Unable to get CISCAT scan report


Yawple

May 5, 2019, 1:10:46 PM5/5/19
to Wazuh mailing list
Hi all,
I am facing an issue with the ciscat part of wazuh.

My architecture is the following:
A central wazuh manager 3.8.2, installed on CentOS 7
Several remote wazuh agents 3.8.2 installed on CentOS 7 servers
An elasticsearch 6.6.0 server installed on CentOS 7
A kibana 6.6.0 server installed on CentOS 7

Before doing a ciscat deployment on all of my CentOS 7 servers I tested on one.
java-1.8.0-openjdk is installed on the agent.

The Wazuh config for ciscat is the following:

<wodle name="cis-cat">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>

  <java_path>/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre/bin</java_path>
  <ciscat_path>wodles/ciscat</ciscat_path>

  <content type="xccdf" path="benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.2.0-xccdf.xml">
    <profile>xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server</profile>
  </content>
</wodle>

I have a ciscat account, and downloaded the ciscat tool. I put the files in /var/ossec/wodles/ciscat.
Access rights on the ciscat folder are the following:

drwx------. 9 root ossec      166 28 avril 17:32 .
drwxr-x---. 6 root ossec       58 28 avril 17:46 ..
drwxr-xr-x. 2 root ossec     4096 28 avril 17:32 benchmarks
-rw-------. 1 root ossec     2273 28 avril 17:32 CIS-CAT.BAT
-rw-------. 1 root ossec 13585789 28 avril 17:32 CISCAT.jar
-rwx------. 1 root ossec      795 28 avril 17:32 CIS-CAT.sh
drwxr-xr-x. 3 root ossec       19 28 avril 17:32 custom
drwxr-xr-x. 2 root ossec      164 28 avril 17:32 docs
drwxr-xr-x. 3 root ossec     8192 28 avril 17:32 lib
drwxr-xr-x. 5 root ossec      114 28 avril 17:32 misc
drwxr-xr-x. 2 root ossec     4096 28 avril 17:32 sce
drwxr-xr-x. 6 root ossec      103 28 avril 17:32 third-party-content

The scan is running well; I have an XML file generated in /var/tmp/ossec:


-rw-r--r--. 1 root ossec 2551737  5 mai   18:53 ciscat-tmp.xml

But in the log file I have this issue:
2019/05/05 18:53:14 wazuh-modulesd:ciscat: INFO: Scan finished successfully. File: /var/ossec/wodles/ciscat/benchmarks/CIS_CentOS_Linux_7_Benchmark_v2.2.0-xccdf.xml
2019/05/05 18:53:15 wazuh-modulesd:ciscat: ERROR: (1226): Error reading XML file '/var/ossec/tmp/ciscat-tmp.xml': XMLERR: Element not opened. (line 31233).
2019/05/05 18:53:18 wazuh-modulesd:ciscat: INFO: Evaluation finished.
2019/05/05 19:01:11 wazuh-modulesd:oscap: ERROR: Timeout expired executing 'ssg-centos-7-ds.xml'.
2019/05/05 19:01:11 wazuh-modulesd:oscap: INFO: Evaluation finished.

In the Wazuh app in Kibana I only have the "Scan result evolution" visualization updated with "fail" information.

I did not find any solution in this group nor on the wazuh website. It seems the report is running well but the agent could not access the file :/
Do you have an idea?
Thanx

Yawp

Chema Martinez

May 6, 2019, 6:50:29 AM5/6/19
to Yawple, Wazuh mailing list
Hi Yawple,

As I can see in your configuration and logs, the setup is correct and the scan is running fine.

The problem seems to appear with the format the results are being printed in (XML). On my environment, it works fine for a CentOS 7 agent with the following particularities:

- The benchmark policy I have for CentOS 7 is CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml (not 2.2.0).
- The CIS-CAT version is 3.0.43:

CIS-CAT Build Information - 3.0.43 (10/23/2017 20:14 PM)
Java Version - 1.8.0_212
Java Installation Directory - /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre
System OS: Linux 64-bit

Probably, something related to one of the points listed before is causing this issue. I would like to request some information that is very important to find out the problem:

- The version of the CIS-CAT pro tool you are using. It can be consulted by running the following command:

# /var/ossec/wodles/ciscat/CIS-CAT.sh -v

- The file ciscat-tmp.xml obtained when running the scan.

Best regards,
Chema.

WazuhChema Martinez
IT Security Engineer
Wazuh The Open Source Security Platform
Wazuh's Github
Wazuh's Twitter



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ca9af4d5-657b-4a69-a7c7-a868d38cb1cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yawple

May 6, 2019, 2:28:43 PM5/6/19
to Wazuh mailing list
Hi Chema

Here is the information:

CIS-CAT Build Information - 3.0.55 (01/17/2019 21:38 PM)

Java Version - 1.8.0_212
Java Installation Directory - /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre
System OS: Linux 64-bit
CIS-CAT Terminated Successfully.

The attached file was anonymized ;)

The version is different from your ciscat tool :/
Thanks for your help
yawple
ciscat-tmp.xml

Chema Martinez

May 7, 2019, 5:47:49 AM5/7/19
to Yawple, Wazuh mailing list
Hi Yawple,

Thanks to the attached report I have found what is happening in the XML parser. An issue has been opened in the Wazuh repository to solve it for the next released version (https://github.com/wazuh/wazuh/issues/3256).

To sum up, it seems the benchmark CIS_CentOS_Linux_7_Benchmark_v2.2.0-xccdf.xml is not compatible with the XML parser of the Wazuh agent.

While the issue is being solved, I would recommend that you use the benchmark CIS_CentOS_Linux_7_Benchmark_v2.1.1-xccdf.xml, which works properly.

Sorry for the inconvenience.

Best regards,
Chema.


WazuhChema Martinez
IT Security Engineer
Wazuh The Open Source Security Platform
Wazuh's Github
Wazuh's Twitter
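The diagnosis above is that the agent's XML parser rejects the result file produced with the 2.2.0 benchmark, and the only clue the log gives is a line number. As an added example (not Wazuh's or CIS-CAT's code), the script below does the two checks an operator would want before a scan result reaches the wodle: it confirms the file is well-formed XML and reports where parsing stops, and it tallies the rule-result outcomes so the pass/fail counts can be compared with the Wazuh app. The XCCDF 1.2 namespace and the miniature result document are assumptions; the rule ids are made up.

```python
"""Pre-flight check for a CIS-CAT XCCDF result before Wazuh's ciscat wodle parses it.

Added example, not Wazuh's code. check_well_formed() reports the line and column
where XML parsing fails (the wodle logs only "Element not opened. (line N)");
summarise_results() counts rule-result outcomes. The XCCDF 1.2 namespace and the
sample document are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed miniature of a ciscat-tmp.xml result; rule ids are made up.
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server"/>
    <rule-result idref="xccdf_example_rule_1.1.1.1"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_1.1.2"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_1.3.1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_5.2.1"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Same document with an unmatched close tag, to show what the check reports.
SAMPLE_BROKEN = SAMPLE_RESULT.replace("</TestResult>", "</TestResult></Group>")


def check_well_formed(xml_text):
    """Return (True, None) when xml_text parses, else (False, (line, col, message))."""
    try:
        ET.fromstring(xml_text)
        return True, None
    except ET.ParseError as exc:
        line, col = exc.position
        return False, (line, col, str(exc))


def summarise_results(xml_text):
    """Count each rule-result outcome and collect the idrefs of failing rules."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        counts[outcome] += 1
        if outcome == "fail":
            failed.append(rr.get("idref"))
    return dict(counts), failed
```

On a real agent, read /var/ossec/tmp/ciscat-tmp.xml into a string and pass it to both functions; the line reported by check_well_formed() is the place to inspect when the wodle logs the XMLERR above.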



Yawple

May 8, 2019, 7:44:26 AM5/8/19
to Wazuh mailing list
Hi Chema
Thank you for this information and the update on the next version :)

I cannot find on the CIS website (member part) the CIS-CAT tool version 3.0.43 with this benchmark version :/ I found 3.0.30 (with an older benchmark), 3.0.55, 3.0.56, 3.0.57 ... (with the 2.2.0 benchmark).
I will wait.
Yawple


On Monday, May 6, 2019 at 12:50:29 PM UTC+2, Chema Martinez wrote: