Release 4.8.0 - RC 2 - E2E UX tests - Vulnerability Detection

[davidjiglesias]

End-to-End (E2E) Testing Guideline

• Documentation: Always consult the development documentation for the current stage tag at this link. Be careful because some of the description steps might refer to a current version in production, always navigate using the current development documention for the stage under test. Also, visit the following pre-release package guide to understand how to modify certain links and urls for the correct testing of the development packages.
• Test Requirements: Ensure your test comprehensively includes a full stack and agent/s deployment as per the Deployment requirements, detailing the machine OS, installed version, and revision.
• Deployment Options: While deployments can be local (using VMs, Vagrant, etc) or on the aws-dev account, opt for local deployments when feasible. For AWS access, coordinate with the DevOps team through this link.
• External Accounts: If tests require third-party accounts (e.g., GitHub, Azure, AWS, GCP), request the necessary access through the DevOps team here.
• Alerts: Every test should generate a minimum of one end-to-end alert, from the agent to the dashboard, irrespective of test type.
• Multi-node Testing: For multi-node wazuh-manager tests, ensure agents are connected to both workers and the master node.
• Package Verification: Use the pre-release package that matches the current TAG you're testing. Confirm its version and revision.
• Filebeat Errors: If you encounter errors with Filebeat during testing, refer to this Slack discussion for insights and resolutions.
• Known Issues: Familiarize yourself with previously reported issues in the Known Issues section. This helps in identifying already recognized errors during testing.
• Reporting New Issues: Any new errors discovered during testing that aren't listed under Known Issues should be reported. Assign the issue to the corresponding team (QA if unsure), add the Release testing objective and Very high priority. Communicate these to the team and QA via the c-release Slack channel.
• Test Conduct: It's imperative to be thorough in your testing, offering enough detail for reviewers. Incomplete tests might necessitate a redo.
• Documentation Feedback: Encountering documentation gaps, unclear guidelines, or anything that disrupts the testing or UX? Open an issue, especially if it's not listed under Known Issues. Please answer the feedback section, this is a mandatory step.
• Format: If this is your first time doing this, refer to the format (but not necessarily the content, as it may vary) of previous E2E tests, here you have an example Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994.
• Status and completion: Change the issue status within your team project accordingly. Once you finish testing and write the conclusions, move it to Pending review and notify the @wazuh/devel-cppserver-div1 team via Slack using the c-release channel. Beware that the reviewers might request additional information or task repetitions.
• For reviewers: Please move the issue to Pending final review and notify via Slack using the same thread if everything is ok, otherwise, perform an issue update with the requested changes and move it to On hold, increase the review_cycles in the team project by one and notify the issue assignee via Slack using the same thread.

For the conclusions and the issue testing and updates, use the following legend:

Status legend

• 🟢 All checks passed
• 🟡 Found a known issue
• 🔴 Found a new error

Issue delivery and completion

• Initial delivery: The issue's assignee must complete the testing and deliver the results by May 15, 2024 and notify the @wazuh/devel-cppserver-div1 team via Slack using the c-release channel
• Review: The @wazuh/devel-cppserver-div1 team will assign a reviewer and add it to the review_assignee field in the project. The reviewer must then review the test steps and results. Ensure that all iteration cycles are completed by May 16, 2024 date (issue must be in Pending final review status) and notify the QA team via Slack using the c-release channel.
• Auditor: The QA team must audit, validate the results, and close the issue by May 17, 2024.

Deployment requirements

Component	Installation	Type	OS
Indexer	Installation assistant	Single node	Ubuntu 22.04 x86_64
Server	Installation assistant	Single node	Ubuntu 22.04 x86_64
Dashboard	Installation assistant	-	Ubuntu 22.04 x86_64
Agent	Installing Wazuh agents	-	Windows server 2019 x86_64, ubuntu 20.04 x86_64, Amazon Linux 2023 x86_64, macOS Sonoma arm

Test description

• Utilize the Vulnerability Detection module to identify Operating System vulnerabilities in all agents and the manager
• Install and Mitigate Vulnerable System Packages:
  • For Windows agents, deploy .msi/.exe packages; for Linux agents, utilize .rpm packages; for macOS agents, employ .pkg packages; and for the Ubuntu manager, utilize .deb packages
  • Mitigate vulnerabilities by either removing the package entirely or upgrading it to a secure version.
• Test Vulnerable Python Packages:
  • Install a vulnerable Python package on each agent and detect the vulnerability using the Vulnerability Detection module
  • Mitigate vulnerabilities by either removing the package entirely or upgrading it to a secure version.
• Test Vulnerable NPM Packages:
  • Install a vulnerable NPM package on each agent and detect the vulnerability using the Vulnerability Detection module
  • Mitigate vulnerabilities by either removing the package entirely or upgrading it to a secure version.
• Test POC for https://documentation-dev.wazuh.com/v4.8.0-rc2/proof-of-concept-guide/poc-vulnerability-detection.html

Important

Check Known issues to ensure that every test is possible to perform.

Note

Remember to check vulnerabilities in corresponding system feeds. Check the list in the CVE lists for endpoint section

CVE lists for endpoint

• Ubuntu: https://ubuntu.com/security/cves
• ALAS: https://alas.aws.amazon.com/alas2023.html
• Windows: https://nvd.nist.gov/vuln/search
• macOS: https://nvd.nist.gov/vuln/search

Vulnerable Packages Suggestions

Package type	Windows	AmazonLinux	macOS	Ubuntu
System Packages	VLC-2.0.7 (CVE-2023-47359)	httpd-2.4.55-1.amzn2023 (CVE-2023-31122)	nodejs-20.2.0 (CVE-2023-44487)	apache2=2.4.41-4ubuntu3 (CVE-2023-31122)
Python Packages	Django-3.2.13 (CVE-2022-34265)	Django-3.2.13 (CVE-2022-34265)	Django-3.2.13 (CVE-2022-34265)	Django-3.2.13 (CVE-2022-34265)
NPM Packages	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)	axios-0.6.0 (CVE-2021-3749)

Note

These packages are only suggestions and the package availability along with the vulnerability status can change.
Consider using different vulnerable packages.

Known issues

• Vulnerability detection component not firing any events on Windows #15630
• Syscollector unable to gather python packages in macOS Ventura #22911
• Syscollector unable to gather npm packages in macOS Ventura #22896
• macOS report Microsoft Photos false positive vulnerability  #21838
• False positive in Vulnerability Detection modules #22894
• Duplicated vulnerabilities when changing agent manager #22867

Conclusions 🔴

Status	Test	Failure type	Notes
🟢	System information
🟡	System installation	Warnings in indexer status	- Known issue: wazuh/wazuh-packages#1749
🟢	Initial checks
🟡	macOS Sonoma Agent	No vulnerabilities detected from pkg packages	- Known issue: #15798 (This is an old issue with macOS. It's currently blocked, and won't be solved in 4.8.0)
🔴	macOS Sonoma Agent	No vulnerabilities detected from python packages	- New issue: #23507
🟢	Amazon Linux 2023 Agent
🟢	Windows Server 2019 Agent
🟢	Ubuntu 20.04 Agent
🟢	Proof of concept

Feedback

We value your feedback. Please provide insights on your testing experience.

• Was the testing guideline clear? Were there any ambiguities?
  • Yes, no ambiguity found.
• Did you face any challenges not covered by the guideline?
  • No.
• Suggestions for improvement:
  • Not at the moment.

Reviewers validation

The criteria for completing this task is based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.

• @davidjiglesias
• @wazuh/devel-cppserver-div1

[santipadilla]

System information 🟢

Manager

OS information

root@wazuh-master-pre:/home/vagrant# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

CPU information

root@wazuh-master-pre:/home/vagrant# lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  2
  On-line CPU(s) list:   0,1
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz
    CPU family:          6
    Model:               165
    Thread(s) per core:  1
    Core(s) per socket:  2
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            5184.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clf
                         lush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl x
                         topology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse
                         4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 
                         3dnowprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clf
                         lushopt md_clear flush_l1d arch_capabilities
Virtualization features: 
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):     
  L1d:                   64 KiB (2 instances)
  L1i:                   64 KiB (2 instances)
  L2:                    512 KiB (2 instances)
  L3:                    24 MiB (2 instances)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0,1
Vulnerabilities:         
  Gather data sampling:  Unknown: Dependent on hypervisor status
  Itlb multihit:         KVM: Mitigation: VMX unsupported
  L1tf:                  Mitigation; PTE Inversion
  Mds:                   Mitigation; Clear CPU buffers; SMT Host state unknown
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT Host state unknown
  Retbleed:              Vulnerable
  Spec rstack overflow:  Not affected
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affect
                         ed
  Srbds:                 Unknown: Dependent on hypervisor status
  Tsx async abort:       Not affected

Memory information

root@wazuh-master-pre:/home/vagrant#  free -h
               total        used        free      shared  buff/cache   available
Mem:           1.9Gi       510Mi       247Mi       0.0Ki       1.2Gi       1.2Gi
Swap:          2.0Gi        89Mi       1.9Gi

Storage information

root@wazuh-master-pre:/home/vagrant# df --total -h
Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                              197M  976K  196M   1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv   62G   13G   47G  21% /
tmpfs                              982M   80K  982M   1% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
/dev/sda2                          2.0G  129M  1.7G   8% /boot
tmpfs                              197M  4.0K  197M   1% /run/user/1000
total                               65G   13G   50G  20% -

Ubuntu agent

OS information

root@ubuntu-agent-pre:/home/vagrant# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

