Vulnerability detection

Wazuh is able to detect vulnerabilities in the applications installed on agents using the Vulnerability Detector module. This software audit is performed through the integration of vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. The vulnerability detection module helps to meet the following PCI DSS requirements:

  • Requirement 6 - Develop and Maintain Secure Systems and Software: Actors with bad intentions can use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.

The goal of this requirement is to ensure that systems and software have the appropriate security patches for discovered vulnerabilities to prevent compromise.

  • Requirement 11 - Test Security of Systems and Networks Regularly: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

The goal of this requirement is to ensure that systems and networks are regularly tested to confirm their security status. These tests include penetration testing and vulnerability scans.

The Wazuh vulnerability detector module helps to meet the above requirements. The Wazuh agent runs scans on the endpoint to detect vulnerabilities. It collects a list of installed applications and OS information and sends it periodically to the manager. The Wazuh manager compares this information with its global vulnerability database to determine what vulnerabilities exist on an endpoint. Wazuh builds this global vulnerability database from publicly available CVE repositories. You can find more details on configuring vulnerability scans in the vulnerability detection section of the documentation.

Use cases

Below are some PCI DSS requirement use cases that can be met with the vulnerability detection module:

  • PCI DSS 6.3 requires that you identify and address security vulnerabilities. You can schedule scans with the vulnerability detector module to identify security vulnerabilities. For example, add the following block to the shared agent configuration file /var/ossec/etc/shared/default/agent.conf to detect vulnerabilities in packages installed on an Ubuntu 20.04 endpoint:

    <wodle name="syscollector">
       <disabled>no</disabled>
       <interval>1h</interval>
       <packages>yes</packages>
    </wodle>

    Modify the following lines in the /var/ossec/etc/ossec.conf manager configuration file to enable vulnerability detection for a specific OS version, for example, Ubuntu bionic:

     <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <provider name="canonical">
           <enabled>yes</enabled>
           <os>bionic</os>
           <update_interval>1h</update_interval>
        </provider>
     </vulnerability-detector>

    Restart the manager to apply the changes:

    # systemctl restart wazuh-manager

    Once the scan finishes, you can see the results on the Wazuh dashboard. They include details of vulnerable packages, for example, vulnerabilities in the OpenSSH application.

    When you select a specific vulnerability detected, the Wazuh dashboard shows an overview of the issue and its status on the agent.

  • PCI DSS 11.3 requires that you identify, prioritize, and address external and internal vulnerabilities regularly. You can run scans to identify these vulnerabilities. The Wazuh vulnerability detector gives details on the severity rating and the CVSS scores. This helps to prioritize the vulnerabilities. From the vulnerability detector dashboard, you can filter by vulnerability severity rating to prioritize remediation.
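The same prioritization can be done outside the dashboard, for example to feed a ticketing system. The script below is an added example, not code from the Wazuh documentation or project: it reads vulnerability detector alerts in the newline-delimited JSON form the manager writes to alerts.json, drops findings already marked Solved, and orders the rest by severity rating and CVSS score. The field names (data.vulnerability.cve, severity, status, package.name, cvss.cvss3.base_score) are assumed from the Wazuh 4.x alert format, and the sample alerts and CVE ids are constructed placeholders.

```python
import json

# Constructed sample alerts with placeholder CVE ids, one JSON object per line,
# in the shape the manager writes to /var/ossec/logs/alerts/alerts.json.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"agent": {"name": "web-01"}, "data": {"vulnerability": {
        "cve": "CVE-0000-00001", "severity": "High", "status": "Active",
        "package": {"name": "openssh-server"}, "cvss": {"cvss3": {"base_score": "8.1"}}}}},
    {"agent": {"name": "web-01"}, "data": {"vulnerability": {
        "cve": "CVE-0000-00002", "severity": "Critical", "status": "Active",
        "package": {"name": "libssl1.1"}, "cvss": {"cvss3": {"base_score": "9.8"}}}}},
    {"agent": {"name": "db-01"}, "data": {"vulnerability": {
        "cve": "CVE-0000-00003", "severity": "Medium", "status": "Solved",
        "package": {"name": "bash"}, "cvss": {"cvss2": {"base_score": "5.0"}}}}},
    {"agent": {"name": "db-01"}, "data": {"vulnerability": {
        "cve": "CVE-0000-00004", "severity": "Low", "status": "Active",
        "package": {"name": "curl"}, "cvss": {"cvss3": {"base_score": "3.7"}}}}},
    {"agent": {"name": "db-01"}, "data": {"sca": {"type": "check"}}},  # not a vuln alert
]) + "\nnot json at all"

# Severity labels the vulnerability detector assigns, ranked for sorting.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Untriaged": 0}

def _score(vuln):
    """CVSS v3 base score when the feed supplies one, else CVSS v2, else 0.0."""
    for version in ("cvss3", "cvss2"):
        score = vuln.get("cvss", {}).get(version, {}).get("base_score")
        if score not in (None, ""):
            return float(score)
    return 0.0

def parse_alerts(text):
    """Yield one finding per vulnerability-detector alert; skip everything else."""
    for line in text.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it rather than abort the run
        vuln = alert.get("data", {}).get("vulnerability")
        if vuln:  # FIM, SCA and other alert types carry no data.vulnerability
            yield {"agent": alert.get("agent", {}).get("name", "?"), "cve": vuln.get("cve", "?"),
                   "package": vuln.get("package", {}).get("name", "?"), "score": _score(vuln),
                   "severity": vuln.get("severity", "Untriaged"), "status": vuln.get("status", "Active")}

def prioritize(text, min_severity="Medium"):
    """Open findings at or above min_severity, worst first (the PCI DSS 11.3 triage order)."""
    open_findings = [f for f in parse_alerts(text) if f["status"] != "Solved"
                     and SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[min_severity]]
    return sorted(open_findings, reverse=True,
                  key=lambda f: (SEVERITY_RANK.get(f["severity"], 0), f["score"]))
```

On the constructed input, prioritize(SAMPLE_ALERTS) returns the Critical libssl1.1 finding before the High openssh-server one, and leaves out both the Solved bash entry and the Low curl entry.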