Vulnerabilities report

Julio Aguilera

unread,

Dec 7, 2022, 4:10:29 AM12/7/22

to Wazuh mailing list

Hi All,

I need to generate a report about active vulnerabilities of all my agents, i can see active vulnerabilities if i select agent by agent, but i need a report of all.

How can i do this report, any suggestions?

Chema Martinez

unread,

Dec 7, 2022, 4:31:33 AM12/7/22

to Wazuh mailing list

Hi JCaguilerat,

Unfortunately, right now the only option to generate reports from the vulnerability scanner and others components such as SCA, is agent by agent.

We are aware of this limitation and this is currently being discussed with the team in several open issues:

#1577: this issue is about combining reports
#3664: this is the same request as yours but for the active configuration of each agent
#4431: here the request is to reimplement the global dashboard that was removed in 4.2.0. It was removed because the vulnerability scanner was redesigned for 4.2.0, storing the vulnerability report for each agent in databases to keep track of the status, instead of triggering the full report for every scan in form of alerts. We are aware that the global dashboard was useful for many users so we will try to reinclude it ASAP.

I recommend you open a new issue in that repository with your use case and your feature request, so the team can include it in the UI roadmap. In addition, don't hesitate to ask if you have further doubts.

As a workaround, you may include any external integration/script that obtains the vulnerability report directly from the agents' databases, which are located in the Wazuh managers. If you are interested in this solution I can provide more details.

Kind regards,

Chema.

Lorenzo Miguel Elguea Fernandez

unread,

Dec 7, 2022, 10:02:33 AM12/7/22

to Julio Aguilera, Wazuh mailing list

Hi, i make a code in Java using Wazuh API.

First, get all agents and for each agent, show vulnerabilities.

https://github.com/lelguea/Wazu

Greetings From Mexico

Lorenzo Elguea Fernández
Director de Ciberseguridad UP

. . . . . . . . . . . . . . . . . . . . . . . . . . .

Transformación Digital

Intercampus - CDMX
lel...@up.edu.mx
T. 55 5482 1666

Ext. 5500

up.edu.mx
TWITTER | FACEBOOK | INSTAGRAM | LINKEDIN

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/911f9f01-c883-4bf6-82fb-6633825541ffn%40googlegroups.com.

^{AVISO DE
PRIVACIDAD: Las instituciones pertenecientes al Sistema UP-IPADE
utilizarán cualquier dato personal expuesto en el presente correo
electrónico, única y exclusivamente para cuestiones académicas,
administrativas, de comunicación, o bien para las finalidades expresadas
en cada asunto en concreto, esto en cumplimiento con la Ley Federal de
Protección de Datos Personales en Posesión de los Particulares. Para
mayor información acerca del tratamiento y de los derechos que puede
hacer valer, usted puede acceder al aviso de privacidad integral a
través de nuestras páginas de Internet: www.up.edu.mx / prepaup.up.edu.mx / www.ipade.mx / www.ipadealumni.com.mx
La información contenida en este correo es privada y confidencial, dirigida exclusivamente a su destinatario. Si usted no es el destinatario del mismo debe destruirlo y notificar al remitente absteniéndose de obtener copias, ni difundirlo por ningún sistema, ya que está prohibido y goza de la protección legal de las comunicaciones.}

moosemaimer

unread,

Dec 7, 2022, 10:04:05 AM12/7/22

to Wazuh mailing list

I wrote a Python script that returns a summary of the vulnerabilities of all the agents, you can try it out. Replace the login information with the IP and credentials for your server:

# Configuration
protocol = 'https'
host = 'XXX.XXX.XXX.XXX' # Supply server address
port = 55000
user = 'username' # Supply API credentials
password = 'password'

vuln_dash.py

Aykhan Huseynli

unread,

Jan 16, 2023, 3:36:14 PM1/16/23

to Wazuh mailing list

Thanks for providing such a great script. I tested it and it runs perfectly fine. However, is there any way to retrieve info about all of the agents regardless of their status? Right now it filters active agents only. And also is there a simple way to see Agent ID, Agent name, Package, Vulnerability and severity at one line?

I'd be glad if you provided some tips. Have a nice day!