CPU information

root@ubuntu-agent-pre:/home/vagrant# lscpu
Architecture:                       x86_64
CPU op-mode(s):                     32-bit, 64-bit
Byte Order:                         Little Endian
Address sizes:                      39 bits physical, 48 bits virtual
CPU(s):                             1
On-line CPU(s) list:                0
Thread(s) per core:                 1
Core(s) per socket:                 1
Socket(s):                          1
NUMA node(s):                       1
Vendor ID:                          GenuineIntel
CPU family:                         6
Model:                              165
Model name:                         Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz
Stepping:                           2
CPU MHz:                            2592.004
BogoMIPS:                           5184.00
Hypervisor vendor:                  KVM
Virtualization type:                full
L1d cache:                          32 KiB
L1i cache:                          32 KiB
L2 cache:                           256 KiB
L3 cache:                           12 MiB
NUMA node0 CPU(s):                  0
Vulnerability Gather data sampling: Unknown: Dependent on hypervisor status
Vulnerability Itlb multihit:        KVM: Vulnerable
Vulnerability L1tf:                 Mitigation; PTE Inversion
Vulnerability Mds:                  Mitigation; Clear CPU buffers; SMT Host state unknown
Vulnerability Meltdown:             Mitigation; PTI
Vulnerability Mmio stale data:      Mitigation; Clear CPU buffers; SMT Host state unknown
Vulnerability Retbleed:             Vulnerable
Vulnerability Spec store bypass:    Vulnerable
Vulnerability Spectre v1:           Mitigation; usercopy/swapgs barriers and __user pointer sanitizat
                                    ion
Vulnerability Spectre v2:           Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS 
                                    Not affected
Vulnerability Srbds:                Unknown: Dependent on hypervisor status
Vulnerability Tsx async abort:      Not affected
Flags:                              fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat
                                     pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant
                                    _tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni
                                     pclmulqdq monitor ssse3 cx16 pcid sse4_1 sse4_2 x2apic movbe pop
                                    cnt aes xsave avx rdrand hypervisor lahf_lm abm 3dnowprefetch inv
                                    pcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt
                                     md_clear flush_l1d arch_capabilities

Memory information

root@ubuntu-agent-pre:/home/vagrant# free -h
              total        used        free      shared  buff/cache   available
Mem:          1.9Gi       113Mi       1.5Gi       0.0Ki       284Mi       1.7Gi
Swap:         1.9Gi          0B       1.9Gi

Storage information

root@ubuntu-agent-pre:/home/vagrant# df --total -h
Filesystem      Size  Used Avail Use% Mounted on
udev            941M     0  941M   0% /dev
tmpfs           198M  936K  197M   1% /run
/dev/sda3       124G  3.2G  114G   3% /
tmpfs           986M     0  986M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           986M     0  986M   0% /sys/fs/cgroup
/dev/sda1       456M  206M  216M  49% /boot
tmpfs           198M     0  198M   0% /run/user/1000
total           127G  3.4G  118G   3% -

Amazon Linux agent

OS information

[root@amazon-agent-pre vagrant]# cat /etc/*release
Amazon Linux release 2023.3.20240304 (Amazon Linux)
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023.3.20240304"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
VENDOR_NAME="AWS"
VENDOR_URL="https://aws.amazon.com/"
SUPPORT_END="2028-03-15"
Amazon Linux release 2023.3.20240304 (Amazon Linux)

CPU information

[root@amazon-agent-pre vagrant]# lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  1
  On-line CPU(s) list:   0
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz
    CPU family:          6
    Model:               165
    Thread(s) per core:  1
    Core(s) per socket:  1
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            5184.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflus
                         h mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopolo
                         gy nonstop_tsc cpuid tsc_known_freq pni pclmulqdq monitor ssse3 cx16 pcid sse4
                         _1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm abm 3dno
                         wprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed clflushopt
                          md_clear flush_l1d arch_capabilities
Virtualization features: 
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):     
  L1d:                   32 KiB (1 instance)
  L1i:                   32 KiB (1 instance)
  L2:                    256 KiB (1 instance)
  L3:                    12 MiB (1 instance)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0
Vulnerabilities:         
  Gather data sampling:  Unknown: Dependent on hypervisor status
  Itlb multihit:         KVM: Mitigation: VMX unsupported
  L1tf:                  Mitigation; PTE Inversion
  Mds:                   Mitigation; Clear CPU buffers; SMT Host state unknown
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT Host state unknown
  Retbleed:              Vulnerable
  Spec rstack overflow:  Not affected
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Unknown: Dependent on hypervisor status
  Tsx async abort:       Not affected

Memory information

[root@amazon-agent-pre vagrant]# free -h
               total        used        free      shared  buff/cache   available
Mem:           1.9Gi       191Mi       1.1Gi       5.0Mi       655Mi       1.6Gi
Swap:             0B          0B          0B

Storage information

[root@amazon-agent-pre vagrant]# df --total -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        4.0M     0  4.0M   0% /dev
tmpfs           980M     0  980M   0% /dev/shm
tmpfs           392M  5.4M  387M   2% /run
/dev/sda1        25G  2.2G   23G   9% /
tmpfs           980M     0  980M   0% /tmp
/dev/sda128      10M  1.3M  8.7M  13% /boot/efi
vagrant         234G  206G   28G  89% /vagrant
tmpfs           196M     0  196M   0% /run/user/1000
total           262G  208G   54G  80% -

MacOS agent

OS information

sh-3.2# uname -a
Darwin macos-1400 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:40:03 PDT 2023; root:xnu-10002.1.13~1/RELEASE_ARM64_VMAPPLE arm64

sh-3.2# sw_vers
ProductName:		macOS
ProductVersion:		14.0
BuildVersion:		23A344

CPU information

sh-3.2# system_profiler SPHardwareDataType
Hardware:

    Hardware Overview:

      Model Name: Apple Virtual Machine 1
      Model Identifier: VirtualMac2,1
      Model Number: VM0001LL/A
      Chip: Apple M1 Max (Virtual)
      Total Number of Cores: 2
      Memory: 4 GB
      System Firmware Version: 10151.1.1
      OS Loader Version: 10151.1.1
      Serial Number (system): ZGHNPYVQG6
      Hardware UUID: 2E6953F4-CFA4-50CB-96B9-7A70F47BFABE
      Provisioning UDID: 0000FE00-9C55689FB529FB1A
      Activation Lock Status: Disabled

Memory information

sh-3.2# vm_stat
Mach Virtual Memory Statistics: (page size of 16384 bytes)
Pages free:                                4114.
Pages active:                            104231.
Pages inactive:                           98937.
Pages speculative:                         5320.
Pages throttled:                              0.
Pages wired down:                         34368.
Pages purgeable:                            667.
"Translation faults":                   7069291.
Pages copy-on-write:                     690853.
Pages zero filled:                      2135430.
Pages reactivated:                        93960.
Pages purged:                              9669.
File-backed pages:                       133145.
Anonymous pages:                          75343.
Pages stored in compressor:               50363.
Pages occupied by compressor:             14438.
Decompressions:                           36982.
Compressions:                            248546.
Pageins:                                 389734.
Pageouts:                                  1978.
Swapins:                                      0.
Swapouts:                                     0.

Storage information

sh-3.2# df -h
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/disk5s1s1    59Gi   9,1Gi    37Gi    20%    387k  390M    0%   /
devfs            201Ki   201Ki     0Bi   100%     694     0  100%   /dev
/dev/disk5s6      59Gi    20Ki    37Gi     1%       0  390M    0%   /System/Volumes/VM
/dev/disk5s2      59Gi   5,2Gi    37Gi    13%     735  390M    0%   /System/Volumes/Preboot
/dev/disk5s4      59Gi   4,9Mi    37Gi     1%      44  390M    0%   /System/Volumes/Update
/dev/disk3s2     500Mi    20Ki   495Mi     1%       0  5,1M    0%   /System/Volumes/xarts
/dev/disk3s1     500Mi   104Ki   495Mi     1%      24  5,1M    0%   /System/Volumes/iSCPreboot
/dev/disk3s3     500Mi    72Ki   495Mi     1%      18  5,1M    0%   /System/Volumes/Hardware
/dev/disk5s5      59Gi   6,1Gi    37Gi    15%    150k  390M    0%   /System/Volumes/Data
/dev/disk2       1,8Ti   931Gi   927Gi    51%    355k  4,3G    0%   /Volumes/My Shared Files
/dev/disk0s2      20Mi    20Mi     0Bi   100%      88  4,3G    0%   /Volumes/Parallels Tools
map auto_home      0Bi     0Bi     0Bi   100%       0     0     -   /System/Volumes/Data/home

Windows agent

OS information

CPU information

Memory information

Storage information

[santipadilla]

System installation 🟡

Indexer 🟡

Initial configuration

root@wazuh-indexer-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh
root@wazuh-indexer-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/config.yml
root@wazuh-indexer-pre:/home/vagrant# ls
config.yml  wazuh-install.sh
root@wazuh-indexer-pre:/home/vagrant# nano config.yml 

root@wazuh-indexer-pre:/home/vagrant# bash wazuh-install.sh --generate-config-files
15/05/2024 08:23:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
15/05/2024 08:23:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/05/2024 08:23:56 INFO: Verifying that your system meets the recommended minimum hardware requirements.
15/05/2024 08:24:11 INFO: --- Configuration files ---
15/05/2024 08:24:11 INFO: Generating configuration files.
15/05/2024 08:24:11 INFO: Generating the root certificate.
15/05/2024 08:24:11 INFO: Generating Admin certificates.
15/05/2024 08:24:12 INFO: Generating Wazuh indexer certificates.
15/05/2024 08:24:12 INFO: Generating Filebeat certificates.
15/05/2024 08:24:12 INFO: Generating Wazuh dashboard certificates.
15/05/2024 08:24:12 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.

Wazuh indexer nodes installation

root@wazuh-indexer-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh

root@wazuh-indexer-pre:/home/vagrant# bash wazuh-install.sh --wazuh-indexer wazuh-indexer-pre
15/05/2024 08:34:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
15/05/2024 08:34:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/05/2024 08:34:07 INFO: Verifying that your system meets the recommended minimum hardware requirements.
15/05/2024 08:34:18 INFO: --- Dependencies ----
15/05/2024 08:34:18 INFO: Installing apt-transport-https.
15/05/2024 08:34:23 INFO: Wazuh development repository added.
15/05/2024 08:34:23 INFO: --- Wazuh indexer ---
15/05/2024 08:34:23 INFO: Starting Wazuh indexer installation.
15/05/2024 08:35:35 INFO: Wazuh indexer installation finished.
15/05/2024 08:35:35 INFO: Wazuh indexer post-install configuration finished.
15/05/2024 08:35:35 INFO: Starting service wazuh-indexer.
15/05/2024 08:35:48 INFO: wazuh-indexer service started.
15/05/2024 08:35:48 INFO: Initializing Wazuh indexer cluster security settings.
15/05/2024 08:35:50 INFO: Wazuh indexer cluster initialized.
15/05/2024 08:35:50 INFO: Installation finished.

Cluster initialization

root@wazuh-indexer-pre:/home/vagrant# bash wazuh-install.sh --start-cluster
15/05/2024 08:37:57 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
15/05/2024 08:37:57 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/05/2024 08:37:59 INFO: Verifying that your system meets the recommended minimum hardware requirements.
15/05/2024 08:38:10 INFO: Wazuh indexer cluster security configuration initialized.
15/05/2024 08:38:36 INFO: Updating the internal users.
15/05/2024 08:38:38 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
15/05/2024 08:38:44 INFO: Wazuh indexer cluster started.

Testing the cluster installation

root@wazuh-indexer-pre:/home/vagrant# curl -k -u admin:PASSWORD https://172.16.1.31:9200
{
  "name" : "wazuh-indexer-pre",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "oIzMBIErRIqOQunRhyqs8A",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


root@wazuh-indexer-pre:/home/vagrant# curl -k -u admin:PASSWORD https://172.16.1.31:9200/_cat/nodes?v
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                               cluster_manager name
172.16.1.31           32          90   4    0.01    0.11     0.08 dimr      data,ingest,master,remote_cluster_client *               wazuh-indexer-pre

Indexer status

root@wazuh-indexer-pre:/home/vagrant# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-05-15 08:35:48 UTC; 4h 9min ago
       Docs: https://documentation.wazuh.com
   Main PID: 5490 (java)
      Tasks: 73 (limit: 2220)
     Memory: 1.2G
        CPU: 4min 1.728s
     CGroup: /system.slice/wazuh-indexer.service
             └─5490 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.c>

May 15 08:35:36 wazuh-indexer-pre systemd[1]: Starting Wazuh-indexer...
May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: A terminally deprecated method >
May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager has >
May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: Please consider reporting this >
May 15 08:35:38 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager will>
May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: A terminally deprecated method >
May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager has >
May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: Please consider reporting this >
May 15 08:35:39 wazuh-indexer-pre systemd-entrypoint[5490]: WARNING: System::setSecurityManager will>
May 15 08:35:48 wazuh-indexer-pre systemd[1]: Started Wazuh-indexer.

Note: Warnings in indexer status. - Known issue: wazuh/wazuh-packages#1749

Server 🟢

Wazuh server cluster installation

root@wazuh-master-pre:/home/vagrant# bash wazuh-install.sh --wazuh-server wazuh-master-pre
15/05/2024 08:52:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
15/05/2024 08:52:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/05/2024 08:52:17 INFO: Verifying that your system meets the recommended minimum hardware requirements.
15/05/2024 08:52:34 INFO: --- Dependencies ----
15/05/2024 08:52:34 INFO: Installing apt-transport-https.
15/05/2024 08:52:38 INFO: Wazuh development repository added.
15/05/2024 08:52:39 INFO: --- Wazuh server ---
15/05/2024 08:52:39 INFO: Starting the Wazuh manager installation.
15/05/2024 08:53:31 INFO: Wazuh manager installation finished.
15/05/2024 08:53:31 INFO: Wazuh manager vulnerability detection configuration finished.
15/05/2024 08:53:31 INFO: Starting service wazuh-manager.
15/05/2024 08:53:47 INFO: wazuh-manager service started.
15/05/2024 08:53:47 INFO: Starting Filebeat installation.
15/05/2024 08:54:08 INFO: Filebeat installation finished.
15/05/2024 08:54:10 INFO: Filebeat post-install configuration finished.
15/05/2024 08:54:36 INFO: Starting service filebeat.
15/05/2024 08:54:37 INFO: filebeat service started.
15/05/2024 08:54:37 INFO: Installation finished.

Manager status

root@wazuh-master-pre:/home/vagrant# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-05-15 08:54:33 UTC; 39s ago
      Tasks: 146 (limit: 2220)
     Memory: 1.3G
        CPU: 40.013s
     CGroup: /system.slice/wazuh-manager.service
             ├─50787 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─50788 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─50791 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─50794 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─50835 /var/ossec/bin/wazuh-authd
             ├─50852 /var/ossec/bin/wazuh-db
             ├─50877 /var/ossec/bin/wazuh-execd
             ├─50894 /var/ossec/bin/wazuh-analysisd
             ├─50937 /var/ossec/bin/wazuh-syscheckd
             ├─50955 /var/ossec/bin/wazuh-remoted
             ├─50992 /var/ossec/bin/wazuh-logcollector
             ├─51030 /var/ossec/bin/wazuh-monitord
             └─51084 /var/ossec/bin/wazuh-modulesd

May 15 08:54:26 wazuh-master-pre env[50731]: Started wazuh-analysisd...
May 15 08:54:27 wazuh-master-pre env[50731]: Started wazuh-syscheckd...
May 15 08:54:28 wazuh-master-pre env[50731]: Started wazuh-remoted...
May 15 08:54:29 wazuh-master-pre env[50731]: Started wazuh-logcollector...
May 15 08:54:30 wazuh-master-pre env[50731]: Started wazuh-monitord...
May 15 08:54:30 wazuh-master-pre env[51082]: 2024/05/15 08:54:30 wazuh-modulesd:router: INFO: Loade>
May 15 08:54:30 wazuh-master-pre env[51082]: 2024/05/15 08:54:30 wazuh-modulesd:content_manager: IN>
May 15 08:54:31 wazuh-master-pre env[50731]: Started wazuh-modulesd...
May 15 08:54:33 wazuh-master-pre env[50731]: Completed.
May 15 08:54:33 wazuh-master-pre systemd[1]: Started Wazuh manager.

Manager version

root@wazuh-master-pre:/home/vagrant# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40810"
WAZUH_TYPE="server"

Dashboard 🟢

Wazuh dashboard installation

root@wazuh-dashboard-pre:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh

root@wazuh-dashboard-pre:/home/vagrant# bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard-pre -o
15/05/2024 09:26:44 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
15/05/2024 09:26:44 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/05/2024 09:26:44 INFO: --- Removing existing Wazuh installation ---
15/05/2024 09:26:44 INFO: Removing Wazuh dashboard.
15/05/2024 09:26:49 INFO: Wazuh dashboard removed.
15/05/2024 09:26:49 INFO: Installation cleaned.
15/05/2024 09:26:49 INFO: Verifying that your system meets the recommended minimum hardware requirements.
15/05/2024 09:26:53 INFO: Wazuh web interface port will be 443.
15/05/2024 09:26:58 INFO: Wazuh development repository added.
15/05/2024 09:26:58 INFO: --- Wazuh dashboard ----
15/05/2024 09:26:58 INFO: Starting Wazuh dashboard installation.
15/05/2024 09:27:31 INFO: Wazuh dashboard installation finished.
15/05/2024 09:27:31 INFO: Wazuh dashboard post-install configuration finished.
15/05/2024 09:27:31 INFO: Starting service wazuh-dashboard.
15/05/2024 09:27:32 INFO: wazuh-dashboard service started.
15/05/2024 09:27:45 INFO: Initializing Wazuh dashboard web application.
15/05/2024 09:27:46 INFO: Wazuh dashboard web application initialized.
15/05/2024 09:27:46 INFO: --- Summary ---
15/05/2024 09:27:46 INFO: You can access the web interface https://172.16.1.32:443
    User: admin
    Password: PASSWORD
15/05/2024 09:27:46 INFO: Installation finished.

Dashboard status

root@wazuh-dashboard-pre:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-05-15 12:49:58 UTC; 4min 25s ago
   Main PID: 639 (node)
      Tasks: 11 (limit: 4558)
     Memory: 282.2M
        CPU: 6.180s
     CGroup: /system.slice/wazuh-dashboard.service
             └─639 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=655>

May 15 12:49:58 wazuh-dashboard-pre systemd[1]: Started wazuh-dashboard.
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:04 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:05 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->
May 15 12:50:05 wazuh-dashboard-pre opensearch-dashboards[639]: {"type":"log","@timestamp":"2024-05->

Dashboard interface

[santipadilla]

Initial checks 🟢

No error in manager 🟢

This warning appears when the manager starts:

2024/05/15 08:53:44 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-master-pre', retrying until the connection is successful.

But then the initialization is done correctly:

2024/05/15 08:54:31 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-master-pre.

All indices green 🟢

root@wazuh-master-pre:/home/vagrant# curl -k -u admin:PASSWORD https://172.16.1.31:9200/_cat/indices
green open wazuh-states-vulnerabilities-wazuh-master-pre 0QxdKOf3RZaliXx8S5VTNQ 1 0   0 0    208b    208b
green open .opensearch-observability                     8PGOhqzHSXuhCRyJlet4OQ 1 0   0 0    208b    208b
green open .plugins-ml-config                            IZXJTwnMTMexsZbfvkyeRA 1 0   1 0   3.9kb   3.9kb
green open wazuh-statistics-2024.20w                     5Bv7S4SbTAub0V_n2mMHpQ 1 0  18 0 179.6kb 179.6kb
green open wazuh-alerts-4.x-2024.05.15                   Yp3Yt5PRRjmCTUZGHwT0dQ 3 0 194 0 571.9kb 571.9kb
green open wazuh-monitoring-2024.20w                     Pq5EgjhYSZycEpQPtV8_mA 1 0   0 0    208b    208b
green open .opendistro_security                          P5EIXB7zTTGvc94FiUrH3A 1 0  10 1  44.1kb  44.1kb
green open .kibana_1                                     oXgdYsJnSAWOhg6fSwbLOA 1 0   6 1  69.8kb  69.8kb

[santipadilla]

macOS Sonoma Agent 🔴

Initial scan 🟢

Disable and enable VD 🟢

System package 🟡

sh-3.2# curl -o node-v20.2.0.pkg https://nodejs.org/dist/v20.2.0/node-v20.2.0.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 69.9M  100 69.9M    0     0  43.5M      0  0:00:01  0:00:01 --:--:-- 43.7M

sh-3.2# sudo installer -pkg node-v20.2.0.pkg -target /
installer: Package name is Node.js
installer: Installing at base path /
installer: The install was successful.

sh-3.2# node -v
v20.2.0

Note: No vulnerabilities detected. Known issue: #15798
This is an old issue with macOS. It's currently blocked, and won't be solved in 4.8.0

Python package 🔴

sh-3.2# python3 -m venv my_django_env

sh-3.2# source my_django_env/bin/activate
(my_django_env) sh-3.2# 
(my_django_env) sh-3.2# pip install Django==3.2.13
Collecting Django==3.2.13
  Downloading Django-3.2.13-py3-none-any.whl (7.9 MB)
     |████████████████████████████████| 7.9 MB 7.8 MB/s 
Collecting pytz
  Downloading pytz-2024.1-py2.py3-none-any.whl (505 kB)
     |████████████████████████████████| 505 kB 81.8 MB/s 
Collecting asgiref<4,>=3.3.2
  Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Collecting sqlparse>=0.2.2
  Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB)
     |████████████████████████████████| 43 kB 11.3 MB/s 
Collecting typing-extensions>=4
  Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB)
Installing collected packages: typing-extensions, sqlparse, pytz, asgiref, Django
Successfully installed Django-3.2.13 asgiref-3.8.1 pytz-2024.1 sqlparse-0.5.0 typing-extensions-4.11.0
WARNING: You are using pip version 21.2.4; however, version 24.0 is available.
You should consider upgrading via the '/Users/vagrant/my_django_env/bin/python3 -m pip install --upgrade pip' command.
(my_django_env) sh-3.2# django-admin --version
3.2.13

Note: It does not detect vulnerabilities and they do not appear in the inventory either.
New issue: #23507

NPM package 🟢

• Install package

sh-3.2# npm install -g [email protected]
npm WARN deprecated [email protected]: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

added 1 package in 362ms
npm notice 
npm notice New major version of npm available! 9.6.6 -> 10.7.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.7.0
npm notice Run npm install -g [email protected] to update!
npm notice 
sh-3.2# 
sh-3.2# npm list -g
/usr/local/lib
├── [email protected]
├── [email protected]
└── [email protected]

• Cves detected

{"timestamp":"2024-05-15T12:10:40.803+0000","rule":{"level":7,"description":"CVE-2019-10742 affects axios","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775040.1699688","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"snyk","cve":"CVE-2019-10742","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-755","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 0.18.1","name":"axios","source":"https://github.com/mzabriskie/axios","version":"0.6.0"},"published":"2019-05-07T19:29:00Z","rationale":"Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.","reference":"https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505, https://github.com/axios/axios/issues/1098, https://github.com/axios/axios/pull/1485","severity":"Medium","status":"Active","title":"CVE-2019-10742 affects axios","type":"Packages","updated":"2021-07-21T11:39:23Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-05-15T12:10:40.813+0000","rule":{"level":7,"description":"CVE-2020-28168 affects axios","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775040.1702115","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2020-28168","cvss":{"cvss2":{"base_score":"4.300000","vector":{"access_complexity":"MEDIUM","authentication":"NONE","availability":"NONE","confidentiality_impact":"PARTIAL","integrity_impact":"NONE"}}},"cwe_reference":"CWE-918","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 0.21.1","name":"axios","source":"https://github.com/mzabriskie/axios","version":"0.6.0"},"published":"2020-11-06T20:15:13Z","rationale":"Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.","reference":"https://github.com/axios/axios/issues/3369, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E","severity":"Medium","status":"Active","title":"CVE-2020-28168 affects axios","type":"Packages","updated":"2023-11-07T03:21:07Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-05-15T12:10:40.823+0000","rule":{"level":10,"description":"CVE-2021-3749 affects axios","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775040.1705369","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"@huntrdev","cve":"CVE-2021-3749","cvss":{"cvss2":{"base_score":"7.800000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-1333","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 0.21.2","name":"axios","source":"https://github.com/mzabriskie/axios","version":"0.6.0"},"published":"2021-08-31T11:15:07Z","rationale":"axios is vulnerable to Inefficient Regular Expression Complexity","reference":"https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31, https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://www.oracle.com/security-alerts/cpujul2022.html, https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a%40%3Cdev.druid.apache.org%3E, https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103%40%3Ccommits.druid.apache.org%3E","severity":"High","status":"Active","title":"CVE-2021-3749 affects axios","type":"Packages","updated":"2023-11-07T03:38:14Z"}},"location":"vulnerability-detector"}

• Uninstall package

sh-3.2# npm uninstall -g axios

removed 1 package in 95ms

sh-3.2# npm list -g
/usr/local/lib
├── [email protected]
└── [email protected]

• Mitigate vulnerabilities

{"timestamp":"2024-05-15T12:15:02.114+0000","rule":{"level":3,"description":"The CVE-2019-10742 that affected axios was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775302.1710435","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2019-10742","cvss":{"cvss2":{"base_score":"5"}},"enumeration":"CVE","package":{"architecture":" ","name":"axios","version":"0.6.0"},"published":"2019-05-07T19:29:00Z","reference":"https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505, https://github.com/axios/axios/issues/1098, https://github.com/axios/axios/pull/1485","severity":"Medium","status":"Solved","title":"CVE-2019-10742 affecting axios was solved","type":"Packages","updated":"2021-07-21T11:39:23Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-05-15T12:15:02.124+0000","rule":{"level":3,"description":"The CVE-2021-3749 that affected axios was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775302.1711840","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2021-3749","cvss":{"cvss2":{"base_score":"7.800000"}},"enumeration":"CVE","package":{"architecture":" ","name":"axios","version":"0.6.0"},"published":"2021-08-31T11:15:07Z","reference":"https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31, https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://www.oracle.com/security-alerts/cpujul2022.html, https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a%40%3Cdev.druid.apache.org%3E, https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103%40%3Ccommits.druid.apache.org%3E","severity":"High","status":"Solved","title":"CVE-2021-3749 affecting axios was solved","type":"Packages","updated":"2023-11-07T03:38:14Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-05-15T12:15:02.135+0000","rule":{"level":3,"description":"The CVE-2020-28168 that affected axios was solved due to a package removal/update or a system upgrade","id":"23502","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"agent1","ip":"192.168.64.10"},"manager":{"name":"ip-172-31-5-207"},"id":"1715775302.1716079","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2020-28168","cvss":{"cvss2":{"base_score":"4.300000"}},"enumeration":"CVE","package":{"architecture":" ","name":"axios","version":"0.6.0"},"published":"2020-11-06T20:15:13Z","reference":"https://github.com/axios/axios/issues/3369, https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf, https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E, https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E","severity":"Medium","status":"Solved","title":"CVE-2020-28168 affecting axios was solved","type":"Packages","updated":"2023-11-07T03:21:07Z"}},"location":"vulnerability-detector"}

[santipadilla]

Amazon Linux 2023 Agent 🟢

Installation 🟢

[root@amazon-agent-pre vagrant]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@amazon-agent-pre vagrant]# cat > /etc/yum.repos.d/wazuh.repo << EOF
> [wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
EOF

[root@amazon-agent-pre vagrant]# WAZUH_MANAGER="172.16.1.30" yum install wazuh-agent-4.8.0-1
EL-2023.3.20240304 - Wazuh                                                 5.8 MB/s |  25 MB     00:04    
Last metadata expiration check: 0:00:06 ago on Wed May 15 15:19:00 2024.
Dependencies resolved.
===========================================================================================================
 Package                     Architecture           Version                    Repository             Size
===========================================================================================================
Installing:
 wazuh-agent                 x86_64                 4.8.0-1                    wazuh                  10 M

Transaction Summary
===========================================================================================================
Install  1 Package

Total download size: 10 M
Installed size: 29 M
Is this ok [y/N]: y
Downloading Packages:
wazuh-agent-4.8.0-1.x86_64.rpm                                             4.4 MB/s |  10 MB     00:02    
-----------------------------------------------------------------------------------------------------------
Total                                                                      4.4 MB/s |  10 MB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                   1/1 
  Running scriptlet: wazuh-agent-4.8.0-1.x86_64                                                        1/1 
  Installing       : wazuh-agent-4.8.0-1.x86_64                                                        1/1 
  Running scriptlet: wazuh-agent-4.8.0-1.x86_64                                                        1/1 
  Verifying        : wazuh-agent-4.8.0-1.x86_64                                                        1/1 

Installed:
  wazuh-agent-4.8.0-1.x86_64                                                                               

Complete!

[root@amazon-agent-pre vagrant]# systemctl daemon-reload

[root@amazon-agent-pre vagrant]# systemctl enable wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /usr/lib/systemd/system/wazuh-agent.service.

[root@amazon-agent-pre vagrant]# systemctl start wazuh-agent

[root@amazon-agent-pre vagrant]# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-05-15 15:20:43 UTC; 46s ago
    Process: 5977 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 32 (limit: 2307)
     Memory: 322.9M
        CPU: 11.226s
     CGroup: /system.slice/wazuh-agent.service
             ├─6235 /var/ossec/bin/wazuh-execd
             ├─6247 /var/ossec/bin/wazuh-agentd
             ├─6261 /var/ossec/bin/wazuh-syscheckd
             ├─6276 /var/ossec/bin/wazuh-logcollector
             └─6294 /var/ossec/bin/wazuh-modulesd

May 15 15:20:35 amazon-agent-pre systemd[1]: Starting wazuh-agent.service - Wazuh agent...
May 15 15:20:35 amazon-agent-pre env[5977]: Starting Wazuh v4.8.0...
May 15 15:20:36 amazon-agent-pre env[5977]: Started wazuh-execd...
May 15 15:20:37 amazon-agent-pre env[5977]: Started wazuh-agentd...
May 15 15:20:38 amazon-agent-pre env[5977]: Started wazuh-syscheckd...
May 15 15:20:39 amazon-agent-pre env[5977]: Started wazuh-logcollector...
May 15 15:20:41 amazon-agent-pre env[5977]: Started wazuh-modulesd...
May 15 15:20:43 amazon-agent-pre env[5977]: Completed.
May 15 15:20:43 amazon-agent-pre systemd[1]: Started wazuh-agent.service - Wazuh agent.

