SCA module doesn't scans
Carlos Lopez
I have detected certain anomalies in the SCA module. My current configuration is:
<sca>
<enabled>yes</enabled>
<scan_on_start>no</scan_on_start>
<interval>24h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>cis_rhel7_linux_rcl.yml</policy>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
It is the same config for my manager, all workers and all agents (I am using centralized configuration for my agents). Surprisingly, scanning does not occur on servers or agents as you can see in the attached screenshot.
Both the OpenSCAP and vulnerability detector modules don't present problems.
is this a bug or a configuration error?
Regards,
C. L. Martinez
Sergio Cervilla
# cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
# cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
# cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
IT Engineer — Wazuh, Inc.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/VI1PR10MB2253B7A1C7A542B478FC943CDB060%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
For more options, visit https://groups.google.com/d/optout.
Carlos Lopez
Outputs:
cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
None
cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
2019/05/20 09:55:19 sca: INFO: Starting Security Configuration Assessment scan.
2019/05/20 09:55:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 17 seconds.
cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
No output.
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
* About to connect() to 127.0.0.1 port 55000 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 55000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file
UHmm ... It doesn't work ...
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com>
Sent: 20 May 2019 11:53
To: Carlos Lopez
Cc: wazuh
Subject: Re: SCA module doesn't scans
Hi Carlos,
I have been trying to reproduce your issue without success. I've set your configuration and I can see the alerts on Kibana.
First of all, let's check if you have any error or warning on your elasticsearch cluster:
# cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
Now, let's check if the Security Configuration Assessment module is working properly. You can achieve this using the following command:
# cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
In addition, could you search in the ossec.log for errors or warnings too?
# cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
You can see if the agents or the manager has data about SCA scans using the API with the following command:
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
I'm waiting for your response.
Regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 20, 2019 at 8:31 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Hi all,
I have detected certain anomalies in the SCA module. My current configuration is:
<sca>
<enabled>yes</enabled>
<scan_on_start>no</scan_on_start>
<interval>24h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>cis_rhel7_linux_rcl.yml</policy>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
It is the same config for my manager, all workers and all agents (I am using centralized configuration for my agents). Surprisingly, scanning does not occur on servers or agents as you can see in the attached screenshot.
Both the OpenSCAP and vulnerability detector modules don't present problems.
is this a bug or a configuration error?
Regards,
C. L. Martinez
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>.
Sergio Cervilla
curl -u foo:bar -k "http://127.0.0.1:55000/sca/000?pretty"
IT Engineer — Wazuh, Inc.
Carlos Lopez
{
"error": 0,
"data": {
"totalItems": 4,
"items": [
{
"description": "Guidance for establishing a secure configuration for SSH service vulnerabilities.",
"total_checks": 9,
"hash_file": "4c7d05c9501ea38910e20ae22b1670b4f778669bd488482b4a19d179da9556ea",
"references": "https://www.ssh.com/ssh/",
"name": "System audit for SSH hardening",
"start_scan": "2019-05-20 09:55:29",
"score": 22,
"pass": 2,
"fail": 7,
"policy_id": "system_audit_ssh",
"invalid": 0,
"end_scan": "2019-05-20 09:55:29"
},
{
"description": "Guidance for establishing a secure configuration for password vulnerabilities.",
"total_checks": 4,
"hash_file": "1803ba1239bef3a052d7866a43af0518000b2db9c54809ff1a3def2796394685",
"references": "https://www.cisecurity.org/cis-benchmarks/",
"name": "System audit for password-related vulnerabilities",
"start_scan": "2019-05-20 09:55:32",
"score": 25,
"pass": 1,
"fail": 3,
"policy_id": "system_audit_pw",
"invalid": 0,
"end_scan": "2019-05-20 09:55:32"
},
{
"description": "Guidance for establishing a secure configuration for web-related vulnerabilities.",
"total_checks": 16,
"hash_file": "a4ad3c3a1409e04217eabb884589717861b9389b68eba897093a5571a7671e2f",
"name": "System audit for web-related vulnerabilities",
"start_scan": "2019-05-20 09:55:26",
"score": 0,
"pass": 0,
"fail": 0,
"policy_id": "system_audit",
"invalid": 16,
"end_scan": "2019-05-20 09:55:26"
},
{
"description": "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 7 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 7.4.",
"total_checks": 75,
"hash_file": "c4cf49ae248ddb5a3f0cd89fa659d64c0d6f90f9fdfcfc41defd8b0e916f1281",
"references": "https://www.cisecurity.org/cis-benchmarks/",
"name": "CIS Benchmark for Red Hat Enterprise Linux 7",
"start_scan": "2019-05-20 09:55:23",
"score": 62,
"pass": 33,
"fail": 20,
"policy_id": "cis_rhel7",
"invalid": 22,
"end_scan": "2019-05-20 09:55:23"
}
]
}
}
I have changed time range in Kibana, but result is the same. I've done another test with the SCA module. I have changed the option from <interval> to <time> and everything has started working correctly.
