Vulnerability detection

Wazuh is able to detect vulnerabilities in the applications installed on agents using the Vulnerability Detector module. This software audit is performed through the integration of vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. The vulnerability detection module can help meet the following PCI DSS requirements:

  • Requirement 6 - Develop and Maintain Secure Systems and Software: Actors with bad intentions can use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.

    The goal of this requirement is to ensure that systems and software have the appropriate security patches for discovered vulnerabilities to prevent compromise.

  • Requirement 11 - Test Security of Systems and Networks Regularly: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

    The goal of this requirement is to ensure that systems and networks are regularly tested to confirm their security status. These tests include penetration testing and vulnerability scans.

The Wazuh vulnerability detector module can help meet the above requirements by performing scans of the endpoint where the Wazuh agent is installed to detect new and existing vulnerabilities. The Wazuh agent collects a list of installed applications and OS information and sends it periodically to the manager, where it is cross-correlated with the manager's global vulnerability database, built from publicly available CVE repositories, to determine which vulnerabilities exist on the endpoint. More details on configuring vulnerability scans can be found in the vulnerability detection section of the documentation.

Use cases

Below are some PCI DSS requirements use cases that can be met with the vulnerability detection module.

  • PCI DSS 6.3 requires that security vulnerabilities are identified and addressed. These security vulnerabilities can be identified by scheduling vulnerability scans with the Vulnerability Detector module. In this case, we want to detect vulnerabilities in packages installed on an Ubuntu 20.04 endpoint. We add the following block to the shared agent configuration file /var/ossec/etc/shared/default/agent.conf so that the agent inventories its installed packages:

    <wodle name="syscollector">
       <disabled>no</disabled>
       <interval>1h</interval>
       <packages>yes</packages>
    </wodle>
    

    Add or modify the following lines in the manager configuration file /var/ossec/etc/ossec.conf to enable vulnerability detection for the specific OS version, for example, Ubuntu bionic.

     <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5m</interval>
        <run_on_start>yes</run_on_start>
        <provider name="canonical">
           <enabled>yes</enabled>
           <os>bionic</os>
           <update_interval>1h</update_interval>
        </provider>
     </vulnerability-detector>
    

    Restart the manager to apply the changes.

    Systemd:

    # systemctl restart wazuh-manager

    SysV init:

    # service wazuh-manager restart


    After the scan is run, we can see the results on the Wazuh dashboard with the details of the vulnerable packages. In this case, we can see vulnerabilities in the openssh application.

    When we select any of the vulnerabilities, there is an overview of the issue detected and its status on the agent.

  • PCI DSS 11.3 requires that external and internal vulnerabilities are regularly identified, prioritized, and addressed. These vulnerabilities can be identified by performing vulnerability scans. The Wazuh vulnerability detector also supports the prioritization of vulnerabilities by providing details on the severity rating and the CVSS scores. From the vulnerability detector dashboard, it is possible to filter for vulnerabilities with a severity rating of critical to prioritize remediation.
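The first use case above only produces results when the two configuration fragments agree with each other and with the agent: syscollector must actually collect packages, the vulnerability-detector block and its provider must be enabled, and the provider's `<os>` entries must include the codename of the release the agent runs (bionic is Ubuntu 18.04, focal is Ubuntu 20.04); an agent whose release is not listed is simply not matched against any feed. The following script is an added example, not Wazuh code: it parses the two fragments shown above (embedded here as constructed input), applies those checks, and reports the mismatch between a focal agent and a provider that only lists bionic. The `UBUNTU_CODENAMES` map and the `check_vd_config` function are mine; real `ossec.conf` files contain several `<ossec_config>` roots, which is why the fragment is wrapped in a synthetic root before parsing.

```python
"""Sanity-check Wazuh vulnerability-detector configuration fragments.

Added example for this page, not part of Wazuh. It parses the agent.conf
and ossec.conf snippets from the page and flags settings that would make a
scan silently produce no results for the agent.
"""
import xml.etree.ElementTree as ET

# Constructed inputs: the two fragments shown on the page.
AGENT_CONF = """
<wodle name="syscollector">
   <disabled>no</disabled>
   <interval>1h</interval>
   <packages>yes</packages>
</wodle>
"""

OSSEC_CONF = """
<vulnerability-detector>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <run_on_start>yes</run_on_start>
   <provider name="canonical">
      <enabled>yes</enabled>
      <os>bionic</os>
      <update_interval>1h</update_interval>
   </provider>
</vulnerability-detector>
"""

# Ubuntu release -> codename as the canonical provider names them (assumed map).
UBUNTU_CODENAMES = {"18.04": "bionic", "20.04": "focal", "22.04": "jammy"}


def _parse_fragment(text):
    # ossec.conf holds several <ossec_config> roots, so a fragment is wrapped
    # in a synthetic root to make it a single well-formed document.
    return ET.fromstring("<root>" + text + "</root>")


def _yes(elem, tag, default):
    return elem.findtext(tag, default).strip().lower() == "yes"


def check_vd_config(agent_conf, ossec_conf, agent_codename, provider_name="canonical"):
    """Return a list of findings; an empty list means the fragments are consistent."""
    findings = []

    wodle = _parse_fragment(agent_conf).find("wodle[@name='syscollector']")
    if wodle is None:
        findings.append("agent.conf: no syscollector wodle, the manager receives no package inventory")
    else:
        if _yes(wodle, "disabled", "no"):
            findings.append("agent.conf: syscollector is disabled")
        if not _yes(wodle, "packages", "yes"):
            findings.append("agent.conf: syscollector does not collect packages")

    vd = _parse_fragment(ossec_conf).find("vulnerability-detector")
    if vd is None:
        findings.append("ossec.conf: no vulnerability-detector block")
        return findings
    if not _yes(vd, "enabled", "no"):
        findings.append("ossec.conf: vulnerability-detector is not enabled")

    provider = vd.find(f"provider[@name='{provider_name}']")
    if provider is None:
        findings.append(f"ossec.conf: provider '{provider_name}' is not configured")
        return findings
    if not _yes(provider, "enabled", "no"):
        findings.append(f"ossec.conf: provider '{provider_name}' is disabled")

    # <os> may be repeated under one provider; collect every listed codename.
    covered = {os_elem.text.strip() for os_elem in provider.findall("os") if os_elem.text}
    if agent_codename not in covered:
        findings.append(
            f"ossec.conf: provider '{provider_name}' feeds {sorted(covered)} but the agent runs "
            f"'{agent_codename}', so its packages are never matched against a feed"
        )
    return findings


if __name__ == "__main__":
    # A 20.04 (focal) agent against the page's bionic-only provider.
    for finding in check_vd_config(AGENT_CONF, OSSEC_CONF, UBUNTU_CODENAMES["20.04"]):
        print("WARNING:", finding)
```

Run it after editing the fragments (or point it at the real files and wrap their contents the same way); an empty result means the agent's release is covered by an enabled provider and the manager will receive package data to correlate.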
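The prioritization described for PCI DSS 11.3 can also be done outside the dashboard, for example from the manager's newline-delimited alerts.json. The script below is an added example, not Wazuh code: it reads alert lines, keeps only those that carry a `data.vulnerability` block, drops findings already marked Solved, filters by a minimum severity, and orders the rest by severity and CVSS base score so the critical items come first. The sample alerts are constructed here and only mimic the shape of Wazuh 4.x vulnerability-detector alerts (the field names `cve`, `package.name`, `severity`, `cvss.cvss3.base_score` and `status` are assumed from that format); the CVE ids and scores are placeholders. A non-vulnerability alert and a truncated line are included to show that both are skipped rather than crashing the triage.

```python
"""Triage Wazuh vulnerability alerts by severity and CVSS score.

Added example for this page, not Wazuh code. Sample records are constructed
to resemble the data.vulnerability block of Wazuh 4.x alerts; CVE ids, scores
and package versions are placeholders.
"""
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Untriaged": 0}


def _alert(agent, cve, package, severity, cvss3, status="Active"):
    # Builds one constructed alert line in the assumed Wazuh shape.
    return json.dumps({
        "rule": {"description": f"{cve} affects {package}"},
        "agent": {"id": "001", "name": agent},
        "data": {"vulnerability": {
            "cve": cve,
            "package": {"name": package, "version": "0.0-placeholder"},
            "severity": severity,
            "cvss": {"cvss3": {"base_score": cvss3}},
            "status": status,
        }},
    })


# Constructed alerts.json excerpt: one JSON alert per line, plus a
# non-vulnerability alert and a truncated line to exercise error handling.
SAMPLE_ALERTS = "\n".join([
    _alert("ubuntu-agent", "CVE-0000-00001", "openssh-server", "Critical", "9.8"),
    _alert("ubuntu-agent", "CVE-0000-00002", "openssh-client", "High", "7.5"),
    _alert("ubuntu-agent", "CVE-0000-00003", "libplaceholder", "Critical", "9.1", status="Solved"),
    _alert("ubuntu-agent", "CVE-0000-00004", "curl", "Medium", "5.3"),
    json.dumps({"rule": {"description": "PAM: Login session opened."},
                "agent": {"name": "ubuntu-agent"}, "data": {"dstuser": "root"}}),
    '{"rule": {}, "data": {"vulnerability": {"cve": "CVE-0000-00005"',
])


def parse_vuln_alerts(lines):
    """Yield (agent name, vulnerability record) for each alert that carries one."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip, do not abort the run
        vuln = alert.get("data", {}).get("vulnerability")
        if vuln is None:
            continue  # some other alert type
        yield alert.get("agent", {}).get("name", "?"), vuln


def cvss_score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0."""
    cvss = vuln.get("cvss", {})
    for key in ("cvss3", "cvss2"):
        score = cvss.get(key, {}).get("base_score")
        if score not in (None, ""):
            try:
                return float(score)
            except ValueError:
                pass
    return 0.0


def triage(lines, min_severity="Critical"):
    """Return active findings at or above min_severity, most severe first."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for agent, vuln in parse_vuln_alerts(lines):
        if vuln.get("status", "Active") != "Active":
            continue  # already remediated on the agent
        severity = vuln.get("severity", "Untriaged")
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        rows.append({
            "agent": agent,
            "cve": vuln.get("cve"),
            "package": vuln.get("package", {}).get("name"),
            "severity": severity,
            "cvss": cvss_score(vuln),
        })
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["cvss"], r["cve"] or ""))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS.splitlines(), "High"):
        print(f"{row['severity']:<8} {row['cvss']:>4} {row['cve']} {row['package']} ({row['agent']})")
```

Against a real manager, feed `open("/var/ossec/logs/alerts/alerts.json")` to `triage` instead of the sample lines; lowering `min_severity` widens the list while the ordering still puts the highest CVSS scores at the top.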