Detecting PostgreSQL vulnerabilities with Wazuh
This article started with a question from my manager: can Wazuh monitor a PostgreSQL database for vulnerabilities? I then built a test environment that mirrors our production setup and tried it out.
The conclusion: yes, and yet no.
Using the operating system's official repository
Install the database
```bash
yum makecache
# The version shipped with the OS is 10
yum install -y postgresql postgresql-server
```
Start the database
```bash
# Initialise the cluster and start the service
postgresql-setup initdb
systemctl enable postgresql.service --now
```
Run vulnerability detection
Using the PostgreSQL official repository
- Install the database
```bash
# Add the official PGDG repository
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
# Refresh the repository metadata (this takes a while); decide which PG version to add, here version 12
yum makecache
# Install the database
yum install -y postgresql12 postgresql12-server
```
- Start the database
```bash
# Create the data directory
mkdir -p /var/lib/pgsql/12/data/
chown postgres:postgres /var/lib/pgsql/12/ -R
# Initialise the cluster and start the service (the PGDG setup script lives under /usr/pgsql-12/bin, which is not on PATH)
/usr/pgsql-12/bin/postgresql-12-setup initdb
systemctl enable postgresql-12.service --now
```
- Run vulnerability detection
Where the problem lies
Wazuh matches on package names (or KB identifiers); on RPM-based distributions that means reading the rpm package database (rpminfo) and comparing its entries against the vulnerability feed.
Take postgresql as an example.
Red Hat's official vulnerability database
```xml
<!-- Red Hat's official OVAL feed does contain entries for postgresql 12 -->
<criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
<criterion comment="postgresql-plperl is installed" test_ref="oval:com.redhat.cve:tst:202120229001"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229002"/>
<criterion comment="postgresql-server-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229007"/>
<criterion comment="postgresql-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229008"/>
<criterion comment="postgresql-plpython3 is installed" test_ref="oval:com.redhat.cve:tst:202120229009"/>
<criterion comment="postgresql-plpython3 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229010"/>
<criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229012"/>
<criterion comment="postgresql-static is installed" test_ref="oval:com.redhat.cve:tst:202120229013"/>
<criterion comment="postgresql-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229014"/>
<criterion comment="postgresql-upgrade is installed" test_ref="oval:com.redhat.cve:tst:202120229015"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229016"/>
<criterion comment="postgresql-docs is installed" test_ref="oval:com.redhat.cve:tst:202120229017"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229018"/>
<criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229020"/>
<criterion comment="postgresql-pltcl is installed" test_ref="oval:com.redhat.cve:tst:202120229023"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229024"/>
<criterion comment="postgresql-test-rpm-macros is installed" test_ref="oval:com.redhat.cve:tst:202120229025"/>
<criterion comment="postgresql-test-rpm-macros is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229026"/>
<criterion comment="postgresql-debugsource is installed" test_ref="oval:com.redhat.cve:tst:202120229029"/>
<criterion comment="postgresql-debugsource is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229030"/>
<criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229032"/>
<criterion comment="postgresql-upgrade-devel is installed" test_ref="oval:com.redhat.cve:tst:202120229033"/>
<criterion comment="postgresql-upgrade-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202120229034"/>
```
Names of the official PGDG packages
```
[sujx@postgresql ~]$ rpm -qa |grep postgresql
postgresql12-12.7-2PGDG.rhel8.x86_64
postgresql12-libs-12.7-2PGDG.rhel8.x86_64
postgresql12-server-12.7-2PGDG.rhel8.x86_64
```
Conclusion
postgresql12 ≠ postgresql, so Wazuh with Red Hat's OVAL file can find vulnerabilities in the postgresql packages built by Red Hat, but not in any other build (the PGDG packages are simply invisible to the check).
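To make the name mismatch concrete, here is an added Python script (not from the original post and not Wazuh's own code) that replays the comparison: it pulls the package names out of the "... is installed" OVAL criteria and checks them against `rpm -qa` output. The OVAL excerpt is shortened from the one quoted above, the PGDG package list is the one shown above, and the distro-host package list is constructed with placeholder versions.

```python
import re
from xml.etree import ElementTree as ET

# Shortened excerpt of the Red Hat OVAL criteria quoted above (test_ref values
# are the ones on the page; most criteria omitted for brevity).
OVAL_CRITERIA = """<criteria>
  <criterion comment="Module postgresql:12 is enabled" test_ref="oval:com.redhat.cve:tst:202120229037"/>
  <criterion comment="postgresql is installed" test_ref="oval:com.redhat.cve:tst:202120229011"/>
  <criterion comment="postgresql-server is installed" test_ref="oval:com.redhat.cve:tst:202120229031"/>
  <criterion comment="postgresql-contrib is installed" test_ref="oval:com.redhat.cve:tst:202120229019"/>
</criteria>"""

# `rpm -qa | grep postgresql` on the PGDG host, copied from the page.
RPM_QA_PGDG = """postgresql12-12.7-2PGDG.rhel8.x86_64
postgresql12-libs-12.7-2PGDG.rhel8.x86_64
postgresql12-server-12.7-2PGDG.rhel8.x86_64"""

# Constructed output for a host running the distro's own postgresql packages
# (version/release strings are placeholders, not real builds).
RPM_QA_DISTRO = """postgresql-10.0-0.constructed.el8.x86_64
postgresql-server-10.0-0.constructed.el8.x86_64"""

INSTALLED_RE = re.compile(r"^(\S+) is installed$")

def oval_package_names(xml_text):
    """Package names an OVAL definition tests for via '<name> is installed'."""
    root = ET.fromstring(xml_text)
    names = set()
    for crit in root.iter("criterion"):
        m = INSTALLED_RE.match(crit.get("comment", ""))
        if m:
            names.add(m.group(1))
    return names

def rpm_name(nvra):
    """name-version-release.arch -> name; version and release never contain '-'."""
    return nvra.rsplit("-", 2)[0]

def match_installed(rpm_qa_output, oval_names):
    """Split installed packages into those the OVAL feed can match and those it cannot."""
    installed = [rpm_name(line) for line in rpm_qa_output.splitlines() if line.strip()]
    matched = sorted(n for n in installed if n in oval_names)
    unmatched = sorted(n for n in installed if n not in oval_names)
    return matched, unmatched

if __name__ == "__main__":
    names = oval_package_names(OVAL_CRITERIA)
    for label, output in (("distro", RPM_QA_DISTRO), ("PGDG", RPM_QA_PGDG)):
        print(label, match_installed(output, names))
```

The distro host's packages all land in the matched set, while every PGDG package ends up unmatched, which is exactly the gap the scan results above show.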
All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.