Rocky Linux 9.7 Support: Allocator Module Update

by Alex Johnson

A security platform is only as complete as its coverage of the operating systems it runs on, so each new OS release has to be validated before users move to it. This article describes the plan to support Rocky Linux 9.7 within the Wazuh ecosystem, with a particular focus on updating the allocator module. Rocky Linux 9.7 ships updated system libraries and security fixes, and users who rely on Wazuh for threat detection, incident response and compliance need the agent and the central components validated on it before they upgrade.

Understanding the Importance of OS Support

A new OS release typically changes system libraries, kernel features and default security settings. Wazuh interacts closely with the underlying OS to collect logs, monitor file integrity, assess configuration and detect vulnerabilities, so a release it has not been validated on can silently break one of those data sources and leave a blind spot in coverage. Supporting a new OS therefore involves development, testing and deployment work, not just a version bump in the package metadata.

The Role of the Allocator Module

The allocator module provisions and manages the resources, virtual machines and container images, that the project uses to test and deploy Wazuh components. Updating it for Rocky Linux 9.7 means teaching it to recognise the new OS, select the right base images for each supported architecture, and configure the provisioned resources appropriately. Because every other task in the plan runs on environments the allocator creates, this update is a prerequisite for the rest of the support work, and a correctly updated allocator is what makes reproducible Rocky Linux 9.7 test environments possible.

Plan for Rocky Linux 9.7 Support

The plan covers the whole Wazuh ecosystem, from the agent to the central components, and is split into tasks for the DevOps, QA and development teams so that each area of compatibility has a clear owner.

Key Components of the Support Plan

  1. Testing and Quality Assurance (QA):
    • Testing Environment: Deploy Rocky Linux 9.7 in our testing environment, using virtual machines for each supported architecture (AMD64 & ARM64). If central components are not yet fully supported, a Debian 12 VM will be used for those components in the interim.
    • Comprehensive Testing Tasks: Execute a series of tests to validate Wazuh's functionality on Rocky Linux 9.7. This includes enrolling agents with the Wazuh dashboard's one-liner deployment command, using both the manager's IP address and its FQDN as the server address, and assigning agent names and groups.
  2. Continuous Integration (CI) Updates:
    • JobFlow Testing: Test the JobFlow testing tool specifically for Rocky Linux 9.7.
    • Adding OS to JobFlow: Incorporate Rocky Linux 9.7 and its supported architectures into the JobFlow testing tool.
    • Release Templates: Add Rocky Linux 9.7 to the GitHub Deployability and Upgrade release templates to ensure smooth deployments and upgrades.
  3. DevOps Tasks:
    • Allocator Image Updates: Update the allocator images to include Rocky Linux 9.7 for each supported architecture. This means adjusting the configuration and provisioning scripts the allocator uses so they work with Rocky Linux 9.7's defaults, and testing the updated images in a controlled environment before they are used for production test runs.
    • AMI, OVA, and Docker Images: Update or create the AMI (Amazon Machine Image), OVA (Open Virtual Appliance) and Docker images needed to deploy Wazuh on Rocky Linux 9.7. These pre-configured images must carry the latest Wazuh version together with the dependencies and settings specific to Rocky Linux 9.7.
  4. CppServer, Indexer, and Dashboard:
    • Central Components Support: Add support for Rocky Linux 9.7 to the GitHub Actions package builder for CppServer, Indexer, and Dashboard.
    • Smoke Tests: Conduct smoke tests to ensure the packages work correctly, including installation, upgrade, and related functionalities. This involves deploying the packages on Rocky Linux 9.7 and verifying that key features function as expected. Smoke tests are designed to quickly identify any major issues that may prevent the system from operating correctly.
  5. Agent Support:
    • Package Testing: Perform smoke tests on the Wazuh agent package, including installation, upgrade, and tier-specific functionality.
    • Default Settings: Review and adapt default settings from previous versions to ensure optimal performance and compatibility with Rocky Linux 9.7. This includes adjusting configuration files and scripts to align with the new OS's specific parameters and requirements.
    • GitHub Actions: Add support for Rocky Linux 9.7 to the GitHub Actions package builder for the Wazuh agent.

DevOps Focus: Updating the Allocator Module

The DevOps team owns the infrastructure side of the plan: updating the allocator module so that Rocky Linux 9.7 resources can be provisioned and managed, and making sure the other deployment artifacts (AMI, OVA and Docker images) work on the new OS.

Steps to Update the Allocator Module

  1. Analyze Compatibility:
    • The first step is to identify what in Rocky Linux 9.7 affects the current allocator module. For a provisioning tool this mostly means confirming that base images exist for both AMD64 and ARM64, that the provisioning scripts' dependencies (Python version, SSH and cloud-init behaviour, dnf package names) are available, and that the OS defaults, such as SELinux in enforcing mode and firewalld enabled, do not block the components under test.
  2. Modify Configuration:
    • Modify the allocator module's configuration files to recognize Rocky Linux 9.7. This includes adding the new OS to the list of supported platforms and configuring the necessary parameters for provisioning resources.
  3. Testing in a Controlled Environment:
    • Before deploying the updated module to the production environment, it's essential to test it in a controlled setting. This involves setting up a test environment that mirrors the production setup and running a series of tests to verify that the allocator module functions correctly.
  4. Deploying the Updated Module:
    • Once the testing phase is complete and any identified issues have been resolved, the updated allocator module can be deployed to the production environment. This process should be carefully managed to minimize any disruption to existing services.
  5. Monitoring and Maintenance:
    • After deployment, monitor the allocator module's behaviour: track resource utilisation, provisioning failures and error rates so that problems with the new images show up early, and keep the module's images and scripts up to date as Rocky Linux 9.7 receives updates.
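The "testing in a controlled environment" step above starts with a question the allocator cannot answer for you: is the VM it handed out really Rocky Linux 9.7 on the architecture you asked for? The following preflight check is an added example, not part of the Wazuh allocator or its test suite. It parses `/etc/os-release` and the machine type (`uname -m`), and reports mismatches such as a stale 9.6 image or an ARM64 request served by an x86_64 host. The `amd64`/`arm64` labels and the sample os-release content are assumptions made here for illustration.

```python
"""Preflight check for a host handed out by the allocator (added example)."""
import shlex

# Allocator architecture labels used in this plan, mapped to `uname -m` output (assumed).
ARCH_MACHINE = {"amd64": "x86_64", "arm64": "aarch64"}

# Constructed sample of /etc/os-release on a Rocky Linux 9.7 host.
SAMPLE_OS_RELEASE = """NAME="Rocky Linux"
VERSION="9.7"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.7"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.7"
"""


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines; values use shell quoting, so shlex unquotes them."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = shlex.split(value)
        fields[key.strip()] = parts[0] if parts else ""
    return fields


def verify_host(os_release_text, machine, expected_arch, expected_version="9.7"):
    """Return the list of mismatches between the host and what was requested.

    An empty list means the host is Rocky Linux <expected_version> on <expected_arch>.
    """
    problems = []
    fields = parse_os_release(os_release_text)
    if fields.get("ID") != "rocky":
        problems.append(f"ID is {fields.get('ID')!r}, expected 'rocky'")
    if fields.get("VERSION_ID") != expected_version:
        problems.append(
            f"VERSION_ID is {fields.get('VERSION_ID')!r}, expected {expected_version!r}"
        )
    # Rocky 9.x carries platform:el9; a different value means a different major release.
    if fields.get("PLATFORM_ID") != "platform:el9":
        problems.append(f"PLATFORM_ID is {fields.get('PLATFORM_ID')!r}, expected 'platform:el9'")
    wanted = ARCH_MACHINE.get(expected_arch)
    if wanted is None:
        problems.append(f"unknown architecture label {expected_arch!r}")
    elif machine != wanted:
        problems.append(f"machine is {machine!r}, expected {wanted!r} for {expected_arch}")
    return problems


if __name__ == "__main__":
    # On a real host use open("/etc/os-release").read() and platform.machine().
    for arch, machine in (("amd64", "x86_64"), ("arm64", "aarch64")):
        print(arch, verify_host(SAMPLE_OS_RELEASE, machine, arch) or "OK")
```

Run it first thing after the allocator reports a host as ready; a non-empty list means the rest of the test matrix would produce results for the wrong platform, so fail the job rather than continue.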

Agent Testing and Validation

The Wazuh agent runs on the monitored endpoints, collects the data the manager analyses and executes active responses the manager triggers, so its compatibility with Rocky Linux 9.7 is essential. The testing process validates the agent's core capabilities on the new OS, including log collection, file integrity monitoring (FIM), security configuration assessment (SCA) and active response. The checks are grouped by tier, described next.

Requested Checks by Tier

In this plan the tiers describe how much of the test matrix a platform receives, rather than how critical the monitored hosts are: a Tier 1 platform gets the full set of checks, and Tier 2 and Tier 3 platforms get progressively smaller subsets, as the table shows.

  • Tier 1: full coverage; every capability in the table is exercised.
  • Tier 2: core coverage; log collection, scheduled FIM, SCA, inventory, active response and command monitoring, but no realtime or whodata FIM, remote upgrade or wodles.
  • Tier 3: basic coverage; log collection, scheduled FIM and inventory only.

The table below lists the checks requested for each tier. The Result column is empty until the checks have been executed, at which point it is filled in with the completion markers from the key.

Check                               Tier 1          Tier 2          Tier 3          Result
Log collection - System events      :white_circle:  :white_circle:  :white_circle:
Log collection - Log files          :white_circle:  :white_circle:  :white_circle:
Log collection - Command execution  :white_circle:  :white_circle:  :white_circle:
FIM - Scheduled                     :white_circle:  :white_circle:  :white_circle:
FIM - Realtime                      :white_circle:  :black_circle:  :black_circle:
FIM - Whodata                       :white_circle:  :black_circle:  :black_circle:
SCA                                 :white_circle:  :white_circle:  :black_circle:
Inventory                           :white_circle:  :white_circle:  :white_circle:
Active response                     :white_circle:  :white_circle:  :black_circle:
Remote upgrade                      :white_circle:  :black_circle:  :black_circle:
Command monitoring                  :white_circle:  :white_circle:  :black_circle:
Wodles                              :white_circle:  :black_circle:  :black_circle:

Key:

  • :white_circle: Requested
  • :black_circle: Not requested
  • :green_circle: Completed with success
  • :red_circle: Completed with failures
  • :yellow_circle: Completed with known issues

Detailed Testing Scenarios

  1. Log Collection:
    • System Events: Verify that the agent can collect system events from Rocky Linux 9.7, including security logs, application logs, and system logs. This involves checking the agent's configuration to ensure it's properly configured to monitor the relevant log sources.
    • Log Files: Test the agent's ability to collect logs from specific files on Rocky Linux 9.7. This includes defining custom log formats and ensuring that the agent can parse the logs correctly.
    • Command Execution: Validate that the agent can collect logs generated by command executions on Rocky Linux 9.7. This involves configuring the agent to monitor specific commands and capture their output.
  2. File Integrity Monitoring (FIM):
    • Scheduled: Test the agent's ability to perform scheduled FIM checks on Rocky Linux 9.7. This involves configuring the agent to monitor specific files and directories and verifying that it can detect changes made to those files.
    • Realtime: Validate the agent's realtime FIM capabilities for Tier 1 systems. This involves ensuring that the agent can immediately detect and report changes made to monitored files.
    • Whodata: Test the agent's whodata functionality for Tier 1 systems. This involves verifying that the agent can identify the user and process that made changes to monitored files.
  3. System Configuration Assessment (SCA):
    • Test the agent's SCA capabilities on Rocky Linux 9.7. SCA runs policy files of configuration checks (the bundled policies follow the CIS Benchmarks) against the host and reports which checks pass or fail; on a new OS the point is to confirm that the right policy is selected for Rocky Linux 9 and that its checks evaluate correctly. Vulnerability detection is a separate capability and is not part of this check.
  4. Inventory:
    • Verify that the agent can collect inventory data from Rocky Linux 9.7, including installed software, hardware information, and network configuration.
  5. Active Response:
    • Test the agent's active response capabilities on Rocky Linux 9.7. This involves configuring a response on the manager that the agent executes automatically when a rule fires, such as blocking a source IP address after repeated failed SSH logins, and verifying that the response script runs and is reverted after its timeout.
  6. Remote Upgrade:
    • Validate the agent's remote upgrade functionality for Tier 1 systems. This involves testing the ability to remotely upgrade the agent to the latest version.
  7. Command Monitoring:
    • Test the agent's command monitoring capabilities on Rocky Linux 9.7. This involves configuring the agent to monitor specific commands and alert on their execution.
  8. Wodles:
    • Validate the functionality of wodles (Wazuh modules) on Tier 1 systems. This involves exercising agent-side modules such as the command wodle or the Docker listener and confirming that they run and report correctly on Rocky Linux 9.7.
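The tier table and the scenarios above say which capabilities to exercise on each platform, but the QA engineer still has to turn that into an agent configuration for the test VM. The following script is an added example, not Wazuh project code: it encodes the table as a matrix and renders an agent-side ossec.conf fragment for a given tier, so that a Tier 1 run gets realtime and whodata FIM while a Tier 3 run gets only scheduled FIM, log collection and inventory. The mapping from each check to a configuration block is an assumption made here for illustration (the paths, commands and intervals are placeholders), the journald input assumes a recent agent that supports that log format, and two checks are deliberately not rendered because they have no agent-side setting: remote upgrade is driven from the manager, and command-execution log collection depends on which log source captures the commands.

```python
"""Render an agent-side ossec.conf fragment from the per-tier check matrix (added example)."""
import xml.etree.ElementTree as ET

# (Tier 1, Tier 2, Tier 3): True where the table marks the check as requested.
CHECK_MATRIX = {
    "log-system-events":  (True, True, True),
    "log-files":          (True, True, True),
    "log-command-exec":   (True, True, True),
    "fim-scheduled":      (True, True, True),
    "fim-realtime":       (True, False, False),
    "fim-whodata":        (True, False, False),
    "sca":                (True, True, False),
    "inventory":          (True, True, True),
    "active-response":    (True, True, False),
    "remote-upgrade":     (True, False, False),
    "command-monitoring": (True, True, False),
    "wodles":             (True, False, False),
}

# Illustrative single-block snippets (assumed mapping; adjust paths and intervals per host).
SNIPPETS = {
    "log-system-events": """\
  <localfile>
    <log_format>journald</log_format>
    <location>journald</location>
  </localfile>""",
    "log-files": """\
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>""",
    "command-monitoring": """\
  <localfile>
    <log_format>full_command</log_format>
    <command>ss -ltnp</command>
    <alias>listening-ports</alias>
    <frequency>300</frequency>
  </localfile>""",
    "sca": """\
  <sca>
    <enabled>yes</enabled>
    <interval>12h</interval>
  </sca>""",
    "inventory": """\
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
  </wodle>""",
    "wodles": """\
  <wodle name="command">
    <disabled>no</disabled>
    <tag>rocky-smoke</tag>
    <command>cat /etc/os-release</command>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
  </wodle>""",
    "active-response": """\
  <active-response>
    <disabled>no</disabled>
  </active-response>""",
}


def requested_checks(tier):
    """Return the set of check names the matrix requests for tier 1, 2 or 3."""
    if tier not in (1, 2, 3):
        raise ValueError("tier must be 1, 2 or 3")
    return {name for name, cols in CHECK_MATRIX.items() if cols[tier - 1]}


def fim_block(checks):
    """One <syscheck> element; realtime and whodata are per-directory attributes."""
    lines = ["  <syscheck>", "    <disabled>no</disabled>",
             "    <frequency>43200</frequency>",
             "    <directories>/etc</directories>"]
    if "fim-realtime" in checks:
        lines.append('    <directories realtime="yes">/usr/sbin</directories>')
    if "fim-whodata" in checks:  # whodata on Linux relies on auditd running on the host
        lines.append('    <directories whodata="yes">/usr/bin</directories>')
    lines.append("  </syscheck>")
    return "\n".join(lines)


def render_ossec_conf(tier):
    """Build the fragment for a tier and verify it is well-formed XML before returning it."""
    checks = requested_checks(tier)
    blocks = [SNIPPETS[n] for n in CHECK_MATRIX if n in checks and n in SNIPPETS]
    if "fim-scheduled" in checks:
        blocks.append(fim_block(checks))
    # Checks with no agent-side setting are recorded so the tester knows they are not covered here.
    skipped = sorted(n for n in checks if n not in SNIPPETS and not n.startswith("fim-"))
    if skipped:
        blocks.append("  <!-- no agent-side setting for: " + ", ".join(skipped) + " -->")
    conf = "<ossec_config>\n" + "\n".join(blocks) + "\n</ossec_config>\n"
    ET.fromstring(conf)  # raises xml.etree.ElementTree.ParseError on malformed markup
    return conf


if __name__ == "__main__":
    print(render_ossec_conf(3))
```

Drop the rendered fragment into the agent's ossec.conf on the test VM (or ship it through an agent group's shared configuration from the manager), restart the agent, and then work through the scenarios above, recording each outcome in the Result column.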

Conclusion

Supporting a new OS release such as Rocky Linux 9.7 is routine but necessary work. The plan above is the roadmap for it: update the allocator module so that Rocky Linux 9.7 environments can be provisioned on both supported architectures, extend the CI and package builders, and run the tiered agent checks and central-component smoke tests on the result. Once those checks are green, users can deploy Wazuh on Rocky Linux 9.7 with the same confidence as on the platforms already supported.

For more information on Wazuh and its capabilities, visit the official Wazuh website: https://wazuh.com/. For the configuration baselines that Wazuh's SCA policies are built on, refer to the CIS Benchmarks published by the Center for Internet Security (CIS).