scap missing info.


Marcio Costa

May 8, 2017, 10:25:24 AM5/8/17
to Wazuh mailing list

Hello team.

I don't have any logs/information about SCAP and AUDIT in the Kibana/Wazuh dashboard for the manager or the clients.

I have downloaded a new version of the file "ssg-centos-7-ds.xml", but without success.

Below are my ossec.conf and a small part of the ossec.log.

Thank you.

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>


2017/05/07 03:22:03 wazuh-modulesd:oscap: INFO: Module finished.
2017/05/07 03:22:05 wazuh-modulesd:oscap: INFO: Module started.
2017/05/07 03:22:05 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/07 03:22:05 wazuh-modulesd:oscap: WARN: Ignoring content 'ssg-centos-7-ds.xml' due to error (1).
2017/05/07 03:22:05 wazuh-modulesd:oscap: INFO: Evaluation finished.
2017/05/08 03:22:05 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/08 03:22:05 wazuh-modulesd:oscap: INFO: Evaluation finished.
2017/05/08 08:48:48 wazuh-modulesd:oscap: INFO: Module finished.
2017/05/08 08:48:50 wazuh-modulesd:oscap: INFO: Module started.
2017/05/08 08:48:50 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/08 08:48:50 wazuh-modulesd:oscap: WARN: Ignoring content 'ssg-centos-7-ds.xml' due to error (1).
2017/05/08 08:48:50 wazuh-modulesd:oscap: INFO: Evaluation finished.
2017/05/08 10:18:00 wazuh-modulesd:oscap: INFO: Module finished.
2017/05/08 10:18:02 wazuh-modulesd:oscap: INFO: Module started.
2017/05/08 10:18:02 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/08 10:18:02 wazuh-modulesd:oscap: WARN: Ignoring content 'ssg-centos-7-ds.xml' due to error (1).
2017/05/08 10:18:02 wazuh-modulesd:oscap: INFO: Evaluation finished.
2017/05/08 11:08:29 wazuh-modulesd:oscap: INFO: Module finished.
2017/05/08 11:08:30 wazuh-modulesd:oscap: INFO: Module started.
2017/05/08 11:08:30 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/08 11:08:30 wazuh-modulesd:oscap: WARN: Ignoring content 'ssg-centos-7-ds.xml' due to error (1).
2017/05/08 11:08:30 wazuh-modulesd:oscap: INFO: Evaluation finished.

[root]# ll ssg-centos-7-ds.xml
-rw-r--r--. 1 root root 8465036 Mai  8 11:08 ssg-centos-7-ds.xml

[root]# md5sum ssg-centos-7-ds.xml
f11f94e26a97377f2cf5ebaa00c2bc7d  ssg-centos-7-ds.xml

0x2a

May 8, 2017, 11:11:37 AM5/8/17
to Wazuh mailing list
Hello,

what is the output of:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss
ssg-centos-7-ds.xml

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common
ssg-centos-7-ds.xml


Is xsltproc installed?

regards,
0x2a

Marcio Costa

May 8, 2017, 3:06:55 PM5/8/17
to Wazuh mailing list
Hello! Below is the output:

[root]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss ssg-centos-7-ds.xml
This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping http://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result  pass
..
...
....
 
[root]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common ssg-centos-7-ds.xml
This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping http://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Ensure /var/log Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_log
Result  fail
.
..
...

[root]# xsltproc  -version
Using libxml 20901, libxslt 10128 and libexslt 817
xsltproc was compiled against libxml 20901, libxslt 10128 and libexslt 817
libxslt 10128 was compiled against libxml 20901
libexslt 817 was compiled against libxml 20901

Thank you.

Santiago Bassett

May 9, 2017, 2:32:14 PM5/9/17
to Marcio Costa, Wazuh mailing list
Hi Marcio, 

are you sure your system is CentOS 7 and not Red Hat or a similar distribution? Could you please check the output of

cat /etc/system-release
cat /etc/redhat-release
cat /etc/centos-release

On the other hand, where did you download the  "ssg-centos-7-ds.xml" file from?

Thanks!


Jesus Linares

May 12, 2017, 5:03:29 AM5/12/17
to Wazuh mailing list, marc...@gmail.com
Hi Marcio,

2017/05/07 03:22:05 wazuh-modulesd:oscap: WARN: Ignoring content 'ssg-centos-7-ds.xml' due to error (1).

It seems there is an issue running the ssg-centos-7-ds.xml policy. Please, run wazuh-modulesd in debug mode and share here the output:

ps aux | grep ossec
pkill wazuh-modulesd
ps aux | grep ossec
/var/ossec/bin/wazuh-modulesd -fdd

In the output you will see how the wodle calls the oscap script. Copy the command and execute it. 

Output example for wazuh-modulesd -fdd:

2017/05/12 05:01:30 wazuh-modulesd:oscap: INFO: Module started.
2017/05/12 05:01:30 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/12 05:01:30 wazuh-modulesd:oscap: DEBUG: Launching command: /var/ossec/wodles/oscap/oscap.py --xccdf ssg-rhel-7-ds.xml --profiles xccdf_org.ssgproject.content_profile_pci-dss,xccdf_org.ssgproject.content_profile_common
2017/05/12 05:01:30 wazuh-modulesd:database: INFO: Module started.
2017/05/12 05:01:30 wazuh-modulesd:oscap: WARN: Ignoring content 'ssg-rhel-7-ds.xml' due to error (1).
2017/05/12 05:01:30 wazuh-modulesd:oscap: DEBUG: OUTPUT: oscap: ERROR: OpenSCAP not installed. Details: [Errno 2] No such file or directory.

I hope it helps.
Regards.

Marcio Costa

May 12, 2017, 8:34:25 AM5/12/17
to Wazuh mailing list, marc...@gmail.com
Hello Jesus!

After installing the packages openscap-scanner + openscap on the manager and agents, I have info shown in the Wazuh dashboard.
Thanks for the reply.

# /var/ossec/bin/wazuh-modulesd -fdd
2017/05/12 09:05:38 wazuh-modulesd: INFO: Process started.
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: SHOW_MODULE_OSCAP: ----
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: Timeout: 1800
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: Policies:
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: [ssg-centos-7-ds.xml]
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO:     Profiles:
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO:         Name: xccdf_org.ssgproject.content_profile_pci-dss
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO:         Name: xccdf_org.ssgproject.content_profile_common
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: SHOW_MODULE_OSCAP: ----
2017/05/12 09:05:38 unset: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: Module started.
2017/05/12 09:05:38 wazuh-modulesd:oscap: INFO: Starting evaluation.
2017/05/12 09:05:38 wazuh-modulesd:oscap: DEBUG: Launching command: /var/ossec/wodles/oscap/oscap.py --xccdf ssg-centos-7-ds.xml --profiles xccdf_org.ssgproject.content_profile_pci-dss,xccdf_org.ssgproject.content_profile_common
2017/05/12 09:09:00 wazuh-modulesd:oscap: INFO: Evaluation finished.
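The root cause in this thread (the wodle reports "Ignoring content ... due to error (1)" because oscap.py cannot find the oscap binary) only becomes visible in debug mode. The preflight below is an added example, not part of Wazuh or of anyone's post here: it checks the same prerequisites the thread walks through (oscap on PATH, xsltproc on PATH, a readable content file, and every configured profile present in that datastream) and returns a distinct exit code for each failure. The content directory /var/ossec/wodles/oscap/content and the yum package names in the messages are assumptions.

```shell
#!/bin/sh
# Preflight for the Wazuh open-scap wodle (added example, not Wazuh's own code).
# Exit codes: 0 ok, 2 oscap missing, 3 xsltproc missing,
#             4 content file unreadable/unparseable, 5 profile not in content.
oscap_preflight() {
    content=$1
    shift
    # oscap.py shells out to the oscap scanner; without it every content
    # entry is ignored with "error (1)" at the default log level.
    command -v oscap >/dev/null 2>&1 || {
        echo "oscap not found: install openscap-scanner (assumed: yum install openscap-scanner)" >&2
        return 2
    }
    # xsltproc is used to turn the scan results into the report Wazuh ingests.
    command -v xsltproc >/dev/null 2>&1 || {
        echo "xsltproc not found: install libxslt (assumed package name)" >&2
        return 3
    }
    [ -r "$content" ] || {
        echo "content file not readable: $content" >&2
        return 4
    }
    # 'oscap info' lists the profile ids contained in the datastream.
    info=$(oscap info "$content" 2>/dev/null) || {
        echo "oscap could not parse $content" >&2
        return 4
    }
    # Each profile from the wodle's <profile> entries must exist in the file;
    # -w keeps a short id from matching a longer one that merely contains it.
    for p in "$@"; do
        printf '%s\n' "$info" | grep -qFw -- "$p" || {
            echo "profile $p not present in $content" >&2
            return 5
        }
    done
    return 0
}

# Usage mirroring the <content> block from this thread (assumed content path):
# oscap_preflight /var/ossec/wodles/oscap/content/ssg-centos-7-ds.xml \
#     xccdf_org.ssgproject.content_profile_pci-dss \
#     xccdf_org.ssgproject.content_profile_common
```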

Jesus Linares

May 12, 2017, 10:24:23 AM5/12/17
to Wazuh mailing list, marc...@gmail.com