Vulnerability Full Scan Results Full Exposure Question


Ethan Thompson

Jul 4, 2023, 7:32:12 PM
to Wazuh mailing list
Hello, Team

Below is the vulnerability list information of "Test-Agent".
It has about 1,300 vulnerabilities.
The "Full scan" time is July 4th.

image.png


I was expecting 1,300 hits on the "Discover Menu page" on the day of the "full scan".
However, only 13 vulnerability entries are exposed, as shown below.

image.png

I sometimes want to include all Agents, not just Test-Agents, and query specific vulnerabilities through the discover channel.

Why are only 13 being shown?
I would like to ask if there is a way to search all 1,300 vulnerabilities, such as by adjusting the agent.conf configuration file or initializing the vulnerability DB.

Sebastian Dario Bustos

Jul 4, 2023, 9:04:13 PM
to Wazuh mailing list
Hi Ethan,
Thank you for using Wazuh!!!
The results you see in the last picture are the vulnerabilities that have changed since the DB was populated with an initial scan; the changes in this case were that 12 of the existing vulnerabilities were solved and 1 new vulnerability was detected.
This behaviour is expected since version 4.3, to prevent all the alerts from being shown every time a scan runs, which in big environments could be a problem. The way of seeing all the alerts is only by agent, and you can check them out on the vulnerability module dashboard in the Wazuh app; from there you can see all the events in the Events tab and generate a report if you need.
Another way of pulling alerts (also by agent) is through API calls, which can be included in a script to pull all the active agents, for example, and use that list to run the get vulnerabilities API endpoint.
Here is the reference for the vulnerability API endpoint (change the version in the top right corner to match yours if needed):
Here are the instructions on how to use the API endpoints from the command line, for example; there are also some script samples:

As an alternative, to generate all the vulnerabilities you may delete the agents' databases to force the full scan to run again. For this you will need to stop the wazuh-manager service and delete all the <id>.db files (for example 002.db) which correspond to agents, then restart the service (you need to execute this on all the manager nodes where the agents connect).

To stop and restart the manager service you can use the command: 
systemctl stop wazuh-manager
or 
systemctl start wazuh-manager
(respectively)

Let me know if this helps.
Regards.
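One way to script the approach described above (list the active agents, then call the vulnerability endpoint for each of them), as an added example that is not part of this thread or of Wazuh's own tooling. It assumes the Wazuh 4.x API endpoints POST /security/user/authenticate, GET /agents and GET /vulnerability/{agent_id} as they existed at the time of the thread, reachable at a base URL such as https://manager:55000; sample_fetch is a constructed stand-in for the API so the script runs offline.

```python
import base64
import json
import urllib.request

def http_json(url, headers=None, method="GET"):
    req = urllib.request.Request(url, headers=headers or {}, method=method)
    with urllib.request.urlopen(req) as resp:  # the API's TLS certificate must be trusted
        return json.loads(resp.read().decode())

def get_token(base_url, user, password, fetch=http_json):
    # POST /security/user/authenticate with basic auth; the response carries a JWT
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = fetch(f"{base_url}/security/user/authenticate",
                 headers={"Authorization": f"Basic {creds}"}, method="POST")
    return body["data"]["token"]

def active_agent_ids(base_url, token, fetch=http_json):
    """GET /agents?status=active, keeping only the ids (first 500 agents)."""
    body = fetch(f"{base_url}/agents?status=active&select=id&limit=500",
                 headers={"Authorization": f"Bearer {token}"})
    return [a["id"] for a in body["data"]["affected_items"]]

def agent_vulnerabilities(base_url, token, agent_id, fetch=http_json):
    """Page through GET /vulnerability/{agent_id} until every item is collected."""
    items, offset, limit = [], 0, 500
    while True:
        body = fetch(f"{base_url}/vulnerability/{agent_id}?offset={offset}&limit={limit}",
                     headers={"Authorization": f"Bearer {token}"})
        items.extend(body["data"]["affected_items"])
        offset += limit
        if offset >= body["data"]["total_affected_items"]:
            return items

def inventory(base_url, user, password, fetch=http_json):
    """Map each active agent id to the sorted, de-duplicated list of its CVE ids."""
    token = get_token(base_url, user, password, fetch)
    return {aid: sorted({v["cve"] for v in agent_vulnerabilities(base_url, token, aid, fetch)})
            for aid in active_agent_ids(base_url, token, fetch)}

def sample_fetch(url, headers=None, method="GET"):
    """Constructed stand-in for the API (not real data) so the script runs offline."""
    if url.endswith("/security/user/authenticate"):
        return {"data": {"token": "sample-jwt"}}
    if "/agents?" in url:
        return {"data": {"affected_items": [{"id": "001"}, {"id": "002"}]}}
    if "/vulnerability/001?offset=0&" in url:  # first page holds 500 of 501 items
        return {"data": {"affected_items": [{"cve": "CVE-2022-4285"}] * 500, "total_affected_items": 501}}
    if "/vulnerability/001?" in url:  # second page holds the remaining item
        return {"data": {"affected_items": [{"cve": "CVE-2021-3618"}], "total_affected_items": 501}}
    return {"data": {"affected_items": [], "total_affected_items": 0}}
```

Running inventory("https://manager:55000", "wazuh", "secret", sample_fetch) walks both pages for agent 001 and returns a per-agent CVE list; replace sample_fetch with the default transport to query a real manager.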

Ethan Thompson

Jul 4, 2023, 11:51:11 PM
to Wazuh mailing list
Hi Sebastian,

Thank you for your answer.

1)
I confirmed that CVE information is retrieved through the API.
But it seems that additional development is required to make use of it.

{
   "data": {
      "cve": {
         "CVE-2022-4285": 6,
         "CVE-2021-3618": 5,
         "CVE-2022-1725": 5,
         "CVE-2022-1771": 5,
         "CVE-2022-1886": 5,
         "CVE-2022-2000": 5,
         "CVE-2022-2042": 5,
         "CVE-2022-2182": 5,
         "CVE-2022-2208": 5,
         "CVE-2022-2210": 5,
         "CVE-2022-2231": 5,
         "CVE-2022-2257": 5,
         "CVE-2022-2264": 5,
         "CVE-2022-2284": 5,
         "CVE-2022-2285": 5,
         "CVE-2022-2286": 5,
         "CVE-2022-2...............


2)
I restarted after deleting all the .db files in the /var/ossec/queue/db path.
I confirmed that all vulnerability information is displayed on the Discover page.
But it seems to be acceptable that the agent's group policy is initialized.

It would be nice if a function for integrated lookup of specific CVEs were added to the Wazuh manager console.

Best Regards.


On Wednesday, July 5, 2023 at 10:04:13 AM UTC+9, Sebastian Dario Bustos wrote: