Ensure <indexer> config is present in ossec.conf after upgrade via rpm #2711

jftuduri · 2023-12-20T15:55:35Z

Related issue
Closes #2706

Description

This PR modifies the rpm generation script to ensure that after an upgrade the ossec.conf file contains the Indexer configuration section.
If the existing ossec.conf does not have an Indexer configuration section then the default Indexer configuration is appended at the end of ossec.conf as part of a new <ossec_conf> block.
If the existing ossec.conf does have an Indexer configuration then no changes are done to the ossec.conf.

Results

Package generation

The package has been generated by running

./generate_rpm_package.sh -b dev-14153-vulndet-refactor -t manager -a x86_64 -j 8 --packages-branch dev-2706-fix-rpm-upgrade-config-failure

$ sha256sum wazuh-manager-4.8.0-1.x86_64.rpm 
69f0f941283e6d2e4802f433603e4696bb83ee639b8cb7e61a831aa45b4f6fa9  wazuh-manager-4.8.0-1.x86_64.rpm

Fresh install

Installation

[root@vagrant ~]# sha256sum wazuh-manager-4.8.0-1.x86_64.rpm 
69f0f941283e6d2e4802f433603e4696bb83ee639b8cb7e61a831aa45b4f6fa9  wazuh-manager-4.8.0-1.x86_64.rpm
[root@vagrant ~]# rpm -i wazuh-manager-4.8.0-1.x86_64.rpm 
[root@vagrant ~]# rpm -qi wazuh-manager 
Name        : wazuh-manager
Version     : 4.8.0
Release     : 1
Architecture: x86_64
Install Date: jue 21 dic 2023 18:56:12 UTC
Group       : System Environment/Daemons
Size        : 728482375
License     : GPL
Signature   : (none)
Source RPM  : wazuh-manager-4.8.0-1.src.rpm
Build Date  : jue 21 dic 2023 18:27:47 UTC
Build Host  : c8ee650f117d
Relocations : (not relocatable)
Packager    : Wazuh, Inc <[email protected]>
Vendor      : Wazuh, Inc <[email protected]>
URL         : https://www.wazuh.com/
Summary     : Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
Description :
Wazuh helps you to gain security visibility into your infrastructure by monitoring
hosts at an operating system and application level. It provides the following capabilities:
log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring

Service start and status

[root@vagrant ~]# systemctl daemon-reload
[root@vagrant ~]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@vagrant ~]# systemctl start wazuh-manager
[root@vagrant ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since jue 2023-12-21 18:59:42 UTC; 6s ago
  Process: 5867 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─5926 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5968 /var/ossec/bin/wazuh-authd
           ├─5978 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5981 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5984 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5994 /var/ossec/bin/wazuh-db
           ├─6019 /var/ossec/bin/wazuh-execd
           ├─6034 /var/ossec/bin/wazuh-analysisd
           ├─6079 /var/ossec/bin/wazuh-syscheckd
           ├─6100 /var/ossec/bin/wazuh-remoted
           ├─6136 /var/ossec/bin/wazuh-logcollector
           ├─6187 /var/ossec/bin/wazuh-monitord
           ├─6197 /var/ossec/bin/wazuh-modulesd
           └─6858 rpm -q iptables-services

dic 21 18:59:36 vagrant env[5867]: Started wazuh-analysisd...
dic 21 18:59:37 vagrant env[5867]: Started wazuh-syscheckd...
dic 21 18:59:38 vagrant env[5867]: Started wazuh-remoted...
dic 21 18:59:39 vagrant env[5867]: Started wazuh-logcollector...
dic 21 18:59:39 vagrant env[5867]: Started wazuh-monitord...
dic 21 18:59:39 vagrant env[5867]: 2023/12/21 18:59:39 wazuh-modulesd:router: INFO: Loaded router module.
dic 21 18:59:39 vagrant env[5867]: 2023/12/21 18:59:39 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
dic 21 18:59:40 vagrant env[5867]: Started wazuh-modulesd...
dic 21 18:59:42 vagrant env[5867]: Completed.
dic 21 18:59:42 vagrant systemd[1]: Started Wazuh manager.

