Running a vulnerability scan

The following example shows how to configure the necessary components to run the vulnerability detection process.

  1. Enable the agent module used to collect installed packages on the monitored system.

It can be done by adding the following block of settings to your shared agent configuration file:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
</wodle>

If you want to scan vulnerabilities in Windows agents, you will also have to add the hotfixes scan:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
</wodle>

These scans are enabled by default. For more information about the inventory module, check Syscollector settings.

  1. Enable the manager module used to detect vulnerabilities.

You can do this adding a block like the following to your manager configuration file:

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>bionic</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>

Remember to restart the manager to apply the changes:

  1. For Systemd:
# systemctl restart wazuh-manager
  1. For SysV Init:
# service wazuh-manager restart

Check Vulnerability detector settings for more details.

The following fields are included in every alert:

  • CVE: The Common Vulnerabilities and Exposures identifier for the corresponding vulnerability.
  • Title: Short description of the impact of vulnerability.
  • Rationale: Broad description of the vulnerability.
  • Severity: It specifies the impact of the vulnerability in terms of security.
  • Package: Information about the affected package. Including the reason why the package is marked as vulnerable.
  • Published: Date when the vulnerability was included in the official database.
  • Updated: Date of the last vulnerability update.
  • CWE: The Common Weakness Enumeration reference.
  • CVSS: Vulnerability assessment according to the Common Vulnerability Scoring System (versions 2 and 3).
  • Advisories IDs: Red Hat security advisories.
  • References: URLs with extra information on the vulnerability.
  • Bugzilla references: Links to the references of the vulnerability in Bugzilla.

Here, you can see a real alert where the explained fields are filled:

** Alert 1591945867.49829472: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2020 Jun 12 07:11:07 (Debian) any->vulnerability-detector
Rule: 23505 (level 10) -> 'CVE-2019-12735 affects vim'
vulnerability.package.name: vim
vulnerability.package.version: 2:8.0.0197-4+deb9u1
vulnerability.package.architecture: amd64
vulnerability.package.condition: Package less than 2:8.0.0197-4+deb9u2
vulnerability.cvss.cvss2.vector.attack_vector: network
vulnerability.cvss.cvss2.vector.access_complexity: medium
vulnerability.cvss.cvss2.vector.authentication: none
vulnerability.cvss.cvss2.vector.confidentiality_impact: complete
vulnerability.cvss.cvss2.vector.integrity_impact: complete
vulnerability.cvss.cvss2.vector.availability: complete
vulnerability.cvss.cvss2.base_score: 9.300000
vulnerability.cvss.cvss3.vector.attack_vector: local
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: changed
vulnerability.cvss.cvss3.vector.confidentiality_impact: high
vulnerability.cvss.cvss3.vector.integrity_impact: high
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 8.600000
vulnerability.cve: CVE-2019-12735
vulnerability.title: CVE-2019-12735
vulnerability.rationale: getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
vulnerability.severity: High
vulnerability.published: 2019-06-05
vulnerability.updated: 2019-06-13
vulnerability.cwe_reference: CWE-78
vulnerability.references: ["http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html", "http://www.securityfocus.com/bid/108724", "https://access.redhat.com/errata/RHSA-2019:1619", "https://access.redhat.com/errata/RHSA-2019:1774", "https://access.redhat.com/errata/RHSA-2019:1793", "https://access.redhat.com/errata/RHSA-2019:1947", "https://bugs.debian.org/930020", "https://bugs.debian.org/930024", "https://github.com/neovim/neovim/pull/10082", "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md", "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040", "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/", "https://seclists.org/bugtraq/2019/Jul/39", "https://seclists.org/bugtraq/2019/Jun/33", "https://security.gentoo.org/glsa/202003-04", "https://support.f5.com/csp/article/K93144355", "https://support.f5.com/csp/article/K93144355?utm_source=f5support&amp;utm_medium=RSS", "https://usn.ubuntu.com/4016-1/", "https://usn.ubuntu.com/4016-2/", "https://www.debian.org/security/2019/dsa-4467", "https://www.debian.org/security/2019/dsa-4487", "https://nvd.nist.gov/vuln/detail/CVE-2019-12735", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735"]
vulnerability.assigner: cve@mitre.org
vulnerability.cve_version: 4.0

Finally, here you can see how the highlighted fields of the alert look in the WUI:

Where you can also check the vulnerability dashboards to have an overview of your agents’ status.