Configuring Wazuh OpenSCAP Integration

Today we will look at integrating Wazuh and OpenSCAP. This lets us view our OpenSCAP scan results for every agent under a unified console in ELK, and we can still generate more detailed reports from the command line when we need them.

Deploying OpenSCAP to Wazuh Agents

The first step towards Wazuh OpenSCAP integration is deploying OpenSCAP itself to every system that runs the Wazuh agent.

Install OpenSCAP on Ubuntu

apt-get install -y libopenscap8 xsltproc

Grab the newest OVAL OpenSCAP XML files from the ComplianceAsCode releases page on GitHub (the version below was the latest at the time of writing):

wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip

Install unzip

apt install -y unzip

Unzip, move, and clean up the OVAL OpenSCAP scan XML files

We are downloading the latest OVAL templates and placing them in Wazuh's /var/ossec/wodles/oscap/content directory on the agent. This is where the few out-of-the-box templates that ship with Wazuh are stored; however, we needed more up-to-date templates 🙂

unzip scap-security-guide-0.1.43-oval-510.zip
cp -r scap-security-guide-0.1.43-oval-5.10/* /var/ossec/wodles/oscap/content/
rm -r scap-security-guide-0.1.43-oval-5.10/
rm scap-security-guide-0.1.43-oval-510.zip

Restart Wazuh Agent

systemctl restart wazuh-agent

Configure Centralized Scan from Wazuh Manager

Now we must enable OpenSCAP on all of our agents. Instead of going to each agent and manually changing its configuration file, we are going to push the configuration from the Wazuh Manager using the shared agent.conf.

Edit agent.conf on Wazuh Manager

nano /var/ossec/etc/shared/default/agent.conf

Between <agent_config> and </agent_config> we need to add our OpenSCAP configuration. If this is your first time touching this file, it will look like this:

<agent_config>

  <!-- Shared agent configuration here -->

</agent_config>


We want to add the following:

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="oval" path="ssg-ubuntu1804-ds.xml">
    </content>
  </wodle>

So now our file will look like this:

<agent_config>

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="oval" path="ssg-ubuntu1804-ds.xml">
    </content>
  </wodle>

</agent_config>


Restart Wazuh Manager

systemctl restart wazuh-manager

Restart all the agents from Wazuh Manager

/var/ossec/bin/agent_control -R -a
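Before restarting the manager and every agent, it is worth checking that the shared agent.conf is well-formed, that the open-scap wodle settings have the shape Wazuh expects, and that each <content path="..."> actually exists in the content directory the deployment step above populated. The following pre-flight script is an added example written for this post; it is not part of Wazuh. It assumes the agent-side content directory is /var/ossec/wodles/oscap/content, that <interval> is a number followed by s, m, h or d, and that the wodle accepts the content types oval and xccdf.

```python
"""Pre-flight check for the open-scap wodle in Wazuh's shared agent.conf.

Added example for this post; not Wazuh's own tooling. Parses the
<wodle name="open-scap"> block, validates the settings the post uses, and
confirms that every <content path="..."> file exists in the content directory.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Assumed default: where the deployment step copies the SSG content on each agent.
DEFAULT_CONTENT_DIR = "/var/ossec/wodles/oscap/content"
INTERVAL_RE = re.compile(r"^\d+[smhd]$")      # assumed syntax, e.g. 1d, 12h, 30m
KNOWN_CONTENT_TYPES = {"oval", "xccdf"}        # content types the wodle accepts (assumed)


def check_oscap_wodle(agent_conf_xml, content_dir=DEFAULT_CONTENT_DIR):
    """Return a list of problem strings; an empty list means the block looks sane."""
    problems = []
    try:
        root = ET.fromstring(agent_conf_xml)
    except ET.ParseError as exc:
        return ["agent.conf is not well-formed XML: %s" % exc]

    wodles = [w for w in root.iter("wodle") if w.get("name") == "open-scap"]
    if not wodles:
        return ['no <wodle name="open-scap"> block found']
    if len(wodles) > 1:
        problems.append("%d open-scap wodle blocks found, expected one" % len(wodles))
    wodle = wodles[0]

    def setting(tag):
        return (wodle.findtext(tag) or "").strip()

    if setting("disabled") != "no":
        problems.append("<disabled> is not 'no'; the scan will never run")
    if not setting("timeout").isdigit():
        problems.append("<timeout> must be a whole number of seconds, got %r" % setting("timeout"))
    if not INTERVAL_RE.match(setting("interval")):
        problems.append("<interval> must be a number plus s/m/h/d, got %r" % setting("interval"))
    if setting("scan-on-start") not in ("yes", "no"):
        problems.append("<scan-on-start> must be yes or no, got %r" % setting("scan-on-start"))

    contents = wodle.findall("content")
    if not contents:
        problems.append("no <content> entries; there is nothing to scan")
    for content in contents:
        ctype, path = content.get("type", ""), content.get("path", "")
        if ctype not in KNOWN_CONTENT_TYPES:
            problems.append("unknown content type %r for %r" % (ctype, path))
        if not path:
            problems.append("<content> entry without a path attribute")
        elif not os.path.isfile(os.path.join(content_dir, path)):
            # The manager pushes agent.conf, but the content file must already
            # be on the agent; a typo here silently produces no scan results.
            problems.append("content file %r not found under %s" % (path, content_dir))
    return problems


if __name__ == "__main__":
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/shared/default/agent.conf"
    with open(conf_path) as fh:
        found = check_oscap_wodle(fh.read())
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it on an agent (where the content directory lives) against a copy of the shared agent.conf; a non-zero exit means fix the file before pushing it. The manager also ships /var/ossec/bin/verify-agent-conf, which checks agent.conf syntax but not whether the referenced content files exist on the agents.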

Check ELK for OpenSCAP results

Your agents should start initiating their scans. We should be able to take a look at the OpenSCAP area of the Wazuh dashboard and see results starting to come in.

Check Wazuh Logs for full alerts


Here is an example of some alerts generated from failed tests:
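When the dashboard is unavailable, or you want a quick per-agent picture of what failed, the same information can be pulled straight from the manager's alerts.json. The script below is an added example for this post, not Wazuh's own code; the field names it reads (rule.groups containing "oscap", data.oscap.check.result, .severity and .title, agent.name) are assumed to match what the Wazuh oscap decoder emits, and the sample alert lines are constructed, including a malformed line to show that a bad line is skipped rather than aborting the run.

```python
"""Summarise failed OpenSCAP checks from Wazuh's alerts.json (one JSON object per line).

Added example for this post, not part of Wazuh. Field names are assumed to match
the Wazuh oscap decoder; the sample lines below are constructed, not real alerts.
"""
import json
import sys
from collections import defaultdict

# Constructed sample alert lines (values are placeholders, not from a real scan).
SAMPLE_ALERTS_JSON = """
{"timestamp":"2019-01-01T00:00:01.000+0000","agent":{"id":"001","name":"web01"},"rule":{"groups":["oscap","oscap-result"]},"data":{"oscap":{"scan":{"content":"ssg-ubuntu1804-ds.xml"},"check":{"title":"constructed high check","severity":"high","result":"fail"}}}}
{"timestamp":"2019-01-01T00:00:02.000+0000","agent":{"id":"001","name":"web01"},"rule":{"groups":["oscap","oscap-result"]},"data":{"oscap":{"scan":{"content":"ssg-ubuntu1804-ds.xml"},"check":{"title":"constructed medium check","severity":"medium","result":"fail"}}}}
{"timestamp":"2019-01-01T00:00:03.000+0000","agent":{"id":"002","name":"db01"},"rule":{"groups":["oscap","oscap-result"]},"data":{"oscap":{"scan":{"content":"ssg-ubuntu1804-ds.xml"},"check":{"title":"constructed passing check","severity":"high","result":"pass"}}}}
{"timestamp":"2019-01-01T00:00:04.000+0000","agent":{"id":"002","name":"db01"},"rule":{"groups":["oscap","oscap-result"]},"data":{"oscap":{"scan":{"content":"ssg-ubuntu1804-ds.xml"},"check":{"title":"constructed high check","severity":"high","result":"fail"}}}}
this line is deliberately not JSON and must be skipped
"""


def parse_alert_lines(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line should not abort the report
    return alerts


def oscap_failures(alerts):
    """Keep only OpenSCAP check alerts whose result is 'fail'."""
    failures = []
    for alert in alerts:
        groups = alert.get("rule", {}).get("groups", [])
        check = alert.get("data", {}).get("oscap", {}).get("check", {})
        if "oscap" in groups and check.get("result") == "fail":
            failures.append(alert)
    return failures


def summarize_failures(alerts):
    """Map agent name -> {severity: count} for failed OpenSCAP checks."""
    summary = defaultdict(lambda: defaultdict(int))
    for alert in oscap_failures(alerts):
        agent = alert.get("agent", {}).get("name", "unknown")
        severity = alert["data"]["oscap"]["check"].get("severity", "unknown")
        summary[agent][severity] += 1
    return {agent: dict(counts) for agent, counts in summary.items()}


if __name__ == "__main__":
    # Default to the sample data; pass /var/ossec/logs/alerts/alerts.json to use real alerts.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_ALERTS_JSON
    parsed = parse_alert_lines(text)
    for agent, counts in sorted(summarize_failures(parsed).items()):
        print(agent, ", ".join("%s=%d" % kv for kv in sorted(counts.items())))
    for alert in oscap_failures(parsed):
        check = alert["data"]["oscap"]["check"]
        print("  %-6s %-8s %s" % (alert["agent"]["name"], check.get("severity"), check.get("title")))
```

Point it at /var/ossec/logs/alerts/alerts.json on the manager to get the same failed checks the dashboard shows, grouped by agent and severity; severity "unknown" in the output means the decoder did not populate that field for a check, which is worth noticing before trusting the counts.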