How to compile full report of vulnerabilities for all hosts / agents?


Antti Backman

Apr 24, 2023, 1:50:21 AM
to Wazuh mailing list
Hi Wazuh Team

I've been trying to figure out what would be the most effective way of compiling a report of all Active Vulnerabilities from all Agents / hosts in Wazuh.

The Vulnerability view on the Wazuh Dashboard is good on a per-host basis, but as it only reports active vulnerabilities on the selected Agent, the complete view of the managed Agents is quite wearisome to come up with.

I am sure this is my deficiency using OpenSearch, therefore I am requesting expert help on this.

I have compliance requirements to report on a regular basis (weekly) the full picture of Active vulnerabilities with certain criteria based on the CVSS3.0 score system. Therefore I cannot fully rely on the vulnerability categories built into Wazuh (Critical, High, Medium, Low, Untriaged). Basically I need to be able to report on Active Critical vulnerabilities as per CVSS3.0 Base Score Critical.

Any advice on how I could solve this demand?

Br, Antti

elw...@wazuh.com

Apr 24, 2023, 3:22:46 AM
to Wazuh mailing list
Hello Antti,

To collect all vulnerabilities across the Wazuh agents, applying any filters needed, you can use the Wazuh API: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.vulnerability_controller.get_vulnerability_agent and https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.get_agents.

You can find in this thread https://groups.google.com/g/wazuh/c/KHAoZQ3BNb0/m/UAnDogpHBQAJ an example of a script using the API endpoints addressing the same requirement.

I hope this helps.

Regards,
Wali
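
The filtering step of the approach described above, as an added example that is not part of the original thread and is not Wazuh's or the linked script's code: it merges per-agent vulnerability records and selects findings by CVSS v3.0 base score band rather than by the built-in severity label, setting unscored records aside for manual triage. The record field names (`cve`, `name`, `cvss3_score`, `severity`) are assumptions about the API output, and the sample data and CVE ids are constructed placeholders.

```python
# CVSS v3.0 qualitative severity rating scale (lower bound of each band).
CVSS3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def cvss3_rating(score):
    """Map a CVSS v3.0 base score to its rating; None if there is no usable score."""
    try:
        score = float(score)
    except (TypeError, ValueError):
        return None
    if not 0.0 < score <= 10.0:      # 0 or out of range is treated as "not scored"
        return None
    return next((label for floor, label in CVSS3_BANDS if score >= floor), None)

def build_report(per_agent, wanted="Critical"):
    """Return (rows, unscored): rows match `wanted` by score; unscored need triage."""
    rows, unscored, seen = [], [], set()
    for agent, items in per_agent.items():
        for item in items:
            key = (agent, item.get("cve"), item.get("name"))
            if key in seen:          # same finding returned twice, e.g. paging overlap
                continue
            seen.add(key)
            rating = cvss3_rating(item.get("cvss3_score"))
            if rating is None:
                unscored.append(key)  # never drop silently: report for manual review
            elif rating == wanted:
                rows.append((*key, float(item["cvss3_score"])))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))   # highest score first
    return rows, unscored

# Constructed sample: agent name -> records shaped like a per-agent vulnerability
# listing. Field names are assumed; the CVE ids are placeholders, not real ids.
SAMPLE = {
    "web01": [
        {"cve": "CVE-0000-0001", "name": "openssl", "cvss3_score": 9.8, "severity": "Critical"},
        {"cve": "CVE-0000-0002", "name": "bash", "cvss3_score": 7.8, "severity": "High"},
        {"cve": "CVE-0000-0001", "name": "openssl", "cvss3_score": 9.8, "severity": "Critical"},
    ],
    "db01": [
        {"cve": "CVE-0000-0003", "name": "glibc", "cvss3_score": 0, "severity": "Critical"},
        {"cve": "CVE-0000-0004", "name": "sudo", "cvss3_score": "9.0", "severity": "High"},
    ],
}

if __name__ == "__main__":
    rows, unscored = build_report(SAMPLE)
    for agent, cve, package, score in rows:
        print(f"{agent},{cve},{package},{score}")
    print("needs manual triage:", unscored)
```

In the sample, the `sudo` record carries a High label but a 9.0 base score and is reported, while the `glibc` record labelled Critical has no score and lands in the triage list.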

moosemaimer

Apr 24, 2023, 3:06:54 PM
to Wazuh mailing list
I have been experimenting with adding a graphical display to the tool: at the moment, it returns the distribution of severities, hits per agent by severity, and top results for CVE and package name, as graphs.
Running the vuln_dash.py script from a terminal requires the requests and urllib3 Python libraries; vuln_gui.py also requires the matplotlib library.
The server address and login must be added to the vuln_lib.py file, in the Configuration section.
vuln.zip

Antti Backman

Apr 25, 2023, 1:53:17 AM
to Wazuh mailing list
Hi

Thank you both for the quick responses.

Yes, I am aware that through the API we can do the magic, but that isn't what I would like to do. In our case we have high security operations where I really cannot easily deploy additional software / scripts to meet the objective.

I certainly, on a personal level, will look at the tool 'moosemaimer' so kindly shared here.

From Wazuh, I would like to see a Dashboard feature to support an overall Vulnerability view.

BR, Antti

elw...@wazuh.com

Apr 26, 2023, 2:03:56 AM
to Wazuh mailing list
Hello Antti,

You're welcome and thank you for your suggestion. We hope to offer that possibility in future releases.

Regards,
Wali

Emrah Uludag

May 17, 2023, 6:29:30 AM
to Wazuh mailing list
Hello Moosemaimer,

I can't run it in the Wazuh server CLI. When I run vuln_dash.py it shows an error. Can you help me?


[wazuh2 wazuh]# /usr/bin/python3.6 vuln_dash.py
Traceback (most recent call last):
  File "vuln_dash.py", line 21, in <module>
    from vuln_lib import api_calls, ProcessInfo
  File "/home/admin/wazuh/vuln_lib.py", line 56, in <module>
    def api_calls(filters: str, group: str) -> tuple[list, list, dict]:
TypeError: 'type' object is not subscriptable

On Monday, April 24, 2023 at 22:06:54 UTC+3, moosemaimer wrote: