Vulnerability detection

Wazuh uses the Vulnerability Detector module to identify vulnerabilities in applications and operating systems running on endpoints.

This use case shows how Wazuh detects unpatched Common Vulnerabilities and Exposures (CVEs) in the monitored endpoint.

For more information on this capability, check the vulnerability detection section of the documentation.

Infrastructure

Endpoint        Description
Ubuntu 22.04    The vulnerability detection module scans this Linux endpoint for vulnerabilities in its operating system and installed applications.
Windows 11      The vulnerability detection module scans this Windows endpoint for vulnerabilities in its operating system and installed applications.

Configuration

Perform the following steps on the Wazuh server to enable the Wazuh Vulnerability Detector module.

  1. Enable the Vulnerability Detector module in the /var/ossec/etc/ossec.conf file on the Wazuh server:

    <ossec_config>
      <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5m</interval>
        <min_full_scan_interval>6h</min_full_scan_interval>
        <run_on_start>yes</run_on_start>

        <!-- Ubuntu OS vulnerabilities -->
        <provider name="canonical">
          <enabled>yes</enabled>
          <os>trusty</os>
          <os>xenial</os>
          <os>bionic</os>
          <os>focal</os>
          <os>jammy</os>
          <update_interval>1h</update_interval>
        </provider>

        <!-- Debian OS vulnerabilities -->
        <provider name="debian">
          <enabled>yes</enabled>
          <os>buster</os>
          <os>bullseye</os>
          <os>bookworm</os>
          <update_interval>1h</update_interval>
        </provider>

        <!-- RedHat OS vulnerabilities -->
        <provider name="redhat">
          <enabled>yes</enabled>
          <os>5</os>
          <os>6</os>
          <os>7</os>
          <os>8</os>
          <os allow="CentOS Linux-8">8</os>
          <os>9</os>
          <update_interval>1h</update_interval>
        </provider>

        <!-- Windows OS vulnerabilities -->
        <provider name="msu">
          <enabled>yes</enabled>
          <update_interval>1h</update_interval>
        </provider>

        <!-- Aggregate vulnerabilities -->
        <provider name="nvd">
          <enabled>yes</enabled>
          <update_interval>1h</update_interval>
        </provider>
      </vulnerability-detector>
    </ossec_config>

  2. Restart the Wazuh manager to apply the configuration changes:

    $ sudo systemctl restart wazuh-manager

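A misconfigured provider (for example, the canonical feed without the jammy codename) silently leaves an endpoint unscanned, so it is worth checking the block before restarting the manager. The following script is an added example, not part of this guide or of Wazuh itself: it parses the vulnerability-detector section of an ossec.conf and reports whether the module and the providers needed for the two endpoints above (canonical with jammy for Ubuntu 22.04, msu for Windows 11, plus nvd as the guide enables it) are turned on. The configuration text is a constructed sample embedded inline with the nvd provider deliberately disabled; on a real server you would read /var/ossec/etc/ossec.conf instead. The wrapping of the file in a synthetic root element is needed because ossec.conf may contain several top-level <ossec_config> blocks, which is not well-formed XML by itself.

```python
"""Added example (not Wazuh's own code): sanity-check the vulnerability-detector
block of an ossec.conf before restarting the manager."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of this guide's configuration. The nvd
# provider is set to "no" on purpose so the check has something to report.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, so wrap
    the whole file in a synthetic root to make it parseable as one document."""
    return ET.fromstring("<root>" + text + "</root>")


def vulnerability_detector_report(text, required_providers):
    """Return {"module_enabled", "providers", "problems"} for the config text.

    required_providers maps a provider name to the set of <os> codenames that
    must be listed (an empty set for providers without <os> entries, e.g. msu).
    Assumption: if several <vulnerability-detector> blocks exist, the module is
    treated as enabled only when every block sets <enabled>yes</enabled>.
    """
    root = parse_ossec_conf(text)
    blocks = root.findall("./ossec_config/vulnerability-detector")
    report = {"module_enabled": False, "providers": {}, "problems": []}
    if not blocks:
        report["problems"].append("no <vulnerability-detector> block found")
        return report

    report["module_enabled"] = all(
        b.findtext("enabled", "no").strip().lower() == "yes" for b in blocks
    )
    if not report["module_enabled"]:
        report["problems"].append("<vulnerability-detector> is not enabled")

    providers = {}
    for b in blocks:
        for p in b.findall("provider"):
            providers[p.get("name", "")] = {
                "enabled": p.findtext("enabled", "no").strip().lower() == "yes",
                "os": {o.text.strip() for o in p.findall("os") if o.text},
            }
    report["providers"] = providers

    for name, needed_os in required_providers.items():
        p = providers.get(name)
        if p is None or not p["enabled"]:
            report["problems"].append(f"provider '{name}' missing or disabled")
            continue
        missing = needed_os - p["os"]
        if missing:
            report["problems"].append(
                f"provider '{name}' lacks <os> {sorted(missing)}"
            )
    return report


# Providers this guide's two endpoints depend on: Ubuntu 22.04 -> canonical/jammy,
# Windows 11 -> msu; nvd is enabled in the guide as well.
REQUIRED = {"canonical": {"jammy"}, "msu": set(), "nvd": set()}

if __name__ == "__main__":
    for problem in vulnerability_detector_report(SAMPLE_OSSEC_CONF, REQUIRED)["problems"]:
        print("PROBLEM:", problem)
```

Run it against the real file with `open("/var/ossec/etc/ossec.conf").read()` in place of the sample; an empty problems list means the block is ready for the restart in step 2.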

Test the configuration

You don’t have to perform any action. The Wazuh server creates a CVE database in /var/ossec/queue/vulnerabilities/cve.db. It performs vulnerability detection scans periodically for applications and operating systems on each monitored endpoint.

Note

Depending on the network, downloading the vulnerability database takes some time, and scanning the monitored endpoint for vulnerable packages takes longer still.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability detector module, select an agent and click on any vulnerability.

Alert examples (screenshots in the original page): Windows, Ubuntu.
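The dashboard view above is built from the same alerts the manager writes to /var/ossec/logs/alerts/alerts.json, and reading them directly is useful when you want a quick per-endpoint count of open vulnerabilities or want to feed them into another tool. The script below is an added example, not part of this guide or of Wazuh: it folds a stream of alert lines into the latest known state of each (agent, CVE, package) triple, so that a later "Solved" alert for a patched package cancels the earlier "Active" one, and then counts what is still open by agent and severity. The alert lines are constructed samples: the field layout (data.vulnerability.cve, .severity, .status, .package.name/.version) is assumed to match the Wazuh vulnerability-detector alert format, while the CVE identifiers, agent names and package versions are placeholders.

```python
"""Added example (not Wazuh's own code): summarise open vulnerabilities per
endpoint from alerts.json-style lines, honouring later "Solved" alerts."""
import json
from collections import Counter

# Constructed sample alert lines. Field names follow the assumed Wazuh
# vulnerability-detector alert layout; CVE ids and versions are placeholders.
SAMPLE_ALERT_LINES = [
    json.dumps({"agent": {"id": "001", "name": "ubuntu-22"},
                "rule": {"id": "23504", "description": "CVE-0000-0001 affects openssl"},
                "data": {"vulnerability": {"cve": "CVE-0000-0001", "severity": "Critical",
                                           "status": "Active",
                                           "package": {"name": "openssl", "version": "3.0.2-0ubuntu1"}}}}),
    json.dumps({"agent": {"id": "001", "name": "ubuntu-22"},
                "rule": {"id": "23503", "description": "CVE-0000-0002 affects curl"},
                "data": {"vulnerability": {"cve": "CVE-0000-0002", "severity": "High",
                                           "status": "Active",
                                           "package": {"name": "curl", "version": "7.81.0-1ubuntu1"}}}}),
    # Unrelated alert (not from the vulnerability detector) that must be ignored.
    json.dumps({"agent": {"id": "001", "name": "ubuntu-22"},
                "rule": {"id": "5710", "description": "sshd: Attempt to login using a non-existent user"},
                "data": {"srcip": "198.51.100.7"}}),
    json.dumps({"agent": {"id": "002", "name": "win11"},
                "rule": {"id": "23502", "description": "CVE-0000-0003 affects Windows"},
                "data": {"vulnerability": {"cve": "CVE-0000-0003", "severity": "Medium",
                                           "status": "Active",
                                           "package": {"name": "Windows 11", "version": "10.0.22621"}}}}),
    # openssl was patched on the Ubuntu endpoint: the Solved alert closes CVE-0000-0001.
    json.dumps({"agent": {"id": "001", "name": "ubuntu-22"},
                "rule": {"id": "23505", "description": "CVE-0000-0001 no longer affects openssl"},
                "data": {"vulnerability": {"cve": "CVE-0000-0001", "severity": "Critical",
                                           "status": "Solved",
                                           "package": {"name": "openssl", "version": "3.0.2-0ubuntu1.10"}}}}),
]


def latest_state(alert_lines):
    """Fold alert lines (in the order they were written) into the last known
    record per (agent id, CVE, package name). Non-vulnerability alerts and
    malformed lines are skipped."""
    state = {}
    for line in alert_lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        vuln = alert.get("data", {}).get("vulnerability")
        if not vuln or "cve" not in vuln:
            continue
        pkg = vuln.get("package", {})
        key = (alert["agent"]["id"], vuln["cve"], pkg.get("name", ""))
        state[key] = {
            "agent": alert["agent"]["name"],
            "severity": vuln.get("severity", "Untriaged"),
            "status": vuln.get("status", "Active"),
            "version": pkg.get("version", ""),
        }
    return state


def open_by_agent_and_severity(alert_lines):
    """Count vulnerabilities whose latest status is still Active, per agent
    name and severity, e.g. {"ubuntu-22": {"High": 1}}."""
    counts = {}
    for rec in latest_state(alert_lines).values():
        if rec["status"] != "Active":
            continue
        counts.setdefault(rec["agent"], Counter())[rec["severity"]] += 1
    return counts


if __name__ == "__main__":
    # On a Wazuh server, replace the sample with open("/var/ossec/logs/alerts/alerts.json").
    for agent, sev in sorted(open_by_agent_and_severity(SAMPLE_ALERT_LINES).items()):
        print(agent, dict(sev))
```

Keying on the package name as well as the CVE matters because one CVE can affect several packages on the same endpoint, and a Solved alert for one of them must not close the others.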