The following example shows how to configure the necessary components to run the vulnerability detection process.
Enable the agent module used to collect installed packages on the monitored system.
It can be done by adding the following block of settings to your shared agent configuration file:
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
</wodle>
If you want to scan for vulnerabilities in Windows agents, you will also have to enable the hotfixes scan, so the block becomes:
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
</wodle>
These scans are enabled by default. For more information about the inventory module, check Syscollector settings.
Enable the manager module used to detect vulnerabilities.
You can do this by adding a block like the following to your manager configuration file:
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>bionic</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
Remember to restart the manager to apply the changes.
Check Vulnerability detector settings for more details.
An alert can include the following fields; which of them appear depends on the provider that reported the vulnerability:
CVE: The Common Vulnerabilities and Exposures identifier for the corresponding vulnerability.
Title: Short description of the impact of the vulnerability.
Rationale: Broad description of the vulnerability.
Severity: Impact of the vulnerability in terms of security.
Package: Information about the affected package, including the reason why the package is marked as vulnerable.
Published: Date when the vulnerability was included in the official database.
Updated: Date of the last vulnerability update.
CWE: The Common Weakness Enumeration reference.
CVSS: Vulnerability assessment according to the Common Vulnerability Scoring System (versions 2 and 3).
Advisories IDs: Red Hat security advisories.
References: URLs with extra information on the vulnerability.
Bugzilla references: Links to the references of the vulnerability in Bugzilla.
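The CVSS field is not just a score: the detector also emits each metric of the vector as its own field (vulnerability.cvss.cvss2.vector.* and vulnerability.cvss.cvss3.vector.*), so a base_score can be checked against its vector before you triage on it. The Python below is an added example, not code from this page or from Wazuh. It recomputes the CVSS v2 and v3 base scores with the published CVSS v2 and v3.1 base-score equations from dictionaries whose keys are the alert's vector field suffixes (the detector reuses the v2 names access_complexity and availability for v3 as well). The two metric dictionaries are constructed from the vim alert shown further down this page.

```python
"""Recompute CVSS v2 and v3 base scores from the per-metric vector fields that
the vulnerability detector reports.  Key names and lower-case metric values
mirror the alert's cvss2.vector.* / cvss3.vector.* fields; the arithmetic is the
published CVSS v2 and CVSS v3.1 base-score equations."""
import math

# CVSS v2 metric weights.
CVSS2_AV = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
CVSS2_AC = {"high": 0.35, "medium": 0.61, "low": 0.71}
CVSS2_AU = {"multiple": 0.45, "single": 0.56, "none": 0.704}
CVSS2_CIA = {"none": 0.0, "partial": 0.275, "complete": 0.660}


def cvss2_base_score(v):
    """v maps the cvss2.vector.* suffixes to their values."""
    impact = 10.41 * (1 - (1 - CVSS2_CIA[v["confidentiality_impact"]])
                        * (1 - CVSS2_CIA[v["integrity_impact"]])
                        * (1 - CVSS2_CIA[v["availability"]]))
    exploitability = (20 * CVSS2_AV[v["attack_vector"]]
                      * CVSS2_AC[v["access_complexity"]]
                      * CVSS2_AU[v["authentication"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


# CVSS v3.1 metric weights.  Privileges Required depends on Scope.
CVSS3_AV = {"network": 0.85, "adjacent": 0.62, "local": 0.55, "physical": 0.2}
CVSS3_AC = {"low": 0.77, "high": 0.44}
CVSS3_PR = {"unchanged": {"none": 0.85, "low": 0.62, "high": 0.27},
            "changed": {"none": 0.85, "low": 0.68, "high": 0.50}}
CVSS3_UI = {"none": 0.85, "required": 0.62}
CVSS3_CIA = {"none": 0.0, "low": 0.22, "high": 0.56}


def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed on
    integers so floating-point noise cannot push a score up by 0.1."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss3_base_score(v):
    """v maps the cvss3.vector.* suffixes to their values (the detector keeps
    the v2 names access_complexity and availability for v3)."""
    scope = v["scope"]
    iss = 1 - ((1 - CVSS3_CIA[v["confidentiality_impact"]])
               * (1 - CVSS3_CIA[v["integrity_impact"]])
               * (1 - CVSS3_CIA[v["availability"]]))
    if scope == "unchanged":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = (8.22 * CVSS3_AV[v["attack_vector"]]
                      * CVSS3_AC[v["access_complexity"]]
                      * CVSS3_PR[scope][v["privileges_required"]]
                      * CVSS3_UI[v["user_interaction"]])
    if impact <= 0:
        return 0.0
    if scope == "unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def cvss3_rating(score):
    """Qualitative severity band defined by the CVSS v3 specification."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed input: the cvss2/cvss3 vector fields of the CVE-2019-12735 alert on this page.
VIM_CVSS2 = {"attack_vector": "network", "access_complexity": "medium",
             "authentication": "none", "confidentiality_impact": "complete",
             "integrity_impact": "complete", "availability": "complete"}
VIM_CVSS3 = {"attack_vector": "local", "access_complexity": "low",
             "privileges_required": "none", "user_interaction": "required",
             "scope": "changed", "confidentiality_impact": "high",
             "integrity_impact": "high", "availability": "high"}

if __name__ == "__main__":
    print("CVSS2 base:", cvss2_base_score(VIM_CVSS2))   # alert reports 9.3
    s3 = cvss3_base_score(VIM_CVSS3)
    print("CVSS3 base:", s3, cvss3_rating(s3))           # alert reports 8.6 / High
```

Both results agree with the base_score fields of the alert, and the v3 band matches its severity of High. The scope-changed branch is the one that matters for this CVE: a modeline in a file you open gives the attacker code execution outside vim's own security scope, which is why a local, user-interaction-required vector still scores 8.6.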
Here, you can see a real alert where the explained fields are filled:
** Alert 1591945867.49829472: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2020 Jun 12 07:11:07 (Debian) any->vulnerability-detector
Rule: 23505 (level 10) -> 'CVE-2019-12735 affects vim'
vulnerability.package.name: vim
vulnerability.package.version: 2:8.0.0197-4+deb9u1
vulnerability.package.architecture: amd64
vulnerability.package.condition: Package less than 2:8.0.0197-4+deb9u2
vulnerability.cvss.cvss2.vector.attack_vector: network
vulnerability.cvss.cvss2.vector.access_complexity: medium
vulnerability.cvss.cvss2.vector.authentication: none
vulnerability.cvss.cvss2.vector.confidentiality_impact: complete
vulnerability.cvss.cvss2.vector.integrity_impact: complete
vulnerability.cvss.cvss2.vector.availability: complete
vulnerability.cvss.cvss2.base_score: 9.300000
vulnerability.cvss.cvss3.vector.attack_vector: local
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: changed
vulnerability.cvss.cvss3.vector.confidentiality_impact: high
vulnerability.cvss.cvss3.vector.integrity_impact: high
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 8.600000
vulnerability.cve: CVE-2019-12735
vulnerability.title: CVE-2019-12735
vulnerability.rationale: getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
vulnerability.severity: High
vulnerability.published: 2019-06-05
vulnerability.updated: 2019-06-13
vulnerability.cwe_reference: CWE-78
vulnerability.references: ["http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html", "http://www.securityfocus.com/bid/108724", "https://access.redhat.com/errata/RHSA-2019:1619", "https://access.redhat.com/errata/RHSA-2019:1774", "https://access.redhat.com/errata/RHSA-2019:1793", "https://access.redhat.com/errata/RHSA-2019:1947", "https://bugs.debian.org/930020", "https://bugs.debian.org/930024", "https://github.com/neovim/neovim/pull/10082", "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md", "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040", "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/", "https://seclists.org/bugtraq/2019/Jul/39", "https://seclists.org/bugtraq/2019/Jun/33", "https://security.gentoo.org/glsa/202003-04", "https://support.f5.com/csp/article/K93144355", "https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_medium=RSS", "https://usn.ubuntu.com/4016-1/", "https://usn.ubuntu.com/4016-2/", "https://www.debian.org/security/2019/dsa-4467", "https://www.debian.org/security/2019/dsa-4487", "https://nvd.nist.gov/vuln/detail/CVE-2019-12735", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735"]
vulnerability.assigner: cve@mitre.org
vulnerability.cve_version: 4.0
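The package.condition field is the reason the package was flagged: here the installed 2:8.0.0197-4+deb9u1 is "less than" the fixed 2:8.0.0197-4+deb9u2 under Debian's version ordering, where the comparison is epoch, then upstream version, then Debian revision, with digit runs compared numerically and "~" sorting before anything else. The Python below is an added example, not code from this page or from Wazuh: it collects the vulnerability.* key/value lines of an alert body and re-evaluates the condition with a reimplementation of dpkg's version comparison, so you can reproduce the verdict offline or test whether a candidate package version would clear it. The sample alert is constructed from (and trimmed down to) the alert above; only the "Package less than" phrase appears on this page, and the other comparison phrases in the table are assumed forms.

```python
"""Parse the key: value fields of a vulnerability-detector alert and re-check
its package.condition against the installed version using dpkg's rules
(epoch:upstream-revision; digit runs compare numerically, '~' sorts before
anything, including the end of the string)."""
import re


def _order(c):
    """Weight of a character as in dpkg's verrevcmp(); digits weigh 0 like end-of-string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256          # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def deb_version_cmp(v1, v2):
    """Return -1, 0 or 1 for v1 <, == or > v2 under Debian version ordering."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


# Condition phrase -> predicate on cmp(installed, reference).  Only
# "Package less than" is shown on this page; the other phrases are assumed forms.
CONDITIONS = {
    "Package less than": lambda c: c < 0,
    "Package less or equal than": lambda c: c <= 0,
    "Package greater than": lambda c: c > 0,
    "Package greater or equal than": lambda c: c >= 0,
    "Package equal to": lambda c: c == 0,
}


def package_matches_condition(installed, condition):
    """True if the installed version satisfies the alert's condition string."""
    for phrase, pred in CONDITIONS.items():
        if condition.startswith(phrase + " "):
            reference = condition[len(phrase) + 1:].strip()
            return pred(deb_version_cmp(installed, reference))
    raise ValueError("unrecognised condition: " + condition)


def parse_alert_fields(text):
    """Collect the vulnerability.* 'key: value' lines of an alert body."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(vulnerability\.[\w.]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_alert(text):
    """(cve, package name, condition still holds) for one alert body."""
    f = parse_alert_fields(text)
    hit = package_matches_condition(f["vulnerability.package.version"],
                                    f["vulnerability.package.condition"])
    return f["vulnerability.cve"], f["vulnerability.package.name"], hit


# Constructed input: header and package fields of the vim alert shown above, trimmed.
SAMPLE_ALERT = """\
** Alert 1591945867.49829472: - vulnerability-detector,pci_dss_11.2.1,
2020 Jun 12 07:11:07 (Debian) any->vulnerability-detector
Rule: 23505 (level 10) -> 'CVE-2019-12735 affects vim'
vulnerability.package.name: vim
vulnerability.package.version: 2:8.0.0197-4+deb9u1
vulnerability.package.architecture: amd64
vulnerability.package.condition: Package less than 2:8.0.0197-4+deb9u2
vulnerability.cve: CVE-2019-12735
vulnerability.severity: High
"""

if __name__ == "__main__":
    print(check_alert(SAMPLE_ALERT))   # ('CVE-2019-12735', 'vim', True)
```

Feeding the fixed version through package_matches_condition returns False, which is exactly what the detector will conclude on the next scan after the package is upgraded; the version comparison is the piece to get right, since a naive string or float comparison misorders epochs, "~" pre-releases and multi-digit components like 2.10 versus 2.9.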
Finally, here you can see how the highlighted fields of the alert look in the WUI:
You can also check the Vulnerabilities dashboard, where you can select each agent to have an overview of its status.