Configuring Wazuh OpenSCAP Integration
Today we will look at integrating Wazuh and OpenSCAP. This lets us view scan results from every agent in a single console in ELK (the Wazuh dashboard), and we can also generate more detailed reports from the command line.
Deploying OpenSCAP to Wazuh Agents
The first step toward Wazuh OpenSCAP integration is deploying OpenSCAP, together with up-to-date SCAP content, to every system that runs the Wazuh agent.
Install OpenSCAP on Ubuntu
apt-get install -y libopenscap8 xsltproc
Grab the newest OpenSCAP content (SCAP datastreams with OVAL checks) from the ComplianceAsCode content releases page; the version used here is 0.1.43. The -oval-510 archive is the variant built with OVAL 5.10 for OpenSCAP versions that do not support OVAL 5.11.
wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip
Install unzip
apt install -y unzip
Unzip, move, and cleanup OVAL OpenSCAP scan XML files
We are downloading the latest content and placing it in Wazuh's /var/ossec/wodles/oscap/content/ directory. This is where the few out-of-the-box templates that ship with Wazuh are stored; we just need more up-to-date ones. Note that the archive is named oval-510 but extracts to a directory named oval-5.10.
unzip scap-security-guide-0.1.43-oval-510.zip
cp -r scap-security-guide-0.1.43-oval-5.10/* /var/ossec/wodles/oscap/content/
rm -r scap-security-guide-0.1.43-oval-5.10/
rm scap-security-guide-0.1.43-oval-510.zip
Restart Wazuh Agent
systemctl restart wazuh-agent
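The agent-side steps above, collected into one idempotent script as an added example (this is not code from the original post or from the Wazuh project). It adds the checks the bare commands skip: it confirms the oscap binary is installed and prints its version, downloads the archive only if it is not already present, verifies the archive actually contains the datastream that agent.conf will reference, derives the extracted directory name (oval-510 in the zip name becomes oval-5.10 on disk), and parses the installed file with `oscap info` before restarting the agent. The release version, download URL and content directory come from the post; the datastream name ssg-ubuntu1804-ds.xml and the Ubuntu 18.04 target are assumptions.

```shell
#!/bin/sh
# Added example: agent-side deployment of OpenSCAP content for the Wazuh oscap wodle.
# Release, URL and content directory are from the post; CONTENT_FILE is the datastream
# later referenced from agent.conf (assumed target: Ubuntu 18.04).
SSG_VERSION="${SSG_VERSION:-0.1.43}"
SSG_ZIP="scap-security-guide-${SSG_VERSION}-oval-510.zip"
SSG_URL="https://github.com/ComplianceAsCode/content/releases/download/v${SSG_VERSION}/${SSG_ZIP}"
WAZUH_CONTENT_DIR="${WAZUH_CONTENT_DIR:-/var/ossec/wodles/oscap/content}"
CONTENT_FILE="${CONTENT_FILE:-ssg-ubuntu1804-ds.xml}"

# The archive is named "...-oval-510.zip" but extracts to "...-oval-5.10/".
# Deriving the directory name avoids a hard-coded mismatch that makes the cp step fail.
extract_dir() {
    # $1: zip file name -> extracted directory name
    printf '%s\n' "$1" | sed -e 's/\.zip$//' -e 's/-oval-510$/-oval-5.10/'
}

# Prints 0 if the archive contains the datastream agent.conf will point at, 1 otherwise.
# `unzip -Z1` lists entry names one per line without extracting anything.
archive_has_content() {
    # $1: zip path, $2: datastream file name
    if unzip -Z1 "$1" | grep -qx "$(extract_dir "$(basename "$1")")/$2"; then
        printf '0\n'
    else
        printf '1\n'
    fi
}

deploy() {
    set -e
    apt-get install -y libopenscap8 xsltproc unzip
    oscap --version | head -n 1              # confirm the scanner is present; shows the OpenSCAP version
    [ -f "$SSG_ZIP" ] || wget -q "$SSG_URL"  # download only when not already fetched
    if [ "$(archive_has_content "$SSG_ZIP" "$CONTENT_FILE")" -ne 0 ]; then
        echo "archive $SSG_ZIP does not contain $CONTENT_FILE" >&2
        exit 1
    fi
    dir="$(extract_dir "$SSG_ZIP")"
    unzip -oq "$SSG_ZIP"
    mkdir -p "$WAZUH_CONTENT_DIR"
    cp -r "$dir"/* "$WAZUH_CONTENT_DIR"/
    rm -r "$dir" "$SSG_ZIP"
    # Make oscap parse the installed datastream now, before the wodle tries to use it on a schedule.
    oscap info "$WAZUH_CONTENT_DIR/$CONTENT_FILE" >/dev/null
    systemctl restart wazuh-agent
}

# Run only when explicitly asked, so the file can also be sourced for its helper functions.
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Usage on an agent: `sudo sh deploy-oscap-content.sh deploy`. Override CONTENT_FILE (for example ssg-ubuntu1604-ds.xml) to check for a different datastream.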
Configure Centralized Scan from Wazuh Manager
Now we need to enable OpenSCAP on all of our agents. Instead of logging in to each agent and editing its configuration file by hand, we push the setting from the Wazuh manager through the shared agent.conf.
Edit agent.conf on Wazuh Manager
nano /var/ossec/etc/shared/default/agent.conf
Between <agent_config> and </agent_config> we need to add our OpenSCAP configuration. If this is your first time touching this file, it will look like this:
<agent_config>
  <!-- Shared agent configuration here -->
</agent_config>
We want to add the following. The timeout is in seconds, the interval is how often the scan repeats, scan-on-start runs a scan whenever the agent starts, and the content path is relative to /var/ossec/wodles/oscap/content/ on the agent:
<wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <content type="oval" path="ssg-ubuntu1804-ds.xml">
  </content>
</wodle>
The file referenced here is a SCAP source datastream (the -ds.xml file). With type="oval" Wazuh evaluates the OVAL definitions in it; the wodle also accepts type="xccdf" with one or more <profile> elements inside <content> if you want XCCDF rule results for a named profile instead.
So now our file will look like this:
<agent_config>
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="oval" path="ssg-ubuntu1804-ds.xml">
    </content>
  </wodle>
</agent_config>
Restart Wazuh Manager
systemctl restart wazuh-manager
Restart all the agents from Wazuh Manager
/var/ossec/bin/agent_control -R -a
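The manager-side steps, as an added example that is not part of the original post: a malformed agent.conf is pushed to every agent, so the script validates the shared file with Wazuh's own verify-agent-conf tool before restarting anything, and it includes two small helpers that report whether the open-scap wodle is actually enabled and which content paths it references, so you can confirm each one was deployed under /var/ossec/wodles/oscap/content/ on the agents. The helpers are plain grep/sed matching on the tags used in the post, not an XML parser; the agent.conf path and the /var/ossec/bin tools are the ones from the post.

```shell
#!/bin/sh
# Added example: validate the shared agent.conf on the Wazuh manager before pushing it.
AGENT_CONF="${AGENT_CONF:-/var/ossec/etc/shared/default/agent.conf}"

# Returns the text of the open-scap wodle element (file joined to one line), or nothing.
# Simple tag matching on the post's layout; a differently quoted or spaced tag is not matched.
oscap_wodle() {
    # $1: agent.conf path
    tr -d '\n' < "$1" | grep -o '<wodle name="open-scap">.*</wodle>' || true
}

# Prints "enabled", "disabled" or "missing" for the open-scap wodle.
oscap_wodle_state() {
    # $1: agent.conf path
    wodle="$(oscap_wodle "$1")"
    if [ -z "$wodle" ]; then
        printf 'missing\n'
    elif printf '%s' "$wodle" | grep -q '<disabled>no</disabled>'; then
        printf 'enabled\n'
    else
        printf 'disabled\n'
    fi
}

# Prints each content path the wodle will load, one per line: these files must exist
# under /var/ossec/wodles/oscap/content/ on every agent that receives this agent.conf.
oscap_content_paths() {
    # $1: agent.conf path
    oscap_wodle "$1" | grep -o 'path="[^"]*"' | sed 's/^path="\(.*\)"$/\1/'
}

push() {
    set -e
    # Wazuh's syntax checker for the shared configuration; fails on malformed XML.
    /var/ossec/bin/verify-agent-conf
    [ "$(oscap_wodle_state "$AGENT_CONF")" = "enabled" ] || {
        echo "open-scap wodle is not enabled in $AGENT_CONF" >&2
        exit 1
    }
    echo "content referenced by agent.conf (must be present on each agent):"
    oscap_content_paths "$AGENT_CONF"
    systemctl restart wazuh-manager
    /var/ossec/bin/agent_control -R -a   # restart every agent so they pick up the new shared config
}

if [ "${1:-}" = "push" ]; then
    push
fi
```

Usage on the manager: `sudo sh push-oscap-config.sh push`.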
Check ELK for OpenSCAP results
Because scan-on-start is set to yes, the agents begin their first scan as soon as they restart. Open the OpenSCAP section of the Wazuh dashboard and results will start to come in.

Check Wazuh Logs for full alerts
The manager writes every alert to /var/ossec/logs/alerts/alerts.log and, as one JSON object per line, to /var/ossec/logs/alerts/alerts.json; each failed OpenSCAP check produces its own alert carrying the check result, title and severity. Here is an example of some alerts generated from failed tests:
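To get the "which checks failed, and on which agents" view from the command line rather than the dashboard, here is an added example (not from the original post) that reads the manager's alerts.json and summarises failed OpenSCAP checks per agent and per check title. The three alert lines embedded below are constructed for the example, and the field names it matches on (data.oscap.check.result, severity and title, agent.name) are assumed to follow the Wazuh oscap decoder output; check one real line from your own alerts.json against the patterns before relying on it.

```shell
#!/bin/sh
# Added example: summarise failed OpenSCAP checks from Wazuh's alerts.json (one JSON alert per line).
# Field names are assumed from the Wazuh oscap decoder; the sample alerts below are constructed.
ALERTS_JSON="${ALERTS_JSON:-/var/ossec/logs/alerts/alerts.json}"

SAMPLE_ALERTS='{"timestamp":"2019-03-10T10:00:01.000+0000","agent":{"id":"001","name":"web01"},"data":{"oscap":{"check":{"id":"oval:ssg-sshd_disable_root_login:def:1","result":"fail","severity":"medium","title":"Disable SSH Root Login"},"scan":{"content":"ssg-ubuntu1804-ds.xml"}}}}
{"timestamp":"2019-03-10T10:00:02.000+0000","agent":{"id":"001","name":"web01"},"data":{"oscap":{"check":{"id":"oval:ssg-package_auditd_installed:def:1","result":"pass","severity":"medium","title":"Ensure the audit Subsystem is Installed"},"scan":{"content":"ssg-ubuntu1804-ds.xml"}}}}
{"timestamp":"2019-03-10T10:00:03.000+0000","agent":{"id":"002","name":"db01"},"data":{"oscap":{"check":{"id":"oval:ssg-sshd_disable_root_login:def:1","result":"fail","severity":"medium","title":"Disable SSH Root Login"},"scan":{"content":"ssg-ubuntu1804-ds.xml"}}}}'

# Reads alerts on stdin; prints one line per failed check: agent<TAB>severity<TAB>title.
# The "check" object has no nested objects, so [^}]* keeps each match inside it and
# does not pick up a title from elsewhere in the alert.
failed_checks() {
    grep '"result":"fail"' | while IFS= read -r line; do
        agent="$(printf '%s\n' "$line" | sed -n 's/.*"agent":{[^}]*"name":"\([^"]*\)".*/\1/p')"
        sev="$(printf '%s\n' "$line"   | sed -n 's/.*"check":{[^}]*"severity":"\([^"]*\)".*/\1/p')"
        title="$(printf '%s\n' "$line" | sed -n 's/.*"check":{[^}]*"title":"\([^"]*\)".*/\1/p')"
        printf '%s\t%s\t%s\n' "$agent" "$sev" "$title"
    done
}

# Number of failing alerts per check title, most widespread first.
failed_by_check() {
    failed_checks | cut -f3 | sort | uniq -c | sort -rn
}

# Number of failed checks per agent, worst agent first.
failed_by_agent() {
    failed_checks | cut -f1 | sort | uniq -c | sort -rn
}

if [ "${1:-}" = "report" ]; then
    echo "== failed checks by title =="
    failed_by_check < "$ALERTS_JSON"
    echo "== failed checks by agent =="
    failed_by_agent < "$ALERTS_JSON"
elif [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | failed_by_check
fi
```

Usage on the manager: `sudo sh oscap-failed.sh report`; `sh oscap-failed.sh demo` runs it over the constructed sample. Because each scan appends new alerts, restrict the input to the latest scan (for example with a timestamp grep before the pipeline) if you want current state rather than history.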


Thanks for your helpful post!
I have a doubt about the use of OpenSCAP in Wazuh; do you know if it is possible to have useful information on OpenSCAP dashboards, such as checks that have failed? I can't find a way to add this information to a graph; only through Discover is it possible to see the details of each OpenSCAP check result. Thank you