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com>
Sent: 21 May 2019 08:50
To: Carlos Lopez
Cc: wazuh
Subject: Re: SCA module doesn't scans
Hi Carlos,
Since there are no errors or warnings in the logs, we must check if your database has data about SCA scans.
Try to execute the API call again but this time, using the http protocol instead of https because your API appears to be running with the first option.
curl -u foo:bar -k "http://127.0.0.1:55000/sca/000?pretty"
Furthermore, the agent will send only those checks which status have changed from previous scans in order to save network traffic and decreasing manager load.
If your database it's not empty, this could be the reason that you aren't seeing any alerts on your manager in that timeframe. To discard this scenario, you can change
the time range to a wider one.
Best regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 20, 2019 at 4:25 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Hi Sergio,
Outputs:
cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
None
cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
2019/05/20 09:55:19 sca: INFO: Starting Security Configuration Assessment scan.
2019/05/20 09:55:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 17 seconds.
cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
No output.
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
* About to connect() to 127.0.0.1 port 55000 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 55000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file
UHmm ... It doesn't work ...
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com<mailto:sergio....@wazuh.com>>
Sent: 20 May 2019 11:53
To: Carlos Lopez
Cc: wazuh
Subject: Re: SCA module doesn't scans
Hi Carlos,
I have been trying to reproduce your issue without success. I've set your configuration and I can see the alerts on Kibana.
First of all, let's check if you have any error or warning on your elasticsearch cluster:
# cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
Now, let's check if the Security Configuration Assessment module is working properly. You can achieve this using the following command:
# cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
In addition, could you search in the ossec.log for errors or warnings too?
# cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
You can see if the agents or the manager has data about SCA scans using the API with the following command:
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
I'm waiting for your response.
Regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 20, 2019 at 8:31 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
Hi all,
I have detected certain anomalies in the SCA module. My current configuration is:
<sca>
<enabled>yes</enabled>
<scan_on_start>no</scan_on_start>
<interval>24h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>cis_rhel7_linux_rcl.yml</policy>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
It is the same config for my manager, all workers and all agents (I am using centralized configuration for my agents). Surprisingly, scanning does not occur on servers or agents as you can see in the attached screenshot.
Both the OpenSCAP and vulnerability detector modules don't present problems.
is this a bug or a configuration error?
Regards,
C. L. Martinez
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>.
Sergio Cervilla
cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"sca"'
IT Engineer — Wazuh, Inc.
