OPNSense - Wazuh Agent


Rhys Evans

Apr 28, 2019, 5:10:05 PM
to Wazuh mailing list
Hi

I am trying to integrate an OPNSense (FreeBSD and HardenedBSD) firewall into Wazuh. I have tried syslogging out; however, Wazuh does not have a built-in decoder for the Suricata "basic" logs.

So I am trying to install the Wazuh agent by compiling it. However, I am unable to do so, with the following error:


os_auth/ssl.c:106:27: warning: implicit declaration of function 'TLS_method' is invalid in C99 [-Wimplicit-function-declaration]
    if (ctx = SSL_CTX_new(TLS_method()), !ctx) {
                          ^
os_auth/ssl.c:106:27: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const SSL_METHOD *' (aka 'const struct ssl_method_st *') [-Wint-conversion]
    if (ctx = SSL_CTX_new(TLS_method()), !ctx) {
                          ^~~~~~~~~~~~
/usr/local/include/openssl/ssl.h:2131:40: note: passing argument to parameter 'meth' here
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
                                       ^
2 warnings generated.
    CC os_auth/check_cert.o
os_auth/check_cert.c:314:25: warning: implicit declaration of function 'ASN1_STRING_get0_data' is invalid in C99 [-Wimplicit-function-declaration]
    if (!(tmp = (char *)ASN1_STRING_get0_data(astr))) {
                        ^
os_auth/check_cert.c:314:17: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast]
    if (!(tmp = (char *)ASN1_STRING_get0_data(astr))) {
                ^
2 warnings generated.
    CC agent-auth
os_auth/ssl.o: In function `get_ssl_context':
ssl.c:(.text+0x1a1): undefined reference to `SSL_library_init'
ssl.c:(.text+0x1a6): undefined reference to `SSL_load_error_strings'
ssl.c:(.text+0x1ab): undefined reference to `OPENSSL_add_all_algorithms_noconf'
os_auth/check_cert.o: In function `check_subject_alt_names':
check_cert.c:(.text+0xcb): undefined reference to `sk_num'
check_cert.c:(.text+0xe6): undefined reference to `sk_value'
check_cert.c:(.text+0x123): undefined reference to `sk_num'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[1]: *** [Makefile:1225: agent-auth] Error 1
gmake[1]: Leaving directory '/root/wazuh-3.8.2/src'
gmake: *** [Makefile:562: agent] Error 2

 Error 0x5.
 Building error. Unable to finish the installation.



I followed the following

pkg install wget gmake
uname -r
11.2-RELEASE-p9-HBSD
gmake -v
GNU Make 4.2.1
Built for amd64-portbld-freebsd11.2
Copyright (C) 1988-2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


tar zx -f v3.8.2.tar.gz
wazuh-3.8.2/install.sh

step through installer - agent -> no to additional modules

Once I can get the agent installed, I can get the eve.log JSON shipped to Wazuh.

Any ideas appreciated

Thanks


Julio Cesar

Apr 29, 2019, 7:44:49 AM
to Wazuh mailing list
Hi! We're using OSSEC and Wazuh agents here on OPNsense without problems.

I even created an issue on GitHub asking the Wazuh team to create a FreeBSD port of the Wazuh agent; unfortunately, it seems this isn't a priority now. So I've compiled it from source on a FreeBSD devel machine we have here.

The localfile entry that we're using here:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

Rhys Evans

Apr 29, 2019, 8:03:45 AM
to Julio Cesar, Wazuh mailing list
Hi

Good to hear. Are you able to provide instructions on how to get the Wazuh / OSSEC agent onto the OPNsense boxes?

I can then compare against my notes and see where I went wrong?

Thanks


--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/HSVTp43Rykk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7d5e9124-5e0f-495a-ad0e-9dfb4b43386a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rhys Evans

May 3, 2019, 4:04:25 PM
to Wazuh mailing list
Hi,

Ok, I have tried a number of options with this, with no luck.

I am now getting the following using 3.9.0 

    CC wazuh_modules/wm_fluent.o
wazuh_modules/wm_fluent.c:206:31: warning: implicit declaration of function 'TLS_method' is invalid in C99 [-Wimplicit-function-declaration]
    fluent->ctx = SSL_CTX_new(TLS_method());
                              ^
wazuh_modules/wm_fluent.c:206:31: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const SSL_METHOD *' (aka 'const struct ssl_method_st *') [-Wint-conversion]
    fluent->ctx = SSL_CTX_new(TLS_method());
                              ^~~~~~~~~~~~
/usr/local/include/openssl/ssl.h:2131:40: note: passing argument to parameter 'meth' here
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
                                       ^
2 warnings generated.
    CC wazuh_modules/wm_sca.o

SOME LINES ARE MISSING

    CC os_zlib/os_zlib.o
    LINK libwazuh.a
    RANLIB libwazuh.a
    CC ossec-agentd
libwazuh.a(wm_fluent.o): In function `wm_fluent_main':
wm_fluent.c:(.text+0x190): undefined reference to `SSL_load_error_strings'
wm_fluent.c:(.text+0x195): undefined reference to `SSL_library_init'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[1]: *** [Makefile:1177: ossec-agentd] Error 1
gmake[1]: Leaving directory '/root/wazuh-3.9.0/src'
gmake: *** [Makefile:572: agent] Error 2
gmake: Leaving directory '/root/wazuh-3.9.0/src'

Anyone got working instructions to get this installed on OPNsense (Hardened FreeBSD, from what I can tell)?

Thanks


Victor Fernandez

May 4, 2019, 10:36:22 AM
to Rhys Evans, Wazuh mailing list
Hi Rhys,

Just as Carlos wrote, Wazuh is compatible with FreeBSD —although we must install it from sources— and other systems based on it, like OPNsense.

This error that you reported:
/usr/local/include/openssl/ssl.h:2131:40: note: passing argument to parameter 'meth' here
It indicates that the compiler is getting the incorrect version of the OpenSSL library. The correct file is external/openssl/include/openssl/ssl.h.

The problem is that OPNsense includes the OpenSSL headers out of the box, and it conflicts with the same library shipped with Wazuh. We can fix this easily, removing "-I/usr/local/include" from this line of the Makefile: Makefile#L128

Option A: overwrite the default definitions

The command "make TARGET=agent settings" prints the options that the compiler will use. In the particular case of OPNsense:
$ gmake TARGET=agent settings
(...)
Compiler:
    CFLAGS             -pthread -I/usr/local/include -O2 -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DFreeBSD -DFreeBSD -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_SHARED -DCLIENT -pipe -Wall -Wextra -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include
(...)
We can overwrite this flag by defining OSSEC_CFLAGS, and remove "-I/usr/local/include". Maybe we need to escape the double quotes (").

Follow these steps:
# Install needed packages
pkg install -y git gmake
# Get Wazuh sources
git clone https://github.com/wazuh/wazuh.git -b 3.9
cd wazuh/src
# Download dependencies
gmake deps
# Check settings
gmake TARGET=agent settings
# Compile redefining OSSEC_CFLAGS (remove -I/usr/local/include)
gmake OSSEC_CFLAGS='-pthread -O2 -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DFreeBSD -DFreeBSD -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_SHARED -DCLIENT -pipe -Wall -Wextra -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include' TARGET=agent
# Install Wazuh agent
cd ..
./install.sh

Option B: patch the Makefile

If compiling before installing was a problem or complex, we can patch the Makefile and remove the mentioned option before compiling:
# Install needed packages
pkg install -y git gmake
# Get Wazuh sources
git clone https://github.com/wazuh/wazuh.git -b 3.9
cd wazuh
# Patch Makefile
sed -i '' "s,CFLAGS+=-pthread -I/usr/local/include,CFLAGS+=-pthread," src/Makefile
# Install Wazuh agent
./install.sh

Let us investigate if we can remove that option for all compile modes so we will fix the Makefile in further versions.

Hope it helps you. Let us know if you have any trouble with these steps.

Best regards,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com
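
Option A in the message above means copying the printed CFLAGS by hand, deleting -I/usr/local/include and escaping the double quotes. The shell functions below are an added example (not part of the original message or of the Wazuh sources) that performs that transformation; the function names and the shortened sample settings output are constructed for illustration, and the code assumes no flag value contains whitespace.

```sh
#!/bin/sh
# Added example: build the OSSEC_CFLAGS value for Option A from the CFLAGS
# line of `gmake TARGET=agent settings`. Function names are illustrative.

# Constructed sample, shortened from the settings output quoted in the thread.
SAMPLE_SETTINGS='Compiler:
    CFLAGS             -pthread -I/usr/local/include -O2 -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DFreeBSD -DCLIENT -pipe -Wall -Wextra -I./ -I./headers/ -Iexternal/openssl/include'

# Read settings output on stdin, print only the value of the CFLAGS line.
cflags_from_settings() {
    awk '$1 == "CFLAGS" { sub(/^[ \t]*CFLAGS[ \t]+/, ""); print; exit }'
}

# strip_include FLAGS DIR: drop "-IDIR" and "-I DIR" tokens, keep the rest in
# order. Only exact matches are removed, so -IDIR/sub is left alone.
# Assumes no flag value contains whitespace.
strip_include() {
    printf '%s\n' "$1" | awk -v dir="$2" '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ("-I" dir)) continue
            if ($i == "-I" && $(i + 1) == dir) { i++; continue }
            out = out (out == "" ? "" : " ") $i
        }
        print out
    }'
}

# Turn " into \" so string defines such as -DUSER="ossec" reach the compiler
# with their quotes intact.
escape_quotes() {
    printf '%s\n' "$1" | sed 's/"/\\"/g'
}

# Settings output on stdin -> OSSEC_CFLAGS value on stdout.
# Optional $1: include directory to remove (default /usr/local/include).
ossec_cflags() {
    flags=$(cflags_from_settings)
    escape_quotes "$(strip_include "$flags" "${1:-/usr/local/include}")"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SETTINGS" | ossec_cflags
```

On the firewall the input would be the real output of `gmake TARGET=agent settings` piped into `ossec_cflags`, and the result passed as the OSSEC_CFLAGS value in place of the hand-edited string.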



Rhys Evans

May 4, 2019, 2:07:34 PM
to Victor Fernandez, Wazuh mailing list
Hi

Thank you 

Option A worked perfectly for me

Thanks