[root@amazon-agent-pre vagrant]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40810"
WAZUH_TYPE="agent"

Initial scan 🟢

Disable and enable VD 🟢

System package 🟢

• Install package

[root@amazon-agent-pre vagrant]# sudo yum install -y httpd-2.4.55-1.amzn2023
Last metadata expiration check: 16:21:57 ago on Wed May 15 15:19:00 2024.
Dependencies resolved.
=========================================================================================================
 Package                      Architecture    Version                         Repository            Size
=========================================================================================================
Installing:
 httpd                        x86_64          2.4.55-1.amzn2023               amazonlinux           48 k
Installing dependencies:
 apr                          x86_64          1.7.2-2.amzn2023.0.2            amazonlinux          129 k
 apr-util                     x86_64          1.6.3-1.amzn2023.0.1            amazonlinux           98 k
 generic-logos-httpd          noarch          18.0.0-12.amzn2023.0.3          amazonlinux           19 k
 httpd-core                   x86_64          2.4.55-1.amzn2023               amazonlinux          1.4 M
 httpd-filesystem             noarch          2.4.55-1.amzn2023               amazonlinux           15 k
 httpd-tools                  x86_64          2.4.55-1.amzn2023               amazonlinux           82 k
 libbrotli                    x86_64          1.0.9-4.amzn2023.0.2            amazonlinux          315 k
 mailcap                      noarch          2.1.49-3.amzn2023.0.3           amazonlinux           33 k
Installing weak dependencies:
 apr-util-openssl             x86_64          1.6.3-1.amzn2023.0.1            amazonlinux           17 k
 mod_http2                    x86_64          2.0.11-2.amzn2023               amazonlinux          150 k
 mod_lua                      x86_64          2.4.55-1.amzn2023               amazonlinux           62 k

Transaction Summary
=========================================================================================================
Install  12 Packages

Total download size: 2.3 M
Installed size: 6.8 M
Downloading Packages:
(1/12): apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64.rpm                  98 kB/s |  17 kB     00:00    
(2/12): mod_http2-2.0.11-2.amzn2023.x86_64.rpm                           344 kB/s | 150 kB     00:00    
(3/12): apr-1.7.2-2.amzn2023.0.2.x86_64.rpm                              322 kB/s | 129 kB     00:00    
(4/12): apr-util-1.6.3-1.amzn2023.0.1.x86_64.rpm                         570 kB/s |  98 kB     00:00    
(5/12): httpd-2.4.55-1.amzn2023.x86_64.rpm                                58 kB/s |  48 kB     00:00    
(6/12): mod_lua-2.4.55-1.amzn2023.x86_64.rpm                              68 kB/s |  62 kB     00:00    
(7/12): httpd-tools-2.4.55-1.amzn2023.x86_64.rpm                          81 kB/s |  82 kB     00:01    
(8/12): libbrotli-1.0.9-4.amzn2023.0.2.x86_64.rpm                        255 kB/s | 315 kB     00:01    
(9/12): generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch.rpm            413 kB/s |  19 kB     00:00    
(10/12): mailcap-2.1.49-3.amzn2023.0.3.noarch.rpm                        502 kB/s |  33 kB     00:00    
(11/12): httpd-filesystem-2.4.55-1.amzn2023.noarch.rpm                    24 kB/s |  15 kB     00:00    
(12/12): httpd-core-2.4.55-1.amzn2023.x86_64.rpm                         689 kB/s | 1.4 MB     00:02    
---------------------------------------------------------------------------------------------------------
Total                                                                    506 kB/s | 2.3 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                 1/1 
  Installing       : apr-1.7.2-2.amzn2023.0.2.x86_64                                                1/12 
  Installing       : apr-util-1.6.3-1.amzn2023.0.1.x86_64                                           2/12 
  Installing       : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64                                   3/12 
  Installing       : mailcap-2.1.49-3.amzn2023.0.3.noarch                                           4/12 
  Installing       : httpd-tools-2.4.55-1.amzn2023.x86_64                                           5/12 
  Installing       : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch                              6/12 
  Running scriptlet: httpd-filesystem-2.4.55-1.amzn2023.noarch                                      7/12 
  Installing       : httpd-filesystem-2.4.55-1.amzn2023.noarch                                      7/12 
  Installing       : httpd-core-2.4.55-1.amzn2023.x86_64                                            8/12 
  Installing       : mod_http2-2.0.11-2.amzn2023.x86_64                                             9/12 
  Installing       : mod_lua-2.4.55-1.amzn2023.x86_64                                              10/12 
  Installing       : libbrotli-1.0.9-4.amzn2023.0.2.x86_64                                         11/12 
  Installing       : httpd-2.4.55-1.amzn2023.x86_64                                                12/12 
  Running scriptlet: httpd-2.4.55-1.amzn2023.x86_64                                                12/12 
  Verifying        : httpd-2.4.55-1.amzn2023.x86_64                                                 1/12 
  Verifying        : mod_http2-2.0.11-2.amzn2023.x86_64                                             2/12 
  Verifying        : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64                                   3/12 
  Verifying        : apr-1.7.2-2.amzn2023.0.2.x86_64                                                4/12 
  Verifying        : mod_lua-2.4.55-1.amzn2023.x86_64                                               5/12 
  Verifying        : apr-util-1.6.3-1.amzn2023.0.1.x86_64                                           6/12 
  Verifying        : httpd-tools-2.4.55-1.amzn2023.x86_64                                           7/12 
  Verifying        : libbrotli-1.0.9-4.amzn2023.0.2.x86_64                                          8/12 
  Verifying        : httpd-core-2.4.55-1.amzn2023.x86_64                                            9/12 
  Verifying        : httpd-filesystem-2.4.55-1.amzn2023.noarch                                     10/12 
  Verifying        : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch                             11/12 
  Verifying        : mailcap-2.1.49-3.amzn2023.0.3.noarch                                          12/12 
=========================================================================================================
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.3.20240312:
    Run the following command to upgrade to 2023.3.20240312:

      dnf upgrade --releasever=2023.3.20240312

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html

  Version 2023.4.20240319:
    Run the following command to upgrade to 2023.4.20240319:

      dnf upgrade --releasever=2023.4.20240319

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html

  Version 2023.4.20240401:
    Run the following command to upgrade to 2023.4.20240401:

      dnf upgrade --releasever=2023.4.20240401

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html

  Version 2023.4.20240416:
    Run the following command to upgrade to 2023.4.20240416:

      dnf upgrade --releasever=2023.4.20240416

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html

  Version 2023.4.20240429:
    Run the following command to upgrade to 2023.4.20240429:

      dnf upgrade --releasever=2023.4.20240429

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html

  Version 2023.4.20240513:
    Run the following command to upgrade to 2023.4.20240513:

      dnf upgrade --releasever=2023.4.20240513

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html

=========================================================================================================

Installed:
  apr-1.7.2-2.amzn2023.0.2.x86_64                  apr-util-1.6.3-1.amzn2023.0.1.x86_64                 
  apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64     generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch    
  httpd-2.4.55-1.amzn2023.x86_64                   httpd-core-2.4.55-1.amzn2023.x86_64                  
  httpd-filesystem-2.4.55-1.amzn2023.noarch        httpd-tools-2.4.55-1.amzn2023.x86_64                 
  libbrotli-1.0.9-4.amzn2023.0.2.x86_64            mailcap-2.1.49-3.amzn2023.0.3.noarch                 
  mod_http2-2.0.11-2.amzn2023.x86_64               mod_lua-2.4.55-1.amzn2023.x86_64                     

Complete!

[root@amazon-agent-pre vagrant]# httpd -v
Server version: Apache/2.4.55 (Amazon Linux)
Server built:   Feb 10 2023 00:00:00

• Uninstall package

[root@amazon-agent-pre vagrant]# sudo systemctl stop httpd
[root@amazon-agent-pre vagrant]# sudo systemctl disable httpd
[root@amazon-agent-pre vagrant]# sudo yum remove -y httpd
Dependencies resolved.
=========================================================================================================
 Package                     Architecture   Version                           Repository            Size
=========================================================================================================
Removing:
 httpd                       x86_64         2.4.55-1.amzn2023                 @amazonlinux          60 k
Removing unused dependencies:
 apr                         x86_64         1.7.2-2.amzn2023.0.2              @amazonlinux         297 k
 apr-util                    x86_64         1.6.3-1.amzn2023.0.1              @amazonlinux         217 k
 apr-util-openssl            x86_64         1.6.3-1.amzn2023.0.1              @amazonlinux          24 k
 generic-logos-httpd         noarch         18.0.0-12.amzn2023.0.3            @amazonlinux          21 k
 httpd-core                  x86_64         2.4.55-1.amzn2023                 @amazonlinux         4.7 M
 httpd-filesystem            noarch         2.4.55-1.amzn2023                 @amazonlinux         464  
 httpd-tools                 x86_64         2.4.55-1.amzn2023                 @amazonlinux         201 k
 libbrotli                   x86_64         1.0.9-4.amzn2023.0.2              @amazonlinux         771 k
 mailcap                     noarch         2.1.49-3.amzn2023.0.3             @amazonlinux          78 k
 mod_http2                   x86_64         2.0.11-2.amzn2023                 @amazonlinux         395 k
 mod_lua                     x86_64         2.4.55-1.amzn2023                 @amazonlinux         143 k

Transaction Summary
=========================================================================================================
Remove  12 Packages

