Can ossec-agent connect to wazuh server?


Michael Muenz

May 10, 2019, 4:26:41 AM
to Wazuh mailing list
Hi,

Sorry if this is a very stupid question; I'm very new to wazuh/ossec and want to write a plugin for the OPNsense firewall.
OPNsense is based on Free/HardenedBSD and there's only a port for ossec-agent. I had a look at the install process, but the install.sh script makes it very hard to build a FreeBSD port.

So my second thought was: is it possible to use the ossec-agent from FreeBSD to speak with the wazuh server?
Pushing Google around only gives me results about how to migrate from ossec to wazuh.

Again, please forgive me if it's self-explanatory whether this is possible or not; for me it's more a strategic decision between writing a plugin for an agent to feed wazuh-server, or, the easier but feature-less way, writing a plugin for filebeat to feed wazuh-server.


Thanks
Michael 

Pablo Navarro

May 10, 2019, 4:59:36 AM
to Wazuh mailing list
Hi Michael,

Don't worry, we are here to help and there are no stupid questions.

OSSEC agents are compatible with Wazuh server. You can even have different versions of Wazuh and OSSEC agents reporting to a centralized Wazuh server. 
You don't have to change anything, just configure the ossec.conf of the agent in order to report to the Wazuh server.

If you have any doubt or you face any trouble feel free to ask in the mailing list and we will be pleased to help you.

Kind regards,
Pablo.

Michael Muenz

May 10, 2019, 8:05:40 AM
to Wazuh mailing list
Hi Pablo,

Thanks for your help. 

Currently I'm still trying to build an official FreeBSD port for wazuh-agent.
When sticking to the src/ directory, is this enough?

cd ${WRKSRC}/src && ${GMAKE} deps && ${GMAKE} TARGET=agent PREFIX=/usr/local/ossec

Or does it need more to copy the files to PREFIX, like a make install?

Thanks
Michael

Pablo Navarro

May 10, 2019, 10:02:53 AM
to Wazuh mailing list
Hi Michael,

The PREFIX tag points out where the agent is going to be installed. You just need to compile in the src folder and then execute the install.sh located in the Wazuh folder. The installer will install the agent in /usr/local/ossec in your case.
Don't forget to check that the installation directory is /usr/local/ossec when you run the installation script.

Regards,
Pablo.

Michael Muenz

May 10, 2019, 10:24:47 AM
to Wazuh mailing list
Hi Pablo,

thanks for the hint. My problem is that for a FreeBSD port I can't use interactive stuff.
That's why I change to src and run gmake. It compiles all binaries, but it doesn't copy them to PREFIX.

Is there some non-interactive mode available?

Thanks,
Michael

Pablo Navarro

May 10, 2019, 11:18:07 AM
to Wazuh mailing list
Hi Michael,

You can preload all the variables that are prompted for in the install script in the preloaded_vars file. This file is located in the etc folder of the Wazuh folder.

After you have uncommented the lines needed for the install, it must run in non-interactive mode.

Regards,
Pablo

Michael Muenz

May 13, 2019, 6:06:14 AM
to Wazuh mailing list
Hi Pablo,

thanks for the hint. I finally got it working, but install.sh tries to start the service afterwards.
Is there an option to prevent starting the daemon?

Thanks,
Michael

Pablo Navarro

May 13, 2019, 7:03:27 AM
to Wazuh mailing list
Hi Michael,

Yes, the option USER_AUTO_START of the unattended installation must prevent install.sh from starting the service after the install.

Regards,
Pablo.

Michael Muenz

May 13, 2019, 7:35:38 AM
to Wazuh mailing list
Ok, my file looks like this:

USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/usr/local/ossec"
USER_DELETE_DIR="n"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_OPENSCAP="y"
USER_ENABLE_SYSCOLLECTOR="y"
USER_ENABLE_SECURITY_CONFIGURATION_ASSESSMENT="y"
USER_ENABLE_AUTHD="y"
USER_GENERATE_AUTHD_CERT="n"
USER_UPDATE="n"
USER_AGENT_SERVER_IP="127.0.0.1"
USER_CREATE_SSL_CERT="n"
USER_AUTO_START="n"

But when running install.sh, it's still asking for:
  3.6- Remote upgrades use packages signed by the system maintainer. The
       corresponding certificate (or root certificate) must be installed
       in the system in order to verify the WPK packages. By default,
       the root certificate by Wazuh is installed.

   - Do you want to add more certificates? (y/n)? [n]:

Juan Carlos

May 13, 2019, 9:07:21 AM
to Wazuh mailing list
Hi Michael,

In order to skip that prompt you may use:
USER_CA_STORE="n"
I see this is not clear from our documentation.

I'll see to it that it gets added.

Best Regards,
Juan Carlos Tello
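The whole unattended sequence from this thread (gmake deps, gmake TARGET=agent, a preloaded-vars file that answers every prompt including the USER_CA_STORE one that the documentation did not list, then install.sh) collected into one script. This is an added example, not code from the thread or from the Wazuh project. It assumes the unpacked source tree is in $WRKSRC, that gmake is on PATH, that install.sh reads etc/preloaded-vars.conf from the top of that tree, and a manager address of 127.0.0.1 unless MANAGER_IP is set; the build only runs when RUN_BUILD=1, so the helper functions can be sourced and checked on their own.

```shell
#!/bin/sh
# Added example, not code from the thread or the Wazuh project: build the
# agent and run install.sh with every prompt answered from a file, the way
# a FreeBSD port's do-build/do-install targets would. Assumptions: the
# unpacked source tree is $WRKSRC, gmake is on PATH, and install.sh reads
# etc/preloaded-vars.conf from the top of that tree.
set -eu

# Write etc/preloaded-vars.conf into the source tree ($1). $2 is the
# manager address the agent will report to. USER_CA_STORE="n" answers the
# WPK certificate prompt that the other variables leave open, and
# USER_AUTO_START="n" stops the installer from starting the daemon.
write_preloaded_vars() {
    src="$1"; manager="$2"
    mkdir -p "$src/etc"
    cat > "$src/etc/preloaded-vars.conf" <<EOF
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/usr/local/ossec"
USER_DELETE_DIR="n"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_OPENSCAP="y"
USER_ENABLE_SYSCOLLECTOR="y"
USER_ENABLE_SECURITY_CONFIGURATION_ASSESSMENT="y"
USER_ENABLE_AUTHD="y"
USER_GENERATE_AUTHD_CERT="n"
USER_UPDATE="n"
USER_AGENT_SERVER_IP="$manager"
USER_CREATE_SSL_CERT="n"
USER_CA_STORE="n"
USER_AUTO_START="n"
EOF
}

# Read one USER_* value back out of the file ($1 file, $2 variable name),
# so a port can assert the file is complete before handing it to install.sh.
preloaded_var() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Fail if any variable that would otherwise trigger a prompt is unset.
check_preloaded_vars() {
    for key in USER_INSTALL_TYPE USER_DIR USER_AGENT_SERVER_IP USER_CA_STORE USER_AUTO_START; do
        if [ -z "$(preloaded_var "$1" "$key")" ]; then
            echo "$key missing from $1" >&2
            return 1
        fi
    done
    return 0
}

# The build itself: compile in src/ as in the thread, then run the installer,
# which now finds every answer in preloaded-vars.conf and never prompts.
build_and_install_agent() {
    src="$1"
    check_preloaded_vars "$src/etc/preloaded-vars.conf"
    (cd "$src/src" && gmake deps && gmake TARGET=agent PREFIX=/usr/local/ossec)
    (cd "$src" && sh ./install.sh)
}

# Only touch the real tree when asked, so the helpers can be sourced and tested.
if [ "${RUN_BUILD:-0}" = "1" ]; then
    write_preloaded_vars "${WRKSRC:?WRKSRC must point at the unpacked source}" "${MANAGER_IP:-127.0.0.1}"
    build_and_install_agent "$WRKSRC"
fi
```

Run it as `RUN_BUILD=1 WRKSRC=/path/to/wazuh MANAGER_IP=10.0.0.2 sh build-agent.sh`. Note that USER_AUTO_START="n" only stops the post-install start of the daemon: install.sh still registers the agent in the boot sequence (on FreeBSD by editing rc.local, as the thread goes on to discuss), and this script does not suppress that, which is why the port ended up patching init.sh instead.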

Michael Muenz

May 14, 2019, 1:26:32 AM
to Wazuh mailing list
Hi Carlos,

thanks for also jumping in. :)
I think there is one last thing which will be rejected by FreeBSD core:

 - Init script modified to start Wazuh during boot.

Adding a command to rc.local is some kind of a Linux hack.
Is there a way to prevent this?

I'll write a small rc script and patch it into the port to make it FreeBSD compliant.

Michael

Michael Muenz

May 15, 2019, 12:54:11 AM
to Wazuh mailing list
I added a patch to init.sh so it doesn't detect FreeBSD and therefore doesn't add the rc.local stuff.
The port is already submitted.

Juan Carlos

May 16, 2019, 5:32:49 AM
to Wazuh mailing list
Hi Michael,

Thank you very much for that submission, I'm sure the Wazuh/FreeBSD community will benefit from it in the future.

Don't hesitate to write if you have any more questions or comments.

Best Regards,
Juan Carlos

Michael Muenz

May 18, 2019, 1:59:15 AM
to Wazuh mailing list
Hi,

Seems I have to get back to you :)
The FreeBSD folks complain that install.sh loads files from your server during the build process.
Are those files patched versions, or are they just mirrored on your server?
If they are just a mirror, I need to patch install.sh to not load these and fetch them from the official repo as a dependency.

Best,
Michael

Daniel Moreno

May 21, 2019, 9:08:08 AM
to Wazuh mailing list

Indeed, we included 3rd-party sources in the Wazuh code (folder src/external).

However, this folder grew too much (about 115 MB!), we were not interested in versioning that software, and that's why we put it in another repo.

In other words, we intend that downloading the Wazuh source means getting both the core software (from GitHub) and the 3rd-party libraries (from packages.wazuh.com):


git clone + make deps


I'm sorry I don't know how ports work.

If the source code must be saved, you can store the sources after running make deps.

If it's mandatory to get the sources in one command, maybe we could consider storing the sources plus the 3rd party in our packages repo.

This answer comes from our Slack's community thread. It is reflected here in order to help someone with the same question.

Regards.
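The reason the ports people object to make deps fetching the third-party tree from packages.wazuh.com is that a port's distfiles are downloaded in the fetch stage and checked against the port's distinfo (a SHA256 and a SIZE line per file) before anything is unpacked, whereas a download that happens inside the build has no recorded digest at all and is extracted and compiled as-is. The check the framework performs, written out as an added example that is neither Wazuh nor ports-framework code: it reads a ports-style distinfo and verifies a downloaded tarball against it, rejecting a size change, a content change, and a file with no entry. The distfile name, the TIMESTAMP value and the three-byte stand-in "tarball" are constructed for the demo; the digest in it is the SHA-256 of the string abc.

```shell
#!/bin/sh
# Added example, not Wazuh or FreeBSD ports code: verify a downloaded
# third-party tarball against a ports-style distinfo before unpacking it.
set -eu

# SHA-256 of a file: sha256sum (Linux), sha256 (FreeBSD) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Size in bytes, without GNU- or BSD-specific stat flags.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Look up one field for one distfile. distinfo lines have the shape
#   SHA256 (name.tar.gz) = <64 hex chars>
#   SIZE (name.tar.gz) = <bytes>
# so field $1 is the kind, $2 is "(name)" and $4 is the value.
distinfo_field() {
    # $1 distinfo path, $2 field name (SHA256 or SIZE), $3 distfile name
    awk -v field="$2" -v name="($3)" \
        '$1 == field && $2 == name { print $4 }' "$1"
}

# Verify one distfile: both the recorded size and digest must match, and
# a file with no distinfo entry is rejected rather than waved through.
verify_distfile() {
    # $1 distinfo path, $2 directory holding the distfile, $3 distfile name
    want_sum=$(distinfo_field "$1" SHA256 "$3")
    want_size=$(distinfo_field "$1" SIZE "$3")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "$3: no distinfo entry" >&2
        return 1
    fi
    if [ ! -f "$2/$3" ]; then
        echo "$3: missing" >&2
        return 1
    fi
    if [ "$(size_of "$2/$3")" != "$want_size" ]; then
        echo "$3: size mismatch" >&2
        return 1
    fi
    if [ "$(sha256_of "$2/$3")" != "$want_sum" ]; then
        echo "$3: SHA256 mismatch" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a three-byte stand-in for the external tarball whose
# SHA-256 (that of the string "abc") is known, then the same file tampered
# with so that the size still matches and only the digest catches it.
demo() {
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/wazuh-external.tar.gz"
    cat > "$tmp/distinfo" <<EOF
TIMESTAMP = 1557782400
SHA256 (wazuh-external.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (wazuh-external.tar.gz) = 3
EOF
    verify_distfile "$tmp/distinfo" "$tmp" wazuh-external.tar.gz && echo "pristine: accepted"
    printf 'abd' > "$tmp/wazuh-external.tar.gz"
    verify_distfile "$tmp/distinfo" "$tmp" wazuh-external.tar.gz || echo "tampered: rejected"
    rm -rf "$tmp"
}
demo
```

For a port this means the third-party tarball has to become a second DISTFILES entry with its own SHA256 and SIZE lines, so that whatever make deps would have fetched is pinned at the moment the port is committed; a later silent change to the file on packages.wazuh.com then fails the fetch stage instead of ending up in the built package.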
