Common criteria 7.1

Use case: Monitoring a CentOS endpoint for vulnerabilities

Wazuh helps meet the common criteria CC7.1 by providing the Vulnerability Detection module. This module can uncover vulnerabilities in operating systems and installed applications. It performs a software audit by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.

In this use case, you can see how the Wazuh Vulnerability Detection module detects vulnerabilities on a CentOS 8 endpoint.

1. Edit the Wazuh server configuration file /var/ossec/etc/ossec.conf. Make sure the module is enabled.

   <vulnerability-detection>
     <enabled>yes</enabled>
     <index-status>yes</index-status>
     <feed-update-interval>60m</feed-update-interval>
   </vulnerability-detection>
   
   <indexer>
     <enabled>yes</enabled>
     <hosts>
       <host>https://0.0.0.0:9200</host>
     </hosts>
     <ssl>
       <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
       </certificate_authorities>
       <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
       <key>/etc/filebeat/certs/filebeat-key.pem</key>
     </ssl>
   </indexer>
   

2. If you made changes, restart the Wazuh manager to apply them:

   SystemdSysV init

   # systemctl restart wazuh-manager
   

3. Navigate to the Vulnerability Detection module from the Wazuh dashboard. Select the agent to view its discovered vulnerabilities.