Wazuh Microsoft server 2016 vulnerability scan not working


Suresh_ Kumar_J
Jan 6, 2024, 10:02:50 PM
to Wazuh | Mailing List
Hi all,

Thanks for the wonderful application Wazuh.

I installed Wazuh and added agents as per the documentation.

I enabled the vulnerability detector.

But the scan happened only once. After that it should run every 6 hours as per the ossec.conf file, but it's not happening.

Can anyone please resolve the issue?

Thanks in advance 

Olusegun Adenrele Oyebo
Jan 7, 2024, 8:24:59 AM
to Wazuh | Mailing List
Hello Suresh,

Thank you for using Wazuh!

It seems you're referring to the <min_full_scan_interval> tag, which is configured in the ossec.conf file on the Wazuh manager server and is by default set to 6 hours. Please note that this option means the time during which a full scan will not be performed even if the vulnerability database is updated. When the time expires, a full scan will be performed only if the CVE database has changed, i.e. there has to be an update in the CVE database for a full scan to be done. You can check the below links as reference:
I hope this provided clarity. Do not hesitate to reach out again if you have any other query.

Best Regards.

Suresh_ Kumar_J
Jan 15, 2024, 7:22:24 AM
to Olusegun Adenrele Oyebo, Wazuh | Mailing List
Hi Olusegun, 

Sorry for the late reply. I am new to Wazuh. Thanks for the comments. Just to clarify:
1. So, the Wazuh server requires a constant internet connection, so when the CVE database updates it will get reflected on my server, right?
2. Are there any specific sites or ports I need to allow into my server, or is it better to keep it open for all internet connections? Currently I have blocked internet connections to the server via the firewall; I only allowed SMTP. Because the whole point of installing Wazuh is safety, I am asking this question. Currently my server is on Ubuntu 22. Please help me to keep to best practice. I am ready to provide more details if needed...


Thanks in advance


Suresh Kumar Jeyaraj



Olusegun Adenrele Oyebo
Jan 21, 2024, 11:40:46 AM
to Wazuh | Mailing List
Hello Suresh,

Sorry for the late response.

1. So, the Wazuh server requires a constant internet connection, so when the CVE database updates it will get reflected on my server, right?

   Yes, the Wazuh server needs internet access to download vulnerability updates, and the updates will be downloaded to the Wazuh server.

2. Are there any specific sites or ports I need to allow into my server, or is it better to keep it open for all internet connections? Currently I have blocked internet connections to the server via the firewall; I only allowed SMTP. Because the whole point of installing Wazuh is safety, I am asking this question. Currently my server is on Ubuntu 22. Please help me to keep to best practice. I am ready to provide more details if needed.

   If you have concerns with regard to giving open internet access to your Wazuh server, you can make use of the offline updater, which keeps your vulnerability feeds updated. The steps involve downloading the specific vulnerability files and configuring the Wazuh server to locate them. You can place the feeds in a custom location, compressed in gz or bzip2 or decompressed in XML or JSON, depending on the original format of the feed. The configurations are all set in the Wazuh server /var/ossec/etc/ossec.conf file.

For example, to perform an offline update of the Windows MSU, you must get the feed from msu-updates.json.gz and place it in a user-defined repository:
<provider name="msu">
   <enabled>yes</enabled>
   <url>http://local_repo/msu-updates.json.gz</url>
   <update_interval>1h</update_interval>
</provider>

If you want to update locally, set the path of the downloaded files using a POSIX regular expression, for example:
<provider name="msu">
   <enabled>yes</enabled>
   <path>/local_path/msu-updates\.json\.gz$</path>
   <update_interval>1h</update_interval>
</provider>


Also note that after making a change in the /var/ossec/etc/ossec.conf file, you have to restart the Wazuh manager service for the change to take effect, with the command systemctl restart wazuh-manager.

You can also check the below link on how you can configure the /var/ossec/etc/ossec.conf file to pull feeds for Canonical, Debian, Red Hat, etc.
I hope this provided clarity. Do not hesitate to reach out again if you have any other query.

Best Regards.
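As an added check (a constructed example, not code from this thread or from Wazuh), the following Python parses the vulnerability-detector block of an ossec.conf and reports whether each enabled provider has a usable <url> or a <path> regex that matches a file in the local feed directory. The matching rule it assumes (regex tested against full file paths in the directory given by the regex's literal prefix) is an assumption, and the sample configuration is constructed from the block quoted above.

```python
# Constructed example, not code from this thread or from Wazuh: sanity-check
# the <provider> blocks of a Wazuh 4.x vulnerability-detector config before
# restarting the manager. Assumes Wazuh tests the <path> regex against full
# paths of files in the directory given by the regex's literal prefix.
# ossec.conf has several top-level elements, so a synthetic root wraps it.
import os
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the thread's offline <provider name="msu"> block.
SAMPLE_CONF = """
<vulnerability-detector>
  <enabled>yes</enabled>
  <provider name="msu">
    <enabled>yes</enabled>
    <path>/local_path/msu-updates\\.json\\.gz$</path>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
"""


def check_providers(conf_text, listdir=os.listdir):
    """Map each enabled provider name to 'url', 'path-ok', 'path-no-match',
    'bad-regex' or 'no-source'. listdir is injectable for offline testing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    results = {}
    for prov in root.iter("provider"):
        name = prov.get("name")
        if (prov.findtext("enabled") or "no").strip() != "yes":
            continue  # disabled providers are never fetched
        url, path = prov.findtext("url"), prov.findtext("path")
        if url:
            results[name] = "url"
        elif not path:
            results[name] = "no-source"
        else:
            try:
                rx = re.compile(path.strip())
            except re.error:
                results[name] = "bad-regex"
                continue
            directory = os.path.dirname(path.strip().rstrip("$")) or "."
            try:
                files = listdir(directory)
            except OSError:  # missing feed directory counts as no match
                files = []
            hit = any(rx.search(os.path.join(directory, f)) for f in files)
            results[name] = "path-ok" if hit else "path-no-match"
    return results
```

Run check_providers() against the real file contents on the manager; any status other than 'url' or 'path-ok' is worth fixing before running systemctl restart wazuh-manager.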

Suresh_ Kumar_J
Jan 22, 2024, 8:10:06 AM
to Olusegun Adenrele Oyebo, Wazuh | Mailing List
Hi Olusegun,

Can you please respond to the above query... Thanks in advance 

Olusegun Adenrele Oyebo
Jan 25, 2024, 2:15:25 AM
to Wazuh | Mailing List
Hello Suresh, 

Sorry for the late response. I responded to your query on the 21st of January, but for some reason you didn't see it. Kindly find below my responses:
1. So, the Wazuh server requires a constant internet connection, so when the CVE database updates it will get reflected on my server, right?

   Yes, the Wazuh server needs internet access to download vulnerability updates, and the updates will be downloaded to the Wazuh server.

2. Are there any specific sites or ports I need to allow into my server, or is it better to keep it open for all internet connections? Currently I have blocked internet connections to the server via the firewall; I only allowed SMTP. Because the whole point of installing Wazuh is safety, I am asking this question. Currently my server is on Ubuntu 22. Please help me to keep to best practice. I am ready to provide more details if needed.

   If you have concerns with regard to giving open internet access to your Wazuh server, you can make use of the offline updater, which keeps your vulnerability feeds updated. The steps involve downloading the specific vulnerability files and configuring the Wazuh server to locate them. You can place the feeds in a custom location, compressed in gz or bzip2 or decompressed in XML or JSON, depending on the original format of the feed. The configurations are all set in the Wazuh server /var/ossec/etc/ossec.conf file.

For example, to perform an offline update of the Windows MSU, you must get the feed from msu-updates.json.gz and place it in a user-defined repository:
<provider name="msu">
   <enabled>yes</enabled>
   <url>http://local_repo/msu-updates.json.gz</url>
   <update_interval>1h</update_interval>
</provider>

If you want to update locally, set the path of the downloaded files using a POSIX regular expression, for example:
<provider name="msu">
   <enabled>yes</enabled>
   <path>/local_path/msu-updates\.json\.gz$</path>
   <update_interval>1h</update_interval>
</provider>

Also note that after making a change in the /var/ossec/etc/ossec.conf file, you have to restart the Wazuh manager service for the change to take effect, with the command systemctl restart wazuh-manager.

You can also check the below link on how you can configure the /var/ossec/etc/ossec.conf file to pull feeds for Canonical, Debian, Red Hat, etc.
I hope this provided clarity. Do not hesitate to reach out again if you have any other query.

Best Regards.

Suresh_ Kumar_J
Jan 25, 2024, 1:13:43 PM
to Olusegun Adenrele Oyebo, Wazuh | Mailing List
Thanks Olusegun for your support. I will definitely try your suggestions.
