open-scap / oscap wodle isn't present in v4 ?


Michael Mansour

Feb 3, 2021, 10:46:34 PM
to Wazuh mailing list

Hi,

I'm new to Wazuh and spending some time on it to understand and know my way around.

I went through the process of installing Wazuh on CentOS 7, with the Wazuh manager separate from Elasticsearch and Kibana.

Details in About are:

App version: 4.0.4
App revision: 4016
Install date: Feb 1, 2021 2:13:04 PM

I configured the vulnerability scan item, which reports things like "openvpn" affected by CVE-2020-7224 etc. But all patches from upstream (Red Hat) have been applied, and because Red Hat back-ports fixes, it's impossible this package is affected by this particular vulnerability.

So to get an accurate view of actual vulnerability on a server, OVAL/SCAP data is required. This brings me to OpenSCAP.

In trying to install OpenSCAP using the information on v4:
it simply doesn't work. Tracking down the reason (after debugging etc.) is simple: no wodle exists either on the Wazuh server (via wazuh-manager-4.0.4-1.x86_64 RPM) or on the wazuh-agent (via wazuh-agent-4.0.4-1.x86_64).

On the Wazuh server:

# ll /var/ossec/wodles/
total 0
drwxr-x---. 2 root ossec 37 Feb  1 14:00 aws
drwxr-x---. 2 root ossec 45 Feb  1 14:00 azure
drwxr-x---. 2 root ossec 53 Feb  1 14:00 docker
drwxr-x---. 2 root ossec 75 Feb  1 14:00 gcloud

On the Wazuh agent:

# ll /var/ossec/wodles/
total 0
drwxr-x--- 2 root ossec 20 Feb  1 15:48 aws
drwxr-x--- 2 root ossec 28 Feb  1 15:48 docker
drwxr-x--- 2 root ossec 58 Feb  1 15:48 gcloud

Why has this been missed?

Is it intentional? Is it in another package? Why doesn't the doc page speak of it?

My intention is to go here:


and pull those files down, add them to the directories above and try restarting the agents.

The error of "Internal error" is received when following the on-line instructions because (after debug) the .py files don't exist.

I also figured out that in the Wazuh Manager GUI -> Settings you have to enable "OpenSCAP" toggle to see the OpenSCAP menu in the GUI. This should also be mentioned in the docs.

Please advise if I've gotten anything wrong in the above.

Thank you.

Michael.

victor...@wazuh.com

Feb 4, 2021, 11:46:17 AM
to Wazuh mailing list

Hi Michael,
We have been working on your issue and it seems like there is a problem with the National Vulnerability Database.
The Wazuh Vulnerability Detector module first checks if the package comes from a known vendor like Red Hat or, in this case, CentOS.
If the package comes from an external vendor, as it is in this case (Fedora Project), Wazuh goes to NVD: https://nvd.nist.gov/vuln.

  [root@centos7 rules]# rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{VENDOR}\n' | grep openvpn
  openvpn-2.4.10-1.el7.x86_64 Fedora Project

NVD is giving Wazuh wrong information: CVE-2020-7224 stands for the package “Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows”, not for the actually installed package openvpn-2.4.10-1.el7.x86_64.

To fix this issue with NVD, you could try to install OpenVPN from their website https://openvpn.net/openvpn-client-for-linux/.

The OpenSCAP issue that you are reporting is a documentation mistake on our part and we are working to fix it as soon as possible. You can keep track of the issue here: https://github.com/wazuh/wazuh-documentation/issues/3357.

Hope it helps!

Regards,
Víctor.
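The triage logic Víctor describes (check the rpm VENDOR field first; trust the distro's own feed for Red Hat/CentOS builds because of back-ported fixes; fall back to NVD only for third-party packages, where a name-only match can hit an unrelated product such as the Aviatrix OpenVPN client) can be reproduced in a few lines. The script below is an added example for this thread, not Wazuh's Vulnerability Detector code. The rpm output lines and the CPE-style records (including the version range attached to CVE-2020-7224 and the placeholder CVE-EXAMPLE-0001) are constructed for illustration; it parses the same `rpm -qa --queryformat` format shown in the reply and contrasts a naive product-name match with a strict one.

```python
"""Vendor-aware triage of vulnerability matches for RPM packages.

Added example (not Wazuh code). Reproduces the reasoning from the thread:
  1. packages built by the distro vendor (Red Hat, CentOS) are checked against
     the vendor feed, because back-ported fixes make upstream version ranges
     meaningless for them;
  2. everything else goes to NVD, where matching on the product name alone
     can pull in an unrelated product that merely contains the same word.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Format produced by:
#   rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{VENDOR}\n'
# NAME may contain dashes, so VERSION/RELEASE/ARCH are anchored from the right.
RPM_LINE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-\s]+)-(?P<release>[^-\s]+)\.(?P<arch>[^.\s]+)\s+(?P<vendor>.+)$"
)

# Vendor strings (lower-cased) whose packages carry back-ported fixes.
KNOWN_DISTRO_VENDORS = {"red hat, inc.", "centos"}


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    release: str
    arch: str
    vendor: str


@dataclass(frozen=True)
class CpeRecord:
    """Simplified NVD-style affected-product record (constructed for the example)."""
    cve: str
    vendor: str
    product: str
    version_end_including: str


# Constructed records. The first mirrors the thread: CVE-2020-7224 describes the
# Aviatrix OpenVPN *client* through 2.5.7, not the openvpn daemon package.
# The second is a placeholder id, not a real CVE.
CPE_RECORDS = [
    CpeRecord("CVE-2020-7224", "aviatrix", "openvpn_client", "2.5.7"),
    CpeRecord("CVE-EXAMPLE-0001", "openvpn", "openvpn", "2.4.8"),
]


def parse_rpm_line(line: str) -> Package:
    m = RPM_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rpm line: {line!r}")
    return Package(**m.groupdict())


def feed_for(pkg: Package) -> str:
    """'vendor' for distro-built packages, 'nvd' for third-party ones."""
    return "vendor" if pkg.vendor.lower() in KNOWN_DISTRO_VENDORS else "nvd"


def version_key(v: str) -> Tuple[int, ...]:
    # Numeric-component comparison is enough for the constructed sample data.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def naive_nvd_matches(pkg: Package, records: List[CpeRecord]) -> List[str]:
    """Name-only lookup: any product containing the package name, in range.
    This is how openvpn-2.4.10 picks up an Aviatrix client CVE."""
    return [r.cve for r in records
            if pkg.name in r.product
            and version_key(pkg.version) <= version_key(r.version_end_including)]


def strict_nvd_matches(pkg: Package, records: List[CpeRecord]) -> List[str]:
    """Require the CPE product to equal the package name exactly, then compare versions."""
    return [r.cve for r in records
            if r.product == pkg.name
            and version_key(pkg.version) <= version_key(r.version_end_including)]


def triage(pkg: Package, records: List[CpeRecord]) -> Tuple[str, List[str]]:
    """Return (feed, cve_ids). Vendor-built packages return no NVD matches at
    all: their status must come from the vendor's OVAL/advisory feed."""
    feed = feed_for(pkg)
    if feed == "vendor":
        return feed, []
    return feed, strict_nvd_matches(pkg, records)


# Constructed sample of rpm output (not captured from a real host).
SAMPLE_RPM_OUTPUT = """\
openvpn-2.4.10-1.el7.x86_64 Fedora Project
kernel-3.10.0-1160.el7.x86_64 CentOS
openssl-1.0.2k-19.el7.x86_64 CentOS
"""

if __name__ == "__main__":
    for line in SAMPLE_RPM_OUTPUT.splitlines():
        pkg = parse_rpm_line(line)
        print(f"{pkg.name}-{pkg.version}-{pkg.release} vendor={pkg.vendor!r}")
        print("   naive NVD match :", naive_nvd_matches(pkg, CPE_RECORDS))
        print("   triage          :", triage(pkg, CPE_RECORDS))
```

Running it shows `openvpn-2.4.10` matching CVE-2020-7224 under the naive rule and nothing under the strict one, while the two CentOS packages are routed to the vendor feed regardless of what NVD says about their upstream version numbers. The regex is anchored from the right so package names containing dashes parse correctly; the version comparison is deliberately simple and would need rpm's own version ordering for real release strings.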
