【wazuh】设置漏洞扫描feed
1 利用wazuh对系统进行漏洞检测扫描Wazuh 能够使用漏洞检测器模块检测安装在代理上的应用程序中的漏洞
此软件审计是通过集成由 Canonical、Debian、Red Hat、Arch Linux、ALAS(Amazon Linux 公告安全)、Microsoft 和国家漏洞数据库索引的漏洞源来执行的。
参考官网的解读,Wazuh 有三种不同范例的扫描。
(1)基线:漏洞检测器会在您首次启用模块时触发此扫描范例。漏洞检测器会对操作系统和安装的每个软件包进行全面扫描。它会创建 CVE清单并针对每个漏洞生成警报。
(2)全面扫描full scan:漏洞检测器会扫描此扫描范例中安装的每个软件包和操作系统。它仅在设置min_full_scan_interval过期且 CVE
数据库包罗新信息时运行。因此,当漏洞清单中有任何更新/更改时,Wazuh 会生成警报。
(3)部分扫描Partial scan:漏洞检测器仅扫描新软件包。因此,当 CVE 清单有任何更新/更改时,Wazuh 会生成警报。
以是
min_full_scan_interval设置通过不频繁运行完备扫描来掩护管理器性能,尤其是当管理器收到许多漏洞源更新时。代理漏洞清单中的每个漏洞都处于三种不同的状态:
VALID:表现该漏洞仍然存在于系统中。
待定:全面扫描正在进行中,需要确认漏洞。
已过时:表现系统中不再存在该漏洞。当任何漏洞进入此状态时,漏洞检测器会生成删除警报。
PS:我在扫描结果中看漏洞的状态,并无上面几个状态,反而是data.vulnerability.status为active,solved
2 Wazuh设置
官网文档见https://documentation.wazuh.com/4.4/user-manual/capabilities/vulnerability-detection/offline-update.html#arch
2.1. agent端设置
vi /var/ossec/etc/ossec.conf
no 1h yes 2.2. server端设置
(1)设置
根据自己的操作系统范例, 开启相应的 yes块
vi /var/ossec/etc/ossec.conf 或者直接在页面编辑 managentment–>configuration
<vulnerability-detector>
<enabled>yes</enabled>
<interval>180d</interval>
<min_full_scan_interval>180d</min_full_scan_interval>
<run_on_start>no</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>yes</enabled>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
<update_interval>180d</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os path="/var/ossec/etc/scanfeeds/redhetfeed/rhel-7-including-unpatched.oval.xml.bz2">7</os>
<path>/var/ossec/etc/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
<update_interval>180d</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<path>/var/ossec/etc/scanfeeds/windowsfeed/msu-updates\.json\.gz$</path>
<update_interval>672h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<path>/var/ossec/etc/nvd-feed/nvd-feed[[:digit:]]\{4\}\.json\.gz$</path>
<update_from_year>2010</update_from_year>
<update_interval>672h</update_interval>
</provider>
</vulnerability-detector>
重新启动管理器以应用更改:
systemctl restart wazuh-manager
(2)检测是否设置乐成
查看日志
sudo tail -n 1000 /var/ossec/logs/ossec.log|grep vulnerability
sudo tail -f /var/ossec/logs/ossec.log
更新feed的设置日志如下
2024/07/24 07:42:57 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2024/07/24 07:43:25 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2024/07/24 07:43:25 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2024/07/24 07:43:30 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully.
2024/07/24 07:43:30 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2024/07/24 07:59:51 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2024/07/24 07:59:51 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2024/07/24 08:00:07 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
发现ubunt的feed加载失败,报错如下:
ERROR: (5502): Could not load the CVE OVAL for 'TRUSTY'. 'XMLERR: Attribute '?' has no value.'
解决方案参考:https://github.com/wazuh/wazuh/issues/20573
该错误是由于 Canonical 在 OVAL 开头添加了以下行而导致的,从而导致其无法正确解析 feed,将离线下载的feed解压 并删除第一行,下令如下:
mkdir custom-ubuntu-ovals-fixed
cd custom-ubuntu-ovals-fixed
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2
bzip2 -d com.ubuntu.*
sed -i '/<?xml version="1.0" ?>/d' com.ubuntu.*
然后修改feed设置文件如下,而不是bz的:
<provider name="canonical">
<enabled>yes</enabled>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.jammy.cve.oval.xml">jammy</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.focal.cve.oval.xml">focal</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.bionic.cve.oval.xml">bionic</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.xenial.cve.oval.xml">xenial</os>
<os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.trusty.cve.oval.xml">trusty</os>
<update_interval>180d</update_interval>
</provider>
然后重启管理器:systemctl restart wazuh-manager
再检查日志,可以看到更新Feed乐成。
2024/07/24 09:28:44 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Trusty' database update.
2024/07/24 09:29:10 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Trusty' feed finished successfully.
2024/07/24 09:29:10 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2024/07/24 09:29:42 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Xenial' feed finished successfully.
2024/07/24 09:29:42 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2024/07/24 09:30:25 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2024/07/24 09:31:15 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2024/07/24 09:31:15 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.
随机可以看到开始扫描的日志如下:
2024/07/24 08:00:07 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2024/07/24 08:00:17 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2024/07/24 08:00:17 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '000'
2024/07/24 08:00:17 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '001' vulnerabilities.
2024/07/24 08:00:18 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '001'
2.3 查看报告
(1)查看漏洞
查看dashboard:agent–>Vulnerabilities就可以看到扫描的漏洞报告。但是这种方式只能查看某个主机的漏洞,如果想查看全部主机的漏洞报告,可以查看discover–索引wazuh-alerts-*–》筛选 “rule.groups”: “vulnerability-detector”。或者直接使用Dev tools查看数据。
GET /wazuh-alerts-*/_search
{
"track_total_hits": true,
"query": {
"term": {
"rule.groups": "vulnerability-detector"
}
}
}
(2)导出漏洞
wazuh可以从discover中导出csv格式的漏洞,但是最高只能导出1w条,看网上参考ES的可以改设置,由于wazuh使用opensearch没找到改设置教程,因此使用脚本去导出,脚本如下:https://github.com/m01ly/wazuh/blob/main/exportvulnerability.py
(3)分析漏洞结果
查看每个主机的漏洞,通过detect time可以看到,每次增长的漏洞是增量,且通过"data.vulnerability.status"字段去判断漏洞的状态,
active:表现漏洞存在
solved:表现漏洞被修复。
如果呆板不存在了,但是漏洞仍然在,怎么搞?
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]