New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release 4.3.6 - Release Candidate 1 - E2E UX tests - Vulnerability Detector #3106

Closed

9 of 10 tasks

damarisg opened this issue Jul 15, 2022 · 4 comments

Closed

9 of 10 tasks

Release 4.3.6 - Release Candidate 1 - E2E UX tests - Vulnerability Detector #3106

damarisg opened this issue Jul 15, 2022 · 4 comments

Assignees

Labels

dev-testing feature/vuln-detector

Milestone

Release 4.3.6 RC-1

Member

damarisg commented Jul 15, 2022 •

edited by jmv74211

Description

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information


Test name	Vulnerability detection
Category	Vulnerability detection
Deployment option	Quickstart
Main release issue	wazuh/wazuh#14260
Release candidate #	RC1

Components	Instalation	OS
Wazuh Indexer	Quickstart	Amazon Linux 2
Wazuh Dashboard	Quickstart	Amazon Linux 2
Wazuh Server	Quickstart	Amazon Linux 2
Wazuh agent	Installation from sources	Amazon Linux, Arch Linux, CentOS, Ubuntu, Windows

Tasks

Use the new UI for vulnerabilities.

Install vulnerable package to force an alert.

Patch or uninstall vulnerable packe to force a "solved" alert.

References

Color	Status
🟢	All tests passed successfully
🟡	All tests passed but there are some warnings
🔴	Some tests have failures or errors
🔵	Test execution in progress
⚫	To Do
🟠	Jenkins provision fails
🟣	All skipped

Conclusions 🟢

Comment

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

damarisg added team/qa dev-testing feature/vuln-detector labels

damarisg mentioned this issue

Release 4.3.6 - Release Candidate 1 - E2E UX tests wazuh/wazuh#14260

Closed

1 task

damarisg assigned CamiRomero and damarisg

jmv74211 added this to the Release 4.3.6 RC-1 milestone

jmv74211 removed the status/not-tracked label

damarisg assigned QU3B1M and unassigned CamiRomero

Member Author

damarisg commented Jul 19, 2022 •

edited

General Setting in the manager

Configure ossec.conf file required.

Configuration to test Amazon Linux

The <vulnerability-detector> must have:

<enabled>yes</enabled>
<interval>30s</interval>
<min_full_scan_interval>1m</min_full_scan_interval>
<run_on_start>yes</run_on_start>

<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
  <enabled>yes</enabled>
  <os>amazon-linux</os>
  <os>amazon-linux-2</os>
  <update_interval>1h</update_interval>
</provider>

<!-- Windows OS vulnerabilities -->
<provider name="msu">
  <enabled>yes</enabled>
  <update_interval>1h</update_interval>
</provider>

<!-- Aggregate vulnerabilities -->
<provider name="nvd">
  <enabled>yes</enabled>
  <update_from_year>2017</update_from_year>
  <update_interval>1h</update_interval>
</provider>

Configuration to test CentOS

The <vulnerability-detector> must have:

<enabled>yes</enabled>
<interval>30s</interval>
<min_full_scan_interval>1m</min_full_scan_interval>
<run_on_start>yes</run_on_start>

<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
  <enabled>yes</enabled>
  <os>5</os>
  <os>6</os>
  <os>7</os>
  <os>8</os>
  <os>9</os>
  <update_interval>1h</update_interval>
</provider>

<!-- Windows OS vulnerabilities -->
<provider name="msu">
  <enabled>yes</enabled>
  <update_interval>1h</update_interval>
</provider>

<!-- Aggregate vulnerabilities -->
<provider name="nvd">
  <enabled>yes</enabled>
  <update_from_year>2017</update_from_year>
  <update_interval>1h</update_interval>
</provider>

Configuration to test Ubuntu

The <vulnerability-detector> must have:

<enabled>yes</enabled>
<interval>30s</interval>
<min_full_scan_interval>1m</min_full_scan_interval>
<run_on_start>yes</run_on_start>

<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
  <enabled>yes</enabled>
  <os>trusty</os>
  <os>xenial</os>
  <os>bionic</os>
  <os>focal</os>
  <os>jammy</os>
  <update_interval>1h</update_interval>
</provider>

<!-- Windows OS vulnerabilities -->
<provider name="msu">
  <enabled>yes</enabled>
  <update_interval>1h</update_interval>
</provider>

<!-- Aggregate vulnerabilities -->
<provider name="nvd">
  <enabled>yes</enabled>
  <update_from_year>2017</update_from_year>
  <update_interval>1h</update_interval>
</provider>

Configuration to test Windows

The <vulnerability-detector> must have:

<enabled>yes</enabled>
<interval>30s</interval>
<min_full_scan_interval>1m</min_full_scan_interval>
<run_on_start>yes</run_on_start>

<!-- Windows OS vulnerabilities -->
<provider name="msu">
  <enabled>yes</enabled>
  <update_interval>1h</update_interval>
</provider>

<!-- Aggregate vulnerabilities -->
<provider name="nvd">
  <enabled>yes</enabled>
  <update_from_year>2017</update_from_year>
  <update_interval>1h</update_interval>
</provider>

Configuration to test Arch Linux

The <vulnerability-detector> must have:

