)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7:server"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Installation with variables 🟢

• Wazuh agent

[root@9e67f7a2dcf1 ~]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.8.0-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7997k  100 7997k    0     0  3871k      0  0:00:02  0:00:02 --:--:-- 3872k

[root@9e67f7a2dcf1 ~]# WAZUH_MANAGER="X.X.X.X" yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le
Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package               Arch              Version           Repository                              Size
========================================================================================================
Installing:
 wazuh-agent           ppc64le           4.8.0-1           /wazuh-agent-4.8.0-1.ppc64le            36 M

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 36 M
Installed size: 36 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 

Installed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!



[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.



[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

[root@9e67f7a2dcf1 ~]# grep address /var/ossec/etc/ossec.conf
      <address>X.X.X.X</address>

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 014

Wazuh agent_control. Agent information:
   Agent ID:   014
   Agent Name: 9e67f7a2dcf1
   IP address: any
   Status:     Active

   Operating system:    Linux |9e67f7a2dcf1 |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716896453

   Syscheck last started at:  Tue May 28 11:40:14 2024
   Syscheck last ended at:    Tue May 28 11:40:28 2024
 

Installation without variables 🟢

• Wazuh agent

[root@9e67f7a2dcf1 ~]# yum install ./wazuh-agent-4.8.0-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.8.0-1.ppc64le.rpm: wazuh-agent-4.8.0-1.ppc64le
Marking ./wazuh-agent-4.8.0-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package               Arch              Version           Repository                              Size
========================================================================================================
Installing:
 wazuh-agent           ppc64le           4.8.0-1           /wazuh-agent-4.8.0-1.ppc64le            36 M

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 36 M
Installed size: 36 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 

Installed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!


[root@9e67f7a2dcf1 ~]# vi /var/ossec/etc/ossec.conf 
[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh server

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 015

Wazuh agent_control. Agent information:
   Agent ID:   015
   Agent Name: 9e67f7a2dcf1
   IP address: any
   Status:     Active

   Operating system:    Linux |9e67f7a2dcf1 |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716896629

   Syscheck last started at:  Tue May 28 11:43:50 2024
   Syscheck last ended at:    Tue May 28 11:43:52 2024

 

Generate alerts (TCP & UDP) 🟢

• TCP
• Wazuh Agent

[root@9e67f7a2dcf1 ~]# grep -Ei "tcp" /var/ossec/logs/ossec.log
2024/05/28 11:43:43 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 11:43:43 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 11:43:49 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 11:43:49 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).
2024/05/28 11:44:04 wazuh-agentd: INFO: Closing connection to server ([X.X.X.X]:1514/tcp).
2024/05/28 11:44:04 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/tcp).
2024/05/28 11:44:05 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/tcp).

• TCP
• Wazuh Server

{"timestamp":"2024-05-28T11:44:31.056+0000","rule":{"level":3,"description":"CIS CentOS Linux 7 Benchmark v3.0.0: Ensure LDAP Server is not installed.","id":"19008","firedtimes":245,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2","2.2.2"],"nist_800_53":["CM.1","CM.1"],"tsc":["CC7.1","CC7.2","CC5.2"],"cis":["2.2.6"],"cis_csc":["9.2"],"cis_level":["1"]},"agent":{"id":"015","name":"9e67f7a2dcf1","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1716896671.3726304","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1952446512","policy":"CIS CentOS Linux 7 Benchmark v3.0.0","check":{"id":"6059","title":"Ensure LDAP Server is not installed.","description":"The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.","rationale":"If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface.","remediation":"Run the following command to remove slapd: # yum remove openldap-servers","compliance":{"cis":"2.2.6","cis_csc":"9.2","pci_dss":"2.2.2","nist_800_53":"CM.1","tsc":"CC5.2","cis_level":"1"},"references":"More detailed documentation on OpenLDAP is available at https://www.openldap.org","command":["rpm -q openldap-servers"],"result":"passed"}}},"location":"sca"}

• UDP
• Wazuh Agent

[root@9e67f7a2dcf1 ~]# vi /var/ossec/etc/ossec.conf 
[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.8.0 Stopped
Starting Wazuh v4.8.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@9e67f7a2dcf1 ~]# grep -Ei "udp" /var/ossec/logs/ossec.log
2024/05/28 11:45:40 wazuh-agentd: INFO: Trying to connect to server ([X.X.X.X]:1514/udp).
2024/05/28 11:45:40 wazuh-agentd: INFO: (4102): Connected to the server ([X.X.X.X]:1514/udp

• UDP
• Wazuh Server

{"timestamp":"2024-05-28T12:06:56.132+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"015","name":"9e67f7a2dcf1","ip":"172.17.0.2"},"manager":{"name":"wazuh-server"},"id":"1716898016.3741314","full_log":"File '/etc/test.txt' modified\nMode: realtime\nChanged attributes: mtime\nOld modification time was: '1716897976', now it is '1716898016'\n","syscheck":{"path":"/etc/test.txt","mode":"realtime","size_after":"6","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"b1946ac92492d2347c6235b4d2611184","sha1_after":"f572d396fae9206628714fb2ce00f72e94f2258f","sha256_after":"5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03","uname_after":"root","gname_after":"root","mtime_before":"2024-05-28T12:06:16","mtime_after":"2024-05-28T12:06:56","inode_after":786299,"changed_attributes":["mtime"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Removal 🟢

[root@9e67f7a2dcf1 ~]# yum remove wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package              Arch             Version             Repository                              Size
========================================================================================================
Removing:
 wazuh-agent          ppc64le          4.8.0-1             @/wazuh-agent-4.8.0-1.ppc64le           36 M

Transaction Summary
========================================================================================================
Remove  1 Package

Installed size: 36 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
warning: /var/ossec/etc/client.keys saved as /var/ossec/etc/client.keys.rpmsave
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/1 

Removed:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!

Check users and groups 🟢

[root@9e67f7a2dcf1 ~]# cat /etc/passwd | grep wazuh
wazuh:x:999:997::/var/ossec:/sbin/nologin
[root@9e67f7a2dcf1 ~]#  cat /etc/group | grep wazuh
wazuh:x:997:wazuh

Errors and warnings 🟢

[root@9e67f7a2dcf1 ~]# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log
[root@9e67f7a2dcf1 ~]# grep -iE "err|warn|crit" /var/ossec/logs/ossec.log | wc -l
       0

Upgrade 🟢

• Install previous version:

[root@9e67f7a2dcf1 ~]# curl -O https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.7.5-1.ppc64le.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 7045k  100 7045k    0     0  10.9M      0 --:--:-- --:--:-- --:--:-- 10.9M


[root@9e67f7a2dcf1 ~]# WAZUH_MANAGER="X.X.X.X" yum install ./wazuh-agent-4.7.5-1.ppc64le.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Examining ./wazuh-agent-4.7.5-1.ppc64le.rpm: wazuh-agent-4.7.5-1.ppc64le
Marking ./wazuh-agent-4.7.5-1.ppc64le.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.5-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package               Arch              Version           Repository                              Size
========================================================================================================
Installing:
 wazuh-agent           ppc64le           4.7.5-1           /wazuh-agent-4.7.5-1.ppc64le            32 M

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 32 M
Installed size: 32 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.7.5-1.ppc64le                                                          1/1 
  Verifying  : wazuh-agent-4.7.5-1.ppc64le                                                          1/1 

Installed:
  wazuh-agent.ppc64le 0:4.7.5-1                                                                         

Complete!



[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.7.5...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.5"
WAZUH_REVISION="40719"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 016

Wazuh agent_control. Agent information:
   Agent ID:   016
   Agent Name: 9e67f7a2dcf1
   IP address: any
   Status:     Active

   Operating system:    Linux |9e67f7a2dcf1 |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.7.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716898322

   Syscheck last started at:  Tue May 28 12:11:33 2024
   Syscheck last ended at:    Tue May 28 12:11:35 2024

• Upgrade:

[root@9e67f7a2dcf1 ~]#  rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@9e67f7a2dcf1 ~]# cat > /etc/yum.repos.d/wazuh.repo << EOF
> [wazuh]
> gpgcheck=1
> gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
> enabled=1
> name=EL-\$releasever - Wazuh
> baseurl=https://packages-dev.wazuh.com/pre-release/yum/
> protect=1
> EOF

[root@9e67f7a2dcf1 ~]#  yum clean all
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Cleaning repos: base extras updates wazuh
Cleaning up list of fastest mirrors


[root@9e67f7a2dcf1 ~]# yum upgrade wazuh-agent
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: mirrors.xtom.com
 * extras: mirrors.xtom.com
 * updates: mirrors.xtom.com
base                                                                             | 3.6 kB  00:00:00     
extras                                                                           | 2.9 kB  00:00:00     
updates                                                                          | 2.9 kB  00:00:00     
wazuh                                                                            | 3.4 kB  00:00:00     
(1/5): base/7/ppc64le/group_gz                                                   | 153 kB  00:00:00     
(2/5): extras/7/ppc64le/primary_db                                               | 233 kB  00:00:00     
(3/5): wazuh/primary_db                                                          | 468 kB  00:00:00     
(4/5): base/7/ppc64le/primary_db                                                 | 4.8 MB  00:00:00     
(5/5): updates/7/ppc64le/primary_db                                              |  21 MB  00:00:02     
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.ppc64le 0:4.7.5-1 will be updated
---> Package wazuh-agent.ppc64le 0:4.8.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package                    Arch                   Version                   Repository            Size
========================================================================================================
Updating:
 wazuh-agent                ppc64le                4.8.0-1                   wazuh                7.8 M

