Scan vulnerabilities on unsupported systems

There are many operating systems derived from others that Vulnerability Detector supports to which compatibility of vulnerability feeds could be extended, such as Linux Mint and Oracle Linux. However, those distributions are not scanned by default since there are not pre-defined feeds for them.

For these cases, Vulnerability Detector incorporates the allow option, which it is possible to indicate which of the operating systems are compatible with any of the configured feeds.

This guide will explain how to extend compatibility with an unsupported OS.

Warning

This configuration can lead to false positives since each OS vendor handles the package management and security patching by their own.

  1. Check the registered name of the agent’s operating system.

It is possible that the registered name of the system does not match the expected one. Therefore, this information can be checked as follows:

  1. Using the Wazuh RESTful API endpoint GET /agents:

# curl -k -X GET "https://localhost:55000/agents?pretty=true&agents_list=005&select=os.name,os.major" -H  "Authorization: Bearer $TOKEN"

Where 005 is the ID of the agent whose operating system we want to check.

{
    "data": {
        "affected_items": [{"os": {"major": "7", "name": "Oracle Linux Server"}, "id": "005"}],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents information was returned",
    "error": 0,
}
  1. Checking the database manually:

# sqlite3 /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = 5;"

Where 5 is the ID of the agent whose operating system we want to check.

Oracle Linux Server|7

These values are the name of the operating system and the major version we will need to configure Vulnerability Detector.

  1. Configure Vulnerability Detector to allow the systems.

It is necessary to include the operating system using the allow attribute followed by the corresponding feed, following the syntax: “OS name-major version”. To include more than one system, just add a list of systems separated by commas.

For example, if we want to force the compatibility of Ubuntu 16 (Xenial) feed with PopOS 16, and Ubuntu 18 (Bionic) with Linux Mint 19 and Pop OS 18, we will use:

<provider name="canonical">
  <enabled>yes</enabled>
  <os allow="Pop!_OS-16">xenial</os>
  <os allow="Linux Mint-19,Pop!_OS-18">bionic</os>
  <update_interval>1h</update_interval>
</provider>

The same for other providers such as Redhat:

<provider name="redhat">
    <enabled>yes</enabled>
    <os allow="Oracle Linux-7">7</os>
    <update_interval>1h</update_interval>
    <update_from_year>2010</update_from_year>
</provider>

Note

Note that we can use a substring of the operating system extracted from the agent in step 1. For this reason, in the example Oracle Linux has been used instead of Oracle Linux Server.