Cannot Get Wazuh Vulnerability Scanner to Work Properly


Jon Gomez

Nov 9, 2022, 6:30:18 PM
to Wazuh mailing list
All defaults are set in the agent and manager. I grepped the logs and it appears to be functioning as normal; only agent 003 is showing data in Wazuh. The others are empty, and I don't know why, as the agent conf files are exactly the same. I also don't know what agent 000 is, so new to Wazuh. Any help would be appreciated.

2022-11-09_16-26-07.png

Miguel Angel Cazajous

Nov 9, 2022, 6:37:51 PM
to Wazuh mailing list
Hi Jonathona,

For agents, you don't need any configuration if you are using the default one that enables the package inventory on the Syscollector module. Please share the configuration of the vulnerability detector module (that is only present in your manager, which is also agent 000) and the operating system it is running on, to see what the real issue is.

What version of Wazuh are you using, for both agent and manager?

Please take a look at this section of the documentation that explains how the module works https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/index.html. Let me know if something is not clear.

Regards!

Jon Gomez

Nov 9, 2022, 6:56:16 PM
to Wazuh mailing list
The manager is running App version: 4.3.9 and the agent Wazuh v4.3.9 from what I can see in the about and under agents. 

Jon Gomez

Nov 9, 2022, 6:57:14 PM
to Wazuh mailing list
Also, I don't know what agent 000 is; there's nothing in Wazuh giving me an identifier for that. Installed on Ubuntu 22.04.

Jon Gomez

Nov 9, 2022, 6:59:00 PM
to Wazuh mailing list
  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>2h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

On Wednesday, November 9, 2022 at 4:37:51 PM UTC-7 miguel....@wazuh.com wrote:

Miguel Angel Cazajous

Nov 9, 2022, 7:03:52 PM
to Wazuh mailing list
Agent 000, as I said before, is the manager, but it is also considered an agent. If I understood correctly, you installed the manager on an Ubuntu Jammy machine. Then enable the Ubuntu provider in your vulnerability detector config block and restart your manager so the config takes effect; the feeds from Ubuntu should then populate the CVE database to perform the scan.
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>

Let us know how it goes.

Jon Gomez

Nov 9, 2022, 7:29:26 PM
to Wazuh mailing list
Ahhh, sorry for the misunderstanding, I'll enable it. Also, any reason why only one of my Windows server machines is showing vulnerabilities? Is there something I can force?

Jon Gomez

Nov 9, 2022, 7:36:56 PM
to Wazuh mailing list
Here is the log now

2022-11-09_17-35-11.png

Jon Gomez

Nov 9, 2022, 7:44:01 PM
to Wazuh mailing list
Example agent 001, not working:
agent 001.png
Example agent 003, working:
agent 003.png

Both are Windows servers, same agent installed, same configuration in the conf file.

Miguel Angel Cazajous

Nov 10, 2022, 8:04:29 AM
to Wazuh mailing list
If one of the agents is fully patched, it is an expected outcome to not have any vulnerabilities.

Please share the following information. (All these commands must be executed on your manager.)

agent_control -i 001
agent_control -i 003
sqlite3 /var/ossec/queue/db/001.db 'select * from sys_hotfixes'
sqlite3 /var/ossec/queue/db/003.db 'select * from sys_hotfixes'

Regards!
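
The two sqlite queries above answer the question behind Miguel's first sentence: does the "empty" Windows agent have a different patch level, or has its hotfix inventory never reached the manager at all? The script below is an added example, not Wazuh code and not from this thread, that reads `sys_hotfixes` from two agent databases and separates those cases. The table layout in SCHEMA and the KB identifiers are constructed for the demonstration; only the `hotfix` column is relied on, which is an assumption about the real Wazuh agent DB.

```python
import sqlite3

# Assumed, simplified layout of the table the thread queries. The real Wazuh
# sys_hotfixes table may carry more columns; only "hotfix" is used here.
SCHEMA = (
    "CREATE TABLE sys_hotfixes ("
    "scan_id INTEGER, scan_time TEXT, hotfix TEXT, checksum TEXT)"
)


def open_agent_db(path):
    """Open an agent DB read-only; on the manager that is /var/ossec/queue/db/<id>.db."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def load_hotfixes(conn):
    """Set of installed hotfix identifiers recorded for one agent."""
    rows = conn.execute("SELECT hotfix FROM sys_hotfixes").fetchall()
    return {row[0] for row in rows if row[0]}


def compare_hotfixes(conn_a, conn_b):
    a = load_hotfixes(conn_a)
    b = load_hotfixes(conn_b)
    return {
        "a_empty": not a,
        "b_empty": not b,
        "common": len(a & b),
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
    }


def explain(result):
    """Turn the comparison into the next thing to look at."""
    if result["a_empty"] or result["b_empty"]:
        return ("one side has no hotfix inventory: check Syscollector and DB sync "
                "for that agent before blaming the scanner")
    if not result["only_in_a"] and not result["only_in_b"]:
        return ("identical hotfix sets: compare installed packages and the "
                "vulnerability-detector log instead")
    return ("patch levels differ: the agent missing hotfixes is the expected "
            "source of extra CVE matches")


def build_sample_db(hotfixes):
    """Constructed in-memory agent DB for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO sys_hotfixes VALUES (1, '2022/11/09 17:35:00', ?, '')",
        [(h,) for h in hotfixes],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Constructed data: agent 003 reports three hotfixes, agent 001 only one.
    db_003 = build_sample_db(["KB5000001", "KB5000002", "KB5000003"])
    db_001 = build_sample_db(["KB5000001"])
    result = compare_hotfixes(db_001, db_003)
    print(result)
    print(explain(result))
```

On a real manager replace the constructed databases with `open_agent_db("/var/ossec/queue/db/001.db")` and `open_agent_db("/var/ossec/queue/db/003.db")`; an empty set on one side means the agent's hotfix inventory is not arriving, which is a Syscollector or synchronization problem rather than a scanner one.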