Carlos Lopez
root@wazuh-0:/var/ossec/logs# cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"sca"'
{"timestamp":"2019-05-21T01:13:09.832+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure separate partition exists for /tmp","id":"19007","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.0","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6500","title":"Ensure separate partition exists for /tmp","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs. Enable systemd /tmp mounting","compliance":{"cis":"1.1.2"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.863+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure nosuid option set on /tmp partition","id":"19007","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.2372","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6502","title":"Ensure nosuid option set on /tmp partition","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid","compliance":{"cis":"1.1.4","pci_dss":"2.2.4"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.863+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure nodev option set on /tmp partition","id":"19007","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.4087","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6501","title":"Ensure nodev option set on /tmp partition","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.","remediation":"Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid","compliance":{"cis":"1.1.3","pci_dss":"2.2.4"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.863+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure noexec option set on /tmp partition","id":"19007","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.5848","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6503","title":"Ensure noexec option set on /tmp partition","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.","remediation":"Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid","compliance":{"cis":"1.1.5","cis_csc":"2","pci_dss":"2.2.4"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.894+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure separate partition exists for /var","id":"19007","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.7635","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6504","title":"Ensure separate partition exists for /var","description":"The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.","rationale":"Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.6"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.894+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure separate partition exists for /var/tmp","id":"19007","firedtimes":6,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.9783","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6505","title":"Ensure separate partition exists for /var/tmp","description":"The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.7"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.894+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure separate partition exists for /var/log","id":"19007","firedtimes":7,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.12039","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6506","title":"Ensure separate partition exists for /var/log","description":"The /var/log directory is used by system services to store log data .","rationale":"There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.11","cis_csc":"6.3"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.924+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure nodev option set on /home partition","id":"19007","firedtimes":8,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.14153","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6509","title":"Ensure nodev option set on /home partition","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home","compliance":{"cis":"1.1.14","pci_dss":"2.2.4"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.924+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure separate partition exists for /home","id":"19007","firedtimes":9,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.15881","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6508","title":"Ensure separate partition exists for /home","description":"The /home directory is used to support disk storage needs of local users.","rationale":"If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.13"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.924+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure separate partition exists for /var/log/audit","id":"19007","firedtimes":10,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.17947","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6507","title":"Ensure separate partition exists for /var/log/audit","description":"The auditing daemon, auditd , stores log data in the /var/log/audit directory.","rationale":"There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.12","cis_csc":"6.3"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.955+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure nosuid option set on removable media partitions","id":"19007","firedtimes":11,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.20165","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6511","title":"Ensure nosuid option set on removable media partitions","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom.","compliance":{"cis":"1.1.19","pci_dss":"2.2.4"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
{"timestamp":"2019-05-21T01:13:09.955+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 7: Ensure nodev option set on removable media partitions","id":"19007","firedtimes":12,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"secoffice-ids-2","ip":"10.80.40.38"},"manager":{"name":"secoffice-wazuh-0.c.edo-prod01.internal"},"id":"1558401189.22033","cluster":{"name":"wazuh-gcp-so","node":"secoffice-wazuh-0"},"decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1430434507","policy":"CIS Benchmark for Red Hat Enterprise Linux 7","check":{"id":"6510","title":"Ensure nodev option set on removable media partitions","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.","compliance":{"cis":"1.1.18","pci_dss":"2.2.4"},"file":["/etc/fstab"],"result":"failed"}}},"location":"sca"}
If it's all right with you, I'll wait till tomorrow and see if it's working again. If it didn't work, I'll send you my feedback.
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com>
Sent: 21 May 2019 15:37
To: Carlos Lopez
Cc: wazuh
Subject: Re: SCA module doesn't scans
Hello Carlos,
I think you're getting alerts not for the change in the configuration but because of the restart of the wazuh-manager. Could you change the setting again and test if now it's working?
In addition, we can search for past alerts in the /var/ossec/logs/alerts/alerts.json file with the following command:
cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"sca"'
If we can see past alerts, then we can search for them using the Discover feature inside Kibana. Please, note that I've only applied the filter rule.groups and that you can choose a timeframe wider to search for the past alerts:
[kibana-discover-sca.png]
I'm waiting for your response, Carlos.
Best regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com<mailto:sergio....@wazuh.com>>
Sent: 21 May 2019 08:50
To: Carlos Lopez
Cc: wazuh
Subject: Re: SCA module doesn't scans
Hi Carlos,
Since there are no errors or warnings in the logs, we must check if your database has data about SCA scans.
Try to execute the API call again but this time, using the http protocol instead of https because your API appears to be running with the first option.
curl -u foo:bar -k "http://127.0.0.1:55000/sca/000?pretty"
Furthermore, the agent will send only those checks which status have changed from previous scans in order to save network traffic and decreasing manager load.
