Reg: Detecting Log4j

[Vaijnath M]

Hello Team ,

I have followed this link :

https://wazuh.com/blog/detecting-log4shell-with-wazuh/ 

but unfortunately I am unable to view log4j dependency check feature on my dashboard 

Please help.

Thanks,

Vaijnath

[Sebastian Dario Bustos]

Hello Vaijnath,

Thank you for using Wazuh!!!

Can you please check that the parameter sca.remote_commands is set to "1" on the agent's local_internal_options.conf file?  on Linux agents this can be located on /var/ossec/etc/local_internal_options.conf and on Windows agents this can be found on C:\Program Files(x86)\ossec-agent\local_internal_options.conf. After this is modified please restart the agent with the command "systemctl restart wazuh-agent" or "service wazuh-agent restart" (depending on your Linux distro) or using the Wazuh agent's GUI (ran as administrator).

You may also check that the new policy on the manager has the proper ownership with the command "ls -l /var/ossec/etc/shared/default/log4j_check.yml"  in case you placed the policy for the default group (All the agents by default belong to this group) or modify the path to match your desired group. The ownership must be set to "ossec:ossec".

Then you may force a SCA scan by restarting the Wazuh manager service with the command "systemctl restart wazuh-manager" or "service wazuh-manager restart". Please monitor your SCA events after this.

Please let me know.

Thank you.

[Vaijnath M]

Hi ,

I have tried all the above mentioned options but no luck, I am using Wazuh-4.0.3-1.

I am running this as a POC in my MAC laptop as Docker containers.

Thanks,

Vaijnath

[Vaijnath M]

I am getting this message in the agent 

sca: INFO: Skipping policy '/var/ossec/etc/shared/log4j_check.yml': 'Check if Java is present on the machine'

On Monday, February 7, 2022 at 4:14:13 PM UTC-5 sebastia...@wazuh.com wrote:

[Sebastian Dario Bustos]

Hello Vaijnath,

Did you check the Java VM on the agent  system?
Please make sure Java is installed, can you provide the OS distribution of the agent so I can provide further commands to check?
Perhaps there are some missing JAVA paths.

Let me know.

[Vaijnath M]

Hi ,

Thank you for mailing back.

My agent operating system is Centos:7.9.2009 and Wazuh-agent is 4.0.3-1 .

Yes I have installed Java on the Docker container with yum install java command.

root@/]# java -version

openjdk version "1.8.0_322"

OpenJDK Runtime Environment (build 1.8.0_322-b06)

OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)

Thanks,

Vaijnath

[Sebastian Dario Bustos]

Hello Vaijnath,

This SCA policy checks for a running JAVA process to perform the scan.
Basically runs this:
sh -c "ps aux | grep java | grep -v grep"

Which should return "java" in the result.

So since any java process is not running on that agent the policy is not executed, when you run a service that uses java on that agent then the policy will run.

Regards.

[Vaijnath M]

Hi ,

Thank you for the response.

Yes I have installed the java in the docker container as I have mentioned in my past email.

Yes I have run this command and got the result java.but still I am having the issue.

sh -c "ps aux | grep java | grep -v grep"

root@/]# java -version

openjdk version "1.8.0_322"

OpenJDK Runtime Environment (build 1.8.0_322-b06)

OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)

Let me try to install any application/service based on the JAVA.will email you back once I have tried installing the java based service

Thanks,

Vaijnath