Wazuh Commands not working


Pradeep

Jan 31, 2023, 10:56:59 AM
to Wazuh mailing list
Hi Team,

On running this curl command
curl --location --request PUT 'https://<IP>:55000/active-response?agents_list=405&pretty=true&wait_for_complete=true' \
--data-raw '{
    "command": "test-comm"
}'

We are getting this error on wazuh-agent
wazuh-execd: ERROR: (1311): Invalid command name 'test-comm' provided.

We already have mentioned this command in wazuh manager (ossec.conf):-
<command>
    <name>test-comm</name>
    <executable>pradeep.py</executable>
</command>

and stored this command in the wazuh manager at '/var/ossec/active-response/bin'.
We don't know if this command will replicate to the agent on its own or not, so we stored this command on the wazuh agent as well, at '/var/ossec/active-response/bin'.

Kindly help us to resolve this issue.

Thanks,
Pradeep


Francisco Tuduri

Jan 31, 2023, 11:14:59 AM
to Wazuh mailing list
Hello Pradeep!
Could you tell me what your Wazuh version is?
Also, can you check the file permissions of the files at /var/ossec/active-response/bin: ls -l /var/ossec/active-response/bin
Regards!

Pradeep

Jan 31, 2023, 11:18:26 AM
to Wazuh mailing list
Hi Team,

To change the script permission I used:
chmod 750 pradeep.py
chown root:wazuh pradeep.py
-rwxr-x--- 1 root wazuh 16672 Oct  6 14:26 npf
-rwxr-x--- 1 root wazuh 16784 Oct  6 14:26 pf
-rwxr-x--- 1 root wazuh    20 Jan 31 15:28 pradeep.py
-rwxr-x--- 1 root wazuh 15384 Oct  6 14:26 restart-wazuh
-rwxr-x--- 1 root wazuh   695 Oct  6 14:26 restart.sh

and our wazuh version is: {"WAZUH_VERSION":"v4.3.9"}

Francisco Tuduri

Jan 31, 2023, 1:15:29 PM
to Wazuh mailing list
There are two configurations that must be set for active response. Did you configure the active-response block? Can you please share that configuration?
Thanks!

Pradeep

Feb 1, 2023, 2:12:11 AM
to Wazuh mailing list
Hi Francisco,

We are just trying to run a command from the Wazuh API using the command name, which only requires adding the command configuration, as I mentioned in my first message.
Kindly look into this.

Thanks!

Pradeep

Feb 1, 2023, 2:15:29 AM
to Wazuh mailing list
<active-response>
  <disabled>no</disabled>
  <command>test-comm</command>
  <location>defined-agent</location>
  <agent_id>405</agent_id>
  <level>1</level>
</active-response>

Added this block as well for testing, but the same result: no response, and on a manual run 'wazuh-execd: ERROR: (1311): Invalid command name 'test-comm' provided.'

Francisco Tuduri

Feb 1, 2023, 9:53:43 AM
to Wazuh mailing list
Hello Pradeep!

Ok, I see.
I've been testing this successfully, and these are the steps that I've done:

On the manager:
<command>
    <name>test-comm</name>
    <executable>pradeep.py</executable>
</command>

<active-response>
  <command>test-comm</command>
  <location>local</location>
</active-response>

  • restart the manager
  • list the available active responses:

 root@jammy:/var/ossec/bin# ./agent_control -L

Wazuh agent_control. Available active responses:

   Response name: test-comm0, command: pradeep.py

 Note the name of the command: test-comm0

On the agents:
  • copy your script to /var/ossec/active-response/bin
  • make sure it belongs to root:wazuh, just like all the other files on that folder.
  • On the ossec.conf file just make sure that active response is enabled:
  <active-response>
    <disabled>no</disabled>
  </active-response>

  • Optionally, you might want to enable the debug mode for execd, by adding the following to /var/ossec/etc/local_internal_options.conf (you should disable debug mode after troubleshooting):
execd.debug=2
  • Restart the agent if you made any changes to any of these config files.


Now to make the API call we have to use the name shown by agent_control: test-comm0 in this case:

PUT /active-response?agents_list=003
{
"command":"test-comm0"
}


And the log on agent 003 shows:

2023/02/01 14:40:54 wazuh-execd[12536] execd.c:484 at ExecdStart(): DEBUG: Executing command 'active-response/bin/pradeep.py {"version":1,"origin":{"name":null,"module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{},"program":"active-response/bin/pradeep.py"}}'


Let me know if this works for you.
Regards!
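The execd debug line above shows the JSON message that wazuh-execd hands to the active-response script (version, origin, command "add", parameters with program, extra_args and alert). The following is an added example of what a script such as pradeep.py can do with that message; it is not code from the thread or from Wazuh. It assumes, as in Wazuh 4.x, that the message arrives on the script's stdin, and the log file path /var/ossec/logs/active-responses.log is an assumption used only for illustration. The embedded sample message is the one quoted in the log line above.

```python
#!/usr/bin/env python3
"""Minimal active-response script: parse the execd message, validate it, log what was asked.

Added example for the thread, not the original pradeep.py and not Wazuh project code.
"""
import datetime
import json
import sys

# Assumption: conventional location for active-response script output on an agent.
LOG_FILE = "/var/ossec/logs/active-responses.log"

# Constructed sample: the message quoted in the execd DEBUG line in the thread.
SAMPLE_MESSAGE = (
    '{"version":1,"origin":{"name":null,"module":"wazuh-execd"},'
    '"command":"add","parameters":{"extra_args":[],"alert":{},'
    '"program":"active-response/bin/pradeep.py"}}'
)

ALLOWED_COMMANDS = ("add", "delete")


def parse_message(raw: str) -> dict:
    """Decode and validate the JSON execd sends; raise ValueError on anything unexpected.

    A script that blindly trusts its input is a script that can be driven into doing
    something unintended, so reject unknown versions and commands up front.
    """
    msg = json.loads(raw)
    if msg.get("version") != 1:
        raise ValueError("unsupported message version: %r" % msg.get("version"))
    command = msg.get("command")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unexpected command: %r" % command)
    params = msg.get("parameters") or {}
    origin = msg.get("origin") or {}
    return {
        "command": command,
        "module": origin.get("module"),
        "program": params.get("program"),
        "extra_args": list(params.get("extra_args") or []),
        "alert": params.get("alert") or {},
    }


def describe(parsed: dict) -> str:
    """Build the single log line this script records for the request."""
    rule_id = parsed["alert"].get("rule", {}).get("id", "-")
    return "%s program=%s from=%s rule=%s extra_args=%s" % (
        parsed["command"],
        parsed["program"],
        parsed["module"],
        rule_id,
        ",".join(parsed["extra_args"]) or "-",
    )


def run(raw: str) -> str:
    """Parse one message and return the log line; 'delete' is a no-op for a stateless command."""
    parsed = parse_message(raw)
    line = describe(parsed)
    if parsed["command"] == "add":
        # Real work (block, notify, collect evidence) would go here.
        pass
    return line


if __name__ == "__main__":
    try:
        log_line = run(sys.stdin.read())
    except (ValueError, json.JSONDecodeError) as exc:
        log_line = "rejected: %s" % exc
    stamp = datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    with open(LOG_FILE, "a") as fh:
        fh.write("%s pradeep.py: %s\n" % (stamp, log_line))
```

Because the validation is separated from the side effect, the same script can be exercised off the agent by piping the sample message into it (echo "$SAMPLE" | python3 pradeep.py), which is the quickest way to confirm that the script, and not the execd naming, is what is failing.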

Pradeep

Feb 2, 2023, 6:28:30 AM
to Wazuh mailing list
Hello Francisco,
It's working now. Thank you so much.

The issue was with the trailing 0 in the command name, which we had to find first through the agent_control list.
But I guess it will now be a little hectic for us, as we will have to find the response name of the command first before running it manually.

One more thing we need help with from your side: can you tell us whether it is possible to run a command on multiple agents at once?
For example:
<location>defined-agent</location>
<agent-list>001,002</agent-list>

Using 'local' will run the command on all agents, and currently 'defined-agent' only allows a single entry.

Thanks!

Francisco Tuduri

Feb 2, 2023, 7:58:54 AM
to Wazuh mailing list
Hi Pradeep!
Nice to see that it is working now.

About the internal naming of the AR command, I looked into it a little more: the internal name is just the name of the command and the timeout.
If the command is stateless (i.e. <timeout_allowed>no</timeout_allowed> in the command block) it has no timeout, so the name will always have a 0 appended to it.
If the command is stateful (i.e. <timeout_allowed>yes</timeout_allowed>) the name will have the value of the timeout (of the active-response block) appended to it.

So, if your commands don't use a timeout you should always append a 0 to the name of the command when you make the API call.


About sending a command to multiple agents, you can add multiple agents in the parameter agents_list of the API query: https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Active-response
For example:
?agents_list=002,003

Regards!
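The naming rule in the reply above (command name plus the timeout, 0 for a stateless command) and the comma-separated agents_list parameter together determine what the API call has to contain. The following is an added example, not code from the thread or from Wazuh, that derives the internal response names from an ossec.conf fragment and assembles the matching API request. The sample configuration is constructed: test-comm is the command from the thread, and test-timeout is a made-up second command used only to show the stateful case; the behaviour when timeout_allowed is yes but the active-response block has no <timeout> is not stated in the thread, and the code's fallback to 0 there is an assumption.

```python
"""Derive Wazuh active-response internal names and build the matching API request.

Added example for the thread; not Wazuh project code.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample configuration. test-comm is from the thread;
# test-timeout is an invented stateful command for illustration only.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>test-comm</name>
    <executable>pradeep.py</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>test-timeout</name>
    <executable>test-timeout.sh</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command> test-comm</command>
    <location>local</location>
  </active-response>
  <active-response>
    <command>test-timeout</command>
    <location>local</location>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def _text(element, tag, default=""):
    """Return the stripped text of a child tag, or default when absent."""
    child = element.find(tag)
    return (child.text or "").strip() if child is not None else default


def internal_response_names(conf_xml: str) -> dict:
    """Map each <active-response> command to the name agent_control -L would list.

    Rule from the thread: stateless command (timeout_allowed=no) -> name + "0";
    stateful command -> name + the <timeout> of the active-response block.
    Assumption: a stateful command with no <timeout> also gets "0".
    Whitespace inside <command> is stripped, matching the " test-comm" case from the thread.
    """
    root = ET.fromstring(conf_xml)
    timeout_allowed = {
        _text(cmd, "name"): _text(cmd, "timeout_allowed", "no").lower() == "yes"
        for cmd in root.findall("command")
    }
    names = {}
    for ar in root.findall("active-response"):
        cmd_name = _text(ar, "command")
        if cmd_name not in timeout_allowed:
            raise ValueError("active-response references unknown command %r" % cmd_name)
        timeout = _text(ar, "timeout", "0") if timeout_allowed[cmd_name] else "0"
        names[cmd_name] = cmd_name + timeout
    return names


def build_api_request(base_url: str, agent_ids, internal_name: str) -> tuple:
    """Return (url, json_body) for PUT /active-response with a comma-separated agents_list."""
    query = urlencode({
        "agents_list": ",".join(agent_ids),
        "pretty": "true",
        "wait_for_complete": "true",
    }, safe=",")
    body = json.dumps({"command": internal_name})
    return base_url.rstrip("/") + "/active-response?" + query, body


if __name__ == "__main__":
    resolved = internal_response_names(SAMPLE_CONF)
    url, body = build_api_request("https://<IP>:55000", ["002", "003"], resolved["test-comm"])
    print("curl --location --request PUT '%s' --data-raw '%s'" % (url, body))
```

Running the module prints the curl invocation with the resolved name, which removes the manual agent_control -L lookup step that the previous reply found inconvenient: the name is read from the same ossec.conf that the manager uses.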

Pradeep

Feb 3, 2023, 6:23:12 AM
to Wazuh mailing list

Hello Francisco,

I have tried the same with the Wazuh API, but we want to do the same by adding an active-response block in the config file of the wazuh manager.

Thanks!

Francisco Tuduri

Feb 3, 2023, 2:48:31 PM
to Wazuh mailing list
Hello Pradeep!

I believe the simplest way to execute that active response to multiple agents through the API is using the agents_list. Keep in mind that the Active Response functionality is designed to execute a script in response to the triggering of specific alerts based on the alert level or rule group.
I am not sure what your use case is. If the problem with using agents_list is getting the list of agents, you may consider putting all the target agents in a group and creating a script with multiple API calls: first, one call to get all the agents in that group (with this API call) and then, with that information, execute the active response API call with the full agents_list.

Another option, depending on your use case, is to look into the Wodle Command that allows executing commands on agents; it has several scheduling options and can also be centrally configured.
Here is a blog post that explains a little more about how this works.

Regards!

Pradeep

Feb 8, 2023, 1:20:42 AM
to Wazuh mailing list
Hello Francisco,

I have a use case for specifying an active response on multiple agents (comma separated) and also on a group (separately) without using the Wazuh API.
I want to know what configuration we need to set in the conf file for the above.
I do not want to do it using the API.
I want to know what changes are made at the backend or what configuration of Active Response is added when we do the above using API.

Thanks!


Francisco Tuduri

Feb 9, 2023, 10:08:54 AM
to Wazuh mailing list
Hello Pradeep!

At this moment it is not possible to configure an active response to be executed on a group of agents.
Here are a couple of relevant issues on Wazuh's repository that might be of interest to you. You can subscribe to them to get notified about any news, and feel free to comment on them to add your thoughts and/or show interest in those features:
Another option to launch an active response is using the command line tool agent_control:

# ./agent_control -f test-comm0 -u 003 -b 0.0.0.0
(The script can ignore the sent IP address, but that parameter is required by this tool)

Here is the code that sends that message.

The recommended way to launch the active response on demand is through API calls. The API has cluster support so it can send the messages to any agent of the cluster, whereas the agent-control tool only works with the agents that are directly connected to the manager used.

Regards!