If your database it's not empty, this could be the reason that you aren't seeing any alerts on your manager in that timeframe. To discard this scenario, you can change
the time range to a wider one.
Best regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 20, 2019 at 4:25 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
Hi Sergio,
Outputs:
cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
None
cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
2019/05/20 09:55:19 sca: INFO: Starting Security Configuration Assessment scan.
2019/05/20 09:55:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 17 seconds.
cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
No output.
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
* About to connect() to 127.0.0.1 port 55000 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 55000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file
UHmm ... It doesn't work ...
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>
Sent: 20 May 2019 11:53
To: Carlos Lopez
Cc: wazuh
Subject: Re: SCA module doesn't scans
Hi Carlos,
I have been trying to reproduce your issue without success. I've set your configuration and I can see the alerts on Kibana.
First of all, let's check if you have any error or warning on your elasticsearch cluster:
# cat /var/log/elasticsearch/<cluster-name>.log | grep -i -E "warn|error|critical"
Now, let's check if the Security Configuration Assessment module is working properly. You can achieve this using the following command:
# cat /var/ossec/logs/ossec.log | grep -i -E "security configuration assessment"
In addition, could you search in the ossec.log for errors or warnings too?
# cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
You can see if the agents or the manager has data about SCA scans using the API with the following command:
curl -u <user:password> -k -X GET "https://<manager_ip>:55000/sca/<agent_id>?pretty"
I'm waiting for your response.
Regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 20, 2019 at 8:31 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>><mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>> wrote:
Hi all,
I have detected certain anomalies in the SCA module. My current configuration is:
<sca>
<enabled>yes</enabled>
<scan_on_start>no</scan_on_start>
<interval>24h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>cis_rhel7_linux_rcl.yml</policy>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
It is the same config for my manager, all workers and all agents (I am using centralized configuration for my agents). Surprisingly, scanning does not occur on servers or agents as you can see in the attached screenshot.
Both the OpenSCAP and vulnerability detector modules don't present problems.
is this a bug or a configuration error?
Regards,
C. L. Martinez
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>>>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>.
Carlos Lopez
Sorry for this late response. Everything remains the same. No scans are produced for the cluster. I have restarted manager and workers, but nothing.
On the other side, configuration is working on the agents.
Regards,
C. L. Martinez
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>
Sent: 21 May 2019 15:44
To: Sergio Cervilla
Regards,
C. L. Martinez
Hello Carlos,
Best regards,
Regards,
C. L. Martinez
Hi Carlos,
Best regards,
Regards,
C. L. Martinez
Hi Carlos,
Regards,
C. L. Martinez
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/VI1PR10MB22535CD3D5D5277F2FF1B6BFDB070%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
Sergio Cervilla
IT Engineer — Wazuh, Inc.
Carlos Lopez
Correct, this is not the case. There is no SCA alerts in the general
tab. Alerts are showed for the agents only.
Regards,
C. L. Martinez
On 24/05/2019 14:11, Sergio Cervilla wrote:
> Hi Carlos,
>
> If you want to see the SCA alerts of the managers (master and workers)
> you must navigate into the overview
> tab in your Kibana application. It was decided that managers related
> alerts should not be displayed in the agent's tab.
>
> If this is not the case, please don't hesitate to let me know.
>
> Best regards,
>
> IT Engineer — *Wazuh, Inc.*
> <https://wazuh.com/>
>
>
> On Fri, May 24, 2019 at 9:51 AM Carlos Lopez <clo...@outlook.com
> <mailto:clo...@outlook.com>> wrote:
>
> HI Sergio,
>
> Sorry for this late response. Everything remains the same. No
> scans are produced for the cluster. I have restarted manager and
> workers, but nothing.
>
> On the other side, configuration is working on the agents.
>
>
>
> Regards,
> C. L. Martinez
>
>
> ________________________________________
> <wa...@googlegroups.com <mailto:wa...@googlegroups.com>> on behalf
> of Carlos Lopez <clo...@outlook.com <mailto:clo...@outlook.com>>
> To: Carlos Lopez
> Cc: wazuh
> Subject: Re: SCA module doesn't scans
>
> Hello Carlos,
>
> I think you're getting alerts not for the change in the
> configuration but because of the restart of the wazuh-manager. Could
> you change the setting again and test if now it's working?
