OpenSCAP no data has been collected.


Luke Lee

Mar 4, 2019, 3:16:12 AM
to Wazuh mailing list
Dear all, I am trying to configure this "OpenSCAP" module. Based on the manual, I have completed the settings and configuration. 

Unfortunately, no data has been collected when we go to the OpenSCAP tab. Where should I look for logs and how would I troubleshoot this issue? Thanks.

Alberto Marín

Mar 4, 2019, 7:04:22 AM
to Wazuh mailing list
Hi Luke,

By default, the policy files included in Wazuh are valid for the following OS:

- Debian 8
- Debian 9
- RedHat/Centos 6
- RedHat/Centos 7
- Fedora 24
- Ubuntu 14.04
- Ubuntu 16.04

If your OS is in the list above, maybe the module is not working as expected. In this case an error/warning should be logged in the ossec.log file.

Hope this helps. 

For any other question or additional information please don't hesitate to contact us.

Best regards.

Luke Lee

Mar 4, 2019, 9:23:01 PM
to Wazuh mailing list
Hi Alberto, 

It seems like there is no error in the log file. All the modules are running. Is there anywhere I can check?
[Attachment: Capture.PNG]

Luke Lee

Mar 5, 2019, 2:44:01 AM
to Wazuh mailing list
Hi, 

I found one issue with this OpenSCAP. Please refer to the error msg. How should I resolve this?

[Attachment: Capture2.PNG]

Alberto Marín

Mar 5, 2019, 2:46:22 PM
to Wazuh mailing list
Hi Luke,

This error is related to the policy file for OpenSCAP. The XML files for OpenSCAP are included during the installation automatically. The installation script detects the OS version and adds the correct configuration in the ossec.conf file and also the XML file.

For example, in a CentOS 7 system, the configuration should be:

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>

and the policy file:

[root@centos7 ~]# ls -la /var/ossec/wodles/oscap/content/
total 12480
drwxr-x---. 2 root ossec       33 Mar  5 20:36 .
drwxr-x---. 3 root ossec      101 Mar  5 20:36 ..
-rw-r-----. 1 root ossec 12775951 Mar  5 20:36 ssg-centos-7-ds.xml



Anyway, you can download the XML files from this URL if you need other policy files: https://github.com/wazuh/wazuh/tree/master/wodles/oscap/content

Best regards.

Luke Lee

Mar 5, 2019, 8:11:40 PM
to Wazuh mailing list
Hi Alberto,

May I know whether the first configuration is done on the host server where the Wazuh server is? My host server is Ubuntu 16.04.5. How should I do that? Is it correct if I do the following?

How about the agents server, do I need to make any changes?

  <wodle name="open-scap">
   <disabled>yes</disabled>
   <timeout>1800</timeout>
   <interval>1d</interval>
   <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">

Luke Lee

Mar 5, 2019, 9:07:24 PM
to Wazuh mailing list
For sharing, it's working on my Wazuh server already:

    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
      <profile>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</profile>
      <profile>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</profile>
      <profile>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</profile>
      <profile>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</profile>
    </content>


Meanwhile, I realized my agent server's OSCAP is still not working. Do I need to configure the above also on client's ossec.conf file?

Luke Lee

Mar 7, 2019, 3:27:34 AM
to Wazuh mailing list
Hi all, 

I faced some difficulties when I tried to configure the agent (Ubuntu 14.04). The configuration file includes the following:

    <content type="oval" path="/var/ossec/wodles/oscap/content/cve-debian-oval.xml"/>

However, I realized there is no such file (cve-debian-oval.xml) in the directory. Where can I download this file?

Secondly, from Wazuh portal there is no data shown. What is the problem? Kindly advise. 

Alberto Marín

Apr 22, 2019, 5:39:56 AM
to Wazuh mailing list
Hi Luke,

Sorry for the late response.

The OpenSCAP configuration for Ubuntu 14.04 should be the following:

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-ubuntu-1404-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>


The file cve-debian-oval.xml was removed and replaced by a new specific version for Debian 7 and Debian 8.


Best regards.
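
An added example, not part of the original thread and not Wazuh project code: a small checker for the two causes of an empty OpenSCAP tab that come up above, a disabled `open-scap` wodle and a `<content>` entry whose policy file is not in the content directory. It assumes relative `path` values resolve against `/var/ossec/wodles/oscap/content` and that a missing `<disabled>` tag means enabled; `check_openscap` and `SAMPLE` are hypothetical names, and the sample configuration is constructed.

```python
import os
import re
import xml.etree.ElementTree as ET

CONTENT_DIR = "/var/ossec/wodles/oscap/content"  # directory listed in the thread

# Constructed sample: an agent config with the two problems seen in the thread.
SAMPLE = """
<ossec_config>
  <wodle name="open-scap">
    <disabled>yes</disabled>
    <content type="xccdf" path="ssg-ubuntu-1404-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="/var/ossec/wodles/oscap/content/cve-debian-oval.xml"/>
  </wodle>
</ossec_config>
<ossec_config>
  <wodle name="syscollector"><disabled>no</disabled></wodle>
</ossec_config>
"""

def check_openscap(conf_text, content_dir=CONTENT_DIR, exists=os.path.isfile):
    """Return a list of findings for every open-scap wodle in ossec.conf text."""
    # ossec.conf may hold several <ossec_config> roots, so wrap them in one.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<root>" + body + "</root>")
    wodles = [w for w in root.iter("wodle") if w.get("name") == "open-scap"]
    if not wodles:
        return ["no open-scap wodle configured"]
    findings = []
    for wodle in wodles:
        # Assumption: an absent <disabled> tag means the module is enabled.
        if (wodle.findtext("disabled") or "no").strip() == "yes":
            findings.append("module is disabled (<disabled>yes</disabled>)")
        contents = wodle.findall("content")
        if not contents:
            findings.append("no <content> policy configured")
        for content in contents:
            path = content.get("path", "")
            # Assumption: relative paths resolve against the content directory.
            full = path if os.path.isabs(path) else os.path.join(content_dir, path)
            if not exists(full):
                findings.append("policy file missing: " + full)
    return findings

if __name__ == "__main__":
    import sys
    # With no argument, check the constructed sample; otherwise the given ossec.conf.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_openscap(text)) or "open-scap configuration looks consistent")
```

Run it on each host whose OpenSCAP tab is empty, passing the path to that host's ossec.conf, since the manager and every agent carry their own wodle configuration and policy files.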

