Test E2E Agent 5.0 Installation on macOS and Windows #534

cborla opened this issue Jan 23, 2025 · 1 comment
cborla commented Jan 23, 2025

Description

This issue aims to test the installation and configuration of Wazuh 5.0 agents on macOS and Windows platforms, ensuring proper functionality and evidence collection for stateful and stateless events.


Tasks

Server Setup

  1. Server Installation and Setup

    • Document how the server environment is installed and initialized, including step-by-step instructions.
    • Provide evidence of the setup process (e.g., screenshots, commands used, logs).
  2. Packages Used

    • List the packages used for Indexer, Server, and Dashboard.
  3. Event Screens

    • Identify the specific screens in the Dashboard where stateful and stateless events can be viewed.
    • Include screenshots or descriptions of these screens for clarity.

Agent 5.0 (macOS and Windows)

  1. Package Used

    • Specify the exact package used for the Wazuh agent on both macOS and Windows.
  2. Installation Process

    • Document how the agent is installed, including step-by-step instructions for both platforms.
  3. Agent Configuration

    • Provide details on how to configure the agent after installation.
  4. Server Registration

    • Document how to register the agent with the server.
    • Include steps to validate the connection and verify the agent's registration with the server.
  5. Event Evidence

    • Collect and provide evidence of events generated by the agent, ensuring proper functionality for stateful and stateless events.

Deliverables

  • Complete documentation of the server setup and agent installation processes.
  • Evidence of successful installation and configuration steps (e.g., screenshots, commands used, logs).
  • Clear instructions for validating the connection between the agent and server.
  • Screenshots or logs demonstrating stateful and stateless event generation.
@cborla cborla changed the title Test E2E Wazuh 5.0 Agent Installation on macOS and Windows Test E2E Agent 5.0 Installation on macOS and Windows Jan 23, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Jan 24, 2025
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Jan 24, 2025
nbertoldo commented Jan 24, 2025

Agent 5.0 macOS installation

1. Package used

2. Installation Process

Install wazuh-agent package:

sh-3.2# installer -pkg wazuh-agent_5.0.0-0_intel64_8481b026e.pkg -target /
installer: Package name is wazuh-agent_5.0.0-0_intel64_8481b026e
installer: Installing at base path /
installer: The install was successful.

Load the service:

sh-3.2# launchctl bootstrap system /Library/LaunchDaemons/com.wazuh.agent.plist

Verify the service is running:

sh-3.2# launchctl print system/com.wazuh.agent
system/com.wazuh.agent = {
	active count = 1
	path = /Library/LaunchDaemons/com.wazuh.agent.plist
	type = LaunchDaemon
	state = running

	program = /Library/Application Support/Wazuh agent.app/bin/wazuh-agent
	arguments = {
		/Library/Application Support/Wazuh agent.app/bin/wazuh-agent
	}

	working directory = /Library/Application Support/Wazuh agent.app/bin

	stdout path = /var/log/wazuh-output.log
	stderr path = /var/log/wazuh-error.log
	default environment = {
		PATH => /usr/bin:/bin:/usr/sbin:/sbin
	}

	environment = {
		XPC_SERVICE_NAME => com.wazuh.agent
	}

	domain = system
	minimum runtime = 10
	exit timeout = 5
	runs = 1
	pid = 87950
	immediate reason = speculative
	forks = 7
	execs = 1
	initialized = 1
	trampolined = 1
	started suspended = 0
	proxy started suspended = 0
	last exit code = (never exited)

	spawn type = daemon (3)
	jetsam priority = 40
	jetsam memory limit (active) = (unlimited)
	jetsam memory limit (inactive) = (unlimited)
	jetsamproperties category = daemon
	jetsam thread limit = 32
	cpumon = default
	probabilistic guard malloc policy = {
		activation rate = 1/1000
		sample rate = 1/0
	}

	properties = keepalive | runatload | inferred program
}

3. Agent Configuration

Edit wazuh-agent.yml to set the server URL:

sh-3.2# cat /Library/Application\ Support/Wazuh\ agent.app/etc/wazuh-agent.yml 
agent:
  thread_count: 4
  server_url: https://54.211.158.194:27000
  retry_interval: 30s
  verification_mode: none # TODO: change this setting to full
events:
  batch_interval: 10s
  batch_size: 1MB
inventory:
  enabled: true
  interval: 3m
  scan_on_start: true
  hardware: true
  system: true
  networks: true
  packages: true
  ports: true
  ports_all: true
  processes: true
  hotfixes: true
logcollector:
  enabled: false
  localfiles:
    - /var/log/auth.log
  reload_interval: 1m
  read_interval: 500ms

