Wazuh Rockylinux 8.5

[Alen Loncaric]

Dear,

we are testing wazuh for our organisation and we came across some issues on Rocky Linux 8.5.

We installed the agent and in the ruleset we had to change that agent recognizes the Rocky Linux. So that is fine.

The problem i have that i have more than 30 false positives. From very simple:

1. 6548 - Ensure updates, patches, and additional security software are installed

• c:yum check-update --security -> r:No packages needed for security
• Command output: 

            yum check-update --security
            Last metadata expiration check: 0:00:04 ago on Mon 09 May 2022 11:19:19 AM CEST.

2. All checks regarding Directory: /etc/audit/rules.d

    we use a single file where we added all the required lines, but it looks like that the agent is looking for that information to be present in all files not just the one. Is that the case ?

Is there a way to test particular rule on the client side ? To see why it fails ?

With kind regards,

[Alen Loncaric]

Additionaly a really strange false positive.

There is an instruction to disable ipv6 in grub, which makes some files regarding ipv6 disappear. Like:  cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory

For that reason the  6583 Ensure IPv6 router advertisements are not accepted is a failed. Also the rule regarding icmp etc etc...

Is there a way to check if these files do not exists we can assume that the policy for grub is applied?

ponedeljek, 9. maj 2022 ob 11:25:36 UTC+2 je oseba Alen Loncaric napisala:

[Jose Antonio Izquierdo]

Hi Alen, 

The problem with this SCA is that there is no Rocky Linux Policy yet. So you are getting false positives from the default Linux-based policy. 

We will create a Rocky Linux Policy using the CIS Rocky Linux 8 Benchmark v1.0.0 soon. Should be published with Wazuh v4.4.0.

Ping me if you need further details. 

[Alen Loncaric]

Dear Jose,

thank you for your feedback! As the centos is more short term not LTS as far as i understood, we are moving to the replacement ROCKY Linux and i see a lot of the guys in devops doing the same. Is there any timeframe for Wazuh 4.4 ? Or atleast some rocky like policy preview ?

With kind regards,

ponedeljek, 9. maj 2022 ob 11:45:51 UTC+2 je oseba jose.iz...@wazuh.com napisala:

[Alen Loncaric]

Oh also a question will wazuh 4.4 agent be installed somewhere else than /var ?

With kind regards,

Alen

ponedeljek, 9. maj 2022 ob 11:45:51 UTC+2 je oseba jose.iz...@wazuh.com napisala:

Hi Alen, 

[Jose Antonio Izquierdo]

Hi Alen, 

There is no release date for v4.4.0 yet. Also, the changelog is still to be defined, so we can't tell you if installing in a folder different than /var will be included. 

We will provide the SCA policy in our repo as soon as possible. We can't promise how much time it will take, but many people are moving to RL, as you said. 

Best regards, 

Jose.

[Samuel Steiner]

Hi, any updates on having full support for Rocky Linux 8?

[Jose Antonio Izquierdo]

Hi Samuel,

No ETA yet, we have SCA work in progress and Rocky Linux v8.x and v9.x (waiting for official CIS support on v9 versions) will take some time.

Here you have the main issue we use to track SCAs status for each OS - https://github.com/wazuh/wazuh/issues/14358

Thanks,

Jose.

[Alen Loncaric]

Hi all,

any progress ? Is there a light at the end of the tunnel ? 

With kind

ponedeljek, 24. oktober 2022 ob 11:51:08 UTC+2 je oseba jose.iz...@wazuh.com napisala: