How to enable SCA scans on some distros


J J Sloan
Mar 5, 2021, 8:59:05 PM
to Wazuh mailing list
Hello,

Thanks for a better ossec than ossec.  Now that I've fully migrated, I have a question about SCA scans. I poked around in ossec.conf but didn't see a definite answer.

The wazuh agents page shows SCA scans for the rhel, centos and debian hosts, but for the virtuozzo hosts there is only this:

"You dont have SCA scans in this agent.

Check your agent settings to generate scans."

Virtuozzo is an rhel derivative, so I'd expect the same type of scan setup as on rhel, centos or oracle Linux. Is there a way to use e.g. a centos 7 profile to scan virtuozzo 7?

J J 


J J Sloan
Mar 6, 2021, 1:24:12 PM
to Wazuh mailing list

Or, how can I enable at least a generic Linux scan, using the distribution-independent Linux benchmark, for those distros that don't have a specific CIS benchmark assigned?

J J 

J J Sloan
Mar 8, 2021, 2:23:04 PM
to Wazuh mailing list

I see that this morning's update of the wazuh agent on the virtuozzo hosts included a new scan file in /var/ossec/ruleset/sca/ 

Big thanks to the awesome developers/maintainers.

J J 

J J Sloan
Mar 10, 2021, 11:44:44 AM
to Wazuh mailing list

As it turns out, the problem is not yet solved.

On virtuozzo (rhel derivative) hosts, there's a file /var/ossec/ruleset/sca/cis_rhel7_linux.yml

In ossec.conf, there's this section:

<config-profile>virtuozzo, virtuozzo7</config-profile>

I've created cis_virtuozzo7_linux.yml in /var/ossec/ruleset/sca as a symlink to cis_rhel7_linux.yml

However, the wazuh manager states:


"You dont have SCA scans in this agent.

Check your agent settings to generate scans."

What might I do to enable the SCA scans?

J J 

Alberto Rodriguez
Mar 10, 2021, 1:39:15 PM
to J J Sloan, Wazuh mailing list
Hello J J Sloan

  Sorry for the late response. Let me help on this:


As you can see, it's possible to have the SCA scan available for Virtuozzo. The steps:
  1. Create a custom policy file. I copied the file `/var/ossec/ruleset/sca/cis_centos7_linux.yml` from the Wazuh manager. I edited the file and replaced CentOS 7 with Virtuozzo 7. In addition to this, I changed the line:
        - 'f:/etc/system-release -> r:^CentOS && r:release 7'
    to
        - 'f:/etc/system-release -> r:^Virtuozzo && r:release 7'

    Attached you will find the file.

  2. Follow the documentation section "How to share policy files and configuration with the Wazuh agents". Basically, you need to copy the yml file into the `/var/ossec/etc/shared/<agent_group>` folder, change its ownership to ossec:ossec, add the configuration to agent.conf described in the documentation, and add a setting to the agents' `/var/ossec/etc/local_internal_options.conf` file.
The Wazuh manager will send the configuration to agents and you will be able to see in the agent's log: 

2021/03/10 13:18:21 sca: INFO: Starting evaluation of policy: '/var/ossec/etc/shared/cis_virtuozzo7_linux.yml'
2021/03/10 13:18:31 sca: INFO: Evaluation finished for policy '/var/ossec/etc/shared/cis_virtuozzo7_linux.yml'


Please, let me know if you have any questions. 
Regards, 

Alberto R

cis_virtuozzo7_linux.yml

J J Sloan
Mar 10, 2021, 5:57:24 PM
to Wazuh mailing list
Thanks Alberto,

Your response was very helpful.

Note - in my case, I had to add the following as line 27 of cis_virtuozzo7_linux.yml
- 'f:/etc/system-release -> r:^OpenVZ && r:release 7'

Now all the hosts are getting SCAs

J J
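The requirements line Alberto edited in step 1 and the extra OpenVZ line J J added above are what decide whether a policy runs on a host at all. The following is an added example, not part of the thread and not Wazuh's own code: a small Python model of how such `f:<path> -> r:<regex> && r:<regex>` rules are evaluated against constructed /etc/system-release contents, showing why the stock CentOS line skips Virtuozzo and OpenVZ hosts. It assumes (simplification) that every r: term must match the same line and uses Python's re in place of Wazuh's regex dialect.

```python
import re

# Constructed sample /etc/system-release contents for three hosts (not real captures).
HOSTS = {
    "centos7":    {"/etc/system-release": "CentOS Linux release 7.9.2009 (Core)\n"},
    "virtuozzo7": {"/etc/system-release": "Virtuozzo Linux release 7.9\n"},
    "openvz7":    {"/etc/system-release": "OpenVZ release 7.0.15 (136)\n"},
}

# Requirements rules as they appear in the thread: the stock CentOS 7 line,
# Alberto's Virtuozzo replacement, and the OpenVZ line J J needed on his hosts.
CENTOS_RULE    = "f:/etc/system-release -> r:^CentOS && r:release 7"
VIRTUOZZO_RULE = "f:/etc/system-release -> r:^Virtuozzo && r:release 7"
OPENVZ_RULE    = "f:/etc/system-release -> r:^OpenVZ && r:release 7"

_FILE_RULE = re.compile(r"^f:(?P<path>\S+)\s*->\s*(?P<terms>.+)$")

def file_rule_matches(rule: str, files: dict) -> bool:
    """Evaluate one 'f:<path> -> r:<re> && r:<re>' rule against a path -> contents dict.
    Simplified model (assumption): the rule passes when a single line of the file
    satisfies every r: term. Python's re stands in for Wazuh's own regex engine."""
    m = _FILE_RULE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    contents = files.get(m.group("path"))
    if contents is None:  # file missing on the host: the rule fails
        return False
    patterns = []
    for term in m.group("terms").split("&&"):
        term = term.strip()
        if not term.startswith("r:"):
            raise ValueError(f"only r: terms are modelled here: {term!r}")
        patterns.append(re.compile(term[2:]))
    return any(all(p.search(line) for p in patterns) for line in contents.splitlines())

def requirements_met(rules: list, condition: str, files: dict) -> bool:
    """Apply a policy's requirements block: 'any' needs one rule to pass, 'all' needs every rule."""
    results = [file_rule_matches(r, files) for r in rules]
    return any(results) if condition == "any" else all(results)

if __name__ == "__main__":
    for name, files in HOSTS.items():
        stock = requirements_met([CENTOS_RULE], "any", files)
        patched = requirements_met([VIRTUOZZO_RULE, OPENVZ_RULE], "any", files)
        print(f"{name:<11} stock CentOS policy: {stock!s:<5} Virtuozzo+OpenVZ policy: {patched}")
```

With only the Virtuozzo line the OpenVZ host is still skipped, which is the gap J J closed by adding the second rule under `condition: any`.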