Offline Update
If the Wazuh server isn't directly connected to the Internet, it's still possible to keep the vulnerability feeds updated by fetching the database files from your local environment or network. The steps are to download the specific vulnerability files and to configure the Wazuh server to locate them. Feeds can be served from a custom location either compressed (gz or bzip2) or uncompressed (XML or JSON), depending on the original format of the feed. The configuration examples in this section all belong in the Wazuh server /var/ossec/etc/ossec.conf file.
Canonical
To perform an offline update of the Canonical feeds, you must download the corresponding OVAL files.
OS | Files
---|---
Jammy |
Focal |
Bionic |
Xenial |
Trusty |
To fetch the vulnerability feeds from a user-defined repository, the configuration must be similar to the following.
<provider name="canonical">
  <enabled>yes</enabled>
  <os url="http://local_repo/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
  <os url="http://local_repo/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
  <os url="http://local_repo/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
  <os url="http://local_repo/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
  <update_interval>1h</update_interval>
</provider>
Alternatively, you can load the feeds from a local path. To achieve this, use the path attribute as this example shows.
<provider name="canonical">
  <enabled>yes</enabled>
  <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
  <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
  <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
  <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
  <update_interval>1h</update_interval>
</provider>
Debian
Currently, the module fetches the Debian vulnerabilities from two different sources:
An OVAL file for each supported Debian version.
A JSON feed with global information about the affected packages for each distribution.
Note: Both sources are necessary for the proper functioning of the scanner. Below are the steps to configure each source for the offline update.
Debian OVAL feed
To perform an offline update of Debian OVAL feeds, you must download the appropriate files.
OS | Files
---|---
Buster |
Bullseye |
Bookworm |
To update the vulnerability feed from a user-defined repository, use a configuration similar to the following.
<provider name="debian">
  <enabled>yes</enabled>
  <os url="http://local_repo/oval-definitions-buster.xml.bz2">buster</os>
  <os url="http://local_repo/oval-definitions-bullseye.xml.bz2">bullseye</os>
  <os url="http://local_repo/oval-definitions-bookworm.xml.bz2">bookworm</os>
  <update_interval>1h</update_interval>
</provider>
To use a local feed file, add the path attribute to the os option as follows.
<provider name="debian">
  <enabled>yes</enabled>
  <os path="/local_path/oval-definitions-buster.xml.bz2">buster</os>
  <os path="/local_path/oval-definitions-bullseye.xml.bz2">bullseye</os>
  <os path="/local_path/oval-definitions-bookworm.xml.bz2">bookworm</os>
  <update_interval>1h</update_interval>
</provider>
Debian Security Tracker JSON feed
To perform an offline update, you must download the corresponding file.
OS | Files
---|---
ALL |
To update the vulnerability feeds from a user-defined repository, use a configuration similar to the following.
<provider name="debian">
  <enabled>yes</enabled>
  <url>http://local_repo/security_tracker_local.json</url>
  <update_interval>1h</update_interval>
</provider>
To use a local feed file, use the path option.
<provider name="debian">
  <enabled>yes</enabled>
  <path>/local_path/security_tracker_local.json</path>
  <update_interval>1h</update_interval>
</provider>
Red Hat
The Vulnerability Detector module currently fetches the Red Hat vulnerabilities from two different sources:
An OVAL file for each supported Red Hat version.
A JSON feed with global information about the affected packages for each distribution.
Note: Both sources are necessary for the proper functioning of the scanner. Below is the procedure to configure each source for an offline update.
Red Hat OVAL feeds
To do an offline update of the Red Hat OVAL feeds, you must download the corresponding files.
OS | Files
---|---
5 |
6 |
7 |
8 |
9 |
To fetch the vulnerability feeds from a user-defined repository, use a configuration similar to the following.
<provider name="redhat">
  <enabled>yes</enabled>
  <os url="http://local_repo/com.redhat.rhsa-RHEL5_v1.xml.bz2">5</os>
  <os url="http://local_repo/rhel-6-including-unpatched.oval.xml.bz2">6</os>
  <os url="http://local_repo/rhel-7-including-unpatched.oval.xml.bz2">7</os>
  <os url="http://local_repo/rhel-8-including-unpatched.oval.xml.bz2">8</os>
  <os url="http://local_repo/rhel-9-including-unpatched.oval.xml.bz2">9</os>
  <update_interval>1h</update_interval>
</provider>
Alternatively, the feeds can be loaded from a local path. To achieve this, use the path attribute as this example shows.
<provider name="redhat">
  <enabled>yes</enabled>
  <os path="/local_path/com.redhat.rhsa-RHEL5_v1.xml.bz2">5</os>
  <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
  <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
  <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
  <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
  <update_interval>1h</update_interval>
</provider>
Red Hat Security Data JSON feed
To perform an offline update, you must make requests to Red Hat's API to get the feed pages starting from a specified date. Wazuh provides an update script that automates downloading the feed and handling API downtime. By default, the script downloads all the CVE data since the year 1999. We recommend keeping the default starting year to maintain a more comprehensive vulnerability database.
How to use the update script
Create a directory for the feeds.
# mkdir /local_path/rh-feed
Run the script indicating the target path.
# ./rh-generator.sh /local_path/rh-feed
The script might output an error message like the following.
Page download failed (504), retrying...
The error message indicates that the Red Hat servers may be temporarily unavailable to you. Regardless, the script keeps trying to finish the download until it acquires the full feed.
Finally, the feed is in a succession of numbered files whose names follow the format redhat-feed<number>.json. To update locally, you must set the path of those files with a regular expression such as the following.
<provider name="redhat">
  <enabled>yes</enabled>
  <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
  <update_interval>1h</update_interval>
</provider>
If you want to upload these files to a local server, they must keep the same numeric sequence in which the script downloaded them. To indicate the numerical range, mark the position of the number in the URL with the [-] tag, together with the start and end attributes. For example, use the following configuration if the previous script returned 15 files.
<provider name="redhat">
  <enabled>yes</enabled>
  <url start="1" end="15">http://local_repo/rh-feed/redhat-feed[-].json</url>
  <update_interval>1h</update_interval>
</provider>
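A mirror published with a gap in the numbering, or a page that was cut off mid-download, silently leaves the local database incomplete. The following Python check is an added example (not part of the Wazuh documentation or the rh-generator.sh script) that verifies the redhat-feed<number>.json pages form a contiguous, parseable sequence and derives the start/end values for the URL form of the configuration; the function names and the sample pages are constructed here.

```python
import json
import os
import re
import tempfile

# rh-generator.sh writes the feed as redhat-feed<number>.json (naming from the page).
FEED_NAME = re.compile(r"^redhat-feed(\d+)\.json$")

def inspect_rh_feed(feed_dir):
    """Return (start, end, problems) for the numbered pages in feed_dir.
    start/end are the values for <url start=".." end="..">; problems lists gaps in the
    numbering and pages that are not valid JSON, either of which means the mirror is incomplete."""
    pages = {}
    for name in os.listdir(feed_dir):
        m = FEED_NAME.match(name)
        if m:
            pages[int(m.group(1))] = os.path.join(feed_dir, name)
    if not pages:
        return None, None, ["no redhat-feed<number>.json files found"]
    start, end = min(pages), max(pages)
    problems = [f"missing page {n}" for n in range(start, end + 1) if n not in pages]
    for n in sorted(pages):
        try:
            with open(pages[n], "rb") as fh:
                json.load(fh)
        except ValueError:  # json.JSONDecodeError is a ValueError
            problems.append(f"{os.path.basename(pages[n])} is not valid JSON")
    return start, end, problems

def provider_snippet(start, end, base_url):
    """Render the <url start end> provider entry for an HTTP mirror of the pages."""
    return (
        '<provider name="redhat">\n'
        '  <enabled>yes</enabled>\n'
        f'  <url start="{start}" end="{end}">{base_url}/redhat-feed[-].json</url>\n'
        '  <update_interval>1h</update_interval>\n'
        '</provider>'
    )

def _demo():
    # Constructed sample: pages 1, 2 and 4 (page 3 missing, page 4 truncated mid-download).
    d = tempfile.mkdtemp()
    for n, body in ((1, '[{"page": 1}]'), (2, "[]"), (4, '[{"page": ')):
        with open(os.path.join(d, f"redhat-feed{n}.json"), "w") as fh:
            fh.write(body)
    return inspect_rh_feed(d)

if __name__ == "__main__":
    start, end, problems = _demo()
    print(problems or provider_snippet(start, end, "http://local_repo/rh-feed"))
```

Run it against the real /local_path/rh-feed directory before copying the files to the local server; only publish, and only set end, when the problem list is empty.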
Arch
To perform an offline update of the Arch feed, download the corresponding JSON file.
OS | Files
---|---
Rolling |
To fetch the vulnerability feed from a user-defined repository, configure your Wazuh server in a similar way to this example.
<provider name="arch">
  <enabled>yes</enabled>
  <url>http://local_repo/security.archlinux.org/issues/all.json</url>
  <update_interval>1h</update_interval>
</provider>
Alternatively, you can load the feed from a local path; in that case, set it with a POSIX regular expression as shown in this example.
<provider name="arch">
  <enabled>yes</enabled>
  <path>/local_path/all\.json$</path>
  <update_interval>1h</update_interval>
</provider>
ALAS
The module currently fetches vulnerability feeds for Amazon Linux systems from the Wazuh repository as ALAS feeds. To perform an offline update of these feeds, you must download them from the corresponding Wazuh repository.
OS | Files
---|---
Amazon Linux |
Amazon Linux 2 |
Amazon Linux 2022 |
Amazon Linux 2023 |
Then place them in the custom location and point the provider at it, as shown in this example.
<provider name="alas">
  <enabled>yes</enabled>
  <os url="http://local_repo/updates_amazon-linux.json.gz">amazon-linux</os>
  <os url="http://local_repo/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
  <os url="http://local_repo/updates_amazon-linux-2022.json.gz">amazon-linux-2022</os>
  <os url="http://local_repo/updates_amazon-linux-2023.json.gz">amazon-linux-2023</os>
  <update_interval>1h</update_interval>
</provider>
Alternatively, you can load the feeds from a local path with the path attribute, as shown in this example.
<provider name="alas">
  <enabled>yes</enabled>
  <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
  <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
  <os path="/local_path/updates_amazon-linux-2022.json.gz">amazon-linux-2022</os>
  <os path="/local_path/updates_amazon-linux-2023.json.gz">amazon-linux-2023</os>
  <update_interval>1h</update_interval>
</provider>
SUSE
Currently, the SUSE Linux vulnerabilities are fetched from one OVAL file for each supported SUSE Linux version.
OS | Files
---|---
SLES 11 |
SLED 11 |
SLES 12 |
SLED 12 |
SLES 15 |
SLED 15 |
Feeds can be fetched from a custom repository using the url attribute for each supported OS, as shown in this example:
<provider name="suse">
  <enabled>yes</enabled>
  <os url="http://local_repo/suse.linux.enterprise.server.11.xml.gz">11-server</os>
  <os url="http://local_repo/suse.linux.enterprise.desktop.11.xml.gz">11-desktop</os>
  <os url="http://local_repo/suse.linux.enterprise.server.12.xml.gz">12-server</os>
  <os url="http://local_repo/suse.linux.enterprise.desktop.12.xml.gz">12-desktop</os>
  <os url="http://local_repo/suse.linux.enterprise.server.15.xml.gz">15-server</os>
  <os url="http://local_repo/suse.linux.enterprise.desktop.15.xml.gz">15-desktop</os>
  <update_interval>1h</update_interval>
</provider>
Alternatively, they can also be loaded from a local path as follows:
<provider name="suse">
  <enabled>yes</enabled>
  <os path="/local_path/suse.linux.enterprise.server.11.xml.gz">11-server</os>
  <os path="/local_path/suse.linux.enterprise.desktop.11.xml.gz">11-desktop</os>
  <os path="/local_path/suse.linux.enterprise.server.12.xml.gz">12-server</os>
  <os path="/local_path/suse.linux.enterprise.desktop.12.xml.gz">12-desktop</os>
  <os path="/local_path/suse.linux.enterprise.server.15.xml.gz">15-server</os>
  <os path="/local_path/suse.linux.enterprise.desktop.15.xml.gz">15-desktop</os>
  <update_interval>1h</update_interval>
</provider>
AlmaLinux
Currently, the module fetches AlmaLinux vulnerabilities from one OVAL file for each supported AlmaLinux version.
OS | Files
---|---
AlmaLinux 8 |
AlmaLinux 9 |
To fetch feeds from a custom repository, you can use the url attribute for each supported OS, as shown in this example:
<provider name="almalinux">
  <enabled>yes</enabled>
  <os url="http://local_repo/org.almalinux.alsa-8.xml">8</os>
  <os url="http://local_repo/org.almalinux.alsa-9.xml">9</os>
  <update_interval>1h</update_interval>
</provider>
Alternatively, you can load the feeds from a local path with the path attribute, as shown in this example.
<provider name="almalinux">
  <enabled>yes</enabled>
  <os path="/local_path/org.almalinux.alsa-8.xml">8</os>
  <os path="/local_path/org.almalinux.alsa-9.xml">9</os>
  <update_interval>1h</update_interval>
</provider>
National Vulnerability Database
To perform an offline update of the National Vulnerability Database, you must get the feed from complete_nvd_feed.json.gz (sha256) and place it in a user-defined repository.
<provider name="nvd">
  <enabled>yes</enabled>
  <url>http://local_repo/complete_nvd_feed.json.gz</url>
  <update_interval>1h</update_interval>
</provider>
To update locally, set the path of the downloaded file using a POSIX regular expression, for example:
<provider name="nvd">
  <enabled>yes</enabled>
  <path>/local_path/nvd-feed/complete_nvd_feed\.json\.gz$</path>
  <update_interval>1h</update_interval>
</provider>
MSU
To perform an offline update of the MSU feed, you must get the feed from msu-updates.json.gz (sha256) and place it in a user-defined repository.
<provider name="msu">
  <enabled>yes</enabled>
  <url>http://local_repo/msu-updates.json.gz</url>
  <update_interval>1h</update_interval>
</provider>
To update locally, set the path of the downloaded file using a POSIX regular expression, for example:
<provider name="msu">
  <enabled>yes</enabled>
  <path>/local_path/msu-updates\.json\.gz$</path>
  <update_interval>1h</update_interval>
</provider>
Sample Configuration
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os path="/local_path/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
      <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
      <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
      <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
      <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os path="/local_path/oval-definitions-buster.xml.bz2">buster</os>
      <os path="/local_path/oval-definitions-bullseye.xml.bz2">bullseye</os>
      <os path="/local_path/oval-definitions-bookworm.xml.bz2">bookworm</os>
      <path>/local_path/security_tracker_local.json</path>
      <update_interval>1h</update_interval>
    </provider>
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os path="/local_path/com.redhat.rhsa-RHEL5_v1.xml.bz2">5</os>
      <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
      <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <path>/local_path/all\.json$</path>
      <update_interval>1h</update_interval>
    </provider>
    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os path="/local_path/suse.linux.enterprise.server.11.xml.gz">11-server</os>
      <os path="/local_path/suse.linux.enterprise.desktop.11.xml.gz">11-desktop</os>
      <os path="/local_path/suse.linux.enterprise.server.12.xml.gz">12-server</os>
      <os path="/local_path/suse.linux.enterprise.desktop.12.xml.gz">12-desktop</os>
      <os path="/local_path/suse.linux.enterprise.server.15.xml.gz">15-server</os>
      <os path="/local_path/suse.linux.enterprise.desktop.15.xml.gz">15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
      <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
      <os path="/local_path/updates_amazon-linux-2023.json.gz">amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- AlmaLinux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>yes</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <path>/local_path/msu-updates\.json\.gz$</path>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <path>/local_path/nvd-feed/complete_nvd_feed\.json\.gz$</path>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
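Two things go wrong most often with a configuration like the one above: a literal path points at a file that was never copied, or a mirror handed back an HTML error page that was saved under a .gz or .bz2 name, so the module is fed a file whose content does not match its extension. The Python check below is an added example (not Wazuh's own tooling) that walks every path attribute and <path> element of a vulnerability-detector configuration, verifies literal files exist and carry the compression magic their extension promises, and verifies each POSIX-regex path matches at least one file; the function names and the constructed mirror directory are assumptions made here.

```python
import os, re, tempfile
import xml.etree.ElementTree as ET

# First bytes a .gz or .bz2 feed must start with; a saved HTTP error page will not.
MAGIC = {".gz": b"\x1f\x8b", ".bz2": b"BZh"}

def check_path(provider, p):
    """Return a problem string for one configured local path, or None if it looks right."""
    if p.endswith("$"):  # regex path, as in the Red Hat, Arch, NVD and MSU examples
        d, pat = os.path.split(p)
        # Translate the POSIX idioms used on the page ([[:digit:]], \+) to Python re.
        rx = re.compile(pat.replace("[[:digit:]]", r"\d").replace(r"\+", "+"))
        if os.path.isdir(d) and any(rx.search(n) for n in os.listdir(d)):
            return None
        return f"{provider}: nothing in {d} matches {pat}"
    if not os.path.isfile(p):
        return f"{provider}: {p} is missing"
    ext = os.path.splitext(p)[1]
    with open(p, "rb") as fh:
        head = fh.read(3)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return f"{provider}: {p} is not {ext[1:]}-compressed data"
    return None

def check_config(xml_text):
    """Validate every os/@path and <path> under <vulnerability-detector>; return problems."""
    problems = []
    for prov in ET.fromstring(xml_text).iter("provider"):
        paths = [o.get("path") for o in prov.findall("os") if o.get("path")]
        paths += [el.text for el in prov.findall("path")]
        problems += [e for e in (check_path(prov.get("name"), p) for p in paths) if e]
    return problems

def _demo():
    # Constructed mirror: a bogus .gz (HTML error page), a missing Debian file, a matching Red Hat page, an unmatched Arch regex.
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "rh-feed"))
    with open(os.path.join(d, "updates_amazon-linux.json.gz"), "wb") as fh:
        fh.write(b"<html>404 Not Found</html>")
    with open(os.path.join(d, "rh-feed", "redhat-feed1.json"), "w") as fh:
        fh.write("[]")
    cfg = rf"""<ossec_config><vulnerability-detector>
<provider name="alas"><os path="{d}/updates_amazon-linux.json.gz">amazon-linux</os></provider>
<provider name="debian"><os path="{d}/oval-definitions-bookworm.xml.bz2">bookworm</os></provider>
<provider name="redhat"><path>{d}/rh-feed/redhat-feed[[:digit:]]\+\.json$</path></provider>
<provider name="arch"><path>{d}/all\.json$</path></provider>
</vulnerability-detector></ossec_config>"""
    return check_config(cfg)

if __name__ == "__main__":
    print("\n".join(_demo()) or "all feed paths look good")
```

To check a real deployment, read /var/ossec/etc/ossec.conf and pass its text to check_config() instead of the constructed sample.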