wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Scan vulnerabilities on unsupported systems: Discarded package 'xxx' from a third-party('xxx') for agent 'xxx' #12437

Open hustliyilin opened 2 years ago

hustliyilin commented 2 years ago
| Wazuh version | Component | Install type | Install method | Platform |
| --- | --- | --- | --- | --- |
| master | Vulnerability detection | Manager | Packages/Sources | Oracle Linux, Aliyun Linux, etc. |

At present, there are many OSs compatible with Redhat, such as Oracle Linux, Aliyun Linux, etc. Wazuh provides a user manual, Scan vulnerabilities on unsupported systems, to support scanning these systems with Redhat CVE feeds. However, when executed on these unsupported OSs (Oracle Linux, Aliyun Linux, etc.), the log Discarded package 'xxx' from a third-party('xxx') for agent 'xxx' will be found.

    Discarded package 'xxx' from a third-party('xxx') for agent 'xxx'

After analysis, it is found that in the function wm_vuldet_linux_oval_vulnerabilities, the following code is executed to determine whether these packages' vendors are Redhat or CentOS.

        // We discard the package if its vendor is a external vendor.
        if (agents_it->dist == FEED_REDHAT && vendor && wm_vuldet_compare_vendors(vendor)) {
            mtdebug2(WM_VULNDETECTOR_LOGTAG, VU_PACKAGE_TP_SOURCE, package, vendor, scan_ctx->agent_id);
            continue;
        }

As far as I know, although Oracle Linux and Aliyun Linux are compatible with Redhat, they will also modify the vendors of the packages (no longer Redhat or CentOS). Therefore, if this judgment condition is not met, the subsequent wm_checks_package_vulnerability function can't be executed, so it is impossible to obtain the correct test results.

May I ask whether the judgment here is necessary? Do package vendors for these unsupported systems need to be manually added to the vu_vendor_list_redhat list?

const char *vu_vendor_list_redhat[] = {
    "Red Hat, Inc.",
    "CentOS"
};

I would be very grateful if you could give some answers. Thanks a lot.

MarcelKemp commented 2 years ago

Hi @hustliyilin,

As you say, there are other OSs that are compatible with RedHat; however, we must make sure that when adding such a vendor, no false positive is generated for any of the currently supported systems, nor for the new one to be added. So it would be necessary to perform a previous investigation to check that it correctly reports the vulnerabilities of RHEL's OVAL and that it does not affect any of the currently supported OSs.

PR where such a restriction was introduced to avoid false positives: https://github.com/wazuh/wazuh/pull/6611

And an example where false positives appeared in the issue: https://github.com/wazuh/wazuh/issues/6435

Still, even if vulnerabilities are discarded by OVAL, the NVD should normally match the different vulnerabilities for that package and check if the system is vulnerable or not.

Currently, I haven't found any workaround to avoid discarding vulnerabilities without modifying the source code, but if I find a possible workaround, I'll let you know.

And yes, if you want to test those OSes for OVAL vulnerabilities, then it would be necessary to add the exact vendor's name to the list and update Wazuh after it is compiled. Update by sources.

I hope this helps, and if you have any questions, don't hesitate to ask.

hustliyilin commented 2 years ago

Hi @MarcelKemp,

Thank you very much for your reply. I learned that these unsupported OSs can be supported through os allow in /var/ossec/etc/ossec.conf. Taking the Redhat-compatible OSs as an example, with the following configuration I can use Redhat's OVALs to scan the CVE vulnerabilities of Alibaba Cloud Linux and Anolis OS.

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os path="/root/Redhat-cve-feeds/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
      <os path="/root/Redhat-cve-feeds/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os allow="Alibaba Cloud Linux-2,Anolis OS-7" path="/root/Redhat-cve-feeds/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os allow="Alibaba Cloud Linux-3,Anolis OS-8" path="/root/Redhat-cve-feeds/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <path>/root/Redhat-cve-feeds/redhat-feed.*json$</path>
      <update_interval>1h</update_interval>
    </provider>

But because

And these package vendors are not in vu_vendor_list_redhat, so it will skip the Redhat OVAL check during the CVE scan (only scanning the NVD CVE feeds).

I rebuilt wazuh manually with the following modifications as you suggested; the test results are more accurate and have no effect on the existing CentOS and Redhat CVE scan results.

const char *vu_vendor_list_redhat[] = {
    "Red Hat, Inc.",
    "CentOS",
    // Alibaba
    "Alibaba",
    "Alibaba Cloud",
    "Koji",
    // Open Anolis
    "OpenAnolis Community"
};

If the os allow field is supported and configured in the /var/ossec/etc/ossec.conf file, it indicates that the user wants to scan CVEs of these unsupported OSs with Redhat's OVAL CVE feeds. Therefore, the case of os allow should be considered in the source code of wazuh, instead of letting developers manually modify the vu_vendor_list_redhat above. Thanks again for your reply.

MarcelKemp commented 2 years ago

Hi again @hustliyilin,

Sorry for the delay, and thank you very much for all the information provided.

As you point out, if you add an OS through the allow field and also add the vendors of the package to the vu_vendor_list_redhat[] array, then after recompiling and manually installing Wazuh you can match the vulnerabilities of the RHEL OVAL to avoid many false positives in these unsupported OSs.

Therefore, as soon as possible, we will take up the issue with a solution to this problem to be implemented by the team, such as the following:

This solution will probably be another field to add in the <os> configuration next to allow= in order to add an array of package vendors and add them to the RHEL OVAL exception next to the package vendors officially supported by Wazuh (vu_vendor_list_redhat[]).

As soon as the fix is available, I will let you know, so you can see the progress of the development.

If you want to contribute any ideas for the solution, it will be welcome. And if you have any questions about it, don't hesitate to ask.

hustliyilin commented 2 years ago

> Hi again @hustliyilin,
>
> Sorry for the delay, and thank you very much for all the information provided.
>
> As you point out, if you add an OS through the allow field and also add the vendors of the package to the vu_vendor_list_redhat[] array, then after recompiling and manually installing Wazuh you can match the vulnerabilities of the RHEL OVAL to avoid many false positives in these unsupported OS.
>
> Therefore, as soon as possible, I will create an issue proposing a solution to this problem to be implemented by the team.
>
> This solution will probably be another field to add in the <os> configuration next to allow= in order to add an array of package vendors and add them to the RHEL OVAL exception next to the package vendors officially supported by Wazuh (vu_vendor_list_redhat[]).
>
> As soon as I open the issue, I will let you know, so you can see the progress of the development.
>
> If you want to contribute any ideas for the solution, it will be welcome. And if you have any questions about it, don't hesitate to ask.

Hi @MarcelKemp,

Thanks for your reply. The solution you provided looks good to me.

I will also pay attention to the progress of the development of this issue. In addition, I am willing to contribute to the wazuh community, such as testing, reporting bugs, and submitting patches.

Thanks again.

hustliyilin commented 2 years ago


Hi again @MarcelKemp,

Thanks for your solution to this problem. Now, I have initiated a PR (#13060) based on the previously discussed solution to this problem. And my configuration in ossec.conf is the following:

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os path="/root/Redhat-cve-feeds/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
      <os path="/root/Redhat-cve-feeds/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os allow="Alibaba Cloud Linux-2,Anolis OS-7" path="/root/Redhat-cve-feeds/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os allow="Alibaba Cloud Linux-3,Anolis OS-8" path="/root/Redhat-cve-feeds/rhel-8-including-unpatched.oval.xml.bz2" allow_package_vendors="Alibaba,Alibaba Cloud,Koji,OpenAnolis">8</os>
      <path>/root/Redhat-cve-feeds/redhat-feed.*json$</path>
      <update_interval>1h</update_interval>
    </provider>

I tested OK on my OS (Alibaba Cloud Linux 3).


I would be very grateful if you could give some reviews. Thanks again, I look forward to your reply.
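To make the mechanism discussed in this thread concrete (the third-party vendor discard in the snippet quoted in the first post, the hand-edited vu_vendor_list_redhat that followed it, and the allow_package_vendors attribute shown in the configuration above), here is an added example that models the decision in C. It is not Wazuh's code and not the PR's code: the structures and functions (os_entry, split_csv, os_allowed, vendor_accepted, decide, demo) are hypothetical, the sample configuration is constructed from the <os> entries posted in this thread, and matching allow= tokens as "<OS name>-<major version>" is an assumption based on the values shown here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Wazuh's source. It models the decision discussed in
 * this issue: which packages of an allow-mapped OS reach the RHEL OVAL check.
 * All names below (os_entry, split_csv, decide, demo, ...) are hypothetical. */

#define MAX_ITEMS 16
#define ITEM_LEN  64

/* Built-in vendors quoted in the issue (vu_vendor_list_redhat). */
static const char *builtin_redhat_vendors[] = { "Red Hat, Inc.", "CentOS" };

/* One <os allow="..." allow_package_vendors="...">N</os> entry. */
typedef struct {
    int major;                               /* feed major version, e.g. 8 */
    char allow_os[MAX_ITEMS][ITEM_LEN];      /* "<OS name>-<major>" tokens */
    int n_allow_os;
    char allow_vendors[MAX_ITEMS][ITEM_LEN]; /* extra accepted package vendors */
    int n_allow_vendors;
} os_entry;

/* Split a comma-separated attribute value into fixed-size slots; returns the count. */
static int split_csv(const char *csv, char out[][ITEM_LEN], int max) {
    int n = 0;
    const char *p = csv;
    while (p && *p && n < max) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len >= ITEM_LEN) len = ITEM_LEN - 1;
        memcpy(out[n], p, len);
        out[n][len] = '\0';
        n++;
        p = comma ? comma + 1 : NULL;
    }
    return n;
}

static os_entry make_os_entry(int major, const char *allow_os_csv, const char *vendors_csv) {
    os_entry e;
    memset(&e, 0, sizeof e);
    e.major = major;
    e.n_allow_os = split_csv(allow_os_csv, e.allow_os, MAX_ITEMS);
    e.n_allow_vendors = split_csv(vendors_csv, e.allow_vendors, MAX_ITEMS);
    return e;
}

/* Assumption: allow= tokens are matched as "<OS name>-<major version>". */
static bool os_allowed(const os_entry *e, const char *os_name, int os_major) {
    char token[ITEM_LEN + 16];
    snprintf(token, sizeof token, "%s-%d", os_name, os_major);
    for (int i = 0; i < e->n_allow_os; i++)
        if (strcmp(e->allow_os[i], token) == 0) return true;
    return false;
}

/* Mirrors the quoted discard check: with a known vendor, the package is kept
 * for the OVAL check only if the vendor is built-in or in allow_package_vendors. */
static bool vendor_accepted(const os_entry *e, const char *vendor) {
    if (!vendor) return true; /* the quoted check only discards when a vendor is set */
    for (size_t i = 0; i < sizeof builtin_redhat_vendors / sizeof *builtin_redhat_vendors; i++)
        if (strcmp(builtin_redhat_vendors[i], vendor) == 0) return true;
    for (int i = 0; i < e->n_allow_vendors; i++)
        if (strcmp(e->allow_vendors[i], vendor) == 0) return true;
    return false;
}

enum { SCAN_OVAL = 0, DISCARD_THIRD_PARTY = 1, UNSUPPORTED_OS = 2 };

static int decide(const os_entry *entries, int n, const char *os_name, int os_major, const char *vendor) {
    for (int i = 0; i < n; i++)
        if (os_allowed(&entries[i], os_name, os_major))
            return vendor_accepted(&entries[i], vendor) ? SCAN_OVAL : DISCARD_THIRD_PARTY;
    return UNSUPPORTED_OS; /* no allow token matched this agent's OS */
}

/* Constructed configuration taken from the <os> entries posted in this thread:
 * the RHEL 7 entry has no allow_package_vendors, the RHEL 8 entry does. */
int demo(const char *os_name, int os_major, const char *vendor) {
    os_entry entries[2];
    entries[0] = make_os_entry(7, "Alibaba Cloud Linux-2,Anolis OS-7", "");
    entries[1] = make_os_entry(8, "Alibaba Cloud Linux-3,Anolis OS-8", "Alibaba,Alibaba Cloud,Koji,OpenAnolis");
    return decide(entries, 2, os_name, os_major, vendor);
}

int main(void) {
    static const char *labels[] = { "scan with RHEL OVAL", "discarded as third-party", "unsupported OS" };
    /* Constructed sample agents; "Example Vendor" is a made-up vendor string. */
    struct { const char *os; int major; const char *vendor; } cases[] = {
        { "Alibaba Cloud Linux", 3, "Alibaba Cloud" },
        { "Alibaba Cloud Linux", 2, "Alibaba Cloud" },
        { "Anolis OS", 8, "Red Hat, Inc." },
        { "Alibaba Cloud Linux", 3, "Example Vendor" },
        { "Oracle Linux Server", 9, "Example Vendor" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++)
        printf("%-20s %d  vendor=%-15s -> %s\n", cases[i].os, cases[i].major,
               cases[i].vendor, labels[demo(cases[i].os, cases[i].major, cases[i].vendor)]);
    return 0;
}
```

The constructed cases show the three outcomes side by side: the same "Alibaba Cloud" package is kept for the OVAL check on an agent mapped to the RHEL 8 entry but still discarded on one mapped to the RHEL 7 entry, which has no allow_package_vendors (the gap the first post describes), and an OS that matches no allow token never reaches the vendor check at all.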

hustliyilin commented 2 years ago

Hi @MarcelKemp ,

It has been a long time since your last reply, and now I have submitted the codes to solve this problem according to the discussed solution. This patch may be very important for OSs that Wazuh doesn't support (such as Alibaba Cloud Linux, etc.). I would be very grateful if you could give some reviews.

Thanks again, I look forward to your reply.

MarcelKemp commented 2 years ago

Hi @hustliyilin,

Thank you very much for your contribution! Your work is really appreciated.

I'm going to review the code and let you know some of the changes needed to merge it into the master branch.

Although in advance, as I have been able to quickly observe, at least a couple of things would be needed:

If you have any doubt about any point, just ask. When I review the code, I'll let you know about more necessary changes.

And again, thanks to you!

PS: Sorry for the delay

hustliyilin commented 2 years ago

Hi @MarcelKemp ,

Thank you very much for your review. At present, I have completed the modification and added the unit tests. And the results of unit tests look ok as shown in the following figure.

(figure: screenshot of the unit test results; image not included)

I would be very grateful if you could give some reviews again. Thanks again, I look forward to your reply.

hustliyilin commented 2 years ago

Hi @MarcelKemp ,

It has been a long time since your last reply. I would be very grateful if you could give more reviews again. Thanks again @MarcelKemp , I look forward to your reply.

lbethancourt-quantic commented 1 year ago

@hustliyilin @MarcelKemp Is there any update on this? It seems like a pretty fair solution for users who are willing to force-scan the vulnerabilities of a RedHat-based OS (like Oracle Linux in my case). Can I expect this to come in any future Wazuh official release?

kbensch commented 6 months ago

Good morning. I am aware this is some months later, but I am still unable to scan Oracle Linux Server. I currently have this code in the ossec.conf file:

    <provider name="redhat">
      <enabled>yes</enabled>
      <os allow="Oracle Linux Server-5" path="/opt/oval-data/rhel-5-including-unpatched.oval.xml.bz2">5</os>
      <os allow="Oracle Linux Server-6" path="/opt/oval-data/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os allow="Oracle Linux Server-7" path="/opt/oval-data/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os allow="Oracle Linux Server-8" path="/opt/oval-data/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <os allow="Oracle Linux Server-9" path="/opt/oval-data/rhel-9-including-unpatched.oval.xml.bz2">9</os>
      <update_interval>1h</update_interval>
    </provider>

#    <!-- RedHat OS vulnerabilities -->
#    <provider name="redhat">
#      <enabled>yes</enabled>
#      <os>5</os>
#      <os>6</os>
#      <os>7</os>
#      <os>8</os>
#      <os>9</os>
#      <update_interval>1h</update_interval>
#    </provider>

I have also tried various different permutations of this and am still unsuccessful. I get the following in the logs:

    {
      "timestamp": "2024/04/25 09:47:57",
      "tag": "wazuh-modulesd:vulnerability-detector",
      "pid": 199033,
      "file": "wm_vuln_detector.c",
      "line": 6271,
      "routine": "wm_vuldet_collect_agents_to_scan",
      "level": "debug",
      "description": "(5485): Agent '007' has an unsupported OS: 'Oracle Linux Server'"
    }

Some help would be very much appreciated. I am sure there is something I am missing. Just cannot find it.

Thank you, Kobus