
Set the default RHEL 5 feed URL to feed.wazuh.com #18142

Merged (2 commits, Jul 31, 2023)

Conversation

vikman90 (Member) commented Jul 28, 2023

Related issue
Closes #17732

Since yesterday, the RHEL 5 (v1) feed URL has been failing with a 404 error:

https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL5.xml.bz2

However, the archive file has a different format:

https://access.redhat.com/security/data/archive/oval_v1_20230706.tar.gz

In response to this, we have decided to upload a mirror of com.redhat.rhsa-RHEL5.xml.bz2 to our feed:

https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2

So, this PR aims to update the default URL to the mirror.

In other words, this configuration on version 4.5.1 and later:

<ossec_config>
  <vulnerability-detector>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
    </provider>
  </vulnerability-detector>
</ossec_config>

behaves the same as this one on 4.5.0 and earlier:

<ossec_config>
  <vulnerability-detector>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os url="https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2">5</os>
    </provider>
  </vulnerability-detector>
</ossec_config>

Logs

Settings

<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>
</ossec_config>

Before this change

2023/07/28 12:24:04 wazuh-modulesd[83050] url.c:152 at wurl_get(): DEBUG: CURL ERROR: The requested URL returned error: 404 Not Found

After this change

2023/07/28 12:25:26 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:5233 at wm_vuldet_check_feed(): INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2023/07/28 12:25:26 wazuh-modulesd:download[83870] wm_download.c:231 at wm_download_dispatch(): DEBUG: Downloading 'https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2' to 'tmp/req-1296681585'
2023/07/28 12:25:26 wazuh-modulesd:download[83870] wm_download.c:251 at wm_download_dispatch(): DEBUG: Download of 'https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2' finished.
2023/07/28 12:25:26 wazuh-modulesd[83870] url.c:424 at wurl_request_uncompress_bz2_gz(): DEBUG: File from URL 'https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2' was successfully uncompressed into 'tmp/vuln-temp'
2023/07/28 12:25:26 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:4970 at wm_vuldet_fetch_oval(): DEBUG: (5407): The feed 'Red Hat Enterprise Linux 5' is outdated. Fetching the last version.
2023/07/28 12:25:26 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:4747 at wm_vuldet_oval_process(): DEBUG: (5411): Starting preparse step of feed 'RHEL5'
2023/07/28 12:25:26 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:4752 at wm_vuldet_oval_process(): DEBUG: (5412): Starting parse step of feed 'RHEL5'
2023/07/28 12:25:27 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:4894 at wm_vuldet_index_feed(): DEBUG: (5414): Refreshing 'Red Hat Enterprise Linux 5' databases.
2023/07/28 12:25:27 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:3273 at wm_vuldet_insert(): DEBUG: (5415): Inserting vulnerabilities.
2023/07/28 12:25:27 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:3343 at wm_vuldet_insert(): DEBUG: (5419): Inserting Red Hat Enterprise Linux 5 vulnerabilities section.
2023/07/28 12:25:27 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:3444 at wm_vuldet_insert(): DEBUG: (5422): Inserting 'Red Hat Enterprise Linux 5' vulnerabilities references.
2023/07/28 12:25:28 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:3497 at wm_vuldet_insert(): DEBUG: (5423): Inserting 'Red Hat Enterprise Linux 5' vulnerabilities conditions.
2023/07/28 12:25:28 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:3571 at wm_vuldet_insert(): DEBUG: (5424): Inserting 'Red Hat Enterprise Linux 5' vulnerabilities package names.
2023/07/28 12:25:28 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:4900 at wm_vuldet_index_feed(): DEBUG: (5427): Refresh of 'Red Hat Enterprise Linux 5' database finished.
2023/07/28 12:25:28 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:4911 at wm_vuldet_index_feed(): DEBUG: remove(tmp/vuln-temp.bz2): No such file or directory
2023/07/28 12:25:28 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:5256 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully.

Affected components

  • wazuh-modulesd / Vulnerability Detector.
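An added feed-health check, written for this page and not part of the PR or of Wazuh's own code: it parses wazuh-modulesd log lines in the layout quoted above and reports, per feed, whether the last update finished and which URL served it, so an operator can confirm the mirror is actually in use after upgrading. The first BEFORE line is a constructed 5400 entry assumed to precede the quoted 404 (the page shows only the 404 line); MIRROR_URL is the new default from the PR.

```python
import re

# Field layout of the wazuh-modulesd log lines quoted in this PR.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) wazuh-modulesd(?::(?P<sub>[\w-]+))?\[(?P<pid>\d+)\] "
    r"(?P<src>[\w.]+:\d+) at (?P<func>\w+)\(\): "
    r"(?P<level>[A-Z]+): (?:\((?P<code>\d+)\): )?(?P<msg>.*)$"
)
QUOTED = re.compile(r"'([^']+)'")  # first 'quoted' token: feed name or URL

def parse_line(line):
    """Split one log line into named fields; None if the layout does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def feed_health(lines):
    """Return {feed: (status, url)}, status in ok | failed | pending. Code 5400
    opens a feed update and 5430 closes it; a CURL ERROR from wurl_get() names
    no feed, so it is charged to the feed opened last. URL comes from 'Downloading'."""
    state, current = {}, None
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["code"] == "5400":
            current = QUOTED.search(e["msg"]).group(1)
            state[current] = ["pending", None]
        elif current and e["func"] == "wm_download_dispatch" and e["msg"].startswith("Downloading"):
            state[current][1] = QUOTED.search(e["msg"]).group(1)
        elif current and e["msg"].startswith("CURL ERROR"):
            state[current][0] = "failed"
        elif e["code"] == "5430":
            state.setdefault(QUOTED.search(e["msg"]).group(1), ["pending", None])[0] = "ok"
    return {k: tuple(v) for k, v in state.items()}

# Constructed samples built from the PR's excerpts. BEFORE_LOG[0] is assumed
# (not on the page) so that the quoted 404 has a feed to be charged to.
BEFORE_LOG = [
    "2023/07/28 12:24:04 wazuh-modulesd:vulnerability-detector[83050] wm_vuln_detector.c:5233 at wm_vuldet_check_feed(): INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.",
    "2023/07/28 12:24:04 wazuh-modulesd[83050] url.c:152 at wurl_get(): DEBUG: CURL ERROR: The requested URL returned error: 404 Not Found",
]
AFTER_LOG = [
    "2023/07/28 12:25:26 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:5233 at wm_vuldet_check_feed(): INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.",
    "2023/07/28 12:25:26 wazuh-modulesd:download[83870] wm_download.c:231 at wm_download_dispatch(): DEBUG: Downloading 'https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2' to 'tmp/req-1296681585'",
    "2023/07/28 12:25:28 wazuh-modulesd:vulnerability-detector[83870] wm_vuln_detector.c:5256 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully.",
]

MIRROR_URL = "https://feed.wazuh.com/vulnerability-detector/RHEL/5/com.redhat.rhsa-RHEL5_v1.xml.bz2"
```

Comparing the URL in the result against MIRROR_URL distinguishes a manager that still resolves `<os>5</os>` to the retired Red Hat path from one running the new default.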

mateocervilla (Contributor) left a comment (marked as outdated):

LGTM.


Successfully merging this pull request may close these issues.

Red Hat OVAL and Data Stream (DS) v1 deprecation announcement
2 participants