cannot enable vulnerability-detector


Todd

Oct 6, 2021, 1:30:14 PM10/6/21
to Wazuh mailing list

Hello,

I am unable to enable vulnerability detection on my all-in-one install on AlmaLinux release 8.4. I am currently monitoring 4 Alma 8.4 client hosts. Can you please advise if I'm missing anything, or any idea as to why? Thank you!

App version: 4.2.2 

App revision: 4203-1 

Install date: Oct 1, 2021 @ 18:08:34.525 

Attempted to remove the cve.db and restarted wazuh-manager, still no vulnerabilities showing up.


/var/ossec/logs/ossec.log

2021/10/06 10:16:40 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2021/10/06 10:16:40 wazuh-modulesd:vulnerability-detector: INFO: (5435): The analysis can not be launched because there are no target agents.
2021/10/06 10:16:40 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.


This is my ossec.conf:

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>bionic</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>



Luis Contreras

Oct 6, 2021, 4:22:38 PM10/6/21
to Wazuh mailing list
Hi Todd,

You will need to add your custom OS Alma Linux following these instructions: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/allow_os.html

In order to help you in a better way in the community, you could post your future questions in our slack channel https://wazuh.com/community/join-us-on-slack/

Todd

Oct 6, 2021, 6:11:14 PM10/6/21
to Wazuh mailing list
Hi Luis, 
Thank you for the link to the doc. When adding Alma Linux, I am seeing the following in ossec.log: "The analysis can not be launched because there are no target agents."
Is Alma Linux supported for vulnerability detection, or am I missing something in my config?

Here are the steps I've taken to add Alma Linux:

{
   "data": {
      "affected_items": [
         {
            "os": {
               "major": "8",
               "name": "AlmaLinux"
            },
            "id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}


/var/ossec/etc/ossec.conf

<provider name="redhat">
      <enabled>yes</enabled>
      <os allow="AlmaLinux-8">8</os>
      <update_interval>1h</update_interval>
      <update_from_year>2010</update_from_year>
    </provider>



/var/ossec/logs/ossec.log

[root@wazuh AMS1-SRV ~]# systemctl restart wazuh-manager && tail -f /var/ossec/logs/ossec.log
2021/10/06 15:01:42 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2021/10/06 15:01:42 wazuh-modulesd:syscollector: INFO: Module started.
2021/10/06 15:01:42 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/10/06 15:01:42 sca: INFO: Skipping policy '/var/ossec/ruleset/sca/cis_centos8_linux.yml': 'Check Centos 8 family platform'
2021/10/06 15:01:42 sca: INFO: Security Configuration Assessment scan finished. Duration: 0 seconds.
2021/10/06 15:01:42 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/10/06 15:01:43 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2021/10/06 15:01:43 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2021/10/06 15:01:44 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully.
2021/10/06 15:01:44 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update.
2021/10/06 15:01:46 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 6' feed finished successfully.
2021/10/06 15:01:46 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2021/10/06 15:01:48 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2021/10/06 15:01:48 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2021/10/06 15:01:49 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 8' feed finished successfully.
2021/10/06 15:01:49 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2021/10/06 15:01:54 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2021/10/06 15:01:54 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2021/10/06 15:01:54 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2021/10/06 15:01:54 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2021/10/06 15:01:54 wazuh-modulesd:vulnerability-detector: INFO: (5435): The analysis can not be launched because there are no target agents.
2021/10/06 15:01:54 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.


Thank you!

Luis Contreras

Oct 7, 2021, 10:20:46 AM10/7/21
to Wazuh mailing list
Hi Todd,

At your wazuh server in your ossec.conf, you should have something similar to this:

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>1m</interval>

    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os allow="AlmaLinux-8">8</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

I have pointed in bold some configurations that you should check.

Please let me know how it goes.
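An added example (not from this thread or from Wazuh's own code) showing why message 5435 appears: it parses a <vulnerability-detector> block, collects the OS labels the enabled providers will scan, including anything in an <os allow="Name-Major"> attribute, and checks agents in the API output shape posted above against them. The native name table and the constructed agent list are assumptions made for the example; Wazuh's real matching is internal to the manager.

```python
import json
import xml.etree.ElementTree as ET

# Constructed subset of the native "Name-Major" labels each <os> entry covers
# (an assumption for this example; Wazuh's real mapping is internal).
NATIVE = {
    ("redhat", "7"): {"Red Hat Enterprise Linux-7", "CentOS Linux-7"},
    ("redhat", "8"): {"Red Hat Enterprise Linux-8", "CentOS Linux-8"},
}

def allowed_labels(vd_xml):
    """Collect every Name-Major label an enabled provider will scan: native
    entries plus anything listed in an <os allow="..."> attribute."""
    labels = set()
    for prov in ET.fromstring(vd_xml).iter("provider"):
        if (prov.findtext("enabled") or "").strip() != "yes":
            continue  # a disabled provider contributes no targets
        for os_el in prov.findall("os"):
            labels |= NATIVE.get((prov.get("name"), (os_el.text or "").strip()), set())
            labels |= {s.strip() for s in (os_el.get("allow") or "").split(",") if s.strip()}
    return labels

def target_agents(agents_json, labels):
    """Ids of agents whose syscollector OS name and major version are covered;
    an empty list is the situation behind message 5435 in the thread."""
    agents = json.loads(agents_json)["data"]["affected_items"]
    return sorted(a["id"] for a in agents
                  if f'{a["os"]["name"]}-{a["os"]["major"]}' in labels)

# Constructed sample in the shape of the agents API output posted above.
AGENTS = json.dumps({"data": {"affected_items": [
    {"id": "001", "os": {"name": "AlmaLinux", "major": "8"}},
    {"id": "002", "os": {"name": "CentOS Linux", "major": "7"}},
]}})

# Redhat provider without and with the allow attribute from this thread.
BEFORE = """<vulnerability-detector><provider name="redhat"><enabled>yes</enabled>
<os>7</os><os>8</os></provider></vulnerability-detector>"""
AFTER = """<vulnerability-detector><provider name="redhat"><enabled>yes</enabled>
<os>7</os><os allow="AlmaLinux-8">8</os></provider></vulnerability-detector>"""

if __name__ == "__main__":
    print("before:", target_agents(AGENTS, allowed_labels(BEFORE)))  # ['002']
    print("after: ", target_agents(AGENTS, allowed_labels(AFTER)))   # ['001', '002']
```

The CentOS agent is a target either way; the AlmaLinux agent only becomes one once "AlmaLinux-8" is listed, which is the change that fixed Todd's setup.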

Todd Riffel

Oct 7, 2021, 12:06:12 PM10/7/21
to Wazuh mailing list
Hi Luis,
Looks like adding the os allow within redhat vulnerabilities did the trick! Thank you very much for the great help!

 <os allow="AlmaLinux-8">8</os> 

-Todd