Vulnerability detection

Wazuh detects vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detector module. It performs a software audit by building a global vulnerability database from vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. Wazuh cross-correlates these feeds with data from the endpoint application inventory.

The Vulnerability Detector module helps to implement the following HIPAA section:

  • Security Management Process §164.308(a)(1) - Risk Analysis: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

    This section of the HIPAA standard requires identifying risks and vulnerabilities affecting systems containing healthcare information.

    The Wazuh Vulnerability Detector module assists in meeting aspects of this HIPAA section. The Vulnerability Detector module scans an endpoint for vulnerable applications/packages and missing OS updates. Refer to the vulnerability detection section of our documentation for more details on configuring vulnerability scans.

Use case: Detect vulnerabilities

In this use case, you configure Wazuh to detect vulnerabilities on an Ubuntu 20.04 endpoint (bionic) with the following steps:

  1. Add or modify the following lines in the Wazuh server configuration file (/var/ossec/etc/ossec.conf) using a text editor. This enables the module and the vulnerability feed for the endpoint's OS version (in this case, Ubuntu bionic under the canonical provider):

     <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <provider name="canonical">
           <enabled>yes</enabled>
           <os>bionic</os>
           <update_interval>1h</update_interval>
        </provider>
     </vulnerability-detector>
    
  2. Restart the Wazuh server to apply the changes:

    # systemctl restart wazuh-manager
    The Vulnerability Detector module runs a scan at startup when run_on_start is enabled, and then periodically at the frequency set by interval. After the scan, you can view the results on the Wazuh dashboard, which includes information about vulnerable packages on the monitored endpoint. In this case, the vim package installed on the endpoint has known vulnerabilities. You can also see the date and time of the most recent vulnerability scan.

    When you select any of the vulnerabilities, the dashboard shows an overview of the issues detected and their status on the agent.
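    Before restarting the manager, it is worth checking that the block you edited actually covers the endpoint's OS: a provider that is present but disabled, an <os> codename that does not match the endpoint, or an update_interval so long that the feed goes stale will all leave the scan silently incomplete. The script below is an added example (not part of the Wazuh documentation or code base) that parses an ossec.conf fragment and reports such misconfigurations. It assumes only that ossec.conf is XML made of one or more top-level <ossec_config> elements and that interval values are a number followed by s, m, h or d; the sample configurations, the 24-hour feed-age threshold and the assumed 1h default for update_interval are constructed for the example.

```python
"""Sanity-check the <vulnerability-detector> block of a Wazuh ossec.conf.

Added example, not Wazuh's own code. Assumptions: ossec.conf consists of one
or more top-level <ossec_config> elements, and interval values are a number
followed by s/m/h/d (seconds, minutes, hours, days).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the configuration shown in the use case.
GOOD_CONFIG = """
<ossec_config>
  <vulnerability-detector>
     <enabled>yes</enabled>
     <interval>5m</interval>
     <run_on_start>yes</run_on_start>
     <provider name="canonical">
        <enabled>yes</enabled>
        <os>bionic</os>
        <update_interval>1h</update_interval>
     </provider>
  </vulnerability-detector>
</ossec_config>
"""

# Constructed sample of a weak configuration: the module is on, but the
# provider is disabled, no scan runs at startup and the feed refresh is slow.
WEAK_CONFIG = """
<ossec_config>
  <vulnerability-detector>
     <enabled>yes</enabled>
     <interval>5m</interval>
     <run_on_start>no</run_on_start>
     <provider name="canonical">
        <enabled>no</enabled>
        <os>focal</os>
        <update_interval>7d</update_interval>
     </provider>
  </vulnerability-detector>
</ossec_config>
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_interval(value):
    """Convert '5m' / '1h' / '7d' style values to seconds (bare number = seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value or "")
    if not m:
        raise ValueError(f"bad interval: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def load_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML by itself, so wrap the file in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def _text(elem, tag, default=""):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def check_vuln_detector(config_text, expected_os, max_feed_age=24 * 3600):
    """Return a list of findings; an empty list means the block looks right."""
    findings = []
    root = load_ossec_conf(config_text)
    blocks = root.findall("./ossec_config/vulnerability-detector")
    if not blocks:
        return ["no <vulnerability-detector> block found"]
    vd = blocks[0]
    if _text(vd, "enabled") != "yes":
        findings.append("module is not enabled")
    if _text(vd, "run_on_start") != "yes":
        findings.append("run_on_start is not 'yes'; first scan waits a full interval")
    matched = False
    for prov in vd.findall("provider"):
        os_names = [(o.text or "").strip() for o in prov.findall("os")]
        if expected_os not in os_names:
            continue
        matched = True
        name = prov.get("name")
        if _text(prov, "enabled") != "yes":
            findings.append(f"provider '{name}' covers {expected_os} but is disabled")
        # 1h is an assumed default when update_interval is absent.
        age = parse_interval(_text(prov, "update_interval", "1h"))
        if age > max_feed_age:
            findings.append(f"provider '{name}' refreshes its feed every {age}s (> {max_feed_age}s)")
    if not matched:
        findings.append(f"no provider lists <os>{expected_os}</os>")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, check_vuln_detector(cfg, "bionic") or "OK")
```

    Run it against the real file with the contents of /var/ossec/etc/ossec.conf and the codename of the endpoint you expect to be scanned; the wrapping in load_ossec_conf is what makes a multi-root ossec.conf parse at all, so keep it if you adapt the script.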