>
> In addition, we can search for past alerts in the
> /var/ossec/logs/alerts/alerts.json file with the following command:
>
>
> cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"sca"'
>
> If we can see past alerts, then we can search for them using the
> Discover feature inside Kibana. Please, note that I've only applied
> the filter rule.groups and that you can choose a timeframe wider to
> search for the past alerts:
> [kibana-discover-sca.png]
>
> I'm waiting for your response, Carlos.
>
> Best regards,
>
> Sergio Cervilla
> IT Engineer — Wazuh, Inc.
> [https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
>
>
>
> On Tue, May 21, 2019 at 1:03 PM Carlos Lopez <clo...@outlook.com
> To: Carlos Lopez
> Cc: wazuh
> Subject: Re: SCA module doesn't scans
>
> Hi Carlos,
>
> Since there are no errors or warnings in the logs, we must check if
> your database has data about SCA scans.
>
> Try to execute the API call again but this time, using the http
> protocol instead of https because your API appears to be running
> with the first option.
>
>
> curl -u foo:bar -k "http://127.0.0.1:55000/sca/000?pretty"
>
>
> Furthermore, the agent will send only those checks which status have
> changed from previous scans in order to save network traffic and
> decreasing manager load.
> If your database it's not empty, this could be the reason that you
> aren't seeing any alerts on your manager in that timeframe. To
> discard this scenario, you can change
> the time range to a wider one.
>
> Best regards,
>
> Sergio Cervilla
> IT Engineer — Wazuh, Inc.
> [https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
>
>
>
> On Mon, May 20, 2019 at 4:25 PM Carlos Lopez <clo...@outlook.com
> <mailto:clo...@outlook.com><mailto:clo...@outlook.com
> <mailto:wazuh%252Buns...@googlegroups.com><mailto:wazuh%252Buns...@googlegroups.com
> <mailto:wazuh%25252Bun...@googlegroups.com>><mailto:wazuh%252Buns...@googlegroups.com
> <mailto:wazuh%25252Bun...@googlegroups.com><mailto:wazuh%25252Bun...@googlegroups.com
> <mailto:wazuh%2525252Bu...@googlegroups.com>>>>.
> <mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com
> <mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com
> <mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com
> <mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com
> <mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com
> <mailto:wa...@googlegroups.com>>>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/VI1PR10MB2253B7A1C7A542B478FC943CDB060%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to wazuh+un...@googlegroups.com
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> For more options, visit https://groups.google.com/d/optout.
>
> You received this message because you are subscribed to the Google
> Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to wazuh+un...@googlegroups.com
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> <https://groups.google.com/d/msgid/wazuh/CAB1odHdqwgBoa_LreSjwEHJknXQapDtSQY-AkHbWqAMFVCa7VA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
Sergio Cervilla
cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"id":"000".*"sca"'agent.id : "000" AND rule.groups : "sca"
IT Engineer — Wazuh, Inc.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/VI1PR10MB22531E942D3D80D1560AC851DB020%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
Carlos Lopez
There is no output executing: cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"id":"000".*"sca"'. I have checked previous days also, but result is the same: nothing
I have attached a capture with lastest 72h ... nothing.
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com>
Sent: 27 May 2019 11:28
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: SCA module doesn't scans
Hi Carlos,
I'm not able to reproduce your issue. I've configured a cluster environment and I can see SCA alerts related to
agents and managers without a problem. Let's check if you have alerts related to SCA on your master node:
cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"id":"000".*"sca"'
If you have alerts int the alerts.json, then you can use the following query on Kibana's discover and see if you have the alerts there:
agent.id<http://agent.id> : "000" AND rule.groups : "sca"
As you can see, I have alerts related to SCA in a cluster environment:
[image.png]
If you can see the alerts in the alerts.json but not in the Kibana application, it'd be useful if you paste here some examples of these SCA alerts.