<enabled>yes</enabled>
<interval>30s</interval>
<min_full_scan_interval>1m</min_full_scan_interval>
<run_on_start>yes</run_on_start>

<!-- Arch OS vulnerabilities -->
<provider name="arch">
  <enabled>yes</enabled>
  <update_interval>1h</update_interval>
</provider>

<!-- Windows OS vulnerabilities -->
<provider name="msu">
  <enabled>yes</enabled>
  <update_interval>1h</update_interval>
</provider>

<!-- Aggregate vulnerabilities -->
<provider name="nvd">
  <enabled>yes</enabled>
  <update_from_year>2017</update_from_year>
  <update_interval>1h</update_interval>
</provider>

Configure local_internal_option.conf file with:

wazuh_modules.debug=2
monitord.rotate_log=0
Connect the agent with the manager.
Start the Wazuh manager and agent.
Verify that each module works successfully with /var/ossec/bin/wazuh-control status command:

Manager

wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Agent

wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Member Author

damarisg commented Jul 19, 2022 •

edited

Fresh Install: Patch the vulnerable package to force a "solved" alert. 🟢

Patch the vulnerable package to force a "solved" alert. 🟢

Amazon Linux

The libcurl alert generated is shown on Dashboard.
Patch the vulnerable package to force a "solved" alert.

yum install libcurl
Restart the agent
The alert solved generated is shown on Dashboard.

Centos

The python alert generated is shown on Dashboard.
Patch the vulnerable package to force a "solved" alert.

yum install python
Restart the agent
The alert solved generated is shown on Dashboard.

Ubuntu

The curl alert generated is shown on Dashboard.
Patch the vulnerable package to force a "solved" alert.

apt install curl
Restart the agent
The alert solved generated is shown on Dashboard.

Windows

The Mozilla Firefox alert generated is shown on Dashboard.
Update the vulnerable package to force a "solved" alert.
Restart the agent
The alert solved generated is shown on Dashboard.

Uninstall the vulnerable package to force a "solved" alert. 🟢

Amazon Linux

The python27-pip alert generated is shown on Dashboard.
Uninstall the vulnerable package to force a "solved" alert.

yum remove python27-pip
Restart the agent
The alert solved generated is shown on Dashboard.

CentOS

The pyyaml alert generated is shown on Dashboard.
Uninstall the vulnerable package to force a "solved" alert.

yum remove PyYAML
Restart the agent
The alert solved generated is shown on Dashboard.

Windows

The Mozilla Firefox alert generated is shown on Dashboard.
Remove the vulnerable package to force a "solved" alert.
Restart the agent
The alert solved generated is shown on Dashboard.

Arch Linux

The perl alert generated is shown on Dashboard.
Remove the vulnerable package to force a "solved" alert.

pacman -Rdd perl
Restart the agent
The alert solved generated is shown on Dashboard.

Member Author

damarisg commented Jul 19, 2022 •

edited

Upgrade 4.3.5 to 4.3.6: Patch the vulnerable package to force a "solved" alert. 🟢

Upgrade Section

Check our manager with 4.3.6:

[root@ip-172-31-16-71 ec2-user]# /var/ossec/bin/wazuh-control info -v
v4.3.6
Check our agent with 4.3.5:

[root@ip-172-31-31-210 centos]# /var/ossec/bin/wazuh-control info -v
v4.3.5
Check status to agent and manager

Manager:

[root@ip-172-31-16-71 ec2-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Agent:

[root@ip-172-31-31-210 centos]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
Upgrade the agent to 4.3.6
Verify the correct version was install:

[root@ip-172-31-16-71 ec2-user]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.6"
WAZUH_REVISION="40318"
WAZUH_TYPE="server"

[root@ip-172-31-31-210 centos]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.6"
WAZUH_REVISION="40318"
WAZUH_TYPE="agent"
Restart manager and agent. Check status

Manager:

[root@ip-172-31-16-71 ec2-user]# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Agent:

[root@ip-172-31-31-210 centos]# /var/ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...

Centos - Patch the vulnerable package to force a "solved" alert.

The alert generated is shown on Dashboard.
Patch the vulnerable package to force a "solved" alert.

yum install curl
Restart the agent
The alert solved generated is shown on Dashboard.

Centos - Remove the vulnerable package to force a "solved" alert.

The alert generated is shown on Dashboard.
Patch the vulnerable package to force a "solved" alert.

yum remove freestyle
Restart the agent
The alert solved generated is shown on Dashboard.

Member Author

damarisg commented Jul 20, 2022 •

edited

Conclusion

After testing the cases, we can visualize the generated and resolved alerts with the new UI.
Also, we can see that once the vulnerable package is resolved, it disappears from the Inventory list.

Finally, I would like to clarify a doubt:

Why doesn't the content of the selected alert appear? Is it normal?

davidjiglesias closed this as completed

vikman90 mentioned this issue

Release 4.3.7 - Release Candidate 1 - E2E UX tests - Vulnerability Detector wazuh/wazuh#14683

Closed

10 tasks

damarisg mentioned this issue

Document onboarding and internal day-to-day processes #4240

Closed

7 tasks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment