Wazuh Vulnerability Scanner suddenly stopped reporting results


Raphael Pepi
Jun 13, 2023, 9:54:55 PM
to Wazuh mailing list
I recently upgraded from Wazuh Server 4.3 to 4.4.

After the update, many of my agents have mysteriously stopped reporting vulnerabilities.

It's confusing and unclear what changed or why. I'm hoping someone might have some thoughts on where to begin.

Here's the ossec.conf from the server, followed by the global agent defaults conf.

#### Server Config
cat /var/ossec/etc/ossec.conf

<!--
  Wazuh - Manager - Default configuration for ubuntu 20.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>2h</interval>
    <min_full_scan_interval>3d</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>


#### Default Agent Config

cat /var/ossec/etc/shared/default/agent.conf

<agent_config>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <os>yes</os>
    <packages>yes</packages>
    <hotfixes>yes</hotfixes>
  </wodle>

</agent_config>

What's odd is that about 5 of my 17 agents are reporting vulnerabilities normally, but the other 12 just suddenly stopped.


Fabian Ruiz
Jun 13, 2023, 10:23:07 PM
to Wazuh mailing list
Hi Raphael Pepi,

Can you send me the logs of the manager and agents to check if there is an error that can tell us what is happening?

Thanks for using Wazuh,
Regards.

Raphael Pepi
Jun 14, 2023, 7:52:33 AM
to Wazuh mailing list
Here's my ossec.log data from the Wazuh server and 2 agents (one working and one not), as well as screenshots of what the results look like inside the Wazuh app.

If there's a different log that you need, let me know the name.
vulnresults-working.png
vulnresults-notworking.png
wazuh-manager-ossec.log
wazuh-agent-ossec-vulnnotworking.log
wazuh-agent-ossec-vulnworking.log

Fabian Ruiz
Jun 14, 2023, 8:49:12 AM
to Wazuh mailing list
I have checked the logs and it seems that the vulnerability detector is working fine. It is possible that it has not detected vulnerabilities for these agents because they use different operating systems:

- Ubuntu 18.04.6 LTS (Bionic Beaver)
- Ubuntu 20.04.6 LTS (Focal Fossa)

If the Wazuh server is on the internet it should have the CVEs updated; in case it does not, it should be updated manually. You can check this documentation: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html

Screenshot 2023-06-14 074546.png


Raphael Pepi
Jun 14, 2023, 9:29:02 AM
to Wazuh mailing list
After looking a bit more, I've noticed specifically that all the servers reporting 0 results are Ubuntu 18.04.6 (bionic) servers, and the ones reporting correctly are all Ubuntu 20+ (focal).

I checked ossec.conf to verify the correctness of this block:

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

And it does look correct. Beyond that I'm not sure where to look to dive deeper into what's causing no results for bionic servers, but this is at least the right direction.

Raphael Pepi
Jun 15, 2023, 3:30:06 AM
to Wazuh mailing list
Where/how can I clear the database for this (bionic)? The machine is connected to the internet and does appear to be updating automatically, but somehow results for bionic servers aren't working correctly. I would like to restore it to working automatically (as it had been until 06-03-2023) rather than manually updating it.

Fabian Ruiz
Jun 15, 2023, 7:44:59 AM
to Wazuh mailing list
Hi Raphael,

If your agents are connected to the Internet, it is not necessary to update the CVE manually.

Make sure that the Wazuh server version is updated to the version that matches the version of the agents; in this case, if I am not mistaken, it is 4.3, or if not, use the latest version, 4.4.

Raphael Pepi
Jun 16, 2023, 10:23:08 AM
to Wazuh mailing list
All machines are connected to the Internet; none are throwing any type of logging or connection errors. In fact, all seem to be regularly (hourly) polling for CVE updates. The Wazuh server is running 4.4.4, and all agents are 4.4.4.

All machines have received regular and frequent security patch apt updates.
ALL Ubuntu 20.x or later servers are reporting vulnerabilities.
NONE of the Ubuntu 18.x servers are reporting vulnerabilities anymore (as of 06/03/2022, when they last correctly reported vulnerabilities).

I'm kind of at my wits' end as to why this is occurring. As I've mentioned previously, it just suddenly stopped for no apparent reason, around the time that I updated machines to 4.4.x; however, that is not necessarily related.

I do occasionally see this in the logs on an 18.x server:
sca: INFO: Integration checksum failed for policy '/var/ossec/ruleset/sca/cis_ubuntu18-04.yml'. Resending scan results in 185 seconds.

Is there a way to fix the checksum or re-fetch the file so this failure does not occur?

Raphael Pepi
Jun 19, 2023, 7:18:49 AM
to Wazuh mailing list
This issue is still ongoing. The UI shows that scans are running, but the results it's showing for Ubuntu 18 are 0/0/0/0. I can see from searching the event log that the last date it actually reported anything was June 4th. From my end nothing changed on that day, but that is when Ubuntu 18 results stopped showing up completely. Here's an example of what my UI (event log) looks like.

At this point I'm wondering if there's any way to remove one of my agents completely and reset the Wazuh manager database, then reconnect/rescan so that the agent will start showing results again. Anything would be better than its current state of showing that it's scanning but not showing any results at all. Again, this issue is confined specifically to our Ubuntu 18 clients; all Ubuntu 20+ and other OS agents are working normally.
Screen Shot 2023-06-19 at 8.15.19 PM.png
Screen Shot 2023-06-19 at 8.01.09 PM.png
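The pattern the thread arrives at by hand over several posts (every agent of one OS codename scans on schedule yet returns zero CVEs, while every other codename is fine) is the first thing worth establishing mechanically before resetting databases or re-registering agents. The script below is an added example, not code from this thread or from the Wazuh project. It groups agents by OS codename and counts, per group, how many report zero vulnerabilities and how many have a stale last scan. The Wazuh 4.4 API endpoints it calls (`POST /security/user/authenticate`, `GET /agents`, `GET /vulnerability/{agent_id}`, `GET /vulnerability/{agent_id}/last_scan`) and the response fields it reads (`os.codename`, `total_affected_items`, `last_full_scan`, the timestamp format) are assumptions to verify against the API reference for your version; the environment variable names are mine. Without `WAZUH_URL` set it runs offline on a constructed sample that mirrors the thread's numbers (12 bionic agents with no results, 5 focal agents with results).

```python
"""Group Wazuh agents by OS codename and flag platforms that scan but report no CVEs.

Added example; API paths, field names and timestamp format are assumed from the
Wazuh 4.4 API reference and must be checked against the deployed version.
"""
import base64
import json
import os
import ssl
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone


# ---- constructed sample, shaped like the (assumed) API responses ---------------
def _agent(aid, codename, version):
    return {"id": aid, "name": f"srv-{aid}", "status": "active",
            "os": {"name": "Ubuntu", "version": version, "codename": codename}}


SAMPLE_AGENTS = ([_agent(f"{i:03d}", "bionic", "18.04.6 LTS") for i in range(1, 13)]
                 + [_agent(f"{i:03d}", "focal", "20.04.6 LTS") for i in range(13, 18)])
# total_affected_items of GET /vulnerability/{id}: none for bionic, some for focal
SAMPLE_VULN_TOTALS = {a["id"]: 0 if a["os"]["codename"] == "bionic" else 40 + int(a["id"])
                      for a in SAMPLE_AGENTS}
# last_full_scan of GET /vulnerability/{id}/last_scan: every agent scanned an hour ago
SAMPLE_LAST_SCAN = {a["id"]: "2023-06-19T06:00:00Z" for a in SAMPLE_AGENTS}
SAMPLE_NOW = datetime(2023, 6, 19, 7, 0, tzinfo=timezone.utc)


def parse_ts(ts):
    """Parse the API's ISO 8601 UTC timestamp (assumed form, e.g. 2023-06-19T06:00:00Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(agents, vuln_totals, last_scans, now, max_age=timedelta(hours=4)):
    """Per 'OS codename' group: agent count, agents with zero CVEs, agents whose last full scan
    is older than max_age (default 2x the <interval>2h</interval> in the thread's config)."""
    report = defaultdict(lambda: {"agents": 0, "zero_results": 0, "stale_scan": 0})
    for a in agents:
        osinfo = a.get("os", {})
        row = report[f'{osinfo.get("name", "?")} {osinfo.get("codename", "?")}']
        row["agents"] += 1
        if vuln_totals.get(a["id"], 0) == 0:
            row["zero_results"] += 1
        ts = last_scans.get(a["id"])
        if not ts or now - parse_ts(ts) > max_age:
            row["stale_scan"] += 1
    return dict(report)


def silent_platforms(report):
    """Groups where every agent scanned on time and still reported nothing: the problem is
    shared by the platform (feed/OS mapping on the manager), not by individual agents."""
    return sorted(k for k, r in report.items()
                  if r["zero_results"] == r["agents"] and r["stale_scan"] == 0)


# ---- live collection through the Wazuh API (assumed endpoints) -----------------
def api_login(base, user, password, ctx):
    req = urllib.request.Request(f"{base}/security/user/authenticate", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)["data"]["token"]


def api_get(base, token, path, ctx):
    req = urllib.request.Request(f"{base}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)["data"]


def collect_live(base, user, password, cafile=None):
    # The API ships a self-signed certificate: pass its CA instead of disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    token = api_login(base, user, password, ctx)
    agents = api_get(base, token, "/agents?limit=500", ctx)["affected_items"]
    totals, scans = {}, {}
    for a in agents:
        totals[a["id"]] = api_get(base, token, f'/vulnerability/{a["id"]}?limit=1', ctx)["total_affected_items"]
        items = api_get(base, token, f'/vulnerability/{a["id"]}/last_scan', ctx)["affected_items"]
        scans[a["id"]] = items[0].get("last_full_scan") if items else None
    return agents, totals, scans


if __name__ == "__main__":
    if os.environ.get("WAZUH_URL"):
        agents, totals, scans = collect_live(os.environ["WAZUH_URL"], os.environ["WAZUH_USER"],
                                             os.environ["WAZUH_PASS"], os.environ.get("WAZUH_CA"))
        now = datetime.now(timezone.utc)
    else:
        agents, totals, scans, now = SAMPLE_AGENTS, SAMPLE_VULN_TOTALS, SAMPLE_LAST_SCAN, SAMPLE_NOW
    rep = triage(agents, totals, scans, now)
    for k, r in sorted(rep.items()):
        print(f"{k:20} agents={r['agents']:3} zero_results={r['zero_results']:3} stale_scan={r['stale_scan']:3}")
    print("silent platforms:", silent_platforms(rep))
```

Run it against a manager with `WAZUH_URL=https://manager:55000 WAZUH_USER=... WAZUH_PASS=... WAZUH_CA=/path/to/api-ca.pem python3 vd_triage.py`; the `silent platforms` line is the per-codename fact to attach to a bug report, since a whole platform scanning on schedule and returning nothing separates a manager-side feed or OS-mapping problem from agents that simply are not being scanned.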

Fabian Ruiz
Jun 19, 2023, 10:30:36 PM
to Wazuh mailing list
Hi Raphael,

I would recommend you open your case as a Wazuh issue; apparently Wazuh is not working as it should in that version of Ubuntu. I leave you the links to open an issue and comment on everything you have related to this.

Regards.
