This is the documentation for Wazuh 3.2. Check out the docs for the latest version of Wazuh!

Configuration

  1. Basic usage
  2. Evaluate PCI-DSS compliance on RHEL7
  3. Auditing Security Vulnerabilities of Red Hat Products
  4. Overwriting the timeout
  5. Using profiles
  6. Using CPE dictionary
  7. Using IDs

Basic usage

To configure the options for OpenSCAP go to ossec.conf, or for more details about specific options, see the OpenSCAP section.

In this example, we configure Wazuh to run OpenSCAP each day, with a timeout of 30 minutes.

<wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>

  <content type="xccdf" path="ssg-centos-7-ds.xml">
    <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
    <profile>xccdf_org.ssgproject.content_profile_common</profile>
  </content>
</wodle>

Evaluate PCI-DSS compliance on RHEL7

This section describes how to evaluate the Payment Card Industry Data Security Standard (PCI-DSS) compliance on Red Hat Enterprise Linux 7 agents.

Step 1: Configure agents

Each agent must be properly identified in order to know which policy and profile to execute.

Agent ossec.conf:

<client>
  <server-ip>10.0.1.4</server-ip>
  <config-profile>redhat7</config-profile>
</client>

Step 2: Configure manager

We want to execute the PCI-DSS profile of the SSG RH7 policy only on Red Hat 7 servers.

Manager shared/agent.conf:

<agent_config profile="redhat7">

  <wodle name="open-scap">
    <content type="xccdf" path="ssg-rhel7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
    </content>
  </wodle>

</agent_config>

Step 3: Restart manager and agents

To apply the new configuration, restart the manager and agents:

# /var/ossec/bin/ossec-control restart
# /var/ossec/bin/agent_control -R -a

If you prefer, you can restart a specific agent with the option -u <id> where id is the agent’s id number.

Step 4: See alerts

When the evaluation is complete you will see the results as OSSEC alerts:

/var/ossec/logs/alerts/alerts.log

** Alert 1463752181.32768: - oscap,rule-result,pci_dss_2.2,
2016 May 20 13:49:41 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81529 (level 5) -> 'OpenSCAP rule failed (severity low).'
oscap: msg: "rule-result", id: "47T7_Qd08gm4y8TSoD53", policy: "ssg-rhel7-ds.xml", profile: "xccdf_org.ssgproject.content_profile_pci-dss", rule_id: "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout", result: "fail", title: "Set SSH Idle Timeout Interval", ident: "CCE-26611-4", severity: "low".
** Alert 1463752181.33254: - oscap,report-overview,pci_dss_2.2,
2016 May 20 13:49:41 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81542 (level 4) -> 'OpenSCAP Report overview: Score less than 80'
oscap: msg: "report-overview", id: "47T7_Qd08gm4y8TSoD53", policy: "ssg-rhel7-ds.xml", profile: "xccdf_org.ssgproject.content_profile_pci-dss", score: "56.835060" / "100.000000", severity of failed rules: "high": "1", "medium": "9", "low": "34", "n/a": "0".

Kibana

Note that each field is extracted to facilitate searches and analysis.

Step 5: Dashboards

Finally, you can explore all results using the OpenSCAP dashboards for Kibana.

Auditing Security Vulnerabilities of Red Hat Products

The Red Hat Security Response Team provides OVAL definitions for all vulnerabilities (identified by CVE name) that affect Red Hat Enterprise Linux 3, 4, 5, 6 and 7. This enables users to perform a vulnerability scan and diagnose whether a system is vulnerable or not.

Step 1: Configure agents

Each agent must be properly identified in order to know which policy and profile to execute.

Agent ossec.conf:

<client>
  <server-ip>10.0.1.4</server-ip>
  <config-profile>redhat7</config-profile>
</client>

Step 2: Configure manager

We want to execute the RedHat security policy only on Red Hat 7 servers.

Manager shared/agent.conf:

<agent_config profile="redhat7">

  <wodle name="open-scap">
    <content type="xccdf" path="com.redhat.rhsa-RHEL7.ds.xml"/>
  </wodle>

</agent_config>

Step 3: Restart manager and agents

To apply the new configuration, restart the manager and agents:

# /var/ossec/bin/ossec-control restart
# /var/ossec/bin/agent_control -R -a

If you prefer, you can restart a specific agent with option -u <id>.

Step 4: See alerts

When the evaluation is completed you will see the results as OSSEC alerts:

/var/ossec/logs/alerts/alerts.log

** Alert 1463757700.70731: mail  - oscap,rule-result,pci_dss_2.2,
2016 May 20 15:21:40 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81531 (level 9) -> 'OpenSCAP rule failed (severity high).'
oscap: msg: "rule-result", id: "I0iLEGFi4iTkxjnL9LWQ", policy: "com.redhat.rhsa-RHEL7.ds.xml", profile: "no-profiles", rule_id: "xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20160722", result: "fail", title: "RHSA-2016:0722: openssl security update (Important)", ident: "RHSA-2016-0722, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2842", severity: "high".
** Alert 1463757700.71339: - oscap,report-overview,pci_dss_2.2,
2016 May 20 15:21:40 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81540 (level 1) -> 'OpenSCAP Report overview.'
oscap: msg: "report-overview", id: "I0iLEGFi4iTkxjnL9LWQ", policy: "com.redhat.rhsa-RHEL7.ds.xml", profile: "no-profiles", score: "92.617447" / "100.000000", severity of failed rules: "high": "8", "medium": "14", "low": "0", "n/a": "0".

Kibana

Note that each field is extracted to facilitate searches and analysis.

Step 5: Dashboards

Finally, you can explore all scan results using the OpenSCAP dashboards for Kibana.

Overwriting the timeout

It is possible to overwrite the timeout for a specific evaluation:

<wodle name="open-scap">

    <timeout>1800</timeout>

    <content type="xccdf" path="ssg-centos-7-ds.xml">
        <timeout>120</timeout>
    </content>

    <content type="xccdf" path="ssg-centos-6-ds.xml"/>

</wodle>

Using profiles

We can limit the evaluation to only specific profiles of a policy:

<wodle name="open-scap">

    <content type="xccdf" path="ssg-centos-7-ds.xml">
        <profile>xccdf_org.ssgproject.content_profile_standard</profile>
        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
    </content>

    <content type="xccdf" path="ssg-centos-6-ds.xml"/>

</wodle>

Using CPE dictionary

You can also optionally specify the CPE dictionary file, which is used to determine which checks are relevant to specific platforms.

<wodle name="open-scap">

    <content type="xccdf" path=policy="ssg-centos-7-ds.xml">
        <cpe>file.xml</cpe>
    </content>

    <content type="xccdf" path="ssg-centos-6-ds.xml" />

</wodle>

Using IDs

You can select a specific ID of the datastream file:

<wodle name="open-scap">

    <content type="xccdf" path="ssg-centos-7-ds.xml">
        <datastream-id>id</datastream-id>
        <xccdf-id>id</xccdf-id>
    </content>

    <content type="xccdf" path="ssg-centos-6-ds.xml" />

</wodle>