Configuring and running scans

Running vulnerability scans in Wazuh requires enabling the Vulnerability Detector module and setting the configuration for the scan. The Wazuh server has the Vulnerability Detector module disabled by default when you install it, while the Wazuh agent has Syscollector enabled by default. The following steps show how to configure the vulnerability detection components:

  1. Add the following block of settings to your shared agent configuration file. You can find the file at /var/ossec/etc/shared/default/agent.conf on the Wazuh server. You can also configure these options in each agent ossec.conf configuration file:

    <wodle name="syscollector">
       <disabled>no</disabled>
       <interval>1h</interval>
       <os>yes</os>
       <packages>yes</packages>
       <hotfixes>yes</hotfixes>
    </wodle>
    
  2. Enable the Vulnerability Detector module in the Wazuh server configuration file at /var/ossec/etc/ossec.conf. Set the value for the <enabled> tag to yes for the Vulnerability Detector module and every operating system you intend to scan. We have added a sample below:

    <vulnerability-detector>
       <enabled>yes</enabled>
       <interval>5m</interval>
       <min_full_scan_interval>6h</min_full_scan_interval>
       <run_on_start>yes</run_on_start>
    
       <!-- Ubuntu OS vulnerabilities -->
       <provider name="canonical">
          <enabled>yes</enabled>
          <os>trusty</os>
          <os>xenial</os>
          <os>bionic</os>
          <os>focal</os>
          <os>jammy</os>
          <update_interval>1h</update_interval>
       </provider>
    
       <!-- Debian OS vulnerabilities -->
       <provider name="debian">
          <enabled>yes</enabled>
          <os>buster</os>
          <os>bullseye</os>
          <update_interval>1h</update_interval>
       </provider>
    
       <!-- RedHat OS vulnerabilities -->
       <provider name="redhat">
          <enabled>yes</enabled>
          <os>5</os>
          <os>6</os>
          <os>7</os>
          <os>8</os>
          <os>9</os>
          <update_interval>1h</update_interval>
       </provider>
    
       <!-- Amazon Linux OS vulnerabilities -->
       <provider name="alas">
          <enabled>yes</enabled>
          <os>amazon-linux</os>
          <os>amazon-linux-2</os>
          <update_interval>1h</update_interval>
       </provider>
    
       <!-- Arch OS vulnerabilities -->
       <provider name="arch">
          <enabled>yes</enabled>
          <update_interval>1h</update_interval>
       </provider>
    
       <!-- Windows OS vulnerabilities -->
       <provider name="msu">
          <enabled>yes</enabled>
          <update_interval>1h</update_interval>
       </provider>
    
       <!-- Aggregate vulnerabilities -->
       <provider name="nvd">
          <enabled>yes</enabled>
          <update_from_year>2010</update_from_year>
          <update_interval>1h</update_interval>
       </provider>
    </vulnerability-detector>
    
  3. Restart the manager to apply the changes.

    # systemctl restart wazuh-manager
    
    # service wazuh-manager restart
    

The Vulnerability Detector generates logs in the Wazuh server that trigger alerts. Every alert contains the following fields:

  • CVE: The Common Vulnerabilities and Exposures identifier for the corresponding vulnerability.

  • Title: Short description of the impact of the vulnerability.

  • Rationale: Broad description of the vulnerability.

  • Severity: Impact of the vulnerability in terms of security.

  • Package: Information about the affected package, including why the package is marked as vulnerable.

  • Published: Date when the feed added the vulnerability.

  • Updated: Date of the last vulnerability update.

  • CWE: The Common Weakness Enumeration reference.

  • CVSS: Vulnerability assessment according to the Common Vulnerability Scoring System (versions 2 and 3).

  • Advisories IDs: Red Hat security advisories.

  • References: URLs with extra information on the vulnerability.

  • Bugzilla references: Links to the references of the vulnerability in Bugzilla.

You can see an alert sample below showing the fields with vulnerability data:

"data": {
      "vulnerability": {
        "severity": "High",
        "package": {
          "condition": "Package unfixed",
          "name": "rpm-common",
          "source": "rpm",
          "version": "4.14.2.1+dfsg1-1build2",
          "architecture": "amd64"
        },
        "references": [
          "https://bugzilla.redhat.com/show_bug.cgi?id=1964114",
          "https://github.com/rpm-software-management/rpm/pull/1919",
          "https://bugzilla.suse.com/show_bug.cgi?id=1157880",
          "https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef22c1aecf3a9c033",
          "https://access.redhat.com/security/cve/CVE-2021-35938",
          "https://rpm.org/wiki/Releases/4.18.0",
          "https://nvd.nist.gov/vuln/detail/CVE-2021-35938",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35938",
          "https://ubuntu.com/security/CVE-2021-35938"
        ],
        "cve_version": "4.0",
        "assigner": "secalert@redhat.com",
        "published": "2022-08-25",
        "cwe_reference": "CWE-59",
        "title": "CVE-2021-35938 affects rpm-common",
        "type": "PACKAGE",
        "rationale": "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
        "cve": "CVE-2021-35938",
        "cvss": {
          "cvss3": {
            "base_score": "7.800000",
            "vector": {
              "user_interaction": "none",
              "integrity_impact": "high",
              "scope": "unchanged",
              "confidentiality_impact": "high",
              "availability": "high",
              "attack_vector": "local",
              "access_complexity": "low",
              "privileges_required": "low"
            }
          }
        },
        "updated": "2022-08-31",
        "status": "Active"
      }
    },
    "rule": {
      "firedtimes": 458,
      "mail": false,
      "level": 10,
      "pci_dss": [
        "11.2.1",
        "11.2.3"
      ],
      "tsc": [
        "CC7.1",
        "CC7.2"
      ],
      "description": "CVE-2021-35938 affects rpm-common",
      "groups": [
        "vulnerability-detector"
      ],
      "id": "23505",
      "gdpr": [
        "IV_35.7.d"
      ]
    },
    "location": "vulnerability-detector",
    "decoder": {
      "name": "json"
    },
    "id": "1664242144.7029312",
    "timestamp": "2022-09-27T04:29:04.491+0300"
  },
  "fields": {
    "data.vulnerability.published": [
      "2022-08-25T00:00:00.000Z"
    ],
    "data.vulnerability.updated": [
      "2022-08-31T00:00:00.000Z"
    ],
    "timestamp": [
      "2022-09-27T01:29:04.491Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@opensearch-dashboards-highlighted-field@010@/opensearch-dashboards-highlighted-field@"
    ],
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@localhost.localdomain@/opensearch-dashboards-highlighted-field@"
    ],
    "rule.groups": [
      "@opensearch-dashboards-highlighted-field@vulnerability-detector@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1664242144491
  ]
}

You can see the inventory of all the vulnerable packages installed for a particular agent by clicking on the Vulnerabilities module on the WUI and selecting the agent.

Here you can see what certain fields of the alert look like on the dashboard: