Offline Update

If the Wazuh server isn't directly connected to the Internet, it's still possible to keep the vulnerability feeds updated by fetching the database files from your local environment or network. The steps consist of downloading the specific vulnerability files and configuring the Wazuh server to locate them. The feeds can be kept in a custom location either compressed (gz or bzip2) or uncompressed (XML or JSON), depending on the original format of the feed. The configuration examples in this section all belong in the Wazuh server /var/ossec/etc/ossec.conf file.

Canonical

To perform an offline update of the Canonical feeds, you must download the corresponding OVAL files.

OS        Files
Jammy     com.ubuntu.jammy.cve.oval.xml.bz2
Focal     com.ubuntu.focal.cve.oval.xml.bz2
Bionic    com.ubuntu.bionic.cve.oval.xml.bz2
Xenial    com.ubuntu.xenial.cve.oval.xml.bz2
Trusty    com.ubuntu.trusty.cve.oval.xml.bz2

To fetch the vulnerability feeds from a user-defined repository, the configuration must be similar to the following.

<provider name="canonical">
   <enabled>yes</enabled>
   <os url="http://local_repo/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
   <os url="http://local_repo/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
   <os url="http://local_repo/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
   <os url="http://local_repo/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
   <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feeds from a local path. To do so, use the path attribute as this example shows.

<provider name="canonical">
   <enabled>yes</enabled>
   <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
   <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
   <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
   <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
   <update_interval>1h</update_interval>
</provider>

Debian

Currently, the module fetches the Debian vulnerabilities from two different sources.

  • OVAL file for each supported Debian version.

  • JSON feed with global information about the affected packages for each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. Below are the steps to configure each source for the offline update.

Debian OVAL feed

To perform an offline update of Debian OVAL feeds, you must download the appropriate files.

OS          Files
Bullseye    oval-definitions-bullseye.xml
Buster      oval-definitions-buster.xml

To update the vulnerability feed from a user-defined repository, use a configuration similar to the following.

<provider name="debian">
   <enabled>yes</enabled>
   <os url="http://local_repo/oval-definitions-bullseye.xml">bullseye</os>
   <os url="http://local_repo/oval-definitions-buster.xml">buster</os>
   <update_interval>1h</update_interval>
</provider>

To use a local feed file, add the path attribute accompanying the os option as follows.

<provider name="debian">
   <enabled>yes</enabled>
   <os path="/local_path/oval-definitions-bullseye.xml">bullseye</os>
   <os path="/local_path/oval-definitions-buster.xml">buster</os>
   <update_interval>1h</update_interval>
</provider>

Debian Security Tracker JSON feed

To perform an offline update, you must download the corresponding file.

OS     Files
ALL    Debian Security Tracker JSON

To update the vulnerability feeds from a user-defined repository, use a configuration similar to the following.

<provider name="debian">
   <enabled>yes</enabled>
   <url>http://local_repo/security_tracker_local.json</url>
   <update_interval>1h</update_interval>
</provider>

To use a local feed file, use the path attribute.

<provider name="debian">
   <enabled>yes</enabled>
   <path>/local_path/security_tracker_local.json</path>
   <update_interval>1h</update_interval>
</provider>

Red Hat

The Vulnerability Detector module currently fetches the Red Hat vulnerabilities from two different sources:

  • An OVAL file for each supported Red Hat version.

  • A JSON feed with global information about the affected packages for each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. Below is the procedure to configure each source for an offline update.

Red Hat OVAL feeds

To perform an offline update of the Red Hat OVAL feeds, you must download the corresponding files.

OS    Files
5     com.redhat.rhsa-RHEL5.xml.bz2
6     rhel-6-including-unpatched.oval.xml.bz2
7     rhel-7-including-unpatched.oval.xml.bz2
8     rhel-8-including-unpatched.oval.xml.bz2
9     rhel-9-including-unpatched.oval.xml.bz2

To fetch the vulnerability feeds from a user-defined repository, use a configuration similar to the following.

<provider name="redhat">
   <enabled>yes</enabled>
   <os url="http://local_repo/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
   <os url="http://local_repo/rhel-6-including-unpatched.oval.xml.bz2">6</os>
   <os url="http://local_repo/rhel-7-including-unpatched.oval.xml.bz2">7</os>
   <os url="http://local_repo/rhel-8-including-unpatched.oval.xml.bz2">8</os>
   <os url="http://local_repo/rhel-9-including-unpatched.oval.xml.bz2">9</os>
   <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path. To achieve this, use the path attribute as this example shows.

<provider name="redhat">
   <enabled>yes</enabled>
   <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
   <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
   <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
   <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
   <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
   <update_interval>1h</update_interval>
</provider>

Red Hat Security Data JSON feed

To perform an offline update, you must make requests to Red Hat's API to get the feed pages starting from a specified date. Wazuh provides an update script that automates the process of downloading the feed and checking for API downtime. By default, the script downloads all the CVE data since the year 1999. We recommend keeping the default starting year to maintain a more comprehensive vulnerability database.

How to use the update script

  1. Create a directory for the feeds.

    # mkdir /local_path/rh-feed
    
  2. Run the script indicating the target path.

    # ./rh-generator.sh /local_path/rh-feed
    

    The script might output an error message like the following.

    Page download failed (504), retrying...
    

    The error message indicates that the Red Hat servers may be temporarily unavailable to you. Regardless, the script keeps trying to finish the download until it acquires the full feed.

The downloaded feed consists of a succession of numbered files whose names follow the format redhat-feed<number>.json. To update locally, set the path of those files with a regular expression such as the following.

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
    <update_interval>1h</update_interval>
</provider>

If you want to upload these files to a local server, they must keep the same numeric sequence in which the script downloaded them. To indicate the numerical range, mark the position of the number in the URL with the [-] placeholder and set the start and end attributes. For example, use the following configuration if the previous script returned 15 files.

<provider name="redhat">
   <enabled>yes</enabled>
   <url start="1" end="15">http://local_repo/rh-feed/redhat-feed[-].json</url>
   <update_interval>1h</update_interval>
</provider>

Arch

To perform an offline update of the Arch feed, download the corresponding JSON file.

OS         Files
Rolling    all.json

To fetch the vulnerability feed from a user-defined repository, configure your Wazuh server in a similar way to this example.

<provider name="arch">
   <enabled>yes</enabled>
   <url>http://local_repo/security.archlinux.org/issues/all.json</url>
   <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feed from a local path. In that case, the path must be set as a POSIX regular expression, as shown in this example.

<provider name="arch">
   <enabled>yes</enabled>
   <path>/local_path/all\.json$</path>
   <update_interval>1h</update_interval>
</provider>

ALAS

The module currently fetches vulnerability feeds for Amazon Linux systems from the Wazuh repository as ALAS feeds. To perform an offline update of these feeds, you must download them from the corresponding Wazuh repository.

OS                Files
Amazon Linux      alas.json.gz
Amazon Linux 2    alas2.json.gz

Then, place them in the custom location and point the configuration at them, as in this example.

<provider name="alas">
   <enabled>yes</enabled>
   <os url="http://local_repo/updates_amazon-linux.json.gz">amazon-linux</os>
   <os url="http://local_repo/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
   <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feeds from a local path with the path attribute, as shown in this example.

<provider name="alas">
   <enabled>yes</enabled>
   <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
   <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
   <update_interval>1h</update_interval>
</provider>

SUSE

Currently, the SUSE Linux vulnerabilities are fetched from one OVAL file for each supported SUSE Linux version.

OS         Files
SLES 11    suse.linux.enterprise.server.11.xml
SLED 11    suse.linux.enterprise.desktop.11.xml
SLES 12    suse.linux.enterprise.server.12.xml
SLED 12    suse.linux.enterprise.desktop.12.xml
SLES 15    suse.linux.enterprise.server.15.xml
SLED 15    suse.linux.enterprise.desktop.15.xml

Feeds can be fetched from a custom repository using the url attribute for each supported OS, as shown in this example:

<provider name="suse">
    <enabled>yes</enabled>
    <os url="http://local_repo/suse.linux.enterprise.server.11.xml">11-server</os>
    <os url="http://local_repo/suse.linux.enterprise.desktop.11.xml">11-desktop</os>
    <os url="http://local_repo/suse.linux.enterprise.server.12.xml">12-server</os>
    <os url="http://local_repo/suse.linux.enterprise.desktop.12.xml">12-desktop</os>
    <os url="http://local_repo/suse.linux.enterprise.server.15.xml">15-server</os>
    <os url="http://local_repo/suse.linux.enterprise.desktop.15.xml">15-desktop</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, they can also be loaded from a local path as follows:

<provider name="suse">
    <enabled>yes</enabled>
    <os path="/local_path/suse.linux.enterprise.server.11.xml">11-server</os>
    <os path="/local_path/suse.linux.enterprise.desktop.11.xml">11-desktop</os>
    <os path="/local_path/suse.linux.enterprise.server.12.xml">12-server</os>
    <os path="/local_path/suse.linux.enterprise.desktop.12.xml">12-desktop</os>
    <os path="/local_path/suse.linux.enterprise.server.15.xml">15-server</os>
    <os path="/local_path/suse.linux.enterprise.desktop.15.xml">15-desktop</os>
    <update_interval>1h</update_interval>
</provider>

National Vulnerability Database

To perform an offline update of the National Vulnerability Database, you must request its feed starting from a given year. Wazuh provides an update script that automates the process of downloading the feed and checking for server downtime.

How to use the update script

  1. Create a directory for the feeds.

    # mkdir /local_path/nvd-feed
    
  2. Run the script, setting the starting year (the earliest available is 2002) and the target path.

    # nvd-generator.sh 2002 /local_path/nvd-feed
    

    The script may output an error message like the following.

    Page download failed (504), retrying...
    

    The error message indicates that the National Vulnerability Database servers may be temporarily unavailable to you. The script keeps trying to finish the download until it acquires the full feed.

The downloaded feed consists of numbered files whose names follow the format nvd-feed<number>.json.gz. You must extract the compressed files to be able to use them. To update locally, set the path of those files with a regular expression as shown below.

<provider name="nvd">
    <enabled>yes</enabled>
    <path>/local_path/nvd-feed/nvd-feed[[:digit:]]\{4\}\.json\.gz$</path>
    <update_interval>1h</update_interval>
</provider>

If you want to upload these files to a local server, they must keep the same numeric sequence in which the script downloaded them. To indicate the numerical range, mark the position of the number in the URL with the [-] placeholder and set the start and end attributes. For example, you can use the configuration below if the files are from 2015 to 2020.

<provider name="nvd">
   <enabled>yes</enabled>
   <url start="2015" end="2019">http://local_repo/nvd-feed[-].json.gz</url>
   <update_interval>1h</update_interval>
</provider>
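The Red Hat Security Data and NVD sections above both depend on a POSIX regular expression in <path> and on a [-] placeholder expanded by the start and end attributes of <url>. The following script is an added example, not part of the Wazuh documentation or of its update scripts; it assumes a POSIX shell with find and grep, and the feed directory and file names it creates are constructed samples. It stages such a directory and checks that the regexes and ranges written in ossec.conf actually resolve to files and URLs before the manager is restarted.

```shell
#!/bin/sh
# Added example (not Wazuh's own tooling): stage a constructed offline feed
# directory and check that the <path> POSIX regexes and <url start/end>
# [-] ranges from this page resolve to real files and URLs.
set -eu

# Expand a <url start="A" end="B"> template: [-] is replaced by every
# integer in the range, printing one URL per line (what the manager
# will request from the local repository).
expand_feed_urls() {
    template=$1; start=$2; end=$3
    prefix=${template%%"[-]"*}
    suffix=${template#*"[-]"}
    i=$start
    while [ "$i" -le "$end" ]; do
        printf '%s%s%s\n' "$prefix" "$i" "$suffix"
        i=$((i + 1))
    done
}

# Print how many files in DIR match the <path> regex. grep's default
# dialect is POSIX BRE, so [[:digit:]], \+ and \{4\} are understood
# exactly as they are written in ossec.conf; 0 means a misconfiguration.
count_feed_files() {
    dir=$1; pattern=$2
    find "$dir" -maxdepth 1 -type f | grep -c -- "$pattern" || true
}

# Create a constructed feed directory with dummy files (not real feed data),
# including near-misses that a correct regex must reject.
stage_sample_feeds() {
    base=$1
    mkdir -p "$base/rh-feed" "$base/nvd-feed"
    for n in 1 2 15; do echo '{}' > "$base/rh-feed/redhat-feed$n.json"; done
    echo '{}' > "$base/rh-feed/redhat-feed.json.bak"        # no digits: reject
    for y in 2015 2019; do echo x > "$base/nvd-feed/nvd-feed$y.json.gz"; done
    echo x > "$base/nvd-feed/nvd-feed19.json.gz"            # 2 digits, not 4: reject
}

# Stand-alone demo: ./check_feeds.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    stage_sample_feeds "$tmp"
    echo "redhat files: $(count_feed_files "$tmp/rh-feed" "$tmp/rh-feed/redhat-feed[[:digit:]]\+\.json$")"
    echo "nvd files:    $(count_feed_files "$tmp/nvd-feed" "$tmp/nvd-feed/nvd-feed[[:digit:]]\{4\}\.json\.gz$")"
    expand_feed_urls "http://local_repo/rh-feed/redhat-feed[-].json" 1 3
    rm -rf "$tmp"
fi
```

Point count_feed_files at the real directory and the exact <path> value from ossec.conf; a result of 0 means the manager will find no feed file either.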

MSU

To perform an offline update of the MSU, you must download the msu-updates.json.gz feed (and its sha256 checksum) and place it in a user-defined repository.

<provider name="msu">
   <enabled>yes</enabled>
   <url>http://local_repo/msu-updates.json.gz</url>
   <update_interval>1h</update_interval>
</provider>

To update locally, set the path of the downloaded file with a POSIX regular expression as follows:

<provider name="msu">
   <enabled>yes</enabled>
   <path>/local_path/msu-updates\.json\.gz$</path>
   <update_interval>1h</update_interval>
</provider>

Sample Configuration

<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
        <enabled>yes</enabled>
        <os path="/local_path/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
        <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
        <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
        <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
        <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
        <enabled>yes</enabled>
        <os path="/local_path/oval-definitions-bullseye.xml">bullseye</os>
        <os path="/local_path/oval-definitions-buster.xml">buster</os>
        <path>/local_path/security_tracker_local.json</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
        <enabled>yes</enabled>
        <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
        <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
        <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
        <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
        <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
        <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
        <enabled>yes</enabled>
        <path>/local_path/all\.json$</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
        <enabled>yes</enabled>
        <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
        <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
        <enabled>yes</enabled>
        <path>/local_path/msu-updates\.json\.gz$</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
        <enabled>yes</enabled>
        <path>/local_path/nvd-feed/nvd-feed[[:digit:]]\{4\}\.json\.gz$</path>
        <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>