Vulnerability Detector - Full scan


M G

Oct 19, 2023, 4:39:19 AM
to Wazuh | Mailing List
Hello,

Is it possible to run a full vulnerability scan on one agent?

Through the API, I only found the possibility of running a scan for all agents.

I tested the group setting.
<agent_config>
<!-- Shared agent configuration here -->
<vulnerability-detector>
<enabled>yes</enabled>
<min_full_scan_interval>10m</min_full_scan_interval>
</vulnerability-detector>
</agent_config>


and second test
<agent_config>
<!-- Shared agent configuration here -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>10m</interval>
<os>yes</os>
<packages>yes</packages>
<hotfixes>yes</hotfixes>
</wodle>
</agent_config>


Unfortunately it does not work.
If it is not possible to run a full scan, maybe at least a partial one?

Regards
Mateusz

Stuti Gupta

Oct 19, 2023, 5:58:28 AM
to Wazuh | Mailing List
Hi,
Hope you are doing well. Thank you for using Wazuh.

Currently, Wazuh has three different types of scans.
Baseline: The Vulnerability Detector triggers this scan type the first time you enable the module. The Vulnerability Detector performs a full scan of the operating system and every package installed. It creates a CVE inventory and generates an alert for each vulnerability.
Full scan: The Vulnerability Detector scans every installed package and operating system in this scan type. It runs only when the configured min_full_scan_interval expires and when the CVEs database contains new information. As a result, Wazuh generates alerts when there is any update/change in the vulnerability inventory.
Partial scan: The Vulnerability Detector only scans new packages. As a result, Wazuh generates alerts when there is any update/change in the CVE inventory.
Check this document to learn more:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/scan-types.html
The manager uses the same process to run the vulnerability scan for every OS. The query does not allow scanning a particular agent, but the vulnerability scanner just performs a partial scan: it only checks the packages that have changed since the previous scan, except if the vulnerability feed has changed.
If you want to run a scan for a particular agent, you can use an API endpoint and make a script with specific permissions and ownership.

Hope this helps.
Regards,
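The three scan types described above differ only in what triggers them and which packages they cover. The following is an added example, not Wazuh's own code, that models that selection logic as a small state machine: a baseline on first enable, a full scan only when both min_full_scan_interval has expired and the feed version changed, and otherwise a partial scan over packages not seen before. Package names, feed versions and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class ScanState:
    """What the detector remembers between runs (constructed model, not Wazuh internals)."""
    baseline_done: bool = False
    last_full_scan: Optional[datetime] = None
    feed_version_at_last_full: Optional[str] = None
    known_packages: Set[str] = field(default_factory=set)


def choose_scan(state: ScanState, now: datetime, feed_version: str,
                inventory: Set[str], min_full_scan_interval: timedelta) -> Tuple[str, Set[str]]:
    """Return (scan_type, packages_to_scan) following the rules from the thread."""
    # Baseline: first time the module is enabled, scan the OS and every package.
    if not state.baseline_done:
        return "baseline", set(inventory)

    interval_expired = (state.last_full_scan is None
                        or now - state.last_full_scan >= min_full_scan_interval)
    feed_changed = feed_version != state.feed_version_at_last_full

    # Full: only when the interval expired AND the CVE database has new information.
    if interval_expired and feed_changed:
        return "full", set(inventory)

    # Partial: only packages that were not present at the previous scan.
    return "partial", set(inventory) - state.known_packages


def apply_scan(state: ScanState, scan_type: str, now: datetime,
               feed_version: str, inventory: Set[str]) -> None:
    """Update the remembered state after a scan of the given type."""
    if scan_type in ("baseline", "full"):
        state.baseline_done = True
        state.last_full_scan = now
        state.feed_version_at_last_full = feed_version
    state.known_packages = set(inventory)


def simulate() -> list:
    """Walk through a constructed timeline and return the scan types chosen."""
    state = ScanState()
    interval = timedelta(minutes=10)
    t0 = datetime(2023, 10, 19, 4, 0)
    timeline = [
        # (offset, feed version, installed packages)
        (timedelta(0), "feed-1", {"openssl", "curl"}),
        (timedelta(minutes=5), "feed-1", {"openssl", "curl", "nginx"}),   # new package, feed same
        (timedelta(minutes=12), "feed-1", {"openssl", "curl", "nginx"}),  # interval expired, feed same
        (timedelta(minutes=15), "feed-2", {"openssl", "curl", "nginx"}),  # interval expired, feed new
    ]
    chosen = []
    for offset, feed, pkgs in timeline:
        now = t0 + offset
        scan_type, targets = choose_scan(state, now, feed, pkgs, interval)
        apply_scan(state, scan_type, now, feed, pkgs)
        chosen.append((scan_type, sorted(targets)))
    return chosen


if __name__ == "__main__":
    for scan_type, targets in simulate():
        print(f"{scan_type:8s} -> {targets}")
```

Running it shows the consequence the thread describes: a short min_full_scan_interval alone does not produce more full scans, because the feed must also have changed; in between, only newly installed packages are examined.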

M G

Oct 19, 2023, 6:21:52 AM
to Wazuh | Mailing List
Hi Stuti,
How are you?

Thank you for the quick reply.

Is it possible to configure a group to reduce the interval between full scans for a machine assigned to this group?

I have a problem with checking whether the update has removed vulnerabilities, because currently it takes a lot of hours, and I don't want to use up the manager by scanning all endpoints every half an hour, so I want something like this for one machine.

Alternatively, there is a way to use this script in the API, but could you give me some guidance on this?

Mateusz

Stuti Gupta

Oct 23, 2023, 1:27:11 AM
to Wazuh | Mailing List

Hi again

That feature would be really useful and it is already under development. You can see its progress in the related issues #3231 and #3687.

In the meantime, I can only suggest restarting the Wazuh manager after enabling the <run_on_start> option in your ossec.conf file. This configuration will force a vulnerability scan on every start.

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  ...
</vulnerability-detector>

Also, consider that the agent will collect its package information according to the <interval> option. You may have to restart it too or wait to see the changes. Here is the agents' configuration section:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
</wodle>

There is more information about it in the Running a vulnerability scan documentation section.

Hope this helps.
Regards.
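Mateusz's underlying need is to confirm that a package update actually removed vulnerabilities from one agent without waiting for the next full scan. The following is an added example, not code from the thread or from the Wazuh project, of the kind of script the earlier reply alludes to: it authenticates against the Wazuh 4.x API, triggers a scan, reads one agent's CVE inventory, and diffs two snapshots. The manager URL, agent ID and credentials are placeholders; the endpoints `POST /security/user/authenticate`, `PUT /vulnerability` and `GET /vulnerability/{agent_id}` are the ones exposed by the 4.x API at the time of the thread, and the response fields used (`data.affected_items`, `total_affected_items`, `name`, `version`, `cve`) are assumed from that API's documented shape. Only the snapshot and diff helpers run offline; the sample inventory they are tested with is constructed.

```python
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Set, Tuple

# Placeholders: point these at your own manager and agent.
WAZUH_API = "https://MANAGER-IP:55000"
AGENT_ID = "001"

PkgCve = Tuple[str, str]  # (package name, CVE id)


def _request(method: str, path: str, token: str = None,
             basic: Tuple[str, str] = None, verify_tls: bool = True) -> dict:
    """Minimal JSON request helper for the Wazuh API (Bearer or Basic auth)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for self-signed lab setups
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(WAZUH_API + path, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    elif basic:
        cred = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def get_token(user: str, password: str, verify_tls: bool = True) -> str:
    return _request("POST", "/security/user/authenticate",
                    basic=(user, password), verify_tls=verify_tls)["data"]["token"]


def trigger_scan(token: str, verify_tls: bool = True) -> dict:
    """Ask the manager to run the vulnerability detector (all agents; no per-agent option)."""
    return _request("PUT", "/vulnerability", token=token, verify_tls=verify_tls)


def fetch_inventory(token: str, agent_id: str, verify_tls: bool = True) -> List[dict]:
    """Page through an agent's CVE inventory, 500 entries at a time."""
    items, offset = [], 0
    while True:
        data = _request("GET", f"/vulnerability/{agent_id}?limit=500&offset={offset}",
                        token=token, verify_tls=verify_tls)["data"]
        items.extend(data["affected_items"])
        offset += len(data["affected_items"])
        if offset >= data["total_affected_items"] or not data["affected_items"]:
            return items


def snapshot(items: List[dict]) -> Set[PkgCve]:
    """Reduce raw inventory entries to a set of (package, CVE) pairs."""
    return {(it["name"], it["cve"]) for it in items}


def diff_inventories(before: Set[PkgCve], after: Set[PkgCve]) -> Dict[str, List[PkgCve]]:
    """Report which (package, CVE) pairs disappeared and which appeared."""
    return {"fixed": sorted(before - after), "new": sorted(after - before)}


# Constructed sample inventories standing in for two API responses.
SAMPLE_BEFORE = [
    {"name": "openssl", "version": "1.1.1k", "cve": "CVE-EXAMPLE-0001"},
    {"name": "openssl", "version": "1.1.1k", "cve": "CVE-EXAMPLE-0002"},
    {"name": "curl", "version": "7.68.0", "cve": "CVE-EXAMPLE-0003"},
]
SAMPLE_AFTER = [
    {"name": "openssl", "version": "1.1.1w", "cve": "CVE-EXAMPLE-0002"},
    {"name": "curl", "version": "7.68.0", "cve": "CVE-EXAMPLE-0003"},
    {"name": "nginx", "version": "1.18.0", "cve": "CVE-EXAMPLE-0004"},
]


def sample_diff() -> Dict[str, List[PkgCve]]:
    return diff_inventories(snapshot(SAMPLE_BEFORE), snapshot(SAMPLE_AFTER))


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print(json.dumps(sample_diff(), indent=2))
    # Against a live manager (placeholders above), the flow would be:
    # token = get_token("wazuh-api-user", "PASSWORD")
    # before = snapshot(fetch_inventory(token, AGENT_ID))
    # ...apply the package update on the agent, wait for syscollector's <interval>...
    # trigger_scan(token)
    # after = snapshot(fetch_inventory(token, AGENT_ID))
    # print(diff_inventories(before, after))
```

Note that the scan the `PUT /vulnerability` call starts still covers every agent, which is the limitation the thread is about; what this script buys is a clear per-agent answer to "did the update close the CVEs" once the agent's syscollector interval has elapsed and the scan has run. Pair the API user with a role restricted to the `vulnerability:run` and `vulnerability:read` actions rather than the default administrator account.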
