Wazuh - Vulnerability detection module not working


David Porupka
Nov 25, 2024, 5:00:11 AM
to Wazuh | Mailing List

Hello,

I need your help with configuring the Vulnerability Detection module on Wazuh.

A couple of weeks ago I installed Wazuh (central components), currently version 4.9.2, on a Linux server running AlmaLinux 8.9 (Midnight Oncilla). Then I installed the Wazuh agent on my laptop running Windows 11. So I have a running Wazuh with 1 agent connected to it.

I am trying to get the Vulnerability Detection module up and running on Wazuh.

I am following the Wazuh documentation here: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html

1. I've set up the Vulnerability Detection settings in the Wazuh server configuration file at /var/ossec/etc/ossec.conf:

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>

 

2. Then I made the changes on my WIN11 laptop (where my Wazuh agent is installed) according to the instructions. The configuration file is located at C:\Program Files (x86)\ossec-agent\ossec.conf.

I have set it up like this:

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>


3. In the last step, you must save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool.

So I've run the following:

# echo 'admin1' | /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin1
# echo 'password1' | /var/ossec/bin/wazuh-keystore -f indexer -k password -v password1

4. Finally, I restarted the Wazuh manager:

sudo systemctl restart wazuh-manager


5. I logged into the Wazuh Dashboard web UI, then clicked on the Vulnerability Detection module.

6. I landed on the Dashboard tab: nothing is displayed…

7. I clicked on the Inventory tab: still no records displayed…

8. And finally I clicked on the Events tab: also no results…

So it looks like the Vulnerability Detection module is not working. Am I doing something wrong? Should I configure it differently?

Could you please help me?


Thanks,

David Porupka

Santiago David Vendramini
Nov 25, 2024, 5:21:38 AM
to Wazuh | Mailing List
Hi! I hope you are doing well! 

I'm reviewing this and will get back to you ASAP! In the meantime, it would be helpful if you could share the manager and agent ossec.log files to check if everything is working fine.

David Porupka
Nov 25, 2024, 6:22:46 AM
to Wazuh | Mailing List
Attached.

On Monday, November 25, 2024 at 11:21:38 UTC+1, Santiago David Vendramini wrote:
manager_ossec.log
agent_ossec.log

Santiago David Vendramini
Nov 25, 2024, 8:14:08 AM
to Wazuh | Mailing List

Could you tell me the manager version? Additionally, I would like to know if you can run this command to check the status of the indexer cluster: curl -XGET -k -u user:pass "https://127.0.0.1:9200/_cluster/health"


David Porupka
Nov 26, 2024, 3:30:59 AM
to Wazuh | Mailing List
My Wazuh manager version: v4.9.2

When I run this command:

curl -XGET -k -u user:pass "https://127.0.0.1:9200/_cluster/health"

I get no response. 

When I run command in verbose mode: curl -v -XGET -k -u user:pass "https://127.0.0.1:9200/_cluster/health", I get this response:

Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; L=California; O=Wazuh; OU=Wazuh; CN=wazuh-indexer
*  start date: Sep 18 08:15:31 2024 GMT
*  expire date: Sep 16 08:15:31 2034 GMT
*  issuer: OU=Wazuh; O=Wazuh; L=California
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'user'
> GET /_cluster/health HTTP/1.1
> Host: 127.0.0.1:9200
> Authorization: Basic dXNlcjpwYXNz
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="OpenSearch Security"
< content-type: text/plain; charset=UTF-8
< content-length: 0
<
* Connection #0 to host 127.0.0.1 left intact

When I replace user:pass with the username admin1 and password password1 (which I saved into the keystore previously), I get the same response:

 HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="OpenSearch Security"
< content-type: text/plain; charset=UTF-8
< content-length: 0
<
* Connection #0 to host 127.0.0.1 left intact


On Monday, November 25, 2024 at 14:14:08 UTC+1, Santiago David Vendramini wrote:

Santiago David Vendramini
Nov 26, 2024, 10:53:29 AM
to Wazuh | Mailing List
Hi, thank you for your patience.

The username and password must be the ones used to connect to the indexer. They are not new credentials but the ones previously used during the indexer configuration. Which method did you use for the deployment? If you haven't changed them during the installation process, they will be the default credentials. And the Wazuh indexer password is not the same as the API password. You can check this documentation to learn about the usernames and passwords: https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html# 

To configure the Wazuh Manager's indexer connector, you must add valid Wazuh Indexer credentials to the keystore as indicated below:

# echo 'validIndexerUser' | /var/ossec/bin/wazuh-keystore -f indexer -k username -v validIndexerUser

# echo 'validIndexerPass' | /var/ossec/bin/wazuh-keystore -f indexer -k password -v validIndexerPass

Let me know if you have any problems doing this! Best Regards!
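A pre-flight check that follows the diagnosis above, added here as an example (it is not from the thread and not Wazuh's own tooling): it verifies the indexer credentials and cluster health with curl before anything is written into the manager keystore, validating TLS against the same CA file the manager's <indexer><ssl> block points at instead of using -k. The INDEXER_URL, CA_FILE, INDEXER_USER and INDEXER_PASS variables and their defaults are assumptions; in a Docker deployment INDEXER_URL would be https://wazuh.indexer:9200.

```shell
#!/bin/sh
# Example pre-flight check (added here, not Wazuh's own tooling) for the indexer
# connector credentials before storing them with wazuh-keystore.
# Assumed inputs: INDEXER_URL (https://127.0.0.1:9200 by default; use
# https://wazuh.indexer:9200 inside the Docker deployment), CA_FILE (the same
# <ca> path as in the manager's <indexer><ssl> block), INDEXER_USER/INDEXER_PASS.
INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"
CA_FILE="${CA_FILE:-/etc/filebeat/certs/root-ca.pem}"

# Pull the "status" field out of a _cluster/health JSON body without jq.
# Prints green, yellow, red, or unknown if the field is missing.
cluster_status() {
    printf '%s' "$1" | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p' | grep . || echo unknown
}

# Translate the HTTP code curl reports into the failure seen in practice.
diagnose_http() {
    case "$1" in
        200) echo ok ;;
        401) echo bad-credentials ;;   # keystore user/pass are not indexer credentials
        000) echo no-connection ;;     # wrong host/port, indexer down, or TLS failure
        *)   echo "unexpected-$1" ;;
    esac
}

# Live check: succeeds only when the credentials authenticate, TLS verifies
# against CA_FILE, and the cluster is not red. Nothing is written to the keystore.
check_indexer() {
    body=$(mktemp) || return 1
    code=$(curl -s -o "$body" -w '%{http_code}' --cacert "$CA_FILE" \
              -u "$1:$2" "$INDEXER_URL/_cluster/health") || code=000
    verdict=$(diagnose_http "$code")
    status=$(cluster_status "$(cat "$body")")
    rm -f "$body"
    echo "indexer=$INDEXER_URL http=$code verdict=$verdict cluster=$status"
    [ "$verdict" = ok ] && [ "$status" != red ] && [ "$status" != unknown ]
}

# Run the live check only when credentials were supplied, so the file can also
# be sourced for its functions without touching the network.
if [ -n "$INDEXER_USER" ] && [ -n "$INDEXER_PASS" ]; then
    check_indexer "$INDEXER_USER" "$INDEXER_PASS" || exit 1
    echo "credentials valid; safe to store them with wazuh-keystore"
fi
```

A 401 here is the same symptom the thread shows for admin1/password1, and a 000 with the default URL is what a Docker deployment produces until the host is changed to wazuh.indexer.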

David Porupka
Nov 27, 2024, 3:15:57 AM
to Wazuh | Mailing List

I used the Quickstart installation method.

So I used the admin user credentials to run the following command: curl -v -XGET -k -u admin:password "https://127.0.0.1:9200/_cluster/health"

The response is now status 200 OK:

* Server auth using Basic with user 'admin'

> GET /_cluster/health HTTP/1.1
> Host: 127.0.0.1:9200
> Authorization: Basic YWRtaW46alFHK3REV2JxbFQ2RXcuTTZVRVVmZzB2cHhOMHIrMTU=
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 452

<
* Connection #0 to host 127.0.0.1 left intact
{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":157,"active_shards":157,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}


Further, you wrote: To configure the Wazuh Manager's indexer connector, you must add valid Wazuh Indexer credentials to the keystore as indicated below:

# echo 'validIndexerUser' | /var/ossec/bin/wazuh-keystore -f indexer -k username -v validIndexerUser

# echo 'validIndexerPass' | /var/ossec/bin/wazuh-keystore -f indexer -k password -v validIndexerPass


So should I run these two commands to add valid Wazuh Indexer credentials to the keystore?

# echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin

# echo 'admin_password' | /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin_password



On Tuesday, November 26, 2024 at 16:53:29 UTC+1, Santiago David Vendramini wrote:

Santiago David Vendramini
Nov 27, 2024, 7:21:18 AM
to Wazuh | Mailing List
Hi! 

Exactly, try adding the valid credentials you mentioned to the keystore and then restart the manager. After that, let's check the manager's ossec.log to see if it connected successfully!

David Porupka
Nov 28, 2024, 3:52:07 AM
to Wazuh | Mailing List
Hi,

I've added valid credentials to the keystore, restarted the Wazuh manager and voilà! The Vulnerability Detection module has started working!

Thank you for your assistance Santiago, much appreciated.

David

On Wednesday, November 27, 2024 at 13:21:18 UTC+1, Santiago David Vendramini wrote:

Santiago David Vendramini
Nov 28, 2024, 6:48:32 AM
to Wazuh | Mailing List

It's great to know it worked for you! Best regards.

DG
Dec 2, 2024, 8:05:45 PM
to Wazuh | Mailing List
Hi team,

I am having a similar issue, but I am using a single-node Docker instance, v4.9.2. Since I am using Docker, some of the instructions are a little unclear. I found where the certs are located inside the single-node_wazuh.manager_1 Docker image and changed the configuration accordingly.

I am trying to figure out if I need to do the following now: 

# echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin

# echo 'admin_password' | /var/ossec/bin/wazuh-keystore -f indexer -k password -v admin_password

If so, should I be doing this within the wazuh.manager Docker image?

Thanks

Red Team
Dec 3, 2024, 4:23:06 PM
to Wazuh | Mailing List
Looks like I was able to figure out the resolution for docker installs. Have to use the hostname wazuh.indexer:9200. Then it works. However, I am noticing the dashboard is working and populating with data, but the counts of vulns will increase then decrease with every refresh. 
