
Release 4.3.7 - Release Candidate 1 - E2E UX tests - Configuration assessment #14662

Closed
1 task
matiasmoreno876 opened this issue Aug 17, 2022 · 3 comments
Labels: feed/sca (Security Configuration Assessment policies related issues), module/sca (Security Configuration Assessment module), release test/4.3.7 (Issues related to testing for 4.3.7), type/test/manual

matiasmoreno876 commented Aug 17, 2022

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Modules tests information

Main release candidate issue #14562
Main E2E UX test issue #14614
Version 4.3.7
Release candidate # RC1
Tag v4.3.7-rc1
Previous modules tests issue #14268

Installation procedure

Description

Validate issues reported from last E2E test

#5478
#13949
#14346

Validate changes from v4.3.0 to 4.3.7 (only if applicable)

#13893
#13905
#13781
#13950

Validate documentation consistency

https://documentation-dev.wazuh.com/4.3.7-rc/user-manual/capabilities/sec-config-assessment/index.html

Validate use case

https://documentation-dev.wazuh.com/4.3.7-rc/user-manual/capabilities/sec-config-assessment/use-case.html

Check Wazuh Dashboard SCA scan results

Test report procedure

All test results must have one of the following statuses:

🟢 Test went as expected.
🔴 Test fails and must be addressed.
🟡 Test meets the goal but some UX improvements must be addressed

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Conclusions

All tests have been executed and the results can be found in the issue updates.

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | Validate documentation consistency | Functional | |
| 🟢 | Validate issues reported from last E2E test | Documentation | Issue #5478 solved |
| 🟢 | Validate issues reported from last E2E test | Functional | Issue #13949 solved |
| | Validate issues reported from last E2E test | Functional | Issue #14346 open |
| | Validate changes from v4.3.0 to 4.3.6 | Functional | |
| | Validate documentation consistency | Documentation | |
| | Validate documentation consistency | Functional | |
| | Validate use case | Documentation | |

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

matiasmoreno876 added the labels module/sca, feed/sca, type/test/manual, release test/4.3.7 and team/frontend on Aug 17, 2022

Mayons95 commented Aug 18, 2022

Server install

Wazuh Manager stack on Ubuntu 22.04 🟢
Indexer installation 🟢 (screenshot)

Wazuh manager installation 🟢 (screenshot)

Filebeat status: 🟢 (screenshot)

Wazuh Dashboard 🟢 (screenshots)

Agent install

Wazuh Agent on Ubuntu 22.04 🟢

Agent v4.3.7 installation 🟢 (screenshot)

SCA

Changes from v4.3.0 to 4.3.7 ⚪
  • Not performed
Wazuh Dashboard SCA scan results 🔴

There are no SCA alerts generated on the SCA dashboard for Ubuntu 22.04.1, related issue: #14663
SCA - Module for Ubuntu 22.04.1 (screenshot)

Use case: Getting an alert when a check changes its result value ⚪
  • Not performed


matiasmoreno876 commented Aug 22, 2022

Prerequisites

Prepare Amazon Linux 2 environment

Steps to install Amazon Linux 2 on Virtual Box

Step 1
Step 2
  • Then, in order to obtain the second virtual machine, we are going to make a clone of it. We must take into account that when making the clone we would duplicate the IP and MAC addresses of the components; to avoid this, make the clone with the following values (screenshot):
  • Then, to modify the IP address, edit the following file: sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0, and then restart the network: systemctl restart network. For more information: How to configure a static IP address on CentOS 7 / RHEL 7

  • At this moment we have two virtual machines with the same hostname; this will generate a problem when registering the agent. To modify the hostname follow the next steps:

  1. View hostname: hostnamectl status or hostname -f
  2. Set new hostname:
# hostnamectl set-hostname geeklab    ## static
# hostnamectl set-hostname "Geeks LAB"   ## pretty
  3. Then restart. For more information: How to change hostname in CentOS/RHEL 7

Troubleshooting

Details

If inside the virtual machine you cannot connect to the internet try the following:

Configure the network from wifi to cable (screenshot)
Also try editing the following file
  • sudo nano /etc/resolv.conf
  • And add
nameserver   8.8.8.8
nameserver   8.8.4.4
  • Then restart the vm

To connect using ssh:

Edit the sshd_config file
  • sudo nano /etc/ssh/sshd_config
  • Add the following values
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Error when trying to connect via ssh
  • Error:
[user@hostname ~]$ ssh root@pong
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6e:45:f9:a8:af:38:3d:a1:a5:c7:76:1d:02:f8:77:00.
Please contact your system administrator.
Add correct host key in /home/hostname /.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:4
RSA host key for pong has changed and you have requested strict checking.
Host key verification failed.

Server install

Wazuh Manager stack on Amazon Linux 2 🟢
Indexer installation 🟢 (screenshots)

Wazuh manager installation 🟢 (screenshots)

Filebeat status: 🟢 (screenshot)

Wazuh Dashboard 🟢 (screenshots)

Agent install

Wazuh Agent on Amazon Linux 2 🟢
Agent v4.3.7 installation 🟢

For this test we used the one-liner command provided by the Wazuh dashboard WUI:

  • It was necessary to modify the command because the URL provided for version 4.3.7 is still in the pre-release state:
    - Provided:
    sudo WAZUH_MANAGER='wazuhmanager.com' WAZUH_AGENT_GROUP='default' yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.7-1.x86_64.rpm
    - Used:
    sudo WAZUH_MANAGER='wazuhmanager.com' WAZUH_AGENT_GROUP='default' yum install https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.3.7-1.x86_64.rpm

(screenshots)

SCA Amazon Linux 2

Changes from v4.3.0 to 4.3.7 🟢

Improve and update SCA documentation 🟢 (screenshots)

Ensure sticky bit is set on all world-writable directories. 🟢

Test references

  • Remove sticky bits from the /tmp directory:
chmod -t /tmp
  • Check expected SCA alert is generated (screenshot)

Ensure iptables are flushed with nftables 🟢

  • Install nftables
[root@vm_hostname_agent ec2-user]# yum install nftables
Failed to set locale, defaulting to C
Loaded plugins: langpacks, priorities, update-motd
amzn2-core                                                                                                                                                              | 3.7 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package nftables.x86_64 1:0.9.0-14.amzn2.0.1 will be installed
--> Processing Dependency: libnftnl.so.11(LIBNFTNL_11)(64bit) for package: 1:nftables-0.9.0-14.amzn2.0.1.x86_64
--> Processing Dependency: libnftnl.so.11()(64bit) for package: 1:nftables-0.9.0-14.amzn2.0.1.x86_64
--> Running transaction check
---> Package libnftnl.x86_64 0:1.1.5-4.amzn2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================
 Package                                    Arch                                     Version                                                Repository                                    Size
===============================================================================================================================================================================================
Installing:
 nftables                                   x86_64                                   1:0.9.0-14.amzn2.0.1                                   amzn2-core                                   252 k
Installing for dependencies:
 libnftnl                                   x86_64                                   1.1.5-4.amzn2                                          amzn2-core                                    75 k

Transaction Summary
===============================================================================================================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 327 k
Installed size: 895 k
Is this ok [y/d/N]: y
Downloading packages:
(1/2): libnftnl-1.1.5-4.amzn2.x86_64.rpm                                                                                                                                |  75 kB  00:00:01     
(2/2): nftables-0.9.0-14.amzn2.0.1.x86_64.rpm                                                                                                                           | 252 kB  00:00:01     
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                          172 kB/s | 327 kB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libnftnl-1.1.5-4.amzn2.x86_64                                                                                                                                               1/2 
  Installing : 1:nftables-0.9.0-14.amzn2.0.1.x86_64                                                                                                                                        2/2 
  Verifying  : libnftnl-1.1.5-4.amzn2.x86_64                                                                                                                                               1/2 
  Verifying  : 1:nftables-0.9.0-14.amzn2.0.1.x86_64                                                                                                                                        2/2 

Installed:
  nftables.x86_64 1:0.9.0-14.amzn2.0.1                                                                                                                                                         

Dependency Installed:
  libnftnl.x86_64 0:1.1.5-4.amzn2                                                                                                                                                              

Complete!

  • Flush iptables and ip6tables rules
iptables -F
ip6tables -F
  • Check that the control passes (screenshot)

Ensure XD/NX support is enabled. 🟢

Issue Ref

  • Disable the XD/NX support
grubby --update-kernel=ALL --args="noexec=off"
  • Reboot the host
  • Ensure new kernel parameters are correct:
[ec2-user@vm_hostname_agent ~]$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.14.287-215.504.amzn2.x86_64 root=UUID=b647fd93-92f7-450a-ba02-44a44bfb8999 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 noexec=off
  • Run SCA scan and check that check 20529 does not update as failed.
[root@vm_hostname_agent ec2-user]# journalctl | grep "protection: active" 
Aug 23 13:19:19 localhost kernel: NX (Execute Disable) protection: active
Aug 23 13:27:00 localhost kernel: NX (Execute Disable) protection: active
Aug 23 13:29:34 localhost kernel: NX (Execute Disable) protection: active
Aug 23 13:36:01 localhost kernel: NX (Execute Disable) protection: active
Aug 23 14:10:54 localhost kernel: NX (Execute Disable) protection: active
Aug 23 15:54:15 localhost kernel: NX (Execute Disable) protection: active
Aug 23 17:22:33 localhost kernel: NX (Execute Disable) protection: active
[root@vm_hostname_agent ec2-user]# journalctl -k --boot | grep "protection: "
Aug 23 20:18:15 localhost kernel: NX (Execute Disable) protection: disabled by kernel command line option
  • Enable the XD/NX support
grubby --update-kernel=ALL --args="noexec=on"

  • Reboot the host
  • Ensure new kernel parameters are correct:
[ec2-user@vm_hostname_agent ~]$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.14.287-215.504.amzn2.x86_64 root=UUID=b647fd93-92f7-450a-ba02-44a44bfb8999 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 noexec=on
  • And verify
[root@vm_hostname_agent ec2-user]#  journalctl -k | grep "protection: active"
Aug 23 20:40:39 localhost kernel: NX (Execute Disable) protection: active
[root@vm_hostname_agent ec2-user]# journalctl -k --boot | grep "protection: "
Aug 23 20:40:39 localhost kernel: NX (Execute Disable) protection: active


  • We try to corrupt the output of the journalctl command
sudo sh -c "journalctl | grep "protection: " | tail -1"
[root@vm_hostname_agent ec2-user]# sudo sh -c "journalctl | grep "protection: " | tail -1"
Aug 23 13:19:19 localhost kernel: NX (Execute Disable) protection: active
Aug 23 13:27:00 localhost kernel: NX (Execute Disable) protection: active
Aug 23 13:29:34 localhost kernel: NX (Execute Disable) protection: active
Aug 23 13:36:01 localhost kernel: NX (Execute Disable) protection: active
Aug 23 14:10:54 localhost kernel: NX (Execute Disable) protection: active
Aug 23 15:54:15 localhost kernel: NX (Execute Disable) protection: active
Aug 23 17:22:33 localhost kernel: NX (Execute Disable) protection: active
Aug 23 20:13:32 localhost kernel: NX (Execute Disable) protection: disabled by kernel command line option
Aug 23 20:18:15 localhost kernel: NX (Execute Disable) protection: disabled by kernel command line option
Aug 23 20:40:39 localhost kernel: NX (Execute Disable) protection: active
Aug 23 20:43:36 vm_hostname_agent sudo[4050]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh -c journalctl | grep protection:  | tail -1
  • Reboot the host (to run the SCA scan again)

  • And verify (screenshot)
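
The three controls exercised in this comment (sticky bit on world-writable directories, iptables flushed under nftables, XD/NX enabled) and the attempt to pollute the journal with a sudo entry containing "protection:" lend themselves to a stand-alone version of the checks. The shell below is an added example, not Wazuh's SCA engine or the CIS Amazon Linux 2 policy text (the exact rule expressions, including the command behind check 20529, are not quoted here and are assumed). Each control is a function over an explicit input so it can be run offline, and the kernel-log check is written the way a robust check should be: current boot only, anchored on the kernel message prefix, last match wins. The sample journal lines are constructed from the session above.

```shell
#!/bin/sh
# Added example; not Wazuh's SCA engine or policy text. Re-creates the three
# CIS controls exercised above as stand-alone checks so the "break, scan,
# fix, scan" cycle can be reproduced on any host. The rule expressions used
# by the real Wazuh policy are an assumption and are not copied here.

# 1. Sticky bit on world-writable directories.
#    Prints every directory under $1 that is world-writable (o+w) but lacks
#    the sticky bit. Empty output = pass. `chmod -t /tmp` makes /tmp appear.
world_writable_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# 2. XD/NX support.
#    Reads kernel-log lines on stdin and prints the LAST NX status the kernel
#    reported. Two details matter, both prompted by the tests above:
#    - anchor on the kernel message prefix, so a sudo log line whose COMMAND
#      happens to contain "protection: active" is never matched;
#    - take the last match, because `journalctl` without -b also returns
#      lines from earlier boots (the first grep in the thread shows seven).
#    On a live host feed it `journalctl -k -b` to restrict to this boot.
nx_status_from_log() {
    grep 'kernel: NX (Execute Disable) protection: ' \
        | sed 's/.*protection: //' \
        | tail -n 1
}

#    Returns 0 when the kernel command line passed in $1 disables NX
#    (the `grubby --args="noexec=off"` state tested above).
cmdline_disables_nx() {
    printf '%s\n' "$1" | grep -qE '(^| )noexec=off( |$)'
}

# 3. iptables flushed when nftables is in use.
#    Reads `iptables -S` output on stdin; returns 0 when only the built-in
#    policy lines (-P ...) remain, i.e. `iptables -F` has been applied and
#    no user chains (-N) or rules (-A) are left.
iptables_is_flushed() {
    ! grep -qv '^-P '
}

# Constructed sample, modelled on the journal lines above plus a sudo entry
# whose COMMAND contains the string the naive grep would match.
SAMPLE_JOURNAL='Aug 23 13:19:19 localhost kernel: NX (Execute Disable) protection: active
Aug 23 20:18:15 localhost kernel: NX (Execute Disable) protection: disabled by kernel command line option
Aug 23 20:43:36 vm_hostname_agent sudo[4050]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh -c journalctl | grep protection: active | tail -1'

# Live run (as root): sh sca_checks.sh live
if [ "${1:-}" = "live" ]; then
    echo "world-writable dirs without sticky bit:"
    world_writable_without_sticky /
    echo "NX status this boot: $(journalctl -k -b | nx_status_from_log)"
    cmdline_disables_nx "$(cat /proc/cmdline)" && echo "cmdline disables NX"
    iptables -S | iptables_is_flushed && echo "iptables flushed"
fi
```

Running the script with `live` as root on the agent reproduces the transitions the screenshots record: `chmod -t /tmp` makes the first function print `/tmp`, `grubby --update-kernel=ALL --args="noexec=off"` plus a reboot flips the NX status, and any `iptables -A` rule makes the last function return non-zero.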


Mayons95 commented Aug 23, 2022

SCA Amazon Linux 2

Amazon Linux - Use case: Getting an alert when a check changes its result value 🟢
  • First scan alert (screenshot)
  • First summary (screenshot)
  • Alerts on dashboard (screenshot)
  • Scan after enabling PermitRootLogin (screenshot)

  • Use case comments

  1. After executing the command:
 sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

the alert was displayed but the result is failed.
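
The use case above toggles PermitRootLogin and watches the SCA result change. As an added example (not Wazuh's policy or code), the shell below evaluates that control against constructed sshd_config fragments the way a file-content rule would (comment lines ignored, directive present and set to "no"), applies the same sed as the comment, and shows one thing a practitioner would rule out when the result stays failed: the upstream sshd_config ships the directive commented out as `#PermitRootLogin yes`, so that substitution only rewrites the comment and sshd keeps its default. The regex and the configuration fragments are assumptions; the script never touches the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example; not Wazuh's SCA engine or policy text. Evaluates the
# "disable SSH root login" control the way a file-content rule would and
# shows why the sed used above can leave the control failing. The exact
# regex in the Wazuh CIS policy is an assumption, not a copy.

# 0 = pass: an uncommented "PermitRootLogin no" line exists in file $1.
# 1 = fail: directive absent, commented out, or set to another value.
permit_root_login_disabled() {
    grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# Effective value sshd would use: first uncommented occurrence wins;
# prints "<default>" when the directive is only present as a comment.
permit_root_login_value() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "<default>" }' "$1"
}

# The substitution used in the thread. On a stock sshd_config, where the
# directive ships commented out as "#PermitRootLogin yes", this rewrites
# the comment to "#PermitRootLogin no" and the control still fails.
thread_sed() {
    sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' "$1"
}

# Remediation that passes regardless of the starting state: rewrite an
# existing uncommented directive, otherwise append an explicit one.
set_permit_root_login_no() {
    if grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1"; then
        sed -i -E 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$1"
    else
        printf 'PermitRootLogin no\n' >> "$1"
    fi
}

# Constructed sshd_config fragments (not copied from any host).
write_stock_config() {      # directive commented out, as shipped upstream
    printf '%s\n' '# Authentication:' '#PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$1"
}
write_explicit_config() {   # directive explicitly enabled
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$1"
}

report() {                  # "<file>: <effective value> -> pass|fail"
    if permit_root_login_disabled "$1"; then r=pass; else r=fail; fi
    echo "$1: $(permit_root_login_value "$1") -> $r"
}

demo() {
    d=$(mktemp -d)
    write_stock_config "$d/stock"; write_explicit_config "$d/explicit"
    report "$d/stock"; report "$d/explicit"
    thread_sed "$d/stock"; thread_sed "$d/explicit"
    echo "after the thread's sed:"; report "$d/stock"; report "$d/explicit"
    set_permit_root_login_no "$d/stock"
    echo "after remediation:"; report "$d/stock"
    rm -rf "$d"
}
demo
```

The demo prints the stock file as `<default> -> fail` both before and after the sed, while the file with an explicit `PermitRootLogin yes` flips to pass; only the remediation function makes the stock file pass, by appending an uncommented directive.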
