Scanning unsupported systems

The Vulnerability Detector module supports a comprehensive list of operating systems natively. However, the module doesn't have a natively predefined feed for every existing operating system. Operating systems without a predefined feed are unsupported systems. Examples of unsupported operating systems are Linux Mint and Oracle Linux. To scan unsupported operating systems, you must configure the Vulnerability Detector module to use the existing feeds of supported operating systems. You can do this using the allow option. The allow option indicates that the module can scan an unsupported operating system with the configured feed.

This section explains how to extend support for unsupported operating systems.

Warning

This configuration can lead to false positives. The OS vendor of the unsupported operating system handles package management and security patching independently of the configured feed, so the vulnerable and fixed package versions listed in the feed do not necessarily match the packages that vendor ships.

Checking the registered name of the operating system

The registered name of the operating system is the name stored in the Wazuh database for the agent you installed on it. This registered name may differ from the name you expect, so check it using the steps below.

  1. Generate a JSON Web Token (JWT) for authenticating to the Wazuh server by running the following command. The default API credentials are wazuh:wazuh.

    # TOKEN=$(curl -u <USER>:<PASSWORD> -k -X GET "https://<MANAGER_IP>:55000/security/user/authenticate?raw=true")
    

    Run the command echo $TOKEN to confirm that the token was successfully generated. You should get an output like this:

    eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjQzMDExMjQ0LCJleHAiOjE2NDMwMTIxNDQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.Ad6zOZvx0BEV7K0J6s3pIXAXTWB-zdVfxaX2fotLfZMQkiYPMkwDaQHUFiOInsWJ_7KZV3y2BbhEs9-kBqlJAMvMAD0NDBPhEQ2qBd_iutZ7QWZECd6eYfIP83xGqH9iqS7uMI6fXOKr3w4aFV13Q6qsHSUQ1A-1LgDnnDGGaqF5ITYo
    
  2. Run the following command to use the Wazuh RESTful API endpoint GET /agents:

    # curl -k -X GET "https://localhost:55000/agents?pretty=true&agents_list=<AGENT_ID>&select=os.name,os.major" -H "Authorization: Bearer $TOKEN"
    

    Where <AGENT_ID> is the agent ID whose operating system we want to check, for example 005.

    {
       "data": {
          "affected_items": [{"os": {"major": "7", "name": "Oracle Linux Server"}, "id": "005"}],
          "total_affected_items": 1,
          "total_failed_items": 0,
          "failed_items": []
       },
       "message": "All selected agents information was returned",
       "error": 0
    }
    

    Alternatively run the following command to check the database manually:

    # sqlite3 /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = <AGENTID>;"
    

    Where <AGENTID> is the ID of the agent whose operating system we want to check, for example 5.

    Oracle Linux Server|7
    

    You need the name and major operating system version to configure the Vulnerability Detector.

Configuring Vulnerability Detector to include unsupported systems

Use the format OS_name-OS_major with the allow attribute to include the operating system. Add a list of systems separated by commas to include more than one operating system.

For example, if you want to scan Pop!_OS 18 and Linux Mint 19 using the Ubuntu 18 (Bionic) feed, use:

<provider name="canonical">
    <enabled>yes</enabled>
    <os allow="Linux Mint-19,Pop!_OS-18">bionic</os>
    <update_interval>1h</update_interval>
</provider>

To scan Kali Linux 2023 using the Debian 10 (Buster) vulnerability feed, use:

<provider name="debian">
    <enabled>yes</enabled>
    <os allow="Kali GNU/Linux-2023">buster</os>
    <update_interval>1h</update_interval>
</provider>

You can also scan other operating systems using the Red Hat vulnerability feed. The value in the allow attribute can be a substring of the operating system name returned by the agent in the previous section; this is why the example below uses Oracle Linux rather than Oracle Linux Server.

<provider name="redhat">
   <enabled>yes</enabled>
   <os allow="Oracle Linux-7">7</os>
   <update_interval>1h</update_interval>
   <update_from_year>2010</update_from_year>
</provider>
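To check which provider feed will actually scan each agent before restarting the manager, the following added example (not part of the Wazuh documentation or code base) reads a constructed GET /agents response and constructed provider fragments in the format shown above, and matches each agent's OS_name-OS_major against the allow entries. The substring matching of the name and the exact comparison of the major version are assumptions based on the substring note above, not a statement of how Vulnerability Detector matches internally.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the GET /agents response shown above (no live API call).
SAMPLE_AGENTS_RESPONSE = json.dumps({
    "data": {"affected_items": [
        {"os": {"major": "7", "name": "Oracle Linux Server"}, "id": "005"},
        {"os": {"major": "19", "name": "Linux Mint"}, "id": "006"},
        {"os": {"major": "22", "name": "Fedora Linux"}, "id": "007"},
    ]}})

# Constructed provider fragments using the allow format documented above.
SAMPLE_CONFIG = """
<vulnerability-detector>
  <provider name="canonical"><enabled>yes</enabled>
    <os allow="Linux Mint-19,Pop!_OS-18">bionic</os></provider>
  <provider name="redhat"><enabled>yes</enabled>
    <os allow="Oracle Linux-7">7</os></provider>
</vulnerability-detector>
"""

def agent_os_entries(response_json):
    """Return {agent_id: 'OS_name-OS_major'} from an agents API response."""
    items = json.loads(response_json)["data"]["affected_items"]
    return {a["id"]: f'{a["os"]["name"]}-{a["os"]["major"]}' for a in items}

def allow_entries(config_xml):
    """Map each allow entry to the (provider, feed) it is assigned to."""
    result = {}
    for provider in ET.fromstring(config_xml).iter("provider"):
        for os_el in provider.findall("os"):
            for entry in filter(None, (os_el.get("allow") or "").split(",")):
                result[entry.strip()] = (provider.get("name"), os_el.text.strip())
    return result

def feed_for(agent_entry, allow_map):
    """Find the feed covering an agent. Assumption: the allow name may be a
    substring of the registered OS name; the major version must match exactly."""
    name, _, major = agent_entry.rpartition("-")
    for entry, feed in allow_map.items():
        allow_name, _, allow_major = entry.rpartition("-")
        if allow_name in name and allow_major == major:
            return feed
    return None

def coverage_report(response_json, config_xml):
    """Per agent: the (provider, feed) that will scan it, or None if uncovered."""
    allow_map = allow_entries(config_xml)
    return {aid: feed_for(entry, allow_map)
            for aid, entry in agent_os_entries(response_json).items()}
```

Agents reported as None have neither a native feed entry in the fragments nor an allow entry, so they would not be scanned with this configuration.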