Best,

Raphael Pepi

unread,

Jan 16, 2023, 10:20:31 PM1/16/23

to Wazuh mailing list

Has this had any updates or refinements since October?

moosemaimer

unread,

Jan 17, 2023, 10:23:18 AM1/17/23

to Wazuh mailing list

I've made a few changes to the script... if you wanted to get results for all the agents regardless of their status, you could change line 118 to be

login_endpoint = f"agents/?status=active,pending,never_connected,disconnected&select=id,name{group}"

I could look into adding a "long" command that would return all the information for every vulnerability on each agent.

vuln_dash.py

moosemaimer

unread,

Jan 17, 2023, 10:52:26 AM1/17/23

to Wazuh mailing list

OK that didn't take long, the program now has a --long option that returns all the vulnerabilities, ordered by agent, as a CSV.

vuln_dash.py

Aykhan Huseynli

unread,

Jan 17, 2023, 11:59:27 AM1/17/23

to Wazuh mailing list

Thank you for your quick response and for making the changes to the script. I appreciate the addition of the "long" command, it will be very helpful in understanding the overall situation across the agents.

PS
I need to learn python asap :)

Anil Guruvadeyar

unread,

Jul 9, 2023, 2:42:56 AM7/9/23

to Wazuh mailing list

Dear Sir,

I am new in Wazuh. Can anyone guide me how I use this code and where. Please guide if possible.

Thanks

moosemaimer

unread,

Jul 10, 2023, 2:40:12 PM7/10/23

to Wazuh mailing list

So this has had a substantial rework into a script which prints on the terminal, a script that uses a GUI, and a common library. The library file needs to be edited with the server's IP and the login for your manager (the default for an unmodified install would be user=wazuh:pw=wazuh), and you need the requests, urllib3, and matplotlib libraries installed in Python >=3.10 in order to run it. I recommend running it on Windows as not to mess with the system Python on a Linux machine, unless you want to create a venv. You need an install of Python, install the libraries with python -m pip install requests urllib3 matplotlib, and then run the program from the command line as python -m vuln_dash.py or python -m vuln_gui.py.

vuln.zip

moosemaimer

unread,

Jul 11, 2023, 9:51:34 AM7/11/23

to Wazuh mailing list

Scratch that, you can either run python -m vuln_dash or python vuln_dash.py

Kudret ÇAĞLAYAN

unread,

Aug 7, 2023, 10:41:47 AM8/7/23

to Wazuh mailing list

Hello, Can you help me to write the server configurations in the last script you shared?

10 Temmuz 2023 Pazartesi tarihinde saat 21:40:12 UTC+3 itibarıyla moosemaimer şunları yazdı:

moosemaimer

unread,

Aug 8, 2023, 9:21:19 AM8/8/23

to Wazuh mailing list

In the file vuln_lib.py in the section marked #Configuration, fill out the following fields with the information for your server:

host = 'XXX.XXX.XXX.XXX' # this is the manager's IPv4 address

user = 'XXX' # this is the login for the Wazuh API, not the Elastic/Opensearch user

password = 'XXX'

Eventually that section will be removed from the program and a different mechanism used to store&retrieve credentials, just as soon as I can decide on a reasonably user-friendly and secure library.

Salma BERHIL

unread,

Sep 14, 2023, 10:17:59 AM9/14/23

to Wazuh | Mailing List

can someone please provide a screenshot of what this script return ?

moosemaimer

unread,

Sep 15, 2023, 9:56:19 AM9/15/23

to Wazuh | Mailing List

The terminal-based application returns results like this:

F:\python\vuln_dash>python vuln_dash.py -n firefox

List of agent IDs and number of vulnerabilities on each:

Agent Crit High Medium Low Untr. Total Name
000 0 15 5 2 0 22 XXXXX
001 0 0 0 0 0 0 XXXXX
004 0 3 7 1 0 11 XXXXX
005 0 0 0 0 0 0 XXXXX
007 3 16 18 1 0 38 XXXXX

List of results by severity:

230 Medium
186 High
27 Critical
21 Low

Total number detected: 4

List of results by name:

198 Mozilla Firefox (x64 en-US), less than 117.0
117 Mozilla Firefox (x64 en-US), less than 116.0
117 Mozilla Firefox (x64 en-US), less than 115.0
12 firefox, Package less than 102.15.0-1.el7_9
9 firefox, Package less than 102.14.0-1.el7_9
9 Mozilla Firefox (x64 en-US), less than 115.0.2
1 firefox, Package unfixed
1 expat, Package less than 2.1.0-12.el7

Total number detected: 8

List of results by cve:

