Vulnerability Scanner & OpenSCAP are not working


Utkarsh Bhargava

Sep 7, 2018, 8:12:29 AM
to Wazuh mailing list
Vulnerability scanner and OpenSCAP wodles are not working on Wazuh 3.6.
It's giving me errors like:

2018/09/07 17:15:35 wazuh-modulesd:oscap: WARNING: Ignoring content 'ssg-ubuntu-1604-ds.xml' due to error (127).
2018/09/07 17:31:44 wazuh-modulesd:oscap: DEBUG: Launching command: /var/ossec/wodles/oscap/oscap.py --xccdf ssg-debian-8-ds.xml --profiles xccdf_org.ssgproject.content_profile_pci-dss,xccdf_org.ssgproject.content_profile_common
2018/09/07 17:31:44 wazuh-modulesd:oscap: WARNING: Ignoring content 'ssg-debian-8-ds.xml' due to error (1).
2018/09/07 17:31:44 wazuh-modulesd:oscap: DEBUG: OUTPUT: oscap: ERROR: Profile "xccdf_org.ssgproject.content_profile_pci-dss" does not exist at "wodles/oscap/content/ssg-debian-8-ds.xml".

Please help

migue...@wazuh.com

Sep 7, 2018, 11:36:15 AM
to Wazuh mailing list
Hi Utkarsh,

Can you give us some more information?

It would help us to know what OS and specific configuration you are using, that way we can test it out.

Best regards.

Utkarsh Bhargava

Sep 7, 2018, 11:52:24 PM
to migue...@wazuh.com, Wazuh mailing list
I am using Ubuntu 16.04 Server as my Wazuh 3.6 manager & API server.

Wazuh agents are installed on Debian 8 & Ubuntu 16.04 servers.

OpenSCAP Config:

<wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
    <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
    <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
</wodle>

Vulnerability Scanner Config:

<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-16">
    <disabled>no</disabled>
    <path>cve-ubuntu-xenial-oval.xml</path>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="redhat-7">
    <disabled>yes</disabled>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="debian-9">
    <disabled>yes</disabled>
    <update_interval>1h</update_interval>
  </feed>
</wodle>

Chema Martinez

Sep 18, 2018, 7:19:16 AM
to utk...@null.co.in, migue...@wazuh.com, Wazuh mailing list
Hi Utkarsh,

I have noticed an error in your OpenSCAP module configuration: the profile you are trying to run for the benchmark "ssg-ubuntu-1604-ds.xml" doesn't exist. It is a profile included in the RHEL and CentOS benchmarks. You can check this by looking for the available profiles in that benchmark file:

# grep "xccdf_org.ssgproject.content_profile" ssg-ubuntu-1604-ds.xml
      <Profile id="xccdf_org.ssgproject.content_profile_common">
      <Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal">
      <Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_average">
      <Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive">
      <Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_high">

Replace that profile and it should work correctly.

On the other hand, what issue are you experiencing with the Vulnerability detector? Could you be more descriptive about it?

Best regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.
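The check above can be done programmatically so that a profile that the content does not define is caught before the scan is ever launched. The following Python script is an added example, not code from the thread or from Wazuh: it lists the Profile ids in a SCAP datastream and compares them with the `<profile>` entries of an `open-scap` wodle block. The datastream text is a constructed stand-in that carries only the profile ids shown in the grep output; the wodle block is the one from the original post. The content directory `/var/ossec/wodles/oscap/content/` mentioned in the comments is assumed from the paths in the error messages.

```python
"""Validate the <profile> entries of a Wazuh open-scap wodle against the SCAP datastream
they reference, so a profile the content lacks is caught before the scan is launched
(the cause of the 'Profile ... does not exist' error in this thread)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed stand-in for ssg-ubuntu-1604-ds.xml: only the Profile ids matter for this check.
# The check below ignores namespaces and matches on the local element name "Profile".
SAMPLE_DATASTREAM = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-ubuntu1604-xccdf-1.2.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common">
        <xccdf:title>Common Profile for General-Purpose Ubuntu Systems</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal"/>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_average"/>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive"/>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""

# The wodle block from the original post; it references a profile the Ubuntu content lacks.
BROKEN_WODLE = """<wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
    <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
    <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
</wodle>
"""

# The same block with the non-existent profile removed.
FIXED_WODLE = BROKEN_WODLE.replace(
    "    <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>\n", "")


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def list_profiles(datastream_xml: str) -> List[str]:
    """Return every Profile id in the datastream, in document order, regardless of namespace."""
    root = ET.fromstring(datastream_xml)
    return [el.get("id") for el in root.iter()
            if _local_name(el.tag) == "Profile" and el.get("id")]


def check_wodle(wodle_xml: str, content_by_path: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each <content path=...> to the <profile> ids that its datastream does not define.

    content_by_path maps the 'path' attribute (a file name in the oscap content directory) to
    the datastream XML text. A path with no entry is reported with a placeholder entry so the
    caller sees the missing file instead of an empty result. An empty dict means all is well.
    """
    wodle = ET.fromstring(wodle_xml)
    problems: Dict[str, List[str]] = {}
    for content in wodle.findall("content"):
        path = content.get("path", "")
        ds_xml = content_by_path.get(path)
        if ds_xml is None:
            problems[path] = ["<content file not found>"]
            continue
        available = set(list_profiles(ds_xml))
        wanted = [p.text.strip() for p in content.findall("profile") if p.text]
        missing = [p for p in wanted if p not in available]
        if missing:
            problems[path] = missing
    return problems


if __name__ == "__main__":
    # On a real manager you would read the datastream files from the oscap content directory
    # (assumed here to be /var/ossec/wodles/oscap/content/) and the <wodle name="open-scap">
    # block from ossec.conf; the constructed samples are used instead.
    content = {"ssg-ubuntu-1604-ds.xml": SAMPLE_DATASTREAM}
    for label, wodle in (("broken", BROKEN_WODLE), ("fixed", FIXED_WODLE)):
        print(label, "->", check_wodle(wodle, content) or "all profiles exist")
```

Running it prints the offending `pci-dss` profile for the broken block and "all profiles exist" for the fixed one. Matching on the local element name rather than a fixed namespace prefix keeps the check working for datastreams that declare the XCCDF namespace under a different prefix.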


Chema Martinez

Sep 18, 2018, 12:28:18 PM
to utk...@null.co.in, Miguel Ruiz, Wazuh mailing list
Hi again Utkarsh,

I have set up a test environment to check whether there is any issue with the OpenSCAP module and the Vulnerability detector. To do this, I have installed the Wazuh manager v3.6.1 on an Ubuntu 16.04.

To run the OpenSCAP module, here is my configuration:

<wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>

  <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
    <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
</wodle>

After starting the manager, I get alerts about the report provided by OpenSCAP. Those alerts could take a while (1-2 minutes), but after the scan is launched and the results are processed, we can see alerts like the following:

  • Summary alert
** Alert 1537287046.48893: - oscap,oscap-report,pci_dss_2.2,
2018 Sep 18 09:10:46 ubuntu->wodle_open-scap
Rule: 81542 (level 5) -> 'OpenSCAP Report overview: Score less than 80'
oscap: msg: "xccdf-overview", scan-id: "0001537287045", content: "ssg-ubuntu-1604-ds.xml", benchmark-id: "xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Ubuntu Systems", score: "53.888885".
oscap.scan.id: 0001537287045
oscap.scan.content: ssg-ubuntu-1604-ds.xml
oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL
oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_common
oscap.scan.profile.title: Common Profile for General-Purpose Ubuntu Systems
oscap.scan.score: 53.888885

  • Particular check
** Alert 1537287046.38056: - oscap,oscap-result,pci_dss_2.2,
2018 Sep 18 09:10:46 ubuntu->wodle_open-scap
Rule: 81531 (level 9) -> 'OpenSCAP: Enable the ntpd service (not passed)'
oscap: msg: "xccdf-result", scan-id: "0001537287045", content: "ssg-ubuntu-1604-ds.xml", title: "Enable the ntpd service", id: "xccdf_org.ssgproject.content_rule_service_ntpd_enabled", result: "fail", severity: "high", description: "The ntpd service should be enabled.", rationale: "Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906." references: "AU-8(1) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), 160 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), Req-10.4 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), NT012(R03) (http://www.ssi.gouv.fr/administration/bonnes-pratiques/)", identifiers: "CCE- (https://nvd.nist.gov/cce/index.cfm)", oval-id: "oval:ssg-service_ntpd_enabled:def:1", benchmark-id: "xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Ubuntu Systems".
oscap.scan.id: 0001537287045
oscap.scan.content: ssg-ubuntu-1604-ds.xml
oscap.check.title: Enable the ntpd service
oscap.check.id: xccdf_org.ssgproject.content_rule_service_ntpd_enabled
oscap.check.result: fail
oscap.check.severity: high
oscap.check.description: The ntpd service should be enabled.
oscap.check.rationale: Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.
oscap.check.identifiers: CCE- (https://nvd.nist.gov/cce/index.cfm)
oscap.check.oval.id: oval:ssg-service_ntpd_enabled:def:1
oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL
oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_common
oscap.scan.profile.title: Common Profile for General-Purpose Ubuntu Systems

These alerts have been collected from the alerts.log file; we get the same alerts in JSON format in the alerts.json file, which are sent to Elasticsearch or Splunk if you have deployed one of them.

On the other hand, for the Vulnerability detector module we follow similar steps. Ensure that the Syscollector module is enabled, because it is the module that collects the package inventory to be evaluated by the Vulnerability detector. My configuration for this purpose is the following:

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <wodle name="vulnerability-detector">
    <disabled>no</disabled>
    <interval>1m</interval>
    <run_on_start>yes</run_on_start>
    <feed name="ubuntu-16">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
    </feed>
    <feed name="redhat-7">
      <disabled>yes</disabled>
      <update_interval>1h</update_interval>
    </feed>
    <feed name="debian-9">
      <disabled>yes</disabled>
      <update_interval>1h</update_interval>
    </feed>
  </wodle>

As you can see above, I only need the Ubuntu-16 ovals to get the vulnerable packages from this host.

After launching the manager, you can look for log messages from Vulnerability detector:

2018/09/18 09:10:45 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Ubuntu Xenial database update...
2018/09/18 09:11:09 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2018/09/18 09:11:15 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.

Finally, after the scan is finished, detected vulnerable packages generate alerts like this one:

** Alert 1537287070.94231: - vulnerability-detector,gdpr_IV_35.7.d,
2018 Sep 18 09:11:10 ubuntu->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2017-0855 on Ubuntu 16.04 LTS (xenial) - medium.'
{"vulnerability":{"cve":"CVE-2017-0855","title":"CVE-2017-0855 on Ubuntu 16.04 LTS (xenial) - medium.","severity":"Medium","published":"2018-01-12","updated":"2018-01-12","reference":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0855","state":"Unfixed","package":{"name":"firefox","version":"54.0+build3-0ubuntu0.16.04.1","condition":"oval:com.ubuntu.xenial:tst:10"}}}
vulnerability.cve: CVE-2017-0855
vulnerability.title: CVE-2017-0855 on Ubuntu 16.04 LTS (xenial) - medium.
vulnerability.severity: Medium
vulnerability.published: 2018-01-12
vulnerability.updated: 2018-01-12
vulnerability.state: Unfixed
vulnerability.package.version: 54.0+build3-0ubuntu0.16.04.1
vulnerability.package.condition: oval:com.ubuntu.xenial:tst:10

I recommend that you check your configuration again and try to run the scans again.

If you have more doubts, don't hesitate to ask us!

I hope it helps.

Chema Martinez | IT Engineer — Wazuh, Inc.
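The alerts shown in this reply all follow the same alerts.log layout: a `** Alert` header with the rule groups, a timestamp and location line, a `Rule:` line with the level and description, the decoded log (a JSON payload for the vulnerability detector) and then the decoded dotted fields. The script below is an added example, not code from the thread or from Wazuh: it parses that layout and pulls out the facts a reviewer wants from a scan run, the OpenSCAP score per profile, the checks that failed with their severity, and the vulnerable packages with their fix state. The sample records are constructed from the three alerts above with the long full-log lines shortened; the default alerts.log path in the comment is an assumption.

```python
"""Parse Wazuh alerts.log records from the open-scap and vulnerability-detector wodles
and summarize them (scan scores, failed checks, vulnerable packages)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the three alerts in the reply (full-log lines shortened).
SAMPLE_ALERTS = """** Alert 1537287046.48893: - oscap,oscap-report,pci_dss_2.2,
2018 Sep 18 09:10:46 ubuntu->wodle_open-scap
Rule: 81542 (level 5) -> 'OpenSCAP Report overview: Score less than 80'
oscap: msg: "xccdf-overview", scan-id: "0001537287045", content: "ssg-ubuntu-1604-ds.xml", score: "53.888885".
oscap.scan.id: 0001537287045
oscap.scan.content: ssg-ubuntu-1604-ds.xml
oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_common
oscap.scan.score: 53.888885

** Alert 1537287046.38056: - oscap,oscap-result,pci_dss_2.2,
2018 Sep 18 09:10:46 ubuntu->wodle_open-scap
Rule: 81531 (level 9) -> 'OpenSCAP: Enable the ntpd service (not passed)'
oscap: msg: "xccdf-result", scan-id: "0001537287045", title: "Enable the ntpd service", result: "fail", severity: "high".
oscap.scan.id: 0001537287045
oscap.check.title: Enable the ntpd service
oscap.check.id: xccdf_org.ssgproject.content_rule_service_ntpd_enabled
oscap.check.result: fail
oscap.check.severity: high

** Alert 1537287070.94231: - vulnerability-detector,gdpr_IV_35.7.d,
2018 Sep 18 09:11:10 ubuntu->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2017-0855 on Ubuntu 16.04 LTS (xenial) - medium.'
{"vulnerability":{"cve":"CVE-2017-0855","severity":"Medium","state":"Unfixed","package":{"name":"firefox","version":"54.0+build3-0ubuntu0.16.04.1","condition":"oval:com.ubuntu.xenial:tst:10"}}}
vulnerability.cve: CVE-2017-0855
vulnerability.severity: Medium
vulnerability.state: Unfixed
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?:mail\s+)?- (?P<groups>.*)$")
LOCATION = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<agent>.+?)->(?P<location>.+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD = re.compile(r"^(?P<key>[A-Za-z0-9_.]+): (?P<value>.*)$")


def parse_alerts(text: str) -> List[Dict]:
    """Split alerts.log text into blank-line separated records and parse each into a dict."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an alert record; skip rather than fail on stray lines
        alert: Dict = {"id": head["id"],
                       "groups": [g for g in head["groups"].split(",") if g],
                       "fields": {}, "json": None}
        for line in lines[1:]:
            if (m := LOCATION.match(line)):
                alert.update(timestamp=m["ts"], agent=m["agent"], location=m["location"])
            elif (m := RULE.match(line)):
                alert.update(rule=int(m["rule"]), level=int(m["level"]), description=m["desc"])
            elif line.startswith("{"):
                alert["json"] = json.loads(line)  # vulnerability-detector payload is JSON
            elif (m := FIELD.match(line)):
                # decoded dotted fields; the raw "oscap: msg: ..." line lands under key "oscap"
                alert["fields"][m["key"]] = m["value"]
        alerts.append(alert)
    return alerts


def scan_scores(alerts: List[Dict]) -> Dict[str, float]:
    """Profile id -> score from every OpenSCAP overview alert."""
    return {a["fields"]["oscap.scan.profile.id"]: float(a["fields"]["oscap.scan.score"])
            for a in alerts if "oscap-report" in a["groups"]}


def failed_checks(alerts: List[Dict]) -> List[Tuple[str, str]]:
    """(check title, severity) for every OpenSCAP rule whose result is 'fail'."""
    return [(a["fields"]["oscap.check.title"], a["fields"]["oscap.check.severity"])
            for a in alerts
            if "oscap-result" in a["groups"] and a["fields"].get("oscap.check.result") == "fail"]


def vulnerable_packages(alerts: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(cve, package, version, state) from vulnerability-detector alerts, read from the JSON."""
    out = []
    for a in alerts:
        if "vulnerability-detector" not in a["groups"] or not a["json"]:
            continue
        v = a["json"].get("vulnerability", {})
        pkg = v.get("package", {})
        out.append((v.get("cve"), pkg.get("name"), pkg.get("version"), v.get("state")))
    return out


def at_or_above(alerts: List[Dict], level: int) -> List[str]:
    """Descriptions of alerts at the given rule level or higher, as a quick triage list."""
    return [a["description"] for a in alerts if a.get("level", 0) >= level]


if __name__ == "__main__":
    # On a manager: parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()) (assumed default path)
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("scores:", scan_scores(parsed))
    print("failed checks:", failed_checks(parsed))
    print("vulnerable packages:", vulnerable_packages(parsed))
    print("level >= 7:", at_or_above(parsed, 7))
```

The package name is taken from the JSON payload rather than the dotted fields because, as the alert above shows, `vulnerability.package.name` is not among the decoded fields while `package.name` is present in the JSON. Records that do not start with a `** Alert` header are skipped rather than raising, so a partially written last record at the end of a live log does not abort the whole parse.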