Fresh v4.8 ossec.conf

[root@vagrant ~]# cat /var/ossec/etc/ossec.conf 
<!--
  Wazuh - Manager - Default configuration for amzn 2
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
    <username>admin</username>
    <password>admin</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.31.1</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>

Upgrade from v4.7 to v4.8

Manager 4.7 installation

[root@vagrant ~]# rpm -i wazuh-manager-4.7.1-1.x86_64.rpm 
warning: wazuh-manager-4.7.1-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
[root@vagrant ~]# systemctl daemon-reload
[root@vagrant ~]# systemctl enable wazuh-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-manager.service to /usr/lib/systemd/system/wazuh-manager.service.
[root@vagrant ~]# systemctl start wazuh-manager
[root@vagrant ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since jue 2023-12-21 19:04:43 UTC; 6s ago
  Process: 5822 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─5881 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5921 /var/ossec/bin/wazuh-authd
           ├─5939 /var/ossec/bin/wazuh-db
           ├─5953 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5956 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5959 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─5973 /var/ossec/bin/wazuh-execd
           ├─5989 /var/ossec/bin/wazuh-analysisd
           ├─6032 /var/ossec/bin/wazuh-syscheckd
           ├─6050 /var/ossec/bin/wazuh-remoted
           ├─6087 /var/ossec/bin/wazuh-logcollector
           ├─6126 /var/ossec/bin/wazuh-monitord
           ├─6178 /var/ossec/bin/wazuh-modulesd
           ├─6485 sh -c  yum check-updates --security | grep "No packages"
           ├─6487 /usr/bin/python /usr/bin/yum check-updates --security
           └─6488 grep No packages

dic 21 19:04:35 vagrant env[5822]: Started wazuh-execd...
dic 21 19:04:36 vagrant env[5822]: Started wazuh-analysisd...
dic 21 19:04:37 vagrant env[5822]: Started wazuh-syscheckd...
dic 21 19:04:38 vagrant env[5822]: Started wazuh-remoted...
dic 21 19:04:39 vagrant env[5822]: Started wazuh-logcollector...
dic 21 19:04:40 vagrant env[5822]: Started wazuh-monitord...
dic 21 19:04:41 vagrant env[5822]: Started wazuh-modulesd...
dic 21 19:04:43 vagrant env[5822]: Completed.
dic 21 19:04:43 vagrant systemd[1]: Started Wazuh manager.
dic 21 19:04:45 vagrant crontab[6427]: (root) LIST (root)

4.7 ossec.conf

[root@vagrant ~]# cat /var/ossec/etc/ossec.conf 
<!--
  Wazuh - Manager - Default configuration for amzn 2
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <os>amazon-linux-2022</os>
      <os>amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Alma Linux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>no</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.31.1</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>

Upgrade

[root@vagrant ~]# rpm --upgrade wazuh-manager-4.8.0-1.x86_64.rpm 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
[root@vagrant ~]# rpm -qi wazuh-manager 
Name        : wazuh-manager
Version     : 4.8.0
Release     : 1
Architecture: x86_64
Install Date: jue 21 dic 2023 19:09:23 UTC
Group       : System Environment/Daemons
Size        : 728482375
License     : GPL
Signature   : (none)
Source RPM  : wazuh-manager-4.8.0-1.src.rpm
Build Date  : jue 21 dic 2023 18:27:47 UTC
Build Host  : c8ee650f117d
Relocations : (not relocatable)
Packager    : Wazuh, Inc <[email protected]>
Vendor      : Wazuh, Inc <[email protected]>
URL         : https://www.wazuh.com/
Summary     : Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
Description :
Wazuh helps you to gain security visibility into your infrastructure by monitoring
hosts at an operating system and application level. It provides the following capabilities:
log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring

Status after upgrade

[root@vagrant ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since jue 2023-12-21 19:09:25 UTC; 1min 4s ago
  Process: 7726 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)

dic 21 19:09:25 vagrant systemd[1]: Starting Wazuh manager...
dic 21 19:09:25 vagrant env[7726]: 2023/12/21 19:09:25 wazuh-csyslogd: ERROR: (1230): Invalid element in the configuration: 'vulnerability-detector'.
dic 21 19:09:25 vagrant env[7726]: 2023/12/21 19:09:25 wazuh-csyslogd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.
dic 21 19:09:25 vagrant env[7726]: 2023/12/21 19:09:25 wazuh-csyslogd: CRITICAL: (1202): Configuration error at 'etc/ossec.conf'.
dic 21 19:09:25 vagrant env[7726]: wazuh-csyslogd: Configuration error. Exiting
dic 21 19:09:25 vagrant systemd[1]: wazuh-manager.service: control process exited, code=exited status=1
dic 21 19:09:25 vagrant systemd[1]: Failed to start Wazuh manager.
dic 21 19:09:25 vagrant systemd[1]: Unit wazuh-manager.service entered failed state.
dic 21 19:09:25 vagrant systemd[1]: wazuh-manager.service failed.

Note

The error shown is related to the presence of the <vulnerability-detector>. This will be fixed on a different issue.

ossec.conf after upgrade, indexer config correctly appended

[root@vagrant ~]# cat /var/ossec/etc/ossec.conf
<!--
  Wazuh - Manager - Default configuration for amzn 2
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <os>amazon-linux-2022</os>
      <os>amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Alma Linux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>no</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.31.1</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>

<ossec_config>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
    <username>admin</username>
    <password>admin</password>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>

</ossec_config>

Note

After manually removing the config block the manager starts correctly.

[root@vagrant ~]# nano /var/ossec/etc/ossec.conf
[root@vagrant ~]# systemctl start wazuh-manager
[root@vagrant ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since jue 2023-12-21 19:15:20 UTC; 5s ago
  Process: 7794 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─7853 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7854 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7857 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7860 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─7903 /var/ossec/bin/wazuh-authd
           ├─7920 /var/ossec/bin/wazuh-db
           ├─7946 /var/ossec/bin/wazuh-execd
           ├─7964 /var/ossec/bin/wazuh-analysisd
           ├─8008 /var/ossec/bin/wazuh-syscheckd
           ├─8027 /var/ossec/bin/wazuh-remoted
           ├─8062 /var/ossec/bin/wazuh-logcollector
           ├─8111 /var/ossec/bin/wazuh-monitord
           └─8155 /var/ossec/bin/wazuh-modulesd

dic 21 19:15:13 vagrant env[7794]: Started wazuh-analysisd...
dic 21 19:15:14 vagrant env[7794]: Started wazuh-syscheckd...
dic 21 19:15:15 vagrant env[7794]: Started wazuh-remoted...
dic 21 19:15:16 vagrant env[7794]: Started wazuh-logcollector...
dic 21 19:15:17 vagrant env[7794]: Started wazuh-monitord...
dic 21 19:15:17 vagrant env[7794]: 2023/12/21 19:15:17 wazuh-modulesd:router: INFO: Loaded router module.
dic 21 19:15:17 vagrant env[7794]: 2023/12/21 19:15:17 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
dic 21 19:15:18 vagrant env[7794]: Started wazuh-modulesd...
dic 21 19:15:20 vagrant env[7794]: Completed.
dic 21 19:15:20 vagrant systemd[1]: Started Wazuh manager.

tsarquis88

LGTM! Good work @jftuduri (and @kevin-mcm).

Tested with the dev-20952-handle-old-vd-config wazuh/wazuh branch, where the old VD configuration is handled.

OS info:

# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)

Package generation:

% ./generate_rpm_package.sh -b dev-20952-handle-old-vd-config -t manager -a x86_64 -j 8 --packages-branch dev-2706-fix-rpm-upgrade-config-failure

Upgrade:

# rpm --upgrade ./wazuh-manager-4.8.0-1.x86_64.rpm 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew

Wazuh log after upgrade:

# cat /var/ossec/logs/ossec.log | grep "vulnerability"
2023/12/22 12:03:56 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 12:04:06 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 12:04:06 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2023/12/22 12:04:06 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module is disabled

Restart with VD enabled:

# cat /var/ossec/logs/ossec.log | grep "vulnerability"
2023/12/22 12:08:43 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2023/12/22 12:08:48 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 12:08:59 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 12:08:59 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2023/12/22 12:09:11 wazuh-modulesd:content-updater: INFO: Starting scheduled action for 'vulnerability_feed_manager'
2023/12/22 12:09:11 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started

kevin-mcm

LGTM!