Transaction Summary
========================================================================================================
Upgrade  1 Package

Total download size: 7.8 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-agent-4.8.0-1.ppc64le.rpm                                                  | 7.8 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-agent-4.8.0-1.ppc64le                                                          1/2 
  Cleanup    : wazuh-agent-4.7.5-1.ppc64le                                                          2/2 
  Verifying  : wazuh-agent-4.8.0-1.ppc64le                                                          1/2 
  Verifying  : wazuh-agent-4.7.5-1.ppc64le                                                          2/2 

Updated:
  wazuh-agent.ppc64le 0:4.8.0-1                                                                         

Complete!


[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
[root@9e67f7a2dcf1 ~]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_control -i 016

Wazuh agent_control. Agent information:
   Agent ID:   016
   Agent Name: 9e67f7a2dcf1
   IP address: any
   Status:     Active

   Operating system:    Linux |9e67f7a2dcf1 |3.10.0-1160.71.1.el7.ppc64le |#1 SMP Tue Jun 28 18:34:40 UTC 2022 |ppc64le
   Client version:      Wazuh v4.8.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1716898755

   Syscheck last started at:  Tue May 28 12:14:26 2024
   Syscheck last ended at:    Tue May 28 12:14:28 2024

[juliamagan]

Analysis Report - AMI 🟡

WUI 🟢

• Loading Screen: OK
  

• Login Screen: OK
  

• Credentials: OK

• Health Check
  

• Overview OK
  

Logs 🟡

• Wazuh Dashboard - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 28 14:16:15 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T14:16:15Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 28 10:05:58 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T10:05:58Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
may 28 10:05:50 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T10:05:50Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
may 28 09:46:12 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:46:12Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
may 28 09:45:56 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:45:56Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","name":"Error","stack":"Error: 139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","code":"ERR_SSL_WRONG_VERSION_NUMBER"},"message":"139807266264960:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
may 28 09:45:41 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:45:41Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139807266264960:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139807266264960:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 28 09:45:41 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:45:41Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139807266264960:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139807266264960:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 28 09:45:41 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:45:41Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 28 09:45:41 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:45:41Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 28 09:11:36 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:11:36Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","name":"Error","stack":"Error: 139807266264960:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n","code":"ERR_SSL_BAD_KEY_SHARE"},"message":"139807266264960:error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share:../deps/openssl/openssl/ssl/statem/extensions_srvr.c:698:\n"}
may 28 09:11:36 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:11:36Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","name":"Error","stack":"Error: 139807266264960:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139807266264960:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1781:\n"}
may 28 09:11:35 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:11:35Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_UNSUPPORTED_PROTOCOL"},"message":"139807266264960:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 28 09:11:33 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:11:33Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 28 09:09:32 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:09:32Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","name":"Error","stack":"Error: 139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n","code":"ERR_SSL_NO_SHARED_CIPHER"},"message":"139807266264960:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../deps/openssl/openssl/ssl/statem/statem_srvr.c:2285:\n"}
may 28 09:08:55 wazuh-server opensearch-dashboards[5583]: {"type":"error","@timestamp":"2024-05-28T09:08:55Z","tags":["connection","client","error"],"pid":5583,"level":"error","error":{"message":"139807266264960:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","name":"Error","stack":"Error: 139807266264960:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n","code":"ERR_SSL_VERSION_TOO_LOW"},"message":"139807266264960:error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:\n"}
may 28 08:47:13 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:47:13Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ResponseError]: Response Error"}
may 28 08:47:11 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:47:11Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ResponseError]: Response Error"}
may 28 08:47:08 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:47:08Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ResponseError]: Response Error"}
may 28 08:47:06 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:47:06Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ResponseError]: Response Error"}
may 28 08:47:03 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:47:03Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ResponseError]: Response Error"}
may 28 08:47:02 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:47:02Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ResponseError]: Response Error"}
may 28 08:46:58 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:58Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:56 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:56Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:53 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:53Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:51 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:51Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:48 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:48Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:46 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:46Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:43 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:43Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 08:46:41 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:41Z","tags":["error","savedobjects-service"],"pid":1755,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 28 08:46:41 wazuh-server opensearch-dashboards[1755]: {"type":"log","@timestamp":"2024-05-28T08:46:41Z","tags":["error","opensearch","data"],"pid":1755,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

