________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>
Sent: 18 May 2021 09:54
To: wa...@googlegroups.com
Subject: Shared config is not correctly sync'ed in v4.1.5
Hi all.
I am encountering major configuration synchronisation problems with shared config in version 4.1.5. The configuration is not updated correctly on the macOS, Windows and Ubuntu platforms (in any of their versions), and this is creating serious consistency and integrity problems with the config on the agents.
As an example for macOS agents. Currently, these are the files that should be synchronised across all macOS agents (I am using a cluster architecture):
In wazuh master server:
root@wazuhmaster:/var/ossec/etc/shared/macos# ls -al
total 200
drwxrwx--- 3 ossec ossec 241 May 18 07:23 .
drwxrwx--- 12 root ossec 190 May 16 07:41 ..
-rw-r----- 1 ossec ossec 4462 May 16 07:53 agent.conf
lrwxrwxrwx 1 root root 53 May 14 06:53 com.custom.wazuhaddons.plist -> ../../configs/os/macos/com.custom.wazuhaddons.plist
lrwxrwxrwx 1 root root 38 May 14 06:53 create_tasks.sh -> ../../configs/os/macos/create_tasks.sh
lrwxrwxrwx 1 root root 41 May 13 07:11 hardening_macos.sh -> ../../configs/os/macos/hardening_macos.sh
lrwxrwxrwx 1 root root 40 May 14 06:53 install_addons.sh -> ../../configs/os/macos/install_addons.sh
lrwxrwxrwx 1 root root 31 Feb 26 07:18 macos_cis_yml -> ../../configs/cis/macos_cis_yml
-rw-rw---- 1 ossecr ossec 98781 May 18 07:23 merged.mg
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4CFAE784-24A4-4A2C-8251-218C7C0D654A%40outlook.com.
Any news regarding this issue?
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>
Sent: 27 May 2021 17:22
To: Matias Ezequiel Moreno
Cc: wa...@googlegroups.com
Subject: Re: Shared config is not correctly sync'ed in v4.1.5
Hi Matias,
This issue appears on all groups defined in my Wazuh infrastructure. I have verified all my shared confs with this guide and they are correct.
Best regards,
C. L. Martinez
On 27 May 2021, at 17:16, Matias Ezequiel Moreno <matias...@wazuh.com> wrote:
Hi Carlos, how are you?
First of all, sorry for the late response.
To provide better support, could you verify to which agent_groups the agents that are having the problem belong?
Here I share a guide (https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html?highlight=shared) that details the requirements for correct synchronization.
Regards
Matias
On Tuesday, May 18, 2021 at 4:55:00 AM UTC-3 Carlos Lopez wrote:
Hi all.
I am encountering major configuration synchronisation problems with shared config in version 4.1.5. The configuration is not updated correctly on the macOS, Windows and Ubuntu platforms (in any of their versions), and this is creating serious consistency and integrity problems with the config on the agents.
As an example for macOS agents. Currently, these are the files that should be synchronised across all macOS agents (I am using a cluster architecture):
In wazuh master server:
root@wazuhmaster:/var/ossec/etc/shared/macos# ls -al
total 200
drwxrwx--- 3 ossec ossec 241 May 18 07:23 .
drwxrwx--- 12 root ossec 190 May 16 07:41 ..
-rw-r----- 1 ossec ossec 4462 May 16 07:53 agent.conf
lrwxrwxrwx 1 root root 53 May 14 06:53 com.custom.wazuhaddons.plist -> ../../configs/os/macos/com.custom.wazuhaddons.plist
lrwxrwxrwx 1 root root 38 May 14 06:53 create_tasks.sh -> ../../configs/os/macos/create_tasks.sh
lrwxrwxrwx 1 root root 41 May 13 07:11 hardening_macos.sh -> ../../configs/os/macos/hardening_macos.sh
lrwxrwxrwx 1 root root 40 May 14 06:53 install_addons.sh -> ../../configs/os/macos/install_addons.sh
lrwxrwxrwx 1 root root 31 Feb 26 07:18 macos_cis_yml -> ../../configs/cis/macos_cis_yml
-rw-rw---- 1 ossecr ossec 98781 May 18 07:23 merged.mg
drwxrwx--- 2 root ossec 53 Apr 6 09:31 osquery
lrwxrwxrwx 1 root root 28 Feb 24 15:41 rootkit_files.txt -> ../default/rootkit_files.txt
lrwxrwxrwx 1 root root 30 Feb 24 15:41 rootkit_trojans.txt -> ../default/rootkit_trojans.txt
Wazuh worker nodes:
root@wazuhwork01:/var/ossec/etc/shared/macos# ls -al
total 100
drwxrwx--- 2 ossec ossec 23 May 17 09:12 .
drwxrwx--- 12 root ossec 190 May 11 06:37 ..
-rw-rw---- 1 ossec ossec 98781 May 17 09:12 merged.mg
In macOS agents (all of them):
macosdsk01:shared root# ls -al
total 416
drwxrwx--- 14 root ossec 448 May 13 15:34 .
drwxrwx--- 9 ossec ossec 288 May 13 15:34 ..
-rw-rw---- 1 root ossec 4471 May 17 11:12 agent.conf
-rw-rw---- 1 root ossec 77 May 17 11:12 ar.conf
-rw-rw---- 1 root ossec 523 May 17 11:12 com.custom.wazuhaddons.plist
-rw-rw---- 1 root ossec 1167 May 17 11:12 create_tasks.sh
-rw-rw---- 1 root ossec 160 May 17 11:12 hardening_macos_staging.sh
-rw-rw---- 1 root ossec 1406 May 17 11:12 install_addons.sh
-rw-rw---- 1 root ossec 898 May 13 15:34 install_osquery_macos.sh
-rw-rw---- 1 root ossec 65531 May 17 11:12 macos_cis_yml
-rw-rw---- 1 root ossec 93221 May 17 11:12 merged.mg
drwxr-x--- 4 root ossec 128 May 13 15:34 osquery
-rw-rw---- 1 root ossec 16179 May 17 11:12 rootkit_files.txt
-rw-rw---- 1 root ossec 454 May 13 15:34 update_wazuh_agent.sh
macosdsk01:shared root# pwd
/Library/Ossec/etc/shared
As you can see, old files appear that should not be in use or synchronised to any agent.
On the other hand, the merged.mg md5 sums do not match between agents and servers.
root@wazuhwork01:/var/ossec/etc/shared/macos# md5sum merged.mg
b9e71d5f76c17ea12441c8b916e2673d merged.mg
root@wazuhwork01:/var/ossec/etc/shared/macos
root@wazuhmaster:/var/ossec/etc/shared/macos# md5sum merged.mg
b9e71d5f76c17ea12441c8b916e2673d merged.mg
root@wazuhmaster:/var/ossec/etc/shared/macos
macosdsk01:shared root# md5 merged.mg
MD5 (merged.mg) = 536a5665d1f533d70a733e005f29f6df
macosdsk01:shared root#
This inconsistency causes multiple errors in several defined wodles as well as in the monitoring of several event files.
The only platform on which I've seen shared config sync work is RHEL; on all the others it doesn't: macOS, Windows and Ubuntu.
Best regards,
C. L. Martinez
No news?? It is quite complicated to manage shared configurations if production versions are maintained at the same time as bad versions.
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Carlos Lopez <clo...@outlook.com>
Sent: 03 June 2021 10:30
There are no errors in ossec.log ... I have not detected any problem in the sync process when new files are created on the manager side. But the old files that are deleted from the shared directory on the manager remain on the client side.
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Matias Ezequiel Moreno <matias...@wazuh.com>
Sent: 27 July 2021 21:09
To: Wazuh mailing list
Subject: Re: Shared config is not correctly sync'ed in v4.1.5
Hi Carlos, could you share what errors appear in the file /var/ossec/log/ossec.log?
Best regards,
Matias
On Monday, July 26, 2021 at 3:04:54 AM UTC-3 Carlos Lopez wrote:
Hi Matias,
All files belong to the ossec:ossec user and group. Files in /var/ossec/etc/shared/macos, for example, are softlinks to the original files …
Best regards,
C. L. Martinez
On 23 Jul 2021, at 16:48, Matias Ezequiel Moreno <matias...@wazuh.com> wrote:
Hi Carlos,
After reviewing your topic a little more and inquiring with the team, we can see that the owner and the group of the files that you want to synchronize correspond to the root user. Could you try to change them to the ossec user? I leave you a guide that can help you: Changing the Owner, Group, and Permissions (https://www.oreilly.com/library/view/running-linux-third/156592469X/ch04s14.html)
Sure. I have tried with hardlinks on the manager side, but with the same result. Old files are not removed on the agent side:
macbook:shared root# ls -al
total 416
drwxrwx--- 14 root ossec 448 May 13 15:34 .
drwxrwx--- 9 ossec ossec 288 May 13 15:34 ..
-rw-rw---- 1 root ossec 4580 Jul 22 09:01 agent.conf
-rw-rw---- 1 root ossec 77 Jul 22 09:01 ar.conf
-rw-rw---- 1 root ossec 1198 Jul 22 09:01 create_tasks.sh
-rw-rw---- 1 root ossec 160 Jul 22 09:01 hardening_macos_staging.sh
-rw-rw---- 1 root ossec 1406 Jul 22 09:01 install_addons.sh
-rw-rw---- 1 root ossec 898 May 13 15:34 install_osquery_macos.sh
-rw-rw---- 1 root ossec 65531 Jul 22 09:01 macos_cis_yml
-rw-rw---- 1 root ossec 93361 Jul 22 09:01 merged.mg
drwxr-x--- 4 root ossec 128 May 13 15:34 osquery
-rw-rw---- 1 root ossec 16179 Jul 22 09:01 rootkit_files.txt
-rw-rw---- 1 root ossec 454 May 13 15:34 update_wazuh_agent.sh
The files update_wazuh_agent.sh and install_osquery_macos.sh should not be there....
Regards.
________________________________________
From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Matias Ezequiel Moreno <matias...@wazuh.com>
Sent: 28 July 2021 17:01
Hi Carlos, here again.
Best regards
Hi Matias,
Regarding your question:
"If you add new files, the synchronization works correctly, is this correct?" No. New files are sync'ed, but old files remain in the client shared dir.
Output commands:
root@wazuh-master:~# cmp --silent /var/ossec/etc/shared/macos/merged.mg /tmp/worker01/merged.mg
root@wazuh-master:~#
root@wazuh-master:~# curl -k -X GET https://localhost:55000/agents/009/group/is_sync -H "Authorization: Bearer $TOKEN"
{"data": {"affected_items": [{"id": "009", "synced": true}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "Sync info was returned for all selected agents", "error": 0}
As you can see, synchronization works OK …. But old files remain on the client …
Thanks for your help.
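The symptom in this thread (is_sync reports synced: true and the manager and worker merged.mg sums agree, yet files that are no longer in the group linger in the agent's shared directory) is easiest to pin down by comparing what merged.mg says the agent should hold against what is actually on disk. The following is an added example, not code from the thread or from the Wazuh project. It assumes the merged.mg layout described in the code comment (one "#<group>" line, then "!<size> <name>" headers each followed by exactly <size> bytes of content); the sample merged.mg, the directory contents and the leftover file are constructed inline so the script runs offline, and audit_shared_dir(), build_merged() and demo() are names chosen here, not Wazuh APIs.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed merged.mg layout (from my reading of the Wazuh sources; verify it
# against your version): an optional "#<group>" line, then for every shared
# file a header "!<size> <name>" followed by exactly <size> bytes of content
# with no separator, so entries must be read by byte count, not by line.
ENTRY_HEADER = re.compile(rb"^!(\d+) (.+)$")


def parse_merged(data: bytes) -> dict:
    """Return {name: content} for a merged.mg blob; raise ValueError if malformed."""
    files = {}
    pos = 0
    if data.startswith(b"#"):                 # skip the group line if present
        pos = data.index(b"\n") + 1
    while pos < len(data):
        nl = data.index(b"\n", pos)
        m = ENTRY_HEADER.match(data[pos:nl])
        if not m:
            raise ValueError(f"bad entry header at offset {pos}: {data[pos:nl]!r}")
        size, name = int(m.group(1)), m.group(2).decode()
        start, end = nl + 1, nl + 1 + size
        if end > len(data):
            raise ValueError(f"truncated content for {name}")
        files[name] = data[start:end]
        pos = end
    return files


def build_merged(group: str, files: dict) -> bytes:
    """Inverse of parse_merged, used here only to construct a sample blob."""
    out = [f"#{group}\n".encode()]
    for name, content in files.items():
        out.append(f"!{len(content)} {name}\n".encode())
        out.append(content)
    return b"".join(out)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def audit_shared_dir(shared_dir: Path, expected: dict, ignore=("merged.mg",)) -> dict:
    """Compare an agent's shared dir with the file set carried by its merged.mg.

    Subdirectories are skipped (merged.mg carries flat files only) and merged.mg
    itself is ignored because it is the container, not a shipped file.
    """
    present = {p.name for p in shared_dir.iterdir() if p.is_file()} - set(ignore)
    return {
        "stale": sorted(present - expected.keys()),      # on agent, no longer in merged.mg
        "missing": sorted(expected.keys() - present),    # in merged.mg, never unpacked
        "modified": sorted(n for n in expected.keys() & present
                           if (shared_dir / n).read_bytes() != expected[n]),
    }


def demo() -> dict:
    """Constructed scenario (not the thread's data): current merged.mg plus one leftover."""
    manager_files = {
        "agent.conf": b"<agent_config>\n</agent_config>\n",
        "ar.conf": b"restart-ossec0 - restart-ossec.sh - 0\n",
        "create_tasks.sh": b"#!/bin/sh\necho tasks",        # no trailing newline on purpose
        "macos_cis_yml": b"policy:\n  id: cis_apple_example\n",
    }
    blob = build_merged("macos", manager_files)
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)
        for name, content in manager_files.items():      # what the agent unpacked
            (shared / name).write_bytes(content)
        (shared / "merged.mg").write_bytes(blob)
        (shared / "osquery").mkdir()                      # subdir, must not be flagged
        (shared / "update_wazuh_agent.sh").write_bytes(b"#!/bin/sh\n")  # leftover from an old group
        report = audit_shared_dir(shared, parse_merged(blob))
        report["agent_md5"] = md5_hex((shared / "merged.mg").read_bytes())
    report["manager_md5"] = md5_hex(blob)
    report["md5_match"] = report["agent_md5"] == report["manager_md5"]
    return report


if __name__ == "__main__":
    print(demo())
```

On a real agent, feed parse_merged() the merged.mg found in /Library/Ossec/etc/shared (or /var/ossec/etc/shared on Linux) and point audit_shared_dir() at that directory; a non-empty "stale" list while the md5 of the agent's merged.mg matches the manager's copy and is_sync reports synced: true is exactly the picture described above, and tells you the delivery step worked but the cleanup of files no longer in the group did not.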