Issue with vulnerability scanner on custom SLES-15


Sergey E.

Apr 24, 2023, 12:42:36 PM
to Wazuh mailing list
Good day, team!

I have an issue with the Wazuh vulnerability scan for a custom Linux based on SLES-15.
sqlite3 /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = <AGENTID>;" gave me "Custom Linux|15"


Steps:
1) Updated the Wazuh server master and workers to 4.4.0
2) Installed Wazuh agent 4.3.3 on the custom Linux (required)
3) Added "os allow" to the suse provider

    <provider name="suse">
        <enabled>yes</enabled>
        <os allow="Custom Linux-15">15-server</os>
        <os url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
        <update_interval>1h</update_interval>
    </provider>

4) CVE updated successfully:
(5400): Starting 'SUSE Linux Enterprise Server 15' database update.
(5430): The update of the 'SUSE Linux Enterprise Server 15' feed finished successfully.

5) SCA and Inventory are working fine too, but not the vulnerability scanner: those custom servers are just ignored.

I will be grateful for any advice.

Gabriel Emanuel Valenzuela

Apr 24, 2023, 1:03:29 PM
to Wazuh mailing list
Hi Sergey! How are you?

I think the problem is that it overwrites the configuration and stays with the second option instead of taking the first one; it is possible to get the active configuration through this API request. Maybe adding the os allow next to the url in the same tag can solve the problem.
That is, the configuration to use would be:

 <provider name="suse">
<enabled>yes</enabled>
<os allow="Custom Linux-15", url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml>15-server</os>
<update_interval>1h</update_interval>
</provider>


Let me do some tests to confirm and I'll get back as fast as I can. =)

If you need anything more, please don't hesitate to ask.

We're here to help. =) 

Have a nice day!

Sergey E.

Apr 25, 2023, 10:47:52 AM
to Wazuh mailing list
Hi Gabriel, I'm fine. You?
==================================================

So, after I tried your recommendation I get an error:

(5400): Starting 'SUSE Linux Enterprise Server 15' database update.
(5500): The 'SUSE Linux Enterprise Server 15' database could not be fetched.

<provider name="suse">
    <enabled>yes</enabled>
    <os allow="Custom Linux-15" url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
    <update_interval>1h</update_interval>
</provider>

(the comma is not needed in "os allow" because of an XML format error)
===================================================
As a second check I tried adding:
<os allow="Custom Linux-15">8</os>
into the "redhat" provider and got those hosts scanned, but it's not recommended because of lots of "false positives".

Any other ideas?
Monday, April 24, 2023 at 20:03:29 UTC+3, Gabriel Emanuel Valenzuela:

Sergey E.

Apr 25, 2023, 12:47:11 PM
to Wazuh mailing list
Gabriel,
For:

(5400): Starting 'SUSE Linux Enterprise Server 15' database update.
(5500): The 'SUSE Linux Enterprise Server 15' database could not be fetched.

It was my typo in the URL link. I reconfigured everything. Will test again.
Tuesday, April 25, 2023 at 17:47:52 UTC+3, Sergey E.:

Gabriel Emanuel Valenzuela

Apr 25, 2023, 2:59:59 PM
to Wazuh mailing list
Hi Sergey! How are you?

Sorry for my typo in the XML. Let me know if using the custom URL fix solves your problem. When you try with RH the package names will not match and you will get a lot of errors (false positives).

I'm here if you need any help =)

Sergey E.

Apr 26, 2023, 6:54:53 AM
to Wazuh mailing list
Hi Gabriel,

So the problem is still the same with that new string (<os allow="Custom Linux-15" url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>)

1. CVE updated successfully.

2. But the vulnerability scanner is missing the custom OS servers; they are just ignored.

3. <os allow="Custom Linux-15">8</os> works for RH, but can't be used.
Tuesday, April 25, 2023 at 21:59:59 UTC+3, Gabriel Emanuel Valenzuela:

Gabriel Emanuel Valenzuela

Apr 26, 2023, 6:28:12 PM
to Wazuh mailing list
Hi Sergey,

Perfect, then let's see if removing the URL attribute and using the official CVE works, that is, so that the configuration looks like: <os allow="Custom Linux-15">15-server</os>

Please also check that you don't have a block that overwrites the 15-server block inside ossec.conf.

I will be testing locally; let me know if making these modifications fixes the problem. I leave you this section of the documentation in case you use the XML locally for your configuration.

Whatever you need, I'm here to help. Have a nice day.

Sergey E.

Apr 27, 2023, 6:22:44 AM
to Wazuh mailing list
Hi Gabriel,

By text:
--------------------------------
1) Perfect, then let's see if removing the URL attribute and using the official CVE works, that is, so that the configuration looks like: <os allow="Custom Linux-15">15-server</os>

Do you mean this configuration? I will test it:
<provider name="suse">
    <enabled>yes</enabled>
    <os allow="Custom Linux-15">15-server</os>
    <os url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
    <update_interval>1h</update_interval>
</provider>

I can't use another type of CVE feed because the servers don't have an internet connection.
---------------------------------
2) Please also check that you don't have a block that overwrites the 15-server block inside ossec.conf. 
I have 2 mentions of 15-server in config. Both of them are in SUSE block.

Have a nice day.

Thursday, April 27, 2023 at 01:28:12 UTC+3, Gabriel Emanuel Valenzuela:

Gabriel Emanuel Valenzuela

Apr 27, 2023, 3:14:26 PM
to Wazuh mailing list
Hi Sergey!

Perfect. Remember that if you have two configuration lines for the same OS, only the last one is kept (the earlier one is overwritten), so to make it functional you must "merge" both lines, like this:

<provider name="suse">
    <enabled>yes</enabled>
    <os allow="Custom Linux-15" url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
    <update_interval>1h</update_interval>
</provider>

Using the URL that is correct; I copied your last URL.

That should apply a configuration where you have configured the offline update (with the url attribute) in addition to making the Custom Linux-15 support functional with the allow attribute.

Besides that, for SLES15 it should always work. In case it does not work for you, please let us know and we will debug the problem to check what may be happening in that case.


Whatever you need, I'm here to help. Have a nice day.
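To make the overwrite rule described in the reply above concrete, here is an added Python check (example code, not Wazuh's own): it parses a suse provider block, reports a feed declared by two <os> entries (where, per the thread, only the last one survives), and tests whether the surviving allow attribute still matches an agent whose global.db row gives OS_NAME and OS_MAJOR. It assumes the allow token is simply "<OS_NAME>-<OS_MAJOR>" as in "Custom Linux-15", and the two sample configs are constructed from the ones quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the split configuration from the first post, allow and
# url on two separate <os> entries for the same 15-server feed.
SPLIT_CONFIG = """<provider name="suse">
  <enabled>yes</enabled>
  <os allow="Custom Linux-15">15-server</os>
  <os url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
  <update_interval>1h</update_interval>
</provider>"""

# Constructed sample: the merged form recommended in the thread, both attributes on one tag.
MERGED_CONFIG = """<provider name="suse">
  <enabled>yes</enabled>
  <os allow="Custom Linux-15" url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
  <update_interval>1h</update_interval>
</provider>"""


def effective_feeds(provider_xml):
    """Apply the last-entry-wins rule from the thread: per feed name (the <os>
    text, e.g. 15-server) keep only the last element's attributes.
    Returns (feeds, names_declared_more_than_once)."""
    root = ET.fromstring(provider_xml)
    feeds, duplicates = {}, []
    for os_el in root.findall("os"):
        feed = (os_el.text or "").strip()
        if feed in feeds:
            duplicates.append(feed)
        feeds[feed] = dict(os_el.attrib)  # replaces the earlier entry, no merge
    return feeds, duplicates

def allow_token(os_name, os_major):
    """OS_NAME and OS_MAJOR from global.db joined by '-', the form the thread
    uses ("Custom Linux|15" -> "Custom Linux-15"). Assumed, not verified."""
    return f"{os_name}-{os_major}"

def lint(provider_xml, os_name, os_major):
    """Findings for a custom OS that needs an allow entry; [] means covered."""
    feeds, duplicates = effective_feeds(provider_xml)
    findings = [f"feed {f} declared twice; only the last <os> entry survives"
                for f in duplicates]
    token = allow_token(os_name, os_major)
    # allow is read as a comma-separated list (assumption); a single value works too.
    covered = [f for f, attrs in feeds.items()
               if token in [v.strip() for v in attrs.get("allow", "").split(",")]]
    if not covered:
        findings.append(f"no surviving <os> entry allows {token!r}")
    return findings
```

Running lint on the split config reports both the duplicate feed and the lost allow entry; the merged config passes with no findings.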

Sergey E.

Apr 27, 2023, 7:30:26 PM
to Wazuh mailing list
Hi Gabriel,
If you return to one of my messages from 3 days ago, you can see that I've already tried the "one string" method.

"So the problem is still the same with that new string (<os allow="Custom Linux-15" url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml" >15-server</os>)

1. CVE updated successfully.

2. But vulnerability scanners are missing custom OS servers, they are just ignored."

Thursday, April 27, 2023 at 22:14:26 UTC+3, Gabriel Emanuel Valenzuela:

Gabriel Emanuel Valenzuela

Apr 28, 2023, 12:18:45 PM
to Wazuh mailing list
Hi Sergey,

I apologize for my settings that did not work. Let me do some research to check for a problem on our end and I will get back with news as soon as I can.


Whatever you need, I'm here to help. Have a nice day.

Sergey E.

Apr 28, 2023, 12:22:40 PM
to Wazuh mailing list
Hi Gabriel,

1) In addition, the agent info:
[attachment: photo_2023-04-28_18-58-32.jpg]

And here is the log filtered by agent ID (no info):
[attachment: Screenshot_1.png]

2) Used this config:
<provider name="suse">
    <enabled>yes</enabled>
    <os allow="Custom Linux-15" url="https://cvefeed.local/suse/suse.linux.enterprise.server.15.xml">15-server</os>
    <update_interval>1h</update_interval>
</provider>


3) Inventory data for this host collected correctly (564 packages).

4) The SUSE provider was added in Wazuh 4.4, not so long ago. Maybe it has some trouble with custom OSes.

Friday, April 28, 2023 at 02:30:26 UTC+3, Sergey E.:

Gabriel Emanuel Valenzuela

May 8, 2023, 7:43:58 AM
to Wazuh mailing list
Hi Sergey! How are you?

First of all, thank you very much for informing us. After an investigation using a test manager and comparing the os allow behavior inside a SUSE OS and outside a SUSE OS, we have realized that the configuration to include unsupported systems in SUSE systems is not working correctly.

We have created an issue: "Vulnerability Detector not include unsupported systems in SUSE" #16976

And we are working on a fix, which can be found in this branch in case it is of interest to you.

We are reviewing and testing to merge this PR fix as soon as possible.

Again, thank you very much; thanks to the contributions of the community, Wazuh improves day by day.

Have a great week, and if you have any questions I am at your disposal.  =)

Sergey E.

May 10, 2023, 12:47:53 PM
to Wazuh mailing list
Thank you, Gabriel. I will follow the links you provided.

Monday, May 8, 2023 at 14:43:58 UTC+3, Gabriel Emanuel Valenzuela:

Sergey E.

Jul 12, 2023, 7:33:35 AM
to Wazuh mailing list
Hi Gabriel,

As far as I understand, this problem will not be fixed?
Wednesday, May 10, 2023 at 19:47:53 UTC+3, Sergey E.:

Gabriel Emanuel Valenzuela

Jul 12, 2023, 9:17:26 AM
to Wazuh mailing list
Hi Sergey! How are you?

This issue is open and pending to merge soon in Wazuh, here is the pull request =) https://github.com/wazuh/wazuh/pull/16978

Unfortunately I don't have the exact release date, but it will probably be very soon.

Best, 
Gabriel

Sergey E.

Jul 12, 2023, 9:38:31 AM
to Wazuh mailing list
I'm fine, hope you are too.

Thank you for the answer. The issue on GitHub was closed as "not planned", and that confused me.

Wednesday, July 12, 2023 at 16:17:26 UTC+3, Gabriel Emanuel Valenzuela: