About vulnerability scanning in Wazuh


nguyencunq

May 24, 2024, 12:05:48 AM5/24/24
to Wazuh | Mailing List
Hi team,
Can anyone explain to me how the vulnerability scanning module works in Wazuh?

Recently, I followed this video: Enable vulnerability scanning wazuh (youtube.com) and tried to run this module, but I only changed this setting in the manager config:
<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
....
....
And I didn't add this to /var/ossec/etc/shared/default/agent.conf:
<wodle name="syscollector">
   <disabled>no</disabled>
   <interval>1h</interval>
   <os>yes</os>
   <packages>yes</packages>
   <hotfixes>yes</hotfixes>
</wodle>

However, this scan is still running and returns results to me :v.
The result I receive is a total of 2570 vulnerabilities on my RADIUS SERVER running Windows Server 2012.

Stuti Gupta

May 24, 2024, 4:12:21 AM5/24/24
to Wazuh | Mailing List
Hi nguyencunq,

The Wazuh server has the Vulnerability Detector module disabled by default, while the Wazuh agent has Syscollector enabled by default. That’s why it is working for you. To ensure you are scanning both packages and hotfixes, you can add the following configuration to `/var/ossec/etc/shared/default/agent.conf`:


<wodle name="syscollector">
   <disabled>no</disabled>
   <interval>1h</interval>
   <os>yes</os>
   <packages>yes</packages>
   <hotfixes>yes</hotfixes>
</wodle>

By default, this configuration scans only packages, not hotfixes.

I recommend following https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html for more details on Wazuh's vulnerability detection capabilities.

Hope this helps

nguyencunq

May 24, 2024, 6:27:58 AM5/24/24
to Wazuh | Mailing List

Hi Stuti Gupta,

Thanks for your answer.

So the reason my scan has over 2000 CVEs is that it doesn't scan hotfixes, right? It may have many false positives.

And what CVE database is Wazuh using?

Stuti Gupta

May 27, 2024, 7:15:33 AM5/27/24
to Wazuh | Mailing List
Yes, that's correct. The reason why your scan returned over 2000 CVEs is likely because it didn't include hotfixes in the scan. Hotfixes are patches or updates provided by software vendors to address specific vulnerabilities in their products. Including hotfixes in your vulnerability scans can significantly increase the number of vulnerabilities detected.

Regarding the CVE database used by Wazuh, it utilizes the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST). The NVD is a comprehensive database of publicly known security vulnerabilities, and Wazuh regularly updates its vulnerability database using the information provided by NVD.

By enabling hotfixes in your vulnerability scans and ensuring that your Wazuh manager is regularly updated with the latest vulnerability data from NVD, you can improve the accuracy and effectiveness of your vulnerability detection process.
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

Hope this helps

nguyencunq

May 27, 2024, 10:30:05 PM5/27/24
to Wazuh | Mailing List
Hi, Stuti Gupta

How can I force a full scan to run again after adding the <wodle name="syscollector"> config?

I want to clear the old scan and run a new full scan on all of my agents.

Thanks

nguyencunq

May 27, 2024, 10:32:48 PM5/27/24
to Wazuh | Mailing List
I already restarted the agent service on my agent and it seems it did not run a full scan again.

Stuti Gupta

May 29, 2024, 6:48:35 AM5/29/24
to Wazuh | Mailing List

We have this issue, https://github.com/wazuh/wazuh/issues/9220, for manually running the vulnerability scan.
min_full_scan_interval: The time during which a full scan will not be performed even if the database of vulnerabilities is updated. When this time expires, a full scan will be performed only if the CVEs database has changed.

In the meantime, I can only suggest that you restart the Wazuh manager after enabling the <run_on_start> option in your ossec.conf file. This configuration will force a vulnerability scan on every start:

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
  ...
</vulnerability-detector>
Also, consider that the agent will collect its package and hotfixes information according to the <interval> option. You may have to restart it too or wait to see the changes. Here is the agents' configuration section:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
</wodle>

There is more information about it in the Running a vulnerability scan documentation section.

Please tell me if there is anything else.
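The thread's two settings (the manager's vulnerability-detector block and the agent's syscollector block with hotfixes) are easy to get half right. The following is an added example, not code from the thread or from the Wazuh project, that parses config text in the shapes quoted above and reports which of those settings is missing; it assumes only the XML element names shown in the thread and that ossec.conf / agent.conf may contain several top-level blocks.

```python
import xml.etree.ElementTree as ET

def parse_wazuh_config(text):
    # ossec.conf / agent.conf may hold several top-level <ossec_config> or
    # <agent_config> blocks, so wrap the text in one synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def check_vuln_config(manager_text, agent_text):
    """Return findings; an empty list means the setup matches the advice
    in the thread (detector enabled, run_on_start, hotfixes collected)."""
    findings = []
    vd = parse_wazuh_config(manager_text).find(".//vulnerability-detector")
    if vd is None or (vd.findtext("enabled") or "no").strip() != "yes":
        findings.append("manager: vulnerability-detector not enabled")
    elif (vd.findtext("run_on_start") or "no").strip() != "yes":
        findings.append("manager: run_on_start is not yes")
    sc = parse_wazuh_config(agent_text).find(".//wodle[@name='syscollector']")
    if sc is None:
        findings.append("agent: no syscollector block in shared config")
    else:
        if (sc.findtext("disabled") or "no").strip() == "yes":
            findings.append("agent: syscollector disabled")
        if (sc.findtext("hotfixes") or "no").strip() != "yes":
            findings.append("agent: hotfixes not enabled")
    return findings

# Constructed sample input modelled on the snippets quoted in the thread.
MANAGER_CONF = """<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
  </vulnerability-detector>
</ossec_config>"""

# Weak: hotfixes never requested, so Windows KB patches are not collected.
WEAK_AGENT_CONF = """<agent_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <packages>yes</packages>
  </wodle>
</agent_config>"""

# Fixed: the block recommended in the thread, wrapped in <agent_config>.
FIXED_AGENT_CONF = WEAK_AGENT_CONF.replace(
    "<packages>yes</packages>", "<packages>yes</packages>\n    <hotfixes>yes</hotfixes>")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_AGENT_CONF), ("fixed", FIXED_AGENT_CONF)):
        print(label, check_vuln_config(MANAGER_CONF, conf) or ["ok"])
```

Run it against the real files by reading /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/default/agent.conf into the two arguments; an agent that never received a hotfixes setting shows up as the "weak" case.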
