Vulnerability detection

Wazuh uses the Vulnerability Detection module to identify vulnerabilities in applications and operating systems running on endpoints.

This use case shows how Wazuh detects unpatched Common Vulnerabilities and Exposures (CVEs) in the monitored endpoint.

For more information on this capability, check the vulnerability detection section of the documentation.

Infrastructure

Endpoint     Description
Debian 12    The vulnerability detection module checks for vulnerabilities in the operating system and installed applications on this Linux endpoint.

Configuration

The Vulnerability Detection module is enabled by default. You can perform the following steps on the Wazuh server to ensure that the Wazuh Vulnerability Detection module is enabled and properly configured.

  1. Open the /var/ossec/etc/ossec.conf file on the Wazuh server. Check the following settings.

    • Vulnerability Detection is enabled.

      <vulnerability-detection>
         <enabled>yes</enabled>
         <index-status>yes</index-status>
         <feed-update-interval>60m</feed-update-interval>
      </vulnerability-detection>
      
    • The indexer connection is properly configured.

      By default, the indexer settings have one host configured, and it is set to the 0.0.0.0 placeholder shown below.

      <indexer>
        <enabled>yes</enabled>
        <hosts>
          <host>https://0.0.0.0:9200</host>
        </hosts>
        <ssl>
          <certificate_authorities>
            <ca>/etc/filebeat/certs/root-ca.pem</ca>
          </certificate_authorities>
          <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
          <key>/etc/filebeat/certs/filebeat-key.pem</key>
        </ssl>
      </indexer>
      

      Replace 0.0.0.0 with your Wazuh indexer node IP address or hostname. You can find this value in the Filebeat config file /etc/filebeat/filebeat.yml.

      Ensure the certificate and key file names in the <ssl> section match the files present in /etc/filebeat/certs.

      If you have a Wazuh indexer cluster, add a <host> entry for each of your nodes. For example, in a two-node configuration:

      <hosts>
        <host>https://10.0.0.1:9200</host>
        <host>https://10.0.0.2:9200</host>
      </hosts>
      

      Vulnerability detection reports to the first node in the list. If that node is unavailable, it fails over to the next one in order.

  2. If you made changes to the configuration, restart the Wazuh manager.

    $ sudo systemctl restart wazuh-manager
    
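Before restarting the manager in step 2, it helps to verify the settings from step 1 mechanically rather than by eye. The script below is an added example and is not Wazuh's own tooling or part of this guide. It assumes the ossec.conf layout shown above (one tag per line, first-match blocks), takes the config path as its only argument, and includes a constructed sample configuration so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of Wazuh or its documentation): pre-restart sanity checks
# for the vulnerability-detection and indexer settings in an ossec.conf.
# Assumes one XML tag per line, as in the excerpts in this guide.

# Print the lines of the first <TAG>...</TAG> block in FILE.
xml_block() {  # xml_block TAG FILE
    awk -v tag="$1" '
        index($0, "<" tag ">")             { inblock = 1 }
        inblock                            { print }
        inblock && index($0, "</" tag ">") { exit }
    ' "$2"
}

# Return 0 when the <vulnerability-detection> block contains <enabled>yes</enabled>.
vd_enabled() {
    xml_block vulnerability-detection "$1" | grep -q '<enabled>yes</enabled>'
}

# Print one indexer host URL per line, in configured (failover) order.
indexer_hosts() {
    xml_block indexer "$1" | sed -n 's/.*<host>\(.*\)<\/host>.*/\1/p'
}

# Return 0 when at least one host is configured and none is the 0.0.0.0 placeholder.
indexer_hosts_ok() {
    hosts=$(indexer_hosts "$1")
    [ -n "$hosts" ] || return 1
    if printf '%s\n' "$hosts" | grep -q '0\.0\.0\.0'; then
        return 1
    fi
    return 0
}

# Print the <ca>, <certificate> and <key> paths from the indexer <ssl> section.
indexer_cert_paths() {
    xml_block indexer "$1" | sed -n -E 's/.*<(ca|certificate|key)>(.*)<\/[a-z]+>.*/\2/p'
}

# Return 0 when every certificate path is a readable file; list missing ones on stderr.
# Paths are assumed not to contain whitespace.
indexer_certs_present() {
    status=0
    for path in $(indexer_cert_paths "$1"); do
        [ -r "$path" ] || { echo "missing certificate file: $path" >&2; status=1; }
    done
    return $status
}

# Constructed sample in the shape of the excerpts above (HOST and CERTDIR substituted).
# It is test input for this script, not a real Wazuh default file.
sample_conf() {  # sample_conf HOST CERTDIR
    cat <<EOF
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://$1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>$2/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>$2/filebeat.pem</certificate>
      <key>$2/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>
EOF
}

# Print a short report for CONF and return non-zero if any check fails.
report() {
    conf=$1
    rc=0
    if vd_enabled "$conf"; then echo "vulnerability detection: enabled"
    else echo "vulnerability detection: NOT enabled"; rc=1; fi
    if indexer_hosts_ok "$conf"; then echo "indexer hosts: $(indexer_hosts "$conf" | tr '\n' ' ')"
    else echo "indexer hosts: none configured or still 0.0.0.0"; rc=1; fi
    if indexer_certs_present "$conf"; then echo "certificates: present"
    else echo "certificates: missing files"; rc=1; fi
    return $rc
}

# Usage: sh check_vd_conf.sh /var/ossec/etc/ossec.conf
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it as root on the manager (the certificate files under /etc/filebeat/certs are not world-readable), and fix anything it flags before the restart; a leftover 0.0.0.0 host is the most common reason vulnerability data never reaches the indexer.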

Test the configuration

Note

The time it takes to detect vulnerabilities depends on the Syscollector scan interval configured in the ossec.conf file. To reduce the waiting time in this test, see the System inventory capability configuration.

  1. Install a vulnerable version of Vim, such as 2:9.0.1378-2 or earlier, on the Debian endpoint. Wait for Syscollector to run a new scan.

  2. Remove the Vim package to fix the vulnerability. Wait for Syscollector to run a new scan.

Visualize the alerts

You can visualize the detected vulnerabilities in the Wazuh dashboard. To see a list of active vulnerabilities, go to Vulnerability Detection and select Inventory. Add a filter in the search bar to query all active vulnerabilities for the Vim package.

  • package.name:vim

To see vulnerability alerts for the last system inventory scan, switch to Events. Add filters in the search bar to query vulnerability alerts for Vim.

  • Active vulnerability alerts – data.vulnerability.package.name: vim AND data.vulnerability.status:Active

  • Solved vulnerability alerts – data.vulnerability.package.name: vim AND data.vulnerability.status:Solved