Vulnerability Detection Not Clearing Properly
164 views
Skip to first unread message
Matthew M.
Nov 3, 2023, 2:07:03 PM11/3/23
to Wazuh | Mailing List
I have several servers I'm attempting to resolve found vulnerabilities and when I go and do my own check the vulnerabilities are all remediated, but are not falling off within the Vulnerability detections:
When I go to the events it only shows the active vulnerabilities I know exist on this server:
How can I manually remove these vulnerabilities?
Version is 4.5.4.
Santiago David Vendramini
Nov 3, 2023, 3:24:57 PM11/3/23
to Wazuh | Mailing List
Hi! I'm reviewing this, I will answer you ASAP!
Santiago David Vendramini
Nov 6, 2023, 7:52:38 AM11/6/23
to Wazuh | Mailing List
Hello, what do you mean by ""when I go and do my own check the vulnerabilities are all remediated"? According to the screenshots, 4 of the vulnerabilities are related to grub. Did you try to update grub?
Matthew M.
Nov 7, 2023, 11:28:45 AM11/7/23
to Wazuh | Mailing List
I'm talking about the other mass of vulnerabilities such as this one:
When I attempt to go and verify that SAMBA exists on the target machine I get the following output:
Yet the vulnerability NEVER clears from the dashboard and I do not see a way to remove the vulnerability manually.
When I attempt to go and verify that SAMBA exists on the target machine I get the following output:
Yet the vulnerability NEVER clears from the dashboard and I do not see a way to remove the vulnerability manually.
Santiago David Vendramini
Nov 8, 2023, 8:53:53 AM11/8/23
to Wazuh | Mailing List
Hi! The first time you ran these checks, was the application installed? Was another full scan run after November 3?
One way to see if the vulnerability was indeed fixed is to see if it is present in the database by running this query in the manager: sqlite3 /var/ossec/queue/db/agent_id.db 'select * from vuln_cves'
Matthew M.
Nov 8, 2023, 12:24:21 PM11/8/23
to Wazuh | Mailing List
The full scans run every 24-hours.
The application was not installed ever.
The application was not installed ever.
The vulnerability is listed in the agent_id.db through what you've specified below. I can verify with 100% that all but four of the vulnerabilities listed are there incorrectly. Is there a method for me to go about cleaning this up and running another scan?
Santiago David Vendramini
Nov 10, 2023, 8:01:51 AM11/10/23
to Wazuh | Mailing List
Hi! If the vulnerability appears in the database, it will be detected with each new scan, so there is no point in removing it. If these vulnerabilities are false positives, I encourage you to create an issue at https://github.com/wazuh/wazuh/issues detailing the scenario as best as possible:
- Operating System
- Wazuh version
- Package inventory
- Vulnerabilities detected
This will allow for a more in-depth analysis of the case.
- Operating System
- Wazuh version
- Package inventory
- Vulnerabilities detected
This will allow for a more in-depth analysis of the case.
Reply all
Reply to author
Forward
0 new messages