From e6c82f69c5f9ff4d98e7a4f397d90d573b4f626d Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Fri, 3 Oct 2025 15:30:58 -0300 Subject: [PATCH] Remove OSquery occurrences --- .../deploying-with-ansible/reference.rst | 6 +- .../use-cases/threat-hunting.rst | 2 - source/release-notes/release-3-7-0.rst | 2 +- .../capabilities/system-inventory/index.rst | 1 - .../capabilities/system-inventory/osquery.rst | 267 ------------------ .../reference/centralized-configuration.rst | 1 - .../reference/daemons/wazuh-modulesd.rst | 4 - .../reference/ossec-conf/index.rst | 3 - .../reference/ossec-conf/wodle-osquery.rst | 159 ----------- .../ruleset/ruleset-xml-syntax/rules.rst | 14 - 10 files changed, 4 insertions(+), 455 deletions(-) delete mode 100644 source/user-manual/capabilities/system-inventory/osquery.rst delete mode 100644 source/user-manual/reference/ossec-conf/wodle-osquery.rst diff --git a/source/deployment-options/deploying-with-ansible/reference.rst b/source/deployment-options/deploying-with-ansible/reference.rst index 70d19ad8d2..948259d0a1 100644 --- a/source/deployment-options/deploying-with-ansible/reference.rst +++ b/source/deployment-options/deploying-with-ansible/reference.rst @@ -224,7 +224,7 @@ Wazuh Manager | | **Variable**: ``wazuh_manager_osquery`` -| **Description**: Configures the :doc:`wodle` item named ``osquery`` from ``ossec.conf``. +| **Description**: Configures the wodle item named ``osquery`` from ``ossec.conf``. | **Default values**: .. code-block:: yaml @@ -1039,7 +1039,7 @@ Wazuh Agent | | **Variable**: ``wazuh_agent_osquery`` -| **Description**: Configures the :doc:`wodle` item named ``osquery`` from ``ossec.conf``. +| **Description**: Configures the wodle item named ``osquery`` from ``ossec.conf``. | **Default values**: .. code-block:: yaml 
@@ -1056,7 +1056,7 @@ Wazuh Agent | | **Variable**: ``wazuh_agent_syscollector`` -| **Description**: Configures the :doc:`wodle ` item named ``syscollector`` from ``ossec.conf``. +| **Description**: Configures the wodle item named ``syscollector`` from ``ossec.conf``. | **Default values**: .. code-block:: yaml diff --git a/source/getting-started/use-cases/threat-hunting.rst b/source/getting-started/use-cases/threat-hunting.rst index f82de16704..20a59fa18b 100644 --- a/source/getting-started/use-cases/threat-hunting.rst +++ b/source/getting-started/use-cases/threat-hunting.rst @@ -90,8 +90,6 @@ Some third-party solutions that Wazuh integrates with to aid threat hunting are: - **URLHaus**: `Integrating URLHaus by abuse.ch `__ with Wazuh amplifies threat intelligence capabilities, empowering users to proactively detect and block malicious URLs in real-time. -- **osquery**: Wazuh provides a module for managing the osquery tool from the Wazuh agents. The osquery module allows security analysts to configure and collect information generated by the osquery. It provides an extra layer for threat hunting capabilities such as configuration management, data collection, custom alerts based on osquery query results, and SQL-like syntax queries. - - **MISP**: We can enrich Wazuh alerts by automating identifications of IOCs and integrating MISP with Wazuh. Wazuh integrates with other tools that aid threat hunting beyond the above-mentioned. It supports third-party integrations for threat intelligence platforms, SIEMs, and messaging platforms using APIs and other integration methods. diff --git a/source/release-notes/release-3-7-0.rst b/source/release-notes/release-3-7-0.rst index ea2151799a..abf33eec5d 100644 --- a/source/release-notes/release-3-7-0.rst +++ b/source/release-notes/release-3-7-0.rst 
@@ -156,7 +156,7 @@ The Wazuh app for Kibana includes new features and interface redesigns to make u - Get the current manager/agent configuration on the redesigned tabs. - Added support for multiple groups feature. - The :doc:`Amazon AWS ` tab has been redesigned to include better visualizations and the module configuration. - - The new :doc:`Osquery ` extension shows scans results from this Wazuh module. + - The new Osquery extension shows scans results from this Wazuh module. - Added a new selector to check the cluster nodes’ status and logs on the *Management > Status/Logs* tabs. - Several bugfixes, performance improvements, and compatibility with the latest Elastic Stack version. diff --git a/source/user-manual/capabilities/system-inventory/index.rst b/source/user-manual/capabilities/system-inventory/index.rst index 6678e46563..bc98f1ddbc 100644 --- a/source/user-manual/capabilities/system-inventory/index.rst +++ b/source/user-manual/capabilities/system-inventory/index.rst @@ -27,4 +27,3 @@ Users can generate system inventory reports from the Wazuh dashboard, which can available-inventory-fields compatibility-matrix using-syscollector-information-to-trigger-alerts - osquery \ No newline at end of file diff --git a/source/user-manual/capabilities/system-inventory/osquery.rst b/source/user-manual/capabilities/system-inventory/osquery.rst deleted file mode 100644 index b1d6bf069c..0000000000 --- a/source/user-manual/capabilities/system-inventory/osquery.rst +++ /dev/null 
@@ -1,267 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: Osquery exposes operating system data. Learn how to explore this data with Wazuh in this section of the Wazuh documentation. - -Osquery -======= - -Wazuh module that allows managing the Osquery tool from the Wazuh agents. It allows setting the Osquery configuration and collecting the information generated by Osquery to send it to the manager, generating the corresponding alerts if necessary. - -- `How it works`_ -- `Configuration`_ -- `Alert examples`_ - -How it works ------------- -Osquery can be used to expose an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. - -Below you can see some examples of the queries you can make: - -List all the local users of the machine. - -.. code-block:: sql - - SELECT * FROM users; - -Get the process name, port, and PID, for processes listening on all interfaces. - -.. code-block:: sql - - SELECT DISTINCT processes.name, listening_ports.port, processes.pid - FROM listening_ports JOIN processes USING (pid) - WHERE listening_ports.address = '0.0.0.0'; - -Check the processes that have a deleted executable. - -.. code-block:: sql - - SELECT * FROM processes WHERE on_disk = 0; - -A complete list of all the available tables can be found `here `_. - -Configuration -------------- - -You need a working Osquery installation in your system. See `downloads page `_ for details. - -Red Hat, CentOS and Fedora: - -- For some distributions, you might need to install ``yum-utils`` first. - -.. code-block:: console - - # curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery - # yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo - # yum-config-manager --enable osquery-s3-rpm-repo - # yum install osquery - -Debian and Ubuntu based Linux distributions: - -.. 
code-block:: console - - # export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B - # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY - # add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main' - # apt-get update - # apt-get install osquery - - -Once installed, you will need a configuration file for Osquery. If you don't have any, you can use the following one provided by Osquery: - -.. code-block:: console - - # cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf - -Or you can copy our custom configuration in ``/etc/osquery/osquery.conf``: - -.. code-block:: json - - { - "options": { - "config_plugin": "filesystem", - "logger_plugin": "filesystem", - "utc": "true" - }, - - "schedule": { - "system_info": { - "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", - "interval": 3600 - }, - "high_load_average": { - "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';", - "interval": 900, - "description": "Report if load charge is over 70 percent." - }, - "low_free_memory": { - "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;", - "interval": 1800, - "description": "Free RAM is under 10%." - } - }, - - "packs": { - "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf", - "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf", - "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf", - "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf", - "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", - "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf" - } - } - -After this enable and start the osquery Daemon: - -.. 
code-block:: console - - systemctl enable osqueryd - systemctl start osqueryd - -And the osquery module must be enabled for the agents where the osquery is running by adding: - -.. code-block:: xml - - - -To their ``/var/ossec/etc/ossec.conf`` file or through :doc:`centralized configuration ` - -.. note:: - More options may be specified as shown in the :doc:`osquery configuration reference ` - -As you can see in this sample configuration, ``system_info``, ``high_load_average`` and ``low_free_memory`` queries will be executed every hour. - -Furthermore, this configuration uses some default packs such as ``osquery-monitoring``, ``hardware-monitoring`` or ``ossec-rootkit`` among others. You can define your own packs and use them with this wodle. - -Alert examples --------------- -Sample alert in log format: - -.. code-block:: none - :class: output - - ** Alert 1532958886.437707: - osquery, - 2018 Jul 30 13:54:46 manager->osquery - Rule: 24010 (level 3) -> 'osquery data grouped' - {"name":"system_info","hostIdentifier":"manager","calendarTime":"Mon Jul 30 13:54:45 2018 UTC","unixTime":1532958885,"epoch":0,"counter":461,"columns":{"cgroup_namespace":"4026531835","cmdline":"","cwd":"/","disk_bytes_read":"0","disk_bytes_written":"0","egid":"0","euid":"0","gid":"0","ipc_namespace":"4026531839","mnt_namespace":"4026531840","name":"migration/0","net_namespace":"4026531957","nice":"0","on_disk":"-1","parent":"2","path":"","pgroup":"0","pid":"9","pid_namespace":"4026531836","resident_size":"","root":"/","sgid":"0","start_time":"0","state":"S","suid":"0","system_time":"2","threads":"1","total_size":"","uid":"0","user_namespace":"4026531837","user_time":"0","uts_namespace":"4026531838","wired_size":"0"},"action":"added"} - name: system_info - hostIdentifier: manager - calendarTime: Mon Jul 30 13:54:45 2018 UTC - unixTime: 1532958885 - epoch: 0 - counter: 461 - columns.cgroup_namespace: 4026531835 - columns.cmdline: - columns.cwd: / - columns.disk_bytes_read: 0 - 
columns.disk_bytes_written: 0 - columns.egid: 0 - columns.euid: 0 - columns.gid: 0 - columns.ipc_namespace: 4026531839 - columns.mnt_namespace: 4026531840 - columns.name: migration/0 - columns.net_namespace: 4026531957 - columns.nice: 0 - columns.on_disk: -1 - columns.parent: 2 - columns.path: - columns.pgroup: 0 - columns.pid: 9 - columns.pid_namespace: 4026531836 - columns.resident_size: - columns.root: / - columns.sgid: 0 - columns.start_time: 0 - columns.state: S - columns.suid: 0 - columns.system_time: 2 - columns.threads: 1 - columns.total_size: - columns.uid: 0 - columns.user_namespace: 4026531837 - columns.user_time: 0 - columns.uts_namespace: 4026531838 - columns.wired_size: 0 - -And the same alert in ``JSON`` format: - -.. code-block:: json - :class: output - - { - "timestamp": "2018-07-30T13:54:46.476+0000", - "rule": { - "level": 3, - "description": "osquery data grouped", - "id": "24010", - "firedtimes": 207, - "mail": false, - "groups": [ - "osquery" - ] - }, - "agent": { - "id": "000", - "name": "manager" - }, - "manager": { - "name": "manager" - }, - "id": "1532958886.437707", - "full_log": "{\"name\":\"system_info\",\"hostIdentifier\":\"manager\",\"calendarTime\":\"Mon Jul 30 13:54:45 2018 
UTC\",\"unixTime\":1532958885,\"epoch\":0,\"counter\":461,\"columns\":{\"cgroup_namespace\":\"4026531835\",\"cmdline\":\"\",\"cwd\":\"/\",\"disk_bytes_read\":\"0\",\"disk_bytes_written\":\"0\",\"egid\":\"0\",\"euid\":\"0\",\"gid\":\"0\",\"ipc_namespace\":\"4026531839\",\"mnt_namespace\":\"4026531840\",\"name\":\"migration/0\",\"net_namespace\":\"4026531957\",\"nice\":\"0\",\"on_disk\":\"-1\",\"parent\":\"2\",\"path\":\"\",\"pgroup\":\"0\",\"pid\":\"9\",\"pid_namespace\":\"4026531836\",\"resident_size\":\"\",\"root\":\"/\",\"sgid\":\"0\",\"start_time\":\"0\",\"state\":\"S\",\"suid\":\"0\",\"system_time\":\"2\",\"threads\":\"1\",\"total_size\":\"\",\"uid\":\"0\",\"user_namespace\":\"4026531837\",\"user_time\":\"0\",\"uts_namespace\":\"4026531838\",\"wired_size\":\"0\"},\"action\":\"added\"}", - "decoder": { - "name": "json" - }, - "data": { - "action": "added", - "name": "system_info", - "hostIdentifier": "manager", - "calendarTime": "Mon Jul 30 13:54:45 2018 UTC", - "unixTime": "1532958885", - "epoch": "0", - "counter": "461", - "columns": { - "cgroup_namespace": "4026531835", - "cmdline": "", - "cwd": "/", - "disk_bytes_read": "0", - "disk_bytes_written": "0", - "egid": "0", - "euid": "0", - "gid": "0", - "ipc_namespace": "4026531839", - "mnt_namespace": "4026531840", - "name": "migration/0", - "net_namespace": "4026531957", - "nice": "0", - "on_disk": "-1", - "parent": "2", - "path": "", - "pgroup": "0", - "pid": "9", - "pid_namespace": "4026531836", - "resident_size": "", - "root": "/", - "sgid": "0", - "start_time": "0", - "state": "S", - "suid": "0", - "system_time": "2", - "threads": "1", - "total_size": "", - "uid": "0", - "user_namespace": "4026531837", - "user_time": "0", - "uts_namespace": "4026531838", - "wired_size": "0" - } - }, - "predecoder": { - "hostname": "manager" - }, - "location": "osquery" - } - -.. note:: - If more than one report with the same content is received, only one alert will be generated the first time. The rest will be discarded. 
diff --git a/source/user-manual/reference/centralized-configuration.rst b/source/user-manual/reference/centralized-configuration.rst index 88af67964e..bb1c2874f4 100644 --- a/source/user-manual/reference/centralized-configuration.rst +++ b/source/user-manual/reference/centralized-configuration.rst @@ -19,7 +19,6 @@ Agents can be configured remotely by using the ``agent.conf`` file. The followin - :doc:`Security Configuration Assessment <../capabilities/sec-config-assessment/index>` (**sca**) - :doc:`System inventory <../capabilities/system-inventory/index>` (**syscollector**) - :doc:`Avoid events flooding ` (**client_buffer**) -- :doc:`Configure osquery wodle ` (**wodle name="osquery"**) .. note:: When setting up remote commands in the shared agent configuration, **you must enable remote commands for Agent Modules**. This is enabled by adding the following line to the ``/var/ossec/etc/local_internal_options.conf`` file in the agent: diff --git a/source/user-manual/reference/daemons/wazuh-modulesd.rst b/source/user-manual/reference/daemons/wazuh-modulesd.rst index bde525e6e7..01fc7b0890 100644 --- a/source/user-manual/reference/daemons/wazuh-modulesd.rst +++ b/source/user-manual/reference/daemons/wazuh-modulesd.rst @@ -45,10 +45,6 @@ The wazuh-modulesd program manages the Wazuh modules described below. The Vulnerability Detector module detects applications that are known to be vulnerable (affected by a CVE). -.. topic:: Osquery wodle - - The Osquery wodle provides the user with an operating system instrumentation tool that makes low-level operating system analytics and monitoring both efficient and intuitive using SQL-based queries. For more information, read through the documentation for :doc:`osquery integration `. - .. topic:: SCA module The :ref:`SCA module ` allows users to check the system configuration against policy files to determine vulnerabilities and misconfigurations. 
diff --git a/source/user-manual/reference/ossec-conf/index.rst b/source/user-manual/reference/ossec-conf/index.rst index b14f1a02aa..596cf56be0 100644 --- a/source/user-manual/reference/ossec-conf/index.rst +++ b/source/user-manual/reference/ossec-conf/index.rst @@ -107,8 +107,6 @@ Wazuh can be installed in two ways: as a manager by using the "server/manager" i +---------------------------------------------------------------------+------------------------+ | :doc:`wodle name="docker-listener" ` | manager, agent | +---------------------------------------------------------------------+------------------------+ -| :doc:`wodle name="osquery" ` | manager, agent | -+---------------------------------------------------------------------+------------------------+ | :doc:`wodle name="syscollector" ` | manager, agent | +---------------------------------------------------------------------+------------------------+ | :doc:`gcp-pubsub ` | manager, agent | @@ -162,7 +160,6 @@ All of the above sections must be located within the top-level ``` wodle-s3 wodle-syscollector wazuh-db-config - wodle-osquery wodle-docker wodle-azure-logs wodle-agent-key-polling diff --git a/source/user-manual/reference/ossec-conf/wodle-osquery.rst b/source/user-manual/reference/ossec-conf/wodle-osquery.rst deleted file mode 100644 index e04c59d13d..0000000000 --- a/source/user-manual/reference/ossec-conf/wodle-osquery.rst +++ /dev/null 
@@ -1,159 +0,0 @@ -.. Copyright (C) 2015, Wazuh, Inc. - -.. meta:: - :description: Find out the configuration options of the osquery wodle. Learn more about it in this section of the Wazuh documentation. - -.. _wodle-osquery: - -wodle name="osquery" -========================== - -.. topic:: XML section name - - .. code-block:: xml - - - - -Configuration options of the osquery wodle. - -.. warning:: - Osquery is not installed by default. It is an open source software that you have to obtain for using this module. - - -Options -------- - -- `disabled`_ -- `run_daemon`_ -- `bin_path`_ -- `log_path`_ -- `config_path`_ -- `add_labels`_ -- `pack`_ - -+----------------------+-----------------------------+ -| Options | Allowed values | -+======================+=============================+ -| `disabled`_ | yes, no | -+----------------------+-----------------------------+ -| `run_daemon`_ | yes, no | -+----------------------+-----------------------------+ -| `bin_path`_ | Any valid path | -+----------------------+-----------------------------+ -| `log_path`_ | Any valid path | -+----------------------+-----------------------------+ -| `config_path`_ | Any valid path | -+----------------------+-----------------------------+ -| `add_labels`_ | yes, no | -+----------------------+-----------------------------+ -| `pack`_ | Any available pack | -+----------------------+-----------------------------+ - - -disabled -^^^^^^^^ - -Disable the osquery wodle. - -+--------------------+---------+ -| **Default value** | no | -+--------------------+---------+ -| **Allowed values** | yes, no | -+--------------------+---------+ - -run_daemon -^^^^^^^^^^ - -Makes the module run `osqueryd` as a subprocess or lets the module monitor the results log without running Osquery. 
- -+--------------------+---------+ -| **Default value** | yes | -+--------------------+---------+ -| **Allowed values** | yes, no | -+--------------------+---------+ - -bin_path -^^^^^^^^ - -Full path to the folder that contains the `osqueryd` executable. - -+-------------------------------+------------------------------------------------------+ -| **Default value on Linux** | Empty | -+-------------------------------+------------------------------------------------------+ -| **Default value on Windows** | C:\\Program Files\\osquery\\osqueryd | -+-------------------------------+------------------------------------------------------+ -| **Allowed values** | Any valid path | -+-------------------------------+------------------------------------------------------+ - -log_path -^^^^^^^^ - -Full path to the results log written by Osquery. - -+-------------------------------+-------------------------------------------------------+ -| **Default value on Linux** | /var/log/osquery/osqueryd.results.log | -+-------------------------------+-------------------------------------------------------+ -| **Default value on Windows** | C:\\Program Files\\osquery\\log\\osqueryd.results.log | -+-------------------------------+-------------------------------------------------------+ -| **Allowed values** | Any valid path | -+-------------------------------+-------------------------------------------------------+ - -config_path -^^^^^^^^^^^ - -Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. 
- -+-------------------------------+------------------------------------------------------+ -| **Default value on Linux** | /etc/osquery/osquery.conf | -+-------------------------------+------------------------------------------------------+ -| **Default value on Windows** | C:\\Program Files\\osquery\\osquery.conf | -+-------------------------------+------------------------------------------------------+ -| **Allowed values** | Any valid path | -+-------------------------------+------------------------------------------------------+ - -add_labels -^^^^^^^^^^ - -Add the agent labels defined as decorators. - -+--------------------+---------+ -| **Default value** | yes | -+--------------------+---------+ -| **Allowed values** | yes, no | -+--------------------+---------+ - -pack -^^^^ - -Add a query pack to the configuration. This option can be defined multiple times. - -+--------------------+---------------------------------+ -| **Default value** | Empty | -+--------------------+---------------------------------+ -| **Allowed values** | Path to pack configuration file | -+--------------------+---------------------------------+ - -Attributes: - -+----------+----------------------+ -| **name** | Name for this pack | -| +----------------+-----+ -| | Allowed values | Any | -+----------+----------------+-----+ - - -Example of configuration ------------------------- - -.. code-block:: xml - - - no - yes - /usr/bin - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - no - /path/to/custom_pack.conf - diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index 94e46d3bcd..9263596dad 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst 
@@ -1128,23 +1128,9 @@ The following components use a static location: +----------------------+------------------------+ | Docker integration | Wazuh-Docker | +----------------------+------------------------+ -| Osquery integration | osquery | -+----------------------+------------------------+ | SCA module | sca | +----------------------+------------------------+ -Example: - -.. code-block:: xml - :emphasize-lines: 2 - - - osquery$ - osquery message - - -This rule groups logs that come from the ``osquery`` location. - The attributes below are optional. +-------------+-----------------------------------------+-------------+---------------+
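Review bot: the three deploying-with-ansible/reference.rst hunks (`@@ -224`, `@@ -1039`, `@@ -1056`) only strip the `:doc:` role and leave the `wazuh_manager_osquery` and `wazuh_agent_osquery` entries in place, so the Ansible page keeps telling readers how to configure a wodle whose reference page (wodle-osquery.rst) this same patch deletes; either drop those two variable entries as well or keep them with a sentence stating that the module requires a separately installed osquery and has no reference page. The `@@ -1056` hunk also removes the cross-reference from `wazuh_agent_syscollector`, whose target page `wodle-syscollector` still exists (it stays in the ossec-conf toctree in this patch), so that link should be restored rather than reduced to plain "wodle".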
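Review bot: the release-3-7-0.rst hunk leaves "The new Osquery extension shows scans results from this Wazuh module." dangling without a link; dropping the role is right because the target page is deleted, but since the line is being touched anyway, fix "scans results" to "scan results", and keep the sentence itself, because release notes record what shipped in 3.7.0 regardless of the current documentation set.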
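Review bot: the two `deleted file mode 100644` entries remove pages that carry an explicit Sphinx label (`.. _wodle-osquery:`) and are linked from elsewhere in the tree (the hunks here remove links in the centralized-configuration list, the wazuh-modulesd topic and the ossec-conf table, but nothing guarantees those were the only ones); any remaining `:ref:`wodle-osquery`` or `:doc:` reference to `system-inventory/osquery` or `ossec-conf/wodle-osquery` will fail the docs build, and external bookmarks to those URLs will 404. Grep the source tree for `wodle-osquery` and `system-inventory/osquery` before merging and add redirects for the removed URLs if the site supports them.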
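Review bot: the rules.rst hunk deletes the only worked example for the `location` rule option together with the `Osquery integration | osquery` table row. Removing the row is consistent with the rest of the patch, but rather than dropping the example entirely, rewrite it around one of the static locations that remain in the table (for instance `sca` or `Wazuh-Docker`), so the section still shows how a rule matches on a static location and how the highlighted line is used.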