Vulnerability scan shows no vulnerabilities in openSUSE Leap

[ricardoklein]

I am new to Wazuh, testing it to monitor security on openSUSE Leap 15.5.
The server is running on Debian 12, which despite not listed as supported, works like a charm (maybe because of the fact it is compatible with ubuntu).

I was able to enable the vulnerability scan for openSUSE Leap by adding <os allow="openSUSE Leap-15">15-server</os> to the default block for SUSE in the vulnerability scan configuration at the /var/etc/ossec.conf file on my wazuh server:

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <os allow="openSUSE Leap-15">15-server</os>
      <update_interval>1h</update_interval>
    </provider>

While I can see the vulnerability scans are happening, no vulnerabilities are reported in Wazuh:

And, the machine has some vulnerabilities, like for example:

zypper list-patches --category security | grep 876
Update repository with updates from SUSE Linux Enterprise 15 | openSUSE-SLE-15.5-2024-876 | security | important | ---         | needed | -     | Security update for sudo

Which is connected to suse-su-20240876-1 and CVE-2023-42465.

I am not opening a bug report or issue yet, because I suspect I did something wrong in the setup and want to be sure it is not my fault before opening an issue. Both the agent and server are running v4.7.3

[MiguelazoDS]

Hi @ricardoklein,

OpenSUSE is not officially supported that's why it is expected to have some false negatives and positives, as far as I can see the scan is working but for this case, the vulnerability for sudo is reported as "resolved" according to SUSE feed https://www.suse.com/security/cve/CVE-2023-42465.html. Debian 12 is officially supported since 4.6.0, we do not need to use "allow os".

[ricardoklein]

Hi @MiguelazoDS ,

thanks for replying.
Yes, on Debian the situation is "ok", as I saw that it is supported already.

For openSUSE, well, I understand that the issue has a solution from the provider, I can apply the fix, but I haven't on purpose to keep the vulnerability there, and see if Wazuh was going to complain about it.
From the link you posted, it says that on openSUSE Leap 15.5 the issue is solved on sudo >= 1.9.12p1-150500.7.10.1 while I have here still sudo-1.9.12p1-150500.7.7.1.x86_64:

localhost:~ # rpm -qa | grep sudo
sudo-1.9.12p1-150500.7.7.1.x86_64
sudo-plugin-python-1.9.12p1-150500.7.7.1.x86_64

If you take only the package version, you will see also that they are the same for SUSE Linux Enterprise Server 15 SP5 and openSUSE Leap 15.5. This should make it "easy to support" as the detection methods are exactly the same between both openSUSE Leap and SUSE Enterprise 15 SP5, which is already supported by Wazuh.

Do you (or anyone reading this thread) know if this is not supported because of a technical reason or some decision made by the project owners?
Because I can offer my help testing this, and I know some folks from the openSUSE community whom I can ask some questions if anything is needed.

ps.: I am still not discarding the possibility I did some mistake in the config, if what I described in the first post is wrong for openSUSE Leap 15, I did my best following the available documentation I found. If there is any other way to set this up, please let me know.

[MiguelazoDS]

Hi @ricardoklein,

The main reason it was added native support only for Suse is that the feeds listed here https://www.suse.com/support/security/oval/ are only available for that OS, OpenSUSE seems to not have its own OVAL where we can correlate the CVEs with the installed packages. Maybe we have some source now to get those CVEs for opensuse.

I don't see there's something wrong with your config. and I think you're right about this

From the link you posted, it says that on openSUSE Leap 15.5 the issue is solved on sudo >= 1.9.12p1-150500.7.10.1 while I have here still sudo-1.9.12p1-150500.7.7.1.x86_64.

I would be nice if you can get some logs during the scan for that CVE (or any other similar) to check what the scan is considering during the correlation.

To enable debug logs

echo "wazuh_modules.debug=2" >> /var/ossec/etc/local_internal_options.conf

and restart the manager after that.

In the meantime I'll be doing some tests too.

[MiguelazoDS]

Well the configuration is correct

2024/04/04 18:37:55 wazuh-modulesd[135921] wmodules-vuln-detector.c:1009 at wm_vuldet_add_allow_os(): DEBUG: 'openSUSE Leap-15' successfully added to the monitored OS list.

But there's something beyond weird with the OVAL or the correlation

2024/04/04 18:42:32 wazuh-modulesd:vulnerability-detector[136959] wm_vuln_detector.c:2508 at wm_vuldet_linux_oval_vulnerabilities(): DEBUG: (5590): No vulnerabilities could
 be found in the OVAL for agent '001'

That's why we do not see vulnerabilities

Also, I have to mention, that the vulnerability detector will suffer a full refactor soon (#14153), and probably we won't be adding new patches to the legacy scanner, but let me keep looking at this.

[ricardoklein]

Hi @MiguelazoDS ,

Thanks for taking a look into it. So, my assumption was "correct" when I expected that since the package names/versions were the same, it should be working, right?
As I said, I am no developer, but if you need help testing it, just let me know what to do and I am here for it.

[MiguelazoDS]

Hi @ricardoklein,

After discussing this with the team, we found that it is not compatible. The scan discards all vulnerabilities during a preliminary scan to determine if the OS is affected by the scanned packages since it does not detect information for SLED15 (or SLES15)
It seems that openSUSE and SUSE enterprise are less related than I thought.
Sorry for the inconvenience and the delay. We are also working in the new vulnerability scan for OpenSUSE because is a tricky case.

[ricardoklein]

@MiguelazoDS ,

No problem at all, I can understand that it is challenging, specially after reading the info about the vulnerability scanner you provided earlier. I hope it is less work than initially predicted.

Again, if you need help from the openSUSE community, I may be able to ping some people and find the answers you need, just let me know and I will help with all I can.

I think you can close this ticket here, or, add it as another sub-task for the vulnerability scanner refactor.

Thanks again for all the time you invested on this.

[MiguelazoDS]

Thanks for your time also, and for contacting us!