Vulnerability module - re scan


German DiCasas

Jul 31, 2025, 4:10:45 PM
to Wazuh | Mailing List
Hi Team,

I have wazuh 4.10.1 all in same server. How can I force the agent packages to be rescanned to see if they're vulnerable or not?

I mean, I performed an update on a Linux system that had several packages to update, but the Wazuh Manager still shows me the old information (related to the vulnerability section).

In previous versions, just restarting wazuh-manager was enough. Is this still the case?

Regards,

Emiliano Salvatori

Aug 1, 2025, 12:39:07 PM
to Wazuh | Mailing List

Hello. After analyzing your question, I can provide the following information.

I understand your concern about updating vulnerability information in Wazuh after updating packages on your agents. Version 4.10.1 has introduced significant improvements in vulnerability management, and the way this information is updated may be different from previous versions. Below, we'll explore possible problem areas and best practices to resolve your situation.

  1. Exploring Common Problem Areas

Wazuh's vulnerability scanning depends on several components working in sync. If the information is not updating, the problem may lie in one of the following areas:

  • Agent Data Collection: The agent must accurately collect the list of installed packages and their versions and send it to the manager. If the agent's local scan fails or if the information is not transmitted correctly, the manager will not have the correct data to analyze.

  • Vulnerability Module Configuration: The vulnerability-detector module on the Wazuh manager is responsible for cross-referencing the agents' package lists with vulnerability databases (NVD, OVAL, etc.). It's crucial that this module is enabled and correctly configured for your agents' operating systems.

  • Database Synchronization: The Wazuh manager needs to download and keep vulnerability databases up to date. If the download of these databases fails or they are outdated, the manager won't be able to perform an accurate assessment.

  • Alert Processing and Storage: Once a vulnerability is detected, the manager generates an alert that is processed by the analysis engine and finally stored in the backend (OpenSearch/Elasticsearch). If there's a problem in this flow, the information might not display correctly in the Wazuh user interface.

  2. Technical Examples and Useful Commands

To investigate the issue, I suggest you check the following points:

  • Verify the vulnerability-detector Module Configuration:

    Make sure the module is enabled in the manager's ossec.conf file (/var/ossec/etc/ossec.conf). It should have a section similar to this:

    XML
    <ossec_config>
      <vulnerability-detector>
        <enabled>yes</enabled>
        <interval>5h</interval>
        <run_on_start>yes</run_on_start>
        <provider name="canonical">
          <enabled>yes</enabled>
          <os>ubuntu</os>
          <os>debian</os>
        </provider>
      </vulnerability-detector>
    </ossec_config>

    Verify that the provider (provider) and operating system (os) are configured for your agents.

  • Check the Manager's Logs:

    Review the manager's logs for errors related to vulnerability-detector or communication with the agents.

    Bash
    grep 'vulnerability-detector' /var/ossec/logs/ossec.log

    Look for messages indicating failures in database downloads or information processing.

  • Force a Manual Rescan:

    While restarting the manager was often enough in previous versions, in more recent versions like 4.10.1, the process is more granular. The Wazuh manager automatically detects changes in the agents' software inventory. However, to force a rescan, you can restart the agent individually.

    On the Linux agent:

    Bash
    sudo systemctl restart wazuh-agent

    This will force the agent to send the updated package list to the manager on its next check-in.

  • Verify Agent Inventory Information:

    You can verify the information the manager has for your agent via the API. For example, if the agent_id is 001:

    Bash
    curl -u <username>:<password> -k -X GET "https://localhost:55000/agents/001/syscollector/packages"

    This will allow you to confirm whether the manager has received the updated package list.

  3. Useful Resources for Further Investigation

  4. Best Practices and Warnings

  • Configuration Consistency: Ensure that the vulnerability-detector module configuration on the Wazuh manager matches the operating systems of your agents. An error in this configuration can lead to vulnerabilities not being detected.

  • Performance Considerations: If you have a large number of agents, forcing constant restarts or a very high scanning frequency can impact the manager's performance. Adjust the scanning interval (interval) according to your needs and your infrastructure's capacity.

  • Versions and Compatibility: Always ensure that the manager and agents are compatible. Although your version 4.10.1 is recent, it's important to consider the release notes.

  • User Interface Usage: Sometimes, the problem may simply be a matter of browser cache. Try reloading the page or clearing your browser's cache to ensure you're seeing the most recent information.

In summary, while restarting the manager might have been a solution in previous versions, the modular architecture of recent Wazuh versions requires a more detailed approach. We recommend you follow the diagnostic steps mentioned to identify the root cause of the problem. If the situation persists after following these steps, we suggest you review the manager and agent logs in more detail to identify any specific errors.
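The inventory check at the end of the answer above, as an added example that is not part of the thread: it compares the package list the manager holds (the JSON returned by the curl call in the answer) with what is currently installed on the agent, so you can tell whether the manager ever received the post-update inventory before looking for stale vulnerability results. The `fetch_inventory` helper, its `cafile` argument, and the sample API JSON and dpkg-query output are assumptions constructed for this example.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample of the JSON the answer's curl call returns, trimmed to the
# fields used here; it is not real manager output.
SAMPLE_API_RESPONSE = json.dumps({"data": {"affected_items": [
    {"name": "openssl", "version": "3.0.2-0ubuntu1.15", "scan": {"time": "2025-07-30T09:12:01Z"}},
    {"name": "curl", "version": "7.81.0-1ubuntu1.18", "scan": {"time": "2025-07-30T09:12:01Z"}},
    {"name": "libxml2", "version": "2.9.13+dfsg-1ubuntu0.4", "scan": {"time": "2025-07-30T09:12:01Z"}},
], "total_affected_items": 3}})

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` run on the
# agent after the update: openssl and curl were upgraded, libxml2 was not.
SAMPLE_DPKG_OUTPUT = "openssl 3.0.2-0ubuntu1.18\ncurl 7.81.0-1ubuntu1.20\nlibxml2 2.9.13+dfsg-1ubuntu0.4\n"


def fetch_inventory(host, user, password, agent_id, cafile):
    """Live variant (hypothetical helper): obtain a JWT from the Wazuh API, then pull
    the agent's package list. Verifies the API certificate against `cafile` rather than
    disabling checks as `curl -k` does; inventories above the API page size need paging."""
    ctx = ssl.create_default_context(cafile=cafile)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}:55000/security/user/authenticate",
                                 method="POST", headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        token = json.load(r)["data"]["token"]
    req = urllib.request.Request(f"https://{host}:55000/agents/{agent_id}/syscollector/packages",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        return r.read().decode()


def parse_manager_inventory(api_json):
    """Package name -> version as the manager currently holds it."""
    return {p["name"]: p["version"] for p in json.loads(api_json)["data"]["affected_items"]}


def parse_dpkg_output(text):
    """Package name -> version as installed on the agent right now."""
    return dict(line.split(" ", 1) for line in text.splitlines() if line.strip())


def stale_packages(manager, agent):
    """Packages whose installed version differs from the manager's copy; a non-empty
    result means the manager has not yet received the post-update inventory, so its
    vulnerability view is still computed from the old versions."""
    return {n: (manager[n], agent[n]) for n in manager if n in agent and manager[n] != agent[n]}
```

Feed `stale_packages` the output of `fetch_inventory` and of `dpkg-query` run on the agent; if it returns anything after the agent restart described above, the inventory itself has not been resent, and the logs rather than the vulnerability view are the place to look.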