Best regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Fri, May 24, 2019 at 5:46 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Hi Sergio,
Correct, this is not the case. There is no SCA alerts in the general
tab. Alerts are showed for the agents only.
Regards,
C. L. Martinez
On 24/05/2019 14:11, Sergio Cervilla wrote:
> Hi Carlos,
>
> If you want to see the SCA alerts of the managers (master and workers)
> you must navigate into the overview
> tab in your Kibana application. It was decided that managers related
> alerts should not be displayed in the agent's tab.
>
> If this is not the case, please don't hesitate to let me know.
>
> Best regards,
>
> *Sergio Cervilla*
> IT Engineer — *Wazuh, Inc.*
> <https://wazuh.com/>
>
>
>
> On Fri, May 24, 2019 at 9:51 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
>
> HI Sergio,
>
> Sorry for this late response. Everything remains the same. No
> scans are produced for the cluster. I have restarted manager and
> workers, but nothing.
>
> On the other side, configuration is working on the agents.
>
>
>
> Regards,
> C. L. Martinez
>
>
> ________________________________________
> From: wa...@googlegroups.com<mailto:wa...@googlegroups.com> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <wa...@googlegroups.com<mailto:wa...@googlegroups.com> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>> on behalf
> of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>
> Sent: 21 May 2019 15:37
> To: Carlos Lopez
> Cc: wazuh
> Subject: Re: SCA module doesn't scans
>
> Hello Carlos,
>
> I think you're getting alerts not for the change in the
> configuration but because of the restart of the wazuh-manager. Could
> you change the setting again and test if now it's working?
>
> In addition, we can search for past alerts in the
> /var/ossec/logs/alerts/alerts.json file with the following command:
>
>
> cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"sca"'
>
> If we can see past alerts, then we can search for them using the
> Discover feature inside Kibana. Please, note that I've only applied
> the filter rule.groups and that you can choose a timeframe wider to
> search for the past alerts:
> [kibana-discover-sca.png]
>
> I'm waiting for your response, Carlos.
>
> Best regards,
>
> Sergio Cervilla
> IT Engineer — Wazuh, Inc.
> [https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
>
>
>
> On Tue, May 21, 2019 at 1:03 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>>
> Sent: 21 May 2019 08:50
> To: Carlos Lopez
> Cc: wazuh
> Subject: Re: SCA module doesn't scans
>
> Hi Carlos,
>
> Since there are no errors or warnings in the logs, we must check if
> your database has data about SCA scans.
>
> Try to execute the API call again but this time, using the http
> protocol instead of https because your API appears to be running
> with the first option.
>
>
> curl -u foo:bar -k "http://127.0.0.1:55000/sca/000?pretty"
>
>
> Furthermore, the agent will send only those checks which status have
> changed from previous scans in order to save network traffic and
> decreasing manager load.
> If your database it's not empty, this could be the reason that you
> aren't seeing any alerts on your manager in that timeframe. To
> discard this scenario, you can change
> the time range to a wider one.
>
> Best regards,
>
> Sergio Cervilla
> IT Engineer — Wazuh, Inc.
> [https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
>
>
>
> On Mon, May 20, 2019 at 4:25 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>>>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com>><mailto:clo...@outlook.com<mailto:clo...@outlook.com>
> <mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>>>><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>
> <mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>
> <mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>>><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>
> <mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>><mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>
> <mailto:wazuh%2525252Bu...@googlegroups.com<mailto:wazuh%252525252B...@googlegroups.com>>>>>.
> To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/VI1PR10MB2253B7A1C7A542B478FC943CDB060%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com>
> <mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>.
> To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/VI1PR10MB22535CD3D5D5277F2FF1B6BFDB070%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com>
> <mailto:wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com>>.
> To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/CAB1odHdqwgBoa_LreSjwEHJknXQapDtSQY-AkHbWqAMFVCa7VA%40mail.gmail.com
> <https://groups.google.com/d/msgid/wazuh/CAB1odHdqwgBoa_LreSjwEHJknXQapDtSQY-AkHbWqAMFVCa7VA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com>.