• Reported in : Unexpected Parse Error "Pause on PRI/Upgrade" in logs wazuh-packages#2449

• Wazuh Indexer - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 28 08:45:56 wazuh-server systemd-entrypoint[2270]: WARNING: System::setSecurityManager will be removed in a future release
may 28 08:45:56 wazuh-server systemd-entrypoint[2270]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 28 08:45:56 wazuh-server systemd-entrypoint[2270]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 28 08:45:56 wazuh-server systemd-entrypoint[2270]: WARNING: A terminally deprecated method in java.lang.System has been called
may 28 08:45:49 wazuh-server systemd-entrypoint[2270]: WARNING: System::setSecurityManager will be removed in a future release
may 28 08:45:49 wazuh-server systemd-entrypoint[2270]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 28 08:45:49 wazuh-server systemd-entrypoint[2270]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 28 08:45:49 wazuh-server systemd-entrypoint[2270]: WARNING: A terminally deprecated method in java.lang.System has been called

• Reported in Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046

• Wazuh Indexer - /var/logs/wazuh-indexer 🟡

[root@wazuh-server wazuh-user]# grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-28T08:46:47,721Z", "level": "ERROR", "component": "o.o.s.a.s.SinkProvider", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Default endpoint could not be created, auditlog will not work properly." }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-28T08:47:01,506Z", "level": "ERROR", "component": "o.o.s.c.ConfigurationLoaderSecurity7", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@1bb6f8f5] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)", "cluster.uuid": "lweC8nHbTcqIxWtqvySrGA", "node.id": "gaC6CSE2THWgzIbKKQ5OeQ"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-28T08:47:13,839Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "lweC8nHbTcqIxWtqvySrGA", "node.id": "gaC6CSE2THWgzIbKKQ5OeQ"  }
/var/log/wazuh-indexer/wazuh-cluster_server.json:{"type": "server", "timestamp": "2024-05-28T08:47:14,339Z", "level": "ERROR", "component": "o.o.s.a.BackendRegistry", "cluster.name": "wazuh-cluster", "node.name": "node-1", "message": "Not yet initialized (you may need to run securityadmin)", "cluster.uuid": "lweC8nHbTcqIxWtqvySrGA", "node.id": "gaC6CSE2THWgzIbKKQ5OeQ"  }

• Wazuh Server - /var/ossec/logs 🟡

2024/05/28 14:18:39 wazuh-remoted[20404] netbuffer.c:95 at nb_recv(): WARNING: Unexpected message (hex): '4d075f2d63ff7f1b1eff64ff7664ffffff60ff1447ffff35ffffffff79ffffffffff11ff40ffff5e5effffffff7f722a67ffff2dff7bff052807ffffffff2618533f4d390affffffffff0d127f43ffff44ffffffffffff3a0c3eff37425effff023fffffff68ffff3035210dffff6c1aff3fffffffff3cffffffffff7a3e22ff40ffffffff3e047f0f3effffffff17ffffff03ffffff2fff6b52ffff02ff0fff20ff2dffff3a16ff2dff23ffffffff4a70026bffffff64ffffff62ffff027140ff65426affffff56ffffffffffffffff54ffffff29214c59ff7effff3b6affff5eff6933ffff447507ffff3f3c38ff18747b0eff6dff3aff2a51ffffffff72ff2950ff5dff233764ff35ff2470ffff6432ff7affff79ffffff58ff4dff35ffff615fffff2cffffff18ff4f5317ffffff65ffff6aff33ffff0cff43ff38ffffffffff20ff003550ffffff05ffff2a33ff1e581701436f72ffff3f10ff00ff4d075f2d63ff7f1b1eff64ff7664ffffff60ff1447ffff35ffffffff79ffffffffff11ff40ffff5e5effffffff7f722a67ffff2dff7bff052807ffffffff2618533f4d390affffffffff0d127f43ffff44ffffffffffff3a0c3eff37425effff023fffffff68ffff3035210dffff6c1aff3fffffffff3cffffffffff7a3e22ff40ffffffff3e047f0f3effffffff17ffffff03ffffff2fff6b52ffff02ff0fff20ff2dffff3a16ff2dff23ffffffff4a70026bffffff64ffffff62ffff027140ff65426affffff56ffffffffffffffff54ffffff29214c59ff7effff3b6affff5eff6933ffff447507ffff3f3c38ff18747b0eff6dff3aff2a51ffffffff72ff2950ff5dff233764ff35ff2470ffff6432ff7affff79ffffff58ff4dff35ffff615fffff2cffffff18ff4f5317ffffff65ffff6aff33ffff0cff43ff38ffffffffff20ff003550ffffff05ffff2a33ff1e581701436f72ffff3f10ff00ff4d075f2d63ff7f1b1eff64ff7664ffffff60ff1447ffff35ffffffff79ffffffffff11ff40ffff5e5effffffff7f722a67ffff2dff7bff052807ffffffff2618533f4d390affffffffff0d127f43ffff44ffffffffffff3a0c3eff37425effff023fffffff68ffff3035210dffff6c1aff3fffffffff3cffffffffff7a3e22ff40ffffffff3e047f0f3effffffff17ffffff03ffffff2fff6b52ffff02ff0fff20ff2dffff3a16ff2dff23ffffffff4a70026bffffff64ffffff62ffff027140ff65426affffff56ffffffffffffffff54ffffff29214c59ff7effff3b6affff5eff6933ffff447507ffff3f3c38ff18747b0eff6dff3aff2a51ffffffff72ff2950ff5dff233764ff35ff2470ffff6432ff7affff79ffffff58ff4dff35ffff615fffff2cffffff18ff4f5317ffffff65ffff6aff33ffff0cff43ff38ffffffffff20ff'
2024/05/28 14:18:39 wazuh-remoted[20404] secure.c:343 at handle_incoming_data_from_tcp_socket(): WARNING: Too big message size from socket [34].

• Related to Remoted show Too big message size from socket after receiving a Wazuh agent message #17596

Filebeat Test 🟢

[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer Cluster 🟢

[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "lweC8nHbTcqIxWtqvySrGA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           58          97   2    0.02    0.01     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1


[root@wazuh-server wazuh-user]# curl -k -u admin:pass https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 10,
  "active_shards" : 10,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Users 🟢

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1001:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1001:1001::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

Versions 🟢

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="server"
[root@wazuh-server wazuh-user]#  cat /usr/share/wazuh-indexer/VERSION
4.8.0
[root@wazuh-server wazuh-user]#  cat /usr/share/wazuh-dashboard/VERSION
4.8.0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.10.0",
  "branch": "2.x",
  "build": {
    "number": 48011,
    "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}

Processes 🟢

[root@wazuh-server wazuh-user]#  ps -ef | grep wazuh
root      2023     1  0 08:45 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
root      2063     1  0 08:45 ?        00:00:00 /sbin/dhclient -6 -nw -lf /var/lib/dhclient/dhclient6--eth0.lease -pf /var/run/dhclient6-eth0.pid eth0 -H wazuh-server
wazuh-i+  2270     1  1 08:45 ?        00:04:17 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms1941m -Xmx1941m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-13746084381302178196 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=1018167296 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
wazuh-d+  5583     1  0 08:48 ?        00:00:50 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root      7020  2607  0 08:58 ?        00:00:00 sshd: wazuh-user [priv]
wazuh-u+  7037  7020  0 08:58 ?        00:00:00 sshd: wazuh-user@pts/0
wazuh-u+  7038  7037  0 08:58 pts/0    00:00:00 -bash
wazuh    20239     1  0 12:00 ?        00:00:08 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    20240 20239  0 12:00 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    20243 20239  0 12:00 ?        00:00:02 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    20246 20239  0 12:00 ?        00:00:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     20289     1  0 12:00 ?        00:00:21 /var/ossec/bin/wazuh-authd
wazuh    20307     1  0 12:00 ?        00:00:11 /var/ossec/bin/wazuh-db
root     20333     1  0 12:00 ?        00:00:00 /var/ossec/bin/wazuh-execd
wazuh    20348     1  0 12:00 ?        00:00:12 /var/ossec/bin/wazuh-analysisd
root     20359     1  0 12:00 ?        00:00:14 /var/ossec/bin/wazuh-syscheckd
wazuh    20408     1  0 12:00 ?        00:00:17 /var/ossec/bin/wazuh-remoted
root     20444     1  0 12:00 ?        00:00:01 /var/ossec/bin/wazuh-logcollector
wazuh    20465     1  0 12:00 ?        00:00:00 /var/ossec/bin/wazuh-monitord
root     20489     1  0 12:00 ?        00:00:06 /var/ossec/bin/wazuh-modulesd
root     22777  7061  0 14:35 pts/0    00:00:00 grep --color=auto wazuh



[root@wazuh-server wazuh-user]#  /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

SSH Root Access Denied 🟢

juliamagan@pop-os:~/Downloads$ ssh -i idr-1179.pem -p 2200 root@X.X.X.X
Please login as the user "wazuh-user" rather than the user "root".

Connection to X.X.X.X closed.

