Vulnerability scanner not doing full scans following upgrade


Bryan

Aug 22, 2022, 7:00:00 AM
to Wazuh mailing list
Hi all

I'm hoping someone can help. We recently upgraded to Wazuh 4.3.6 and since then the vulnerability scanner has stopped working as it did. It does an initial full scan and keeps doing partial scans. Before the upgrade it would then do another full scan every 6 hours but it has stopped doing this bit. We haven't had a full scan on any of the agents since 12th August.

Our Wazuh installation is on a single Ubuntu server and it is scanning mostly Windows Server (2008, 2012, 2016 and 2019) servers and a few other Ubuntu boxes. All of the agents have been upgraded to 4.3.6, too.

Can anyone help me troubleshoot this issue? I feel like I've been going round in circles looking at logs, restarting the Wazuh-Manager server, etc.

Thanks!

Bryan

Ian Yenien Serrano

Aug 22, 2022, 7:58:56 AM
to Wazuh mailing list
Hi Bryan,

Thanks for using Wazuh.

While I do some research, can you tell me if you followed any guide for the upgrade?

If so what guide did you use?

I look forward to your answer

Bryan

Aug 22, 2022, 9:23:26 AM
to Wazuh mailing list
Hi Ian


I then upgraded the agents using the Remote Upgrading guide here: https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/upgrading-agent.html

Thanks again
Bryan

Ian Yenien Serrano

Aug 23, 2022, 3:48:45 AM
to Wazuh mailing list
Thanks for the information. I will investigate what may be happening.

I notice you are using Kibana; if so, I would recommend that you migrate to Wazuh server, Wazuh indexer, Wazuh dashboard and Wazuh agents.

Bryan

Aug 23, 2022, 4:25:38 AM
to Wazuh mailing list
I saw mention of Wazuh Server, Index and Dashboard but I think I missed the bit about migrating over to them. I'll look into it right away!

Kind regards
Bryan

Ian Yenien Serrano

Aug 23, 2022, 4:45:10 AM
to Bryan, Wazuh mailing list


--
Ian Yenien Serrano
Frontend developer
Wazuh, The Open Source Security Platform

Bryan

Aug 23, 2022, 8:50:27 AM
to Wazuh mailing list
Thank you, Ian. I have now migrated over to Wazuh-Server/Indexer/Dashboard and Agents.

We'll see if this helps.

Bryan

Aug 30, 2022, 11:54:07 AM
to Wazuh mailing list
Hello Ian

No change in behaviour. I notice that in the <vulnerability-detector> section of ossec.conf, things have changed from having an <ignore_time> option (v4.2 and before) to a <min_full_scan_interval> option in v4.3. I wonder if the functionality has been subtly altered?

ignore_time

Time during which vulnerabilities that have already been alerted will be ignored. When this time hasn't passed yet, only partial scans will be performed.

From https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/vuln-detector.html#min-full-scan-interval:
min_full_scan_interval

The time during which a full scan will not be performed even if the database of vulnerabilities is updated. When this time expires, a full scan will be performed only if the CVEs database has changed.

This seems to indicate that previously, if we had <ignore_time> set to 6h then a full scan would be done every 6 hours (indeed, that seems to be what was happening). Now, we have <min_full_scan_interval> set to 6 hours but, by the reading of the above, a full scan will only be done when the CVEs database changes. I don't know how often the CVEs database changes, so I guess it's now less predictable how often these full scans happen?

For us, this was all about getting a dashboard working which showed how many vulnerabilities there were across our server estate over the past 6 hours, chosen as that was how often full scans were done. It also highlighted which servers had the most Critical vulnerabilities during that time. Now it's less predictable how often the full scans are being done so I probably need to just rethink how the dashboard is created.

Many thanks for your help
Bryan

Ian Yenien Serrano

Sep 5, 2022, 3:29:47 AM
to Wazuh mailing list
Hi, sorry for the delay

If I understand correctly, do you want to scan for vulnerabilities every 6 hours? If so, you can use the retry_interval setting in the ossec.conf.

Александр Камалиев

Nov 9, 2022, 6:49:29 AM
to Wazuh mailing list
Hi everyone,

I think I have the same issue; maybe someone has an answer.

I want to open an issue on GitHub but first decided to write here. Here is my situation:

I think there is a bug with the vulnerability scan module. I read the documentation and tried to change the configuration but it didn't want to work. The issue is that the full scan works once when an agent is installed and then it never updates; the partial scan works like it says in the documentation, but the full scan does not. Here is what I did:
- change vulnerability-detector interval, min_full_scan_interval
- change syscollector interval
- analyze the log for errors: /var/ossec/logs/ossec.log
- try to use debug mode. Here's an interesting thing: when you look at ossec.log with debug=2 set up, I see that the partial scan works successfully, as does syscollector, but there are no messages about a full scan although <min_full_scan_interval>5m is set up.

Also, one interesting thing is that the partial scan "took '0' seconds to 'scan' vulnerabilities" on each agent, every scan.

Wazuh version v4.3.9
Test environment: Oracle VM VirtualBox with 1 Ubuntu VM and 1 main machine with Windows 10

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>5m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>5m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

On Monday, September 5, 2022 at 13:29:47 UTC+6, ian.s...@wazuh.com wrote:

Ian Yenien Serrano

Nov 10, 2022, 3:32:49 AM
to Wazuh mailing list
Hi Alexandr, thank you for using Wazuh,

I understand that you are not seeing vulnerabilities, it may be because you need to activate the vulnerabilities of the operating system of the agents.

A little further down in the configuration you shared, the operating systems are displayed.

I share with you the link to the documentation so that you can see the configuration.

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/running-vu-scan.html

Александр Камалиев

Nov 10, 2022, 5:12:47 AM
to Wazuh mailing list
Hi Ian,
Thank you for answering. I think my explanation was unclear.
I didn't say that I don't see vulnerabilities; I see them, but the problem is that the full vulnerability scan doesn't work properly, while the partial scan works properly. The full scan works once when installing a new agent, and then it does not work.

For some reason I can't attach a screenshot to show you what I mean.

Yesterday a full scan was done for one agent and I don't understand why and how it happened. In the logs I saw just one new message: "wazuh-modulesd:vulnerability-detector[106694] wm_vuln_detector.c:2561 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5438): A full scan will be run on agent '001'".

Here is my config

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>5m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>30m</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>6h</interval>

    <min_full_scan_interval>5m</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>



On Thursday, November 10, 2022 at 14:32:49 UTC+6, ian.s...@wazuh.com wrote:

Ian Yenien Serrano

Nov 10, 2022, 7:17:13 AM
to Wazuh mailing list
Ah sorry, I had misunderstood. What I understand now is that you have doubts about how the full scan works. According to the documentation, for the full scan to run, 2 conditions must be met:
1. The time set in the min_full_scan_interval configuration has to pass (by default it is 6 hours).
2. The CVEs database must change.

That's why maybe only the scan of 1 agent was executed at that moment, because it will have met the 2 conditions.
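An added example (not from the thread and not Wazuh's own code) that verifies condition 1 from the log: it parses the "A full scan will be run on agent" debug line Alexandr quoted out of ossec.log and reports, per agent, the spacing between consecutive full scans against a <min_full_scan_interval> value. It assumes the usual "YYYY/MM/DD HH:MM:SS" ossec.log timestamp prefix and Wazuh's s/m/h/d interval suffixes; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# ossec.conf interval syntax: integer plus optional unit s/m/h/d (bare number = seconds),
# e.g. the "5m" and "6h" values in the configs posted above.
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_interval(text):
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", text)
    if not m:
        raise ValueError(f"bad interval: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT[m.group(2) or "s"])

# The debug line quoted in the thread, behind the assumed "YYYY/MM/DD HH:MM:SS" ossec.log
# timestamp prefix (the line only appears with debug logging enabled on the manager).
_FULL_SCAN = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*vulnerability-detector.*"
    r"A full scan will be run on agent '(\d+)'"
)

def full_scan_gaps(log_lines, min_full_scan_interval):
    """Map agent id -> [(gap, gap >= min_full_scan_interval)] between consecutive full scans."""
    floor = parse_interval(min_full_scan_interval)
    last, gaps = {}, {}
    for line in log_lines:
        m = _FULL_SCAN.match(line)
        if not m:
            continue  # partial-scan, syscollector and other lines are ignored
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        agent = m.group(2)
        if agent in last:
            gap = ts - last[agent]
            gaps.setdefault(agent, []).append((gap, gap >= floor))
        last[agent] = ts
    return gaps

def agents_below_floor(gaps):
    """Agents that had two full scans closer together than the configured floor allows."""
    return sorted(a for a, g in gaps.items() if any(not ok for _, ok in g))

# Constructed sample log, not real ossec.log output.
_MSG = ("wazuh-modulesd:vulnerability-detector[106694] wm_vuln_detector.c:2561 at "
        "wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5438): A full scan will be run on agent")
SAMPLE_LOG = [
    f"2022/11/09 08:00:01 {_MSG} '001'",
    "2022/11/09 08:05:02 wazuh-modulesd:vulnerability-detector[106694] DEBUG: (constructed) partial scan on agent '001'",
    f"2022/11/09 14:00:03 {_MSG} '001'",
    f"2022/11/09 14:00:04 {_MSG} '002'",
    f"2022/11/09 14:03:05 {_MSG} '001'",
]
```

On the sample, `full_scan_gaps(SAMPLE_LOG, "5m")` reports a 6-hour gap and then a 3-minute gap for agent 001, so `agents_below_floor` returns `['001']`; against a real manager, pass the lines of /var/ossec/logs/ossec.log and your configured <min_full_scan_interval>.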

Александр Камалиев

Nov 10, 2022, 11:23:49 PM
to Wazuh mailing list
This sounds more realistic, because yesterday a full scan was done for both agents. I think it is possible you need to propose changing the documentation to make this point easy to understand.

After some shenanigans today, now I see how it works: inventory checks that a package was updated or removed, the partial scan checks that the vulnerability is solved, and then the information on the vulnerability dashboard is updated.
Full scan works exactly as you said.

Thank you for your answers!
On Thursday, November 10, 2022 at 18:17:13 UTC+6, ian.s...@wazuh.com wrote:

Ian Yenien Serrano

Nov 11, 2022, 10:07:59 AM
to Wazuh mailing list

Hello, I understand that you think a change in the documentation is necessary. If you want, you can create a new issue or directly make a contribution to this repository.

Great that you now have it clear