Open hustliyilin opened 2 years ago
Hi @hustliyilin,
As you say, there are other OSs that are compatible with RedHat, however we must make sure that when adding such a vendor, no false positive is generated for any of the currently supported systems, nor for the new one to be added.
So it would be necessary to perform a previous investigation to check that it correctly reports the vulnerabilities of RHEL's OVAL and that it does not affect any of the currently supported OSs.
PR where such a restriction was introduced to avoid false positives: https://github.com/wazuh/wazuh/pull/6611
And an example where false positives appeared in the issue: https://github.com/wazuh/wazuh/issues/6435
Still, even if vulnerabilities are discarded by OVAL, the NVD should normally match the different vulnerabilities for that package and check if the system is vulnerable or not.
Currently, I haven't found any workaround to avoid discarding vulnerabilities without modifying the source code, but if I find a possible workaround, I'll let you know.
And yes, if you want to test those OSes for OVAL vulnerabilities, then it would be necessary to add the exact vendor's name to the list and update Wazuh after it is compiled. Update by sources.
I hope this helps, and if you have any questions, don't hesitate to ask.
Hi @MarcelKemp,
Thank you very much for your reply. I learned that these unsupported OSs can be supported through `os allow` in the `/var/ossec/etc/ossec.conf`. Taking the Redhat compatible OSs as an example, according to the following configuration, I can use Redhat's ovals to scan the CVE vulnerabilities of Alibaba Cloud Linux and Anolis OS.
```xml
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
  <enabled>yes</enabled>
  <os path="/root/Redhat-cve-feeds/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
  <os path="/root/Redhat-cve-feeds/rhel-6-including-unpatched.oval.xml.bz2">6</os>
  <os allow="Alibaba Cloud Linux-2,Anolis OS-7" path="/root/Redhat-cve-feeds/rhel-7-including-unpatched.oval.xml.bz2">7</os>
  <os allow="Alibaba Cloud Linux-3,Anolis OS-8" path="/root/Redhat-cve-feeds/rhel-8-including-unpatched.oval.xml.bz2">8</os>
  <path>/root/Redhat-cve-feeds/redhat-feed.*json$</path>
  <update_interval>1h</update_interval>
</provider>
```
But because the package vendors of Alibaba Cloud Linux are Alibaba, Alibaba Cloud, and Koji, and the vendor of Anolis OS is OpenAnolis Community, and these package vendors are not in `vu_vendor_list_redhat`, it will skip the Redhat's OVAL checking during the CVE scanning (only scanning the NVD CVE feeds).
I rebuilt wazuh manually with the following modifications as you suggested; the test results are more accurate and have no effect on the existing CentOS and Redhat CVE scan results.
```c
const char *vu_vendor_list_redhat[] = {
    "Red Hat, Inc.",
    "CentOS",
    // Alibaba
    "Alibaba",
    "Alibaba Cloud",
    "Koji",
    // Open Anolis
    "OpenAnolis Community"
};
```
If the `os allow` field is supported and configured in the `/var/ossec/etc/ossec.conf` file, it indicates that the user wants to scan CVEs of these unsupported OSs with Redhat's oval CVE feeds. Therefore, the case of `os allow` should be considered in the source codes of wazuh, instead of letting developers manually modify the `vu_vendor_list_redhat` above. Thanks again for your reply.
Hi again @hustliyilin,
Sorry for the delay, and thank you very much for all the information provided.
As you point out, if you add an OS through the `allow` field and also add the vendors of the package to the `vu_vendor_list_redhat[]` array, then after recompiling and manually installing Wazuh you can match the vulnerabilities of the RHEL OVAL to avoid many false positives in these unsupported OS.
Therefore, as soon as possible, we will take up the issue with a solution to this problem to be implemented by the team, such as the following:
This solution will probably be another field to add in the `<os>` configuration next to `allow=` in order to add an array of package vendors and add them to the RHEL OVAL exception next to the package vendors officially supported by Wazuh (`vu_vendor_list_redhat[]`).
As soon as the fix is available, I will let you know, so you can see the progress of the development.
If you want to contribute any ideas for the solution, it will be welcome. And if you have any questions about it, don't hesitate to ask.
Hi @MarcelKemp,
Thanks for your reply. The solution you provided looks good to me.
I will also pay attention to the progress of the development of this issue. In addition, I am willing to contribute to the wazuh community, such as testing, reporting bugs, and submitting patches.
Thanks again.
Hi again @MarcelKemp,
Thanks for your solution to this problem. Now, I have initiated a PR (#13060) based on the previously discussed solution to this problem. And my configuration in `ossec.conf` is the following:
```xml
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
  <enabled>yes</enabled>
  <os path="/root/Redhat-cve-feeds/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
  <os path="/root/Redhat-cve-feeds/rhel-6-including-unpatched.oval.xml.bz2">6</os>
  <os allow="Alibaba Cloud Linux-2,Anolis OS-7" path="/root/Redhat-cve-feeds/rhel-7-including-unpatched.oval.xml.bz2">7</os>
  <os allow="Alibaba Cloud Linux-3,Anolis OS-8" path="/root/Redhat-cve-feeds/rhel-8-including-unpatched.oval.xml.bz2" allow_package_vendors="Alibaba,Alibaba Cloud,Koji,OpenAnolis">8</os>
  <path>/root/Redhat-cve-feeds/redhat-feed.*json$</path>
  <update_interval>1h</update_interval>
</provider>
```
I tested OK in my OS (Alibaba Cloud Linux 3).
I would be very grateful if you could give some reviews. Thanks again, I look forward to your reply.
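As an added illustration of the `allow_package_vendors` idea discussed in this thread (example code written for this page, not Wazuh's own implementation nor the code of PR #13060): the check keeps the built-in `vu_vendor_list_redhat` entries and extends them with the vendors parsed from the attribute, so a package is only matched against the RHEL OVAL when its vendor is either built in or explicitly allowed by the operator. The helper names `parse_allow_package_vendors`, `vendor_allowed_for_rhel_oval` and `vendor_allow_t` are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Built-in vendors accepted for the RHEL OVAL, as quoted in this thread. */
static const char *vu_vendor_list_redhat[] = { "Red Hat, Inc.", "CentOS", NULL };
#define MAX_EXTRA_VENDORS 16

/* Hypothetical per-<os> list filled from allow_package_vendors="a,b,c". */
typedef struct {
    char *vendors[MAX_EXTRA_VENDORS];
    int count;
} vendor_allow_t;

static char *dup_str(const char *s) {            /* portable strdup() */
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Split the comma-separated attribute into trimmed vendor names; returns count. */
int parse_allow_package_vendors(const char *attr, vendor_allow_t *out) {
    out->count = 0;
    if (attr == NULL) return 0;
    char *copy = dup_str(attr);
    for (char *tok = strtok(copy, ","); tok != NULL && out->count < MAX_EXTRA_VENDORS;
         tok = strtok(NULL, ",")) {
        while (*tok == ' ') tok++;                          /* trim leading blanks */
        char *end = tok + strlen(tok);
        while (end > tok && end[-1] == ' ') *--end = '\0';  /* trim trailing blanks */
        if (*tok != '\0') out->vendors[out->count++] = dup_str(tok);
    }
    free(copy);
    return out->count;
}

/* True when the package vendor may be matched against the RHEL OVAL: a built-in
 * vendor or one the operator allowed. Comparison is exact, so the attribute must
 * carry the vendor string exactly as the package metadata reports it. */
bool vendor_allowed_for_rhel_oval(const char *pkg_vendor, const vendor_allow_t *extra) {
    for (int i = 0; vu_vendor_list_redhat[i] != NULL; i++)
        if (strcmp(pkg_vendor, vu_vendor_list_redhat[i]) == 0) return true;
    for (int i = 0; extra != NULL && i < extra->count; i++)
        if (strcmp(pkg_vendor, extra->vendors[i]) == 0) return true;
    return false;
}

void free_allow_list(vendor_allow_t *l) {
    for (int i = 0; i < l->count; i++) free(l->vendors[i]);
    l->count = 0;
}
```

Because the comparison is exact, a package reporting vendor "OpenAnolis Community" is still discarded when the attribute only lists "OpenAnolis"; the attribute must carry the vendor strings exactly as the packages report them.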
Hi @MarcelKemp ,
It has been a long time since your last reply, and now I have submitted the codes to solve this problem according to the discussed solution. This patch may be very important for OSs that Wazuh doesn't support (such as Alibaba Cloud Linux, etc.). I would be very grateful if you could give some reviews.
Thanks again, I look forward to your reply.
Hi @hustliyilin,
Thank you very much for your contribution! Your work is really appreciated.
I'm going to review the code and let you know some of the changes needed to merge it into the master branch.
Although in advance, as I have been able to quickly observe, at least a couple of things would be needed:
First and foremost, as this change would really only affect the redhat provider, which is the only one that discards in the OVAL the OSs that are different from those found in the `vu_vendor_list_redhat[]` list, then it would be necessary to apply the change to affect only this provider. And ideally, it would only add a new option in the allowed configuration for this single provider.
Condition where it is observed that it only affects the RedHat provider:
https://github.com/wazuh/wazuh/blob/1adc7ed09c7cc3a3fe9e87f091d580c53e0cffce/src/wazuh_modules/vulnerability_detector/wm_vuln_detector.c#L2295
And the second one, it is necessary to cover with unit tests all the new functions created.
If you have any doubt about any point, just ask. When I review the code, I'll let you know about more necessary changes.
And again, thanks to you!
PS: Sorry for the delay
Hi @MarcelKemp ,
Thank you very much for your review. At present, I have completed the modification and added the unit tests. And the results of unit tests look ok as shown in the following figure.
I would be very grateful if you could give some reviews again. Thanks again, I look forward to your reply.
Hi @MarcelKemp ,
It has been a long time since your last reply. I would be very grateful if you could give more reviews again. Thanks again @MarcelKemp , I look forward to your reply.
@hustliyilin @MarcelKemp Is there any update on this? It seems like a pretty fair solution for users that are willing to force scanning the vulnerabilities of a RedHat based OS (like Oracle Linux in my case). Can I expect this to come in any future Wazuh official release?
Good morning, I am aware this is some months later, but I am still unable to scan Oracle Linux Server. I currently have this code in the ossec.conf file:
```xml
<provider name="redhat">
  <enabled>yes</enabled>
  <os allow="Oracle Linux Server-5" path="/opt/oval-data/rhel-5-including-unpatched.oval.xml.bz2">5</os>
  <os allow="Oracle Linux Server-6" path="/opt/oval-data/rhel-6-including-unpatched.oval.xml.bz2">6</os>
  <os allow="Oracle Linux Server-7" path="/opt/oval-data/rhel-7-including-unpatched.oval.xml.bz2">7</os>
  <os allow="Oracle Linux Server-8" path="/opt/oval-data/rhel-8-including-unpatched.oval.xml.bz2">8</os>
  <os allow="Oracle Linux Server-9" path="/opt/oval-data/rhel-9-including-unpatched.oval.xml.bz2">9</os>
  <update_interval>1h</update_interval>
</provider>
# <!-- RedHat OS vulnerabilities -->
# <provider name="redhat">
#   <enabled>yes</enabled>
#   <os>5</os>
#   <os>6</os>
#   <os>7</os>
#   <os>8</os>
#   <os>9</os>
#   <update_interval>1h</update_interval>
# </provider>
```
I have also tried various different permutations of this and am still unsuccessful. I get the following in the logs:
```json
{
  "timestamp": "2024/04/25 09:47:57",
  "tag": "wazuh-modulesd:vulnerability-detector",
  "pid": 199033,
  "file": "wm_vuln_detector.c",
  "line": 6271,
  "routine": "wm_vuldet_collect_agents_to_scan",
  "level": "debug",
  "description": "(5485): Agent '007' has an unsupported OS: 'Oracle Linux Server'"
}
```
Some help would be very much appreciated. I am sure there is something I am missing. I just cannot find it.
Thank you, Kobus
At present, there are many OS systems compatible with Redhat, such as Oracle Linux, Aliyun Linux, etc. Wazuh provides a user manual, Scan vulnerabilities on unsupported systems, to support scanning these systems with Redhat CVE feeds. However, when executed on these unsupported OS systems (Oracle Linux, Aliyun Linux, etc.), the log `Discarded package 'xxx' from a third-party('xxx') for agent 'xxx'` will be found.
After analysis, it is found that in the function `wm_vuldet_linux_oval_vulnerabilities`, the following codes will be executed to determine whether these package vendors are Redhat or CentOS.
As far as I know, although Oracle Linux and Aliyun Linux are compatible with Redhat, they will also modify the vendors of the packages (no longer Redhat or CentOS). Therefore, if this judgment condition is not met, the subsequent `wm_checks_package_vulnerability` function can't be executed, so it is impossible to obtain the correct test results.
May I ask whether the judgment here is necessary? Do package vendors for these unsupported systems need to be manually added to the `vu_vendor_list_redhat` list? I would be very grateful if you could give some answers. Thanks a lot.