SSH wazuh-user Access Allowed 🟢

juliamagan@pop-os:~/Downloads$ ssh -i idr-1179.pem -p 2200 wazuh-user@X.X.X.X
Last login: Tue May 28 08:58:43 2024 from 33.red-81-38-118.dynamicip.rima-tde.net


wwwwww.           wwwwwww.          wwwwwww.
wwwwwww.          wwwwwww.          wwwwwww.
 wwwwww.         wwwwwwwww.        wwwwwww.
 wwwwwww.        wwwwwwwww.        wwwwwww.
  wwwwww.       wwwwwwwwwww.      wwwwwww.
  wwwwwww.      wwwwwwwwwww.      wwwwwww.
   wwwwww.     wwwwww.wwwwww.    wwwwwww.
   wwwwwww.    wwwww. wwwwww.    wwwwwww.
    wwwwww.   wwwwww.  wwwwww.  wwwwwww.
    wwwwwww.  wwwww.   wwwwww.  wwwwwww.
     wwwwww. wwwwww.    wwwwww.wwwwwww.
     wwwwwww.wwwww.     wwwwww.wwwwwww.
      wwwwwwwwwwww.      wwwwwwwwwwww.
      wwwwwwwwwww.       wwwwwwwwwwww.      oooooo
       wwwwwwwwww.        wwwwwwwwww.      oooooooo
       wwwwwwwww.         wwwwwwwwww.     oooooooooo
        wwwwwwww.          wwwwwwww.      oooooooooo
        wwwwwww.           wwwwwwww.       oooooooo
         wwwwww.            wwwwww.         oooooo


         WAZUH Open Source Security Platform
                  https://wazuh.com


[wazuh-user@wazuh-server ~]$ 

Production Repositories 🟢

[wazuh-user@wazuh-server ~]$ cat /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1

TCP and UDP 🟢

TCP, UDP and alerts have been tested before since this was the manager used for the previous agents.

[juliamagan]

Analysis Report - OVA 🟡

Check System 🟢

• System Info

[wazuh-user@wazuh-server ~]$ cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

• Wazuh Processes

[wazuh-user@wazuh-server ~]$ ps aux | grep wazuh
wazuh-d+  2031  4.2  2.0 1033060 169108 ?      Ssl  14:46   0:06 /usr/share/wazuh-dashboard/node/fallback/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist
root     13311  0.0  0.0  98668  2036 ?        Ss   14:47   0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid -H wazuh-server eth0
wazuh-i+ 14326 26.5 55.8 8272348 4553116 ?     Ssl  14:47   0:36 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3981m -Xmx3981m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-1179655812526536963 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -XX:MaxDirectMemorySize=2087714816 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
root     14349  0.0  0.0  86424  3744 ?        Ss   14:47   0:00 login -- wazuh-user
wazuh    16437  1.9  1.3 1003812 108516 ?      Sl   14:47   0:02 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    16459  0.0  0.7 283300 60972 ?        S    14:47   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    16465  0.2  0.8 435496 69352 ?        S    14:47   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
wazuh    16473  0.0  0.7 578096 58508 ?        S    14:47   0:00 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
root     16732  0.0  0.0 131596  5932 ?        Sl   14:47   0:00 /var/ossec/bin/wazuh-authd
wazuh    17324  0.2  0.2 945696 17400 ?        Sl   14:47   0:00 /var/ossec/bin/wazuh-db
root     17355  0.0  0.0  41320  4028 ?        Sl   14:47   0:00 /var/ossec/bin/wazuh-execd
wazuh    17372  0.4  0.3 1442312 28500 ?       Sl   14:47   0:00 /var/ossec/bin/wazuh-analysisd
root     17438  5.8  0.1 360272 13644 ?        SNl  14:47   0:07 /var/ossec/bin/wazuh-syscheckd
wazuh    17458  0.1  0.1 774572 10992 ?        Sl   14:47   0:00 /var/ossec/bin/wazuh-remoted
root     17493  0.0  0.0 483712  4800 ?        Sl   14:47   0:00 /var/ossec/bin/wazuh-logcollector
wazuh    17515  0.0  0.0  41384  4208 ?        Sl   14:47   0:00 /var/ossec/bin/wazuh-monitord
root     17553 32.4  1.7 746496 141688 ?       Sl   14:47   0:39 /var/ossec/bin/wazuh-modulesd
wazuh-u+ 18733  0.0  0.0 124864  4044 tty1     Ss+  14:48   0:00 -bash
root     18916  0.2  0.1 150628  9132 ?        Ss   14:48   0:00 sshd: wazuh-user [priv]
wazuh-u+ 18919  0.0  0.0 150628  4708 ?        S    14:48   0:00 sshd: wazuh-user@pts/0
wazuh-u+ 18920  0.0  0.0 124732  4128 pts/0    Ss   14:48   0:00 -bash
wazuh-u+ 18943  0.0  0.0 162292  4340 pts/0    R+   14:49   0:00 ps aux
wazuh-u+ 18944  0.0  0.0 119416   928 pts/0    S+   14:49   0:00 grep --color=auto wazuh

