
MALW-3280 - Does not find wazuh-agent #1581

Open
vk6xebec opened this issue Nov 28, 2024 · 2 comments

Comments

@vk6xebec
Contributor

Describe the bug
'wazuh-agent' not found despite it running as part of MALW-3280

Version

  • Distribution [e.g. Ubuntu 24.10]
  • Lynis version [e.g. 3.1.2]

Expected behavior
Result passes

Output

2024-11-27 11:53:48 IsRunning: process 'wazuh-agent' not found
2024-11-27 11:53:48 Result: no commercial anti-virus tools found
2024-11-27 11:53:48 Hardening: assigned partial number of hardening points (0 of 3). Currently having 352 points (out of 363)

Additional context

root@ub2410test:~# sudo systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-11-27 23:46:02 AWST; 12h ago
 Invocation: 6dd5de4195ce4403835b99a52fb106d3
      Tasks: 28 (limit: 3936)
     Memory: 24.6M (peak: 26.9M)
        CPU: 1min 17.763s
     CGroup: /system.slice/wazuh-agent.service
             ├─361351 /var/ossec/bin/wazuh-execd
             ├─361715 /var/ossec/bin/wazuh-agentd
             ├─362154 /var/ossec/bin/wazuh-syscheckd
             ├─362611 /var/ossec/bin/wazuh-logcollector
             └─362994 /var/ossec/bin/wazuh-modulesd

Nov 27 23:45:53 ub2410test.home systemd[1]: Starting wazuh-agent.service - Wazuh agent...
Nov 27 23:45:53 ub2410test.home env[361278]: Starting Wazuh v4.9.2...
Nov 27 23:45:55 ub2410test.home env[361278]: Started wazuh-execd...
Nov 27 23:45:56 ub2410test.home env[361278]: Started wazuh-agentd...
Nov 27 23:45:57 ub2410test.home env[361278]: Started wazuh-syscheckd...
Nov 27 23:45:58 ub2410test.home env[361278]: Started wazuh-logcollector...
Nov 27 23:46:00 ub2410test.home env[361278]: Started wazuh-modulesd...
Nov 27 23:46:02 ub2410test.home env[361278]: Completed.
Nov 27 23:46:02 ub2410test.home systemd[1]: Started wazuh-agent.service - Wazuh agent.
root@ub2410test:~# pgrep wazuh-agent
361715

2024-11-27 11:53:43 Performing test ID FINT-4344 (Wazuh syscheck daemon running)
2024-11-27 11:53:43 Test: Checking if Wazuh syscheck daemon is running
2024-11-27 11:53:43 Performing pgrep scan without uid
2024-11-27 11:53:43 IsRunning: process 'wazuh-syscheckd' found (362154 )
2024-11-27 11:53:43 Result: syscheck (Wazuh) active
2024-11-27 11:53:44 Performing test ID TOOL-5128 (Check for active Wazuh daemon)
2024-11-27 11:53:44 Performing pgrep scan without uid
2024-11-27 11:53:44 IsRunning: process 'wazuh-analysisd' not found
2024-11-27 11:53:44 Result: Wazuh analysis daemon not active
2024-11-27 11:53:44 Performing pgrep scan without uid
2024-11-27 11:53:44 IsRunning: process 'wazuh-agentd' found (361715 )
2024-11-27 11:53:44 Result: Wazuh agent daemon is active
2024-11-27 11:51:11 Found running service: wazuh-agent
2024-11-27 11:51:16 Found enabled service at boot: wazuh-agent
@mboelen
Member

mboelen commented Nov 28, 2024

Not sure that I follow, as it looks like the agent (agentd) was found:

2024-11-27 11:53:44 Result: Wazuh agent daemon is active

When looking at the entries, I see that 'wazuh-agentd' was found, which is also the process as listed in the "Started" list. The service name is different than the actual daemon that runs as part of it.

So, am I missing something here, or is the detection correct?

@vk6xebec
Contributor Author

Yeah, that's what confuses me. The agent is running, but the antivirus scan is not picking up the presence of the agent.
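The thread turns on the difference between a systemd unit name (wazuh-agent) and the command names of the daemons the unit starts (wazuh-agentd and friends). The following POSIX shell snippet is an added illustration, not Lynis code and not from the reporter: it runs two name checks over a constructed process table copied from the CGroup listing above, one with exact matching (assumed here to be what the Lynis log's "process 'wazuh-agent' not found" reflects; the real IsRunning implementation is not shown on this page) and one with substring matching (what a bare `pgrep NAME` does, which is why `pgrep wazuh-agent` printed 361715). The helper names and the process table are constructed for this example.

```shell
#!/bin/sh
# Constructed process table (pid and command name), standing in for the
# output of `ps -eo pid=,comm=` on the reporter's host. The entries mirror
# the CGroup listing from the issue's systemctl status.
PROC_TABLE='361351 wazuh-execd
361715 wazuh-agentd
362154 wazuh-syscheckd
362611 wazuh-logcollector
362994 wazuh-modulesd'

# Strict check: succeed only if some process is named exactly "$1".
# A check written against the unit name "wazuh-agent" fails here,
# because no process carries that exact name.
is_running_exact() {
    printf '%s\n' "$PROC_TABLE" | awk -v name="$1" '
        $2 == name { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Loose check: succeed if "$1" occurs anywhere in a process name.
# This is the behaviour of a bare `pgrep NAME`, so "wazuh-agent"
# matches "wazuh-agentd" and the check passes.
is_running_substring() {
    printf '%s\n' "$PROC_TABLE" | awk -v name="$1" '
        index($2, name) > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Given a unit name, list the process names that begin with it: the
# daemon names a process-based check should actually be looking for.
daemons_for_unit() {
    printf '%s\n' "$PROC_TABLE" | awk -v unit="$1" '
        index($2, unit) == 1 { print $2 }'
}

# Demonstration: the unit name fails the strict check but passes the
# loose one; the daemon name passes both.
for name in wazuh-agent wazuh-agentd; do
    if is_running_exact "$name"; then
        echo "exact:     '$name' found"
    else
        echo "exact:     '$name' not found"
    fi
    if is_running_substring "$name"; then
        echo "substring: '$name' found"
    else
        echo "substring: '$name' not found"
    fi
done
echo "daemons behind unit wazuh-agent: $(daemons_for_unit wazuh-agent | tr '\n' ' ')"
```

The practical consequence for a scanner is that a test keyed on a service's unit name will report "not found" on a healthy host whenever the daemon's command name differs, so a check should be keyed on the real process name (here wazuh-agentd, which the TOOL-5128 test in the log already does) rather than on the unit name.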