Freed space: 6.8 M
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                 1/1 
  Running scriptlet: httpd-2.4.55-1.amzn2023.x86_64                                                 1/12 
  Erasing          : httpd-2.4.55-1.amzn2023.x86_64                                                 1/12 
  Running scriptlet: httpd-2.4.55-1.amzn2023.x86_64                                                 1/12 
  Erasing          : mod_lua-2.4.55-1.amzn2023.x86_64                                               2/12 
  Erasing          : mod_http2-2.0.11-2.amzn2023.x86_64                                             3/12 
  Erasing          : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch                              4/12 
  Erasing          : httpd-core-2.4.55-1.amzn2023.x86_64                                            5/12 
  Erasing          : httpd-tools-2.4.55-1.amzn2023.x86_64                                           6/12 
  Erasing          : mailcap-2.1.49-3.amzn2023.0.3.noarch                                           7/12 
  Erasing          : httpd-filesystem-2.4.55-1.amzn2023.noarch                                      8/12 
  Erasing          : apr-util-1.6.3-1.amzn2023.0.1.x86_64                                           9/12 
  Erasing          : apr-1.7.2-2.amzn2023.0.2.x86_64                                               10/12 
  Erasing          : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64                                  11/12 
  Erasing          : libbrotli-1.0.9-4.amzn2023.0.2.x86_64                                         12/12 
  Running scriptlet: libbrotli-1.0.9-4.amzn2023.0.2.x86_64                                         12/12 
  Verifying        : apr-1.7.2-2.amzn2023.0.2.x86_64                                                1/12 
  Verifying        : apr-util-1.6.3-1.amzn2023.0.1.x86_64                                           2/12 
  Verifying        : apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64                                   3/12 
  Verifying        : generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch                              4/12 
  Verifying        : httpd-2.4.55-1.amzn2023.x86_64                                                 5/12 
  Verifying        : httpd-core-2.4.55-1.amzn2023.x86_64                                            6/12 
  Verifying        : httpd-filesystem-2.4.55-1.amzn2023.noarch                                      7/12 
  Verifying        : httpd-tools-2.4.55-1.amzn2023.x86_64                                           8/12 
  Verifying        : libbrotli-1.0.9-4.amzn2023.0.2.x86_64                                          9/12 
  Verifying        : mailcap-2.1.49-3.amzn2023.0.3.noarch                                          10/12 
  Verifying        : mod_http2-2.0.11-2.amzn2023.x86_64                                            11/12 
  Verifying        : mod_lua-2.4.55-1.amzn2023.x86_64                                              12/12 
=========================================================================================================
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.3.20240312:
    Run the following command to upgrade to 2023.3.20240312:

      dnf upgrade --releasever=2023.3.20240312

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html

  Version 2023.4.20240319:
    Run the following command to upgrade to 2023.4.20240319:

      dnf upgrade --releasever=2023.4.20240319

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html

  Version 2023.4.20240401:
    Run the following command to upgrade to 2023.4.20240401:

      dnf upgrade --releasever=2023.4.20240401

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html

  Version 2023.4.20240416:
    Run the following command to upgrade to 2023.4.20240416:

      dnf upgrade --releasever=2023.4.20240416

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html

  Version 2023.4.20240429:
    Run the following command to upgrade to 2023.4.20240429:

      dnf upgrade --releasever=2023.4.20240429

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html

  Version 2023.4.20240513:
    Run the following command to upgrade to 2023.4.20240513:

      dnf upgrade --releasever=2023.4.20240513

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html

=========================================================================================================

Removed:
  apr-1.7.2-2.amzn2023.0.2.x86_64                  apr-util-1.6.3-1.amzn2023.0.1.x86_64                 
  apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64     generic-logos-httpd-18.0.0-12.amzn2023.0.3.noarch    
  httpd-2.4.55-1.amzn2023.x86_64                   httpd-core-2.4.55-1.amzn2023.x86_64                  
  httpd-filesystem-2.4.55-1.amzn2023.noarch        httpd-tools-2.4.55-1.amzn2023.x86_64                 
  libbrotli-1.0.9-4.amzn2023.0.2.x86_64            mailcap-2.1.49-3.amzn2023.0.3.noarch                 
  mod_http2-2.0.11-2.amzn2023.x86_64               mod_lua-2.4.55-1.amzn2023.x86_64                     

Complete!

Python package 🟢

• Install package

[root@amazon-agent-pre vagrant]# sudo yum install -y python3-pip
Last metadata expiration check: 16:39:53 ago on Wed May 15 15:19:00 2024.
Dependencies resolved.
=========================================================================================================
 Package                    Architecture     Version                         Repository             Size
=========================================================================================================
Installing:
 python3-pip                noarch           21.3.1-2.amzn2023.0.7           amazonlinux           1.8 M
Installing weak dependencies:
 libxcrypt-compat           x86_64           4.4.33-7.amzn2023               amazonlinux            92 k

Transaction Summary
=========================================================================================================
Install  2 Packages

Total download size: 1.9 M
Installed size: 11 M
Downloading Packages:
(1/2): libxcrypt-compat-4.4.33-7.amzn2023.x86_64.rpm                     277 kB/s |  92 kB     00:00    
(2/2): python3-pip-21.3.1-2.amzn2023.0.7.noarch.rpm                      799 kB/s | 1.8 MB     00:02    
---------------------------------------------------------------------------------------------------------
Total                                                                    547 kB/s | 1.9 MB     00:03     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                 1/1 
  Installing       : libxcrypt-compat-4.4.33-7.amzn2023.x86_64                                       1/2 
  Installing       : python3-pip-21.3.1-2.amzn2023.0.7.noarch                                        2/2 
  Running scriptlet: python3-pip-21.3.1-2.amzn2023.0.7.noarch                                        2/2 
  Verifying        : libxcrypt-compat-4.4.33-7.amzn2023.x86_64                                       1/2 
  Verifying        : python3-pip-21.3.1-2.amzn2023.0.7.noarch                                        2/2 
=========================================================================================================
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.3.20240312:
    Run the following command to upgrade to 2023.3.20240312:

      dnf upgrade --releasever=2023.3.20240312

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html

  Version 2023.4.20240319:
    Run the following command to upgrade to 2023.4.20240319:

      dnf upgrade --releasever=2023.4.20240319

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html

  Version 2023.4.20240401:
    Run the following command to upgrade to 2023.4.20240401:

      dnf upgrade --releasever=2023.4.20240401

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html

  Version 2023.4.20240416:
    Run the following command to upgrade to 2023.4.20240416:

      dnf upgrade --releasever=2023.4.20240416

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html

  Version 2023.4.20240429:
    Run the following command to upgrade to 2023.4.20240429:

      dnf upgrade --releasever=2023.4.20240429

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html

  Version 2023.4.20240513:
    Run the following command to upgrade to 2023.4.20240513:

      dnf upgrade --releasever=2023.4.20240513

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html

=========================================================================================================

Installed:
  libxcrypt-compat-4.4.33-7.amzn2023.x86_64           python3-pip-21.3.1-2.amzn2023.0.7.noarch          

Complete!

[root@amazon-agent-pre vagrant]# pip3 --version
pip 21.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[root@amazon-agent-pre vagrant]# 
[root@amazon-agent-pre vagrant]# python3 -m pip install Django==3.2.13
Collecting Django==3.2.13
  Downloading Django-3.2.13-py3-none-any.whl (7.9 MB)
     |████████████████████████████████| 7.9 MB 829 kB/s            
Collecting asgiref<4,>=3.3.2
  Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Requirement already satisfied: pytz in /usr/lib/python3.9/site-packages (from Django==3.2.13) (2022.7.1)
Collecting sqlparse>=0.2.2
  Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB)
     |████████████████████████████████| 43 kB 649 kB/s            
Collecting typing-extensions>=4
  Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB)
Installing collected packages: typing-extensions, sqlparse, asgiref, Django
Successfully installed Django-3.2.13 asgiref-3.8.1 sqlparse-0.5.0 typing-extensions-4.11.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[root@amazon-agent-pre vagrant]# django-admin --version
3.2.13

• Uninstall package

[root@amazon-agent-pre vagrant]# python3 -m pip uninstall Django
Found existing installation: Django 3.2.13
Uninstalling Django-3.2.13:
  Would remove:
    /usr/local/bin/django-admin
    /usr/local/bin/django-admin.py
    /usr/local/lib/python3.9/site-packages/Django-3.2.13.dist-info/*
    /usr/local/lib/python3.9/site-packages/django/*
Proceed (Y/n)? Y
  Successfully uninstalled Django-3.2.13
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

NPM package 🟢

• Install package

[root@amazon-agent-pre vagrant]# npm install -g [email protected]
npm warn deprecated [email protected]: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

added 1 package in 2s
npm notice
npm notice New minor version of npm available! 10.7.0 -> 10.8.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.8.0
npm notice To update run: npm install -g [email protected]
npm notice

• Cves detected

• Uninstall package

[root@amazon-agent-pre vagrant]# npm uninstall -g axios

removed 1 package in 216ms

• Mitigate vulnerabilities

[santipadilla]

Windows Server 2019 Agent 🟢

Installation 🟢

PS C:\Users\vagrant> Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.8.0-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q
WAZUH_MANAGER='172.16.1.30'

PS C:\Users\vagrant> NET START Wazuh
The Wazuh service is starting.
The Wazuh service was started successfully.

PS C:\Users\vagrant> Get-Service -DisplayName *Wazuh*

Status   Name           	DisplayName
------   ----           	-----------
Running  WazuhSvc       	Wazuh

Initial scan 🟢

Disable and enable VD 🟢

System package 🟢

• Installation

• Uninstallation

Python package 🟢

• Installation

• Uninstallation

NPM package 🟢

• Install package

• Cves detected

• Uninstall package

• Mitigate vulnerabilities

[santipadilla]

