offline updates


bosbill88

Feb 28, 2022, 12:28:47 PM
to Wazuh mailing list
Hello All, I am new to Wazuh and would like to know how I can update the vulnerabilities in offline mode. This doc provided by Wazuh was maybe missing something?

Please advise and thanks again.

Miguel Angel Cazajous

Feb 28, 2022, 3:30:55 PM
to Wazuh mailing list
Hi Wong,

- What Wazuh version are you using?
- What OS do you want to scan with vulnerability detector?
- Is there any step that is not easy to understand? Your comments are really appreciated, so we can improve our documentation.
- Do you have some logs to look for errors? You could enable more verbosity for modulesd with "wazuh_modules.debug=2" (without quotes) in your /var/ossec/etc/local_internal_options.conf file.

Take into account that in addition to the OVAL files you also need to configure offline updates for the NVD.

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html#national-vulnerability-database

I'm looking forward to your comments. Regards!

bosbill88

Mar 2, 2022, 11:09:58 AM
to Wazuh mailing list
Hello Miguel, thanks for getting back to me. I ended up downloading https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml.bz2 and extracting the XML file. Then I moved this XML to another location and edited the /var/ossec/etc/ossec.conf file (vi) to point to this update. Can you please confirm if this is how you update the vulnerabilities? To be honest, I don't even know what I am updating. Are these updates for CIS Benchmarks (SDR) for OpenSCAP? Can you please let me know, and thanks.

Miguel Angel Cazajous

Mar 2, 2022, 5:17:25 PM
to Wazuh mailing list
Hi Wong,

I will go step by step, as clearly as possible, through setting up Ubuntu Focal with offline feeds for Wazuh 4.2.5. I confirm that what you did is one of the required steps to set up offline updates, but as far as I can see you're missing the NVD configuration, as I commented before.

- First I suggest downloading the OVAL information from this link https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2, since the previous link seems to be outdated. We are aware of this issue and we will implement the changes in the code and the documentation.


- Uncompress the bz2 file previously downloaded under a folder (in my case I used /home/<user>/offline_updates/OVAL).
- Use the script provided in the documentation https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html#national-vulnerability-database (nvd-generator.sh). I use the path /home/<user>/offline_updates/NVD.
- You will end up with multiple .gz files.
[attachment 3.png]
They must be extracted. You could execute this simple loop in the folder where the .gz files are stored to do the work: for i in *gz; do gzip -d "$i"; done
- You should see something like this.
[attachment 4.png]
- Then configure Ubuntu Focal and NVD as follows.
[attachment 5.png]
[attachment 6.png]
- Restart your manager and wait until the information is indexed.
- It is possible to check that the configuration succeeds by setting debug=2 for modulesd. In your /var/ossec/etc/local_internal_options.conf put this line: wazuh_modules.debug=2
[attachment 7.png]
- After that, you should be able to see some alerts about new vulnerabilities found.
[attachment 8.png]

Hope this helps. Regards!

bosbill88

Mar 3, 2022, 12:06:25 PM
to Wazuh mailing list
Thanks Miguel, so for offline mode, I would have to run the nvd-generator script with an internet connection and bring the generated final JSON files to the offline server? The rest I can do on the offline server.

Matias Pereyra

Mar 10, 2022, 4:32:11 PM
to Wazuh mailing list
Hello!

Miguel is out of the office for now.

Yes, you have to run the scripts with an internet connection. Then, when you have all the vulnerability feeds locally, you can move them to the offline server.
You have to modify the ossec.conf file to point to the folder where you've stored the feeds.

The Vulnerability Detector module will be able to work without an internet connection this way but consider that if you don't update those offline feeds regularly, you might miss important new CVEs.

Regards.
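As an added example (not code from this thread, and not Wazuh's own tooling), a small POSIX shell helper that performs the .gz extraction step from Miguel's list on the connected machine and then checks the folder for the two things Matias's reply points at: years with no NVD file, and feeds that have gone stale. It assumes the generator wrote one file per year named nvdcve-1.1-<year>.json.gz; that naming is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh: prepare and sanity-check an
# offline NVD feed folder before copying it to the air-gapped manager.
# Assumption: the generator wrote one file per year named nvdcve-1.1-<year>.json.gz.

# Decompress every .gz in folder $1 (the loop from the thread, plus an
# overwrite flag and a guard for a folder that contains no .gz files).
extract_gz_feeds() {
  for f in "$1"/*.gz; do
    [ -e "$f" ] || continue
    gzip -d -f "$f"
  done
}

# Print the years between $2 and $3 that have no non-empty
# nvdcve-1.1-<year>.json in folder $1; print nothing when none are missing.
missing_nvd_years() {
  dir=$1; y=$2; last=$3; missing=""
  while [ "$y" -le "$last" ]; do
    [ -s "$dir/nvdcve-1.1-$y.json" ] || missing="$missing $y"
    y=$((y + 1))
  done
  echo "${missing# }"
}

# Print "fresh" if any .json in folder $1 was modified within the last $2 days,
# otherwise "stale": offline feeds only cover CVEs published before they were built.
feed_freshness() {
  if [ -n "$(find "$1" -type f -name '*.json' -mtime -"$2" | head -n 1)" ]; then
    echo fresh
  else
    echo stale
  fi
}

# Typical use on the connected machine, after nvd-generator.sh has run:
#   extract_gz_feeds /home/<user>/offline_updates/NVD
#   missing_nvd_years /home/<user>/offline_updates/NVD 2010 2022
#   feed_freshness /home/<user>/offline_updates/NVD 30
```

Run the freshness check again on the offline manager as part of routine maintenance, since nothing there will refresh the feeds on its own.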
