This post started with a question from my manager: can Wazuh monitor vulnerabilities in our PostgreSQL (PG) databases? To answer it I built a test environment matching our real setup and ran the check both ways.
The conclusion: yes, but in practice no.

Using the operating system's official package repository

  1. Install the database

    yum makecache
    # the version shipped with the OS is 10
    yum install -y postgresql postgresql-server
  2. Start the database

    # start the service
    postgresql-setup initdb
    systemctl enable postgresql.service --now
  3. Run vulnerability detection

    (image: postgresql)

Using the database vendor's official package repository (PGDG)

  1. Install the database
    # install the official PG (PGDG) repository
    yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
    # refresh the metadata; this takes a while, and you must decide which PG version to add. We use version 12 as the example
    yum makecache
    # install the database
    yum install -y postgresql12 postgresql12-server
  2. Start the database
    # create the data directory
    mkdir -p /var/lib/pgsql/12/data/
    chown postgres:postgres /var/lib/pgsql/12/ -R

    # start the service
    postgresql-12-setup initdb
    systemctl enable postgresql-12.service --now
  3. Run vulnerability detection

Where the problem lies

Wazuh matches on package names (or KB numbers on Windows). On RPM-based distributions that means reading the installed package list from the rpm database (rpminfo) and comparing those names against the names in the vulnerability feed.
Take postgresql as the example:

  1. Red Hat's official vulnerability database (OVAL)

    # Red Hat's official OVAL feed does contain vulnerabilities for postgresql 12
    <criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
    <criterion comment="postgresql-plperl is installed" test_ref="oval:com.redhat.cve:tst:202120229001"/>
    <criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229002"/>
    <criterion comment="postgresql-server-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229007"/>
    <criterion comment="postgresql-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229008"/>
    <criterion comment="postgresql-plpython3 is installed" test_ref="oval:com.redhat.cve:tst:202120229009"/>
    <criterion comment="postgresql-plpython3 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229010"/>
    <criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
    <criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229012"/>
    <criterion comment="postgresql-static is installed" test_ref="oval:com.redhat.cve:tst:202120229013"/>
    <criterion comment="postgresql-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229014"/>
    <criterion comment="postgresql-upgrade is installed" test_ref="oval:com.redhat.cve:tst:202120229015"/>
    <criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229016"/>
    <criterion comment="postgresql-docs is installed" test_ref="oval:com.redhat.cve:tst:202120229017"/>
    <criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229018"/>
    <criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
    <criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229020"/>
    <criterion comment="postgresql-pltcl is installed" test_ref="oval:com.redhat.cve:tst:202120229023"/>
    <criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229024"/>
    <criterion comment="postgresql-test-rpm-macros is installed" test_ref="oval:com.redhat.cve:tst:202120229025"/>
    <criterion comment="postgresql-test-rpm-macros is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229026"/>
    <criterion comment="postgresql-debugsource is installed" test_ref="oval:com.redhat.cve:tst:202120229029"/>
    <criterion comment="postgresql-debugsource is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229030"/>
    <criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
    <criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229032"/>
    <criterion comment="postgresql-upgrade-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229033"/>
    <criterion comment="postgresql-upgrade-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229034"/>

    (image: vuln)

  2. Names of the official PG (PGDG) packages

    [sujx@postgresql ~]$ rpm -qa |grep postgresql
    postgresql12-12.7-2PGDG.rhel8.x86_64
    postgresql12-libs-12.7-2PGDG.rhel8.x86_64
    postgresql12-server-12.7-2PGDG.rhel8.x86_64

Conclusion

postgresql12 ≠ postgresql. With Red Hat's OVAL file, Wazuh can find vulnerabilities in the postgresql packages that Red Hat itself builds, but not in anything else, such as the PGDG postgresql12 packages installed above.
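To make the name-matching gap concrete, here is an added example of my own (not Wazuh's code and not how Wazuh is implemented internally): it pulls the package names out of OVAL "is installed" criteria, extracts the package name from rpm NVRA strings such as those returned by rpm -qa, and intersects the two sets. The OVAL lines are a constructed subset in the shape of the Red Hat excerpt above, the PGDG package list is the one shown above, and the OS-repository package list is a constructed sample with a placeholder version. Real vulnerability detection also compares versions, which this model deliberately leaves out because the name step already fails for the PGDG packages.

```python
import re
from typing import Dict, List, Set

# Constructed sample of <criterion> lines in the shape of the Red Hat OVAL
# excerpt above (test_ref ids copied from that excerpt).
OVAL_CRITERIA = """
<criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
<criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
<criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
<criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
"""

# Constructed `rpm -qa` output for the OS-repository install (version/release
# are placeholders, only the package names matter here).
RPM_QA_OS_REPO = """\
postgresql-10.0-0.el8.x86_64
postgresql-server-10.0-0.el8.x86_64
"""

# `rpm -qa` output for the PGDG install, as shown above.
RPM_QA_PGDG = """\
postgresql12-12.7-2PGDG.rhel8.x86_64
postgresql12-libs-12.7-2PGDG.rhel8.x86_64
postgresql12-server-12.7-2PGDG.rhel8.x86_64
"""

# Only "<name> is installed" criteria name a package; module/signature
# criteria are ignored.
CRITERION_RE = re.compile(r'comment="(?P<pkg>\S+) is installed"')


def oval_package_names(oval_text: str) -> Set[str]:
    """Package names referenced by the 'is installed' criteria of an OVAL definition."""
    return {m.group("pkg") for m in CRITERION_RE.finditer(oval_text)}


def rpm_name(nvra: str) -> str:
    """Extract the package name from an rpm NVRA string (name-version-release.arch).

    The name itself may contain '-', so strip the arch suffix first and then
    split off the last two '-'-separated fields (version and release).
    """
    base = nvra.rsplit(".", 1)[0]      # drop ".x86_64"
    return base.rsplit("-", 2)[0]      # drop "-<version>-<release>"


def installed_names(rpm_qa_output: str) -> Set[str]:
    """Package names from `rpm -qa` style output, one NVRA per line."""
    return {rpm_name(line.strip()) for line in rpm_qa_output.splitlines() if line.strip()}


def match(oval_text: str, rpm_qa_output: str) -> Dict[str, List[str]]:
    """Name-only comparison: which installed packages the OVAL definition can see,
    and which installed packages no criterion refers to at all."""
    wanted = oval_package_names(oval_text)
    have = installed_names(rpm_qa_output)
    return {
        "matched": sorted(wanted & have),
        "unmatched_installed": sorted(have - wanted),
    }


if __name__ == "__main__":
    for label, qa in (("OS repo", RPM_QA_OS_REPO), ("PGDG repo", RPM_QA_PGDG)):
        result = match(OVAL_CRITERIA, qa)
        print(f"{label}: matched={result['matched']} "
              f"invisible to the feed={result['unmatched_installed']}")
```

Running it shows the OS-repository install matching on postgresql and postgresql-server, while none of the three PGDG packages match any criterion, which is exactly the "yes, but no" outcome above: the feed has the vulnerability, the host has the software, but the names never line up.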