4. Server Registration

Register the agent:

sh-3.2# /Library/Application\ Support/Wazuh\ agent.app/bin/wazuh-agent --register-agent --user wazuh --password wazuh --url https://54.211.158.194:55000 --verification-mode none
Starting wazuh-agent registration
wazuh-agent registered

Check agent logs:

sh-3.2# cat /var/log/wazuh-error.log
[2025-01-24 10:50:59.654] [wazuh-agent] [info] [INFO] [process_options_unix.cpp:24] [StartAgent] Starting wazuh-agent
[2025-01-24 10:51:00.473] [wazuh-agent] [info] [INFO] [communicator.cpp:28] [SendAuthenticationRequest] Successfully authenticated with the manager.
[2025-01-24 10:51:00.475] [wazuh-agent] [info] [INFO] [inventory.cpp:19] [Start] Inventory module started.
[2025-01-24 10:51:00.475] [wazuh-agent] [info] [INFO] [logcollector.cpp:28] [Start] Logcollector module is disabled.
[2025-01-24 10:51:00.476] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:972] [SyncLoop] Module started.
[2025-01-24 10:51:00.476] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:955] [Scan] Starting evaluation.
[2025-01-24 10:51:01.747] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:967] [Scan] Evaluation finished.

5. Event Evidence

Go to Menu -> Discover:


Stateful events

Hardware

Select wazuh-states-inventory-hardware index pattern:


{
  "_index": "wazuh-states-inventory-hardware",
  "_id": "4c44873a0745a1a0666865abc5e13b7ccfc57c5f",
  "_version": 53,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-24T21:03:39.588Z",
    "host": {
      "cpu": {
        "cores": 2,
        "name": "Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz",
        "speed": 3192
      },
      "memory": {
        "free": 1448104,
        "total": 4194304,
        "used": {
          "percentage": 66
        }
      }
    },
    "observer": {
      "serial_number": "H2WF603JPJJ9"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-24T21:03:39.588Z"
    ]
  },
  "sort": [
    1737752619588
  ]
}

System

Select wazuh-states-inventory-system index pattern:


{
  "_index": "wazuh-states-inventory-system",
  "_id": "d83906096cf1becc70479dbe8856c160a00fa24e",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:17:51.686Z",
    "host": {
      "architecture": "x86_64",
      "hostname": "idr-1983-sonoma-14-3145",
      "os": {
        "full": "Sonoma",
        "kernel": "23E224",
        "name": "macOS",
        "platform": "darwin",
        "type": "Darwin",
        "version": "14.4.1"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "sort": [
    1737659871686
  ]
}

Stateless events

Package installed

Select wazuh-alerts-* index pattern:


Add filter for field event.action is package-installed:


{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "QRaZlJQBUiKAykr1qQWs",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "package-installed",
      "category": [
        "package"
      ],
      "created": "2025-01-23T19:17:51.686Z",
      "reason": "Package Safari (version 17.4.1) was installed",
      "type": [
        "installation"
      ]
    },
    "package": {
      "architecture": "",
      "description": "com.apple.Safari",
      "installed": null,
      "name": "Safari",
      "path": "/Applications/Safari.app/Contents/Info.plist",
      "size": null,
      "type": "pkg",
      "version": "17.4.1"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@package-installed@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

Network updated

Add filter for field event.action is network-interface-updated:


{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "eBbemZQBUiKAykr1pza0",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "network-interface-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "host.network.ingress.bytes",
        "host.network.ingress.packets",
        "host.network.egress.bytes",
        "host.network.egress.packets"
      ],
      "created": "2025-01-24T19:51:19.793Z",
      "reason": "Network interface en0 updated",
      "type": [
        "change"
      ]
    },
    "host": {
      "ip": [
        "10.211.55.224"
      ],
      "mac": "00:1c:42:54:cd:0c",
      "network": {
        "egress": {
          "bytes": 8853504,
          "drops": 0,
          "errors": 0,
          "packets": 98922,
          "previous": {
            "bytes": 8829952,
            "packets": 98836
          }
        },
        "ingress": {
          "bytes": 1388224512,
          "drops": 0,
          "errors": 0,
          "packets": 967885,
          "previous": {
            "bytes": 1388198912,
            "packets": 967796
          }
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [
        "10.211.55.255"
      ],
      "dhcp": null,
      "gateway": [
        "10.211.55.1"
      ],
      "metric": null,
      "netmask": [
        "255.255.255.0"
      ],
      "protocol": null,
      "type": "ipv4"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "en0"
        }
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-24T19:51:19.793Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@network-interface-updated@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
