Testing 4.0.4-7.10.0

[Desvelao]

Wazuh	Elastic	Rev
4.0.4	7.10.0	4016

Description
Testing.

Test with browsers:

• Chrome
• Firefox
• Safari

Test with the theme:

• Light
• Dark

Checks:

• General checks
• ODFE 1.12.0
• X-Pack

[Desvelao]

General checks

Chrome

Filter checks (Modules)

• "Module/Dashboard -> Add rule.level:7 -> Go to Module/Events" Filters shouldn't change
• "Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Module/Events" Filters shouldn't change
• "Module/Dashboard -> Add rule.level:7 -> Go to Module/FIM/Dashboard" The filter "rule.level:7" is removed
• "Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Module/FIM/Dashboard" The filter "rule.level:7" persists
• "Module/Events -> Add rule.level:7 -> Go to Module/FIM/Dashboard" The filter "rule.level:7" is removed
• "Module/Events -> Add rule.level:7 and make it pinned -> Go to Module/FIM/Dashboard" The filter "rule.level:7" persists
• "Module/Events -> Add rule.level:7 -> Go to Module/Dashboard" Filters shouldn't change
• "Module/Events -> Add rule.level:7 and make it pinned -> Go to Module/Dashboard" Filters shouldn't change
• "Module/Dashboard -> Add rule.level:7 -> Go to Agent any Module/Dashboard" The filter "rule.level:7" is removed
• "Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Agent any Module/Dashboard" The filter "rule.level:7" persists
• "Agent any Module/Dashboard -> Add rule.level:7 -> Go to Agent any Module/Events" Filters shouldn't change
• "Agent any Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Agent any Module/Events" Filters shouldn't change
• "Agent any Module/Dashboard -> Add rule.level:7 -> Go to Agent FIM/Dashboard" The filter "rule.level:7" is removed
• "Agent any Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Agent FIM/Dashboard" The filter "rule.level:7" persists
• "Agent any Module/Events -> Add rule.level:7 -> Go to Agent FIM/Dashboard" The filter "rule.level:7" is removed
• "Agent any Module/Events -> Add rule.level:7 and make it pinned -> Go to Agent FIM/Dashboard" The filter "rule.level:7" persists
• "Agent any Module/Events -> Add rule.level:7 -> Go to Agent any Module/Dashboard" Filters shouldn't change
• "Agent any Module/Events -> Add rule.level:7 and make it pinned -> Go to Agent any Module/Dashboard" Filters shouldn't change
• "Agent any Module/Dashboard -> Add rule.level:7 -> Go to Module/Dashboard" The filter "rule.level:7" is removed
• "Agent any Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Module/FIM/Dashboard" The filter "rule.level:7" persists

Modules views

• Review that we are not showing non-applicable modules depending on the agent OS.
• Check the FIM table inside FIM is showing information properly.
• Check all SCA tables.

Query bar

• Simple search, example: "ssh".
• Left wildcard search, example: "*ssh".
• Right wildcard search, example: "ssh*".
• Both sides wildcard search, example: "*ssh*". (its slowness is a known issue)
• Filter search, example: "rule.level >= 10".
• Multiple queries, example "rule.level >= 10 and agent.name : "pop-os"".

Visualizations

• Click on the lens of a field to apply a filter.
• Using the mouse, select a period of time on a time-based visualization.
• Dashboards with no alerts for the selected time range should not be broken.
• Dashboards with no alerts for any time range should not be broken and should not show any toaster.
• See at least one time every visualization of every dashboard. None of the visualizations should be broken (obviously).

Events related checks

• View surrounding documents should work
• View single document should work
• View the source of a document should work
• New links to flyouts works
• New redirection should work.

Overview UI

• Check the settings modules tab for enabling/disabling extensions.
• Metrics for agents should show values (including 0 if there are no agents).
• F5 on the page should keep the selected extensions.
• If an extension is disabled, it should not appear in menus.

Reporting

• Should work with no custom filters.
• Using custom filters, the report must apply the custom filters.
• Using custom filters and custom query, the report must apply the custom filters and the custom query.
• Using a custom query, the report must apply the custom query.
• Generate a report for Inventory.

Management - Status

• Metrics for agents should show values (including 0 if there are no agents).
• If the cluster is enabled, it should show a node selector.
• If the cluster is enabled, it should show a button for restarting the cluster, it should restart it after pressing the button.
• If the cluster is enabled, changing node should refresh the view.
• Check that every daemon metric is consistent.
• If there are one or more agents, it should show the "Last registered agent" box next to the manager box.

