Scan vulnerabilities on unsupported systems

Many operating systems are derived from ones that Vulnerability Detector already supports, for example Linux Mint (from Ubuntu) and Oracle Linux (from Red Hat), so the vulnerability feeds of the parent distribution could be extended to them. However, these distributions are not scanned by default because there are no pre-defined feeds for them.

For these cases, Vulnerability Detector provides the allow option, with which you can declare which operating systems are to be treated as compatible with one of the configured feeds.

This guide explains how to force compatibility with an unsupported OS.

  1. Check the registered name of the agent's operating system.

The name the agent registered for its operating system may not match the one you expect, so check it first in one of the following ways:

    1. Using the Wazuh RESTful API

# curl -u foo:bar -k -X GET "https://127.0.0.1:55000/agents/005?pretty"

Where 005 is the ID of the agent whose operating system we want to check and foo:bar are the API credentials. The -k flag disables TLS certificate verification; that is acceptable against the manager's local self-signed certificate, but when querying a remote manager point curl at the trusted CA (--cacert) instead.

{
   "error": 0,
   "data": {
      "node_name": "node01",
      "status": "Active",
      "manager": "189b1440bc98",
      "os": {
         "arch": "x86_64",
         "major": "7",
         "minor": "6",
         "name": "Oracle Linux Server",
         "platform": "ol",
         "uname": "Linux |oraclelinux7 |4.14.35-1844.5.3.el7uek.x86_64 |#2 SMP Wed May 8 21:50:52 PDT 2019 |x86_64",
         "version": "7.6"
      },
      "group": [
         "default"
      ],
      "dateAdd": "2019-05-21 10:56:42",
      "mergedSum": "ccc51beb7d35c0fd7294b10f70675a1f",
      "name": "oraclelinux7",
      "ip": "10.0.2.15",
      "registerIP": "172.17.0.1",
      "configSum": "ab73af41699f13fdd81903b5f23d8d00",
      "version": "Wazuh v3.9.0",
      "id": "005",
      "lastKeepAlive": "2019-05-21 10:57:40"
   }
}

From this response we need data.os.name and data.os.major.

    2. Checking the database manually

# sqlite3 /var/ossec/var/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = 5;"

Where 5 is the numeric ID of the agent whose operating system we want to check (the agent shown as 005 by the API; the database stores the ID without leading zeros).

Oracle Linux Server|7

These values are the operating system name and the major version that we need to configure Vulnerability Detector.

  2. Configure Vulnerability Detector to allow the systems.

How the operating system is configured depends on whether it has to be made compatible with a single-provider feed or with a multi-provider feed.

    1. Single-providers.

Supported for the Canonical and Debian feeds. Include the operating system with the allow attribute on the os element of the corresponding feed, using the syntax "OS name-major version". To include more than one system, add a comma-separated list of systems.

For example, to force the compatibility of the Ubuntu 16 (Xenial) feed with Pop!_OS 16, and of the Ubuntu 18 (Bionic) feed with Linux Mint 19 and Pop!_OS 18, use:

<provider name="canonical">
  <enabled>yes</enabled>
  <os allow="Pop!_OS-16">xenial</os>
  <os allow="Linux Mint-19,Pop!_OS-18">bionic</os>
  <update_interval>1h</update_interval>
</provider>

    2. Multi-providers.

This option is valid for the Red Hat feed. Include the operating system with an allow element whose content follows the syntax "OS name-major version", and whose replaced_os attribute indicates the Red Hat version the system is to be treated as. To include more than one system, add a comma-separated list.

For example, to force the compatibility of the feed with Oracle Linux 6 and 7, handling them as Red Hat 6 and 7 respectively:

<provider name="redhat">
    <enabled>yes</enabled>
    <allow replaced_os="Red Hat-7">Oracle Linux-7</allow>
    <allow replaced_os="Red Hat-6">Oracle Linux-6</allow>
    <update_interval>1h</update_interval>
    <update_from_year>2010</update_from_year>
</provider>

Note

A substring of the operating system name obtained in step 1 can be used, which is why the example uses Oracle Linux instead of Oracle Linux Server. Keep the substring specific enough that it cannot match distributions you did not intend to cover (a value such as Linux alone would match far more than one platform).
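Before restarting the manager it is worth confirming that the allow entries you wrote actually cover the agents you checked in step 1. The following script is an added example, not Wazuh code: it parses an agent list in the shape the 3.x API returns (constructed here from the page's Oracle Linux agent plus two invented agents) and a vulnerability-detector block using both the single-provider and the multi-provider allow syntax, and reports which feed, if any, each agent would fall under. It assumes that an "OS name-major" entry is split on its last hyphen and that it matches an agent when the name part is a substring of os.name and the major part equals os.major, which is the substring behaviour described in the Note above; the exact server-side rule may differ, so treat the output as a sanity check rather than a guarantee.

```python
"""Check which agents a Vulnerability Detector 'allow' configuration covers.

Added example, not Wazuh code. Assumptions: an allow entry "Name-Major" is
split on its LAST hyphen, and matches an agent when Name is a substring of
the agent's os.name and Major equals os.major.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of GET /agents on the 3.x API: the Oracle
# Linux agent from the page plus two invented agents (ids 006 and 007).
AGENTS_JSON = json.dumps({
    "error": 0,
    "data": {
        "totalItems": 3,
        "items": [
            {"id": "005", "name": "oraclelinux7",
             "os": {"name": "Oracle Linux Server", "major": "7", "platform": "ol"}},
            {"id": "006", "name": "mint19",
             "os": {"name": "Linux Mint", "major": "19", "platform": "linuxmint"}},
            {"id": "007", "name": "oraclelinux8",
             "os": {"name": "Oracle Linux Server", "major": "8", "platform": "ol"}},
        ],
    },
})

# The two provider blocks from the page, combined into one configuration.
VD_CONFIG = """
<vulnerability-detector>
  <enabled>yes</enabled>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os allow="Pop!_OS-16">xenial</os>
    <os allow="Linux Mint-19,Pop!_OS-18">bionic</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="redhat">
    <enabled>yes</enabled>
    <allow replaced_os="Red Hat-7">Oracle Linux-7</allow>
    <allow replaced_os="Red Hat-6">Oracle Linux-6</allow>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
"""


def split_entry(entry):
    """'Oracle Linux-7' -> ('Oracle Linux', '7'). Splits on the last hyphen
    so OS names that themselves contain hyphens survive (assumption)."""
    name, sep, major = entry.strip().rpartition("-")
    if not sep or not name or not major:
        raise ValueError(f"allow entry {entry!r} is not 'OS name-major version'")
    return name, major


def parse_allow_entries(config_xml):
    """Return [(provider, feed, allowed_name, allowed_major)] for both syntaxes."""
    root = ET.fromstring(config_xml.strip())
    entries = []
    for provider in root.iter("provider"):
        pname = provider.get("name")
        # Single-provider syntax: <os allow="A-1,B-2">codename</os>
        for os_el in provider.findall("os"):
            allow = os_el.get("allow")
            if not allow:
                continue
            for item in allow.split(","):
                name, major = split_entry(item)
                entries.append((pname, os_el.text.strip(), name, major))
        # Multi-provider syntax: <allow replaced_os="Red Hat-7">Oracle Linux-7</allow>
        for allow_el in provider.findall("allow"):
            name, major = split_entry(allow_el.text)
            entries.append((pname, allow_el.get("replaced_os"), name, major))
    return entries


def agent_token(agent):
    """Build the 'OS name-major version' token that step 1 tells you to derive."""
    return f"{agent['os']['name']}-{agent['os']['major']}"


def matching_feed(agent, entries):
    """First (provider, feed) whose allow entry covers this agent, else None."""
    os_name, os_major = agent["os"]["name"], agent["os"]["major"]
    for provider, feed, name, major in entries:
        if name in os_name and major == os_major:
            return provider, feed
    return None


def coverage_report(agents_json, config_xml):
    """Map each agent id to the (provider, feed) it would scan under, or None."""
    agents = json.loads(agents_json)["data"]["items"]
    entries = parse_allow_entries(config_xml)
    return {a["id"]: matching_feed(a, entries) for a in agents}


if __name__ == "__main__":
    agents = json.loads(AGENTS_JSON)["data"]["items"]
    report = coverage_report(AGENTS_JSON, VD_CONFIG)
    for agent in agents:
        covered = report[agent["id"]]
        print(agent["id"], agent_token(agent),
              "->", covered if covered else "NOT COVERED: add an allow entry")
```

Run it against the real output of the API call from step 1 by replacing AGENTS_JSON with the response body, and against the provider blocks from your ossec.conf; an agent reported as NOT COVERED (here the invented Oracle Linux 8 agent, for which no Red Hat-8 mapping exists) will not be scanned until you add a matching entry.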