19 CVE-2023-4585
19 CVE-2023-4584
19 CVE-2023-4583
<...>

Total number detected: 40

F:\python\vuln_dash>python vuln_dash.py -n firefox --long
Agent,Name,Package,Severity,CVE,Condition
000,"XXXXX","firefox",High,CVE-2022-3266,"Package unfixed"
000,"XXXXX","firefox",High,CVE-2023-4045,"Package less than 102.14.0-1.el7_9"
000,"XXXXX","firefox",High,CVE-2023-4046,"Package less than 102.14.0-1.el7_9"
000,"XXXXX","firefox",High,CVE-2023-4047,"Package less than 102.14.0-1.el7_9"
000,"XXXXX","firefox",High,CVE-2023-4048,"Package less than 102.14.0-1.el7_9"
000,"XXXXX","firefox",High,CVE-2023-4049,"Package less than 102.14.0-1.el7_9"

And this is the result of the GUI program with the default of 10 returns:

Message has been deleted

moosemaimer

unread,

Sep 15, 2023, 10:50:23 AM9/15/23

to Wazuh | Mailing List

Yes, you just have to install Python on that machine. https://www.python.org/

On Friday, September 15, 2023 at 10:32:54 AM UTC-4 Salma BERHIL wrote:

is there a way to use this script on a windows machine that have access to wazuh plateform ?

Message has been deleted

Arjun Joshi

unread,

Feb 14, 2024, 7:17:33 AM2/14/24

to Wazuh | Mailing List

What about updates like Windows 10 or Wazuh Agent? Whenever we add space, it throws an error and if we don't add space, the .py runs but it can't find it.

moosemaimer

unread,

Feb 14, 2024, 9:18:11 AM2/14/24

to Wazuh | Mailing List

The API is incredibly finicky with spaces, even testing in the console on the server if I query GET vulnerability/xxx&search="windows" I get hits for "Windows 7", but &search"windows 7" returns nothing. I'm not sure why, but if you use the vuln_dash.py console script and put the query in quotes, like python vuln_dash.py -n "Windows 7" it does work.

moosemaimer

unread,

Feb 14, 2024, 12:07:22 PM2/14/24

to Wazuh | Mailing List

So in doing some testing, I found if a query with a space is the last thing in the request, it doesn't work; but if you have anything after that it parses correctly. So, in the file vuln_lib.py, if you change line 94 to be login_endpoint= f"?limit=10000{filters}&select=cve,name,severity,condition" you can use queries with spaces. Maybe some kind of issue with the tokenizer in the API, I couldn't say.

Arjun Joshi

unread,

Feb 19, 2024, 1:13:56 AM2/19/24

to Wazuh | Mailing List

Hey, thank you for your response and yes searching it in double quotes works. I tested it and it runs. So, I have one more question, when we currently run the vuln_dash.py file, we get the results :

This is fine, if we have less than 200 machines on Wazuh server, but if there are let's say around 5000 machines then this can become a tedious task, is it possible for you to give a different format here, for example something like :

List of agent IDs and number of vulnerabilities on each:

Agent Crit High Medium Low Untr. Total Name IP FIREFOX MSOFFICE WAZUH-AGENT WINDOWS 10
000 0 15 5 2 0 22 XXXXX XXXX 2 5 1 25
001 0 0 0 0 0 0 XXXXX XXXX 0 4 0 7
004 0 3 7 1 0 11 XXXXX XXXX 5 4 9 6
005 0 0 0 0 0 0 XXXXX XXXX 10 3 12 2
007 3 16 18 1 0 38 XXXXX XXXX 2 2 13 3

Where even the vulnerabilities are shown in the main table alongside the machines, all vulnerabilities in one command? And list of results by CVE is not required for such a amount of machines. And if there is a way to change the format of the List of results by name? Do you get what I'm trying to convey here?

moosemaimer

unread,

Feb 20, 2024, 9:39:18 AM2/20/24

to Wazuh | Mailing List

How many results would be too many, though? If there were 100 or 1000 or whatever package names in the list, would you want the results to have 1000 columns? And how would it format when the name is something like "Microsoft Visual Studio 2010 Tools For Office Runtime (x64)"?

All of this is basically a stopgap measure now since 4.8 is going to have a reworked module that allows visualizing all the agents at once again.