Management home UI

• Should show two cards with the different sections

Management - Cluster

• The load time should be fast, with no timeouts.
• Timelions should show data.
• The Overview should show Top 5 nodes visualization and information about the cluster.
• The nodes list should show all nodes.
• The node detail should show Alerts over time visualization and information about the node.

Management - Logs

• If the cluster is enabled, it should show a node selector.
• If the cluster is enabled, changing the node should refresh the view.
• Daemon selector should filter the output by the selected daemon.
• Level selector should filter the output by the selected level.
• Descending sort should apply a descending sort.
• Search bar should filter the output.
• Play real-time should append new logs on the fly.
• Formatted should export the output in a file for downloading it.

Management - Reporting

• If there are no reports, the table should be empty.
• If there are reports, they should be downloadable and removable.

Management - Ruleset

• List rules.
• List custom rules.
• List decoders.
• List custom decoders.
• Edit custom rules.
• Edit custom decoders.
• List CDB lists.
• Create, update CDB lists.
• Click on file column values should open the file content.
• Click on a rule should open the rule details.
• Click on a decoder should open the decoder details.
• Click on a CDB list should open the CDB list details.

Management - Groups

• List groups.
• Search groups.
• Create groups.
• Remove a group.
• Add one agent to a group.
• Add more than one agent to a group.
• Remove an agent from a group.
• Remove more than one agent from a group.
• Edit group configuration.
• Export group details in PDF using granular options.
• Export group details in PDF with no granular options.
• "Formatted" should export the output for the different tables.
• Click on an agent should redirect to the agent view.

Management - Configuration

• Check that all sections are working as expected.
• Edit the "ossec.conf" using the Edit configuration link. Edit, Save, Restart a node, Change node should be working as expected.

DevTools

If admin mode is enabled:

• Check autocomplete is working for endpoint url suggestions
• Check autocomplete is working for endpoint parameters suggestions
• Check the request is working
• The history must be stored in the browser session storage.
• Malformed queries should show information messages about the error.
• The output should be the same as doing a direct "curl".
• The download button should show a tooltip and download the output JSON.

Agents preview

• If there are no agents yet, the interactive guide should appear.
• The status chart should be consistent.
• The status metrics should be consistent.
• Last registered agent and most active agent should show agents or "-" depending on the environment.
• All available selectors on the search bar should work.
• Complex searches with multiple filters should work.
• "Formatted" button should export the list, try it against 14.000 agents.
• Sort the table.
• Refresh the table using "Refresh"
• Check that links in rows are working.
• Add a new agent should open the interactive guide.
  • Changing OS should refresh the snippet.
  • Changing OS architecture should refresh the snippet.
  • Filling the IP should refresh the snippet.
  • Click on close should close the guide.
  • Click on the copy icon should copy the snippet.

Agent specific view UI

• The configuration can't be edited.
• Export the agent configuration in PDF using granular options.
• Export the agent configuration in PDF with no granular options.
• Check all the Inventory tables.
• Check the agent status indicator on top of the view.
• If a plugin is disabled or not compatible, it should not appear in More menu.

App menu

• Should be visible always, even if we change the state.
• Should show the index pattern.
• If there is more than one index pattern, show a list selector.
• Should show the selected API.
• If there is more than one API, show a list selector.
• Every link should redirect you to the right section.

Settings

• Change the index pattern.
• Edit app settings.
• Show app logs.
• Review the About section. Check the app version, Kibana version, app revision, and installation date values.

Firefox

Filter checks (Modules)

• "Module/Dashboard -> Add rule.level:7 -> Go to Module/Events" Filters shouldn't change
• "Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Module/Events" Filters shouldn't change
• "Module/Dashboard -> Add rule.level:7 -> Go to Module/FIM/Dashboard" The filter "rule.level:7" is removed
• "Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Module/FIM/Dashboard" The filter "rule.level:7" persists
• "Module/Events -> Add rule.level:7 -> Go to Module/FIM/Dashboard" The filter "rule.level:7" is removed
• "Module/Events -> Add rule.level:7 and make it pinned -> Go to Module/FIM/Dashboard" The filter "rule.level:7" persists
• "Module/Events -> Add rule.level:7 -> Go to Module/Dashboard" Filters shouldn't change
• "Module/Events -> Add rule.level:7 and make it pinned -> Go to Module/Dashboard" Filters shouldn't change
• "Module/Dashboard -> Add rule.level:7 -> Go to Agent any Module/Dashboard" The filter "rule.level:7" is removed
• "Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Agent any Module/Dashboard" The filter "rule.level:7" persists
• "Agent any Module/Dashboard -> Add rule.level:7 -> Go to Agent any Module/Events" Filters shouldn't change
• "Agent any Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Agent any Module/Events" Filters shouldn't change
• "Agent any Module/Dashboard -> Add rule.level:7 -> Go to Agent FIM/Dashboard" The filter "rule.level:7" is removed
• "Agent any Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Agent FIM/Dashboard" The filter "rule.level:7" persists
• "Agent any Module/Events -> Add rule.level:7 -> Go to Agent FIM/Dashboard" The filter "rule.level:7" is removed
• "Agent any Module/Events -> Add rule.level:7 and make it pinned -> Go to Agent FIM/Dashboard" The filter "rule.level:7" persists
• "Agent any Module/Events -> Add rule.level:7 -> Go to Agent any Module/Dashboard" Filters shouldn't change
• "Agent any Module/Events -> Add rule.level:7 and make it pinned -> Go to Agent any Module/Dashboard" Filters shouldn't change
• "Agent any Module/Dashboard -> Add rule.level:7 -> Go to Module/Dashboard" The filter "rule.level:7" is removed
• "Agent any Module/Dashboard -> Add rule.level:7 and make it pinned -> Go to Module/FIM/Dashboard" The filter "rule.level:7" persists

Modules views

• Review that we are not showing non-applicable modules depending on the agent OS.
• Check the FIM table inside FIM is showing information properly.
• Check all SCA tables.

Query bar

• Simple search, example: "ssh".
• Left wildcard search, example: "*ssh".
• Right wildcard search, example: "ssh*".
• Both sides wildcard search, example: "*ssh*". (its slowness is a known issue)
• Filter search, example: "rule.level >= 10".
• Multiple queries, example "rule.level >= 10 and agent.name : "pop-os"".

Visualizations

• Click on the lens of a field to apply a filter.
• Using the mouse, select a period of time on a time-based visualization.
• Dashboards with no alerts for the selected time range should not be broken.
• Dashboards with no alerts for any time range should not be broken and should not show any toaster.
• See at least one time every visualization of every dashboard. None of the visualizations should be broken (obviously).

Events related checks

• View surrounding documents should work
• View single document should work
• View the source of a document should work
• New links to flyouts works
• New redirection should work.

Overview UI

• Check the settings modules tab for enabling/disabling extensions.
• Metrics for agents should show values (including 0 if there are no agents).
• F5 on the page should keep the selected extensions.
• If an extension is disabled, it should not appear in menus.

Reporting

• Should work with no custom filters.
• Using custom filters, the report must apply the custom filters.
• Using custom filters and custom query, the report must apply the custom filters and the custom query.
• Using a custom query, the report must apply the custom query.
• Generate a report for Inventory.

Management - Status

• Metrics for agents should show values (including 0 if there are no agents).
• If the cluster is enabled, it should show a node selector.
• If the cluster is enabled, it should show a button for restarting the cluster, it should restart it after pressing the button.
• If the cluster is enabled, changing node should refresh the view.
• Check that every daemon metric is consistent.
• If there are one or more agents, it should show the "Last registered agent" box next to the manager box.

Management home UI

• Should show two cards with the different sections

Management - Cluster

• The load time should be fast, with no timeouts.
• Timelions should show data.
• The Overview should show Top 5 nodes visualization and information about the cluster.
• The nodes list should show all nodes.
• The node detail should show Alerts over time visualization and information about the node.

Management - Logs

• If the cluster is enabled, it should show a node selector.
• If the cluster is enabled, changing the node should refresh the view.
• Daemon selector should filter the output by the selected daemon.
• Level selector should filter the output by the selected level.
• Descending sort should apply a descending sort.
• Search bar should filter the output.
• Play real-time should append new logs on the fly.
• Formatted should export the output in a file for downloading it.

Management - Reporting

• If there are no reports, the table should be empty.
• If there are reports, they should be downloadable and removable.

