automation Open Source OpenSCAP Ubuntu 18.04 wazuh

Configuring Wazuh OpenSCAP Integration

Joel Radon April 25, 2019

Today we will look at integrating Wazuh and OpenSCAP. This will allow us to view our scan results under a unified console in ELK. We can also generate more detailed reports via command line.

Deploying OpenSCAP to Wazuh Agents

First step towards Wazuh OpenSCAP integration is deploying OpenSCAP to systems with the wazuh agent.

Install OpenSCAP on Ubuntu

apt-get install -y libopenscap8 xsltproc

Grab the newest OVAL OpenSCAP XML Files. (Go here for latest)

wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip

Install unzip

apt install -y unzip

Unzip, move, and cleanup OVAL OpenSCAP scan XML files

We are downloading the latest OVAL templates and placing them in Wazuh’s /wodles/oscap directory. This is where the few out of the box templates that come with wazuh are stored. However we needed more up to date templates 🙂

unzip scap-security-guide-0.1.43-oval-510.zip 
cp -r scap-security-guide-0.1.43-oval-5.10/* /var/ossec/wodles/oscap/content/
rm -r scap-security-guide-0.1.43-oval-5.10/
rm scap-security-guide-0.1.43-oval-510.zip

Restart Wazuh Agent

systemctl restart wazuh-agent

Configure Centralized Scan from Wazuh Manager

Now we must enable OpenSCAP on all over our agents. Instead of going to each agent and manually changing the configuration file. We are going to do it from the Wazuh Manager

Edit agent.conf on Wazuh Manager

nano /var/ossec/etc/shared/default/agent.conf


Between <agent_config> and </agent_config> we need to add our OpenSCAP configuration. If this is your first time touching this file, it will look like this:

<agent_config>

  <!-- Shared agent configuration here -->

</agent_config>

We want to add the following:

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="oval" path="ssg-ubuntu1804-ds.xml">
   </content>
</wodle>

So now our file will look like this:

<agent_config>

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="oval" path="ssg-ubuntu1804-ds.xml">
   </content>
</wodle>



</agent_config>

Restart Wazuh Manager

systemctl restart wazuh-manager

Restart all the agents from Wazuh Manager

/var/ossec/bin/agent_control -R -a

Check ELK for OpenSCAP results

Your agents should start initiating their scans. We should be able to take a look at the OpenSCAP area of Wazuh dashboard and see results starting to come in.

Check Wazuh Logs for full alerts


Here is an example of some alerts generated from failed tests:


Tags:
1 Points
Previous Article

Next Article

2 thoughts on “Configuring Wazuh OpenSCAP Integration”

  1. Pingback: CIS Ubuntu Script to Automate Server Hardening - Cloud Security Life
  2. Guillermo says:
    March 11, 2020 at 1:46 pm

    Thanks for your helpful post!
    I have a doubt with the use of Openscap in Wazuh; do yo know if it Is it possible to have useful information on OpenScap Dashboards?, such as checks that have failed? I can’t find a way to add this information in a graph, only through the Discover is it possible to see the details of each OpenScap check result. Thank you

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *