Forced vulnerability baseline scan


Nepolean

Jul 1, 2023, 2:42:25 PM
to Wazuh mailing list
Dear team,

Is there a way I can forcefully run the baseline scan for the vulnerability detector in Wazuh? I have vulnerability scan enabled and I already got the alerts when the baseline scan did its job for the first time. The thing is, I need these alerts to be generated again. How can I do that?

Thanks
Nepolean 

Miguel Angel Cazajous

Jul 1, 2023, 3:33:31 PM
to Wazuh mailing list
Hello Nepolean,

Yes, you can force a baseline scan only by changing the attribute last_full_scan in the vuln_metadata table from the agent database (/var/ossec/queue/db/<agent_id>.db)

- Stop your manager
- Execute sqlite3 /var/ossec/queue/db/<agent_id>.db 'update vuln_metadata set last_full_scan = 0'
- Start your manager again

The module will run a baseline scan after checking that the field is 0, since it represents an epoch value. Let us know if that worked. Regards!

Nepolean

Jul 1, 2023, 3:38:58 PM
to Wazuh mailing list

Thanks Miguel. Can I do it for all the agents in one go?

Miguel Angel Cazajous

Jul 1, 2023, 4:10:54 PM
to Wazuh mailing list
Yes, with some bash script, it wouldn't be hard to do it.

I'm thinking maybe with the help of this API request, you can get your agents https://documentation.wazuh.com/current/user-manual/agents/listing/listing.html and parse the ID which is the name for the databases.

With agent_control -l and some greps you could achieve the same, but a JSON response would be easier to parse.

Once you have the IDs you can pass those arguments to a bash function that executes that query.

# Usage: force_bs <agent_id>  (run with the manager stopped; the agent ID is the DB file name)
force_bs() {
    sqlite3 "/var/ossec/queue/db/$1.db" 'update vuln_metadata set last_full_scan = 0'
}

To parse the JSON response, jq is a great tool: https://www.baeldung.com/linux/jq-command-json.

Nepolean

Jul 3, 2023, 8:14:09 AM
to Wazuh mailing list
Thanks Miguel, I tried the command you have given to force the vulnerability baseline scan. But it is not triggering any scan, as I am not getting any alerts. In the command we are changing the value for last full scan, right? We need to run the baseline scan. Is that a problem?

Thanks
Nepolean

Miguel Angel Cazajous

Jul 3, 2023, 10:19:51 AM
to Wazuh mailing list
Hi Nepolean,

You're right: to report the vulnerabilities again you should clean the inventory; otherwise, it won't report the already reported vulnerabilities.

So the only additional step is: sqlite3 /var/ossec/queue/db/000.db 'delete from vuln_cves'

Change the agent ID to the correct one.

First scan run

[screenshot: 2023-07-03_11-18.png]

After this trick

[screenshot: 2023-07-03_11-18_1.png]
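Putting the two posts above together (the per-agent loop over IDs parsed from the agent-list API response, and the extra `delete from vuln_cves` step needed so the alerts fire again), here is an added example script that is not from the thread or from Wazuh. It assumes the agent-list JSON has the Wazuh API shape `data.affected_items[].id`, that agent databases live at `/var/ossec/queue/db/<agent_id>.db` with a `vuln_metadata.last_full_scan` column and a `vuln_cves` table, and that the manager is stopped before it runs. The demo databases it builds are a constructed stand-in with only the columns the thread references, so it runs offline; point `force_all` at the real directory to use it for real.

```python
import json
import os
import sqlite3
import tempfile

# Constructed sample: a trimmed GET /agents response in the shape of the Wazuh API
# (assumption: data.affected_items[].id holds the zero-padded agent ID).
SAMPLE_AGENTS_JSON = """
{"data": {"affected_items": [{"id": "000", "name": "manager", "status": "active"},
                             {"id": "001", "name": "web01", "status": "active"},
                             {"id": "002", "name": "db01", "status": "disconnected"}],
          "total_affected_items": 3}, "message": "ok", "error": 0}
"""

DEFAULT_DB_DIR = "/var/ossec/queue/db"  # path from the thread


def agent_ids_from_api_json(text):
    """Return the agent IDs from an agent-list response; the ID is the DB file stem."""
    doc = json.loads(text)
    return [item["id"] for item in doc["data"]["affected_items"]]


def force_baseline(db_path, clear_inventory=True):
    """Apply the two statements from the thread to one agent DB.

    Returns (rows_reset, cves_deleted). Run only with the manager stopped,
    as the thread's steps require.
    """
    con = sqlite3.connect(db_path)
    try:
        with con:  # one transaction: both statements land or neither does
            rows_reset = con.execute(
                "update vuln_metadata set last_full_scan = 0").rowcount
            cves_deleted = 0
            if clear_inventory:
                # count first: rowcount for an unconditional DELETE is not reliable
                cves_deleted = con.execute(
                    "select count(*) from vuln_cves").fetchone()[0]
                con.execute("delete from vuln_cves")
    finally:
        con.close()
    return rows_reset, cves_deleted


def force_all(agent_ids, db_dir=DEFAULT_DB_DIR, clear_inventory=True):
    """Run force_baseline for every agent; an ID with no DB file maps to None."""
    results = {}
    for agent_id in agent_ids:
        path = os.path.join(db_dir, f"{agent_id}.db")
        if not os.path.isfile(path):
            results[agent_id] = None
            continue
        results[agent_id] = force_baseline(path, clear_inventory)
    return results


def make_demo_db(path, n_cves, last_full_scan=1688218945):
    """Constructed stand-in agent DB: only the columns the thread uses, fake CVE ids."""
    con = sqlite3.connect(path)
    with con:
        con.execute("create table vuln_metadata (last_full_scan integer)")
        con.execute("insert into vuln_metadata values (?)", (last_full_scan,))
        con.execute("create table vuln_cves (cve text, package text)")
        con.executemany("insert into vuln_cves values (?, ?)",
                        [(f"CVE-0000-{i:04d}", "pkg") for i in range(n_cves)])
    con.close()


def read_state(path):
    """Return (last_full_scan, number of rows left in vuln_cves) for one DB."""
    con = sqlite3.connect(path)
    scan = con.execute("select last_full_scan from vuln_metadata").fetchone()[0]
    cves = con.execute("select count(*) from vuln_cves").fetchone()[0]
    con.close()
    return scan, cves


def run_demo():
    """Build demo DBs for agents 000 and 001 (002 is missing on purpose), force all."""
    with tempfile.TemporaryDirectory() as db_dir:
        make_demo_db(os.path.join(db_dir, "000.db"), n_cves=152)
        make_demo_db(os.path.join(db_dir, "001.db"), n_cves=3)
        ids = agent_ids_from_api_json(SAMPLE_AGENTS_JSON)
        results = force_all(ids, db_dir)
        after = {i: read_state(os.path.join(db_dir, f"{i}.db"))
                 for i in ("000", "001")}
    return ids, results, after


if __name__ == "__main__":
    print(run_demo())
```

Against a real manager the flow is the one from the thread: stop the manager, call `force_all(agent_ids_from_api_json(response_text))` with the saved API response, start the manager again. Agents listed by the API but without a database file are reported as `None` rather than failing the whole run.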

Nepolean

Jul 5, 2023, 7:39:04 AM
to Wazuh mailing list
Thanks Miguel. That worked.
I did not understand the 2 screenshots, though.

Thanks
Jayakrishnan

Miguel Angel Cazajous

Jul 5, 2023, 1:42:45 PM
to Wazuh mailing list
Hi Nepolean,

Glad to know it worked! The screenshots were just to show that after that trick the 152 alerts from the first scan triggered again. Have a good day!