Visit this group at https://groups.google.com/group/wazuh.
Sergio Cervilla
# cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
# cat /var/ossec/logs/alerts/alerts.json | grep -i -E "sca"
IT Engineer — Wazuh, Inc.
Sergio Cervilla
IT Engineer — Wazuh, Inc.
Carlos Lopez
I have found the problem. Because these servers have been upgraded from versions 3.7.X, they dragged "obsolete" configurations. Among them the one that refers to <system_audit>. Disabling these rootcheck options:
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/rootcheck/cis_rhel7_linux_rcl.txt</system_audit>
..everything works correctly.
Many thanks for your help Sergio.
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com>
Sent: 27 May 2019 17:27
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: SCA module doesn't scans
Hi again Carlos,
Could you please paste here the /var/ossec/etc/ossec.conf of one of your managers? It'd be useful too.
Thanks in advance.
Regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 27, 2019 at 5:24 PM Sergio Cervilla <sergio....@wazuh.com<mailto:sergio....@wazuh.com>> wrote:
Hi Carlos,
Could you please change the configuration of one of your manager and set <interval>1m</interval> and <scan_on_start>yes</scan_on_start> inside de SCA configuration tag.
After this, restart the manager and check the ossec.log for errors or warnings using the following command:
# cat /var/ossec/logs/ossec.log | grep -i -E "warn|error|critical"
Then, check the alerts.json of that manager and search from SCA alerts using the following command:
# cat /var/ossec/logs/alerts/alerts.json | grep -i -E "sca"
I'm waiting for your response.
Regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Mon, May 27, 2019 at 11:37 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Hi Sergio,
There is no output executing: cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"id":"000".*"sca"'. I have checked previous days also, but result is the same: nothing
I have attached a capture with lastest 72h ... nothing.
Regards,
C. L. Martinez
________________________________________
From: Sergio Cervilla <sergio....@wazuh.com<mailto:sergio....@wazuh.com>>
Sent: 27 May 2019 11:28
To: Carlos Lopez
Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com>
Subject: Re: SCA module doesn't scans
Hi Carlos,
I'm not able to reproduce your issue. I've configured a cluster environment and I can see SCA alerts related to
agents and managers without a problem. Let's check if you have alerts related to SCA on your master node:
cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"id":"000".*"sca"'
If you have alerts int the alerts.json, then you can use the following query on Kibana's discover and see if you have the alerts there:
agent.id<http://agent.id><http://agent.id> : "000" AND rule.groups : "sca"
As you can see, I have alerts related to SCA in a cluster environment:
[image.png]
If you can see the alerts in the alerts.json but not in the Kibana application, it'd be useful if you paste here some examples of these SCA alerts.
Best regards,
Sergio Cervilla
IT Engineer — Wazuh, Inc.
[https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
On Fri, May 24, 2019 at 5:46 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
Hi Sergio,
Correct, this is not the case. There is no SCA alerts in the general
tab. Alerts are showed for the agents only.
Regards,
C. L. Martinez
On 24/05/2019 14:11, Sergio Cervilla wrote:
> Hi Carlos,
>
> If you want to see the SCA alerts of the managers (master and workers)
> you must navigate into the overview
> tab in your Kibana application. It was decided that managers related
> alerts should not be displayed in the agent's tab.
>
> If this is not the case, please don't hesitate to let me know.
>
> Best regards,
>
> *Sergio Cervilla*
> IT Engineer — *Wazuh, Inc.*
> <https://wazuh.com/>
>
>
>
> On Fri, May 24, 2019 at 9:51 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>> wrote:
>
> HI Sergio,
>
> Sorry for this late response. Everything remains the same. No
> scans are produced for the cluster. I have restarted manager and
> workers, but nothing.
>
> On the other side, configuration is working on the agents.
>
>
>
> Regards,
> C. L. Martinez
>
>
> ________________________________________
> From: wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>
> <wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>> on behalf
> of Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>> <mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>>
> Sent: 21 May 2019 15:37
> To: Carlos Lopez
> Cc: wazuh
> Subject: Re: SCA module doesn't scans
>
> Hello Carlos,
>
> I think you're getting alerts not for the change in the
> configuration but because of the restart of the wazuh-manager. Could
> you change the setting again and test if now it's working?
