
Add support for AlmaLinux in Vulnerability Detector #16343

Merged
merged 25 commits into from Aug 10, 2023

Conversation

@GabrielEValenzuela (Member) commented Mar 7, 2023

Related issue
#10774

Description

This pull request adds the following features:

  • We have added support for the following OSs:

  • Functions have been created to assign AlmaLinux agents their corresponding OVAL feed when starting the vulnerability scan, and to parse the AlmaLinux feeds and insert the vulnerabilities into the DB. These functions have their corresponding UTs.

  • It has been observed that there is no specific CPE for AlmaLinux, so, being a RHEL clone, we will also rely on its CPEs.

Configuration options

The Vulnerability Detector configuration has been extended to support the added provider:

<vulnerability-detector>
    ...
    <!-- AlmaLinux OS vulnerabilities -->
    <provider name="almalinux">
        <enabled>yes</enabled>
        <os>8</os>
        <os>9</os>
        <update_interval>1h</update_interval>
    </provider>
    ...
</vulnerability-detector>

Logs/Alerts example

Here we can see the logs when fetching the AlmaLinux feed:

2023/03/07 11:30:31 wazuh-modulesd:download[4489] wm_download.c:251 at wm_download_dispatch(): DEBUG: Download of 'https://security.almalinux.org/oval/org.almalinux.alsa-8.xml' finished.
2023/03/07 11:30:31 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:4861 at wm_vuldet_fetch_oval(): DEBUG: (5406): The feed 'AlmaLinux 8' is in its latest version.
2023/03/07 11:30:31 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:5176 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'AlmaLinux 8' feed finished successfully.
2023/03/07 11:30:31 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:5153 at wm_vuldet_check_feed(): INFO: (5400): Starting 'AlmaLinux 9' database update.
2023/03/07 11:30:31 wazuh-modulesd:download[4489] wm_download.c:231 at wm_download_dispatch(): DEBUG: Downloading 'https://security.almalinux.org/oval/org.almalinux.alsa-9.xml' to 'tmp/vuln-temp'
2023/03/07 11:30:37 wazuh-modulesd:download[4489] wm_download.c:251 at wm_download_dispatch(): DEBUG: Download of 'https://security.almalinux.org/oval/org.almalinux.alsa-9.xml' finished.
2023/03/07 11:30:37 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:4861 at wm_vuldet_fetch_oval(): DEBUG: (5406): The feed 'AlmaLinux 9' is in its latest version.
2023/03/07 11:30:37 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:5176 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'AlmaLinux 9' feed finished successfully.

Vulnerability logs displayed during the AlmaLinux 9 package pre-scan and scan:

2023/03/07 11:35:16 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:2734 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5491): A baseline scan will be run on agent '001'
2023/03/07 11:35:16 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:5611 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2023/03/07 11:35:16 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:2762 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2023/03/07 11:35:16 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:2343 at wm_vuldet_linux_oval_vulnerabilities(): DEBUG: (5456): Analyzing OVAL vulnerabilities for agent '001'
2023/03/07 11:39:17 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:1587 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5468): The 'rpm' package (4.16.1.3-12.el9_0) from agent '001' is vulnerable to 'CVE-2021-35938'. Condition: 'Package less than 4.18.0'
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:1587 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5468): The 'rpm' package (4.16.1.3-12.el9_0) from agent '001' is vulnerable to 'CVE-2021-35939'. Condition: 'Package less than 4.18'
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:1618 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5482): A total of '87' vulnerabilities have been reported for agent '001' thanks to the 'NVD' feed.
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:1619 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5482): A total of '94' vulnerabilities have been reported for agent '001' thanks to the 'vendor' feed.
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:1621 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5469): A total of '163' vulnerabilities have been reported for agent '001'
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:1622 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5470): It took '230' seconds to 'report' vulnerabilities in agent '001'
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:2781 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:2782 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '243' seconds to 'scan' vulnerabilities in agent '001'
2023/03/07 11:39:19 wazuh-modulesd:vulnerability-detector[4489] wm_vuln_detector.c:8442 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.

The alert generated by the above vulnerability:

{
    "timestamp": "2023-03-07T11:39:14.963-0300",
    "rule": {
        "level": 13,
        "description": "CVE-2022-47629 affects libksba",
        "id": "23506",
        "firedtimes": 37,
        "mail": true,
        "groups": [
            "vulnerability-detector"
        ],
        "gdpr": [
            "IV_35.7.d"
        ],
        "pci_dss": [
            "11.2.1",
            "11.2.3"
        ],
        "tsc": [
            "CC7.1",
            "CC7.2"
        ]
    },
    "agent": {
        "id": "001",
        "name": "alma9_test",
        "ip": "192.168.0.177"
    },
    "manager": {
        "name": "localhost.localdomain"
    },
    "id": "1678199954.1503886",
    "decoder": {
        "name": "json"
    },
    "data": {
        "vulnerability": {
            "package": {
                "name": "libksba",
                "version": "1.5.1-4.el9",
                "architecture": "x86_64",
                "condition": "Package less than 1.5.1-6.el9_1"
            },
            "cvss": {
                "cvss3": {
                    "vector": {
                        "attack_vector": "network",
                        "access_complexity": "low",
                        "privileges_required": "none",
                        "user_interaction": "none",
                        "scope": "unchanged",
                        "confidentiality_impact": "high",
                        "integrity_impact": "high",
                        "availability": "high"
                    },
                    "base_score": "9.800000"
                }
            },
            "cve": "CVE-2022-47629",
            "title": "CVE-2022-47629 affects libksba",
            "rationale": "Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.",
            "severity": "Critical",
            "published": "2022-12-20",
            "updated": "2023-01-03",
            "cwe_reference": "CWE-190",
            "status": "Active",
            "type": "PACKAGE",
            "references": [
                "https://dev.gnupg.org/T6284",
                "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f61a5ea4e0f6a80fd4b28ef0174bee77793cf070",
                "https://www.debian.org/security/2022/dsa-5305",
                "https://lists.debian.org/debian-lts-announce/2022/12/msg00035.html",
                "https://security.gentoo.org/glsa/202212-07",
                "https://nvd.nist.gov/vuln/detail/CVE-2022-47629",
                "https://access.redhat.com/security/cve/CVE-2022-47629"
            ],
            "assigner": "cve@mitre.org",
            "cve_version": "4.0"
        }
    },
    "location": "vulnerability-detector"
}
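The description above says the new functions parse the AlmaLinux OVAL feed, store package/version conditions, and report a package as vulnerable when its installed version is below the fixed one (the `Package less than ...` conditions in the logs and in the alert). The following is an added example, not Wazuh's code: it parses a constructed OVAL fragment laid out like the ALSA feeds (the `oval:example:*` ids and `ALSA-EXAMPLE` titles are placeholders; the CVEs, package names and versions are the ones shown on this page), then evaluates it against a constructed inventory using RPM's epoch/version/release ordering, which is the part of such a scanner that most often produces false negatives when done with a plain string comparison. Treating a feed condition that carries no release as a version-only comparison is an assumption of this example.

```python
"""Parse an ALSA-style OVAL fragment and evaluate it against an RPM inventory.
Added example (not Wazuh's implementation); sample data is constructed."""
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "linux": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

# Constructed sample: placeholder ids/titles, page CVEs and versions.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <definitions>
  <definition id="oval:example:def:1" class="patch">
   <metadata><title>ALSA-EXAMPLE-1: rpm security update</title>
    <reference source="CVE" ref_id="CVE-2021-35938"/>
    <reference source="CVE" ref_id="CVE-2021-35939"/>
    <advisory><severity>Moderate</severity></advisory></metadata>
   <criteria operator="OR"><criterion test_ref="oval:example:tst:1" comment="rpm is earlier than 0:4.18.0-1.el9"/></criteria>
  </definition>
  <definition id="oval:example:def:2" class="patch">
   <metadata><title>ALSA-EXAMPLE-2: libksba security update</title>
    <reference source="CVE" ref_id="CVE-2022-47629"/>
    <advisory><severity>Critical</severity></advisory></metadata>
   <criteria operator="OR"><criterion test_ref="oval:example:tst:2" comment="libksba is earlier than 0:1.5.1-6.el9_1"/></criteria>
  </definition>
 </definitions>
 <tests>
  <linux-def:rpminfo_test id="oval:example:tst:1" check="at least one" comment="rpm">
   <linux-def:object object_ref="oval:example:obj:1"/><linux-def:state state_ref="oval:example:ste:1"/></linux-def:rpminfo_test>
  <linux-def:rpminfo_test id="oval:example:tst:2" check="at least one" comment="libksba">
   <linux-def:object object_ref="oval:example:obj:2"/><linux-def:state state_ref="oval:example:ste:2"/></linux-def:rpminfo_test>
 </tests>
 <objects>
  <linux-def:rpminfo_object id="oval:example:obj:1"><linux-def:name>rpm</linux-def:name></linux-def:rpminfo_object>
  <linux-def:rpminfo_object id="oval:example:obj:2"><linux-def:name>libksba</linux-def:name></linux-def:rpminfo_object>
 </objects>
 <states>
  <linux-def:rpminfo_state id="oval:example:ste:1"><linux-def:evr datatype="evr_string" operation="less than">0:4.18.0-1.el9</linux-def:evr></linux-def:rpminfo_state>
  <linux-def:rpminfo_state id="oval:example:ste:2"><linux-def:evr datatype="evr_string" operation="less than">0:1.5.1-6.el9_1</linux-def:evr></linux-def:rpminfo_state>
 </states>
</oval_definitions>"""

# Constructed inventory: rpm and libksba as in the PR's logs/alert, bash as a non-matching entry.
INVENTORY = {"rpm": "4.16.1.3-12.el9_0", "libksba": "1.5.1-4.el9", "bash": "5.1.8-6.el9"}


def rpmvercmp(a: str, b: str) -> int:
    """RPM's segment-wise version ordering (tilde handled, caret omitted); returns -1/0/1."""
    for x, y in zip_longest(re.findall(r"[0-9]+|[A-Za-z]+|~", a),
                            re.findall(r"[0-9]+|[A-Za-z]+|~", b)):
        if x == y:
            continue
        if x == "~" or (x is None and y != "~"):
            return -1                      # tilde, or running out of segments, sorts older
        if y == "~" or y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers: 10 > 9
            if x == y:
                continue
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        return 1 if x > y else -1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release'; epoch defaults to 0, missing release to ''."""
    m = re.fullmatch(r"(?:(\d+):)?([^-]+)(?:-(.+))?", evr)
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c or not (ra and rb):   # assumption: a side without a release compares on version only
        return c
    return rpmvercmp(ra, rb)


def parse_oval(xml_text: str):
    """Return (cve, package, operation, evr) rows, the shape a feed loader would insert."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): (t.find("linux:object", NS).get("object_ref"),
                           t.find("linux:state", NS).get("state_ref"))
             for t in root.iterfind("oval:tests/linux:rpminfo_test", NS)}
    objects = {o.get("id"): o.findtext("linux:name", namespaces=NS)
               for o in root.iterfind("oval:objects/linux:rpminfo_object", NS)}
    states = {}
    for s in root.iterfind("oval:states/linux:rpminfo_state", NS):
        evr = s.find("linux:evr", NS)
        states[s.get("id")] = (evr.get("operation"), evr.text)
    rows = []
    for d in root.iterfind("oval:definitions/oval:definition", NS):
        cves = [r.get("ref_id") for r in d.iterfind("oval:metadata/oval:reference", NS)
                if r.get("source") == "CVE"]
        for c in d.iterfind(".//oval:criterion", NS):   # criteria may be nested
            obj_ref, ste_ref = tests[c.get("test_ref")]
            op, evr = states[ste_ref]
            rows.extend((cve, objects[obj_ref], op, evr) for cve in cves)
    return rows


def scan(rows, inventory):
    """Report (cve, package, installed, condition) for installed packages below the fix."""
    findings = []
    for cve, pkg, op, evr in rows:
        installed = inventory.get(pkg)
        if installed is None or op != "less than":   # only 'less than' states are modelled
            continue
        if evr_cmp(installed, evr) < 0:
            findings.append((cve, pkg, installed, f"Package less than {evr}"))
    return findings


if __name__ == "__main__":
    for finding in scan(parse_oval(SAMPLE_OVAL), INVENTORY):
        print(finding)
```

Running it lists the three CVEs from the page against `rpm` and `libksba`; replacing the libksba entry with the fixed `1.5.1-6.el9_1` produces no finding for it, because the comparison is done on release segments rather than on the raw string.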

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
==4489== LEAK SUMMARY:
==4489==    definitely lost: 0 bytes in 0 blocks
==4489==    indirectly lost: 0 bytes in 0 blocks
==4489==      possibly lost: 4,368 bytes in 14 blocks
==4489==    still reachable: 397,409 bytes in 4,248 blocks
==4489==         suppressed: 0 bytes in 0 blocks
  • Dr. Memory
  • AddressSanitizer
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Added unit tests (for new features)
  • Stress test for affected components

@Leoquicenoz mentioned this pull request Aug 2, 2023: Generate OS and Kernel packages for AlmaLinux to match NVD vulnerabilities
@pereyra-m self-requested a review August 3, 2023 18:41

@pereyra-m (Member) left a comment


LGTM!

@Leoquicenoz mentioned this pull request Aug 9, 2023
@Dwordcito Dwordcito merged commit f43b5ce into 4.6.0 Aug 10, 2023
59 checks passed
@Dwordcito Dwordcito deleted the 10774-alma-support branch August 10, 2023 00:52
@Leoquicenoz mentioned this pull request Aug 16, 2023
@MarcelKemp mentioned this pull request Aug 23, 2023
@Leoquicenoz mentioned this pull request Aug 30, 2023
@MarcelKemp mentioned this pull request Sep 20, 2023
@Leoquicenoz mentioned this pull request Sep 27, 2023
@MarcelKemp mentioned this pull request Oct 4, 2023
@Leoquicenoz mentioned this pull request Oct 11, 2023
@MarcelKemp mentioned this pull request Oct 18, 2023
@MarcelKemp mentioned this pull request Oct 25, 2023
@MarcelKemp mentioned this pull request Nov 2, 2023
Development

Successfully merging this pull request may close these issues: Add support for AlmaLinux OS in Vulnerability Detector

5 participants