Test

Environment

> cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.8"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Oracle Linux Server 8.8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:8:8:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"

wazuh-manager 4.7

> /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.7.1"
WAZUH_REVISION="40709"
WAZUH_TYPE="server"

Upgrade to v4.8

> rpm --upgrade ./wazuh-manager-4.8.0-1.x86_64.rpm
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew

> /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40801"
WAZUH_TYPE="server"

> cat /var/ossec/logs/ossec.log | grep "vulnerability"
2023/12/22 18:01:41 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 18:01:47 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 18:01:47 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2023/12/22 18:01:47 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module is disabled

# Restart with VD enabled
> cat /var/ossec/logs/ossec.log | grep "vulnerability"
2023/12/22 18:04:28 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2023/12/22 18:04:31 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 18:04:36 wazuh-modulesd: WARNING: vulnerability-detector configuration is deprecated. Use vulnerability-detection instead.
2023/12/22 18:04:36 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2023/12/22 18:04:36 wazuh-modulesd:content-updater: INFO: Starting scheduled action for 'vulnerability_feed_manager'
2023/12/22 18:04:36 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started

sebasfalcone

LGTM!

Damian-Mangold

LGTM !

jftuduri changed the base branch from master to dev-14153-vulndet-refactor December 20, 2023 15:56

jftuduri marked this pull request as draft December 20, 2023 18:53

jftuduri changed the title ~~Ensure <indexer> config is present in ossec.conf after upgrade~~ Ensure <indexer> config is present in ossec.conf after upgrade via rpm Dec 20, 2023

Add indexer config to ossec.conf if missing, on upgrade

9ceb882

jftuduri force-pushed the dev-2706-fix-rpm-upgrade-config-failure branch from 6f361e0 to 9ceb882 Compare December 21, 2023 18:21

jftuduri marked this pull request as ready for review December 21, 2023 19:20

jftuduri self-assigned this Dec 21, 2023

jftuduri requested review from kevin-mcm, sebasfalcone, tsarquis88 and Damian-Mangold December 21, 2023 19:21

jftuduri mentioned this pull request Dec 21, 2023

Config failure when upgrading manager to v4.8 through a .rpm package #2706

Closed

tsarquis88 approved these changes Dec 22, 2023

View reviewed changes

kevin-mcm approved these changes Dec 22, 2023

View reviewed changes

sebasfalcone approved these changes Dec 22, 2023

View reviewed changes

Damian-Mangold approved these changes Dec 23, 2023

View reviewed changes

Damian-Mangold merged commit 8317813 into dev-14153-vulndet-refactor Dec 23, 2023
3 of 5 checks passed

Damian-Mangold deleted the dev-2706-fix-rpm-upgrade-config-failure branch December 23, 2023 03:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ensure <indexer> config is present in ossec.conf after upgrade via rpm #2711

Ensure <indexer> config is present in ossec.conf after upgrade via rpm #2711

jftuduri commented Dec 20, 2023 •

edited

Loading

tsarquis88 left a comment •

edited

Loading

kevin-mcm left a comment

sebasfalcone left a comment

Damian-Mangold left a comment

Ensure <indexer> config is present in ossec.conf after upgrade via rpm #2711

Ensure <indexer> config is present in ossec.conf after upgrade via rpm #2711

Conversation

jftuduri commented Dec 20, 2023 • edited Loading

Description

Results

Package generation

Fresh install

Upgrade from v4.7 to v4.8

tsarquis88 left a comment • edited Loading

Choose a reason for hiding this comment

kevin-mcm left a comment

Choose a reason for hiding this comment

Test

Upgrade to v4.8

sebasfalcone left a comment

Choose a reason for hiding this comment

Damian-Mangold left a comment

Choose a reason for hiding this comment

jftuduri commented Dec 20, 2023 •

edited

Loading

tsarquis88 left a comment •

edited

Loading