Vulnerability detection

New in version 3.2.0.

This capability can be used to detect applications that are known to be vulnerable (affected by a CVE).

How it works

To be able to detect vulnerabilities, now agents are able to natively collect a list of installed applications, sending it periodically to the manager (where it is stored in local sqlite databases, one per agent). In addition, the manager builds a global vulnerabilities database, using public OVAL CVE repositories, using it later to cross correlate this information with agent's applications inventory data.

The global vulnerabilities database is created automatically, currently pulling data from the following repositories:

This database can be configured to be updated periodically, ensuring that the solution will check for the very latest CVEs.

Once the global vulnerabilty database (with the CVEs) is created, the detection process will look for vulnerable packages in the inventory databases (unique per agent). Alerts are generated when a CVE (Common Vulnerabilities and Exposures) affects a package that is known to be installed in one of the monitored servers.

Compatibility matrix

The following table shows the operating systems that the vulnerability detector currently supports (we are working in supporting new ones) and the OVAL configuration needed for each distribution:

Distribution

Versions

Configuration OVALs

Red Hat & CentOS

5

Red Hat 5 OVAL

6

Red Hat 6 OVAL

7

Red Hat 7 OVAL

Ubuntu

12

Ubuntu 12 OVAL

14

Ubuntu 14 OVAL

16

Ubuntu 16 OVAL

18

Ubuntu 18 OVAL

Debian

7

Debian 7 OVAL

8

Debian 8 OVAL

9

Debian 9 OVAL

Amazon Linux

1

Red Hat 7 OVAL

2

Use case: Running a vulnerability scan

The following example shows how to configure the necessary components to run the vulnerability detection process.

  1. Enable the agent module used to collect installed packages on the monitored system.

You can do this adding the following block of settings to your shared agent configuration file:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <packages>yes</packages>
</wodle>

Check Syscollector settings for more details.

  1. Enable the manager module used to detect vulnerabilities.

You can do this adding the following block of settings to your manager configuration file:

<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-18">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
  </feed>
</wodle>

Remember to restart the manager to apply changes: /var/ossec/bin/ossec-control restart

Check Vulnerability detector settings for more details.

The following fields are captured in every alert:

  • CVE: The CVE identifier for the corresponding vulnerability.

  • Title: Short description of the impact of vulnerability.

  • Severity: It specifies the impact of the vulnerability in terms of security.

  • Published: Date when the vulnerability was included in the official database.

  • Reference: URL of the official database website with extra information of the vulnerability.

  • Rationale: Broad description of the vulnerability.

  • State: This field informs if it exists a patch for the vulnerability (fixed) or instead, its state.

See below for examples of alerts:

** Alert 1532935655.161547: - vulnerability-detector,gdpr_IV_35.7.d,
2018 Jul 30 09:27:35 manager->vulnerability-detector
Rule: 23505 (level 10) -> 'CVE-2018-3693 on Ubuntu 18.04 LTS (bionic) - high.'
{"vulnerability":{"cve":"CVE-2018-3693","title":"CVE-2018-3693 on Ubuntu 18.04 LTS (bionic) - high.","severity":"High","published":"2018-07-10","updated":"2018-07-10","reference":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3693","state":"Pending confirmation","package":{"name":"firefox","version":"61.0.1+build1-0ubuntu0.18.04.1"}}}
vulnerability.cve: CVE-2018-3693
vulnerability.title: CVE-2018-3693 on Ubuntu 18.04 LTS (bionic) - high.
vulnerability.severity: High
vulnerability.published: 2018-07-10
vulnerability.updated: 2018-07-10
vulnerability.reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3693
vulnerability.state: Pending confirmation
vulnerability.package.name: firefox
vulnerability.package.version: 61.0.1+build1-0ubuntu0.18.04.1
** Alert 1532940902.384727: - vulnerability-detector,gdpr_IV_35.7.d,
2018 Jul 30 10:55:02 (agent) 10.0.15.32->vulnerability-detector
Rule: 23504 (level 7) -> 'RHSA-2018:1700: procps-ng security update (Important)'
{"vulnerability":{"cve":"CVE-2018-1126","title":"RHSA-2018:1700: procps-ng security update (Important)","severity":"Medium","published":"2018-05-17","updated":"2018-05-17","reference":"https://access.redhat.com/security/cve/CVE-2018-1126","state":"Fixed","package":{"name":"procps-ng","version":"3.3.10-16.el7","cvss3":"4.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L","patch":"RHSA-2018:1700-01","condition":"less than 0:3.3.10-17.el7_5.2"}}}
vulnerability.cve: CVE-2018-1126
vulnerability.title: RHSA-2018:1700: procps-ng security update (Important)
vulnerability.severity: Medium
vulnerability.published: 2018-05-17
vulnerability.updated: 2018-05-17
vulnerability.reference: https://access.redhat.com/security/cve/CVE-2018-1126
vulnerability.state: Fixed
vulnerability.package.name: procps-ng
vulnerability.package.version: 3.3.10-16.el7
vulnerability.package.cvss3: 4.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
vulnerability.package.patch: RHSA-2018:1700-01
vulnerability.package.condition: less than 0:3.3.10-17.el7_5.2

The following image shows a vulnerability alert on Kibana: