Offline Update

If the Wazuh server has no direct Internet access, you can still keep the vulnerability feeds up to date by fetching the database files from a host in your local environment or network. The procedure is to download the specific vulnerability files and then configure the Wazuh server to locate them. Feeds can be served from a custom location either compressed (gz or bzip2) or uncompressed (XML or JSON), matching the original format of each feed. Because the Wazuh server trusts whatever it finds at the configured location, keep the local repository on a network you control and check the published sha256 checksums (for example, the ones provided for the NVD and MSU feeds) after downloading. All configuration examples in this section go in the Wazuh server /var/ossec/etc/ossec.conf file.

Canonical

To perform an offline update of the Canonical feeds, you must download the corresponding OVAL files.

OS       Files
Jammy    com.ubuntu.jammy.cve.oval.xml.bz2
Focal    com.ubuntu.focal.cve.oval.xml.bz2
Bionic   com.ubuntu.bionic.cve.oval.xml.bz2
Xenial   com.ubuntu.xenial.cve.oval.xml.bz2
Trusty   com.ubuntu.trusty.cve.oval.xml.bz2

To fetch the vulnerability feeds from a user-defined repository, use a configuration similar to the following.

<provider name="canonical">
   <enabled>yes</enabled>
   <os url="http://local_repo/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
   <os url="http://local_repo/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
   <os url="http://local_repo/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
   <os url="http://local_repo/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
   <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feeds from a local path. To do this, use the path attribute as this example shows.

<provider name="canonical">
   <enabled>yes</enabled>
   <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
   <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
   <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
   <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
   <update_interval>1h</update_interval>
</provider>

Debian

Currently, the module fetches the Debian vulnerabilities from two different sources.

  • OVAL file for each supported Debian version.

  • JSON feed with global information about the affected packages for each distribution.

Note

Both sources are necessary for the proper functioning of the scanner. Below are the steps to configure each source for the offline update.

Debian OVAL feed

To perform an offline update of Debian OVAL feeds, you must download the appropriate files.

OS        Files
Buster    oval-definitions-buster.xml.bz2
Bullseye  oval-definitions-bullseye.xml.bz2
Bookworm  oval-definitions-bookworm.xml.bz2

To update the vulnerability feed from a user-defined repository, use a configuration similar to the following.

<provider name="debian">
   <enabled>yes</enabled>
   <os url="http://local_repo/oval-definitions-buster.xml.bz2">buster</os>
   <os url="http://local_repo/oval-definitions-bullseye.xml.bz2">bullseye</os>
   <os url="http://local_repo/oval-definitions-bookworm.xml.bz2">bookworm</os>
   <update_interval>1h</update_interval>
</provider>

To use a local feed file, add the path attribute accompanying the os option as follows.

<provider name="debian">
   <enabled>yes</enabled>
   <os path="/local_path/oval-definitions-buster.xml.bz2">buster</os>
   <os path="/local_path/oval-definitions-bullseye.xml.bz2">bullseye</os>
   <os path="/local_path/oval-definitions-bookworm.xml.bz2">bookworm</os>
   <update_interval>1h</update_interval>
</provider>

Debian Security Tracker JSON feed

To perform an offline update, you must download the corresponding file.

OS    Files
ALL   Debian Security Tracker JSON

To update the vulnerability feeds from a user-defined repository, use a configuration similar to the following.

<provider name="debian">
   <enabled>yes</enabled>
   <url>http://local_repo/security_tracker_local.json</url>
   <update_interval>1h</update_interval>
</provider>

To use a local feed file, use the path attribute.

<provider name="debian">
   <enabled>yes</enabled>
   <path>/local_path/security_tracker_local.json</path>
   <update_interval>1h</update_interval>
</provider>

Red Hat

The Vulnerability Detector module currently fetches the Red Hat vulnerabilities from two different sources:

  • An OVAL file for each supported Red Hat version.

  • A JSON feed from the Red Hat Security Data API with information about the affected packages for every supported version.

Note

Both sources are necessary for the proper functioning of the scanner. Below is the procedure to configure each source for an offline update.

Red Hat OVAL feeds

To perform an offline update of the Red Hat OVAL feeds, you must download the corresponding files.

OS   Files
5    com.redhat.rhsa-RHEL5.xml.bz2
6    rhel-6-including-unpatched.oval.xml.bz2
7    rhel-7-including-unpatched.oval.xml.bz2
8    rhel-8-including-unpatched.oval.xml.bz2
9    rhel-9-including-unpatched.oval.xml.bz2

To fetch the vulnerability feeds from a user-defined repository, use a configuration similar to the following.

<provider name="redhat">
   <enabled>yes</enabled>
   <os url="http://local_repo/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
   <os url="http://local_repo/rhel-6-including-unpatched.oval.xml.bz2">6</os>
   <os url="http://local_repo/rhel-7-including-unpatched.oval.xml.bz2">7</os>
   <os url="http://local_repo/rhel-8-including-unpatched.oval.xml.bz2">8</os>
   <os url="http://local_repo/rhel-9-including-unpatched.oval.xml.bz2">9</os>
   <update_interval>1h</update_interval>
</provider>

Alternatively, the feeds can be loaded from a local path. To achieve this, use the path attribute as this example shows.

<provider name="redhat">
   <enabled>yes</enabled>
   <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
   <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
   <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
   <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
   <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
   <update_interval>1h</update_interval>
</provider>

Red Hat Security Data JSON feed

To perform an offline update, you must query Red Hat's Security Data API for the feed pages starting from a specified date. Wazuh provides an update script that automates downloading the feed and retrying when the API is unavailable. By default, the script downloads all CVE data since 1999; we recommend keeping that default so that the local vulnerability database is as complete as possible.

How to use the update script

  1. Create a directory for the feeds.

    # mkdir /local_path/rh-feed
    
  2. Run the script indicating the target path.

    # ./rh-generator.sh /local_path/rh-feed
    

    The script might output an error message like the following.

    Page download failed (504), retrying...
    

    The error message indicates that the Red Hat servers may be temporarily unavailable to you. Regardless, the script keeps trying to finish the download until it acquires the full feed.

The result is a sequence of numbered files named redhat-feed<number>.json. To load them locally, set the path with a POSIX regular expression that matches the whole sequence, for example:

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
    <update_interval>1h</update_interval>
</provider>

If you instead upload these files to a local server, they must keep the numeric sequence in which the script produced them. Use the [-] tag in the URL together with the start and end attributes to give the numeric range. For example, if the script produced 15 files:

<provider name="redhat">
   <enabled>yes</enabled>
   <url start="1" end="15">http://local_repo/rh-feed/redhat-feed[-].json</url>
   <update_interval>1h</update_interval>
</provider>

Arch

To perform an offline update of the Arch feed, download the corresponding JSON file.

OS       Files
Rolling  all.json

To fetch the vulnerability feed from a user-defined repository, configure your Wazuh server as in this example.

<provider name="arch">
   <enabled>yes</enabled>
   <url>http://local_repo/security.archlinux.org/issues/all.json</url>
   <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feed from a local path. In that case the path is a POSIX regular expression, as this example shows.

<provider name="arch">
   <enabled>yes</enabled>
   <path>/local_path/all\.json$</path>
   <update_interval>1h</update_interval>
</provider>

ALAS

The module currently fetches the vulnerability feeds for Amazon Linux systems (ALAS feeds) from the Wazuh repository. To perform an offline update, download them from that repository.

OS                 Files
Amazon Linux       alas.json.gz
Amazon Linux 2     alas2.json.gz
Amazon Linux 2022  alas2022.json.gz
Amazon Linux 2023  alas2023.json.gz

Then serve them from the custom location. The file name in each url attribute must match the name the file is stored under on your server; the examples below use the names updates_amazon-linux*.json.gz, so either rename the downloaded files accordingly or adjust the attributes.

<provider name="alas">
    <enabled>yes</enabled>
    <os url="http://local_repo/updates_amazon-linux.json.gz">amazon-linux</os>
    <os url="http://local_repo/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
    <os url="http://local_repo/updates_amazon-linux-2022.json.gz">amazon-linux-2022</os>
    <os url="http://local_repo/updates_amazon-linux-2023.json.gz">amazon-linux-2023</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feeds from a local path with the path attribute, as shown in this example.

<provider name="alas">
    <enabled>yes</enabled>
    <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
    <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
    <os path="/local_path/updates_amazon-linux-2022.json.gz">amazon-linux-2022</os>
    <os path="/local_path/updates_amazon-linux-2023.json.gz">amazon-linux-2023</os>
    <update_interval>1h</update_interval>
</provider>

SUSE

Currently, the SUSE Linux vulnerabilities are fetched from one OVAL file for each supported SUSE Linux version.

OS       Files
SLES 11  suse.linux.enterprise.server.11.xml.gz
SLED 11  suse.linux.enterprise.desktop.11.xml.gz
SLES 12  suse.linux.enterprise.server.12.xml.gz
SLED 12  suse.linux.enterprise.desktop.12.xml.gz
SLES 15  suse.linux.enterprise.server.15.xml.gz
SLED 15  suse.linux.enterprise.desktop.15.xml.gz

Feeds can be fetched from a custom repository using the url attribute for each supported OS, as shown in this example:

<provider name="suse">
    <enabled>yes</enabled>
    <os url="http://local_repo/suse.linux.enterprise.server.11.xml.gz">11-server</os>
    <os url="http://local_repo/suse.linux.enterprise.desktop.11.xml.gz">11-desktop</os>
    <os url="http://local_repo/suse.linux.enterprise.server.12.xml.gz">12-server</os>
    <os url="http://local_repo/suse.linux.enterprise.desktop.12.xml.gz">12-desktop</os>
    <os url="http://local_repo/suse.linux.enterprise.server.15.xml.gz">15-server</os>
    <os url="http://local_repo/suse.linux.enterprise.desktop.15.xml.gz">15-desktop</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, they can also be loaded from a local path as follows:

<provider name="suse">
    <enabled>yes</enabled>
    <os path="/local_path/suse.linux.enterprise.server.11.xml.gz">11-server</os>
    <os path="/local_path/suse.linux.enterprise.desktop.11.xml.gz">11-desktop</os>
    <os path="/local_path/suse.linux.enterprise.server.12.xml.gz">12-server</os>
    <os path="/local_path/suse.linux.enterprise.desktop.12.xml.gz">12-desktop</os>
    <os path="/local_path/suse.linux.enterprise.server.15.xml.gz">15-server</os>
    <os path="/local_path/suse.linux.enterprise.desktop.15.xml.gz">15-desktop</os>
    <update_interval>1h</update_interval>
</provider>

AlmaLinux

Currently, the module fetches AlmaLinux vulnerabilities from one OVAL file for each supported AlmaLinux version.

OS           Files
AlmaLinux 8  org.almalinux.alsa-8.xml
AlmaLinux 9  org.almalinux.alsa-9.xml

To fetch feeds from a custom repository you can use the url attribute for each supported OS, as shown in this example:

<provider name="almalinux">
    <enabled>yes</enabled>
    <os url="http://local_repo/org.almalinux.alsa-8.xml">8</os>
    <os url="http://local_repo/org.almalinux.alsa-9.xml">9</os>
    <update_interval>1h</update_interval>
</provider>

Alternatively, you can load the feeds from a local path with the path attribute, as shown in this example.

<provider name="almalinux">
    <enabled>yes</enabled>
    <os path="/local_path/org.almalinux.alsa-8.xml">8</os>
    <os path="/local_path/org.almalinux.alsa-9.xml">9</os>
    <update_interval>1h</update_interval>
</provider>

National Vulnerability Database

To perform an offline update of the National Vulnerability Database, download complete_nvd_feed.json.gz, verify it against the published sha256 checksum, and place it in a user-defined repository.

<provider name="nvd">
   <enabled>yes</enabled>
   <url>http://local_repo/complete_nvd_feed.json.gz</url>
   <update_interval>1h</update_interval>
</provider>

To update locally, set the path of the downloaded file using a POSIX regular expression, for example:

<provider name="nvd">
    <enabled>yes</enabled>
    <path>/local_path/nvd-feed/complete_nvd_feed\.json\.gz$</path>
    <update_interval>1h</update_interval>
</provider>

MSU

To perform an offline update of the MSU feed, download msu-updates.json.gz, verify it against the published sha256 checksum, and place it in a user-defined repository.

<provider name="msu">
   <enabled>yes</enabled>
   <url>http://local_repo/msu-updates.json.gz</url>
   <update_interval>1h</update_interval>
</provider>

To update locally, set the path of the downloaded file using a POSIX regular expression, for example:

<provider name="msu">
   <enabled>yes</enabled>
   <path>/local_path/msu-updates\.json\.gz$</path>
   <update_interval>1h</update_interval>
</provider>

Sample Configuration

<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
        <enabled>yes</enabled>
        <os path="/local_path/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
        <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
        <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
        <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
        <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
        <enabled>yes</enabled>
        <os path="/local_path/oval-definitions-buster.xml.bz2">buster</os>
        <os path="/local_path/oval-definitions-bullseye.xml.bz2">bullseye</os>
        <os path="/local_path/oval-definitions-bookworm.xml.bz2">bookworm</os>
        <path>/local_path/security_tracker_local.json</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
        <enabled>yes</enabled>
        <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
        <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
        <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
        <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
        <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
        <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
        <enabled>yes</enabled>
        <path>/local_path/all\.json$</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
        <enabled>yes</enabled>
        <os path="/local_path/suse.linux.enterprise.server.11.xml.gz">11-server</os>
        <os path="/local_path/suse.linux.enterprise.desktop.11.xml.gz">11-desktop</os>
        <os path="/local_path/suse.linux.enterprise.server.12.xml.gz">12-server</os>
        <os path="/local_path/suse.linux.enterprise.desktop.12.xml.gz">12-desktop</os>
        <os path="/local_path/suse.linux.enterprise.server.15.xml.gz">15-server</os>
        <os path="/local_path/suse.linux.enterprise.desktop.15.xml.gz">15-desktop</os>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
        <enabled>yes</enabled>
        <os path="/local_path/updates_amazon-linux.json.gz">amazon-linux</os>
        <os path="/local_path/updates_amazon-linux-2.json.gz">amazon-linux-2</os>
        <os path="/local_path/updates_amazon-linux-2023.json.gz">amazon-linux-2023</os>
        <update_interval>1h</update_interval>
    </provider>

    <!-- AlmaLinux OS vulnerabilities -->
    <provider name="almalinux">
        <enabled>yes</enabled>
        <os path="/local_path/org.almalinux.alsa-8.xml">8</os>
        <os path="/local_path/org.almalinux.alsa-9.xml">9</os>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
        <enabled>yes</enabled>
        <path>/local_path/msu-updates\.json\.gz$</path>
        <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
        <enabled>yes</enabled>
        <path>/local_path/nvd-feed/complete_nvd_feed\.json\.gz$</path>
        <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
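Before pointing the Wazuh server at an offline layout like the sample above, it is worth checking that every path the configuration names actually resolves to a usable file: a .bz2 that is really plain XML, a missing Security Tracker JSON, a hole in the redhat-feed<number>.json run produced by the Red Hat update script, or an <os> entry left without path/url (which would make the provider fetch online) are all silent until the module logs a failed update. The following checker is an added example, not part of Wazuh; it parses the <provider> blocks of an ossec.conf fragment, treats the last path component of a <path> element as a regular expression the way the examples on this page do, and translates only the POSIX idioms those examples use ([[:digit:]], \+ and a trailing $). The build_demo function writes a constructed layout with deliberate defects under a temporary directory so the script runs offline.

```python
"""Offline feed layout checker for vulnerability-detector <provider> blocks.

Added example, not Wazuh code. Assumptions: the POSIX regex subset is the one
shown in the documentation ([[:digit:]], \\+, $) and only the last path
component of a <path> element is a regular expression.
"""
import bz2
import os
import re
import tempfile
import xml.etree.ElementTree as ET

MAGIC = {".gz": b"\x1f\x8b", ".bz2": b"BZh"}  # gzip and bzip2 signatures


def posix_to_python(pattern: str) -> str:
    """Translate the documented POSIX regex idioms into Python re syntax."""
    return pattern.replace("[[:digit:]]", r"\d").replace(r"\+", "+")


def expand_numbered(url: str, start: int, end: int) -> list:
    """Concrete names for a <url start=".." end=".."> using the [-] tag."""
    return [url.replace("[-]", str(n)) for n in range(start, end + 1)]


def match_path(spec: str) -> list:
    """Files matched by a literal or regex <path>; the directory part is literal."""
    directory, pattern = os.path.split(spec)
    if not os.path.isdir(directory):
        return []
    rx = re.compile(posix_to_python(pattern))
    return sorted(os.path.join(directory, f) for f in os.listdir(directory) if rx.fullmatch(f))


def magic_ok(path: str) -> bool:
    """A .gz/.bz2 file must start with the matching signature; other files pass."""
    ext = os.path.splitext(path)[1]
    if ext not in MAGIC:
        return True
    with open(path, "rb") as fh:
        return fh.read(len(MAGIC[ext])) == MAGIC[ext]


def sequence_gaps(files: list) -> list:
    """Numbers missing from a redhat-feed<N>.json run (the script writes 1..N)."""
    nums = {int(m.group(1)) for f in files if (m := re.search(r"(\d+)\.json$", f))}
    return [n for n in range(1, max(nums, default=0) + 1) if n not in nums]


def check_config(conf_path: str) -> list:
    """Return (provider, kind, detail) tuples; an empty list means all is well."""
    with open(conf_path, encoding="utf-8") as fh:
        # ossec.conf may contain several <ossec_config> roots; wrap so it parses.
        root = ET.fromstring("<root>" + fh.read() + "</root>")
    issues = []
    for prov in root.iter("provider"):
        name = prov.get("name", "?")
        for os_el in prov.findall("os"):
            p = os_el.get("path")
            if p is None:
                if os_el.get("url") is None:  # neither attribute: online fetch
                    issues.append((name, "online", f"<os>{os_el.text}</os> has no path/url"))
            elif not os.path.isfile(p):
                issues.append((name, "missing", p))
            elif not magic_ok(p):
                issues.append((name, "bad-magic", p))
        for path_el in prov.findall("path"):
            spec = (path_el.text or "").strip()
            files = match_path(spec)
            if not files:
                issues.append((name, "missing", spec))
                continue
            issues.extend((name, "bad-magic", f) for f in files if not magic_ok(f))
            if name == "redhat":
                issues.extend((name, "gap", f"redhat-feed{n}.json") for n in sequence_gaps(files))
        for url_el in prov.findall("url"):
            if "[-]" in (url_el.text or "") and not (url_el.get("start") and url_el.get("end")):
                issues.append((name, "range", url_el.text.strip()))
    return issues


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo() -> str:
    """Constructed layout with deliberate defects; returns the ossec.conf path."""
    d = tempfile.mkdtemp()
    rh = os.path.join(d, "rh-feed")
    os.mkdir(rh)
    _write(os.path.join(d, "com.ubuntu.focal.cve.oval.xml.bz2"), bz2.compress(b"<oval/>"))
    _write(os.path.join(d, "oval-definitions-bullseye.xml.bz2"), b"<oval/>")  # not bzip2
    for n in (1, 2, 4):  # redhat-feed3.json deliberately absent
        _write(os.path.join(rh, f"redhat-feed{n}.json"), b"[]")
    conf = f"""<ossec_config><vulnerability-detector>
  <provider name="canonical"><os path="{d}/com.ubuntu.focal.cve.oval.xml.bz2">focal</os></provider>
  <provider name="debian"><os path="{d}/oval-definitions-bullseye.xml.bz2">bullseye</os>
    <path>{d}/security_tracker_local.json</path></provider>
  <provider name="redhat"><path>{rh}/redhat-feed[[:digit:]]\\+\\.json$</path>
    <url start="1" end="3">http://local_repo/rh-feed/redhat-feed[-].json</url></provider>
  <provider name="almalinux"><os>8</os></provider>
</vulnerability-detector></ossec_config>"""
    conf_path = os.path.join(d, "ossec.conf")
    _write(conf_path, conf.encode("utf-8"))
    return conf_path


if __name__ == "__main__":
    for provider, kind, detail in check_config(build_demo()):
        print(f"{provider:10} {kind:10} {detail}")
```

Run it against the real file with check_config("/var/ossec/etc/ossec.conf") once the feeds are in place; the "gap" and "range" checks are the ones that matter for the Red Hat Security Data feed, since a missing redhat-feed<number>.json or a [-] URL without start/end leaves the sequence incomplete without any obvious error at configuration time.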