=== Wazuh on FreeBSD Links: + link:https://wazuh.com[Wazuh] URL: link:https://wazuh.com[] Contact: José Alonso Cárdenas Márquez + Contact: Jesús Daniel Colmenares Oviedo Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes data gathered by the agents. Besides, Wazuh has been fully integrated with the Elastic Stack or OpenSearch Stack, providing a search engine and data visualization tool that allows users to navigate through their security alerts. A lot has happened this quarter. Numerous improvements and bug fixes to enhance FreeBSD's support with this excellent XDR/SIEM and security platform. * We have created a repository on GitHub to centralize the work and reduce patches in the manager and the agent. Links: link:https://github.com/alonsobsd/wazuh-freebsd[Repository], link:https://cgit.freebsd.org/ports/commit/?id=b1f52980fe0a34ccaa674408c92869aec9aac4fe[b1f5298] * Python bundle has been updated to 3.11.15. Link: link:https://cgit.freebsd.org/ports/commit/?id=c941e5b33dea22c240b2b0bb53dd191bb1e8da4a[c941e5b] * An issue that prevented wazuh-manager from starting when the MYSQL option was enabled has been fixed. Link: link:https://cgit.freebsd.org/ports/commit/?id=c941e5b33dea22c240b2b0bb53dd191bb1e8da4a[c941e5b] * A parsing issue in sysinfo's `getPorts()` function has been fixed. Link: link:https://cgit.freebsd.org/ports/commit/?id=35fcd6a4cc00bedfe350da9503d4d09d3e914006[35fcd6a] * Support for FreeBSD has been added to asyncinotify library that prevents Wazuh API starting correctly. Link: link:https://cgit.freebsd.org/ports/commit/?id=35fcd6a4cc00bedfe350da9503d4d09d3e914006[35fcd6a] * Now Wazuh uses OpenSearch Dashboards 2.19.4. Link: link:https://cgit.freebsd.org/ports/commit/?id=b1f52980fe0a34ccaa674408c92869aec9aac4fe[b1f5298] * sysinfo module can now obtain users and groups information. Link: link:https://cgit.freebsd.org/ports/commit/?id=e9cebac52c06bab51b406304d7e5a6397fddec77[e9cebac] * An issue between the agent and the manager that prevented a successful active state for TCP connections has been fixed, and now this protocol is the default instead of UDP. Link: link:https://cgit.freebsd.org/ports/commit/?id=055d5c96c56d8cc876451ccb9b0eb80bcac8d72a[055d5c9], link:https://cgit.freebsd.org/ports/commit/?id=508a8c8d4b9b836cc1effee7b5f462a53c644501[508a8c8] * FreeBSD SCA, decoders and rules files were updated, fixing conflict issues. Links: link:https://cgit.freebsd.org/ports/commit/?id=055d5c96c56d8cc876451ccb9b0eb80bcac8d72a[055d5c9], link:https://cgit.freebsd.org/ports/commit/?id=508a8c8d4b9b836cc1effee7b5f462a53c644501[508a8c8] * A problem with Python scripts in the manager prevented their correct execution when the `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` environment variable is not set. Link: link:https://cgit.freebsd.org/ports/commit/?id=8bd6c77634f475a0ff31bda46b4c04f91fa74d79[8bd6c77] * The sysinfo's `getSerialNumber()` function has been improved, so the manager and the agent can now use the `kern.hostuuid` sysctl to uniquely identify devices. Link: link:https://cgit.freebsd.org/ports/commit/?id=284813ec0382a2bfe5b2e74a3081a67599d3155d[284813e] * An issue in wazuh-modulesd has been fixed that caused a SIGSEGV while decompressing the vulnerability detection database and accesses to an unitialized structure. Link: link:https://cgit.freebsd.org/ports/commit/?id=d3c13b6b24ec7d9be58f0ebd3a2c7d0a2e7b7d79[d3c13b6] * An issue in the agent has been fixed that caused a "permission error" due to an incorrect owner in the [.filename]#etc/clients.keys# file. Link: link:https://cgit.freebsd.org/ports/commit/?id=c74ab75450040f0367851979ff46cd64d74d6a1f[c74ab75] * package:security/wazuh-server[] switched from beats7 to beats8. Link: link:https://cgit.freebsd.org/ports/commit/?id=ce6831e12ecbcdbce6a1b4fb2988b9663e370a78][ce6831e] * Fixed a segmentation fault in wazuh-modulesd when man:pkg[8] is not installed on the system and sysinfo's `getPackages()` function is trying to obtain information about installed packages. Now this function has been reimplemented to use SQLite. Link: link:https://cgit.freebsd.org/ports/commit/?id=ff957155fa2a7ee01ceeec45b1fb75d80f856c58[ff95715], link:https://cgit.freebsd.org/ports/commit/?id=a4242bfeafc2dd423cf145060abb9b5562958c72[a4242bf] * Apply man:dos2unix[1] to Wazuh API's [.filename]#api.yaml# file. Link: link:https://cgit.freebsd.org/ports/commit/?id=a4242bfeafc2dd423cf145060abb9b5562958c72[a4242bf] * An issue with wazuh-apid has been fixed that prevents it to start correctly, marking itself as DOWN, when `security.bsd.see_other_{u,g}ids` is set to `0`. Link: link:https://cgit.freebsd.org/ports/commit/?id=c86d3fc116b3437ff3351e8e886926175aaec2b1[c86d3fc] * A page has been created on the FreeBSD wiki to centralize the work we have done and what remains to be done. Link: link:https://wiki.FreeBSD.org/Wazuh[Wiki] Makejails for Wazuh has been improved and now mimics the official Dockerfiles, so users familiar with it can easily deploy all Wazuh components using link:https://github.com/DtxdF/AppJail[AppJail] and link:https://github.com/DtxdF/director[Director]: * link:https://github.com/AppJail-makejails/wazuh-manager[wazuh-manager] * link:https://github.com/AppJail-makejails/wazuh-agent[wazuh-agent] * link:https://github.com/AppJail-makejails/wazuh-indexer[wazuh-indexer] * link:https://github.com/AppJail-makejails/wazuh-certs-tool[wazuh-certs-tool] * link:https://github.com/AppJail-makejails/wazuh-dashboard[wazuh-dashboard] This also adds cluster-mode infrastructure for Makejails. Vulnerability detection is not yet implemented in FreeBSD, but link:https://github.com/DtxdF/serpico[Serpico] has been developed to address this deficiency. Serpico is a security scanner for FreeBSD packages and releases that compares versions against a list of versions marked as vulnerable and displays vulnerability information in a compact JSON format for easy analysis with other security tools. The package includes rules for Wazuh and a dashboard that can be easily installed via the web-UI or the OpenSearch Dashboards API. Current version: 4.14.3