• Manager Version

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="server"

• Indexer Version

[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-indexer/VERSION
4.8.0

• Dashboard Version

[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/VERSION
4.8.0
0
[root@wazuh-server wazuh-user]# cat /usr/share/wazuh-dashboard/package.json
{
  "name": "opensearch-dashboards",
  "description": "OpenSearch Dashboards is a browser based analytics and search dashboard for OpenSearch. OpenSearch Dashboards is a snap to setup and start using. OpenSearch Dashboards strives to be easy to get started with, while also being flexible and powerful, just like OpenSearch.",
  "keywords": [
    "opensearch-dashboards",
    "opensearch",
    "logstash",
    "analytics",
    "visualizations",
    "dashboards",
    "dashboarding"
  ],
  "version": "2.10.0",
  "branch": "2.x",
  "build": {
    "number": 48011,
    "sha": "c1120d93e2ee647977f917a1249258a622d4eb5b",
    "distributable": true,
    "release": true
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/opensearch-project/opensearch-dashboards.git"
  },
  "engines": {
    "node": ">=14.20.1 <19"
  }
}

Users 🟢

[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/group
wheel:x:10:wazuh-user
wazuh-user:x:1000:
wazuh-indexer:x:993:
wazuh:x:992:wazuh
wazuh-dashboard:x:991:wazuh-dashboard
[root@wazuh-server wazuh-user]# grep -R "wazuh" /etc/passwd
wazuh-user:x:1000:1000::/home/wazuh-user:/bin/bash
wazuh-indexer:x:995:993:wazuh-indexer user:/usr/share/wazuh-indexer:/sbin/nologin
wazuh:x:994:992::/var/ossec:/sbin/nologin
wazuh-dashboard:x:993:991::/usr/share/wazuh-dashboard/:/sbin/nologin

WUI 🟢

Credentials: admin/admin

Logs 🟡

• Wazuh Dashboard - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-dashboard | grep -i -E "error|critical|fatal|warning"
may 28 14:47:36 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:36Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ResponseError]: Response Error"}
may 28 14:47:34 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:34Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ResponseError]: Response Error"}
may 28 14:47:31 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:31Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ResponseError]: Response Error"}
may 28 14:47:29 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:29Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ResponseError]: Response Error"}
may 28 14:47:26 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:26Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ResponseError]: Response Error"}
may 28 14:47:24 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:24Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ResponseError]: Response Error"}
may 28 14:47:21 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:21Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 14:47:19 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:19Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 14:47:16 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:16Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 14:47:14 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:14Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 14:47:11 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T14:47:11Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:47:08 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:47:08Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:47:06 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:47:06Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:47:03 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:47:03Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:47:01 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:47:01Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:46:58 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:46:58Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:46:56 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:46:56Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:46:53 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:46:53Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:46:51 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:46:51Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
may 28 16:46:48 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:46:48Z","tags":["error","savedobjects-service"],"pid":2031,"message":"Unable to retrieve version information from OpenSearch nodes."}
may 28 16:46:48 wazuh-server opensearch-dashboards[2031]: {"type":"log","@timestamp":"2024-05-28T16:46:48Z","tags":["error","opensearch","data"],"pid":2031,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

• Reported in Unexpected Parse Error "Pause on PRI/Upgrade" in logs wazuh-packages#2449

• Wazuh Indexer - journalctl 🟡

[root@wazuh-server wazuh-user]# journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning"
may 28 14:47:11 wazuh-server systemd-entrypoint[14326]: WARNING: System::setSecurityManager will be removed in a future release
may 28 14:47:11 wazuh-server systemd-entrypoint[14326]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
may 28 14:47:11 wazuh-server systemd-entrypoint[14326]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 28 14:47:11 wazuh-server systemd-entrypoint[14326]: WARNING: A terminally deprecated method in java.lang.System has been called
may 28 14:47:10 wazuh-server systemd-entrypoint[14326]: WARNING: System::setSecurityManager will be removed in a future release
may 28 14:47:10 wazuh-server systemd-entrypoint[14326]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
may 28 14:47:10 wazuh-server systemd-entrypoint[14326]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
may 28 14:47:10 wazuh-server systemd-entrypoint[14326]: WARNING: A terminally deprecated method in java.lang.System has been called

