Unable to parse Redhat OVAL feeds in 3.8.2


joe ruwe

May 14, 2019, 9:35:47 PM5/14/19
to Wazuh mailing list
Hi,

I had set up a feed of OVAL definitions on an HTTP server in my production environment for Redhat.

    <feed name="redhat-7">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
      <url port="80">http://[host]/Red_Hat_Enterprise_Linux_7.xml</url>
    </feed>
    <feed name="redhat-6">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
      <url port="80">http://[host]/Red_Hat_Enterprise_Linux_6.xml</url>
    </feed>

When I upgraded to 3.8.2, it told me that my config was deprecated and that it could not parse the XML files, and the vulnerability detection stopped returning results.

2019/05/15 00:44:53 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the feeds ended successfully.
2019/05/15 00:44:54 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Red Hat Enterprise Linux database update...
2019/05/15 00:44:54 wazuh-modulesd:vulnerability-detector: ERROR: (5491): The Red Hat Enterprise Linux feed couldn't be parsed.
2019/05/15 00:44:54 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.
2019/05/15 00:45:50 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the feeds ended successfully.
2019/05/15 00:45:51 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the feeds ended successfully.
2019/05/15 00:45:51 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2019/05/15 00:45:52 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2019/05/15 00:49:54 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the feeds ended successfully.
2019/05/15 00:49:55 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Red Hat Enterprise Linux database update...
2019/05/15 00:49:55 wazuh-modulesd:vulnerability-detector: ERROR: (5491): The Red Hat Enterprise Linux feed couldn't be parsed.
2019/05/15 00:49:55 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.

This thread outlined how to give wazuh vulnerability data to parse from https://access.redhat.com/labs/securitydataapi/cve.json, but there are several problems:

1) This data is inconsistent with the OVAL risk ranking. The cve.json uses a low, moderate, important ranking and the OVAL data uses Low, Moderate, High, Critical.

2) The cve.json feed does not contain all relevant CVEs.  For example, the cve.json feed does not contain anything about https://access.redhat.com/security/cve/cve-2017-5461, but the OVAL files do.

I need a vulnerability feed that maintains consistency with previous versions and contains all CVE data in the official OVAL files.  How do I get Wazuh to use proper OVAL feeds again?

Thanks!

--Joe
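A quick way to check both complaints against the actual files, as an added example that is not from the thread: it reads the OVAL definitions and the Security Data API cve.json side by side and reports CVEs present in only one feed plus CVEs whose severity labels disagree. The feed layouts and the sample records below are constructed to match the shapes the thread describes; point the two loaders at the real downloads to confirm coverage before switching feeds.

```python
import json
import xml.etree.ElementTree as ET
# Constructed OVAL fragment laid out like a Red Hat OVAL definitions file (default
# namespace, one <definition> per advisory with the advisory's severity and CVE list).
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definitions>
<definition id="oval:com.redhat.rhsa:def:20170001" class="patch"><metadata>
<advisory><severity>Important</severity>
<cve href="https://access.redhat.com/security/cve/CVE-2017-5461">CVE-2017-5461</cve>
</advisory></metadata></definition>
<definition id="oval:com.redhat.rhsa:def:20190001" class="patch"><metadata>
<advisory><severity>High</severity>
<cve href="https://access.redhat.com/security/cve/CVE-2019-0001">CVE-2019-0001</cve>
</advisory></metadata></definition>
</definitions></oval_definitions>"""

# Constructed records in the shape of the Security Data API cve.json list.
CVE_JSON = json.dumps([{"CVE": "CVE-2019-0001", "severity": "important"},
                       {"CVE": "CVE-2019-0002", "severity": "moderate"}])

def _local(tag):
    """Strip the XML namespace so the walk works whatever prefix a feed uses."""
    return tag.rsplit("}", 1)[-1]

def oval_severities(xml_text):
    """Map CVE id -> severity label exactly as written in the OVAL advisory."""
    out = {}
    for adv in ET.fromstring(xml_text).iter():
        if _local(adv.tag) != "advisory":
            continue
        sev = next((c.text for c in adv.iter() if _local(c.tag) == "severity"), None)
        for c in adv.iter():
            if _local(c.tag) == "cve" and c.text:
                out[c.text.strip()] = sev
    return out

def json_severities(json_text):
    """Map CVE id -> severity label exactly as written in cve.json."""
    return {rec["CVE"]: rec.get("severity") for rec in json.loads(json_text)}

def compare_feeds(oval, cve):
    """Coverage gaps in either direction plus CVEs whose labels disagree (case-insensitive)."""
    common = set(oval) & set(cve)
    return {
        "only_in_oval": sorted(set(oval) - set(cve)),
        "only_in_json": sorted(set(cve) - set(oval)),
        "label_mismatch": {c: (oval[c], cve[c]) for c in sorted(common)
                           if (oval[c] or "").lower() != (cve[c] or "").lower()},
    }
```

Call `compare_feeds(oval_severities(open(oval_path).read()), json_severities(open(json_path).read()))` on the real files; an empty `only_in_oval` list is what the poster needed to see before dropping the OVAL feed.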

joe ruwe

May 14, 2019, 9:58:19 PM5/14/19
to Wazuh mailing list
I was able to get a full feed of the CVEs, I believe.  Issue #2 doesn't look like it applies. However, the criticality rankings are still inconsistent as are the vulnerability names.  I still would like to use OVAL feeds instead of the CVE api.

Eva Lopez

May 15, 2019, 5:33:56 AM5/15/19
to Wazuh mailing list
Hello Joe Ruwe,

If you want to use OVAL files you can use OpenSCAP. Wazuh integrates OpenSCAP as described in our documentation: https://documentation.wazuh.com/current/user-manual/capabilities/policy-monitoring/openscap/index.html

An OpenSCAP scan in a Red Hat system can help you detect the necessity of a security patch, which may be associated with a set of vulnerabilities, but you don't know for sure which of these vulnerabilities affect your system.

Since 3.8 the vulnerability-detector output shows the direct relationship between vulnerability (CVE) and package. It also incorporates the related advisories into the alert. For this reason, the vulnerability detector only works with the Red Hat Security Data API.

As described in the thread, you can generate the JSON file using feed-generator.sh.

Also, the configuration is deprecated. Now only one Red Hat feed exists:

    <feed name="redhat">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
      <url port="80">http://[host]/rh-feed.json</url>
    </feed>

Kind regards, Eva