Detecting PostgreSQL vulnerabilities with Wazuh
This article grew out of a one-line question from my manager: can Wazuh monitor vulnerabilities in our PG databases? I then reproduced the real environment in a lab and tested it.
The conclusion: it can, and yet it can't.
Using the OS's official package repository
Install the database
```bash
yum makecache
# the distro-supplied version is 10
yum install -y postgresql postgresql-server
```
Start the database
```bash
# initialise the cluster and start the service
postgresql-setup initdb
systemctl enable postgresql.service --now
```
Run the vulnerability detection
Using the database project's official package repository
- Install the database
```bash
# install the PGDG repository definition
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
# refresh the metadata (this takes a while); decide which PG version to add, we use 12 here
yum makecache
# install the database
yum install -y postgresql12 postgresql12-server
```
- Start the database
```bash
# create the data directory
mkdir -p /var/lib/pgsql/12/data/
chown postgres:postgres /var/lib/pgsql/12/ -R
# initialise the cluster and start the service
postgresql-12-setup initdb
systemctl enable postgresql-12.service --now
```
- Run the vulnerability detection
Where the problem lies
Wazuh matches on package names (or, on Windows, KB numbers). For RPM-family distributions the comparison is made against the rpminfo data of the vendor OVAL feed, i.e. the rpminfo_test/rpminfo_object entries, which are keyed on the exact rpm package name.
Take postgresql as the example.
Red Hat's official vulnerability feed
```xml
<!-- Red Hat's official OVAL feed does contain definitions for postgresql 12 (the RHEL 8 postgresql:12 module) -->
<criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
<criterion comment="postgresql-plperl is installed" test_ref="oval:com.redhat.cve:tst:202120229001"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229002"/>
<criterion comment="postgresql-server-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229007"/>
<criterion comment="postgresql-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229008"/>
<criterion comment="postgresql-plpython3 is installed" test_ref="oval:com.redhat.cve:tst:202120229009"/>
<criterion comment="postgresql-plpython3 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229010"/>
<criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229012"/>
<criterion comment="postgresql-static is installed" test_ref="oval:com.redhat.cve:tst:202120229013"/>
<criterion comment="postgresql-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229014"/>
<criterion comment="postgresql-upgrade is installed" test_ref="oval:com.redhat.cve:tst:202120229015"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229016"/>
<criterion comment="postgresql-docs is installed" test_ref="oval:com.redhat.cve:tst:202120229017"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229018"/>
<criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229020"/>
<criterion comment="postgresql-pltcl is installed" test_ref="oval:com.redhat.cve:tst:202120229023"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229024"/>
<criterion comment="postgresql-test-rpm-macros is installed" test_ref="oval:com.redhat.cve:tst:202120229025"/>
<criterion comment="postgresql-test-rpm-macros is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229026"/>
<criterion comment="postgresql-debugsource is installed" test_ref="oval:com.redhat.cve:tst:202120229029"/>
<criterion comment="postgresql-debugsource is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229030"/>
<criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229032"/>
<criterion comment="postgresql-upgrade-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229033"/>
<criterion comment="postgresql-upgrade-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229034"/>
```
Package names from the PGDG repository
```bash
[sujx@postgresql ~]$ rpm -qa |grep postgresql
postgresql12-12.7-2PGDG.rhel8.x86_64
postgresql12-libs-12.7-2PGDG.rhel8.x86_64
postgresql12-server-12.7-2PGDG.rhel8.x86_64
```
Conclusion
postgresql12 ≠ postgresql. With Red Hat's OVAL file, Wazuh can therefore report vulnerabilities in the postgresql packages Red Hat itself builds (the postgresql:12 module), but not in the PGDG packages, whose rpm names carry the major version. Note that even a name match would not be enough: every "is installed" criterion above is paired with an "is signed with Red Hat redhatrelease2 key" criterion, and PGDG rpms are signed with the PGDG key, not Red Hat's.
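To make the name-matching step concrete, here is an added example (not Wazuh's code and not from the original article) that walks a trimmed OVAL fragment the way an rpminfo evaluation does: definition → criterion → rpminfo_test → rpminfo_object name, then intersects those names with the names parsed out of an `rpm -qa` listing. The OVAL fragment is constructed and has the namespaces and EVR states dropped so the name step stays visible; the PGDG listing is the one shown above, the distro-repo listing and its version string are constructed for comparison.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed fragment shaped like Red Hat's OVAL feed. Namespaces and the
# version (rpminfo_state / evr) checks are dropped so the name-matching step stays visible.
OVAL_FRAGMENT = """\
<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <criteria operator="OR">
        <criterion comment="postgresql-server is installed" test_ref="oval:example:tst:1"/>
        <criterion comment="postgresql is installed" test_ref="oval:example:tst:2"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <rpminfo_test id="oval:example:tst:1" check="at least one">
      <object object_ref="oval:example:obj:1"/>
    </rpminfo_test>
    <rpminfo_test id="oval:example:tst:2" check="at least one">
      <object object_ref="oval:example:obj:2"/>
    </rpminfo_test>
  </tests>
  <objects>
    <rpminfo_object id="oval:example:obj:1"><name>postgresql-server</name></rpminfo_object>
    <rpminfo_object id="oval:example:obj:2"><name>postgresql</name></rpminfo_object>
  </objects>
</oval_definitions>
"""

# `rpm -qa | grep postgresql` output for the PGDG install, as shown in the article.
PGDG_RPM_QA = [
    "postgresql12-12.7-2PGDG.rhel8.x86_64",
    "postgresql12-libs-12.7-2PGDG.rhel8.x86_64",
    "postgresql12-server-12.7-2PGDG.rhel8.x86_64",
]

# Constructed listing for the distro-repo install; the version/release string is illustrative.
DISTRO_RPM_QA = [
    "postgresql-10.17-1.el8.x86_64",
    "postgresql-server-10.17-1.el8.x86_64",
]


def parse_nevra(line):
    """Split an `rpm -qa` line (N-V-R.A) into (name, version, release, arch).

    Both name and release may contain '-' and '.', so split from the right:
    the last two '-' separate version and release, the last '.' separates arch."""
    name, version, release_arch = line.rsplit("-", 2)
    release, arch = release_arch.rsplit(".", 1)
    return name, version, release, arch


def oval_test_names(root):
    """Map each rpminfo_test id to the rpm name its rpminfo_object asks for."""
    objects = {obj.get("id"): obj.findtext("name") for obj in root.iter("rpminfo_object")}
    return {
        test.get("id"): objects[test.find("object").get("object_ref")]
        for test in root.iter("rpminfo_test")
    }


def affected_packages(oval_xml, rpm_qa_lines):
    """Return {definition id: sorted installed names that some criterion names}.

    Only the name step is modelled: a real OVAL evaluation also compares the
    installed EVR against the rpminfo_state and checks the signing key."""
    root = ET.fromstring(oval_xml)
    test_names = oval_test_names(root)
    installed = {parse_nevra(line)[0] for line in rpm_qa_lines}
    hits = {}
    for definition in root.iter("definition"):
        wanted = {test_names[c.get("test_ref")] for c in definition.iter("criterion")}
        matched = sorted(wanted & installed)
        if matched:
            hits[definition.get("id")] = matched
    return hits


if __name__ == "__main__":
    for label, listing in (("PGDG repo", PGDG_RPM_QA), ("distro repo", DISTRO_RPM_QA)):
        print(f"{label}: installed names {sorted(parse_nevra(l)[0] for l in listing)}")
        print(f"  OVAL hits: {affected_packages(OVAL_FRAGMENT, listing)}")
```

Running it shows the PGDG listing producing no hits at all, because `postgresql12-server` is never equal to `postgresql-server`, while the distro listing matches both criteria. Version comparison never even gets a chance to run for the PGDG packages.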
All articles on this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.