Arjun Joshi

unread,

Feb 23, 2024, 4:18:06 AM2/23/24

to Wazuh | Mailing List

Yeah, I understand that and also wazuh 4.8 adds these features. But we just took a huge downtime to upgrade the server to 4.7 and I don't think we can do it again for a long time, as there are over 4300 machines. Regarding the format issues when there is something like Microsoft Visual Studio 2010 Tools For Office Runtime, I get that, but with so many machines, it would still take less time to go through multiple columns and we mostly get basic stuff like macOS or windows 10, chrome, firefox etc
So, I mean if you can think about it and if you can help me out, it would be of great help.

moosemaimer

unread,

Feb 27, 2024, 12:29:45 PM2/27/24

to Wazuh | Mailing List

OK, by adding the columnar package (which must be added with pip install columnar) I have put together a version of the file with a '--full' option. It compiles all the data into a table with counts for each package. There are a variety of options that can be tweaked for the display method, I just went with what seems to work. Highly recommend redirecting output to a text file, and then opening it with a competent editor like Notepad++.

vuln_dash_with_full.py

moosemaimer

unread,

Feb 27, 2024, 12:39:58 PM2/27/24

to Wazuh | Mailing List

Scratch that, I didn't like the random nature of the table, so now the results are in alphabetical order.

vuln_dash_with_full.py

Abhi

unread,

Feb 28, 2024, 5:27:46 AM2/28/24

to Wazuh | Mailing List

Hi All,

Looking for consolidated list of all CVEs associated with very agent along with "DATE FIRST REPORTED" and "DATE LAST SEEN" for each CVE on the asset/agent. Has anyone been able to explore getting these details. It would be really helpful if someone could advise. Thanks in advance

Thanks!

moosemaimer

unread,

Mar 1, 2024, 2:11:58 PM3/1/24

to Wazuh | Mailing List

BUGFIX

Program would crash if an agent reported 0 vulnerabilities (i.e. when filtering), will now correctly return a list of all 0s.

vuln_dash_with_full.py

Commercial League

unread,

Mar 14, 2024, 11:26:09 AM3/14/24

to Wazuh | Mailing List

Hi,

I am trying to run this vuln_dash_with_full.py on windows machine and I was wondering how to install vuln_lib because of the error:

Error: ensure necessary modules are installed: No module named 'vuln_lib'

Is it part of some package or standalone file?

Thank you in advance,

Nikolay

moosemaimer

unread,

Mar 15, 2024, 10:20:19 AM3/15/24

to Wazuh | Mailing List

That was a modified version of part of a package, attached here. Instructions for use are in the README.

vuln_lib.zip

Arjun Joshi

unread,

Apr 11, 2024, 7:25:09 AM4/11/24

to Wazuh | Mailing List

Hi, I ran the vuln_dash_with_full file and I have installed columnar, here are the results :

Now let's say there is an agent called 'watch', based on the above format, the result looks like this:

| 000 | watch | 5 | 11 | 21 | 11 | 0 | 48 | 0 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 8 | 3 | 3 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 2 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
|-----|-----------------|-----|-----|------|-----|---------|-----|-------|--------|------|----------|--------|---------------|-------------------------|-----|----------|-----------|--------|-----------------|--------------|--------|---------|-----|-----|-----------------|--------|---------|---------|-----|----------------|-----|-------------------|-------------------------|--------|---------------------|------------|-----------------------|-------------------------|-----------|--------------------|-----------------|---------------|------------|------------|------------|-------------|------------|-------------|-----------|-----------|-------------|-------|-----------------|----------------------------|---------|-------|----------|-------------|-------|---------|-----------|-----------------|--------------|--------|----------|-------------|------|---------|---------------|---------|-----------------------------|-------|-------------------|--------|----------------|-------------|-----------------|----------------|----------|-------------|---------------------|---------------------------|---------------------|---------|-------|------------|----------------------|------------|-------------|-------------|------------|---------------|-------------|-------------|------------|--------------------|-------------------|-------|------------|---------|-----------|--------|------------|--------------|-----------|----------|-------|-----------|-----------|------------|--------|-----|---------------------------|------|--------------|--------------|-------------------|----------|----------------|-----|-------------------|----------------------|------------------|-------------------|------------------|-----|-----------|----------------------|---------|-----------------|--------------|-----------------|-----------------|----------------------|----------------|----------------|----------|------------|-----------|-----|----------|--------|----------|------|--------------|--------------|-----|-----|----------------|-------|--------|--------|-----------------------|---------------|-----------------|-------------|----------------|-----------------|-----------------------|-------------------------|------------------------|------------------|-----------|----------|---------|-----|--------------|--------------|-----------------|-------------------|--------|

While I want the format to be simple like :

Agent Crit High Medium Low Untr. Total Name IP FIREFOX MSOFFICE WAZUH-AGENT WINDOWS 10
000 0 15 5 2 0 22 XXXXX XXXX 2 5 1 25
001 0 0 0 0 0 0 XXXXX XXXX 0 4 0 7
004 0 3 7 1 0 11 XXXXX XXXX 5 4 9 6
005 0 0 0 0 0 0 XXXXX XXXX 10 3 12 2
007 3 16 18 1 0 38 XXXXX XXXX 2 2 13 3

I don't mind if there are many columns.

