Some errors with SCA on agent sides


Carlos Lopez

Oct 13, 2019, 1:44:53 PM10/13/19
to wazuh
Hi all,

Regarding the SCA config, according to the docs SCA policies need to be
copied to /var/ossec/etc/shared/agent_group to be distributed to agents.
Is that right?

I am doing simple tests with the sca_unix_audit.yml policy file, but there
are some errors on the agent side. An example:

2019/10/13 17:23:54 sca: INFO: Could not open the default SCA ruleset
folder '/var/ossec/ruleset/sca/': No such file or directory
2019/10/13 17:23:54 sca: WARNING: File 'sca_unix_audit.yml' not found.
2019/10/13 17:23:54 ossec-agentd: INFO: Agent is restarting due to
shared configuration changes.
2019/10/13 17:23:55 sca: WARNING: File 'sca_unix_audit.yml' not found.
2019/10/13 17:23:55 wazuh-modulesd:syscollector: INFO: Module finished.
2019/10/13 17:23:55 ossec-logcollector: INFO: (1225): SIGNAL
[(15)-(Terminated)] Received. Exit Cleaning...
2019/10/13 17:23:55 ossec-syscheckd: INFO: (1225): SIGNAL
[(15)-(Terminated)] Received. Exit Cleaning...
2019/10/13 17:23:55 ossec-agentd: INFO: (1225): SIGNAL
[(15)-(Terminated)] Received. Exit Cleaning...
2019/10/13 17:23:55 ossec-execd: INFO: (1314): Shutdown received.
Deleting responses.
2019/10/13 17:23:55 ossec-execd: INFO: (1225): SIGNAL
[(15)-(Terminated)] Received. Exit Cleaning...
2019/10/13 17:23:56 ossec-execd: INFO: No option <ca_store> defined.
Using Wazuh default CA (/var/ossec/etc/wpk_root.pem).
2019/10/13 17:23:56 ossec-execd: INFO: Started (pid: 4939).
2019/10/13 17:23:56 ossec-agentd: INFO: Using notify time: 60 and max
time to reconnect: 300
2019/10/13 17:23:56 ossec-agentd: INFO: Version detected -> Linux
|stirling.lab.uxdom.org |4.18.0-80.11.2.el8_0.x86_64 |#1 SMP Sun Sep 15
11:24:21 UTC 2019 |x86_64 [Red Hat Enterprise Linux|rhel: 8.0 (Ootpa)] -
Wazuh v3.10.2
2019/10/13 17:23:56 ossec-agentd: INFO: (1410): Reading authentication
keys file.
2019/10/13 17:23:56 ossec-agentd: INFO: Using AES as encryption method.
2019/10/13 17:23:56 ossec-agentd: INFO: Started (pid: 4944).
2019/10/13 17:23:56 ossec-agentd: INFO: Server IP Address: 172.22.59.4
2019/10/13 17:23:56 ossec-agentd: INFO: Trying to connect to server
(172.22.59.4:1575/udp).
2019/10/13 17:23:56 ossec-logcollector: INFO: Monitoring output of
command(360): df -P
2019/10/13 17:23:56 ossec-logcollector: INFO: Monitoring full output of
command(360): last -n 20
2019/10/13 17:23:56 ossec-logcollector: INFO: (1950): Analyzing file:
'/var/log/audit/audit.log'.
2019/10/13 17:23:56 ossec-logcollector: INFO: (1950): Analyzing file:
'/var/log/messages'.
2019/10/13 17:23:56 ossec-logcollector: INFO: (1950): Analyzing file:
'/var/log/secure'.
2019/10/13 17:23:56 ossec-logcollector: INFO: (1950): Analyzing file:
'/var/ossec/logs/active-responses.log'.
2019/10/13 17:23:56 ossec-logcollector: INFO: Started (pid: 4956).
2019/10/13 17:23:56 sca: WARNING: File 'sca_unix_audit.yml' not found.
2019/10/13 17:23:56 wazuh-modulesd: INFO: Process started.
2019/10/13 17:23:56 sca: INFO: Module started.
2019/10/13 17:23:56 sca: INFO: Loaded policy
'/var/ossec/ruleset/sca/cis_rhel7_linux.yml'
2019/10/13 17:23:56 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/13 17:23:56 sca: INFO: Starting Security Configuration
Assessment scan.
2019/10/13 17:23:56 wazuh-modulesd:control: INFO: Starting control thread.
2019/10/13 17:23:56 sca: INFO: Skipping policy
'/var/ossec/ruleset/sca/cis_rhel7_linux.yml': 'Check RHEL7 family platform'


As you can see, SCA returns an error about "No such file or
directory", which is wrong. The directory exists and the file exists. But after
some seconds:

2019/10/13 17:23:59 rootcheck: INFO: Started (pid: 4951).
2019/10/13 17:24:01 ossec-logcollector: INFO: Agent is now online.
Process unlocked, continuing...
2019/10/13 17:24:01 wazuh-modulesd: INFO: Agent is now online. Process
unlocked, continuing...
2019/10/13 17:24:02 sca: INFO: Security Configuration Assessment scan
finished. Duration: 6 seconds.

What? ... In the agent's /var/ossec/etc/shared dir, there are these files:

root@stirling:~# ls -la /var/ossec/etc/shared/
total 52
drwxrwx---. 2 root ossec 82 Oct 13 17:23 .
drwxrwx---. 3 ossec ossec 204 Oct 13 17:13 ..
-rw-r--r--. 1 ossec ossec 2986 Oct 13 17:23 agent.conf
-rw-r--r--. 1 ossec ossec 123 Oct 13 17:23 ar.conf
-rw-r--r--. 1 ossec ossec 22181 Oct 13 17:23 merged.mg
-rw-r--r--. 1 ossec ossec 19010 Oct 13 17:23 sca_unix_audit.yml

As you can see, the sca_unix_audit.yml file exists and it was downloaded
from the manager. Then why this error, "sca: WARNING: File
'sca_unix_audit.yml' not found.", and this one, "sca: INFO: Could not open the
default SCA ruleset folder '/var/ossec/ruleset/sca/': No such file or
directory"? Both are wrong ...

On the other hand, I don't see any warning that the policy is being
checked (I have enabled SSH protocol version 1 to produce an alert) ...
so it doesn't look like the policy is being applied.

Any ideas? Agent and Manager are RHEL8, fully updated.
--
Regards,
C. L. Martinez

Juan Pablo Saez

Oct 14, 2019, 6:06:29 AM10/14/19
to Wazuh mailing list
Hi Carlos,


Regarding the SCA config, according to the docs SCA policies need to be copied to /var/ossec/etc/shared/agent_group to be distributed to agents. Is that right?
  • Yes, that's right. On the manager side, you should copy the SCA policy files to /var/ossec/etc/shared/agent_group, and the agent will store these shared policy files in /var/ossec/etc/shared, not in a group folder.

root@stirling:~# ls -la /var/ossec/etc/shared/
total 52
drwxrwx---. 2 root  ossec    82 Oct 13 17:23 .
drwxrwx---. 3 ossec ossec   204 Oct 13 17:13 ..
-rw-r--r--. 1 ossec ossec  2986 Oct 13 17:23 agent.conf
-rw-r--r--. 1 ossec ossec   123 Oct 13 17:23 ar.conf
-rw-r--r--. 1 ossec ossec 22181 Oct 13 17:23 merged.mg
-rw-r--r--. 1 ossec ossec 19010 Oct 13 17:23 sca_unix_audit.yml
  • Here it seems that the sca_unix_audit.yml file has the right owner:group and the right permissions.

  As you can see, the sca_unix_audit.yml file exists and it was downloaded from the manager. Then why this error, "sca: WARNING: File 'sca_unix_audit.yml' not found.", and this one, "sca: INFO: Could not open the default SCA ruleset folder '/var/ossec/ruleset/sca/': No such file or directory"? Both are wrong ...

I think the problem is in the SCA configuration:
  • It looks like the agent wants to open the file at /var/ossec/ruleset/sca/sca_unix_audit.yml, while your file is at /var/ossec/etc/shared/sca_unix_audit.yml.
  • Could you please try using <policy>/var/ossec/etc/shared/sca_unix_audit.yml</policy>?


Let me know if this settles your issue.

Greetings, JP Sáez

Carlos Lopez

Oct 14, 2019, 8:10:01 AM10/14/19
to Juan Pablo Saez, Wazuh mailing list
Thanks Juan Pablo, I will try it as soon as possible.

Regards,
C. L. Martinez


Juan Pablo Saez

Oct 14, 2019, 9:19:36 AM10/14/19
to Wazuh mailing list
Hi Carlos,

That's perfect. Let me know how it goes!

Greetings, JP Sáez


Carlos Lopez

Oct 19, 2019, 9:50:51 AM10/19/19
to Juan Pablo Saez, Wazuh mailing list
Good afternoon Juan Pablo,

Sorry for this late response. It is working with your workaround. But do I need to specify a full path for every policy on the agent side? Why isn't the policy loaded from the ruleset/sca dir?

--
Regards,
C. L. Martinez

Juan Pablo Saez

Oct 21, 2019, 5:46:18 AM10/21/19
to Wazuh mailing list
Hello Carlos,

 Do I need to specify a full path for every policy on the agent side? Why isn't the policy loaded from the ruleset/sca dir?

It depends on the policy source. Possible SCA policy sources:
  • Policies pushed from the manager to the agent using centralized configuration are placed in /var/ossec/etc/shared/ (on the agent). If you want to use one of these policies you should specify the full path: <policy>/var/ossec/etc/shared</policy>
  • Policies installed on the agent by default:
    The default installation detects the target OS and places compatible policy files in /var/ossec/ruleset/sca. These pre-installed policy files are enabled by default, and to disable one you should use <policy enabled="no">/var/ossec/ruleset/sca/policyname.yml</policy>

To summarize, when using just the policy name, it is understood to refer to /var/ossec/ruleset/sca/policyname. That's why referencing pushed policies requires the full path.

I hope it helps. Best regards, 

JP Sáez
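Pulling together the two answers above (the full-path fix in the first reply and the resolution rule in the last one), here is an added example that is not part of the thread and not Wazuh's own code: a small Python checker that reads the <policy> entries of an <sca> block and resolves them the way the replies describe the agent doing it, a bare name under /var/ossec/ruleset/sca/ and a pushed policy by its full /var/ossec/etc/shared/ path. The <ossec_config> fragment and the temporary directory tree it builds are constructed to mirror the agent in this thread (cis_rhel7_linux.yml shipped in ruleset/sca, sca_unix_audit.yml only in etc/shared); the resolution rule is taken from the replies, not from Wazuh source, and the directories are parameters so the script runs offline.

```python
"""Resolve Wazuh SCA <policy> entries the way the thread describes.

Added example, not Wazuh code. Rule as stated in the replies: a bare file
name is looked up under /var/ossec/ruleset/sca/; a policy pushed through
centralized configuration lands in /var/ossec/etc/shared/ on the agent and
must be referenced by its full path. The directories are parameters so the
check can run against a throwaway tree instead of a real agent.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

RULESET_DIR = "/var/ossec/ruleset/sca"  # where bare policy names are looked up
SHARED_DIR = "/var/ossec/etc/shared"    # where pushed policies land on the agent


def sample_config(shared_dir=SHARED_DIR):
    """Constructed <sca> block modelled on the thread: a bare name (fails for a
    pushed policy), the same policy by full path (the fix), and a default
    policy disabled via the enabled attribute."""
    return f"""<ossec_config>
  <sca>
    <enabled>yes</enabled>
    <policies>
      <policy>sca_unix_audit.yml</policy>
      <policy>{shared_dir}/sca_unix_audit.yml</policy>
      <policy enabled="no">cis_rhel7_linux.yml</policy>
    </policies>
  </sca>
</ossec_config>
"""


def resolve_policy(entry, ruleset_dir=RULESET_DIR):
    """Bare name -> ruleset_dir/name; an absolute path is used as written."""
    entry = entry.strip()
    return entry if os.path.isabs(entry) else os.path.join(ruleset_dir, entry)


def check_policies(config_xml, ruleset_dir=RULESET_DIR, shared_dir=SHARED_DIR):
    """One dict per <policy>: how it was written, where SCA will look, whether
    it is enabled, whether the file is there, and a fix hint when a bare name
    is missing from ruleset/sca but present under shared/ (the symptom in
    the thread)."""
    root = ET.fromstring(config_xml)
    report = []
    for pol in root.iter("policy"):
        as_written = (pol.text or "").strip()
        resolved = resolve_policy(as_written, ruleset_dir)
        exists = os.path.isfile(resolved)
        hint = ""
        if not exists and not os.path.isabs(as_written):
            pushed = os.path.join(shared_dir, as_written)
            if os.path.isfile(pushed):
                hint = f"pushed from the manager; reference it as {pushed}"
        report.append({
            "policy": as_written,
            "resolved": resolved,
            "enabled": pol.get("enabled", "yes").lower() != "no",
            "exists": exists,
            "hint": hint,
        })
    return report


def demo_tree():
    """Build a throwaway layout mirroring the agent in the thread:
    cis_rhel7_linux.yml in ruleset/sca, sca_unix_audit.yml only in etc/shared.
    Returns (ruleset_dir, shared_dir)."""
    base = tempfile.mkdtemp(prefix="wazuh-sca-")
    ruleset = os.path.join(base, "ruleset", "sca")
    shared = os.path.join(base, "etc", "shared")
    os.makedirs(ruleset)
    os.makedirs(shared)
    with open(os.path.join(ruleset, "cis_rhel7_linux.yml"), "w") as fh:
        fh.write("policy:\n  id: cis_rhel7_linux\n")  # constructed stub content
    with open(os.path.join(shared, "sca_unix_audit.yml"), "w") as fh:
        fh.write("policy:\n  id: unix_audit\n")  # constructed stub content
    return ruleset, shared


if __name__ == "__main__":
    # Run against the constructed tree; on a real agent call
    # check_policies(open("/var/ossec/etc/shared/agent.conf").read()) instead.
    ruleset, shared = demo_tree()
    for row in check_policies(sample_config(shared), ruleset, shared):
        status = "OK     " if row["exists"] else "MISSING"
        print(f"{status} enabled={row['enabled']!s:5} {row['policy']} "
              f"-> {row['resolved']} {row['hint']}")
```

The first entry reproduces the "File 'sca_unix_audit.yml' not found" case: the bare name resolves under ruleset/sca, which has no such file, and the hint points at the copy under etc/shared. The second entry is the workaround from the thread and resolves cleanly; the third shows the enabled="no" form for a default policy.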