Ubuntu 20.04 Agent 🟢

Installation 🟢

root@ubuntu-agent-pre:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

root@ubuntu-agent-pre:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main

root@ubuntu-agent-pre:/home/vagrant# apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease                 
Get:2 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages [979 kB]
Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.8 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [3,328 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [524 kB]       
Get:9 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [17.2 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [2,946 kB]
Get:11 https://packages-dev.wazuh.com/pre-release/apt unstable/main i386 Packages [11.1 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted i386 Packages [37.7 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted Translation-en [412 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 c-n-f Metadata [552 B]
Get:15 http://us.archive.ubuntu.com/ubuntu focal-updates/universe i386 Packages [784 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,187 kB]
Get:17 http://us.archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [284 kB]
Get:18 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [25.7 kB]
Get:19 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse i386 Packages [8,444 B]
Get:20 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [26.2 kB]
Get:21 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse Translation-en [7,880 B]
Get:22 http://us.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 c-n-f Metadata [620 B]
Get:23 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:24 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [2,951 kB]              
Get:25 http://security.ubuntu.com/ubuntu focal-security/main i386 Packages [754 kB]                 
Get:26 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [442 kB]                
Get:27 http://security.ubuntu.com/ubuntu focal-security/main amd64 c-n-f Metadata [13.2 kB]         
Get:28 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [2,830 kB]        
Get:29 http://security.ubuntu.com/ubuntu focal-security/restricted i386 Packages [36.4 kB]          
Get:30 http://security.ubuntu.com/ubuntu focal-security/restricted Translation-en [396 kB]          
Get:31 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 c-n-f Metadata [552 B]     
Get:32 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [961 kB]            
Get:33 http://security.ubuntu.com/ubuntu focal-security/universe i386 Packages [657 kB]             
Get:34 http://security.ubuntu.com/ubuntu focal-security/universe Translation-en [202 kB]            
Get:35 http://security.ubuntu.com/ubuntu focal-security/universe amd64 c-n-f Metadata [19.2 kB]     
Get:36 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [24.0 kB]         
Get:37 http://security.ubuntu.com/ubuntu focal-security/multiverse i386 Packages [7,200 B]          
Get:38 http://security.ubuntu.com/ubuntu focal-security/multiverse Translation-en [5,904 B]         
Get:39 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [548 B]     
Fetched 20.3 MB in 8s (2,502 kB/s)                                                                  
Reading package lists... Done

root@ubuntu-agent-pre:/home/vagrant# WAZUH_MANAGER="172.16.1.30" apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 120 not upgraded.
Need to get 10.3 MB of archives.
After this operation, 34.0 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.8.0-1 [10.3 MB]
Fetched 10.3 MB in 8s (1,315 kB/s)      
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 111955 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
Processing triggers for systemd (245.4-4ubuntu3.22) ...

root@ubuntu-agent-pre:/home/vagrant# systemctl daemon-reload

root@ubuntu-agent-pre:/home/vagrant# systemctl enable wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.

root@ubuntu-agent-pre:/home/vagrant# systemctl start wazuh-agent
root@ubuntu-agent-pre:/home/vagrant# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-05-16 11:39:02 UTC; 11s ago
    Process: 3096 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/S>
      Tasks: 28 (limit: 2257)
     Memory: 17.6M
     CGroup: /system.slice/wazuh-agent.service
             ├─3134 /var/ossec/bin/wazuh-execd
             ├─3145 /var/ossec/bin/wazuh-agentd
             ├─3158 /var/ossec/bin/wazuh-syscheckd
             ├─3171 /var/ossec/bin/wazuh-logcollector
             └─3188 /var/ossec/bin/wazuh-modulesd

May 16 11:38:55 ubuntu-agent-pre systemd[1]: Starting Wazuh agent...
May 16 11:38:55 ubuntu-agent-pre env[3096]: Starting Wazuh v4.8.0...
May 16 11:38:56 ubuntu-agent-pre env[3096]: Started wazuh-execd...
May 16 11:38:57 ubuntu-agent-pre env[3096]: Started wazuh-agentd...
May 16 11:38:58 ubuntu-agent-pre env[3096]: Started wazuh-syscheckd...
May 16 11:38:59 ubuntu-agent-pre env[3096]: Started wazuh-logcollector...
May 16 11:39:00 ubuntu-agent-pre env[3096]: Started wazuh-modulesd...
May 16 11:39:02 ubuntu-agent-pre env[3096]: Completed.
May 16 11:39:02 ubuntu-agent-pre systemd[1]: Started Wazuh agent.

root@ubuntu-agent-pre:/home/vagrant# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40810"
WAZUH_TYPE="agent"

Initial scan 🟢

Disable and enable VD 🟢

System package 🟢

• Installation

root@ubuntu-agent-pre:/home/vagrant# sudo apt install apparmor
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  apparmor-profiles-extra apparmor-utils
The following NEW packages will be installed:
  apparmor
0 upgraded, 1 newly installed, 0 to remove and 118 not upgraded.
Need to get 502 kB of archives.
After this operation, 2,020 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 apparmor amd64 2.13.3-7ubuntu5.3 [502 kB]
Fetched 502 kB in 1s (581 kB/s)   
Preconfiguring packages ...
Selecting previously unselected package apparmor.
(Reading database ... 146284 files and directories currently installed.)
Preparing to unpack .../apparmor_2.13.3-7ubuntu5.3_amd64.deb ...
Unpacking apparmor (2.13.3-7ubuntu5.3) ...
Setting up apparmor (2.13.3-7ubuntu5.3) ...
Reloading AppArmor profiles 
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.22) ...

Note: Same number of vulnerabilities because the package was already installed, the vulnerability has been resolved and has been activated. 🟢

• Uninstallation

root@ubuntu-agent-pre:/home/vagrant# sudo apt remove apparmor
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  apparmor
0 upgraded, 0 newly installed, 1 to remove and 118 not upgraded.
After this operation, 2,020 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 146312 files and directories currently installed.)
Removing apparmor (2.13.3-7ubuntu5.3) ...
Processing triggers for man-db (2.9.1-1) ...

Python package 🟢

• Installation

root@ubuntu-agent-pre:/home/vagrant# python3 -m pip install Django==3.2.13
Collecting Django==3.2.13
  Downloading Django-3.2.13-py3-none-any.whl (7.9 MB)
     |████████████████████████████████| 7.9 MB 3.2 MB/s 
Collecting sqlparse>=0.2.2
  Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB)
     |████████████████████████████████| 43 kB 5.4 MB/s 
Collecting asgiref<4,>=3.3.2
  Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Collecting pytz
  Downloading pytz-2024.1-py2.py3-none-any.whl (505 kB)
     |████████████████████████████████| 505 kB 30.6 MB/s 
Collecting typing-extensions>=4; python_version < "3.11"
  Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB)
Installing collected packages: sqlparse, typing-extensions, asgiref, pytz, Django
Successfully installed Django-3.2.13 asgiref-3.8.1 pytz-2024.1 sqlparse-0.5.0 typing-extensions-4.11.0

• Uninstall

root@ubuntu-agent-pre:/home/vagrant# python3 -m pip uninstall Django
Found existing installation: Django 3.2.13
Uninstalling Django-3.2.13:
  Would remove:
    /usr/local/bin/django-admin
    /usr/local/bin/django-admin.py
    /usr/local/lib/python3.8/dist-packages/Django-3.2.13.dist-info/*
    /usr/local/lib/python3.8/dist-packages/django/*
Proceed (y/n)? y
  Successfully uninstalled Django-3.2.13

NPM package 🟢

• Install package

root@ubuntu-agent-pre:/home/vagrant# curl -sL https://deb.nodesource.com/setup_18.x | sudo -E bash -
2024-05-16 14:23:55 - Installing pre-requisites
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:4 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,186 kB]
Hit:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease
Hit:6 http://security.ubuntu.com/ubuntu focal-security InRelease
Fetched 1,300 kB in 6s (231 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20230311ubuntu0.20.04.1).
gnupg is already the newest version (2.2.19-3ubuntu2.2).
The following additional packages will be installed:
  libcurl4
The following NEW packages will be installed:
  apt-transport-https
The following packages will be upgraded:
  curl libcurl4
2 upgraded, 1 newly installed, 0 to remove and 110 not upgraded.
Need to get 398 kB of archives.
After this operation, 162 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 apt-transport-https all 2.0.10 [1,704 B]
Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 curl amd64 7.68.0-1ubuntu2.22 [161 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libcurl4 amd64 7.68.0-1ubuntu2.22 [235 kB]
Fetched 398 kB in 1s (434 kB/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 152732 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_2.0.10_all.deb ...
Unpacking apt-transport-https (2.0.10) ...
Preparing to unpack .../curl_7.68.0-1ubuntu2.22_amd64.deb ...
Unpacking curl (7.68.0-1ubuntu2.22) over (7.68.0-1ubuntu2.20) ...
Preparing to unpack .../libcurl4_7.68.0-1ubuntu2.22_amd64.deb ...
Unpacking libcurl4:amd64 (7.68.0-1ubuntu2.22) over (7.68.0-1ubuntu2.20) ...
Setting up apt-transport-https (2.0.10) ...
Setting up libcurl4:amd64 (7.68.0-1ubuntu2.22) ...
Setting up curl (7.68.0-1ubuntu2.22) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.12) ...
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease          
Get:3 https://deb.nodesource.com/node_18.x nodistro InRelease [12.1 kB]                             
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease                                   
Get:5 https://deb.nodesource.com/node_18.x nodistro/main amd64 Packages [8,669 B]
Hit:6 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease  
Hit:7 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease
Fetched 20.8 kB in 1s (18.5 kB/s)
Reading package lists... Done
2024-05-16 14:24:08 - Repository configured successfully. To install Node.js, run: apt-get install nodejs -y
root@ubuntu-agent-pre:/home/vagrant# 
root@ubuntu-agent-pre:/home/vagrant# sudo apt install -y nodejs
Reading package lists... Done
Building dependency tree... 50%
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  nodejs
0 upgraded, 1 newly installed, 0 to remove and 110 not upgraded.
Need to get 29.6 MB of archives.
After this operation, 187 MB of additional disk space will be used.
Get:1 https://deb.nodesource.com/node_18.x nodistro/main amd64 nodejs amd64 18.20.2-1nodesource1 [29.6 MB]
Fetched 29.6 MB in 1s (32.6 MB/s) 
Selecting previously unselected package nodejs.
(Reading database ... 152736 files and directories currently installed.)
Preparing to unpack .../nodejs_18.20.2-1nodesource1_amd64.deb ...
Unpacking nodejs (18.20.2-1nodesource1) ...
Setting up nodejs (18.20.2-1nodesource1) ...
Processing triggers for man-db (2.9.1-1) ...

root@ubuntu-agent-pre:/home/vagrant# npm -v
10.5.0
 
root@ubuntu-agent-pre:/home/vagrant# npm install -g [email protected]
npm WARN deprecated [email protected]: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

added 1 package in 1s
npm notice 
npm notice New minor version of npm available! 10.5.0 -> 10.8.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.8.0
npm notice Run npm install -g [email protected] to update!
npm notice 

root@ubuntu-agent-pre:/home/vagrant# npm list -g
/usr/lib
├── [email protected]
├── [email protected]
└── [email protected]

• Cves detected

• Uninstall package

root@ubuntu-agent-pre:/home/vagrant# npm uninstall -g axios

removed 1 package in 193ms
root@ubuntu-agent-pre:/home/vagrant# npm list -g
/usr/lib
├── [email protected]
└── [email protected]

