freebsd14: sca does not work


M V

Feb 13, 2025, 4:35:04 AM
to Wazuh | Mailing List
Hello Wazuh gurus,
I am running `wazuh-agent` on `freebsd-14` (which runs opnsense). Base configuration seems to work fine. However, `sca` rules do not work. I have two `sca`: *default* (`sca_unix_audit.yml`) and a custom file. Neither seem to function (please see screenshot attached).

Merged `agent.conf` file can be found below (sensitive information is removed):

```
<!-- Source file: freebsd14/agent.conf -->
  <agent_config>
    <!-- Shared agent configuration here -->
    <localfile>
      <location>/var/log/boot.log</location>
      <log_format>syslog</log_format>
    </localfile>
    <localfile>
      <location>/var/log/dmesg.today</location>
      <log_format>syslog</log_format>
    </localfile>
    <localfile>
      <location>/var/log/userlog</location>
      <log_format>syslog</log_format>
    </localfile>
    <localfile>
      <location>/var/log/system/latest.log</location>
      <log_format>syslog</log_format>
    </localfile>
    <localfile>
      <location>/var/log/audit/latest.log</location>
      <log_format>syslog</log_format>
    </localfile>
    <sca>
      <policies>
        <policy>etc/shared/cis_freebsd14.yml</policy>
        <policy>etc/shared/sca_unix_audit.yml</policy>
      </policies>
    </sca>
  </agent_config>
```

Below is the `ossec.log` from freebsd:

```
2025/02/12 22:33:12 wazuh-execd: INFO: Started (pid: 21).
2025/02/12 22:33:12 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2025/02/12 22:33:12 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2025/02/12 22:33:12 wazuh-agentd: INFO: Version detected -> FreeBSD |MorikCage.esco.ghaar |14.1-RELEASE-p7 |FreeBSD 14.1-RELEASE-p7 stable/24.7-n268020-d553534fe81 SMP |amd64 [BSD|bsd: 14.1] - Wazuh v4.7.5
2025/02/12 22:33:12 wazuh-agentd: INFO: Started (pid: 1187).
2025/02/12 22:33:12 wazuh-agentd: INFO: Using AES as encryption method.
2025/02/12 22:33:12 wazuh-agentd: INFO: Trying to connect to server ([scanner.esco.ghaar]:1514/tcp).
2025/02/12 22:33:12 wazuh-agentd: INFO: (4102): Connected to the server ([scanner.esco.ghaar]:1514/tcp).
2025/02/12 22:33:13 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: Started (pid: 18028).
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/sys/kernel/security'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/sys/kernel/debug'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6000): Starting daemon...
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2025/02/12 22:33:13 rootcheck: INFO: Starting rootcheck scan.
2025/02/12 22:33:13 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/system_audit_ssh.txt'
2025/02/12 22:33:14 wazuh-modulesd: INFO: Started (pid: 55654).
2025/02/12 22:33:14 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2025/02/12 22:33:14 sca: INFO: Module started.
2025/02/12 22:33:14 wazuh-modulesd:control: INFO: Starting control thread.
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/etc/shared/sca_unix_audit.yml'
2025/02/12 22:33:14 sca: INFO: Starting Security Configuration Assessment scan.
2025/02/12 22:33:14 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:33:14 wazuh-modulesd:syscollector: INFO: Module started.
2025/02/12 22:33:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/02/12 22:33:15 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/opnsense_syslog.log'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/caddy/caddy.log'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/boot.log'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dmesg.today'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/userlog'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/system/latest.log'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/latest.log'.
2025/02/12 22:33:17 wazuh-logcollector: INFO: Started (pid: 53835).
2025/02/12 22:33:26 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/02/12 22:33:26 wazuh-syscheckd: INFO: FIM sync module started.
2025/02/12 22:34:06 rootcheck: INFO: Ending rootcheck scan.
```

Enabling debug logging with `agent_debug=1` does not yield any additional sca-related information.

Any help or pointing me in the right direction would be much appreciated.

/r
maulik
[Attachment: Screenshot 2025-02-12 at 10.37.35 PM.png]

Md. Nazmur Sakib

Feb 13, 2025, 8:38:10 AM
to Wazuh | Mailing List
Hi M V,

Based on this it seems like the SCA check is working:

```
2025/02/12 22:33:14 sca: INFO: Module started.
2025/02/12 22:33:14 wazuh-modulesd:control: INFO: Starting control thread.
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/etc/shared/sca_unix_audit.yml'
2025/02/12 22:33:14 sca: INFO: Starting Security Configuration Assessment scan.
2025/02/12 22:33:14 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/sca_unix_audit.yml'
```

You should also get an output saying that the scan finished, or that it did not complete due to an error:

```
2025/02/12 12:02:00 sca: INFO: Security Configuration Assessment scan finished. Duration: 33041 seconds.
```

You can evaluate your SCA script based on this:
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

If you need further assistance, please share the output of this:

```
cat /var/ossec/logs/ossec.log | grep -iE "error|warn|sca"
```

Looking forward to your update on this issue.

M V

Feb 14, 2025, 3:38:17 AM
to Wazuh | Mailing List
Thank you so much, Nazmur, for the prompt response. Great tool and wonderful people (such as yourself) supporting it!

The output of the command does not yield anything of significance. Wazuh dashboard still shows, per previous attachment, "You don't have SCA scans in this agent".

```
2025/02/12 22:11:31 rootcheck: INFO: Starting rootcheck scan.
2025/02/12 22:11:31 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/system_audit_ssh.txt'
2025/02/12 22:11:33 sca: INFO: Module started.
2025/02/12 22:11:33 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:11:33 sca: INFO: Loaded policy '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/02/12 22:11:33 sca: INFO: Loaded policy '/var/ossec/etc/shared/sca_unix_audit.yml'
2025/02/12 22:11:33 sca: INFO: Starting Security Configuration Assessment scan.
2025/02/12 22:11:33 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:11:44 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/02/12 22:12:25 rootcheck: INFO: Ending rootcheck scan.

2025/02/12 22:33:12 wazuh-agentd: INFO: Trying to connect to server ([scanner.esco.ghaar]:1514/tcp).
2025/02/12 22:33:12 wazuh-agentd: INFO: (4102): Connected to the server ([scanner.esco.ghaar]:1514/tcp).
2025/02/12 22:33:13 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2025/02/12 22:33:13 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2025/02/12 22:33:13 rootcheck: INFO: Starting rootcheck scan.
2025/02/12 22:33:13 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/system_audit_ssh.txt'
2025/02/12 22:33:14 sca: INFO: Module started.
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/02/12 22:33:14 sca: INFO: Loaded policy '/var/ossec/etc/shared/sca_unix_audit.yml'
2025/02/12 22:33:14 sca: INFO: Starting Security Configuration Assessment scan.
2025/02/12 22:33:14 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/12 22:33:26 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/02/12 22:34:06 rootcheck: INFO: Ending rootcheck scan.
cat /var/ossec/logs/ossec.log | grep -iE "error|warn|sca"
2025/02/13 10:33:27 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2025/02/13 10:33:38 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/02/13 10:34:07 rootcheck: INFO: Starting rootcheck scan.
2025/02/13 10:34:08 rootcheck: ERROR: No unixaudit file: '/var/ossec/etc/shared/system_audit_ssh.txt'
2025/02/13 10:34:59 rootcheck: INFO: Ending rootcheck scan.
```

sca starts only the first scan, the one installed by default with the FreeBSD installation (in `ruleset/sca`). But I don't see it finish, even after weeks of the firewall being up and running.

Also, I did notice that the installation of `wazuh-agent` on FreeBSD still has `<localfile>` entries from the Ubuntu/Linux configuration as defaults. In my case, this prevented the startup of wazuh-agent. Removal of the offending files allowed a successful startup.

/r
maulik 

Md. Nazmur Sakib

Feb 18, 2025, 1:28:00 AM
to Wazuh | Mailing List

It can be because the policy script is not correct.

You can configure a SCA policy like this and check if this works for you.
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/use-cases.html#use-cases

Next, you can follow this document to review your SCA policies.
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

The Wazuh agent is not officially supported on FreeBSD. You can check the currently supported packages at this link:

https://documentation.wazuh.com/current/installation-guide/packages-list.html

So you need to make adjustments to make it work on FreeBSD.

Let me know if you need any further information.

M V

Feb 18, 2025, 7:51:01 AM
to Md. Nazmur Sakib, Wazuh Mailing List
Thank you.

Is there an SCA policy validator / checker tool within the wazuh toolset? The policy file can be found here. As it is rather long, having a validator tool would be rather helpful in pinpointing any offending lines. 

On Feb 17, 2025, at 10:28 PM, 'Md. Nazmur Sakib' via Wazuh | Mailing List <wa...@googlegroups.com> wrote:


--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/6Hr_5dDRyok/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/ad780571-b946-468e-a731-f6b59b1de484n%40googlegroups.com.

Alonso Cárdenas Márquez

Feb 18, 2025, 11:06:19 AM
to M V, Md. Nazmur Sakib, Wazuh Mailing List
Hello M V

What is the content of /etc/os-release in your OPNsense system? Look at the top part of my SCA file: it checks info from this file and some sysctl variables.

```
requirements:
  title: "Check FreeBSD version."
  description: "Requirements for running the SCA scan against FreeBSD 14.x"
  condition: all
  rules:
    - "f:/etc/os-release -> r:^NAME=FreeBSD"
    - "c:sysctl -n kern.ostype -> r:^FreeBSD"
    - "c:sysctl -n kern.osrelease -> r:^14."
```

I think that the OPNsense os-release file is different. Maybe you have NAME=OPNsense instead of NAME=FreeBSD there. I don't know. Changing that in the SCA file should fix your issue.

Greetings


M V

Feb 18, 2025, 11:36:41 AM
to Alonso Cárdenas Márquez, Md. Nazmur Sakib, Wazuh Mailing List
Greetings Alonso,
Thank you for pointing me in the right direction.

Indeed, /etc/os-release pointed to /var/run/os-release, which didn't exist.
As the rule condition was match all, I changed the match conditions to the following:

```
    - "c:uname -a -> r:^FreeBSD"
    - "c:sysctl -n kern.ostype -> r:^FreeBSD"
    - "c:sysctl -n kern.osrelease -> r:^14."
```

as confirmed by:

```
uname -a
FreeBSD MorikCage.esco.ghaar 14.1-RELEASE-p7 FreeBSD 14.1-RELEASE-p7 stable/24.7-n268020-d553534fe81 SMP amd64
```

The logs (on the FreeBSD appliance) still show the same output as before:

```
2025/02/18 08:28:20 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/sca_unix_audit.yml'
2025/02/18 08:28:20 sca: INFO: Loaded policy '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/02/18 08:28:20 sca: INFO: Starting Security Configuration Assessment scan.
```

I'll revert after giving it more time (~24 hrs) to see whether sca completes a scan.

Akin to log-tester, it would still be nice to have some sort of SCA validator for custom rules.

Regards

Md. Nazmur Sakib

Feb 18, 2025, 11:46:22 PM
to Wazuh | Mailing List

We do not have any SCA conditions validator at this moment like the ruleset test tool.

I would suggest making a small script file with one rule at a time, checking the rules one by one, and adding them to the SCA script, instead of checking all of them together.

Run the command on your endpoint, check the output, and validate it against your rule; this way you can write the rule correctly.

Let me know the update on the issue.
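Since the thread confirms there is no SCA rule validator, here is an added example (not Wazuh's code and not from any poster) that checks a `requirements` block of the shape posted above, rule by rule, the way the reply suggests: it supports the two rule forms used in the thread (`f:<path> -> r:<regex>` and `c:<command> -> r:<regex>`) and combines them with `condition: all`/`any`. Matching uses Python `re`, which only approximates Wazuh's own regex engine; the file table and command outputs are constructed, and `/etc/os-release` is deliberately absent to mirror the dangling symlink M V found.

```python
import re
import subprocess

# Constructed stand-ins for an OPNsense host. /etc/os-release is deliberately absent:
# the thread found it to be a symlink to a missing /var/run/os-release, so reading it
# raises FileNotFoundError exactly as a real open() would.
SAMPLE_FILES = {}
SAMPLE_COMMANDS = {
    "sysctl -n kern.ostype": "FreeBSD\n",
    "sysctl -n kern.osrelease": "14.1-RELEASE-p7\n",
    "uname -a": "FreeBSD fw.example.invalid 14.1-RELEASE-p7 FreeBSD 14.1-RELEASE-p7 SMP amd64\n",
}

# The requirements block as first posted, and as reworked to use uname instead of the file.
ORIGINAL_REQUIREMENTS = {"condition": "all", "rules": [
    "f:/etc/os-release -> r:^NAME=FreeBSD",
    "c:sysctl -n kern.ostype -> r:^FreeBSD",
    "c:sysctl -n kern.osrelease -> r:^14.",
]}
FIXED_REQUIREMENTS = {"condition": "all", "rules": [
    "c:uname -a -> r:^FreeBSD",
    "c:sysctl -n kern.ostype -> r:^FreeBSD",
    "c:sysctl -n kern.osrelease -> r:^14.",
]}

# Only the two rule shapes used in the thread: f:<path> -> r:<regex> and c:<cmd> -> r:<regex>
RULE_RE = re.compile(r"^(?P<kind>[fc]):(?P<target>.+?)\s*->\s*r:(?P<regex>.+)$")

def evaluate_rule(rule, read_file, run_command):
    """True if any line of the file content or command output matches the r: regex."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    kind, target, regex = m.group("kind", "target", "regex")
    try:
        text = read_file(target) if kind == "f" else run_command(target)
    except (OSError, subprocess.SubprocessError):
        return False  # missing file or failing command: the rule does not match
    return any(re.search(regex, line) for line in text.splitlines())

def evaluate_requirements(req, read_file, run_command):
    """Evaluate each rule and combine the results with the block's condition (all/any)."""
    results = {r: evaluate_rule(r, read_file, run_command) for r in req["rules"]}
    combine = all if req.get("condition", "all") == "all" else any
    return {"satisfied": combine(results.values()), "rules": results}

def sample_read_file(path):
    if path not in SAMPLE_FILES:  # behaves like open() on the dangling symlink
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]

def sample_run_command(cmd):
    if cmd not in SAMPLE_COMMANDS:
        raise subprocess.SubprocessError(f"no sample output for {cmd!r}")
    return SAMPLE_COMMANDS[cmd]
```

To run it against a real host, pass `lambda p: open(p).read()` and a `subprocess.run(shlex.split(cmd), capture_output=True, text=True, check=True).stdout` wrapper in place of the sample providers; the per-rule dictionary then shows exactly which requirement line is keeping the policy from being evaluated.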

M V

Feb 19, 2025, 3:04:56 PM
to Wazuh | Mailing List
Thank you.

The issue seemed to be with the Wazuh-agent installation on FreeBSD. Here's a log of successful sca completion:

```
2025/02/19 11:55:57 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/cis_freebsd14.yml'
2025/02/19 11:55:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 8 seconds.
2025/02/19 11:56:02 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2025/02/19 11:56:02 wazuh-syscheckd: INFO: FIM sync module started.
2025/02/19 11:56:48 rootcheck: INFO: Ending rootcheck scan.
```

Issue #1: `wazuh-modulesd` was crashing at startup:
`pid 79079 (wazuh-modulesd), jid 0, uid 0: exited on signal 4 (no core dump - bad address)`

Fixed by disabling the `syscollector` wodle, as that's the culprit when running on FreeBSD.

```
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>
```

Issue #2: SCA was hanging due to the default `sca_unix_audit.yml` installed with the Wazuh-agent installation. Its removal allowed sca to complete.

Md. Nazmur Sakib

Feb 24, 2025, 4:46:58 AM
to Wazuh | Mailing List
As the Wazuh agent on FreeBSD is not officially supported, the SCA and some syscollector modules are not working properly on FreeBSD:
https://github.com/wazuh/wazuh/issues/23387

I believe the syscollector behaviour is due to the agent you are using on FreeBSD not being fully compatible, especially the syscollector module.

Further, you can make a feature request for developing agents for FreeBSD so that the development team can consider this when planning the future roadmap:
https://github.com/wazuh/wazuh/issues/new?template=default.md


Let me know if you need any further information.
