Vulnerability Detector

Wazuh can detect vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detector module. This PoC shows how Wazuh detects installed applications that have unpatched Common Vulnerabilities and Exposures (CVEs) on the monitored system.

For more information on this capability, check the Vulnerability Detection section of the documentation.

Configuration

Configure your environment as follows to test the PoC.

  1. Enable the Vulnerability Detector module in the /var/ossec/etc/ossec.conf file at the Wazuh manager.

    <ossec_config>
      <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5m</interval>
        <ignore_time>6h</ignore_time>
        <run_on_start>yes</run_on_start>

        <!-- Ubuntu OS vulnerabilities -->
        <provider name="canonical">
          <enabled>yes</enabled>
          <os>trusty</os>
          <os>xenial</os>
          <os>bionic</os>
          <os>focal</os>
          <os>jammy</os>
          <update_interval>1h</update_interval>
        </provider>

        <!-- Debian OS vulnerabilities -->
        <provider name="debian">
          <enabled>yes</enabled>
          <os>stretch</os>
          <os>buster</os>
          <os>bullseye</os>
          <update_interval>1h</update_interval>
        </provider>

        <!-- RedHat OS vulnerabilities -->
        <provider name="redhat">
          <enabled>yes</enabled>
          <os>5</os>
          <os>6</os>
          <os>7</os>
          <os>8</os>
          <os allow="Centos Linux-8">8</os>
          <os>9</os>
          <update_interval>1h</update_interval>
        </provider>

        <!-- Windows OS vulnerabilities -->
        <provider name="msu">
          <enabled>yes</enabled>
          <update_interval>1h</update_interval>
        </provider>

        <!-- Aggregate vulnerabilities -->
        <provider name="nvd">
          <enabled>yes</enabled>
          <update_from_year>2010</update_from_year>
          <update_interval>1h</update_interval>
        </provider>

      </vulnerability-detector>
    </ossec_config>
    
  2. Enable hotfixes and packages collection in the syscollector component. This is done in the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf at the monitored Windows endpoint; the Vulnerability Detector uses this inventory to decide which packages and patches to check.

    <wodle name="syscollector">
      <disabled>no</disabled>
      <interval>1h</interval>
      <scan_on_start>yes</scan_on_start>
      <hardware>yes</hardware>
      <os>yes</os>
      <network>yes</network>
      <packages>yes</packages>
      <hotfixes>yes</hotfixes>
      <ports all="no">yes</ports>
      <processes>yes</processes>
    </wodle>
    
  3. Enable software packages collection in the syscollector component of the Wazuh agent configuration file /var/ossec/etc/ossec.conf at the monitored Ubuntu 20 endpoint.

    <wodle name="syscollector">
      <disabled>no</disabled>
      <interval>1h</interval>
      <scan_on_start>yes</scan_on_start>
      <hardware>yes</hardware>
      <os>yes</os>
      <network>yes</network>
      <packages>yes</packages>
      <ports all="no">yes</ports>
      <processes>yes</processes>
    </wodle>
    

Steps to generate the alerts

No action is required. A CVE database is created in /var/ossec/queue/vulnerabilities/cve.db at the Wazuh manager. Vulnerability scans are performed periodically on the applications for each monitored endpoint.

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the following filter in the search bar to query the alerts.

  • rule.groups:vulnerability-detector
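The same rule.groups test can be applied outside the dashboard, for example over the manager's alerts.json file. The following is an added example, not code from the Wazuh documentation: it filters a constructed sample of alert lines on the vulnerability-detector group and summarizes active CVEs per agent and severity. The field layout (data.vulnerability.cve, severity, status, package) follows the Wazuh 4.x alert format; the agent names, rule ids, package versions and CVE ids are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of /var/ossec/logs/alerts/alerts.json
# (one JSON object per line). All identifiers below are invented.
SAMPLE_ALERTS = """\
{"agent":{"id":"001","name":"ubuntu20"},"rule":{"id":"23505","level":10,"groups":["vulnerability-detector"]},"data":{"vulnerability":{"cve":"CVE-0000-0001","severity":"High","status":"Active","package":{"name":"openssl","version":"1.1.1f-1ubuntu2"}}}}
{"agent":{"id":"001","name":"ubuntu20"},"rule":{"id":"23504","level":7,"groups":["vulnerability-detector"]},"data":{"vulnerability":{"cve":"CVE-0000-0002","severity":"Medium","status":"Active","package":{"name":"curl","version":"7.68.0-1ubuntu2"}}}}
{"agent":{"id":"001","name":"ubuntu20"},"rule":{"id":"23503","level":5,"groups":["vulnerability-detector"]},"data":{"vulnerability":{"cve":"CVE-0000-0001","severity":"High","status":"Solved","package":{"name":"openssl","version":"1.1.1f-1ubuntu2.20"}}}}
{"agent":{"id":"002","name":"win10"},"rule":{"id":"23506","level":13,"groups":["vulnerability-detector"]},"data":{"vulnerability":{"cve":"CVE-0000-0003","severity":"Critical","status":"Active","package":{"name":"Example App","version":"1.0"}}}}
{"agent":{"id":"001","name":"ubuntu20"},"rule":{"id":"5501","level":3,"groups":["pam","syslog","authentication_success"]},"data":{}}
"""


def vulnerability_alerts(lines):
    """Yield only the alerts the dashboard filter rule.groups:vulnerability-detector selects."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if "vulnerability-detector" in alert.get("rule", {}).get("groups", []):
            yield alert


def summarize(lines):
    """Return {agent_name: {"by_severity": Counter, "cves": [(cve, package, version)]}}.

    Alerts whose status is not "Active" (e.g. "Solved" notifications emitted once a
    package is upgraded) are skipped so the summary reflects open findings only.
    """
    report = defaultdict(lambda: {"by_severity": Counter(), "cves": []})
    for alert in vulnerability_alerts(lines):
        vuln = alert["data"]["vulnerability"]
        if vuln.get("status", "Active") != "Active":
            continue
        entry = report[alert["agent"]["name"]]
        entry["by_severity"][vuln["severity"]] += 1
        pkg = vuln.get("package", {})
        entry["cves"].append((vuln["cve"], pkg.get("name"), pkg.get("version")))
    return dict(report)


if __name__ == "__main__":
    # Replace the sample with open("/var/ossec/logs/alerts/alerts.json") on a manager.
    for agent, entry in summarize(SAMPLE_ALERTS.splitlines()).items():
        print(agent, dict(entry["by_severity"]))
        for cve, name, version in entry["cves"]:
            print(f"  {cve}  {name} {version}")
```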