>
> In addition, we can search for past alerts in the
> /var/ossec/logs/alerts/alerts.json file with the following command:
>
>
> cat /var/ossec/logs/alerts/alerts.json | grep -i -E '"sca"'
>
> If we can see past alerts, then we can search for them using the
> Discover feature inside Kibana. Please, note that I've only applied
> the filter rule.groups and that you can choose a timeframe wider to
> search for the past alerts:
> [kibana-discover-sca.png]
>
> I'm waiting for your response, Carlos.
>
> Best regards,
>
> Sergio Cervilla
> IT Engineer — Wazuh, Inc.
> [https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
>
>
>
> On Tue, May 21, 2019 at 1:03 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>>>
> Sent: 21 May 2019 08:50
> To: Carlos Lopez
> Cc: wazuh
> Subject: Re: SCA module doesn't scans
>
> Hi Carlos,
>
> Since there are no errors or warnings in the logs, we must check if
> your database has data about SCA scans.
>
> Try to execute the API call again but this time, using the http
> protocol instead of https because your API appears to be running
> with the first option.
>
>
> curl -u foo:bar -k "http://127.0.0.1:55000/sca/000?pretty"
>
>
> Furthermore, the agent will send only those checks which status have
> changed from previous scans in order to save network traffic and
> decreasing manager load.
> If your database it's not empty, this could be the reason that you
> aren't seeing any alerts on your manager in that timeframe. To
> discard this scenario, you can change
> the time range to a wider one.
>
> Best regards,
>
> Sergio Cervilla
> IT Engineer — Wazuh, Inc.
> [https://www.google.com/a/cpanel/wazuh.com/images/logo.gif?alpha=1&service=google_default]<https://wazuh.com/>
>
>
>
> On Mon, May 20, 2019 at 4:25 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>><mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>
> <mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>>><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com><mailto:sergio....@wazuh.com<mailto:sergio....@wazuh.com>>
> <mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>>><mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>
> <mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com><mailto:wazuh%2525252Bu...@googlegroups.com<mailto:wazuh%252525252B...@googlegroups.com>>>>><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>>
> <mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com><mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>>><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com><mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>>
> <mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com><mailto:wazuh%2525252Bu...@googlegroups.com<mailto:wazuh%252525252B...@googlegroups.com>>>><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com><mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com>>
> <mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com><mailto:wazuh%2525252Bu...@googlegroups.com<mailto:wazuh%252525252B...@googlegroups.com>>><mailto:wazuh%25252Bun...@googlegroups.com<mailto:wazuh%2525252Bu...@googlegroups.com><mailto:wazuh%2525252Bu...@googlegroups.com<mailto:wazuh%252525252B...@googlegroups.com>>
> <mailto:wazuh%2525252Bu...@googlegroups.com<mailto:wazuh%252525252B...@googlegroups.com><mailto:wazuh%252525252B...@googlegroups.com<mailto:wazuh%25252525252...@googlegroups.com>>>>>>.
> To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>>>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/VI1PR10MB2253B7A1C7A542B478FC943CDB060%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>
> <mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>>>.
> To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/VI1PR10MB22535CD3D5D5277F2FF1B6BFDB070%40VI1PR10MB2253.EURPRD10.PROD.OUTLOOK.COM.
> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>
> <mailto:wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>>.
> To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
> <mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>>.
> Visit this group at https://groups.google.com/group/wazuh.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/CAB1odHdqwgBoa_LreSjwEHJknXQapDtSQY-AkHbWqAMFVCa7VA%40mail.gmail.com
> <https://groups.google.com/d/msgid/wazuh/CAB1odHdqwgBoa_LreSjwEHJknXQapDtSQY-AkHbWqAMFVCa7VA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>.
To post to this group, send email to wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>.
Visit this group at https://groups.google.com/group/wazuh.
Sergio Cervilla
IT Engineer — Wazuh, Inc.