• Mitigate vulnerabilities

[santipadilla]

Proof of concept 🟢

Agent Information 🟢

root@debian-agent-pre:/home/vagrant# cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@debian-agent-pre:/home/vagrant# lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  1
  On-line CPU(s) list:   0
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz
    BIOS Model name:       CPU @ 0.0GHz
    BIOS CPU family:     0
    CPU family:          6
    Model:               165
    Thread(s) per core:  1
    Core(s) per socket:  1
    Socket(s):           1
    Stepping:            2
    BogoMIPS:            5184.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clfl
                         ush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xto
                         pology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq monitor ssse3 cx16 pci
                         d sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm 
                         abm 3dnowprefetch invpcid_single pti fsgsbase bmi1 avx2 bmi2 invpcid rdseed 
                         clflushopt md_clear flush_l1d arch_capabilities
Virtualization features: 
  Hypervisor vendor:     KVM
  Virtualization type:   full
Caches (sum of all):     
  L1d:                   32 KiB (1 instance)
  L1i:                   32 KiB (1 instance)
  L2:                    256 KiB (1 instance)
  L3:                    12 MiB (1 instance)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0
Vulnerabilities:         
  Gather data sampling:  Unknown: Dependent on hypervisor status
  Itlb multihit:         KVM: Mitigation: VMX unsupported
  L1tf:                  Mitigation; PTE Inversion
  Mds:                   Mitigation; Clear CPU buffers; SMT Host state unknown
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT Host state unknown
  Retbleed:              Vulnerable
  Spec rstack overflow:  Not affected
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affecte
                         d
  Srbds:                 Unknown: Dependent on hypervisor status
  Tsx async abort:       Not affected

root@debian-agent-pre:/home/vagrant# free -h
               total        used        free      shared  buff/cache   available
Mem:           1.9Gi       309Mi       1.0Gi       476Ki       760Mi       1.6Gi
Swap:          1.9Gi          0B       1.9Gi

root@debian-agent-pre:/home/vagrant# df --total -h
Filesystem      Size  Used Avail Use% Mounted on
udev            962M     0  962M   0% /dev
tmpfs           197M  476K  197M   1% /run
/dev/sda3       124G  2.3G  115G   2% /
tmpfs           984M     0  984M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
/dev/sda1       447M  172M  246M  42% /boot
tmpfs           197M     0  197M   0% /run/user/1000
total           126G  2.5G  118G   3% -

Agent installation 🟢

root@debian-agent-pre:/home/vagrant# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

root@debian-agent-pre:/home/vagrant# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main" | tee -a /etc/apt/sources.list.d/wazuh.list
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
root@debian-agent-pre:/home/vagrant# 
root@debian-agent-pre:/home/vagrant# apt-get update
Get:1 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB]                                      
Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]                             
Get:4 http://security.debian.org/debian-security bookworm-security/main Sources [96.0 kB]
Get:5 http://deb.debian.org/debian bookworm/main Sources [9,489 kB]                       
Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [156 kB]
Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [92.9 kB]
Get:8 http://deb.debian.org/debian bookworm-updates/main Sources.diff/Index [10.6 kB]               
Get:9 http://deb.debian.org/debian bookworm-updates/main amd64 Packages.diff/Index [10.6 kB]
Get:10 http://deb.debian.org/debian bookworm-updates/main Translation-en.diff/Index [10.6 kB]
Get:11 http://deb.debian.org/debian bookworm-updates/main Sources T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [831 B]
Get:12 http://deb.debian.org/debian bookworm-updates/main amd64 Packages T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [1,595 B]
Get:13 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:11 http://deb.debian.org/debian bookworm-updates/main Sources T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [831 B]
Get:12 http://deb.debian.org/debian bookworm-updates/main amd64 Packages T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [1,595 B]
Get:14 http://deb.debian.org/debian bookworm-updates/main Translation-en T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [2,563 B]
Get:14 http://deb.debian.org/debian bookworm-updates/main Translation-en T-2024-04-23-2036.10-F-2024-04-23-2036.10.pdiff [2,563 B]
Get:15 http://deb.debian.org/debian bookworm/main amd64 Packages [8,786 kB]
Get:16 http://deb.debian.org/debian bookworm/main Translation-en [6,109 kB]
Get:17 http://deb.debian.org/debian bookworm-updates/non-free-firmware Sources [2,076 B]
Get:18 http://deb.debian.org/debian bookworm-updates/non-free-firmware amd64 Packages [616 B]
Get:19 http://deb.debian.org/debian bookworm-updates/non-free-firmware Translation-en [384 B]
Get:20 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.8 kB]
Fetched 25.1 MB in 3s (8,732 kB/s)                          
Reading package lists... Done
N: Repository 'http://deb.debian.org/debian bookworm InRelease' changed its 'Version' value from '12.4' to '12.5'

root@debian-agent-pre:/home/vagrant# WAZUH_MANAGER="172.16.1.30" apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 50 not upgraded.
Need to get 10.3 MB of archives.
After this operation, 34.0 MB of additional disk space will be used.
Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-agent amd64 4.8.0-1 [10.3 MB]
Fetched 10.3 MB in 2s (4,158 kB/s)      
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 60505 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.8.0-1_amd64.deb ...
Unpacking wazuh-agent (4.8.0-1) ...
Setting up wazuh-agent (4.8.0-1) ...
 
root@debian-agent-pre:/home/vagrant# systemctl daemon-reload

root@debian-agent-pre:/home/vagrant# systemctl enable wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.
root@debian-agent-pre:/home/vagrant# 
root@debian-agent-pre:/home/vagrant# systemctl start wazuh-agent
root@debian-agent-pre:/home/vagrant# 
root@debian-agent-pre:/home/vagrant# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-05-16 14:46:03 UTC; 6s ago
    Process: 3862 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/S>
      Tasks: 28 (limit: 2307)
     Memory: 31.1M
        CPU: 1.668s
     CGroup: /system.slice/wazuh-agent.service
             ├─3885 /var/ossec/bin/wazuh-execd
             ├─3896 /var/ossec/bin/wazuh-agentd
             ├─3909 /var/ossec/bin/wazuh-syscheckd
             ├─3922 /var/ossec/bin/wazuh-logcollector
             └─3939 /var/ossec/bin/wazuh-modulesd

May 16 14:45:56 debian-agent-pre systemd[1]: Starting wazuh-agent.service - Wazuh agent...
May 16 14:45:56 debian-agent-pre env[3862]: Starting Wazuh v4.8.0...
May 16 14:45:57 debian-agent-pre env[3862]: Started wazuh-execd...
May 16 14:45:58 debian-agent-pre env[3862]: Started wazuh-agentd...
May 16 14:45:59 debian-agent-pre env[3862]: Started wazuh-syscheckd...
May 16 14:46:00 debian-agent-pre env[3862]: Started wazuh-logcollector...
May 16 14:46:01 debian-agent-pre env[3862]: Started wazuh-modulesd...
May 16 14:46:03 debian-agent-pre env[3862]: Completed.
May 16 14:46:03 debian-agent-pre systemd[1]: Started wazuh-agent.service - Wazuh agent.

root@debian-agent-pre:/home/vagrant# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40810"
WAZUH_TYPE="agent"

Configuration 🟢

• Manager

<vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://172.16.1.31:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-master-pre.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-master-pre-key.pem</key>
    </ssl>
  </indexer>

• Debian Agent

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

Initial scan 🟢

Package uninstallation 🟢

Note: That version of vim was already pre-installed in Debian 12 so we proceed to uninstall it first.

root@debian-agent-pre:/home/vagrant# sudo apt remove vim
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libsodium23 vim-runtime
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  vim
0 upgraded, 0 newly installed, 1 to remove and 50 not upgraded.
After this operation, 3,738 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 60909 files and directories currently installed.)
Removing vim (2:9.0.1378-2) ...
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/view (view) in auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/vi (vi) in auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/rview (rview) in auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/ex (ex) in auto mode

• Cves solved

Package installation 🟢

root@debian-agent-pre:/home/vagrant# sudo apt install vim=2:9.0.1378-2
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  ctags vim-doc vim-scripts
The following NEW packages will be installed:
  vim
0 upgraded, 1 newly installed, 0 to remove and 50 not upgraded.
Need to get 0 B/1,567 kB of archives.
After this operation, 3,738 kB of additional disk space will be used.
Selecting previously unselected package vim.
(Reading database ... 60900 files and directories currently installed.)
Preparing to unpack .../vim_2%3a9.0.1378-2_amd64.deb ...
Unpacking vim (2:9.0.1378-2) ...
Setting up vim (2:9.0.1378-2) ...
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/ex (ex) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rview (rview) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rvim (rvim) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vi (vi) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/view (view) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vim (vim) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vimdiff (vimdiff) in auto mode

• Cves detected

Dashboard filters 🟢

• package.name:vim

• Active vulnerability alerts – data.vulnerability.package.name: vim AND data.vulnerability.status:Active

• Solved vulnerability alerts – data.vulnerability.package.name: vim AND data.vulnerability.status:Solved

[sebasfalcone]

Feedback

• Testing looks good and also really well presented, awesome job
• About macOS not detecting System packages:
  • Enable detect installed packages on MacOS #15798
  • This is an old issue with macOS. It's currently blocked, and won't be solved in 4.8.0
  • We can add this to the notes
• About macOS not detecting Python packages:
  • It's weird that it did detect npm packages but not the python ones (is the python package on the inventory?)

[santipadilla]

Hi @sebasfalcone, about macOS Sonoma:

• System packages: note added in the commentary and in the conclusion.
• Python packages: It does not detect vulnerabilities and they do not appear in the inventory either.
  • I have opened an issue about it.

Thanks you!

[sebasfalcone]

Feedback

@GabrielEValenzuela pointed out that the Python package was installed on a virtual environment

We need to repeat the test without the use of the virtual environment to validate the issue

[santipadilla]

@sebasfalcone Hi, it has been tested with and without virtual environment and with different packages. In no case are they detected. I have added the comment in the issue.

[sebasfalcone]

Feedback

Thanks @santipadilla! Testing LGTM

[juliamagan]

LGTM