

[Wazuh] Configuring vulnerability scan feeds

1 Using Wazuh to run vulnerability detection scans on systems

Wazuh can detect vulnerabilities in the applications installed on its agents with the Vulnerability Detector module.
This software audit is performed by integrating vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft and the National Vulnerability Database.
According to the official documentation, Wazuh runs three different types of scan.

(1) Baseline: the Vulnerability Detector triggers this scan type the first time you enable the module. It performs a full scan of the operating system and of every installed package, builds the CVE inventory and generates an alert for each vulnerability found.
(2) Full scan: the Vulnerability Detector scans every installed package and the operating system. It runs only when the configured min_full_scan_interval has expired and the CVE database contains new information. Wazuh then generates alerts for any update or change in the vulnerability inventory.
(3) Partial scan: the Vulnerability Detector scans only newly installed packages, and generates alerts for any update or change in the CVE inventory.

So the min_full_scan_interval setting protects manager performance by keeping full scans infrequent, which matters when the manager receives many feed updates. Each vulnerability in an agent's inventory is in one of three states:
VALID: the vulnerability is still present on the system.
PENDING: a full scan is in progress and the vulnerability still has to be confirmed.
OBSOLETE: the vulnerability is no longer present on the system. When a vulnerability enters this state, the Vulnerability Detector generates a removal alert.

PS: When I look at vulnerability status in the scan results I don't see any of the states above; instead data.vulnerability.status is active or solved.

2 Wazuh configuration

Official documentation: https://documentation.wazuh.com/4.4/user-manual/capabilities/vulnerability-detection/offline-update.html#arch

2.1. Agent-side configuration

vi /var/ossec/etc/ossec.conf

The Vulnerability Detector matches the package, OS and hotfix inventory that the syscollector module collects on each agent against the feeds, so syscollector must be enabled on the agent (its packages, os and hotfixes options are on by default). The three values kept from the original page (no, 1h, yes) are the disabled, interval and scan_on_start settings of that wodle; the surrounding tags were lost in extraction and are restored here:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
</wodle>

2.2. Server-side configuration

(1) Configuration
Depending on the operating systems you run, enable the matching provider blocks by setting <enabled>yes</enabled> in each one.
Edit /var/ossec/etc/ossec.conf with vi, or edit it directly in the dashboard under Management -> Configuration.

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>180d</interval>
  <min_full_scan_interval>180d</min_full_scan_interval>
  <run_on_start>no</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
    <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>180d</update_interval>
  </provider>

  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>yes</enabled>
    <os path="/var/ossec/etc/scanfeeds/redhetfeed/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <path>/var/ossec/etc/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
    <update_interval>180d</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <path>/var/ossec/etc/scanfeeds/windowsfeed/msu-updates\.json\.gz$</path>
    <update_interval>672h</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <path>/var/ossec/etc/nvd-feed/nvd-feed[[:digit:]]\{4\}\.json\.gz$</path>
    <update_from_year>2010</update_from_year>
    <update_interval>672h</update_interval>
  </provider>
</vulnerability-detector>

Restart the manager to apply the changes:
systemctl restart wazuh-manager

(2) Checking that the configuration worked
Check the log:

sudo tail -n 1000 /var/ossec/logs/ossec.log | grep vulnerability
sudo tail -f /var/ossec/logs/ossec.log

The feed-update log entries look like this:

2024/07/24 07:42:57 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2024/07/24 07:43:25 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2024/07/24 07:43:25 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2024/07/24 07:43:30 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully.
2024/07/24 07:43:30 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2024/07/24 07:59:51 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2024/07/24 07:59:51 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2024/07/24 08:00:07 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.

The Ubuntu feeds failed to load, with the following error:

ERROR: (5502): Could not load the CVE OVAL for 'TRUSTY'. 'XMLERR: Attribute '?' has no value.'

Solution reference: https://github.com/wazuh/wazuh/issues/20573
The error is caused by the XML declaration <?xml version="1.0" ?> that Canonical now puts at the top of its OVAL files, which the feed parser in this version cannot handle. Download the feeds offline, decompress them and delete that first line:

mkdir custom-ubuntu-ovals-fixed
cd custom-ubuntu-ovals-fixed
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2
bzip2 -d com.ubuntu.*
sed -i '/<?xml version="1.0" ?>/d' com.ubuntu.*

Then place the decompressed files in the directory the provider block points to (here /var/ossec/etc/scanfeeds/ubuntuscanplugin/) and change the provider configuration to reference the .xml files rather than the .bz2 ones:

<provider name="canonical">
  <enabled>yes</enabled>
  <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.jammy.cve.oval.xml">jammy</os>
  <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.focal.cve.oval.xml">focal</os>
  <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.bionic.cve.oval.xml">bionic</os>
  <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.xenial.cve.oval.xml">xenial</os>
  <os path="/var/ossec/etc/scanfeeds/ubuntuscanplugin/com.ubuntu.trusty.cve.oval.xml">trusty</os>
  <update_interval>180d</update_interval>
</provider>

Then restart the manager: systemctl restart wazuh-manager
Checking the log again, the feed updates now succeed.

2024/07/24 09:28:44 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Trusty' database update.
2024/07/24 09:29:10 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Trusty' feed finished successfully.
2024/07/24 09:29:10 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2024/07/24 09:29:42 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Xenial' feed finished successfully.
2024/07/24 09:29:42 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2024/07/24 09:30:25 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2024/07/24 09:31:15 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2024/07/24 09:31:15 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.

Right after that, the scan-start log entries appear:

2024/07/24 08:00:07 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2024/07/24 08:00:17 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2024/07/24 08:00:17 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '000'
2024/07/24 08:00:17 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '001' vulnerabilities.
2024/07/24 08:00:18 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '001'
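Grepping ossec.log by hand works for a handful of providers, but the thing you actually want to know is, per feed, whether the update finished, started and never finished, or logged an ERROR such as the OVAL parse failure above. The following script is an added example written for this page (not code from the original post or from Wazuh) that answers exactly that from the log line formats shown in the excerpts; the sample lines are assembled from those excerpts, with one unrelated-module line constructed to show it is ignored.

```python
"""Classify Vulnerability Detector feed updates from ossec.log (added example)."""
import re
from typing import Dict, Iterable, List

# Line shape taken from the excerpts on this page:
# <date> <time> wazuh-modulesd:vulnerability-detector: <LEVEL>: (<code>): <message>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) wazuh-modulesd:vulnerability-detector: "
    r"(?P<level>[A-Z]+): \((?P<code>\d+)\): (?P<msg>.*)$"
)
START_RE = re.compile(r"^Starting '(?P<feed>[^']+)' database update\.")
DONE_RE = re.compile(r"^The update of the '(?P<feed>[^']+)' feed finished successfully\.")


def feed_update_status(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return feeds whose update finished ('ok'), feeds with a start line but
    no matching finish line ('unfinished'), and every ERROR line ('errors').
    Lines from other modules do not match LOG_RE and are skipped."""
    started: List[str] = []
    finished: List[str] = []
    errors: List[str] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["level"] == "ERROR":
            errors.append(f"({m['code']}) {msg}")
            continue
        s = START_RE.match(msg)
        if s:
            started.append(s["feed"])
            continue
        d = DONE_RE.match(msg)
        if d:
            finished.append(d["feed"])
    return {
        "ok": finished,
        "unfinished": [f for f in started if f not in finished],
        "errors": errors,
    }


# Sample input assembled from the log excerpts above; the timestamp on the
# ERROR line and the syscollector line are constructed for this example.
SAMPLE_LOG = """\
2024/07/24 07:42:57 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2024/07/24 07:43:25 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2024/07/24 07:43:30 wazuh-modulesd:vulnerability-detector: ERROR: (5502): Could not load the CVE OVAL for 'TRUSTY'. 'XMLERR: Attribute '?' has no value.'
2024/07/24 09:31:15 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2024/07/24 09:31:15 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.
2024/07/24 09:31:20 wazuh-modulesd:syscollector: INFO: (constructed) unrelated module line
"""

if __name__ == "__main__":
    import sys
    # Run against the real log on a manager: python3 feedcheck.py /var/ossec/logs/ossec.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(feed_update_status(fh))
    else:
        print(feed_update_status(SAMPLE_LOG.splitlines()))
```

A feed that appears under "unfinished" on a manager that has been up for a while, or any entry under "errors", means the provider block for that OS is not actually protecting anything yet, however correct the XML looks.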

2.3 Viewing the report

(1) Viewing vulnerabilities
In the dashboard, Agents -> Vulnerabilities shows the scan report, but only for one host at a time. To see the vulnerabilities of all hosts, open Discover, select the wazuh-alerts-* index and filter on "rule.groups": "vulnerability-detector", or query the data directly from Dev Tools:

GET /wazuh-alerts-*/_search
{
  "track_total_hits": true,
  "query": { "term": { "rule.groups": "vulnerability-detector" } }
}

(2) Exporting vulnerabilities
Wazuh can export vulnerabilities as CSV from Discover, but only up to 10,000 rows. Guides online say this can be changed in Elasticsearch's configuration, but since Wazuh uses OpenSearch I didn't find a tutorial for changing it, so I export with a script instead: https://github.com/m01ly/wazuh/blob/main/exportvulnerability.py

(3) Analysing the results
Looking at each host's vulnerabilities, the detection time shows that each scan adds alerts incrementally, so the state of a vulnerability has to be read from the "data.vulnerability.status" field:
active: the vulnerability is present.
solved: the vulnerability has been fixed.

What if the host no longer exists but its vulnerabilities are still listed?
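The two problems above (the 10,000-row export cap, and the fact that the index holds an incremental history of active/solved events rather than the current state) are both pagination-and-reconciliation problems. The following is an added example written for this page, not the script linked above and not Wazuh code. It builds the search body that walks every vulnerability-detector alert with search_after, which is what lets an export go past the result window without changing any index setting, then folds the event stream into the set of currently open vulnerabilities per agent, dropping agents that are no longer enrolled. It assumes the alert fields named in this post (agent.id, data.vulnerability.status) plus data.vulnerability.cve, data.vulnerability.package.name, timestamp and Wazuh's unique per-alert id field, and that timestamp and id are sortable. The sample alerts and the in-memory stand-in for the indexer are constructed here so it runs offline; CVE-0000-* are placeholders, not real CVE IDs.

```python
"""Export and reconcile Wazuh vulnerability alerts (added example)."""
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

PAGE_SIZE = 1000  # per request; it is the cursor, not the size, that escapes the 10k window


def build_export_query(search_after: Optional[list] = None, size: int = PAGE_SIZE) -> dict:
    """Body for POST /wazuh-alerts-*/_search. Sorting on timestamp plus the
    unique alert id (assumed field) gives a stable cursor for search_after."""
    body = {
        "size": size,
        "track_total_hits": True,
        "query": {"term": {"rule.groups": "vulnerability-detector"}},
        "sort": [{"timestamp": "asc"}, {"id": "asc"}],
    }
    if search_after is not None:
        body["search_after"] = search_after
    return body


def export_alerts(search: Callable[[dict], dict], page_size: int = PAGE_SIZE) -> List[dict]:
    """Drain every page. `search` takes a request body and returns the parsed
    JSON reply, e.g. a small requests wrapper authenticated to the indexer."""
    out: List[dict] = []
    cursor = None
    while True:
        hits = search(build_export_query(cursor, page_size))["hits"]["hits"]
        if not hits:
            return out
        out.extend(h["_source"] for h in hits)
        cursor = hits[-1]["sort"]  # OpenSearch echoes the sort values per hit


def reconcile(alerts: Iterable[dict], live_agents: Optional[Set[str]] = None
              ) -> Dict[str, Dict[Tuple[str, str], str]]:
    """Latest event per (agent, CVE, package) wins: active = still open,
    solved = closed. With live_agents given (e.g. IDs from the manager's agent
    list), decommissioned hosts whose old alerts are still indexed are dropped."""
    latest: Dict[Tuple[str, str, str], Tuple[str, str]] = {}
    for a in sorted(alerts, key=lambda a: (a["timestamp"], a["id"])):
        v = a["data"]["vulnerability"]
        latest[(a["agent"]["id"], v["cve"], v["package"]["name"])] = (v["status"], a["timestamp"])
    open_by_agent: Dict[str, Dict[Tuple[str, str], str]] = {}
    for (agent, cve, pkg), (status, ts) in latest.items():
        if status != "active" or (live_agents is not None and agent not in live_agents):
            continue
        open_by_agent.setdefault(agent, {})[(cve, pkg)] = ts
    return open_by_agent


def _alert(seq: int, ts: str, agent: str, cve: str, pkg: str, status: str) -> dict:
    """Minimal alert document with only the fields this example reads."""
    return {"timestamp": ts, "id": f"{seq:04d}", "rule": {"groups": ["vulnerability-detector"]},
            "agent": {"id": agent},
            "data": {"vulnerability": {"cve": cve, "status": status, "package": {"name": pkg}}}}


# Constructed sample stream: agent 001 gets two findings, one is later solved;
# agent 002 shares the first finding.
SAMPLE_ALERTS = [
    _alert(1, "2024-07-24T08:00:17.000+0000", "001", "CVE-0000-1111", "openssl", "active"),
    _alert(2, "2024-07-24T08:00:17.100+0000", "001", "CVE-0000-2222", "curl", "active"),
    _alert(3, "2024-07-24T08:00:18.000+0000", "002", "CVE-0000-1111", "openssl", "active"),
    _alert(4, "2024-07-25T08:00:17.000+0000", "001", "CVE-0000-2222", "curl", "solved"),
]


def fake_indexer(docs: List[dict]) -> Callable[[dict], dict]:
    """Stand-in for the indexer that honours sort + search_after, so the
    pagination loop can be exercised without a cluster."""
    ordered = sorted(docs, key=lambda d: (d["timestamp"], d["id"]))

    def search(body: dict) -> dict:
        after = body.get("search_after")
        remaining = [d for d in ordered if after is None or [d["timestamp"], d["id"]] > after]
        page = remaining[: body["size"]]
        return {"hits": {"hits": [{"_source": d, "sort": [d["timestamp"], d["id"]]} for d in page]}}

    return search


if __name__ == "__main__":
    exported = export_alerts(fake_indexer(SAMPLE_ALERTS), page_size=2)
    for agent, open_vulns in reconcile(exported, live_agents={"001"}).items():
        print(agent, sorted(open_vulns))
```

Against a real deployment, replace fake_indexer with a function that POSTs the body to the indexer's /wazuh-alerts-*/_search endpoint and feed reconcile the agent IDs currently listed by the manager; anything open on an agent that is not in that list is either a host that was removed without its alerts being cleaned up or a host that is still on the network but no longer reporting, and both deserve a look.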

Tags: security

Reposted from: https://blog.csdn.net/qq_25954259/article/details/140871747
Copyright belongs to the original author m01ly. If this infringes your rights, please contact us for removal.
