OpenSCAP - Can't see the results when I set the content to ssl-rhel-6-ds.xml

[lucas.v...@gmail.com]

Hello, 

I am not getting able to see the results of OpenSCAP when I use the path "ssl-rhel-6-ds.xml" in a agent (RHEL6). 

ossec.conf agent

The other content "cve-redhat-6-ds.xml" is running normally, and I can see all results. 

Can you guys help me in troubleshooting this problem? 

I see that the process start, but there are no results (fail/pass). 

[Victor Fernandez]

Hi Lucas,

I have tested this configuration:

<wodle name="open-scap">

  <disabled>no</disabled>

  <timeout>1800</timeout>

  <interval>1d</interval>

  <scan-on-start>yes</scan-on-start>

  <content type="xccdf" path="ssg-rhel-6-ds.xml">

    <profile>xccdf_org.ssgproject.content_profile_server</profile>

    <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>

  </content>

</wodle>

And I had these alerts:

** Alert 1507029105.37283: - ossec,rootcheck,

2017 Oct 03 13:11:45 (centos) any->rootcheck

Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'

Starting OpenSCAP scan. File: ssg-rhel-6-ds.xml.

title: Starting OpenSCAP scan.

file: ssg-rhel-6-ds.xml

** Alert 1507029138.37553: - oscap,oscap-report,pci_dss_2.2,

2017 Oct 03 13:12:18 (centos) any->wodle_open-scap

Rule: 81544 (level 9) -> 'OpenSCAP Report overview: Score less than 30'

oscap: msg: "xccdf-overview", scan-id: "0011506714679", content: "ssg-rhel-6-ds.xml", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-6", profile-id: "xccdf_org.ssgproject.content_profile_server", profile-title: "Server Baseline", score: "0.000000".

oscap.scan.id: 0011506714679

oscap.scan.content: ssg-rhel-6-ds.xml

oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_RHEL-6

oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_server

oscap.scan.profile.title: Server Baseline

oscap.scan.score: 0.000000

** Alert 1507029139.38273: - oscap,oscap-report,pci_dss_2.2,

2017 Oct 03 13:12:19 (centos) any->wodle_open-scap

Rule: 81544 (level 9) -> 'OpenSCAP Report overview: Score less than 30'

oscap: msg: "xccdf-overview", scan-id: "0011506714695", content: "ssg-rhel-6-ds.xml", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-6", profile-id: "xccdf_org.ssgproject.content_profile_pci-dss", profile-title: "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6", score: "0.000000".

oscap.scan.id: 0011506714695

oscap.scan.content: ssg-rhel-6-ds.xml

oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_RHEL-6

oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_pci-dss

oscap.scan.profile.title: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

oscap.scan.score: 0.000000

** Alert 1507029139.39081: - ossec,rootcheck,

2017 Oct 03 13:12:19 (centos) any->rootcheck

Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'

Ending OpenSCAP scan. File: ssg-rhel-6-ds.xml.

title: Ending OpenSCAP scan.

file: ssg-rhel-6-ds.xml

This makes me think that the OpenSCAP module is working properly.

Now, we have score 0 (since I'm running the OpenSCAP tool in CentOS 7). But if we enabled archives (option <logall>) we'd see:

2017 Oct 03 13:12:18 (centos) any->wodle_open-scap oscap: msg: "xccdf-result", scan-id: "0011506714695", content: "ssg-rhel-6-ds.xml", title: "Ensure Insecure File Locking is Not Allowed", id: "xccdf_org.ssgproject.content_rule_no_insecure_locks_exports", result: "notselected", severity: "high", description: "By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.", rationale: "Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user." references: "764 (http://iase.disa.mil/stigs/cci/Pages/index.aspx)", identifiers: "CCE-27167-6 (https://nvd.nist.gov/cce/index.cfm), DISA FSO RHEL-06-000309 (http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx)", oval-id: "", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-6", profile-id: "xccdf_org.ssgproject.content_profile_pci-dss", profile-title: "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6".

This log means that this check is not applicable to our system.

The not-selected checks match rule 81528, that is silenced by default (set to level 0). If you are interested in those events as alerts, you may add this configuration to /var/ossec/etc/rules/local_rules.xml:

<group name="oscap,">

  <rule id="81528" level="3" overwrite="yes">

      <if_sid>81520</if_sid>

      <field name="oscap.check.result">notselected</field>

      <description>OpenSCAP: $(oscap.check.title) (not selected)</description>

      <group>oscap-result,pci_dss_2.2,</group>

  </rule>

</group>

Apply this configuration by restarting the manager and then restart the agent to make it run a new OpenSCAP scan. So you will see alerts like this one:

** Alert 1507031991.2890381: - local,syslog,sshd,oscap-result,pci_dss_2.2,

2017 Oct 03 13:59:51 (centos) any->wodle_open-scap

Rule: 81528 (level 3) -> 'OpenSCAP: A process for prompt installation of OS updates must exist. (not selected)'

oscap: msg: "xccdf-result", scan-id: "0011506717786", content: "ssg-rhel-6-ds.xml", title: "A process for prompt installation of OS updates must exist.", id: "xccdf_org.ssgproject.content_rule_update_process", result: "notselected", severity: "low", description: "Procedures to promptly apply software updates must be established and executed. The Red Hat operating system provides support for automating such a process, by running the yum program through a cron job or by managing the system and its packages through the Red Hat Network or a Satellite Server.", rationale: "This is a manual inquiry about update procedure." references: "1232 (http://iase.disa.mil/stigs/cci/Pages/index.aspx)", identifiers: "", oval-id: "", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-6", profile-id: "xccdf_org.ssgproject.content_profile_pci-dss", profile-title: "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6".

oscap.scan.id: 0011506717786

oscap.scan.content: ssg-rhel-6-ds.xml

oscap.check.title: A process for prompt installation of OS updates must exist.

oscap.check.id: xccdf_org.ssgproject.content_rule_update_process

oscap.check.result: notselected

oscap.check.severity: low

oscap.check.description: Procedures to promptly apply software updates must be established and executed. The Red Hat operating system provides support for automating such a process, by running the yum program through a cron job or by managing the system and its packages through the Red Hat Network or a Satellite Server.

oscap.check.rationale: This is a manual inquiry about update procedure.

oscap.check.references: 1232 (http://iase.disa.mil/stigs/cci/Pages/index.aspx)

oscap.check.identifiers:

oscap.check.oval.id:

oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_RHEL-6

oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_pci-dss

oscap.scan.profile.title: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6

Hope it help.

Best regards.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/add78d73-8097-4273-8663-548df1086690%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Victor M. Fernandez-Castro

IT Security Engineer

Wazuh Inc.