Arjun Joshi

unread,

Apr 11, 2024, 7:28:47 AM4/11/24

to Wazuh | Mailing List

*sorry, I don't mind many rows and columns

moosemaimer

unread,

Apr 11, 2024, 11:33:50 AM4/11/24

to Wazuh | Mailing List

The columnar package has a lot of options, like I mentioned, and that was just what I arrived at after a short amount of testing. The specific line in the program is:

table = columnar(results, headers, no_borders=False,
terminal_width=999999, justify='c')

If you want the output to be closer to that specific format, try setting no_borders=True and justify='l' and see if that works.

Arjun Joshi

unread,

Apr 22, 2024, 4:33:27 AM4/22/24

to Wazuh | Mailing List

Hey, thank you, it worked. Ummmmm, well I need to create a custom dashboard via Python, with all the elements being applied from the code above. I don't want to use the GUI from the code above, as it is not presentable. Custom dashboard via the code you have given, maybe using Matlab, something like : Screenshot 2024-04-22 140224.png

Emrah Uludag

unread,

May 30, 2024, 3:10:36 AM5/30/24

to Wazuh | Mailing List

Hello moosemaimer

In addition to the sca report, is there any chance that we can get an export that we can see in detail which rules I have shared below are failed passed? We need information about which rules we need to do when fixing servers.

Thanks for help.

22 Nisan 2024 Pazartesi tarihinde saat 11:33:27 UTC+3 itibarıyla Arjun Joshi şunları yazdı:

moosemaimer

unread,

Jun 7, 2024, 2:00:52 PM6/7/24

to Wazuh | Mailing List

I put together a script to gather SCA results, it writes output to a file in JSON format for analysis using a tool of your choice. Arguments are similar to the other script: a single group can be queried, and you can specify either returning only the summary for each agent, or only the failed results, if you choose. Requires the same libraries, and the same server address/credential setup before running.

sca_dash.py

Hatem Enaami

unread,

Jul 16, 2024, 11:59:15 AM7/16/24

to Wazuh | Mailing List

Is there any other way to get report from the wazuh 4.8 dashboard?

TheLotus 24

unread,

Jul 16, 2024, 2:49:39 PM7/16/24

to Wazuh | Mailing List

You can help? I try to use the script but I get an authentication error. I am entering correct credentials

Captura de pantalla 2024-07-16 123827.png

moosemaimer

unread,

Jul 17, 2024, 2:40:39 PM7/17/24

to Wazuh | Mailing List

If you can't get past the first API call, you should make sure that the user exists and that you are absolutely using the correct password. What version of Wazuh are you running? Is it a distributed install or all-in-one? The script has to be pointed at the wazuh-manager machine, not the wazuh-indexer or wazuh-dashboard, if it isn't.

You could also try creating a new user and assigning it the "read-only" permission and nothing else, and logging in as that user.

Brummbär

unread,

Jun 7, 2025, 1:25:08 PM6/7/25

to Wazuh | Mailing List

Hi, for an upcoming security audit I need a vulnerability report and I was wondering if it would be possible to create a script (eg. In Python) that displays a table of vulnerability information:

agent_id

Package name

Date when the package was installed

Date when the vulnerability was published for the package

Date of the last vulnerability scan of the package

Date when the vulnerable package was detected as active

Date when the vulnerable package was detected as resolved

Current status of the package vulnerability (active/resolved)

Some testing was done with queries like the following, but I wasn't able to put all of this together into the report I need:

GET wazuh-alerts-4.x-*/_search

{

"size": 9000,

"query": {

"bool": {

"must": [

{

"match": {

"data.vulnerability.status": "Active"

}

},

{

"term": {

"agent.id": "001"

}

]

}

And

GET /syscollector/001/packages

These queries provide some information, but I'm not a developer and don't know how to use these data sources to create the report I need.