=== Wazuh on FreeBSD

Links: +
link:https://wazuh.com[Wazuh] URL: link:https://wazuh.com[]

Contact: José Alonso Cárdenas Márquez <[email protected]> +
Contact: Jesús Daniel Colmenares Oviedo <[email protected]>

Wazuh is a free and open source platform used for threat prevention, detection, and response.
It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.

Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes data gathered by the agents.
Besides, Wazuh has been fully integrated with the Elastic Stack or OpenSearch Stack, providing a search engine and data visualization tool that allows users to navigate through their security alerts.

A lot has happened this quarter.
Numerous improvements and bug fixes to enhance FreeBSD's support with this excellent XDR/SIEM and security platform.

* We have created a repository on GitHub to centralize the work and reduce patches in the manager and the agent.
Links: link:https://github.com/alonsobsd/wazuh-freebsd[Repository], link:https://cgit.freebsd.org/ports/commit/?id=b1f52980fe0a34ccaa674408c92869aec9aac4fe[b1f5298]
* Python bundle has been updated to 3.11.15.
Link: link:https://cgit.freebsd.org/ports/commit/?id=c941e5b33dea22c240b2b0bb53dd191bb1e8da4a[c941e5b]
* An issue that prevented wazuh-manager from starting when the MYSQL option was enabled has been fixed.
Link: link:https://cgit.freebsd.org/ports/commit/?id=c941e5b33dea22c240b2b0bb53dd191bb1e8da4a[c941e5b]
* A parsing issue in sysinfo's `getPorts()` function has been fixed.
Link: link:https://cgit.freebsd.org/ports/commit/?id=35fcd6a4cc00bedfe350da9503d4d09d3e914006[35fcd6a]
* Support for FreeBSD has been added to asyncinotify library that prevents Wazuh API starting correctly.
Link: link:https://cgit.freebsd.org/ports/commit/?id=35fcd6a4cc00bedfe350da9503d4d09d3e914006[35fcd6a]
* Now Wazuh uses OpenSearch Dashboards 2.19.4.
Link: link:https://cgit.freebsd.org/ports/commit/?id=b1f52980fe0a34ccaa674408c92869aec9aac4fe[b1f5298]
* sysinfo module can now obtain users and groups information.
Link: link:https://cgit.freebsd.org/ports/commit/?id=e9cebac52c06bab51b406304d7e5a6397fddec77[e9cebac]
* An issue between the agent and the manager that prevented a successful active state for TCP connections has been fixed, and now this protocol is the default instead of UDP.
Link: link:https://cgit.freebsd.org/ports/commit/?id=055d5c96c56d8cc876451ccb9b0eb80bcac8d72a[055d5c9], link:https://cgit.freebsd.org/ports/commit/?id=508a8c8d4b9b836cc1effee7b5f462a53c644501[508a8c8]
* FreeBSD SCA, decoders and rules files were updated, fixing conflict issues.
Links: link:https://cgit.freebsd.org/ports/commit/?id=055d5c96c56d8cc876451ccb9b0eb80bcac8d72a[055d5c9], link:https://cgit.freebsd.org/ports/commit/?id=508a8c8d4b9b836cc1effee7b5f462a53c644501[508a8c8]
* A problem with Python scripts in the manager prevented their correct execution when the `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` environment variable is not set.
Link: link:https://cgit.freebsd.org/ports/commit/?id=8bd6c77634f475a0ff31bda46b4c04f91fa74d79[8bd6c77]
* The sysinfo's `getSerialNumber()` function has been improved, so the manager and the agent can now use the `kern.hostuuid` sysctl to uniquely identify devices.
Link: link:https://cgit.freebsd.org/ports/commit/?id=284813ec0382a2bfe5b2e74a3081a67599d3155d[284813e]
* An issue in wazuh-modulesd has been fixed that caused a SIGSEGV while decompressing the vulnerability detection database and accesses to an unitialized structure.
Link: link:https://cgit.freebsd.org/ports/commit/?id=d3c13b6b24ec7d9be58f0ebd3a2c7d0a2e7b7d79[d3c13b6]
* An issue in the agent has been fixed that caused a "permission error" due to an incorrect owner in the [.filename]#etc/clients.keys# file.
Link: link:https://cgit.freebsd.org/ports/commit/?id=c74ab75450040f0367851979ff46cd64d74d6a1f[c74ab75]
* package:security/wazuh-server[] switched from beats7 to beats8.
Link: link:https://cgit.freebsd.org/ports/commit/?id=ce6831e12ecbcdbce6a1b4fb2988b9663e370a78][ce6831e]
* Fixed a segmentation fault in wazuh-modulesd when man:pkg[8] is not installed on the system and sysinfo's `getPackages()` function is trying to obtain information about installed packages.
Now this function has been reimplemented to use SQLite.
Link: link:https://cgit.freebsd.org/ports/commit/?id=ff957155fa2a7ee01ceeec45b1fb75d80f856c58[ff95715], link:https://cgit.freebsd.org/ports/commit/?id=a4242bfeafc2dd423cf145060abb9b5562958c72[a4242bf]
* Apply man:dos2unix[1] to Wazuh API's [.filename]#api.yaml# file.
Link: link:https://cgit.freebsd.org/ports/commit/?id=a4242bfeafc2dd423cf145060abb9b5562958c72[a4242bf]
* An issue with wazuh-apid has been fixed that prevents it to start correctly, marking itself as DOWN, when `security.bsd.see_other_{u,g}ids` is set to `0`.
Link: link:https://cgit.freebsd.org/ports/commit/?id=c86d3fc116b3437ff3351e8e886926175aaec2b1[c86d3fc]
* A page has been created on the FreeBSD wiki to centralize the work we have done and what remains to be done.
Link: link:https://wiki.FreeBSD.org/Wazuh[Wiki]

Makejails for Wazuh has been improved and now mimics the official Dockerfiles, so users familiar with it can easily deploy all Wazuh components using link:https://github.com/DtxdF/AppJail[AppJail] and link:https://github.com/DtxdF/director[Director]:

* link:https://github.com/AppJail-makejails/wazuh-manager[wazuh-manager]
* link:https://github.com/AppJail-makejails/wazuh-agent[wazuh-agent]
* link:https://github.com/AppJail-makejails/wazuh-indexer[wazuh-indexer]
* link:https://github.com/AppJail-makejails/wazuh-certs-tool[wazuh-certs-tool]
* link:https://github.com/AppJail-makejails/wazuh-dashboard[wazuh-dashboard]

This also adds cluster-mode infrastructure for Makejails.

Vulnerability detection is not yet implemented in FreeBSD, but link:https://github.com/DtxdF/serpico[Serpico] has been developed to address this deficiency.
Serpico is a security scanner for FreeBSD packages and releases that compares versions against a list of versions marked as vulnerable and displays vulnerability information in a compact JSON format for easy analysis with other security tools.
The package includes rules for Wazuh and a dashboard that can be easily installed via the web-UI or the OpenSearch Dashboards API.

Current version: 4.14.3