Management - Ruleset

• List rules.
• List custom rules.
• List decoders.
• List custom decoders.
• Edit custom rules.
• Edit custom decoders.
• List CDB lists.
• Create, update CDB lists.
• Click on file column values should open the file content.
• Click on a rule should open the rule details.
• Click on a decoder should open the decoder details.
• Click on a CDB list should open the CDB list details.

Management - Groups

• List groups.
• Search groups.
• Create groups.
• Remove a group.
• Add one agent to a group.
• Add more than one agent to a group.
• Remove an agent from a group.
• Remove more than one agent from a group.
• Edit group configuration.
• Export group details in PDF using granular options.
• Export group details in PDF with no granular options.
• "Formatted" should export the output for the different tables.
• Click on an agent should redirect to the agent view.

Management - Configuration

• Check that all sections are working as expected.
• Edit the "ossec.conf" using the Edit configuration link. Edit, Save, Restart a node, Change node should be working as expected.

DevTools

If admin mode is enabled:

• Check autocomplete is working for endpoint url suggestions
• Check autocomplete is working for endpoint parameters suggestions
• Check the request is working
• The history must be stored in the browser session storage.
• Malformed queries should show information messages about the error.
• The output should be the same as doing a direct "curl".
• The download button should show a tooltip and download the output JSON.

Agents preview

• If there are no agents yet, the interactive guide should appear.
• The status chart should be consistent.
• The status metrics should be consistent.
• Last registered agent and most active agent should show agents or "-" depending on the environment.
• All available selectors on the search bar should work.
• Complex searches with multiple filters should work.
• "Formatted" button should export the list, try it against 14.000 agents.
• Sort the table.
• Refresh the table using "Refresh"
• Check that links in rows are working.
• Add a new agent should open the interactive guide.
  • Changing OS should refresh the snippet.
  • Changing OS architecture should refresh the snippet.
  • Filling the IP should refresh the snippet.
  • Click on close should close the guide.
  • Click on the copy icon should copy the snippet.

Agent specific view UI

• The configuration can't be edited.
• Export the agent configuration in PDF using granular options.
• Export the agent configuration in PDF with no granular options.
• Check all the Inventory tables.
• Check the agent status indicator on top of the view.
• If a plugin is disabled or not compatible, it should not appear in More menu.

App menu

• Should be visible always, even if we change the state.
• Should show the index pattern.
• If there is more than one index pattern, show a list selector.
• Should show the selected API.
• If there is more than one API, show a list selector.
• Every link should redirect you to the right section.

Settings

• Change the index pattern.
• Edit app settings.
• Show app logs.
• Review the About section. Check the app version, Kibana version, app revision, and installation date values.

Misc

• Test all settings from wazuh.yml.
• Kibana dark mode should work properly, all the app theme should be consistent with the dark theme of Kibana.

Backend Jobs

• Monitoring

  • Create wazuh-agent template
  • Indices are created. (The internal user needs permissions for manage this indices.)

• Statistics

  • Indices are created. (The internal user needs permissions to manage these indices.)

Infrastructure and others

• Installing the plugin using kibana-plugin install file:///wazuhapp.zip should work.
• Installing the plugin using kibana-plugin install https://plugin/url/wazuhapp.zip should work.

[Desvelao]

ODFE 1.12.0 checks

Index patterns creations

• alerts, monitoring and statistics index pattern should be created in the health check
  • Global tenant
  • Private tenant

RBAC

• Check the app works with the run_as host setting using the authentication context. Create a user and assign a specific role. For example, a user with the readonly Wazuh API role.
• Some sections can't be accessed without administrator role.

[Desvelao]

X-Pack checks

Index patterns creations

• alerts, monitoring and statistics index pattern should be created in the health check
  • Default space
  • Custom space

RBAC

• Check the app works with the run_as host setting using the authentication context. Create a user and assign a specific role. For example, a user with the readonly Wazuh API role.
• Some sections can't be accessed without administrator role.

[frankeros]

The table pagination doesn't work in SCA check list
When a page number is clicked.

Update:
PR to resolve: #2815

[frankeros]

The Kibana pop up should not be displayed

Update:
PR to resolve #2806

[frankeros]

When you try to change a rule or decoder and restart the cluster this happens

Update:
PR to resolve #2820

[s-ocando]

RBAC fails to provide access to specific agents

A user with access to a limited number of agents (2 out of 4) gets a correct agent count in the "Modules overview" page but can't access the Agents section (and in consequence can't see the agents summary or SCA information).

A very common use-case is to provide access to a group of agents to specific users associated with those endpoints (departments, MSSP customers, etc)

---

PR #2838

[jctello]

Related to what is mentioned here the Rows per page selector doesn't work (it's always stuck at 10 rows):

Update:
PR to resolve: #2815

[jctello]

Selecting Security configuration assessment breaks the formatting of the Modules directory in the drop-down menu.

I mean that the Auditing and Policy Monitoring section of modules gets moved to a second row below the Security information management section.

[frankeros]

RBAC fails to provide access to specific agents

@ s-ocando This is the current behavior for this section, we agree that an enhancement is needed, but we will work out of this issue in a future sprint.
Please feel free to open an enhancement issue with this approach.

Thanks for reporting!

Update:
It was tested in 4.0.3 4014, but it works on 4.0.4 4015

[s-ocando]

I'm attaching a gif to show the current RBAC behaviour (app version 4.0.4-7.9.1 revision 4015). A user is able to see the list of its allowed agents, at first is only able to see agent 001 and by adding permissions to read agent 002 it appears in its list after refreshing. This feature is currently malfunctioning in app 4.0.4-7.10.0 revision 4016.

[frankeros]

I'm attaching a gif to show the current RBAC behaviour (app version 4.0.4-7.9.1 revision 4015). A user is able to see the list of its allowed agents, at first is only able to see agent 001 and by adding permissions to read agent 002 it appears in its list after refreshing. This feature is currently malfunctioning in app 4.0.4-7.10.0 revision 4016.

You're right, we are working on this issue right now.
Thank you very much.

[frankeros]

Selecting Security configuration assessment breaks the formatting of the Modules directory in the drop-down menu.

@jctello I can't reproduce it in Chrome in any reasonable resolution

can you share what browser and resolution are you using to check it, please?

PR #2861

[jctello]

Selecting Security configuration assessment breaks the formatting of the Modules directory in the drop-down menu.

@jctello I can't reproduce it in Chrome in any reasonable resolution

can you share what browser and resolution are you using to check it, please?

Yes, this observed only on Firefox (I'm using 84.0.2) on Linux. It is not observed on Chromium (on Linux) or Firefox 83 on Windows.

[jctello]

The search functionality in file editor is gone. To reproduce go to Management > Configuration > Edit configuration, click on the text box and press Ctrl+F. On the previous version this would give a handy search box within the file.
Console output is:

GEThttps://192.168.40.4/app/ext-searchbox.js
[HTTP/1.1 200 OK 22ms]

The script from “https://192.168.40.4/app/ext-searchbox.js” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type. wazuh
Some cookies are misusing the recommended “SameSite“ attribute 2
Uncaught SyntaxError: expected expression, got '<' ext-searchbox.js:1
Uncaught TypeError: t is undefined
    exec https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    s https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    s https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    i https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    o https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    s https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    onreadystatechange https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    loadScript https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    loadModule https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    exec https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    a https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    _dispatchEvent https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    exec https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    $callKeyboardHandlers https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    onCommandKey https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    onCommandKey https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    l https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
    addCommandKeyListener https://192.168.40.4/35949/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380
kbn-ui-shared-deps.js:380:1175239

---

PR #2843

[Desvelao]

The Techniques container for the MITRE's Framework tab goes out of the window size. This could be happening in the Modules > PCI DSS GDPR HIPAA NIST 800-53 and TSC Controls' tabs too.

PR #2861

[Desvelao]

The statistics indices are being wrongly created with:

• 1 shard
• 1 replica
  Ignore the configuration.
  
  

This should be fixed here #2779, but it not working in my environment.

Fixed: #2858

[CPAlejandro]

I have found an error with styles using Open Distro.

PR #2865

[pablomarga]

Hi team! Testing the app I have found an error when you pinned a filter and then going to Agents section. When you return to any "Module" the dashboard is not displayed.

Grabacion.de.pantalla.2021-01-28.a.las.16.02.59.mov

PR #2864

[Desvelao]

Click in the rule details links don't add a filter in the Management > Rules search bar when access from Modules/any/Events

How to reproduce:

[frankeros]

We need to move the Wazuh menu upper in the Kibana menu

And set the wazuh-alerts-* as the default index pattern when it's created.

PR #2867

[jctello]

PDF reporting can reflect wrong filters as reported here: #2874