
Release 4.3.7 - Release Candidate 1 - E2E UX tests - Vulnerability Detector #14683

Closed
10 tasks done
sultanovich opened this issue Aug 17, 2022 · 6 comments
Assignees
Labels
release test/4.3.7 Issues related to testing for 4.3.7

Comments

@sultanovich
Member

sultanovich commented Aug 17, 2022

Description

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name: Vulnerability detection
Category: Vulnerability detection
Deployment option: Quickstart
Main release issue: #14614
Release candidate #: RC1

Components        Installation               OS
Wazuh Indexer     Quickstart                 Amazon Linux 2
Wazuh Dashboard   Quickstart                 Amazon Linux 2
Wazuh Server      Quickstart                 Amazon Linux 2
Wazuh agent       Installation from sources  Amazon Linux, Arch Linux, CentOS, Ubuntu, Windows

Tasks

  • Use the new UI for vulnerabilities.
  • Install vulnerable package to force an alert.
  • Patch or uninstall the vulnerable package to force a "solved" alert.
  • Fresh Install: Patch the vulnerable package to force a "solved" alert.

    • CentOS
    • Ubuntu
    • Amazon Linux
    • Windows
    • Arch Linux
  • Upgrade 4.3.6 to 4.3.7: Patch the vulnerable package to force a "solved" alert.

    • CentOS

References

Color Status
🟢 All tests passed successfully
🟡 All tests passed but there are some warnings
🔴 Some tests have failures or errors
🔵 Test execution in progress
To Do
🟠 Jenkins provision fails
🟣 All skipped

Conclusions 🟢

Auditors' validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

@sultanovich
Member Author

General Setting in the manager

  1. Configure the required settings in the ossec.conf file.

    Configuration to test Amazon Linux

    The <vulnerability-detector> must have:

    <enabled>yes</enabled>
    <interval>30s</interval>
    <min_full_scan_interval>1m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    
    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2017</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
    
    Configuration to test CentOS

    The <vulnerability-detector> must have:

    <enabled>yes</enabled>
    <interval>30s</interval>
    <min_full_scan_interval>1m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2017</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
    
    Configuration to test Ubuntu

    The <vulnerability-detector> must have:

    <enabled>yes</enabled>
    <interval>30s</interval>
    <min_full_scan_interval>1m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2017</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
    
    Configuration to test Windows

    The <vulnerability-detector> must have:

    <enabled>yes</enabled>
    <interval>30s</interval>
    <min_full_scan_interval>1m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2017</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
    
    Configuration to test Arch Linux

    The <vulnerability-detector> must have:

    <enabled>yes</enabled>
    <interval>30s</interval>
    <min_full_scan_interval>1m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    
    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2017</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
    
  2. Configure the local_internal_options.conf file with:

    wazuh_modules.debug=2
    monitord.rotate_log=0

  3. Connect the agent with the manager.

  4. Start the Wazuh manager and agent.

  5. Verify that each module works successfully with /var/ossec/bin/wazuh-control status command:

    Manager

    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...

    Agent

    wazuh-modulesd is running...
    wazuh-logcollector is running...
    wazuh-syscheckd is running...
    wazuh-agentd is running...
    wazuh-execd is running...
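
Before the per-OS runs, a quick check of the manager's configuration is cheaper than waiting for a scan that never fires. The script below is an added example, not code from this issue or from Wazuh: it parses the <vulnerability-detector> block from step 1 and reports anything that would stop the expected alerts (module or provider disabled, the agent's OS not listed under its provider, run_on_start off, or a min_full_scan_interval shorter than interval). The OS-to-provider table, the 5m/6h fallback values and the sample ossec.conf text are assumptions of the script.

```python
"""Sanity-check the <vulnerability-detector> block before an E2E run.

Added example for this test issue, not Wazuh code. It assumes the ossec.conf
layout shown in step 1 above; the OS-to-provider table and the fallback
intervals are assumptions of this script, not read from Wazuh.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Amazon Linux configuration from step 1, followed by
# a second <ossec_config> block, as a real ossec.conf has several.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>30s</interval>
    <min_full_scan_interval>1m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2017</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
<ossec_config>
  <global><jsonout_output>yes</jsonout_output></global>
</ossec_config>
"""

# Feed that must be enabled, and the <os> entry it must list, per agent OS.
# Assumption: derived from the per-OS configurations in this test.
PROVIDER_FOR_OS = {
    "amazon-linux-2": ("alas", "amazon-linux-2"),
    "centos-7": ("redhat", "7"),
    "ubuntu-focal": ("canonical", "focal"),
    "arch": ("arch", None),
    "windows": ("msu", None),
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value: str) -> int:
    """Parse a Wazuh time value such as 30s, 1m, 1h or 6h into seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad interval: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def load_ossec_conf(text: str) -> ET.Element:
    """ossec.conf holds several top-level <ossec_config> elements, which is
    not well-formed XML on its own; wrap them in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def _text(el: ET.Element, tag: str) -> str:
    node = el.find(tag)
    return (node.text or "").strip() if node is not None else ""


def check_vd_config(text: str, agent_os: str) -> list:
    """Return a list of findings; an empty list means the block is ready."""
    vd = load_ossec_conf(text).find("./ossec_config/vulnerability-detector")
    if vd is None:
        return ["no <vulnerability-detector> block found"]
    findings = []
    if _text(vd, "enabled") != "yes":
        findings.append("vulnerability-detector is not enabled")
    if _text(vd, "run_on_start") != "yes":
        findings.append("run_on_start is not yes: first scan waits for <interval>")
    # Fallback values (5m / 6h) are an assumption of this script.
    interval = to_seconds(_text(vd, "interval") or "5m")
    full_scan = to_seconds(_text(vd, "min_full_scan_interval") or "6h")
    if full_scan < interval:
        findings.append("min_full_scan_interval is shorter than interval")
    providers = {p.get("name"): p for p in vd.findall("provider")}
    feed, os_tag = PROVIDER_FOR_OS[agent_os]
    prov = providers.get(feed)
    if prov is None or _text(prov, "enabled") != "yes":
        findings.append(f"provider {feed!r} missing or disabled for {agent_os}")
    elif os_tag and os_tag not in [(o.text or "").strip() for o in prov.findall("os")]:
        findings.append(f"provider {feed!r} does not list <os>{os_tag}</os>")
    nvd = providers.get("nvd")
    if nvd is None or _text(nvd, "enabled") != "yes":
        findings.append("nvd provider missing or disabled")
    return findings


if __name__ == "__main__":
    for target in ("amazon-linux-2", "centos-7"):
        print(target, "->", check_vd_config(SAMPLE_OSSEC_CONF, target) or "OK")
```

A real ossec.conf is not a single XML document (several top-level <ossec_config> elements), which is why load_ossec_conf wraps the text in a synthetic root instead of parsing only the first block. Run it with the OS you are about to test; the CentOS run against the Amazon Linux block above correctly reports the missing redhat provider.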

@sultanovich
Member Author

sultanovich commented Aug 18, 2022

Fresh Install: Patch the vulnerable package to force a "solved" alert. 🟢

Patch the vulnerable package to force a "solved" alert. 🟢

Amazon Linux
  1. The openssl alert generated is shown on Dashboard.

image

  2. Patch the vulnerable package to force a "solved" alert.

    yum install openssl

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

image
image

CentOS
  1. The curl alert generated is shown on Dashboard.

    image

  2. Patch the vulnerable package to force a "solved" alert.

    yum install curl

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image

Ubuntu
  1. The curl alert generated is shown on Dashboard.

    image

  2. Patch the vulnerable package to force a "solved" alert.

    apt install curl

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

Windows
  1. The Mozilla Firefox alert generated is shown on Dashboard.

    image

  2. Update the vulnerable package to force a "solved" alert.

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

Arch Linux
  1. The sudo alert generated is shown on Dashboard.

    image

  2. Patch the vulnerable package to force a "solved" alert.

    pacman -Suy sudo

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

Uninstall the vulnerable package to force a "solved" alert. 🟢

Amazon Linux
  1. The git-core-doc alert generated is shown on Dashboard.

    image

  2. Uninstall the vulnerable package to force a "solved" alert.

    yum remove git-core-doc

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

CentOS
  1. The openssh alert generated is shown on Dashboard.

    image

  2. Uninstall the vulnerable package to force a "solved" alert.

    yum remove openssh

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

Ubuntu
  1. The git-man alert generated is shown on Dashboard.

    image

  2. Uninstall the vulnerable package to force a "solved" alert.

    apt remove git-man

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

Windows
  1. The Mozilla Firefox alert generated is shown on Dashboard.

image

  2. Remove the vulnerable package to force a "solved" alert.

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

Arch Linux
  1. The openssh alert generated is shown on Dashboard.

    image

  2. Remove the vulnerable package to force a "solved" alert.

    pacman -Rs openssh

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image
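
The dashboard screenshots above show one "solved" alert per CVE, so a patch can clear some CVEs of a package and leave others Active. The script below is an added example, not code from this issue or from Wazuh: it replays /var/ossec/logs/alerts/alerts.json lines for one agent and package, keeps the last status per CVE, and returns what is still Active next to what was reported Solved. The field names it reads are an assumption about the 4.3 alerts.json layout, and the embedded alert lines (rule ids, versions, CVE ids) are constructed placeholders for the example.

```python
"""Confirm from alerts.json that a patched package's CVEs were reported solved.

Added example for this test issue, not Wazuh code. The alert fields it reads
(rule.groups, agent.name, data.vulnerability.package.{name,version},
data.vulnerability.cve, data.vulnerability.status) are an assumption about
the 4.3 alerts.json layout; check them against a real alert before relying on it.
"""
import json

# Constructed sample for the CentOS curl case above. Rule ids, package
# versions and CVE ids are placeholders, not real identifiers.
SAMPLE_ALERTS = r'''
{"timestamp":"2022-08-18T10:00:01.000+0000","rule":{"id":"23503","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"centos"},"data":{"vulnerability":{"package":{"name":"curl","version":"1.0-1"},"cve":"CVE-0000-00001","status":"Active"}}}
{"timestamp":"2022-08-18T10:00:01.100+0000","rule":{"id":"23502","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"centos"},"data":{"vulnerability":{"package":{"name":"curl","version":"1.0-1"},"cve":"CVE-0000-00002","status":"Active"}}}
{"timestamp":"2022-08-18T10:00:02.000+0000","rule":{"id":"5501","groups":["pam","syslog"]},"agent":{"id":"001","name":"centos"},"data":{"srcuser":"root"}}
{"timestamp":"2022-08-18T10:06:30.000+0000","rule":{"id":"23505","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"centos"},"data":{"vulnerability":{"package":{"name":"curl","version":"1.0-2"},"cve":"CVE-0000-00001","status":"Solved"}}}
'''


def iter_vd_alerts(text):
    """Yield only vulnerability-detector alerts; skip blank or torn lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json is appended line by line; a partial tail is possible
        if "vulnerability-detector" in alert.get("rule", {}).get("groups", []):
            yield alert


def package_state(text, agent_name, package):
    """Last status seen per CVE for one package on one agent: {cve: (status, version)}."""
    state = {}
    # Timestamps share one format, so string order is chronological order.
    for alert in sorted(iter_vd_alerts(text), key=lambda a: a["timestamp"]):
        if alert["agent"]["name"] != agent_name:
            continue
        vuln = alert["data"]["vulnerability"]
        if vuln["package"]["name"] != package:
            continue
        state[vuln["cve"]] = (vuln["status"], vuln["package"]["version"])
    return state


def verify_solved(text, agent_name, package):
    """E2E check: (CVEs still Active, CVEs whose latest alert is Solved)."""
    state = package_state(text, agent_name, package)
    still_active = sorted(c for c, (status, _) in state.items() if status != "Solved")
    solved = sorted(c for c, (status, _) in state.items() if status == "Solved")
    return still_active, solved


if __name__ == "__main__":
    active, solved = verify_solved(SAMPLE_ALERTS, "centos", "curl")
    print("solved:", solved)
    print("still active after patch:", active or "none")
```

Run it against the real file after the rescan, however that scan was triggered (agent restart or the configured interval elapsing); an empty still-active list is the pass condition for the "solved" step, and a non-empty one tells you which CVE the dashboard should still list under Inventory.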

@jesuslinares jesuslinares transferred this issue from wazuh/wazuh-qa Aug 18, 2022
@sultanovich
Member Author

Upgrade 4.3.6 to 4.3.7: Patch the vulnerable package to force a "solved" alert. 🟢

Upgrade Section
  1. Check our manager with 4.3.7:

    [root@ip-172-31-34-195 ~]# /var/ossec/bin/wazuh-control info -
    v4.3.7

  2. Check our agent with 4.3.6:

    [root@b2f4d457af6a /]# /var/ossec/bin/wazuh-control info -v
    v4.3.6

  3. Check status to agent and manager

    Manager:

    [root@ip-172-31-34-195 ~]# /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    [root@ip-172-31-34-195 ~]#

    Agent:

    [root@b2f4d457af6a /]# /var/ossec/bin/wazuh-control status
    wazuh-modulesd is running...
    wazuh-logcollector is running...
    wazuh-syscheckd is running...
    wazuh-agentd is running...
    wazuh-execd is running...
    [root@b2f4d457af6a /]#

image

  4. Upgrade the agent to 4.3.6

  5. Verify the correct version was installed:

    [root@ip-172-31-34-195 ~]# /var/ossec/bin/wazuh-control info
    WAZUH_VERSION="v4.3.7"
    WAZUH_REVISION="40319"
    WAZUH_TYPE="server"
    [root@ip-172-31-34-195 ~]#

    [root@b2f4d457af6a /]# /var/ossec/bin/wazuh-control info
    WAZUH_VERSION="v4.3.7"
    WAZUH_REVISION="40319"
    WAZUH_TYPE="agent"
    [root@b2f4d457af6a /]#

image

  6. Restart manager and agent. Check status

    Manager:

    [root@ip-172-31-34-195 ~]# /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    [root@ip-172-31-34-195 ~]#

    Agent:

    [root@b2f4d457af6a /]# /var/ossec/bin/wazuh-control status
    wazuh-modulesd is running...
    wazuh-logcollector is running...
    wazuh-syscheckd is running...
    wazuh-agentd is running...
    wazuh-execd is running...
    [root@b2f4d457af6a /]#

CentOS - Patch the vulnerable package to force a "solved" alert.
  1. The alert generated is shown on Dashboard.

    image

  2. Patch the vulnerable package to force a "solved" alert.

    yum install curl

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image

CentOS - Remove the vulnerable package to force a "solved" alert.
  1. The alert generated is shown on Dashboard.

    image

  2. Patch the vulnerable package to force a "solved" alert.

    yum remove openssh

  3. Restart the agent

  4. The alert solved generated is shown on Dashboard.

    image
    image

@sultanovich
Member Author

Conclusion

After testing the cases, we can visualize the generated and resolved alerts with the UI.
Also, we can see that once the vulnerable package is resolved, it disappears from the Inventory list.

@jesuslinares
Contributor

jesuslinares commented Aug 22, 2022

The tests look good but the flow was:

  • fix package
  • restart agent
  • check

In the real world, a user fixes the vulnerable package (like curl) but the Wazuh agent is not restarted. I understand that the restart was performed in order to force the vulnerability scan, but I'm not sure if we are missing something due to this restart.

@vikman90 what do you think? do we need to add at least a test without restarting the agent? should we repeat all the tests?

@vikman90
Member

Hi @jesuslinares, IMO we should approve this test as it has been executed like the previous one (wazuh/wazuh-qa#3106).

We will extend this case in future releases.
