SCA checks for AlmaLinux|RockyLinux


Davide Bozzelli

Oct 20, 2021, 12:51:13 PM
to Wazuh mailing list
Hi 

On those OSes the scan checks (centos8|rhel8) do not work.
What is the best way to configure it?

Thx 

--
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT

Jose Cruz Lopez

Oct 21, 2021, 2:44:19 AM
to Wazuh mailing list
Hello,

We are aware that some of our SCA checks are outdated and some of the checks can contain failures; we're working on fixing them as soon as possible. You can track the changes in this issue: https://github.com/wazuh/wazuh/issues/9694
As you can see in this issue, the RHEL8 SCA has been updated recently. To change the SCA in your agent, go to /var/ossec/ruleset/sca/, remove the one that appears there and add the updated one with the same name. After this, restart the agent and the new SCA should be running.

The way to update the SCA policies is to head to https://www.cisecurity.org/cis-benchmarks/ and find the one you want to update; we just go check by check and add it to the file. We know this process can be a bit difficult, so if you want to open an issue regarding this we will give it more priority than if no one requires it. If you choose to open the issue we'll be very thankful if you add the threatintell label and indicate the checks that fail.

Thank you for your feedback!
If you have any further questions, please do not hesitate to ask!
Best regards.

buzz...@gmail.com

Oct 21, 2021, 10:41:15 AM
to Wazuh mailing list
Hi 

The strange thing is that the policy is being loaded and then skipped:
2021/10/21 16:40:40 sca: INFO: Module started.
2021/10/21 16:40:40 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_centos8_linux.yml'
2021/10/21 16:40:40 sca: INFO: Starting Security Configuration Assessment scan.
2021/10/21 16:40:40 wazuh-modulesd:syscollector: INFO: Module started.
2021/10/21 16:40:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/10/21 16:40:40 wazuh-modulesd:control: INFO: Starting control thread.
2021/10/21 16:40:40 sca: INFO: Skipping policy '/var/ossec/ruleset/sca/cis_centos8_linux.yml': 'Check Centos 8 family platform'
2021/10/21 16:40:40 sca: INFO: Security Configuration Assessment scan finished. Duration: 0 seconds.
2021/10/21 16:40:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/10/21 16:40:44 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.



Sandra Ocando

Nov 5, 2021, 6:21:20 AM
to buzz...@gmail.com, Wazuh mailing list
Hi buzzzola,

The SCA policies have requirements to determine whether the policy should run or not; if your operating system is not listed in the requirements, the policy is skipped. To run SCA on Rocky or AlmaLinux you may need to modify the policy requirements to include your operating system.

On your Wazuh agent modify /var/ossec/ruleset/sca/cis_centos8_linux.yml and include your operating system in the requirements, for example, to include AlmaLinux 8 you may add the following line in the requirements section:

requirements:
  title: "Check Centos 8 family platform"
  description: "Requirements for running the policy against CentOS 8 family."
  condition: any
  rules:
    - 'f:/etc/redhat-release -> r:^Centos && r:release 8'
    - 'f:/etc/redhat-release -> r:^AlmaLinux && r:release 8'

After modifying the policy, restart your Wazuh agent.

Let us know if you have more questions.
Best regards,
Sandra.

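What the agent does with the requirements block can be rehearsed before a policy is edited and agents restarted. The following is an added example, not the Wazuh SCA engine and not code from this thread: a small POSIX shell dry-run that parses the requirements block of a policy file and evaluates its f: rules against a release file, so the "would skip" verdict behind the agent's "Skipping policy ... 'Check Centos 8 family platform'" line can be reproduced, and a modified block can be checked against a host. Assumptions not in the thread: rules are single-quoted 'f:<file> -> r:<regex> && r:<regex>' entries (the only shape used here), r: patterns are matched with grep -E case-insensitively, and the sample /etc/redhat-release contents and the Rocky rule are constructed for the example.

```shell
#!/bin/sh
# Dry-run of an SCA policy's "requirements" block: would the agent on this host run
# the policy or log "Skipping policy ..."? Added example, not the Wazuh SCA engine.
# It only understands the rule shape used in the requirements block of this thread,
# 'f:<file> -> r:<regex>[ && r:<regex>...]', with condition any/all.
# Assumptions: rules are single-quoted as in the policy files; r: patterns are
# matched with grep -E, case-insensitively, so '^Centos' matches "CentOS ...".
set -eu

# Print the requirements block of a policy file, one item per line:
#   title <text> / condition <any|all> / rule <rule text>
parse_requirements() {
  awk '
    /^requirements:/             { inreq = 1; next }
    inreq && /^[^ \t#]/          { inreq = 0 }   # next top-level key ends the block
    inreq && /^[ \t]*title:/     { sub(/^[ \t]*title:[ \t]*/, "");     print "title " $0 }
    inreq && /^[ \t]*condition:/ { sub(/^[ \t]*condition:[ \t]*/, ""); print "condition " $0 }
    inreq && /^[ \t]*- /         { sub(/^[ \t]*- /, "");               print "rule " $0 }
  ' "$1"
}

# Evaluate one rule against $2, the file standing in for the path named after 'f:'
# (constructed samples below; /etc/redhat-release on a real host). Every r:
# pattern joined by && must match for the rule to pass.
rule_matches() {
  rule="$1"; file="$2"
  case "$rule" in
    f:*) ;;
    *) echo "unsupported rule type (only f: is emulated): $rule" >&2; return 2 ;;
  esac
  spec="${rule#*-> }"
  while [ -n "$spec" ]; do
    case "$spec" in
      *' && '*) pattern="${spec%% && *}"; spec="${spec#* && }" ;;
      *)        pattern="$spec";           spec="" ;;
    esac
    grep -Eiq -- "${pattern#r:}" "$file" || return 1
  done
  return 0
}

# Returns 0 if the policy would run on a host whose release file is $2, 1 if it
# would be skipped, and prints a verdict in the style of the agent log.
sca_policy_would_run() {
  policy="$1"; release="$2"
  q="'"; dq='"'; title=""; condition=""; hits=0; total=0
  while IFS= read -r line; do
    case "$line" in
      "title "*)     title="${line#title }"; title="${title#"$dq"}"; title="${title%"$dq"}" ;;
      "condition "*) condition="${line#condition }" ;;
      "rule "*)
        rule="${line#rule }"; rule="${rule#"$q"}"; rule="${rule%"$q"}"
        total=$((total + 1))
        if rule_matches "$rule" "$release"; then hits=$((hits + 1)); fi ;;
    esac
  done <<EOF
$(parse_requirements "$policy")
EOF
  ok=1
  case "$condition" in
    any) if [ "$hits" -gt 0 ]; then ok=0; fi ;;
    all) if [ "$total" -gt 0 ] && [ "$hits" -eq "$total" ]; then ok=0; fi ;;
    *)   echo "unknown condition '$condition' in $policy" >&2; return 2 ;;
  esac
  if [ "$ok" -eq 0 ]; then
    echo "would run:  '$policy' ($hits/$total rules matched, condition=$condition)"
  else
    echo "would skip: '$policy': '$title' ($hits/$total rules matched, condition=$condition)"
  fi
  return "$ok"
}

# Constructed sample policy: the CentOS 8 requirements block from this thread plus
# any extra rules given as arguments; the rest of the file is filler.
make_sample_policy() {
  path="$1"; shift
  {
    printf 'policy:\n  id: "sample"\n'
    printf 'requirements:\n  title: "Check Centos 8 family platform"\n  condition: any\n  rules:\n'
    printf "    - 'f:/etc/redhat-release -> r:^Centos && r:release 8'\n"
    for r in "$@"; do printf "    - '%s'\n" "$r"; done
    printf 'checks:\n  - id: 1\n'
  } > "$path"
}

demo() {
  d=$(mktemp -d)
  make_sample_policy "$d/original.yml"
  make_sample_policy "$d/modified.yml" \
    'f:/etc/redhat-release -> r:^AlmaLinux && r:release 8' \
    'f:/etc/redhat-release -> r:^Rocky && r:release 8'   # Rocky rule: this example's assumption
  # constructed /etc/redhat-release contents for the three distributions
  echo 'CentOS Linux release 8.4.2105 (Core)'    > "$d/centos"
  echo 'AlmaLinux release 8.4 (Electric Cherry)' > "$d/alma"
  echo 'Rocky Linux release 8.4 (Green Obsidian)' > "$d/rocky"
  for p in original modified; do for h in centos alma rocky; do
    sca_policy_would_run "$d/$p.yml" "$d/$h" || :
  done; done
  rm -rf "$d"
}
demo
```

On a real host, point sca_policy_would_run at the candidate policy and /etc/redhat-release; a "would skip" verdict there is exactly what the agent will log after the restart. Keep in mind that Wazuh's own regex dialect is not POSIX ERE, so this pre-check is only trustworthy for plain literal patterns like the ones above.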

Davide Bozzelli

Nov 5, 2021, 6:40:47 AM
to Sandra Ocando, Wazuh mailing list
Thx Sandra, it works perfectly !!!

Would it be better to incorporate the changes in your official releases?
If I update /var/ossec/ruleset/sca/cis_centos8_linux.yml on the manager, will it be uploaded on new agent deployments?

Thx again 

Sandra Ocando

Nov 8, 2021, 4:26:07 AM
to Wazuh mailing list
Hello!

Updating /var/ossec/ruleset/sca/cis_centos8_linux.yml on the manager will not update it on new agents. To distribute a modified version you can use centralized configuration.

To deploy the new policy file to all your affected agents copy the file to a group where the agents are included, for example, the default group:
cp /var/ossec/ruleset/sca/cis_centos8_linux.yml.disabled /var/ossec/etc/shared/default/cis_centos8_linux_modified.yml

Modify the new policy /var/ossec/etc/shared/default/cis_centos8_linux_modified.yml to include your operating systems:


requirements:
 title: "Check Centos 8 family platform"
 description: "Requirements for running the policy against CentOS 8 family."
 condition: any
 rules:
  - 'f:/etc/redhat-release -> r:^Centos && r:release 8'
  - 'f:/etc/redhat-release -> r:^AlmaLinux && r:release 8'

Make sure the file is owned by the ossec user and group so it will be distributed using the centralized configuration:
chown ossec: /var/ossec/etc/shared/default/cis_centos8_linux_modified.yml

Add the following configuration to your group's centralized configuration, for example /var/ossec/etc/shared/default/agent.conf :
    <sca>
        <policies>
            <policy>/var/ossec/etc/shared/cis_centos8_linux_modified.yml</policy>
        </policies>
    </sca>

The agents will receive the new configuration and automatically restart to apply it.

Enable sca.remote_commands to allow the execution of commands from SCA policies pushed from the manager in the shared configuration. Add sca.remote_commands=1 on each agent's /var/ossec/etc/local_internal_options.conf. For security reasons, this change has to be made locally on each agent.

Remove the old policy to avoid conflicts: rm /var/ossec/ruleset/sca/cis_centos8_linux.yml. Restart the agent so the changes can take effect.

Regarding your first question, I think it'd be a good idea to modify the official policy to include these operating systems; feel free to open an issue at https://github.com/wazuh/wazuh/issues/new/choose so our development team will consider this change.

Best regards,
Sandra.
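The manager-side steps above (copy the .disabled policy into the group's shared directory, add the requirement rules, fix ownership, reference the policy from agent.conf) can be scripted so they are repeatable across groups. The following is an added example, not Wazuh's own tooling and not from this thread. Assumptions not in the thread: the install directory is passed as an argument so the steps can be rehearsed on a scratch tree first; the owner is the "ossec" user named above (check ls -l on your manager's etc/shared); the Rocky rule mirrors the AlmaLinux one and assumes Rocky's /etc/redhat-release begins with "Rocky Linux release 8"; the constructed policy in the scratch tree contains only the requirements block from this thread.

```shell
#!/bin/sh
# Manager-side helper for the centralized-configuration steps above: copy the
# policy into a group's shared directory, add requirement rules for AlmaLinux and
# Rocky, fix ownership, and reference the policy from the group's agent.conf.
# Added example, not Wazuh's own tooling. Assumptions: the install directory is
# passed as an argument so the steps can be rehearsed on a scratch tree; shared
# files must be owned by the "ossec" user named in the thread (check `ls -l` on
# your manager's etc/shared); the Rocky rule mirrors the AlmaLinux one and
# assumes Rocky's /etc/redhat-release begins with "Rocky Linux release 8".
set -eu

# Copy src to dst and add each rule right after the first existing rule of the
# requirements block, so new items take the file's own indentation (this thread
# shows both 2- and 4-space variants). Rules already present are not re-added.
add_requirement_rules() {
  src="$1"; dst="$2"; shift 2
  cp "$src" "$dst"
  for rule in "$@"; do
    grep -Fq -- "$rule" "$dst" && continue
    awk -v rule="$rule" '
      /^requirements:/ { inreq = 1 }
      /^checks:/       { inreq = 0; want = 0 }
      { print }
      inreq && /^[ \t]*rules:/ { want = 1; next }
      want && /^[ \t]*- / {
        match($0, /^[ \t]*/)
        printf "%s- '\''%s'\''\n", substr($0, 1, RLENGTH), rule
        want = 0
      }' "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
  done
}

# Reference the policy from the group's agent.conf. Agents receive shared files
# under their own etc/shared/, so the path written is the agent-side one. An
# existing <policies> list gets one more <policy>; otherwise a whole <sca> block
# goes in before </agent_config>; a missing file is created. Idempotent.
add_sca_policy() {
  conf="$1"; agent_path="$2"
  if [ -f "$conf" ] && grep -Fq -- "<policy>$agent_path</policy>" "$conf"; then
    return 0
  fi
  if [ -f "$conf" ] && grep -q '</policies>' "$conf"; then
    awk -v p="$agent_path" '/<\/policies>/ && !done { print "      <policy>" p "</policy>"; done = 1 }
      { print }' "$conf" > "$conf.tmp"
  elif [ -f "$conf" ] && grep -q '</agent_config>' "$conf"; then
    awk -v p="$agent_path" '/<\/agent_config>/ && !done {
        print "  <sca>"; print "    <policies>"; print "      <policy>" p "</policy>"
        print "    </policies>"; print "  </sca>"; done = 1 }
      { print }' "$conf" > "$conf.tmp"
  else
    printf '<agent_config>\n  <sca>\n    <policies>\n      <policy>%s</policy>\n    </policies>\n  </sca>\n</agent_config>\n' \
      "$agent_path" > "$conf.tmp"
  fi
  mv "$conf.tmp" "$conf"
}

# $1: manager install dir (default /var/ossec), $2: agent group (default "default").
deploy_modified_policy() {
  base="${1:-/var/ossec}"; group="${2:-default}"; owner="${OSSEC_USER:-ossec}"
  shared="$base/etc/shared/$group"
  src="$base/ruleset/sca/cis_centos8_linux.yml.disabled"   # a manager keeps non-matching policies as .disabled
  [ -f "$src" ] || src="$base/ruleset/sca/cis_centos8_linux.yml"
  dst="$shared/cis_centos8_linux_modified.yml"
  mkdir -p "$shared"
  add_requirement_rules "$src" "$dst" \
    'f:/etc/redhat-release -> r:^AlmaLinux && r:release 8' \
    'f:/etc/redhat-release -> r:^Rocky && r:release 8'
  # ownership is what lets the manager distribute the file; only doable as root
  if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then chown "$owner:" "$dst"; fi
  add_sca_policy "$shared/agent.conf" "/var/ossec/etc/shared/cis_centos8_linux_modified.yml"
  echo "$dst"
}

# Scratch tree with a constructed policy (only the requirements block from this
# thread is real) and an empty agent.conf, for rehearsing before touching /var/ossec.
make_scratch_tree() {
  mkdir -p "$1/ruleset/sca" "$1/etc/shared/default"
  {
    printf 'policy:\n  id: "sample"\nrequirements:\n  title: "Check Centos 8 family platform"\n'
    printf "  condition: any\n  rules:\n    - 'f:/etc/redhat-release -> r:^Centos && r:release 8'\n"
    printf 'checks:\n  - id: 1\n'
  } > "$1/ruleset/sca/cis_centos8_linux.yml.disabled"
  printf '<agent_config>\n</agent_config>\n' > "$1/etc/shared/default/agent.conf"
}

rehearse() {
  t=$(mktemp -d)
  make_scratch_tree "$t"
  out=$(deploy_modified_policy "$t" default)
  cat "$out" "$t/etc/shared/default/agent.conf"
  rm -rf "$t"
}
rehearse   # on the manager, as root, run instead: deploy_modified_policy /var/ossec default
```

Two things the script cannot do for you, both from the answer above: sca.remote_commands=1 has to be set in local_internal_options.conf on each agent by hand, and the old /var/ossec/ruleset/sca/cis_centos8_linux.yml has to be removed on the agent before the restart. Before relying on the rewritten agent.conf, run /var/ossec/bin/verify-agent-conf on the manager, since a malformed shared configuration is rejected by every agent in the group.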