How it works

To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Also, the Wazuh server builds a global vulnerability database from publicly available CVE repositories. It uses this database to cross-correlate this information with the application inventory data of the agent:

1. Start SQLite and open the vulnerability database using the following command.

   # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
   

2. List the tables in the database using the following command.

   sqlite> .tables
   

3. Retrieve the data in a table by running the following command.

   sqlite> select * from <table>;
   

The Wazuh server automatically creates the global vulnerability database with data from the following repositories:

• https://canonical.com: Used to pull CVEs for Ubuntu Linux distributions.

• https://www.redhat.com: Used to pull CVEs for Red Hat and CentOS Linux distributions.

• https://www.debian.org: Used to pull CVEs for Debian Linux distributions.

• https://security.archlinux.org: Used to pull CVEs for Arch Linux distributions.

• https://nvd.nist.gov: Used to pull CVEs from the National Vulnerability Database.

• https://feed.wazuh.com: Used to pull Microsoft Security Updates (MSU) and ALAS feeds. The feeds contain CVE and patch information for Microsoft products and Amazon Linux. They use the Microsoft Update Catalog and the Amazon Linux Security Center as sources of information. Wazuh parses and formats the data before uploading them to the Wazuh feed.

Wazuh updates this database on a regular basis, ensuring the solution checks for the latest CVEs. You can configure the update interval.

Once the Vulnerability Detector module has created the global vulnerability database containing the CVEs, the detection process looks for vulnerable packages in the inventory databases. These inventories are unique to each agent. A package is labeled as vulnerable when its version matches those within the affected range of a CVE. Alerts show the results, and the module stores the findings in a per-agent vulnerability inventory. This inventory contains the current state of every agent and includes vulnerabilities that have been detected and not resolved. Users can query the inventory to check for alerts and vulnerability information.

For Microsoft Windows systems and specific Microsoft products, the Vulnerability Detector has the hotfixes option in the syscollector settings on the Wazuh agent. Using this option enables the module to detect packages that the user has patched. When the Vulnerability Detector detects a patch, it uses the information provided by Microsoft to decide if the patch has resolved the CVEs. Then, it removes them from the list of vulnerabilities.

Alert generation

The Vulnerability Detector generates alerts during the baseline scan for every detected vulnerability. You can see this workflow in the diagram below.

The Vulnerability Detector also generates alerts when it detects new vulnerabilities or when users fix identified vulnerabilities.