Offline Update

If the manager does not directly connect to the Internet, it is possible to keep the vulnerability feeds updated by fetching the database files from your local environment or network. To achieve this, specific vulnerability files must be downloaded and Wazuh configured to locate them.

When the Vulnerability Detector fetches feeds from a custom location, they can be gz- or bzip2-compressed, or uncompressed XML or JSON, depending on the original format of the feed.

Canonical

To perform an offline update of the Canonical feeds, you must download the corresponding OVAL files:

OS        Files
Jammy     com.ubuntu.jammy.cve.oval.xml.bz2
Focal     com.ubuntu.focal.cve.oval.xml.bz2
Bionic    com.ubuntu.bionic.cve.oval.xml.bz2
Xenial    com.ubuntu.xenial.cve.oval.xml.bz2
Trusty    com.ubuntu.trusty.cve.oval.xml.bz2

To fetch the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="canonical">
    <enabled>yes</enabled>
    <os url="http://local_repo/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
    <os url="http://local_repo/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os url="http://local_repo/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os url="http://local_repo/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os url="http://local_repo/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path. To do so, use the path attribute instead of url, as this example shows:

<provider name="canonical">
    <enabled>yes</enabled>
    <os path="/local_path/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
    <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>1h</update_interval>
</provider>
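Before pointing a provider at a local repository, it is worth confirming that every staged file is actually the compressed or plain XML/JSON document its name claims to be, since a truncated download or an HTTP error page saved under the right name is the usual cause of a feed that never loads. The following POSIX shell script is an added example and is not part of the Wazuh documentation or the project's own tooling; the page only states that feeds may be gz, bzip2, XML or JSON, and the function names, the content-based detection and the name/content mismatch rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: sanity-check the feed
# files staged in a local repository before the manager is pointed at them.
# The page only says feeds may be gz, bzip2, XML or JSON; the checks below
# and the directory layout are this example's own assumptions.

# feed_kind FILE: print gz, bz2, xml, json or unknown, decided from the file
# content rather than its name (a truncated download or a saved error page
# keeps the right name but has the wrong content).
feed_kind() {
    magic=$(head -c 3 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        1f8b*)  echo gz;  return ;;   # gzip magic bytes
        425a68) echo bz2; return ;;   # "BZh"
    esac
    first=$(tr -d ' \t\r\n' < "$1" | head -c 1)
    case $first in
        '<')       echo xml ;;
        '{' | '[') echo json ;;
        *)         echo unknown ;;
    esac
}

# check_feed FILE: return 0 if the content matches the file name and any
# archive decompresses cleanly; otherwise print the reason and return 1.
check_feed() {
    kind=$(feed_kind "$1")
    case $1 in
        *.gz)   want=gz ;;
        *.bz2)  want=bz2 ;;
        *.xml)  want=xml ;;
        *.json) want=json ;;
        *)      want= ;;
    esac
    if [ -n "$want" ] && [ "$want" != "$kind" ]; then
        echo "$1: name says $want but content is $kind"
        return 1
    fi
    case $kind in
        gz)
            gzip -t "$1" 2>/dev/null && return 0
            echo "$1: corrupt or truncated gzip data"; return 1 ;;
        bz2)
            if command -v bzip2 >/dev/null 2>&1; then
                bzip2 -t "$1" 2>/dev/null && return 0
                echo "$1: corrupt or truncated bzip2 data"; return 1
            fi
            echo "$1: bzip2 not installed, archive not tested"; return 1 ;;
        xml | json)
            return 0 ;;
        *)
            echo "$1: not a gz, bzip2, XML or JSON feed"; return 1 ;;
    esac
}

# check_repo DIR: check every regular file in DIR; return 0 only if all pass.
check_repo() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_feed "$f" || bad=$((bad + 1))
    done
    echo "$1: $bad bad feed file(s)"
    [ "$bad" -eq 0 ]
}

# Usage: ./check_feeds.sh /var/www/local_repo
if [ "$#" -gt 0 ]; then
    check_repo "$1"
fi
```

Run it against the directory your local web server publishes (or the /local_path used with the path attribute); a non-zero exit means at least one file would not be usable by the manager, and the printed reason tells you which one to re-download.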

Debian

Currently, the Debian vulnerabilities are fetched from two different sources: one OVAL file for each supported Debian version, and a JSON feed with global information about the affected packages of each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. How to configure each of them for an offline update is described below.

  • Debian OVAL feed

To perform an offline update of Debian OVAL feeds, you must download the corresponding files:

OS        Files
Bullseye  oval-definitions-bullseye.xml
Buster    oval-definitions-buster.xml
Stretch   oval-definitions-stretch.xml

To use a local feed file, add the path attribute to the os option, as follows:

<provider name="debian">
    <enabled>yes</enabled>
    <os path="/local_path/oval-definitions-bullseye.xml">bullseye</os>
    <os path="/local_path/oval-definitions-buster.xml">buster</os>
    <os path="/local_path/oval-definitions-stretch.xml">stretch</os>
    <update_interval>1h</update_interval>
</provider>

To update the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="debian">
    <enabled>yes</enabled>
    <os url="http://local_repo/oval-definitions-bullseye.xml">bullseye</os>
    <os url="http://local_repo/oval-definitions-buster.xml">buster</os>
    <os url="http://local_repo/oval-definitions-stretch.xml">stretch</os>
    <update_interval>1h</update_interval>
</provider>

  • Debian Security Tracker JSON feed

To perform an offline update, you must download the corresponding file:

OS        Files
ALL       Debian Security Tracker JSON

To use a local feed file, use the path option, whose value is a POSIX regular expression that the file name must match:

<provider name="debian">
    <enabled>yes</enabled>
    <path>/local_path/security_tracker_local\.json$</path>
    <update_interval>1h</update_interval>
</provider>

To update the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="debian">
    <enabled>yes</enabled>
    <url>http://local_repo/security_tracker_local.json</url>
    <update_interval>1h</update_interval>
</provider>

Red Hat

Currently, the Red Hat vulnerabilities are fetched from two different sources: one OVAL file for each supported Red Hat version, and a JSON feed with global information about the affected packages of each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. How to configure each of them for an offline update is described below.

  • Red Hat OVAL feed

To perform an offline update of the Red Hat OVAL feeds, you must download the corresponding files:

OS        Files
5         com.redhat.rhsa-RHEL5.xml.bz2
6         rhel-6-including-unpatched.oval.xml.bz2
7         rhel-7-including-unpatched.oval.xml.bz2
8         rhel-8-including-unpatched.oval.xml.bz2
9         rhel-9-including-unpatched.oval.xml.bz2

To fetch the vulnerability feeds from an alternative repository, the configuration is similar to the following:

<provider name="redhat">
    <enabled>yes</enabled>
    <os url="http://local_repo/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
    <os url="http://local_repo/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os url="http://local_repo/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os url="http://local_repo/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <os url="http://local_repo/rhel-9-including-unpatched.oval.xml.bz2">9</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path. To do so, use the path attribute instead of url, as this example shows:

<provider name="redhat">
    <enabled>yes</enabled>
    <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
    <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
    <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
    <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
    <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
    <update_interval>1h</update_interval>
</provider>

  • Red Hat Security Data JSON feed

To perform an offline update, you must make requests to its API to get the feed pages starting from a specified date. A script that automates the download and copes with API downtime is available in wazuh/tools/vulnerability-detector/rh-generator.sh.

The script downloads all the CVE data since the year 1999 by default. It is recommended not to change the starting year, so that the vulnerabilities database is complete.

How to use the update script

  1. Create a directory to download the feed.

# mkdir /local_path/rh-feed

  2. Run the script indicating the target path.

# ./rh-generator.sh /local_path/rh-feed

It is possible that the script will output error messages like the following:

Page download failed (504), retrying...

This indicates that the Red Hat servers may be temporarily unavailable to you. The script keeps retrying until it has acquired the full feed.

Finally, you will have the feed split into a succession of numbered files whose names follow the format redhat-feed<number>.json. To update locally, the path to those files must be given as a POSIX regular expression such as the following:

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed[[:digit:]]+\.json$</path>
    <update_interval>1h</update_interval>
</provider>

If you want to upload these files to a local server, their URLs must keep the same numerical sequence: mark the position of the number with the [-] tag and give the numerical range with the start and end attributes. For example, if the previous script has returned 15 files, the configuration would look like this:

<provider name="redhat">
    <enabled>yes</enabled>
    <url start="1" end="15">http://local_repo/rh-feed/redhat-feed[-].json</url>
    <update_interval>1h</update_interval>
</provider>

Arch

To perform an offline update of the Arch feed, download the corresponding JSON file:

OS        Files
Rolling   all.json

To fetch the vulnerability feed from an alternative repository, configure your manager in a similar way as shown in this example:

<provider name="arch">
    <enabled>yes</enabled>
    <url>http://local_repo/security.archlinux.org/all.json</url>
    <update_interval>1h</update_interval>
</provider>

Alternatively, the feed can be loaded from a local path, given as a POSIX regular expression, as shown in this example:

<provider name="arch">
    <enabled>yes</enabled>
    <path>/local_path/all\.json$</path>
    <update_interval>1h</update_interval>
</provider>

ALAS

The vulnerability feeds for Amazon Linux systems are currently fetched from the Wazuh repository as ALAS feeds. To perform an offline update of these feeds, they first have to be downloaded from the corresponding Wazuh repository:

OS              Files
Amazon Linux    alas.json.gz
Amazon Linux 2  alas2.json.gz

Then place them in the custom location and point the manager at it:

<provider name="alas">
    <enabled>yes</enabled>
    <os url="http://local_repo/updates_amazon-linux.json.gz">amazon-linux</os>
    <os url="http://local_repo/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path with the path attribute, as shown in this example:

<provider name="alas">
    <enabled>yes</enabled>
    <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
    <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
    <update_interval>1h</update_interval>
</provider>

National Vulnerability Database

To perform an offline update of the National Vulnerability Database, you must request its feed starting from the desired date. A script that automates the download and copes with server downtime is available in wazuh/tools/vulnerability-detector/nvd-generator.sh.

How to use the update script

  1. Create a directory to download the feed.

# mkdir /local_path/nvd-feed

  2. Run the script indicating the starting year from which the vulnerabilities will be downloaded (minimum is 2002) and the target path.

# nvd-generator.sh 2002 /local_path/nvd-feed

It is possible that the script will output error messages like the following:

Page download failed (504), retrying...

This indicates that the National Vulnerability Database servers may be temporarily unavailable to you. The script keeps retrying until it has acquired the full feed.

Finally, you will have the feed split into a succession of numbered files whose names follow the format nvd-feed<year>.json.gz. To update locally, the path to those files must be given as a POSIX regular expression such as the following:

<provider name="nvd">
    <enabled>yes</enabled>
    <path>/local_path/nvd-feed[[:digit:]]\{4\}\.json\.gz$</path>
    <update_interval>1h</update_interval>
</provider>

If you want to upload these files to a local server, their URLs must keep the same numerical sequence: mark the position of the year with the [-] tag and give the numerical range with the start and end attributes. For example, if you have the files from 2015 to 2020, the configuration would look like this:

<provider name="nvd">
    <enabled>yes</enabled>
    <url start="2015" end="2020">http://local_repo/nvd-feed[-].json.gz</url>
    <update_interval>1h</update_interval>
</provider>
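The [-] tag with start and end attributes is used in the same way for the Red Hat Security Data pages (redhat-feed<number>.json) and the NVD yearly files (nvd-feed<year>.json.gz): the manager substitutes each number in the range into the URL, so a gap in the local sequence or a wrong end value means part of the feed is silently never loaded. The POSIX shell script below is an added example, not part of the Wazuh documentation or the project's generator scripts; it expands a template the way the page describes, derives the start/end values from the files actually present, and reports any number in the range that has no file. The function names and the directory layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: work with feed URLs
# that use the [-] sequence tag and the start/end range. The tag semantics
# are those described on the page; the helper names are this example's own.

# expand_sequence TEMPLATE START END: print one URL or file name per line,
# with [-] replaced by each number from START to END inclusive.
expand_sequence() {
    prefix=${1%%"[-]"*}
    suffix=${1#*"[-]"}
    n=$2
    while [ "$n" -le "$3" ]; do
        printf '%s%s%s\n' "$prefix" "$n" "$suffix"
        n=$((n + 1))
    done
}

# sequence_range DIR PREFIX SUFFIX: print "START END" for the files named
# PREFIX<number>SUFFIX in DIR, i.e. the values for the start/end attributes.
# Returns 1 if no such file exists.
sequence_range() {
    lo=
    hi=
    for f in "$1"/"$2"*"$3"; do
        [ -f "$f" ] || continue
        num=${f##*/}
        num=${num#"$2"}
        num=${num%"$3"}
        case $num in '' | *[!0-9]*) continue ;; esac   # skip non-numeric names
        if [ -z "$lo" ] || [ "$num" -lt "$lo" ]; then lo=$num; fi
        if [ -z "$hi" ] || [ "$num" -gt "$hi" ]; then hi=$num; fi
    done
    [ -n "$lo" ] && echo "$lo $hi"
}

# missing_in_sequence DIR TEMPLATE START END: print every file name in the
# expanded range that is absent or empty in DIR; return 0 if none is missing.
missing_in_sequence() {
    missing=0
    for name in $(expand_sequence "$2" "$3" "$4"); do
        if [ ! -s "$1/$name" ]; then
            echo "missing or empty: $1/$name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: ./check_sequence.sh /local_path/rh-feed redhat-feed .json
# Prints the start/end values and then checks the range for gaps.
if [ "$#" -eq 3 ]; then
    range=$(sequence_range "$1" "$2" "$3") || { echo "no files found"; exit 1; }
    echo "start=${range% *} end=${range#* }"
    missing_in_sequence "$1" "$2[-]$3" ${range% *} ${range#* }
fi
```

For the NVD files the same call is ./check_sequence.sh /local_path/nvd-feed nvd-feed .json.gz; a reported gap (for example a year whose download was interrupted) should be fixed by re-running the generator script before the range is written into the provider configuration.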

MSU

New in version 4.0.0.

The Microsoft Software Update feed is now updated by the Wazuh manager instead of being shipped with the package. To perform an offline update of the MSU feed, download it from https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz and place it in an alternative repository:

<provider name="msu">
    <enabled>yes</enabled>
    <url>http://local_repo/msu-updates.json.gz</url>
    <update_interval>1h</update_interval>
</provider>

To update locally, the path to that file must be given as a POSIX regular expression such as the following:

<provider name="msu">
    <enabled>yes</enabled>
    <path>/local_path/msu-updates\.json\.gz$</path>
    <update_interval>1h</update_interval>
</provider>