
Wazuh vulnerability detection

  Wazuh can compare the package inventory collected from each agent against vulnerability feeds. The steps below build a local mirror of those feeds on an Nginx host and enable the vulnerability-detector module to read from it (this provider-based configuration applies to Wazuh 4.x releases before 4.8, which replaced the module and its feed format).

Environment


  All hosts run on Proxmox VE as LXC containers; a VM is used only where explicitly stated.

  • Operating system: Ubuntu 22.04
  • Web server: Nginx 1.23

Installation


Install the web server

  The feed mirror can be hosted on the Wazuh manager itself or on a separate host that only serves the downloads.

mkdir -p /var/www/wazuh/os
# Nginx 1.23 on Ubuntu 22.04 comes from the nginx.org packages, whose worker runs as "nginx";
# Ubuntu's own nginx package (1.18) runs as "www-data", so adjust the owner if you use that one
chown -R nginx:nginx /var/www/wazuh
  • Download the offline feed files (they go straight into /var/www/wazuh, which the provider URLs below reference by file name): cd /var/www/wazuh/
# Debian OVAL definitions (only used if a "debian" provider is configured in ossec.conf)
wget https://www.debian.org/security/oval/oval-definitions-bullseye.xml
wget https://www.debian.org/security/oval/oval-definitions-buster.xml

# Debian security tracker JSON
wget https://security-tracker.debian.org/tracker/data/json -O security_tracker_local.json

# RHEL OVAL definitions
wget https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2

# Ubuntu OVAL definitions (only used if a "canonical" provider is configured in ossec.conf)
wget https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2

# Microsoft update catalogue used by the "msu" provider
wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz

# Red Hat security data JSON: the generator writes redhat-feed1.json ... redhat-feedN.json into redhat/
# (the helper scripts are fetched from the master branch; pin to the release tag matching your
# manager version if master has moved on and no longer carries them)
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
chmod +x ./*.sh
mkdir redhat
./rh-generator.sh redhat/

# NVD CVE database: one nvd-feedYYYY.json.gz per year from 2010 to the current year, written into nvd/
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
chmod +x ./*.sh
mkdir nvd
./nvd-generator.sh 2010 nvd/
  • nginx configuration: vim /etc/nginx/conf.d/default.conf (the directory listing is reachable by anything that can talk to port 80; unless the host sits on an isolated network, restrict it to the manager's address with allow/deny directives)
server {
    listen       80;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    # serve the feed mirror straight from the download directory
    root /var/www/wazuh;

    location / {
        # directory listing makes it easy to see which feed files are present
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
  • Restart nginx
systemctl restart nginx

Enable vulnerability detection

  • Configure the module in the manager configuration: vim /var/ossec/etc/ossec.conf
<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os url="http://YOUR_NGINX_HOST/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os url="http://YOUR_NGINX_HOST/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os url="http://YOUR_NGINX_HOST/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <os url="http://YOUR_NGINX_HOST/rhel-9-including-unpatched.oval.xml.bz2">9</os>
      <!-- "end" must equal the number of the last file rh-generator.sh produced:
           if the newest file is redhat-feed30.json, set end="30" -->
      <url start="1" end="25">http://YOUR_NGINX_HOST/redhat/redhat-feed[-].json</url>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <url>http://YOUR_NGINX_HOST/msu-updates.json.gz</url>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <!-- "end" is the newest year nvd-generator.sh produced a file for (normally the current year) -->
      <url start="2010" end="2023">http://YOUR_NGINX_HOST/nvd/nvd-feed[-].json.gz</url>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>
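The download step fetches the Debian and Ubuntu OVAL files and the Debian security tracker JSON, but the configuration above only wires up the redhat, msu and nvd providers, so Debian and Ubuntu agents would not be scanned. As an added example (not from the original page), these are the debian and canonical provider blocks, in the Wazuh 4.x vulnerability-detector syntax, pointing at the same mirror. YOUR_NGINX_HOST is a placeholder; the codename mapping and the `<url>` element for the security tracker feed follow the Wazuh 4.x offline-update documentation, so verify them against the manual for your manager version. They belong inside the same `<vulnerability-detector>` element, next to the other providers.

```xml
    <!-- Debian OS vulnerabilities: one OVAL file per release plus the security tracker feed -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os url="http://YOUR_NGINX_HOST/oval-definitions-buster.xml">buster</os>
      <os url="http://YOUR_NGINX_HOST/oval-definitions-bullseye.xml">bullseye</os>
      <url>http://YOUR_NGINX_HOST/security_tracker_local.json</url>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Ubuntu OS vulnerabilities: one OVAL file per release codename -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os url="http://YOUR_NGINX_HOST/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
      <os url="http://YOUR_NGINX_HOST/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
      <os url="http://YOUR_NGINX_HOST/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
      <os url="http://YOUR_NGINX_HOST/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
      <os url="http://YOUR_NGINX_HOST/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
      <update_interval>1h</update_interval>
    </provider>
```

Only list the releases you actually run: every `<os>` entry is a feed the manager downloads and parses on each update_interval.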
  • Restart the Wazuh manager: systemctl restart wazuh-manager.service (feed downloads and scan runs are then logged under wazuh-modulesd:vulnerability-detector in /var/ossec/logs/ossec.log, which is where a wrong URL or "end" value shows up first)

  • Shared agent configuration, pushed by the manager to every agent in the default group: vim /var/ossec/etc/shared/default/agent.conf

<agent_config>
  <!-- Syscollector builds the package inventory that the vulnerability detector scans,
       so it must stay enabled ("disabled" set to "no"); setting it to "yes" would stop
       the inventory and leave the detector with nothing to check -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <os>yes</os>
    <packages>yes</packages>
  </wodle>
</agent_config>
Periodic feed updates

  • Refresh the mirrored feeds from a script run by cron; the manager re-reads them on its next update_interval
#!/bin/bash
# Refresh the offline feed mirror; run from cron, e.g. once a day
cd /var/www/wazuh/ || exit 1

# Debian OVAL definitions (-N only re-downloads a file when the server copy is newer)
wget -N https://www.debian.org/security/oval/oval-definitions-bullseye.xml
wget -N https://www.debian.org/security/oval/oval-definitions-buster.xml

# Debian security tracker JSON (-N does nothing together with -O, so always re-download,
# via a temporary file so a failed download does not truncate the copy being served)
wget https://security-tracker.debian.org/tracker/data/json -O security_tracker_local.json.tmp \
  && mv security_tracker_local.json.tmp security_tracker_local.json

# Ubuntu OVAL definitions
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2

# RHEL 6/7/8/9 OVAL definitions
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2

# Microsoft update catalogue
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz

# Red Hat security data JSON (redhat-feedN.json); if the file count grows, raise "end" in ossec.conf
/bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat

# NVD CVE database from 2010 to the current year (nvd-feedYYYY.json.gz); raise "end" in ossec.conf each new year
/bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd

# Reset ownership so nginx can serve the new files
chown -R nginx:nginx /var/www/wazuh
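The two generated feed sets are the ones that silently drift: the redhat provider's `end` attribute has to match the number of the last redhat-feedN.json the generator wrote, and the nvd `end` has to cover the newest year, otherwise the manager keeps scanning against stale data while the mirror is up to date. The following added script (not part of the original page) reads both values out of the mirror directory and out of ossec.conf and fails when they disagree, so it can run from cron right after the update script. The paths, the crontab line and the script name in the comment are assumptions.

```shell
#!/bin/bash
# Added example: check that ossec.conf's "end" attributes match what the feed mirror holds.
# Assumed layout (override via environment): feeds under /var/www/wazuh, config at /var/ossec/etc/ossec.conf.
# Assumed crontab entry, script names are hypothetical:
#   0 3 * * * /var/www/wazuh/update-feeds.sh && /var/www/wazuh/check-mirror.sh
set -u

FEED_ROOT="${FEED_ROOT:-/var/www/wazuh}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Highest numeric index N among files named <prefix>N<suffix> in a directory (0 if none).
# Numeric comparison matters: a lexical sort would put redhat-feed9.json after redhat-feed25.json.
max_index() {
    local dir="$1" prefix="$2" suffix="$3" max=0 f n
    for f in "$dir/$prefix"*"$suffix"; do
        [ -e "$f" ] || continue
        n="${f##*/}"            # file name only
        n="${n#"$prefix"}"      # strip prefix
        n="${n%"$suffix"}"      # strip suffix
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$max" ]; then max="$n"; fi
    done
    printf '%s\n' "$max"
}

# Value of the end="..." attribute on the first <url> element whose target contains the token
# (e.g. "redhat-feed" or "nvd-feed"). Prints nothing if no such line exists.
configured_end() {
    local conf="$1" token="$2"
    sed -n 's/.*<url[^>]*end="\([0-9][0-9]*\)"[^>]*>[^<]*'"$token"'.*/\1/p' "$conf" | head -n 1
}

# Compare mirror contents with the configuration; one line per provider, non-zero on any mismatch.
check_mirror() {
    local conf="$1" root="$2" rc=0 have want
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    have=$(max_index "$root/redhat" redhat-feed .json)
    want=$(configured_end "$conf" redhat-feed)
    if [ "$have" -eq "${want:-0}" ]; then
        echo "redhat: ok (end=$want, newest file redhat-feed${have}.json)"
    else
        echo "redhat: MISMATCH (config end=${want:-none}, mirror newest redhat-feed${have}.json)"; rc=1
    fi

    have=$(max_index "$root/nvd" nvd-feed .json.gz)
    want=$(configured_end "$conf" nvd-feed)
    if [ "$have" -eq "${want:-0}" ]; then
        echo "nvd: ok (end=$want)"
    else
        echo "nvd: MISMATCH (config end=${want:-none}, mirror newest year $have)"; rc=1
    fi
    return "$rc"
}

# When run on the mirror host, report and exit non-zero on mismatch (skipped if the config is absent).
if [ -r "$OSSEC_CONF" ]; then
    check_mirror "$OSSEC_CONF" "$FEED_ROOT"
fi
```

A mismatch is not a reason to edit `end` blindly: a redhat-feed count that went down, or an NVD year that is missing, usually means the generator failed part-way and the stale files should be regenerated first.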

Additional notes


Remarks


Related references