Offline Update

If the manager does not have a direct connection to the Internet, it is possible to keep the vulnerability feeds updated by fetching the database files from your local environment or network. To achieve this, specific vulnerability files must be downloaded and Wazuh configured to locate them.

When the Vulnerability Detector fetches feeds from a custom location, the files can be gzip- or bzip2-compressed, or uncompressed XML or JSON, depending on the original format of the feed.

Canonical

To perform an offline update of the Canonical feeds, you must download the corresponding OVAL files:

OS       Link
Focal    https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2
Bionic   https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2
Xenial   https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml.bz2
Trusty   https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml.bz2

To fetch the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="canonical">
    <enabled>yes</enabled>
    <os url="http://local_repo/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os url="http://local_repo/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os url="http://local_repo/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os url="http://local_repo/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path. To do so, use the path attribute, as this example shows:

<provider name="canonical">
    <enabled>yes</enabled>
    <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>1h</update_interval>
</provider>
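Whichever distribution is being mirrored, two questions come up when feed files are copied by hand: is each file in a format the Vulnerability Detector accepts (gzip, bzip2, or plain XML/JSON, as noted above), and did it reach the offline manager unmodified? The script below is an added example and is not part of the Wazuh documentation or the Wazuh tooling. It identifies each feed's container from its leading bytes, stages it into a mirror directory (the document root behind local_repo, or the /local_path directory used in the examples), and records SHA-256 digests that can be checked after the transfer. The function names, directory layout and sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not Wazuh's own tooling): stage downloaded vulnerability
# feed files into a local mirror and record their SHA-256 digests so the
# copy that reaches the offline manager can be verified after transfer.

# Identify the feed container from its first bytes rather than its extension.
# Prints one of: bzip2, gzip, xml, json, unknown.
feed_format() {
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        425a68)  echo bzip2 ;;   # "BZh" bzip2 stream header
        1f8b*)   echo gzip ;;    # gzip member header
        3c*)     echo xml ;;     # "<" (OVAL XML)
        7b*|5b*) echo json ;;    # "{" or "[" (JSON feed)
        *)       echo unknown ;;
    esac
}

# Copy one feed into the mirror root and append its digest to the manifest.
# Returns 1 and copies nothing if the file is not a gz/bz2/XML/JSON feed.
stage_feed() {
    src=$1; root=$2
    fmt=$(feed_format "$src")
    if [ "$fmt" = unknown ]; then
        echo "refusing to stage $src: unrecognised feed format" >&2
        return 1
    fi
    mkdir -p "$root"
    cp "$src" "$root/"
    ( cd "$root" && sha256sum "$(basename "$src")" >> SHA256SUMS )
}

# Verify every staged file against the manifest. Non-zero if any digest
# differs or a listed file is missing (sha256sum -c reports both).
verify_mirror() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# Demonstration with constructed sample files (headers only, not real feeds).
demo() {
    work=$(mktemp -d)
    printf '<?xml version="1.0"?><oval_definitions/>' > "$work/oval-definitions-buster.xml"
    printf '{"constructed": true}' > "$work/security_tracker_local.json"
    printf 'BZh9' > "$work/com.ubuntu.focal.cve.oval.xml.bz2"   # bzip2 magic only
    printf 'not a feed' > "$work/README.txt"
    for f in "$work"/*; do
        stage_feed "$f" "$work/mirror" || echo "skipped $(basename "$f")"
    done
    verify_mirror "$work/mirror" && echo "mirror verified"
    rm -rf "$work"
}
demo
```

Run verify_mirror on the manager side after the files have been copied across; a feed that fails the check should not be pointed at by the path or url attributes until it has been re-transferred.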

Debian

Currently, the Debian vulnerabilities are fetched from two different sources: an OVAL file for each supported Debian version, and a JSON feed with global information about the affected packages for each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. How to configure each of them for an offline update is described below.

  • Debian OVAL feed

To perform an offline update of Debian OVAL feeds, you must download the corresponding files:

OS        Link
Buster    https://www.debian.org/security/oval/oval-definitions-buster.xml
Stretch   https://www.debian.org/security/oval/oval-definitions-stretch.xml

To use a local feed file, add the path attribute to the os option as follows:

<provider name="debian">
    <enabled>yes</enabled>
    <os path="/local_path/oval-definitions-buster.xml">buster</os>
    <os path="/local_path/oval-definitions-stretch.xml">stretch</os>
    <update_interval>1h</update_interval>
</provider>

In order to update the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="debian">
    <enabled>yes</enabled>
    <os url="http://local_repo/oval-definitions-buster.xml">buster</os>
    <os url="http://local_repo/oval-definitions-stretch.xml">stretch</os>
    <update_interval>1h</update_interval>
</provider>

  • Debian Security Tracker JSON feed

To perform an offline update, you must download the corresponding file:

OS    Link
ALL   https://security-tracker.debian.org/tracker/data/json

To use a local feed file, use the path option:

<provider name="debian">
    <enabled>yes</enabled>
    <path>/local_path/security_tracker_local.json</path>
    <update_interval>1h</update_interval>
</provider>

In order to update the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="debian">
    <enabled>yes</enabled>
    <url>http://local_repo/security_tracker_local.json</url>
    <update_interval>1h</update_interval>
</provider>

Red Hat

Currently, the Red Hat vulnerabilities are fetched from two different sources: an OVAL file for each supported Red Hat version, and a JSON feed with global information about the affected packages for each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. How to configure each of them for an offline update is described below.

  • Red Hat OVAL feed

To perform an offline update of the Red Hat OVAL feeds, you must download the corresponding files:

OS   Link
5    https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL5.xml.bz2
6    https://www.redhat.com/security/data/oval/v2/RHEL6/rhel-6-including-unpatched.oval.xml.bz2
7    https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2
8    https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2

To fetch the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://local_repo/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
    <os url="http://local_repo/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os url="http://local_repo/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os url="http://local_repo/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path. To do so, use the path attribute, as this example shows:

<provider name="redhat">
    <enabled>yes</enabled>
    <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
    <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <update_interval>1h</update_interval>
</provider>

  • Red Hat Security Data JSON feed

To perform an offline update, you must make requests to its API to get the feed pages starting from a specified date. A script that automates the download and handles API downtime is available at wazuh/tools/vulnerability-detector/rh-generator.sh.

The script downloads all the CVE data since the year 1999 by default. It is recommended not to change the starting year, so that the vulnerability database is complete.

How to use the update script

  1. Create a directory to download the feed.

# mkdir /local_path/rh-feed

  2. Run the script indicating the target path.

# ./rh-generator.sh /local_path/rh-feed

It is possible that the script will output error messages like the following:

Page download failed (504), retrying...

This indicates that the Red Hat servers may be temporarily unavailable to you. The script will continue trying to finish the download until it acquires the full feed.

Finally, you will have the feed divided into a succession of numbered files whose names follow the format redhat-feed<number>.json. To update locally, the path to those files must be indicated by a regular expression such as the following:

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed.*json$</path>
    <update_interval>1h</update_interval>
</provider>

If you want to upload these files to a local server, they must keep the same numerical sequence in the link: mark the position of the number with the [-] tag and give the numerical range with the start and end attributes. For example, if the previous script has returned 15 files, the configuration would look like this:

<provider name="redhat">
    <enabled>yes</enabled>
    <url start="1" end="15">http://local_repo/rh-feed/redhat-feed[-].json</url>
    <update_interval>1h</update_interval>
</provider>

National Vulnerability Database

To perform an offline update of the National Vulnerability Database, you must make requests to its feed starting from the desired date. A script that automates the download and handles server downtime is available at wazuh/tools/vulnerability-detector/nvd-generator.sh.

How to use the update script

  1. Create a directory to download the feed.

# mkdir /local_path/nvd-feed

  2. Run the script indicating the starting year from which the vulnerabilities will be downloaded (minimum is 2002) and the target path.

# nvd-generator.sh 2002 /local_path/nvd-feed

It is possible that the script will output error messages like the following:

Page download failed (504), retrying...

This indicates that the National Vulnerability Database servers may be temporarily unavailable to you. The script will continue trying to finish the download until it acquires the full feed.

Finally, you will have the feed divided into a succession of numbered files whose names follow the format nvd-feed<number>.json.gz. Those files are compressed and should be extracted. To update locally, the path to those files must be indicated by a regular expression such as the following:

<provider name="nvd">
    <enabled>yes</enabled>
    <path>/local_path/nvd-feed/nvd-feed.*json$</path>
    <update_interval>1h</update_interval>
</provider>

If you want to upload these files to a local server, they must keep the same numerical sequence in the link: mark the position of the number with the [-] tag and give the numerical range with the start and end attributes. For example, if you have the files from 2015 to 2020, the configuration would look like this:

<provider name="nvd">
    <enabled>yes</enabled>
    <url start="2015" end="2020">http://local_repo/nvd-feed[-].json.gz</url>
    <update_interval>1h</update_interval>
</provider>

MSU

New in version 4.0.0.

The Microsoft Software Update feed is now updated by the Wazuh manager instead of being shipped with the package. To perform an offline update of the MSU feed, download it from https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz and place it in an alternative repository:

<provider name="msu">
    <enabled>yes</enabled>
    <url>http://local_repo/msu-updates.json.gz</url>
    <update_interval>1h</update_interval>
</provider>

Or in a local path:

<provider name="msu">
    <enabled>yes</enabled>
    <path>/local_path/msu-updates.json.gz</path>
    <update_interval>1h</update_interval>
</provider>