Vulnerability Detector - Oracle Linux Server 8


JB

Dec 1, 2023, 7:02:27 AM
to Wazuh | Mailing List
Good afternoon team,

I hope the week is going well. :)
I have a question about the vulnerability detector. I notice that the Oracle Linux Server 7 scans are performed, but on version 8 they are not.

Does anyone know the cause? Should I upgrade to version 4.7 of Wazuh to perform the scans? I provide the configuration I have and the links to review the information.

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os allow="Oracle Linux-7">7</os>
      <os allow="Oracle Linux-6">6</os>
      <os allow="Oracle Linux-8">8</os>
      <update_interval>1h</update_interval>
    </provider>

Link
Scanning unsupported systems - Vulnerability detection (wazuh.com)

Thanks in advance

Daniel Sappa

Dec 3, 2023, 8:00:36 AM
to Wazuh | Mailing List
Hi JB!

I was reviewing reports and it seems there should be no problems. Next week I will consult with the rest of the team.

In the meantime, could you check the logs for any messages that give us a clue about this?

Regarding updating, it is always a good idea to have the Wazuh installation updated to the latest version.

JB

Dec 4, 2023, 6:41:26 AM
to Wazuh | Mailing List
Thank you for your response, Daniel!! :)
In a new review I notice that the Oracle Linux Server version 7 computers also no longer show vulnerability detections :(

I use the following commands to look for possible errors, but there are none:
  • grep vulnerability-detector: /var/ossec/logs/ossec.log
  • systemctl status wazuh-manager

I also use the following query to check the OS:
  • sqlite3 /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = [agent number];"
Result --> Oracle Linux Server|7

Do I have to change anything in the following configuration?

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os allow="Oracle Linux-7">7</os>
      <os allow="Oracle Linux-6">6</os>
      <os allow="Oracle Linux-8">8</os>
      <update_interval>1h</update_interval>
    </provider>

Link
Scanning unsupported systems - Vulnerability detection (wazuh.com)

Thanks in advance

Daniel Sappa

Dec 4, 2023, 9:16:47 AM
to Wazuh | Mailing List
Well, this makes more sense!

The thing is that Oracle Linux is not an officially supported OS.

You can, as you have been doing, try to use Scanning unsupported systems, but it is not guaranteed to work correctly.

JB

Dec 4, 2023, 10:24:49 AM
to Wazuh | Mailing List
Hello Daniel again,

In my last message I did not explain myself well. Here is more context:
3 days ago the following configuration was put in the ossec.conf file.

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os allow="Oracle Linux-7">7</os>
      <os allow="Oracle Linux-6">6</os>
      <os allow="Oracle Linux-8">8</os>
      <update_interval>1h</update_interval>
    </provider>

The vulnerability detector worked for the Oracle Linux Server 7.9 version but not for later versions.
Today I have noticed that vulnerability detection has stopped on the Oracle Linux Server 7.9 agents, and I do not understand the cause, since the configuration has not been changed again and no errors appear in this regard.

In summary, the vulnerability detector detected the 7.9 version 3 days ago but not 8.8. And today it does not detect anything.

Is there any solution to this?

Thanks in advance

Daniel Sappa

Dec 14, 2023, 7:55:51 AM
to Wazuh | Mailing List
As I mentioned previously, the behavior may not be as expected because it is not an officially supported OS.

However, you can try to obtain some more information about what is happening. For this, you can enable the wazuh-modulesd debug log by adding the following to the file /var/ossec/etc/local_internal_options.conf:

wazuh_modules.debug=2

or by simply modifying the corresponding line in the /var/ossec/etc/internal_options.conf file.

After restarting the manager, extra log output will be generated that can clarify what is happening.

JB

Dec 14, 2023, 8:42:07 AM
to Wazuh | Mailing List
Hi Daniel,

Thanks for the indication. This is the log output I can provide:

2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:1005 at wm_vuldet_add_allow_os(): DEBUG: 'Oracle Linux-8' successfully added to the monitored OS list.
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 3600s | Path: '/home/ubuntu/cve_oracle/rhel-8-including-unpatched.oval.xml.bz2' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:409 at wm_vuldet_set_feed_version(): DEBUG: Duplicate OVAL configuration for 'redhat 8'
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:1005 at wm_vuldet_add_allow_os(): DEBUG: 'CentOS Linux-8' successfully added to the monitored OS list.
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:1005 at wm_vuldet_add_allow_os(): DEBUG: 'CentOS Linux-7' successfully added to the monitored OS list.
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (7) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:409 at wm_vuldet_set_feed_version(): DEBUG: Duplicate OVAL configuration for 'redhat 8'
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:1005 at wm_vuldet_add_allow_os(): DEBUG: 'RedHat-8' successfully added to the monitored OS list.
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:409 at wm_vuldet_set_feed_version(): DEBUG: Duplicate OVAL configuration for 'redhat 7'
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:1005 at wm_vuldet_add_allow_os(): DEBUG: 'RedHat-7' successfully added to the monitored OS list.
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (7) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:409 at wm_vuldet_set_feed_version(): DEBUG: Duplicate OVAL configuration for 'redhat 8'
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 3600s | Path: 'none' | Url: '/home/ubuntu/cve_oracle/rhel-8-including-unpatched.oval.xml.bz2' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:753 at wm_vuldet_read_provider(): DEBUG: Added jredhat feed. Interval: 3600s | Multi path: '/home/ubuntu/rh-feed/redhat-feed[[:digit:]]\+\.json$' | Multi url: 'none' | Update since: 1999 | Timeout: 300s


ossec.conf
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os allow="Oracle Linux-8" path="/home/ubuntu/cve_oracle/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <path>/home/ubuntu/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
      <os allow="CentOS Linux-8">8</os>
      <os allow="CentOS Linux-7">7</os>
      <os allow="RedHat-8">8</os>
      <os allow="RedHat-7">7</os>
      <update_interval>1h</update_interval>
    </provider>


Any details to consider, please?

Thanks in advance

Daniel Sappa

Dec 15, 2023, 9:12:42 AM
to Wazuh | Mailing List
I'm realizing that the configuration you are using is not entirely correct.

Please note that both CentOS and RedHat are supported OSes, therefore they should not be added to this list; in fact, this causes the previous configurations to be overwritten.

In this case, only the reference to Oracle 8 should exist.

Furthermore, in the case of Oracle 8, the use of the path could be affecting CentOS and RedHat if this file does not comply with the standard, so you must be sure that this file is valid.

Finally, I remind you that Oracle 8 is not a supported OS, and optimal behavior is not guaranteed.

JB

Dec 27, 2023, 5:09:24 AM
to Wazuh | Mailing List
Good morning Daniel,

Thank you very much for the information. This problem is now solved. Great!

But I have another related question. For Ubuntu systems (jammy), is there any special configuration to be done? With <os>jammy</os> it doesn't work.
If it is done by local path, how do I update the file?

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os path="/home/ubuntu/com.ubuntu.focal.cve.oval.xml.bz2">jammy</os>
      <update_interval>1h</update_interval>
    </provider>

Thanks in advance :) and merry Christmas


JB

Dec 27, 2023, 6:32:32 AM
to Wazuh | Mailing List
Hi team again,

This is the real path; the previous one was an error --> <os path="/home/ubuntu/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
The following message appears in the logs. The agent is an Ubuntu 22.04.3 (jammy) --> WARNING: (5575): Unavailable vulnerability data for the agent 'xxxx' OS. Skipping it.

Any ideas to resolve this problem?

Thanks in advance
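When reading the wazuh-modulesd debug output posted earlier in this thread, the useful facts are easy to lose among the repeated lines: which feed source ended up registered for each provider version, which versions the module reported as duplicated, and which agents were skipped with warning (5575). The following is an added example, not Wazuh's own code, that extracts those three things from log text. The "Added ... feed" and "Duplicate OVAL configuration" lines are copied from the log JB posted; the (5575) line is constructed for this example with a timestamp prefix, since the post quoted only the message itself.

```python
"""Added example (not part of Wazuh): summarise vulnerability-detector
messages from wazuh-modulesd debug output of the shape posted in this
thread.

The summary lists, per (provider, version), every feed source that was
registered in order, the duplicate-configuration messages the module
itself emitted, and the agents skipped with warning (5575).
"""
import re
from collections import defaultdict

FEED_RE = re.compile(
    r"wm_vuldet_read_provider\(\): DEBUG: Added (?P<provider>\w+) "
    r"\((?P<version>\w+)\) feed\. Interval: (?P<interval>\d+)s "
    r"\| Path: '(?P<path>[^']*)' \| Url: '(?P<url>[^']*)'")
DUP_RE = re.compile(
    r"Duplicate OVAL configuration for '(?P<provider>\w+) (?P<version>\w+)'")
SKIP_RE = re.compile(
    r"WARNING: \(5575\): Unavailable vulnerability data for the agent "
    r"'(?P<agent>[^']+)' OS")

# Constructed sample: the first four lines are from the thread's posted
# log; the last line is a constructed (5575) warning with a made-up prefix.
SAMPLE_LOG = """\
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 3600s | Path: '/home/ubuntu/cve_oracle/rhel-8-including-unpatched.oval.xml.bz2' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:409 at wm_vuldet_set_feed_version(): DEBUG: Duplicate OVAL configuration for 'redhat 8'
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
2023/12/14 14:28:36 wazuh-modulesd[179127] wmodules-vuln-detector.c:695 at wm_vuldet_read_provider(): DEBUG: Added redhat (7) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
2023/12/27 12:30:00 wazuh-modulesd[179127] WARNING: (5575): Unavailable vulnerability data for the agent 'xxxx' OS. Skipping it.
"""


def summarize_vuldet_log(text):
    """Parse log text and return a dict with feeds, duplicates and skipped agents."""
    feeds = defaultdict(list)   # (provider, version) -> [source, ...] in log order
    duplicates = []             # (provider, version) pairs the module flagged
    skipped_agents = []         # agent ids from warning (5575)
    for line in text.splitlines():
        m = FEED_RE.search(line)
        if m:
            # A feed comes from a local path, a URL, or the built-in default
            # when both are 'none'.
            source = m.group("path") if m.group("path") != "none" else m.group("url")
            feeds[(m.group("provider"), m.group("version"))].append(source)
            continue
        m = DUP_RE.search(line)
        if m:
            duplicates.append((m.group("provider"), m.group("version")))
            continue
        m = SKIP_RE.search(line)
        if m:
            skipped_agents.append(m.group("agent"))
    return {
        "feeds": dict(feeds),
        "duplicates": duplicates,
        # Versions registered more than once: the last source listed wins.
        "multiply_defined": sorted(k for k, v in feeds.items() if len(v) > 1),
        "skipped_agents": skipped_agents,
    }


if __name__ == "__main__":
    summary = summarize_vuldet_log(SAMPLE_LOG)
    for key, sources in summary["feeds"].items():
        print(key, "->", sources)
    print("duplicates reported by module:", summary["duplicates"])
    print("multiply defined:", summary["multiply_defined"])
    print("agents skipped (5575):", summary["skipped_agents"])
```

On a manager with `wazuh_modules.debug=2` set, feed it `open("/var/ossec/logs/ossec.log").read()`; a version that appears in `multiply_defined` with a local path followed by `'none'` is exactly the overwrite Daniel describes, and an agent in `skipped_agents` has an OS for which no feed was registered at all.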

JB

Jan 8, 2024, 11:00:32 AM
to Wazuh | Mailing List
Good evening and happy new year!!

Do you have any update on the subject, please?


Thanks in advance

JB

Jan 23, 2024, 6:23:11 AM
to Wazuh | Mailing List
Solved. Thanks for your time :)