/var/ossec/etc/shared/agent.conf - Invalid element in the configuration: 'wodle'


Aleksandr Zaldak

Feb 27, 2017, 4:52:14 PM
to Wazuh mailing list
Hi Guys,
just can't set up SCAP for client checks (the server seems to be OK). Once I include the code (see below) in /var/ossec/etc/shared/agent.conf :

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="ssg-rhel7-cpe-oval.xml"/>
  </wodle>


I get
...
2017/02/27 21:47:10 ossec-logcollector(1230): ERROR: Invalid element in the configuration: 'wodle'.
2017/02/27 21:47:10 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-logcollector...
2017/02/27 21:47:10 ossec-syscheckd(1230): ERROR: Invalid element in the configuration: 'wodle'.
2017/02/27 21:47:10 ossec-syscheckd(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2017/02/27 21:47:10 ossec-syscheckd(1230): ERROR: Invalid element in the configuration: 'wodle'.
2017/02/27 21:47:10 ossec-syscheckd(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-syscheckd...

I'm starting to think maybe I'm putting this in the wrong place? Also, do clients/agents need oscap packages installed, or does only the server need it?

Thanks!

0x2a

Feb 28, 2017, 6:56:37 AM
to Wazuh mailing list
Hi,

may I ask which version of wazuh you are using?
Wodles/oscap support was added in v2.0 which hasn't been released yet. (https://github.com/wazuh/wazuh master branch)

All Wazuh agents need the openscap-scanner package installed, with at least version 1.2.4 for OVAL version 5.11 (which is used in the current configuration checks bundled with Wazuh).
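The two prerequisites named in this reply (a Wazuh agent rather than the upstream OSSEC agent, and an openscap-scanner new enough for OVAL 5.11) can be checked mechanically before touching agent.conf. The script below is an added example written for this page, not code from the thread or from Wazuh. It parses the banners of `ossec-agentd -V` and `oscap -V`; the sample banners are the ones quoted later in this thread, except the "too old" banner, which is constructed. The agent binary path `/var/ossec/bin/ossec-agentd` is the default install location and is assumed.

```python
"""Pre-flight checks for the Wazuh OpenSCAP wodle on an agent host.

Added example, not part of the thread or of Wazuh. It encodes the two
requirements stated in the reply above: the agent binary must be the Wazuh
agent (the upstream OSSEC agent rejects <wodle>), and openscap-scanner must
be at least 1.2.4 so that it implements OVAL 5.11.
"""
import re
import shutil
import subprocess

MIN_OSCAP = (1, 2, 4)  # oldest oscap that implements OVAL 5.11 (per the reply above)
MIN_OVAL = (5, 11)     # OVAL version used by the SCAP content bundled with Wazuh
AGENTD = "/var/ossec/bin/ossec-agentd"  # default install path (assumed)

# Banners quoted in this thread (agent side).
OSSEC_AGENT_BANNER = "OSSEC HIDS v2.9.0 - Trend Micro Inc."
WAZUH_AGENT_BANNER = "Wazuh v2.0 - Wazuh Inc."
OSCAP_V_FROM_THREAD = """OpenSCAP command line tool (oscap) 1.2.10
Copyright 2009--2016 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
"""
# Constructed banner for a scanner too old to understand OVAL 5.11.
OSCAP_V_TOO_OLD = """OpenSCAP command line tool (oscap) 1.2.3
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
"""


def parse_version(text):
    """'1.2.10' -> (1, 2, 10); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _dotted(version):
    return ".".join(str(n) for n in version)


def is_wazuh_agent(agentd_version_output):
    """True only for a Wazuh agent banner; the OSSEC agent does not know <wodle>."""
    return agentd_version_output.strip().startswith("Wazuh v")


def parse_oscap_banner(oscap_v_output):
    """(oscap_version, oval_version) tuples extracted from `oscap -V` output."""
    oscap = re.search(r"\(oscap\)\s+(\d+(?:\.\d+)*)", oscap_v_output)
    oval = re.search(r"OVAL Version:\s*(\d+(?:\.\d+)*)", oscap_v_output)
    if not oscap or not oval:
        raise ValueError("unrecognised `oscap -V` output")
    return parse_version(oscap.group(1)), parse_version(oval.group(1))


def check_oscap(oscap_v_output):
    """List of problems with the installed scanner; an empty list means it is usable."""
    problems = []
    oscap_ver, oval_ver = parse_oscap_banner(oscap_v_output)
    if oscap_ver < MIN_OSCAP:
        problems.append("oscap %s is older than %s" % (_dotted(oscap_ver), _dotted(MIN_OSCAP)))
    if oval_ver < MIN_OVAL:
        problems.append("OVAL %s is older than the %s the bundled content needs"
                        % (_dotted(oval_ver), _dotted(MIN_OVAL)))
    return problems


def _run(argv):
    """stdout+stderr of a command, or None when the binary is not installed."""
    if shutil.which(argv[0]) is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_host():
    """Run both checks against the local host and return the findings."""
    findings = []
    banner = _run([AGENTD, "-V"])
    if banner is None:
        findings.append("%s not found: is an agent installed?" % AGENTD)
    elif not is_wazuh_agent(banner):
        findings.append("agent is %r, not a Wazuh agent: <wodle> will be rejected" % banner.strip())
    oscap_out = _run(["oscap", "-V"])
    if oscap_out is None:
        findings.append("oscap not found: install openscap-scanner on the agent")
    else:
        findings.extend(check_oscap(oscap_out))
    return findings


if __name__ == "__main__":
    for finding in check_host() or ["all OpenSCAP wodle prerequisites satisfied"]:
        print(finding)
```

Run it on the agent, not the manager: the scanner has to be present on every host that executes the wodle, which is the point of the reply above.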

Aleksandr Zaldak

Feb 28, 2017, 8:17:56 AM
to Wazuh mailing list
Hi,

Wazuh v2.0 #Server side via CHANGELOG.md. Master branch

ossec-agentd -V #Agent side
OSSEC HIDS v2.9.0 - Trend Micro Inc. 

oscap -V #Agent side + Server side
OpenSCAP command line tool (oscap) 1.2.10
Copyright 2009--2016 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

The files are present in the /usr/share/xml/scap/ssg folder. I also tried <wodle> inside the <rootcheck> clause too btw (for the sake of troubleshooting), and without filtering by OS, and using the full path to the xml file, /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml, instead of ssg-centos7-ds.xml.

Below is my /var/ossec/etc/shared/agent.conf
 <agent_config os="Linux">
<!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <!-- the name attribute selects the module; without it the element is incomplete -->
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>7200</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
  </active-response>

  </agent_config>

Once I push this to the agent, or just restart the agent with the existing config, I get

2017/02/28 13:17:15 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-logcollector...
2017/02/28 13:17:15 ossec-syscheckd(1230): ERROR: Invalid element in the configuration: 'wodle'.
2017/02/28 13:17:15 ossec-syscheckd(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-syscheckd...

Thank you

0x2a

Feb 28, 2017, 9:31:10 AM
to Wazuh mailing list
Hi,

you need to use the Wazuh agent, not ossec agent:

ossec-agentd -V
Wazuh v2.0 - Wazuh Inc.

rpm packages are available in the repo:
https://github.com/wazuh/wazuh-documentation/blob/new_template/source/installation_guide/installing-agents/wazuh_agent_rpm.rst

keep in mind that wazuh 2.0 is not officially released yet, so these are not officially "stable" packages but rather "beta" (although I have not encountered major issues yet).

Aleksandr Zaldak

Feb 28, 2017, 4:28:29 PM
to Wazuh mailing list
Installed, so far looking promising. Waiting for scan results... But neither a local service restart nor a remote restart has produced any SCAP results so far. Nothing in the logs either. Let's wait though...

Note
In the repo, after the install, agent.conf should have <content type="xccdf" path="ssg-centos7-ds.xml">, not <content type="xccdf" path="ssg-centos-7-ds.xml">, no? As this is the default oscap install file.

Any ETA for Windows build btw?
Great work guys!
Thank you!!!

Victor Fernandez

Feb 28, 2017, 7:54:05 PM
to Wazuh mailing list
Hi Aleksandr,

Please take a look at the log with a command like:

tail -fn100 /var/ossec/logs/ossec.log | grep "wazuh-modulesd:oscap"

It will log any error related to the OpenSCAP module.

I don't understand your comment about the content path "ssg-centos7-ds.xml", since the file should be "ssg-centos-7-ds.xml" as it appears at https://github.com/wazuh/wazuh/tree/master/wodles/oscap/content. Do you have that file in the folder /var/ossec/wodles/oscap/content?

Unfortunately, OpenSCAP scanner is not supported on Windows and we have no plan to build the integration for it at this moment.

Best regards,
Victor.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
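The reply above gives two concrete diagnostics: look for the module's own errors in ossec.log under the tag `wazuh-modulesd:oscap`, and verify that the content file named in the `<content path="...">` attribute actually exists in `/var/ossec/wodles/oscap/content`. The script below is an added example for this page, not code from the thread or from Wazuh. It lints the `<wodle>` block of an agent.conf (missing `name` attribute, module left at `<disabled>yes</disabled>` as in the first post's snippet, content that is not in the agent's content directory or that points elsewhere, such as the SSG package directory `/usr/share/xml/scap/ssg/content` that caused the confusion here) and filters the module's ERROR lines out of a log. The content directory and log tag are taken from the replies in this thread; the sample log lines are constructed in the layout of the ossec.log lines quoted above, with invented messages.

```python
"""Lint the OpenSCAP <wodle> in agent.conf and pull the module's log errors.

Added example, not the thread's or Wazuh's code. It assumes what the replies
above establish: the Wazuh agent reads its SCAP content from
/var/ossec/wodles/oscap/content, and the module logs under the tag
"wazuh-modulesd:oscap".
"""
import os
import xml.etree.ElementTree as ET

CONTENT_DIR = "/var/ossec/wodles/oscap/content"  # where the Wazuh agent looks (per thread)
LOG_TAG = "wazuh-modulesd:oscap"                  # tag used in the grep suggested above

# A wodle whose name attribute is missing, and the same block corrected.
NAMELESS_WODLE = """<agent_config os="Linux">
  <wodle>
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>7200</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>
</agent_config>
"""
GOOD_WODLE = NAMELESS_WODLE.replace("<wodle>", '<wodle name="open-scap">')

# Constructed log lines: ossec.log layout as quoted in the thread, invented messages.
SAMPLE_LOG = """2017/02/28 13:17:15 wazuh-modulesd:oscap: INFO: Module started. (constructed)
2017/02/28 13:17:16 wazuh-modulesd:oscap: ERROR: Content file not found. (constructed)
2017/02/28 13:17:16 ossec-syscheckd: INFO: Starting syscheck scan. (constructed)
"""


def list_content_dir(content_dir=CONTENT_DIR):
    """File names in the agent's SCAP content directory (empty set if it is absent)."""
    try:
        return set(os.listdir(content_dir))
    except FileNotFoundError:
        return set()


def lint_oscap_wodle(agent_conf_xml, available_content):
    """Return findings for the <wodle> elements of an agent.conf document.

    `available_content` is the set of file names under CONTENT_DIR, passed in
    so the check can run against a constructed set without touching the host.
    """
    findings = []
    # agent.conf may hold several <agent_config> blocks, i.e. several roots,
    # so wrap the document before parsing it.
    root = ET.fromstring("<root>%s</root>" % agent_conf_xml)
    wodles = root.findall(".//wodle")
    if not wodles:
        findings.append("no <wodle> element found")
    for wodle in wodles:
        name = wodle.get("name")
        if name is None:
            findings.append('<wodle> without a name attribute; use <wodle name="open-scap">')
            continue
        if name != "open-scap":
            continue
        if (wodle.findtext("disabled") or "no").strip().lower() == "yes":
            findings.append("open-scap wodle is disabled; no scan will run")
        contents = wodle.findall("content")
        if not contents:
            findings.append("open-scap wodle has no <content> entry")
        for content in contents:
            ctype = content.get("type")
            if ctype not in ("xccdf", "oval"):
                findings.append("content type %r is not xccdf or oval" % ctype)
            path = content.get("path") or ""
            if not path:
                findings.append("<content> without a path attribute")
                continue
            directory, fname = os.path.split(path)
            if directory and directory.rstrip("/") != CONTENT_DIR:
                findings.append("%s: points outside %s, where the agent keeps its SCAP content"
                                % (path, CONTENT_DIR))
            elif fname not in available_content:
                findings.append("%s: not present in %s" % (path, CONTENT_DIR))
    return findings


def oscap_log_errors(log_lines):
    """ERROR lines written by the OpenSCAP module; the same selection as
    grep "wazuh-modulesd:oscap" ossec.log | grep ERROR."""
    return [line.rstrip("\n") for line in log_lines
            if LOG_TAG in line and ": ERROR:" in line]


if __name__ == "__main__":
    with open("/var/ossec/etc/shared/agent.conf") as fh:
        for finding in lint_oscap_wodle(fh.read(), list_content_dir()):
            print("agent.conf:", finding)
    with open("/var/ossec/logs/ossec.log") as fh:
        for line in oscap_log_errors(fh):
            print(line)
```

The lint deliberately takes the set of available content files as an argument rather than reading the directory inside the check, so the same function can be run on a manager against the agent.conf about to be pushed, with the file list collected from the agent.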

Aleksandr Zaldak

Mar 1, 2017, 4:07:23 AM
to Wazuh mailing list
Hi Victor,

I meant /var/ossec/etc/ossec.conf on the agent side. It has ssg-centos-7-ds.xml defined. This file is present on the server only. The local/agent file (as a result of installing scap-security-guide-0.1.30-3.el7.centos.0.3.noarch) is /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml (no -), which leads me to the conclusion that the local file is not used in this scenario at all. And it actually fails if used (just tested).

Speaking about the Windows build, I was speaking about the Wazuh agent for Windows. In regards to SCAP and Windows, I think it's a potential (feature) limitation to choose OpenSCAP for SCAP functionality, mainly because it lacks Windows support. But yes, it does Linux pretty well. But then the SCAPtimony middleware does it as well. There is a separate topic for that, but essentially, CIS Benchmarks (from Security Benchmarks) provide xml files for both Linux and Windows, for a fee of course. Nevertheless, one can use 3rd-party providers for the xml files in the end then. Thereby interpreters like OVALDI (legacy from oval.mitre.org?) are more versatile really, no?

P.S.
I can see SCAP results in Kibana. This essentially makes the Audit tab potentially obsolete :)

Victor Fernandez

Mar 1, 2017, 3:57:17 PM
to Wazuh mailing list
Hi Aleksandr,

The Wazuh Agent package should set the OpenSCAP configuration in the file "/var/ossec/etc/ossec.conf" to use the SCAP content "ssg-centos-7-ds.xml", and install the corresponding file at "/var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml".

I tested it on CentOS 7, using the RPM packages. Please double check it and try to reinstall the agent:

yum erase wazuh-agent
yum clean all
yum install wazuh-agent

If the problem persists, please write back and confirm your OS version and the steps you are following so we can help you solve this issue.

Regarding SCAP for Windows, we will study how to use more SCAP and OVAL interpreters like OVALdi. Thanks for the recommendation!

Best regards.

Aleksandr Zaldak

Mar 2, 2017, 6:30:26 AM
to Wazuh mailing list
Indeed, on the agent there is a /var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml file, and apparently that's the one wazuh-agent uses.
The confusion was due to the open-scap installation files in /usr/share/xml/scap/ssg/content/ too, which I assumed would be used for this :)

All good,
Marvelous work guys!

Jesus Linares

Mar 2, 2017, 12:28:49 PM
to Wazuh mailing list
Hi Aleksandr,

we provide the SCAP content (ssg-centos-7-ds.xml) with Wazuh so that the user does not have to install SSG. Also, we centralize SCAP content from several projects in https://github.com/wazuh/wazuh-ruleset/tree/master/scap_content.

We will clarify this in the documentation.
Thank you for your feedback.
