This is a notification of a potential security issue in the Wazuh Windows agent. If you do not use Wazuh, then you can disregard this notification.
Summary
Version 3.13 of the Windows Wazuh agent installs with incorrect permissions on ossec.conf which could allow users to escalate privileges. However, most users configure the Wazuh agent using the Wazuh Agent Manager utility, which then sets the permissions correctly. If you don't use the Wazuh Agent Manager utility for configuration, then you may need to manually fix the permissions on ossec.conf. For more information, please see https://github.com/Security-Onion-Solutions/securityonion/discussions/9390. Thanks to jakko10 for notifying us of this issue.
Discussion
First, it's important to note that Wazuh is an optional component of Security Onion and does not have to be enabled. Furthermore, the issue exists in the Windows agent itself and not the Wazuh server that runs on the Security Onion node. Finally, most users configure the Wazuh agent using the Wazuh Agent Manager which sets the permissions correctly.
If you are using Wazuh and have deployed the agent to Windows machines without using the Wazuh Agent Manager, then you may want to manually change the permissions on the ossec.conf file.
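To find out whether a given agent needs that manual change, the following added example (not part of the original notification and not Wazuh or Security Onion code) lists every Allow entry on ossec.conf that gives write-capable rights to anyone other than SYSTEM or the local Administrators group. The function name is hypothetical, the path must be supplied by you because this page does not state it, and treating only those two principals as trusted is an assumption.

```powershell
# Added example: report ACL entries on ossec.conf that let non-administrative
# principals modify the file. Read-only; it changes nothing on the host.
function Get-NonAdminWriteAce {
    param(
        # Full path to the agent's ossec.conf on this host (not given on this page).
        [Parameter(Mandatory)][string]$Path
    )

    # Assumption: only these well-known SIDs should be able to write the file.
    # Matching on SIDs avoids localized group names.
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )

    # Rights that allow changing the content, deleting the file, or rewriting
    # its ACL or owner, plus the raw GENERIC_WRITE and GENERIC_ALL bits.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $mask   = [int]$rights -bor 0x40000000 -bor 0x10000000

    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Explicit and inherited entries are both evaluated.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        # Resolve the SID to a name for the report; keep the SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (placeholder path, replace with the real install location):
# Get-NonAdminWriteAce -Path '<agent install directory>\ossec.conf'
```

An empty result means no entry outside the trusted set can modify the file; any row returned is a candidate for the manual permission fix, and rows with Inherited set to True point at the parent directory's ACL as the source.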
Unrelated to this issue, we plan to remove Wazuh in Security Onion 2.4. Therefore, you may want to take this opportunity to switch to a different endpoint agent like Winlogbeat:
https://docs.securityonion.net/en/2.3/beats.html
Questions
If you have any questions, please start a new discussion at https://securityonion.net/discuss.