# Wazuh Vulnerability Detection

Wazuh can compare the vulnerability information it has collected against the packages present on the monitored systems. The steps below enable that module using feed files mirrored on a local web server.
## Environment

Everything is built on Proxmox VE, using LXC containers unless a VM is explicitly called out for a special case.
- OS: Ubuntu 22.04
- Web server: Nginx 1.23
## Installation

### Install the web server

- Decide whether to serve the downloads from the Wazuh host itself or from a separate host set up just for that purpose.
- Either follow the method provided on this site (Nginx module extension - Debian / Ubuntu) or use the distribution's default package.
- After installation, create the download directory:

```shell
mkdir -p /var/www/wazuh/os
chown -R nginx:nginx /var/www/wazuh
```
- Download the offline files:

```shell
cd /var/www/wazuh/
# Debian OVAL vulnerability definitions
wget https://www.debian.org/security/oval/oval-definitions-bullseye.xml
wget https://www.debian.org/security/oval/oval-definitions-buster.xml
# Debian security tracker data (JSON)
wget https://security-tracker.debian.org/tracker/data/json -O security_tracker_local.json
# RHEL OVAL vulnerability definitions
wget https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
wget https://www.redhat.com/security/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2
# Ubuntu OVAL vulnerability definitions
wget https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
wget https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2
# Microsoft update feed
wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security data (JSON), generated with Wazuh's rh-generator.sh
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/rh-generator.sh
chmod +x ./*.sh
mkdir redhat
./rh-generator.sh redhat/
# NVD CVE database, generated with Wazuh's nvd-generator.sh (from 2010 onward)
wget https://raw.githubusercontent.com/wazuh/wazuh/master/tools/vulnerability-detector/nvd-generator.sh
chmod +x ./*.sh
mkdir nvd
./nvd-generator.sh 2010 nvd/
```
- Nginx configuration file:

```shell
vim /etc/nginx/conf.d/default.conf
```

```nginx
server {
    listen       80;
    server_name  localhost;
    #access_log  /var/log/nginx/host.access.log  main;
    root         /var/www/wazuh;

    location / {
        # root   /usr/share/nginx/html;
        # index  index.html index.htm;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
```

- Restart the nginx service:

```shell
systemctl restart nginx
```
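The server block above answers anyone who can reach port 80 and, because of `autoindex`, also lists the generator scripts stored next to the feeds. A tightened variant, added here as an example that is not part of the original post; it assumes the Wazuh manager's address is 192.0.2.10 (a placeholder) and the file layout from this guide:

```nginx
server {
    listen       80;
    server_name  localhost;
    root         /var/www/wazuh;

    location / {
        # Only the Wazuh manager needs to fetch the feeds; 192.0.2.10 is a
        # placeholder for its real address (RFC 5737 documentation range).
        allow 192.0.2.10;
        deny  all;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    # rh-generator.sh / nvd-generator.sh live in the same directory;
    # they are not feed data and should not be served at all.
    location ~ \.sh$ {
        deny all;
    }
}
```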
## Enable vulnerability detection

- Configure the detector module in the Wazuh manager configuration:

```shell
vim /var/ossec/etc/ossec.conf
```

```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://YOUR-NGINX-HOST/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os url="http://YOUR-NGINX-HOST/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os url="http://YOUR-NGINX-HOST/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <os url="http://YOUR-NGINX-HOST/rhel-9-including-unpatched.oval.xml.bz2">9</os>
    <!-- "end" must match the number of the last file rh-generator.sh produced:
         if the newest file is redhat-feed30.json, set end="30" -->
    <url start="1" end="25">http://YOUR-NGINX-HOST/redhat/redhat-feed[-].json</url>
    <update_interval>1h</update_interval>
  </provider>
  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <url>http://YOUR-NGINX-HOST/msu-updates.json.gz</url>
    <update_interval>1h</update_interval>
  </provider>
  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <url start="2010" end="2023">http://YOUR-NGINX-HOST/nvd/nvd-feed[-].json.gz</url>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```

Replace `YOUR-NGINX-HOST` with the address of the Nginx server set up above.

- Restart the Wazuh manager:

```shell
systemctl restart wazuh-manager.service
```

- Configure the shared agent settings. Syscollector must be enabled so that every agent reports its OS and package inventory; without it the detector has nothing to compare against:

```shell
vim /var/ossec/etc/shared/default/agent.conf
```

```xml
<wodle name="syscollector">
  <!-- "no" keeps the module running; "yes" would switch inventory collection off -->
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
</wodle>
```
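The `end` attributes above have to be kept in step with what the generator scripts actually wrote, and a gap in the numbering makes the manager request a file the web server cannot return. The following script, added as an example and not part of the original post, derives both values from the mirror directory; it assumes the layout from this guide (`redhat-feedN.json` under `redhat/`, `nvd-feedYYYY.json.gz` under `nvd/`):

```shell
#!/bin/sh
# Added example (not from the original post): derive the end="N" value for the
# redhat <url> element from the files rh-generator.sh actually wrote, and refuse
# to report one if the numbering has a gap (the manager would then request a
# feed the web server answers with 404). Assumption: files are named
# redhat-feedN.json under DIR/redhat and nvd-feedYYYY.json.gz under DIR/nvd.

# redhat_feed_end DIR: print the highest N such that redhat-feed1.json ... redhat-feedN.json
# all exist in DIR; report the first missing number on stderr and return 1 otherwise.
redhat_feed_end() {
    dir=$1
    max=0
    for f in "$dir"/redhat-feed*.json; do
        [ -e "$f" ] || { echo "no redhat-feed*.json in $dir" >&2; return 1; }
        n=${f##*/redhat-feed}
        n=${n%.json}
        case $n in
            ''|*[!0-9]*) continue ;;          # not a plain number, skip it
        esac
        [ "$n" -gt "$max" ] && max=$n
    done
    i=1
    while [ "$i" -le "$max" ]; do
        if [ ! -f "$dir/redhat-feed$i.json" ]; then
            echo "gap at $i (highest file is redhat-feed$max.json)" >&2
            return 1
        fi
        i=$((i + 1))
    done
    echo "$max"
}

# nvd_feed_end DIR START: print the last year for which nvd-feedYYYY.json.gz exists,
# counting up contiguously from START (2010 in this guide).
nvd_feed_end() {
    dir=$1; start=$2; year=$start
    while [ -f "$dir/nvd-feed$year.json.gz" ]; do
        year=$((year + 1))
    done
    [ "$year" -gt "$start" ] || { echo "no nvd-feed$start.json.gz in $dir" >&2; return 1; }
    echo $((year - 1))
}

# Usage: sh feed-end.sh /var/www/wazuh  ->  "redhat end=30" / "nvd end=2023"
if [ -n "$1" ]; then
    echo "redhat end=$(redhat_feed_end "$1/redhat")"
    echo "nvd end=$(nvd_feed_end "$1/nvd" 2010)"
fi
```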
## Keeping the feed files up to date

- Refresh the feed files on a schedule with a script:

```bash
#!/bin/bash
cd /var/www/wazuh/ || exit 1
# Debian OVAL vulnerability definitions
wget -N https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2
wget -N https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2
wget -N https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2
# Debian security tracker data (JSON); -N has no effect together with -O, so this file is always re-fetched
wget https://security-tracker.debian.org/tracker/data/json -O security_tracker_local.json
# Ubuntu OVAL vulnerability definitions
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.noble.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
wget -N https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2
# RHEL 6/7/8/9 OVAL vulnerability definitions
wget -N https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
wget -N https://www.redhat.com/security/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2
# Microsoft update feed
wget -N https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz
# Red Hat security data (JSON)
/bin/bash /var/www/wazuh/rh-generator.sh /var/www/wazuh/redhat
# NVD CVE database (from 2010 onward)
/bin/bash /var/www/wazuh/nvd-generator.sh 2010 /var/www/wazuh/nvd
# Reset ownership of the directory
chown -R nginx:nginx /var/www/wazuh
```
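A mirror that stops refreshing, or a compressed feed truncated by an interrupted download, degrades detection without any error on the manager. The check below, added here as an example and not part of the original post, can run right after the update script; it assumes the directory layout from this guide, and `MAX_AGE_DAYS` is a constructed threshold rather than a Wazuh setting:

```shell
#!/bin/sh
# Added example (not from the original post): check the mirrored feeds before the
# manager's next update_interval pulls them. A truncated .bz2/.gz left by an
# interrupted wget, or a feed the update script has stopped refreshing, silently
# degrades detection. Assumes the layout from this guide under /var/www/wazuh;
# MAX_AGE_DAYS is a constructed threshold, not a Wazuh setting.

MAX_AGE_DAYS=${MAX_AGE_DAYS:-2}

# check_feed FILE: return 0 if FILE is non-empty, decompresses cleanly (.bz2/.gz)
# and was modified within MAX_AGE_DAYS; otherwise explain on stderr and return 1.
check_feed() {
    f=$1
    [ -s "$f" ] || { echo "MISSING/EMPTY: $f" >&2; return 1; }
    case $f in
        *.bz2) bzip2 -t "$f" 2>/dev/null || { echo "CORRUPT bz2: $f" >&2; return 1; } ;;
        *.gz)  gzip -t "$f" 2>/dev/null  || { echo "CORRUPT gz: $f" >&2; return 1; } ;;
    esac
    # find prints the path only when the mtime is older than MAX_AGE_DAYS days
    if [ -n "$(find "$f" -mtime +"$MAX_AGE_DAYS")" ]; then
        echo "STALE (older than $MAX_AGE_DAYS days): $f" >&2
        return 1
    fi
    return 0
}

# check_all DIR: run check_feed over every feed under DIR (top level, redhat/, nvd/);
# print the number of failing files and return non-zero if there were any.
check_all() {
    fails=0
    for f in "$1"/*.xml "$1"/*.xml.bz2 "$1"/*.json "$1"/*.json.gz \
             "$1"/redhat/*.json "$1"/nvd/*.json.gz; do
        [ -e "$f" ] || continue              # pattern matched nothing
        check_feed "$f" || fails=$((fails + 1))
    done
    echo "$fails"
    [ "$fails" -eq 0 ]
}

# Usage: sh check-feeds.sh /var/www/wazuh   (exit status 1 if any feed failed)
if [ -n "$1" ]; then
    check_all "$1"
fi
```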