Support ARM architecture for Wazuh central components #1182
Comments
Analysis

Checking the manifests of the wazuh-puppet repository, no limitations were found for the installation of ARM packages of Wazuh components. I have performed a test with version 4.9.2 of Wazuh, which only has Wazuh manager packages on ARM. During the tests, the installation of Wazuh indexer and Wazuh dashboard failed, but because it does not find compatible packages in the repository. The installation of Wazuh manager was successful, verifying that the Wazuh manager services are correctly installed and working.

Tests

Wazuh indexer

root@ip-172-31-41-89:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Warning: Fact value '#!/bin/sh
# Copyright (C) 2015, Wazuh Inc.
# Created by Wazuh, Inc. <[email protected]>.
# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
Notice: Requesting catalog from ip-172-31-45-111:8140 (172.31.45.111)
Notice: Catalog compiled by ip-172-31-45-111.ec2.internal
Info: Caching catalog for ip-172-31-41-89.ec2.internal
Info: Applying configuration version '1733763222'
Error: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install wazuh-indexer=4.9.2-*' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
E: Unable to locate package wazuh-indexer
Error: /Stage[indexerdeploy]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: change from 'purged' to '4.9.2-*' failed: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install wazuh-indexer=4.9.2-*' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
E: Unable to locate package wazuh-indexer
Notice: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]: Dependency Package[wazuh-indexer] has failures: true
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-node-1.pem]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-node-1-key.pem]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/root-ca.pem]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin.pem]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin-key.pem]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File[configuration file]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File_line[Insert line initial size of total heap space]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/File_line[Insert line maximum size of total heap space]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Skipping because of failed dependencies
Warning: /Stage[indexerdeploy]/Wazuh::Indexer/Service[wazuh-indexer]: Skipping because of failed dependencies
Notice: Applied catalog in 0.97 seconds
root@ip-172-31-41-89:~#

Wazuh manager

root@ip-172-31-41-89:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Warning: Fact value '#!/bin/sh
# Copyright (C) 2015, Wazuh Inc.
# Created by Wazuh, Inc. <[email protected]>.
# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
Notice: Requesting catalog from ip-172-31-45-111:8140 (172.31.45.111)
Notice: Catalog compiled by ip-172-31-45-111.ec2.internal
Info: Caching catalog for ip-172-31-41-89.ec2.internal
Info: Applying configuration version '1733763390'
Notice: /Stage[manager]/Wazuh::Manager/Package[wazuh-manager]/ensure: created
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content:
--- /var/ossec/etc/shared/default/agent.conf 2024-10-28 15:35:22.000000000 +0000
+++ /tmp/puppet-file20241209-104292-a0kmrz 2024-12-09 16:57:17.779299770 +0000
@@ -2,4 +2,4 @@
<!-- Shared agent configuration here -->
-</agent_config>
+</agent_config>
\ No newline at end of file
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/content: content changed '{sha256}d76908d51018ec72afc1a7e17fbc3971c6a812446fd930fdba5ed66f1af47ed0' to '{sha256}ea2cf84c0fdc6dd290d7cba0ad0eac63850d56203aeb882568f69f22d98dccf9'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/owner: owner changed 'wazuh' to 'root'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]/mode: mode changed '0660' to '0640'
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/shared/default/agent.conf]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content:
--- /var/ossec/etc/rules/local_rules.xml 2024-10-28 15:35:22.000000000 +0000
+++ /tmp/puppet-file20241209-104292-8yrwbk 2024-12-09 16:57:17.810299554 +0000
@@ -1,14 +1,12 @@
-<!-- Local rules -->
-
<!-- Modify it at your will. -->
-<!-- Copyright (C) 2015, Wazuh Inc. -->
-<!-- Example -->
<group name="local,syslog,sshd,">
- <!--
- Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
- -->
+ <!-- Note that rule id 5711 is defined at the ssh_rules file
+ - as a ssh failed login. This is just an example
+ - since ip 1.1.1.1 shouldn't be used anywhere.
+ - Level 0 means ignore.
+ -->
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
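Review bot: the new comment block states that "rule id 5711 is defined at the ssh_rules file as a ssh failed login", but the example rule directly below it chains on `<if_sid>5716</if_sid>`; align the comment with the sid the rule actually references (or change the rule), so anyone copying the example as a template for their own local rules is not misled about which parent rule fires.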
@@ -16,4 +14,28 @@
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
-</group>
+
+ <!-- This example will ignore ssh failed logins for the user name XYZABC.
+ -->
+ <!--
+ <rule id="100020" level="0">
+ <if_sid>5711</if_sid>
+ <user>XYZABC</user>
+ <description>Example of rule that will ignore sshd </description>
+ <description>failed logins for user XYZABC.</description>
+ </rule>
+ -->
+
+
+ <!-- Specify here a list of rules to ignore. -->
+ <!--
+ <rule id="100030" level="0">
+ <if_sid>12345, 23456, xyz, abc</if_sid>
+ <description>List of rules to be ignored.</description>
+ </rule>
+ -->
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/content: content changed '{sha256}991dc926bd2e3aec88bd79be1c8b458777f64f489b3e6524e682ac33620425f4' to '{sha256}4b0ffe3d22c782a75fa5559839751959cc9cb33256ca06efcca298cb0109a342'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/owner: owner changed 'wazuh' to 'root'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]/mode: mode changed '0660' to '0640'
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/rules/local_rules.xml]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content:
--- /var/ossec/etc/decoders/local_decoder.xml 2024-10-28 15:35:22.000000000 +0000
+++ /tmp/puppet-file20241209-104292-1d1i3k2 2024-12-09 16:57:17.830299415 +0000
@@ -1,8 +1,6 @@
<!-- Local Decoders -->
<!-- Modify it at your will. -->
-<!-- Copyright (C) 2015, Wazuh Inc. -->
-
<!--
- Allowed static fields:
- location - where the log came from (only on FTS)
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/content: content changed '{sha256}21f5e1ff2ea096f2b1b6acdc1fc25bcac46734614b253f6ad1352d9c2a1c5c13' to '{sha256}7e45d35ee7a35a68fe13cd5e3f7f69ec2776322cd2d3fa42bb474ba06279aecc'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/owner: owner changed 'wazuh' to 'root'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]/mode: mode changed '0660' to '0640'
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/etc/decoders/local_decoder.xml]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/bin/.process_list]/ensure: defined content as '{sha256}5309904b42512c478b2da5e23cf756e3733d61834a9749e549af895f5d5b478c'
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/bin/.process_list]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/Exec[Generate the wazuh-keystore (username)]/returns: executed successfully
Notice: /Stage[manager]/Wazuh::Manager/Exec[Generate the wazuh-keystore (password)]/returns: executed successfully
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/content:
--- /var/ossec/api/configuration/api.yaml 2024-10-28 15:35:24.000000000 +0000
+++ /tmp/puppet-file20241209-104292-bmuhvj 2024-12-09 16:57:17.988298314 +0000
@@ -1,76 +1,51 @@
-# USE THIS FILE AS A TEMPLATE. UNCOMMENT LINES TO APPLY CUSTOM CONFIGURATION
-
-# host: ['0.0.0.0', '::']
-# port: 55000
-
-# Advanced configuration
-
-# https:
-# enabled: yes
-# key: "server.key"
-# cert: "server.crt"
-# use_ca: False
-# ca: "ca.crt"
-# ssl_protocol: "auto"
-# ssl_ciphers: ""
-
-# Modify API's intervals (time in seconds)
-# intervals:
-# request_timeout: 10
-
-# Logging configuration
-# Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level).
-# Values for API log max_size: <value><unit>. Valid units: K (kilobytes), M (megabytes)
-# Enabling the API log max_size will disable the time based rotation (on midnight)
-# logs:
-# level: "info"
-# format: "plain"
-# max_size:
-# enabled: False
-# size: "1M"
-
-# Cross-origin resource sharing: https://www.starlette.io/middleware/#corsmiddleware
-# cors:
-# enabled: no
-# source_route: "*"
-# expose_headers: "*"
-# allow_headers: "*"
-# allow_credentials: no
-
-# Access parameters
-# access:
-# max_login_attempts: 50
-# block_time: 300
-# max_request_per_minute: 300
-
-# Drop privileges (Run as wazuh user)
-# drop_privileges: yes
-
-# Enable features under development
-# experimental_features: no
-
-# Maximum body size that the API can accept, in bytes (0 -> limitless)
-# max_upload_size: 10485760
-
-# Uploadable Wazuh configuration sections
-# upload_configuration:
-# remote_commands:
-# localfile:
-# allow: yes
-# exceptions: []
-# wodle_command:
-# allow: yes
-# exceptions: []
-# limits:
-# eps:
-# allow: yes
-# agents:
-# allow_higher_versions:
-# allow: yes
-# indexer:
-# allow: yes
-# integrations:
-# virustotal:
-# public_key:
-# allow: yes
-# minimum_quota: 240
+#
+# Wazuh API configuration file
+# Copyright (C) 2015, Wazuh Inc.
+#
+host: ["0.0.0.0"]
+port: 55000
+# Advanced configuration
+https:
+ enabled: yes
+ key: server.key
+ cert: server.crt
+ use_ca: False
+ ca: ca.crt
+ ssl_protocol: TLSv1.2
+ ssl_ciphers: ""
+# Logging configuration
+# Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level).
+logs:
+ level: info
+# Cross-origin resource sharing: https://github.com/aio-libs/aiohttp-cors#usage
+cors:
+ enabled: no
+ source_route: "*"
+ expose_headers: "*"
+ allow_headers: "*"
+ allow_credentials: no
+# Cache (time in seconds)
+cache:
+ enabled: yes
+ time: 0.750
+# Access parameters
+access:
+ max_login_attempts: 5
+ block_time: 300
+ max_request_per_minute: 300
+# Drop privileges (Run as ossec user)
+drop_privileges: yes
+# Enable features under development
+experimental_features: no
+# Enable remote commands
+upload_configuration:
+ remote_commands:
+ localfile:
+ allow: yes
+ exceptions: []
+ wodle_command:
+ allow: yes
+ exceptions: []
+ limits:
+ eps:
+ allow: yes
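Review bot: the rendered api.yaml ends at `limits: eps: allow: yes` and drops the `upload_configuration` subsections that the 4.9.2 package template carries in the removed lines (`agents.allow_higher_versions`, `indexer`, `integrations.virustotal.public_key`), its CORS comment points at aiohttp-cors where the package template points at Starlette, and `drop_privileges` is described as "Run as ossec user"; together these suggest the module's api.yaml template predates the 4.9.2 package. Suggest diffing the template against the package default before adding ARM support, so both architectures render the same file. The explicit `ssl_protocol: TLSv1.2` and `max_login_attempts: 5` differ from the package defaults shown in the removed lines (`auto`, `50`); keeping them is fine, but they should be documented as deliberate module settings rather than left as template leftovers.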
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/content: content changed '{sha256}9366088d8dc24331cc02fb8084d8888d0f2aa838f46c239cecf3d18567c8604d' to '{sha256}92028de1365c34cc993794c6ba34d24843506aaffe68dcffed95fc37abecea8a'
Notice: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]/mode: mode changed '0660' to '0640'
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]: Scheduling refresh of Service[wazuh-manager]
Info: /Stage[manager]/Wazuh::Manager/File[/var/ossec/api/configuration/api.yaml]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2024-12-09 16:56:48.490507025 +0000
+++ /tmp/puppet-file20241209-104292-1m6pi37 2024-12-09 16:57:18.009298168 +0000
@@ -1,24 +1,15 @@
-<!--
- Wazuh - Manager - Default configuration for ubuntu 22.04
- More info at: https://documentation.wazuh.com
- Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
- <email_notification>no</email_notification>
- <smtp_server>smtp.example.wazuh.com</smtp_server>
- <email_from>[email protected]</email_from>
- <email_to>[email protected]</email_to>
- <email_maxperhour>12</email_maxperhour>
- <email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
- <update_check>yes</update_check>
+ <email_notification>no</email_notification>
+ <white_list>127.0.0.1</white_list>
+ <white_list>^localhost.localdomain$</white_list>
+ <white_list>10.0.0.2</white_list>
</global>
<alerts>
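Review bot: the module's `<global>` section replaces the package's `<white_list>127.0.0.53</white_list>` (the systemd-resolved stub resolver on Ubuntu 22.04) with a hard-coded `<white_list>10.0.0.2</white_list>` and drops `<update_check>yes</update_check>`. Addresses in `white_list` are never targeted by active response, so an opaque 10.0.0.2 in a shared template should be a module parameter with a documented meaning, and hosts running systemd-resolved silently lose the 127.0.0.53 exemption. Suggest making the whitelist a parameter whose default mirrors the package's list.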
@@ -26,7 +17,6 @@
<email_alert_level>12</email_alert_level>
</alerts>
- <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
@@ -38,8 +28,9 @@
<queue_size>131072</queue_size>
</remote>
- <!-- Policy monitoring -->
- <rootcheck>
+
+
+<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
@@ -48,147 +39,117 @@
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
-
- <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
-
- <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
+ <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
+</rootcheck>
- <ignore>/var/lib/containerd</ignore>
- <ignore>/var/lib/docker/overlay2</ignore>
- </rootcheck>
-
- <wodle name="cis-cat">
+<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
+</wodle>
+<wodle name="cis-cat">
+ <disabled>yes</disabled>
+ <timeout>1800</timeout>
+ <interval>1d</interval>
+ <scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
- </wodle>
+</wodle>
+
- <!-- Osquery integration -->
- <wodle name="osquery">
+<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
- <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+ <log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
- </wodle>
+</wodle>
- <!-- System inventory -->
- <wodle name="syscollector">
- <disabled>no</disabled>
- <interval>1h</interval>
- <scan_on_start>yes</scan_on_start>
- <hardware>yes</hardware>
- <os>yes</os>
- <network>yes</network>
- <packages>yes</packages>
- <ports all="no">yes</ports>
- <processes>yes</processes>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <max_eps>10</max_eps>
- </synchronization>
- </wodle>
+
+<wodle name="syscollector">
+ <disabled>no</disabled>
+ <interval>1h</interval>
+ <scan_on_start>yes</scan_on_start>
+ <hardware>yes</hardware>
+ <os>yes</os>
+ <network>yes</network>
+ <packages>yes</packages>
+ <ports all="no">yes</ports>
+ <processes>yes</processes>
+</wodle>
- <sca>
+<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
+
</sca>
-
- <vulnerability-detection>
+
+ # Configuration for Vulnerability detection
+<vulnerability-detection>
+ <enabled>yes</enabled>
+ <index-status>yes</index-status>
+ <feed-update-interval>60m</feed-update-interval>
+</vulnerability-detection>
+# indexer configuration for vulnerability detection
+<indexer>
+ <enabled>yes</enabled>
+ <hosts>
+ <host>https://127.0.0.1:9200</host>
+ </hosts>
+ <ssl>
+ <certificate_authorities>
+ <ca>/etc/filebeat/certs/root-ca.pem</ca>
+ </certificate_authorities>
+ <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
+ <key>/etc/filebeat/certs/filebeat-key.pem</key>
+ </ssl>
+</indexer>
+
+<syscheck>
+ <disabled>no</disabled>
+ <frequency>43200</frequency>
+ <scan_on_start>yes</scan_on_start>
+ <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+ <process_priority>10</process_priority>
+ <synchronization>
<enabled>yes</enabled>
- <index-status>yes</index-status>
- <feed-update-interval>60m</feed-update-interval>
- </vulnerability-detection>
+ <interval>5m</interval>
+ <max_interval>1h</max_interval>
+ <max_eps>10</max_eps>
+ </synchronization>
+
+ <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes" >/bin,/sbin,/boot</directories>
+ <ignore>/etc/mtab</ignore>
+ <ignore>/etc/hosts.deny</ignore>
+ <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/random-seed</ignore>
+ <ignore>/etc/random.seed</ignore>
+ <ignore>/etc/adjtime</ignore>
+ <ignore>/etc/httpd/logs</ignore>
+ <ignore>/etc/utmpx</ignore>
+ <ignore>/etc/wtmpx</ignore>
+ <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/svc/volatile</ignore>
+ <ignore>/sys/kernel/security</ignore>
+ <ignore>/sys/kernel/debug</ignore>
+ <ignore>/dev/core</ignore>
+ <ignore type="sregex">^/proc</ignore>
+ <ignore type="sregex">.log$|.swp$</ignore>
+ <nodiff>/etc/ssl/private.key</nodiff>
+ <skip_nfs>yes</skip_nfs>
+</syscheck>
- <indexer>
- <enabled>yes</enabled>
- <hosts>
- <host>https://0.0.0.0:9200</host>
- </hosts>
- <ssl>
- <certificate_authorities>
- <ca>/etc/filebeat/certs/root-ca.pem</ca>
- </certificate_authorities>
- <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
- <key>/etc/filebeat/certs/filebeat-key.pem</key>
- </ssl>
- </indexer>
- <!-- File integrity monitoring -->
- <syscheck>
- <disabled>no</disabled>
- <!-- Frequency that syscheck is executed default every 12 hours -->
- <frequency>43200</frequency>
-
- <scan_on_start>yes</scan_on_start>
-
- <!-- Generate alert when new file detected -->
- <alert_new_files>yes</alert_new_files>
-
- <!-- Don't ignore files that change more than 'frequency' times -->
- <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
-
- <!-- Directories to check (perform all possible verifications) -->
- <directories>/etc,/usr/bin,/usr/sbin</directories>
- <directories>/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
- <ignore>/etc/utmpx</ignore>
- <ignore>/etc/wtmpx</ignore>
- <ignore>/etc/cups/certs</ignore>
- <ignore>/etc/dumpdates</ignore>
- <ignore>/etc/svc/volatile</ignore>
-
- <!-- File types to ignore -->
- <ignore type="sregex">.log$|.swp$</ignore>
-
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
-
- <skip_nfs>yes</skip_nfs>
- <skip_dev>yes</skip_dev>
- <skip_proc>yes</skip_proc>
- <skip_sys>yes</skip_sys>
-
- <!-- Nice value for Syscheck process -->
- <process_priority>10</process_priority>
-
- <!-- Maximum output throughput -->
- <max_eps>50</max_eps>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <enabled>yes</enabled>
- <interval>5m</interval>
- <max_eps>10</max_eps>
- </synchronization>
- </syscheck>
-
- <!-- Active response -->
- <global>
- <white_list>127.0.0.1</white_list>
- <white_list>^localhost.localdomain$</white_list>
- <white_list>127.0.0.53</white_list>
- </global>
<command>
<name>disable-account</name>
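Review bot: `# Configuration for Vulnerability detection` and `# indexer configuration for vulnerability detection` are shell-style comments inside an XML document, so they become text content of `<ossec_config>` rather than comments; the manager did start (see the status output below), so the parser tolerates them, but they should be written as `<!-- ... -->`. The same hunk also removes `<skip_dev>`, `<skip_proc>`, `<skip_sys>`, `<alert_new_files>` and `<max_eps>` from `<syscheck>`, the whole `<rule_test>` block, the rootcheck `<ignore>` entries for containerd and docker overlay2, and the journald `<localfile>`; if dropping these package defaults is intentional it belongs in the module documentation, otherwise the template should carry them forward.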
@@ -197,8 +158,8 @@
</command>
<command>
- <name>restart-wazuh</name>
- <executable>restart-wazuh</executable>
+ <name>restart-ossec</name>
+ <executable>restart-ossec</executable>
</command>
<command>
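Review bot: the template renames the active-response command from the package's `restart-wazuh` back to the legacy `restart-ossec`, executable included. Confirm that an executable of that name still ships in the 4.9.2 active-response directory; if it does not, any `<active-response>` block that refers to `restart-ossec` will fail at execution time. Keeping the package's `restart-wazuh` name avoids the question entirely.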
@@ -221,108 +182,124 @@
<command>
<name>win_route-null</name>
- <executable>route-null.exe</executable>
+ <executable>route-null</executable>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+ <command>
+ <name>win_route-null-2012</name>
+ <executable>route-null-2012</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
- <executable>netsh.exe</executable>
+ <executable>netsh</executable>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+ <command>
+ <name>netsh-win-2016</name>
+ <executable>netsh-win-2016</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
- <!--
- <active-response>
- active-response options here
- </active-response>
- -->
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/kern.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/ossec/logs/active-responses.log</location>
+ </localfile>
- <!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
- <ruleset>
- <!-- Default ruleset -->
+
+
+
+<ruleset>
+ <!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
- <list>etc/lists/audit-keys</list>
- <list>etc/lists/amazon/aws-eventnames</list>
- <list>etc/lists/security-eventchannel</list>
-
- <!-- User-defined ruleset -->
+ <list>etc/lists/audit-keys</list>
+ <list>etc/lists/amazon/aws-eventnames</list>
+ <list>etc/lists/security-eventchannel</list>
+
+ <!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
- </ruleset>
+</ruleset>
- <rule_test>
- <enabled>yes</enabled>
- <threads>1</threads>
- <max_sessions>64</max_sessions>
- <session_timeout>15m</session_timeout>
- </rule_test>
- <!-- Configuration for wazuh-authd -->
- <auth>
- <disabled>no</disabled>
- <port>1515</port>
- <use_source_ip>no</use_source_ip>
- <purge>yes</purge>
- <use_password>no</use_password>
- <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
- <!-- <ssl_agent_ca></ssl_agent_ca> -->
- <ssl_verify_host>no</ssl_verify_host>
- <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
- <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
- <ssl_auto_negotiate>no</ssl_auto_negotiate>
- </auth>
-
- <cluster>
- <name>wazuh</name>
- <node_name>node01</node_name>
- <node_type>master</node_type>
- <key></key>
- <port>1516</port>
- <bind_addr>0.0.0.0</bind_addr>
- <nodes>
- <node>NODE_IP</node>
- </nodes>
- <hidden>no</hidden>
- <disabled>yes</disabled>
- </cluster>
-</ossec_config>
-<ossec_config>
- <localfile>
- <log_format>journald</log_format>
- <location>journald</location>
- </localfile>
+<!-- Client Authentication Settings -->
+<auth>
+ <disabled>no</disabled>
+ <port>1515</port>
+ <use_source_ip>yes</use_source_ip>
+ <force>
+ <enabled>yes</enabled>
+ <key_mismatch>yes</key_mismatch>
+ <disconnected_time enabled="yes">1h</disconnected_time>
+ <after_registration_time>1h</after_registration_time>
+ </force>
+ <purge>yes</purge>
+ <use_password>no</use_password>
+ <limit_maxagents>yes</limit_maxagents>
+ <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+ <ssl_verify_host>no</ssl_verify_host>
+ <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
+ <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+ <ssl_auto_negotiate>no</ssl_auto_negotiate>
+</auth>
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/ossec/logs/active-responses.log</location>
- </localfile>
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/dpkg.log</location>
- </localfile>
+
+
+<cluster>
+ <name>wazuh</name>
+ <node_name>node01</node_name>
+ <node_type>master</node_type>
+ <key>KEY</key>
+ <port>1516</port>
+ <bind_addr>0.0.0.0</bind_addr>
+ <nodes>
+ <node>NODE_IP</node>
+ </nodes>
+ <hidden>no</hidden>
+ <disabled>yes</disabled>
+</cluster>
+
</ossec_config>
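Review bot: `<cluster>` is rendered with the literal placeholder `<key>KEY</key>` and `<bind_addr>0.0.0.0</bind_addr>`; it is harmless here only because `<disabled>yes</disabled>`, so the template should fail catalog compilation when the cluster is enabled without a real key rather than let a well-known placeholder ship as the shared cluster secret. In the same hunk the `<auth>` block switches on `<use_source_ip>yes</use_source_ip>` and forced re-enrollment (`<force>` with `<key_mismatch>yes</key_mismatch>`) while keeping `<use_password>no</use_password>` and `<ssl_verify_host>no</ssl_verify_host>`; with unauthenticated enrollment, a new enrollment request can replace an existing agent's key, so that combination deserves a module parameter and a mention in the docs. Minor: the Windows commands lose their `.exe` suffix (`netsh.exe` to `netsh`, `route-null.exe` to `route-null`), which should be checked against the executable names shipped with the 4.9.2 Windows agent.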
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 621828585cf43e1906cbc49e1eae2d565369962244722e1ebec9225e52e149b0
Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}621828585cf43e1906cbc49e1eae2d565369962244722e1ebec9225e52e149b0' to '{sha256}d801d178273a64d34ad24c7d14dcdc62bc89f94454c96bebb81fa54c3937438c'
Notice: /Stage[manager]/Wazuh::Manager/Concat[manager_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640'
Info: Concat[manager_ossec.conf]: Scheduling refresh of Service[wazuh-manager]
Notice: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[manager]/Wazuh::Manager/Service[wazuh-manager]: Unscheduling refresh on Service[wazuh-manager]
Notice: Applied catalog in 63.54 seconds
root@ip-172-31-41-89:~#

Status

root@ip-172-31-41-89:~# TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 398 100 398 0 0 1446 0 --:--:-- --:--:-- --:--:-- 1447
root@ip-172-31-41-89:~# echo $TOKEN
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNzMzNzYzOTY3LCJleHAiOjE3MzM3NjQ4NjcsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.AMKVXbtMfLvt4boFWqlkN_QigPc0hpk1O4GheadAohXSteQN65_e1jQhYbNjbWriDeaNHupS-YPQTmqX2cQrp8aMAOoCyjvZ9KqG5ux_qvbwL3qUuvWlR-O_6sBOhZtFDORInI6_UJAtbfqUT3Uagu4srzy54hTvq4Jwylo4FbjlxpHw
root@ip-172-31-41-89:~# curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer $TOKEN"
{
"data": {
"affected_items": [
{
"wazuh-agentlessd": "stopped",
"wazuh-analysisd": "running",
"wazuh-authd": "running",
"wazuh-csyslogd": "stopped",
"wazuh-dbd": "stopped",
"wazuh-monitord": "running",
"wazuh-execd": "running",
"wazuh-integratord": "stopped",
"wazuh-logcollector": "running",
"wazuh-maild": "stopped",
"wazuh-remoted": "running",
"wazuh-reportd": "stopped",
"wazuh-syscheckd": "running",
"wazuh-clusterd": "stopped",
"wazuh-modulesd": "running",
"wazuh-db": "running",
"wazuh-apid": "running"
}
],
"total_affected_items": 1,
"total_failed_items": 0,
"failed_items": []
},
"message": "Processes status was successfully read",
"error": 0
}
root@ip-172-31-41-89:~#

Wazuh dashboard

root@ip-172-31-41-89:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Warning: Fact value '#!/bin/sh
# Copyright (C) 2015, Wazuh Inc.
# Created by Wazuh, Inc. <[email protected]>.
# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
Notice: Requesting catalog from ip-172-31-45-111:8140 (172.31.45.111)
Notice: Catalog compiled by ip-172-31-45-111.ec2.internal
Info: Caching catalog for ip-172-31-41-89.ec2.internal
Info: Applying configuration version '1733764093'
Error: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install wazuh-dashboard=4.9.2-*' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
E: Unable to locate package wazuh-dashboard
Error: /Stage[dashboard]/Wazuh::Dashboard/Package[wazuh-dashboard]/ensure: change from 'purged' to '4.9.2-*' failed: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install wazuh-dashboard=4.9.2-*' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
E: Unable to locate package wazuh-dashboard
Notice: /Stage[dashboard]/Wazuh::Dashboard/Exec[ensure full path of /etc/wazuh-dashboard/certs]: Dependency Package[wazuh-dashboard] has failures: true
Warning: /Stage[dashboard]/Wazuh::Dashboard/Exec[ensure full path of /etc/wazuh-dashboard/certs]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard.pem]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/dashboard-key.pem]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/certs/root-ca.pem]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/etc/wazuh-dashboard/opensearch_dashboards.yml]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/File[/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml]: Skipping because of failed dependencies
Warning: /Stage[dashboard]/Wazuh::Dashboard/Service[wazuh-dashboard]: Skipping because of failed dependencies
Notice: Applied catalog in 0.95 seconds
root@ip-172-31-41-89:~#
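The indexer and dashboard runs above fail only at `apt-get install wazuh-indexer=4.9.2-*` with "Unable to locate package", i.e. the repository publishes no package for the host's architecture. The preflight check below, an added example written for this issue and not code from wazuh-puppet, parses an apt `Packages` index and reports which requested packages exist for a given architecture at Puppet's version pin. The index text is constructed sample data that mirrors the 4.9.2 result (manager on arm64, indexer only on amd64), and treating the pin `4.9.2-*` as a shell-style glob is an assumption.

```python
"""Preflight: does the apt repository offer each Wazuh package for this
architecture at the version pin Puppet will request?

Added example for the wazuh-puppet ARM issue; not part of the module.
The Packages index below is constructed sample data, not the real
Wazuh repository. apt downloads this format from
<repo>/dists/<suite>/main/binary-<arch>/Packages."""
import fnmatch
import subprocess

# Constructed sample index: the manager is published for both
# architectures, the indexer only for amd64, the dashboard not at all.
SAMPLE_PACKAGES_INDEX = """\
Package: wazuh-manager
Version: 4.9.2-1
Architecture: amd64
Filename: pool/main/w/wazuh-manager/wazuh-manager_4.9.2-1_amd64.deb

Package: wazuh-manager
Version: 4.9.2-1
Architecture: arm64
Filename: pool/main/w/wazuh-manager/wazuh-manager_4.9.2-1_arm64.deb

Package: wazuh-indexer
Version: 4.9.2-1
Architecture: amd64
Filename: pool/main/w/wazuh-indexer/wazuh-indexer_4.9.2-1_amd64.deb

Package: wazuh-indexer
Version: 4.9.1-1
Architecture: amd64
Filename: pool/main/w/wazuh-indexer/wazuh-indexer_4.9.1-1_amd64.deb
"""

CENTRAL_COMPONENTS = ["wazuh-manager", "wazuh-indexer", "wazuh-dashboard"]


def parse_packages_index(text):
    """Split a Packages index into stanzas (blank-line separated); each
    stanza becomes a dict of 'Field: value' pairs. Continuation lines
    (indented, e.g. multi-line Description) are skipped: we only need
    Package, Version and Architecture."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def available_versions(index_text, package, arch):
    """All versions of `package` published for `arch` ('all' counts too)."""
    return sorted(
        s["Version"]
        for s in parse_packages_index(index_text)
        if s.get("Package") == package and s.get("Architecture") in (arch, "all")
    )


def preflight(index_text, packages, arch, pin):
    """Map each package to the versions matching a Puppet-style pin such
    as '4.9.2-*' (assumed to be a shell glob). An empty list is exactly
    the case that produced 'E: Unable to locate package' in the log."""
    return {
        pkg: [v for v in available_versions(index_text, pkg, arch)
              if fnmatch.fnmatchcase(v, pin)]
        for pkg in packages
    }


def host_architecture():
    """Architecture apt will request packages for on this host."""
    return subprocess.run(["dpkg", "--print-architecture"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    # Run against the sample index for arm64, the case the issue tests.
    for pkg, versions in preflight(SAMPLE_PACKAGES_INDEX, CENTRAL_COMPONENTS,
                                   "arm64", "4.9.2-*").items():
        state = ", ".join(versions) if versions else "NOT AVAILABLE for arm64"
        print(f"{pkg}: {state}")
```

To check a real repository, feed the function the contents of the `Packages` file for `binary-<arch>` (decompressed) together with `host_architecture()`; a package with an empty list will fail the Puppet run exactly as in the log.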
Description
As of Wazuh 4.10.2, the Wazuh central components support the ARM64 architecture, so it is necessary to verify that the operating systems the Puppet module supports on AMD64 are also supported on ARM64.
Tasks
Related
Modify installation scripts for ARM architecture.