Hi Carlos,
As moosemaimer comments, that would be the way to configure Vulnerability Detector to try to detect Rocky Linux vulnerabilities, as it is an unsupported system, as explained in the documentation:
The problem is that Vulnerability Detector only trusts the vendors we consider official (CentOS and RHEL).
So even if you allow Rocky Linux OS in the configuration, if the vendor is different from those, Wazuh will not correctly scan the vulnerability with OVAL, and will simply try to match the packages with the NVD.
In this issue, you can read much more in-depth about this issue and why it is so complex:
Issue #12437
Specifically, this comment indicates the problem of false positives:
Comment reasons
And here you can find a workaround:
Workaround
On the other hand, we do not yet have an issue to officially support the Rocky Linux OS, as their official vulnerability feed is still very limited. In the future, when they offer a better vulnerability feed, we will be able to use it as OVAL to officially support it.
If you want, you can open an issue to track the official Vulnerability Detector support for Rocky Linux.
And if you have any questions, don't hesitate to ask.