Good morning, Team!
I have seen a lot of posts regarding problems around Vulnerability Detector and I am adding to the list. Below is a triage of what I have done so far, but success eludes me. May I kindly request the Wazuh Team to help in this matter. I have tried installing Wazuh Manager (WM) using both methods, package and source. The events posted below are from a test instance running compiled source, version 4.3.6.
Any help would be appreciated, please. Thank you!
SJ
{
"os": {
"build": "19044",
"major": "10",
"minor": "0",
"name": "Microsoft Windows 10 Pro",
"platform": "windows",
"uname": "Microsoft Windows 10 Pro",
"version": "10.0.19044"
},
"status": "active",
"manager": "ubuntu20vanilla",
"configSum": "ab73af41699f13fdd81903b5f23d8d00",
"name": "cappc",
"dateAdd": "2022-08-06T04:10:20Z",
"version": "Wazuh v4.3.6",
"node_name": "node01",
"ip": "172.25.158.10",
"id": "003",
"lastKeepAlive": "2022-08-06T05:43:33Z",
"group": [
"default"
],
"mergedSum": "4a8724b20dee0124ff9656783c490c4e",
"registerIP": "any"
}
For the purpose of the test bed, only 1 agent: 003 (Windows 10 Pro 21H2) + 000 (WM agent id)
3) Agent OSSEC Conf for Vulnerability Detector
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<hotfixes>yes</hotfixes>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
4) WM OSSEC Conf
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
Information stored within /var/ossec/queue/db/003.db
5) sqlite> select count(1) from sys_programs;
12 (user installed programs)
6) sqlite> select count(1) from sys_hotfixes;
18 (hotfixes applied)
7) select * from vuln_metadata;
1659765791|1659759475
8) sqlite> select count(1) from vuln_cves ;
0
9) sqlite> select hostname, os_name, os_version, scan_time from sys_osinfo ;
CAPPC|Microsoft Windows 10 Enterprise|10.0.19044|2022/08/06 05:14:32
Information stored within /var/ossec/queue/vulnerabilities/cve.db
10) sqlite> select count(1) from agents;
0
11) sqlite> select count(1) from AGENT_HOTFIXES ;
0
12) sqlite> select distinct PRODUCT from MSU;
output snipped
.NET 5.0
.NET 6.0
.NET Core 3.1
ASP.NET MVC 5.2 on Microsoft Visual Studio 2013 Update 5
ASP.NET MVC 5.2 on Microsoft Visual Studio 2015 Update 3
ASP.NET Web Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5
ASP.NET Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3
Adobe Flash Player on Windows 10 Version 1511 for 32-bit Systems
Adobe Flash Player on Windows 10 Version 1511 for x64-based Systems
Adobe Flash Player on Windows 10 Version 1607 for 32-bit Systems
Adobe Flash Player on Windows 10 Version 1607 for x64-based Systems
Adobe Flash Player on Windows 10 Version 1703 for 32-bit Systems
13) sqlite> select count(distinct PRODUCT) from MSU;
907
14) sqlite> select count(1) from NVD_METADATA;
13
15) sqlite> select count(1) from nvd_cpe;
256197
16) sqlite> select count(1) from nvd_cve;
150702
Let me force WM to conduct a baseline scan of agent id 003 and capture the logs of the Vulnerability process
17) sqlite> update vuln_metadata set LAST_PARTIAL_SCAN=0, LAST_FULL_SCAN = 0;
sqlite> select * from vuln_metadata ;
0 | 0
18) restart wazuh services
19) Output of debug logs in /var/ossec/logs/ossec.json (attached 003_vulnerability_oosec.debug.log)
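As an added example (not part of the original post and not Wazuh's own code), the sqlite checks walked through above in steps 5 to 17 consolidated into one script. It runs the same queries against the agent DB (sys_programs, sys_hotfixes, sys_osinfo, vuln_metadata, vuln_cves) and cve.db (agents, AGENT_HOTFIXES), flags the combinations the post observed (inventory present but no CVE rows, empty agents table), and includes the step 17 reset. Table and column names come from the post; the schemas and row contents are constructed minimal stand-ins so the script runs offline against in-memory databases. The helper names (build_constructed_agent_db, build_constructed_cve_db, triage, reset_scan_markers) are assumptions for this example only.

```python
"""Consolidated triage of Wazuh vulnerability-detector state (added example)."""
import json
import sqlite3
from typing import Any, Dict, List, Tuple

# Constructed stand-in schemas: only the tables/columns the post queries.
AGENT_DB_SCHEMA = """
CREATE TABLE sys_programs  (name TEXT, version TEXT);
CREATE TABLE sys_hotfixes  (hotfix TEXT);
CREATE TABLE vuln_cves     (cve TEXT, name TEXT);
CREATE TABLE vuln_metadata (LAST_PARTIAL_SCAN INTEGER, LAST_FULL_SCAN INTEGER);
CREATE TABLE sys_osinfo    (hostname TEXT, os_name TEXT, os_version TEXT, scan_time TEXT);
"""
CVE_DB_SCHEMA = """
CREATE TABLE agents         (agent_id INTEGER);
CREATE TABLE AGENT_HOTFIXES (agent_id INTEGER, hotfix TEXT);
"""


def build_constructed_agent_db(programs: int = 12, hotfixes: int = 18, cves: int = 0,
                               last_partial: int = 1659765791,
                               last_full: int = 1659759475) -> sqlite3.Connection:
    """Constructed stand-in for /var/ossec/queue/db/<id>.db; defaults mirror the post's counts."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(AGENT_DB_SCHEMA)
    conn.executemany("INSERT INTO sys_programs VALUES (?, ?)",
                     [(f"prog{i}", "1.0") for i in range(programs)])
    conn.executemany("INSERT INTO sys_hotfixes VALUES (?)",
                     [(f"KB{5000000 + i}",) for i in range(hotfixes)])  # constructed KB ids
    conn.executemany("INSERT INTO vuln_cves VALUES (?, ?)",
                     [(f"CVE-0000-{i:04d}", f"prog{i}") for i in range(cves)])  # placeholders
    conn.execute("INSERT INTO vuln_metadata VALUES (?, ?)", (last_partial, last_full))
    conn.execute("INSERT INTO sys_osinfo VALUES (?, ?, ?, ?)",
                 ("CAPPC", "Microsoft Windows 10 Enterprise", "10.0.19044", "2022/08/06 05:14:32"))
    conn.commit()
    return conn


def build_constructed_cve_db(registered_agents: int = 0, agent_hotfixes: int = 0) -> sqlite3.Connection:
    """Constructed stand-in for /var/ossec/queue/vulnerabilities/cve.db (post shows both counts at 0)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(CVE_DB_SCHEMA)
    conn.executemany("INSERT INTO agents VALUES (?)", [(i + 1,) for i in range(registered_agents)])
    conn.executemany("INSERT INTO AGENT_HOTFIXES VALUES (?, ?)",
                     [(1, f"KB{5000000 + i}") for i in range(agent_hotfixes)])
    conn.commit()
    return conn


def count(conn: sqlite3.Connection, table: str) -> int:
    """count(1) over a table; `table` is always one of the fixed names above, never user input."""
    return conn.execute(f"SELECT count(1) FROM {table}").fetchone()[0]


def triage(agent_db: sqlite3.Connection, cve_db: sqlite3.Connection) -> Dict[str, Any]:
    """Run the post's queries and flag the inconsistent combinations it observed."""
    report: Dict[str, Any] = {
        "sys_programs": count(agent_db, "sys_programs"),
        "sys_hotfixes": count(agent_db, "sys_hotfixes"),
        "vuln_cves": count(agent_db, "vuln_cves"),
        "cvedb_agents": count(cve_db, "agents"),
        "cvedb_agent_hotfixes": count(cve_db, "AGENT_HOTFIXES"),
    }
    meta = agent_db.execute("SELECT LAST_PARTIAL_SCAN, LAST_FULL_SCAN FROM vuln_metadata").fetchone()
    report["last_partial_scan"] = meta["LAST_PARTIAL_SCAN"]
    report["last_full_scan"] = meta["LAST_FULL_SCAN"]
    os_row = agent_db.execute("SELECT hostname, os_name, os_version, scan_time FROM sys_osinfo").fetchone()
    report["os"] = dict(os_row)

    findings: List[str] = []
    if report["sys_programs"] + report["sys_hotfixes"] > 0 and report["vuln_cves"] == 0:
        findings.append("inventory is synced (programs/hotfixes present) but vuln_cves is empty")
    if report["cvedb_agents"] == 0:
        findings.append("cve.db agents table is empty while the agent DB holds inventory")
    if report["sys_hotfixes"] > 0 and report["cvedb_agent_hotfixes"] == 0:
        findings.append("hotfixes exist in the agent DB but cve.db AGENT_HOTFIXES is empty")
    report["findings"] = findings
    return report


def reset_scan_markers(agent_db: sqlite3.Connection) -> Tuple[int, int]:
    """Step 17 from the post: zero both timestamps so the next run is a full baseline scan."""
    agent_db.execute("UPDATE vuln_metadata SET LAST_PARTIAL_SCAN = 0, LAST_FULL_SCAN = 0")
    agent_db.commit()
    row = agent_db.execute("SELECT LAST_PARTIAL_SCAN, LAST_FULL_SCAN FROM vuln_metadata").fetchone()
    return (row["LAST_PARTIAL_SCAN"], row["LAST_FULL_SCAN"])


if __name__ == "__main__":
    agent, cve = build_constructed_agent_db(), build_constructed_cve_db()
    print(json.dumps(triage(agent, cve), indent=2))
    print("after reset:", reset_scan_markers(agent))
```

Against a real manager you would replace the two build_* calls with sqlite3.connect() on the two file paths named in the post (read-only copies are safer than the live files while wazuh-modulesd is running), and the report's findings list gives a one-glance summary of whether the gap is on the inventory side, the cve.db side, or in the scan markers.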