• Reported in Systemd-entrypoint warnings in wazuh indexer wazuh-packages#2046

• Wazuh Indexer - /var/logs/wazuh-indexer 🟡

/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-28T14:47:23,422][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@35282764] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-28T14:47:23,422][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure No shard available for [org.opensearch.action.get.MultiGetShardRequest@35282764] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-28T14:47:24,054][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
/var/log/wazuh-indexer/wazuh-cluster.log:[2024-05-28T14:47:24,070][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)

• Related to Warning and error logs found in wazuh-indexer in demo environment wazuh-packages#1511

• Wazuh Server - /var/ossec/logs 🟡

[root@wazuh-server wazuh-user]# grep -i -E "error|critical|fatal|warning" /var/ossec/logs/ossec.log
2024/05/28 14:47:19 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.

Succesfully connected:

2024/05/28 14:47:49 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.

Filebeat Test 🟢

[root@wazuh-server wazuh-user]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

Wazuh Indexer Cluster 🟢

[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "g_Po3XBiSEyI5c1Gx2unZA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}



[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cat/nodes?v
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
127.0.0.1           11          98   6    0.19    0.59     0.41 dimr      cluster_manager,data,ingest,remote_cluster_client *               node-1



[root@wazuh-server wazuh-user]# curl -k -u admin:admin https://127.0.0.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 10,
  "active_shards" : 10,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

No Root SSH Access 🟢

juliamagan@pop-os:~$ ssh root@192.168.1.61
root@192.168.1.61's password: 
Permission denied, please try again.
root@192.168.1.61's password: 
Permission denied, please try again.
root@192.168.1.61's password: 
root@192.168.1.61: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Installation - Agent 🟢

• Generate command from WUI

• Install

root@ubuntu-jammy:/home/vagrant# wget https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.61' WAZUH_AGENT_NAME='ubuntu_agent' dpkg -i ./wazuh-agent_4.8.0-1_amd64.deb
--2024-05-28 14:59:30--  https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.0-1_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 52.84.66.65, 52.84.66.16, 52.84.66.124, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|52.84.66.65|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10268378 (9.8M) [binary/octet-stream]
Saving to: ‘wazuh-agent_4.8.0-1_amd64.deb’

wazuh-agent_4.8.0-1_amd64 100%[=====================================>]   9.79M  17.1MB/s    in 0.6s    

2024-05-28 14:59:31 (17.1 MB/s) - ‘wazuh-agent_4.8.0-1_amd64.deb’ saved [10268378/10268378]

Selecting previously unselected package wazuh-agent.
(Reading database ... 64003 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...



root@ubuntu-jammy:/home/vagrant# sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.


root@ubuntu-jammy:/home/vagrant#  /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@ubuntu-jammy:/home/vagrant#  /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40811"
WAZUH_TYPE="agent"

• Wazuh Server

TCP, UDP and alerts 🟢

TCP

• Wazuh server:

[root@wazuh-server wazuh-user]# egrep protocol /var/ossec/etc/ossec.conf 
    <protocol>tcp,udp</protocol>

• Agent:

root@ubuntu-jammy:/home/vagrant# egrep tcp /var/ossec/logs/ossec.log 
2024/05/28 15:02:38 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.61]:1514/tcp).
2024/05/28 15:02:38 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.61]:1514/tcp).

• Alerts:

{"timestamp":"2024-05-28T15:00:38.339+0000","rule":{"level":7,"description":"SCA summary: CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.: Score less than 50% (42)","id":"19004","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"ubuntu_agent","ip":"192.168.1.60"},"manager":{"name":"wazuh-server"},"id":"1716908438.665248","decoder":{"name":"sca"},"data":{"sca":{"type":"summary","scan_id":"1298045772","policy":"CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","passed":"76","failed":"104","invalid":"2","total_checks":"182","score":"42","file":"cis_ubuntu22-04.yml"}},"location":"sca"}

UDP

• Wazuh server:

[root@wazuh-server wazuh-user]# egrep protocol /var/ossec/etc/ossec.conf 
    <protocol>tcp,udp</protocol>

• Agent:

root@ubuntu-jammy:/home/vagrant#  egrep udp /var/ossec/logs/ossec.log 
2024/05/28 15:04:25 wazuh-agentd: INFO: Trying to connect to server ([192.168.1.61]:1514/udp).
2024/05/28 15:04:25 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.1.61]:1514/udp).

• Alerts:

{"timestamp":"2024-05-28T15:04:26.518+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"ubuntu_agent","ip":"192.168.1.60"},"manager":{"name":"wazuh-server"},"id":"1716908666.671994","full_log":"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/diff"},"location":"rootcheck"}

[MARCOSD4]

LGTM