Release 4.3.6 - Release Candidate 1 - E2E UX tests - File Integrity Monitoring #14266
Comments
Installing the Wazuh manager, dashboard, and indexer 🟢
Hardware and operating system
Talking about the installation process, and following the Quickstart documentation section, the three components (manager, indexer, and dashboard) will be installed in the same Ubuntu 22.04 instance.
Instance: Canonical, Ubuntu, 22.04 LTS, amd64 jammy image build on 2022-06-09
Following the Quickstart guide, the requirements for this test case are 4 vCPU, 8 GiB RAM, and 50 GB of storage.
Instance type: c5.xlarge - 4 vCPU, 8 GiB
Installation
Download and run the Wazuh installation assistant.
Note that in this case, as we want to install 4.3.6 and it is a pre-release version, we have to use the new wazuh-install.sh variables.
Installation, error found:
Checking /var/log/wazuh-install.log:
The error is due to the
After the change and installation:
Dashboard healthcheck:
Agents deployment 🟢
Using the WUI one-liner deployment.
Ubuntu 22.04 🟢
This is the command provided by the Wazuh UI. It won't work as the repository must be
After changing to the proper repo:
Agent properly installed:
Windows 7 🟢
One-liner:
As in the other cases, the URL needs to be changed:
Error found. I cannot install with the one-liner due to the fact that I am using Windows 7, which includes PowerShell v1.0 and v3.0 or greater is needed. Therefore, I will use the Windows installer: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html Again, the documentation page includes a link to the 4.3.5 package. I will use the https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.6-1.msi
MacOS 10.14 🟢
One-liner:
This time, I updated the URL before trying to deploy the agent to use the pre-release package. Starting the agent:
Agents review:
Test different FIM use cases for Windows, Linux, and macOS
1. MacOS X 🟢
1.1. whodata ⚪
1.2. report_changes 🟢
Added the following line to the syscheck configuration and changed the syscheck
Alerts: Add, Modify, Remove
WUI:
1.3. Inventory of files 🟢
2. Ubuntu 🟢
Added the following configuration to test whodata and report_changes:
<directories whodata="yes">/test_fim</directories>
<directories report_changes="yes" realtime="yes">/test_fim_report</directories>
Agent restarted.
2.1. whodata 🟢
The audit information was properly added to the alerts.
Alerts: Add, Modify, Remove
2.2. report_changes 🟢
Alerts: Add, Modify, Remove
WUI:
2.3. Inventory of files 🟢
3. Windows 🟢
Added the following configuration to test whodata and report_changes:
<directories whodata="yes">C:\Windows\testfim</directories>
<directories report_changes="yes" realtime="yes">C:\Windows\testfimreport</directories>
Agent restarted.
3.1. whodata 🟢
The audit information was properly added to the alerts.
Alerts: Add, Modify, Remove
3.2. report_changes 🟢
Alerts: Add, Modify, Remove
WUI:
3.3. Inventory of files 🟢
Proof of concept test 🟢
Check that these use cases still work for the current release under test:
Configuration 🟢
Added configurations to the Ubuntu agent and Windows agent. Agents restarted properly.
Query the alerts 🟢
Steps to generate the alerts: Create, remove, or modify a file in the monitored directories.
UBUNTU: files created, removed, and modified in
whodata working (/usr/bin) ✔️
tags working (/etc/cron.d) ✔️
recursion_level working (/home/ubuntu/example_home) ✔️
WINDOWS: file created, removed, and modified in
Alerts (JSON):
Alerts (WUI):
Blogpost 🟡
I have used the Ubuntu agent to replicate the use case.
Check that this blog post is still valid for the current release under test (suggest changes otherwise):
Step 1: Prepare the test environment 🟢
Agent configuration: <syscheck>
<directories check_all="yes" whodata="yes">/home/vagrant/test</directories>
</syscheck>
Agent restarted and ransomware file downloaded:
The files have been downloaded:
And the alerts generated:
Step 2: Simulating the attack 🟢
Wazuh successfully detected the events that are generated during the attack in this simulation. File deleted alert example:
Monitoring Wazuh alerts and setting up triggers 🟡
The blog post uses Opendistro references instead of OpenSearch. Already reported in wazuh/wazuh-documentation#5013. Apart from the already reported issue, the link https://opendistro.github.io/for-elasticsearch/features/alerting.html shown in the blog post shows an empty page. Apart from these issues, the monitor can be set easily in the OpenSearch Plugins > Alerting section of the WUI.
Added events monitor preview:
Monitor created and working (events added):
Monitor created and working (events deleted):
Monitors:
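Added example, not code from the issue or from the Wazuh project: a small Python triage pass over syscheck alerts in the shape the test cases above produce (rule ids 554/550/553, syscheck.event and syscheck.mode, the audit block that whodata adds, the diff that report_changes adds), showing which changes can be attributed to a user and process and which cannot. The sample alerts are constructed to that schema, not copied from the report; the function names and the FIM_RULE_EVENTS fallback table are this example's own.

```python
import json

# Constructed sample alerts (not copied from the issue): same layout as the
# syscheck alerts in the report, trimmed to the fields read below. The last
# one is not a FIM alert and must be ignored by the parser.
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2022-07-20T09:41:13.913+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"level": 5, "id": "554", "description": "File added to the system."},
     "syscheck": {"path": "/test_fim/test_fim_whodata.txt", "mode": "whodata", "event": "added",
                  "audit": {"login_user": {"name": "ubuntu"}, "effective_user": {"name": "root"},
                            "process": {"id": "18573", "name": "/usr/bin/vim.basic"}}}},
    {"timestamp": "2022-07-20T09:44:25.277+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"level": 7, "id": "550", "description": "Integrity checksum changed."},
     "syscheck": {"path": "/test_fim_report/test_fim_report.txt", "mode": "realtime",
                  "event": "modified", "changed_attributes": ["size", "mtime", "md5"],
                  "diff": "1c1\n< new\n---\n> testing report_changes\n"}},
    {"timestamp": "2022-07-20T09:43:19.837+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"level": 7, "id": "553", "description": "File deleted."},
     "syscheck": {"path": "/test_fim/test_fim_whodata.txt", "mode": "whodata", "event": "deleted",
                  "audit": {"login_user": {"name": "ubuntu"}, "effective_user": {"name": "root"},
                            "process": {"id": "18589", "name": "/usr/bin/rm"}}}},
    {"timestamp": "2022-07-20T09:50:00.000+0000", "agent": {"id": "003", "name": "macos1014"},
     "rule": {"level": 7, "id": "550", "description": "Integrity checksum changed."},
     "syscheck": {"path": "/test_fim/test_fim_report.txt", "mode": "scheduled",
                  "event": "modified", "changed_attributes": ["size", "md5"]}},
    {"timestamp": "2022-07-20T09:51:00.000+0000", "agent": {"id": "001", "name": "ubuntu-agent"},
     "rule": {"level": 3, "id": "5501", "description": "PAM: Login session opened."}},
])

# Fallback when syscheck.event is absent: the FIM rule ids seen in the report.
FIM_RULE_EVENTS = {"554": "added", "550": "modified", "553": "deleted"}


def parse_fim_alerts(text):
    """Return one normalised record per syscheck alert in a JSON-lines file; skip the rest."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live alerts.json can end with a partially written line
        sc = alert.get("syscheck")
        if not sc:
            continue
        audit = sc.get("audit") or {}
        proc = audit.get("process") or {}
        rule_id = alert.get("rule", {}).get("id")
        records.append({
            "ts": alert.get("timestamp", ""),
            "agent": alert.get("agent", {}).get("name", "?"),
            "path": sc.get("path", "?"),
            "event": sc.get("event") or FIM_RULE_EVENTS.get(rule_id, "unknown"),
            "mode": sc.get("mode", "scheduled"),
            "login_user": (audit.get("login_user") or {}).get("name"),
            "effective_user": (audit.get("effective_user") or {}).get("name"),
            "process": proc.get("name"),
            "pid": proc.get("id"),
            "diff": sc.get("diff"),
        })
    return records


def describe_actor(rec):
    """Only whodata alerts say who changed the file; realtime and scheduled
    alerts carry no audit block, so the change stays unattributed."""
    if rec["process"]:
        who = rec["login_user"] or "?"
        if rec["effective_user"] and rec["effective_user"] != who:
            who += f" (as {rec['effective_user']})"
        return f"{who} via {rec['process']} pid {rec['pid']}"
    return f"unattributed (mode={rec['mode']})"


def added_lines(diff):
    """Lines introduced by the change, taken from the report_changes diff
    (classic diff output, where '> ' prefixes lines of the new version)."""
    if not diff:
        return []
    return [l[2:] for l in diff.splitlines() if l.startswith("> ")]


def triage(records):
    """Findings a reviewer wants first: every deletion, every modification that
    could not be attributed to a process, and the content lines report_changes captured."""
    findings = []
    for rec in records:
        if rec["event"] == "deleted":
            findings.append(("deletion", rec["path"], describe_actor(rec)))
        elif rec["event"] == "modified" and not rec["process"]:
            findings.append(("unattributed_change", rec["path"], describe_actor(rec)))
        for text in added_lines(rec["diff"]):
            findings.append(("content_added", rec["path"], text))
    return findings
```

On a manager, the same pass runs over the real file with `triage(parse_fim_alerts(open("/var/ossec/logs/alerts/alerts.json").read()))`.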
The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.
Test information
Installation procedure
Wazuh indexer
Wazuh server
Wazuh dashboard
Wazuh agent (3 agents)
Test description
Test different FIM use cases for Windows, Linux, and macOS:
Check that these use cases still work for the current release under test:
https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html
Check that this blog post is still valid for the current release under test (suggest changes otherwise):
https://wazuh.com/blog/preventing-and-detecting-ransomware-with-wazuh/
Navigate through WUI - FIM section to ensure that data is accurate and updated when needed (inventory/alerts/dashboards)
Test report procedure
All test results must have one of the following statuses:
Any failing test must be appropriately addressed with a new issue, detailing the error and the possible cause.
An extended test results report must be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. The auditors can use this report to dig deeper into any possible failures and details.
Conclusions
All tests have been executed and the results can be found in the issue updates.
Auditors validation
The definition of done for this one is the validation of the conclusions and the test results from all auditors.
All checks from below must be accepted in order to close this issue.