Vulnerability Detector Offline not working
243 views
Skip to first unread message
sau sau
May 29, 2023, 7:04:38 AM5/29/23
to Wazuh mailing list
Hello all,
This manager does not have any access to the internet.
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>yes</enabled>
<os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
<os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
<os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
<os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>yes</enabled>
<os path="/local_path/oval-definitions-buster.xml">buster</os>
<os path="/local_path/oval-definitions-stretch.xml">stretch</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
<os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
<os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
<os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<path>/local_path/msu-updates.json.gz</path>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
# <provider name="nvd">
# <enabled>yes</enabled>
# <path>/local_path/nvd-feed.*json$</path>
# <update_interval>1h</update_interval>
# </provider>
</vulnerability-detector>
Wazuh log show following:
023/05/29 10:26:37 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'redhat' will be updated offline.
2023/05/29 10:26:40 ossec-integratord: INFO: Remote integrations not configured. Clean exit.
2023/05/29 10:26:48 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'redhat' will be updated offline.
2023/05/29 10:27:14 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Trusty' feed finished successfully.
2023/05/29 10:27:14 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2023/05/29 10:27:30 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Xenial' feed finished successfully.
2023/05/29 10:27:30 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2023/05/29 10:27:46 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2023/05/29 10:27:46 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2023/05/29 10:27:55 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2023/05/29 10:27:55 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2023/05/29 10:27:59 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Stretch' feed finished successfully.
2023/05/29 10:27:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.
2023/05/29 10:28:05 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Buster' feed finished successfully.
2023/05/29 10:28:05 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2023/05/29 10:28:11 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully.
2023/05/29 10:28:11 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update.
2023/05/29 10:28:26 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 6' feed finished successfully.
2023/05/29 10:28:26 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/05/29 10:28:42 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2023/05/29 10:28:42 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2023/05/29 10:28:59 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 8' feed finished successfully.
2023/05/29 10:28:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
023/05/29 10:29:50 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2' after '3' attempts. Trying the next page.
2023/05/29 10:31:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/05/29 10:31:31 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2023/05/29 10:31:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2023/05/29 10:31:45 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2023/05/29 10:31:45 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/05/29 10:54:20 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page.
2023/05/29 10:59:21 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/05/29 10:59:21 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
<enabled>yes</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>yes</enabled>
<os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
<os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
<os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
<os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>yes</enabled>
<os path="/local_path/oval-definitions-buster.xml">buster</os>
<os path="/local_path/oval-definitions-stretch.xml">stretch</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
<os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
<os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
<os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<path>/local_path/msu-updates.json.gz</path>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
# <provider name="nvd">
# <enabled>yes</enabled>
# <path>/local_path/nvd-feed.*json$</path>
# <update_interval>1h</update_interval>
# </provider>
</vulnerability-detector>
Wazuh log show following:
023/05/29 10:26:37 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'redhat' will be updated offline.
2023/05/29 10:26:40 ossec-integratord: INFO: Remote integrations not configured. Clean exit.
2023/05/29 10:26:48 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'redhat' will be updated offline.
2023/05/29 10:27:14 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Trusty' feed finished successfully.
2023/05/29 10:27:14 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2023/05/29 10:27:30 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Xenial' feed finished successfully.
2023/05/29 10:27:30 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2023/05/29 10:27:46 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Bionic' feed finished successfully.
2023/05/29 10:27:46 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2023/05/29 10:27:55 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Ubuntu Focal' feed finished successfully.
2023/05/29 10:27:55 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2023/05/29 10:27:59 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Stretch' feed finished successfully.
2023/05/29 10:27:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.
2023/05/29 10:28:05 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Buster' feed finished successfully.
2023/05/29 10:28:05 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2023/05/29 10:28:11 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 5' feed finished successfully.
2023/05/29 10:28:11 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update.
2023/05/29 10:28:26 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 6' feed finished successfully.
2023/05/29 10:28:26 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/05/29 10:28:42 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2023/05/29 10:28:42 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2023/05/29 10:28:59 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 8' feed finished successfully.
2023/05/29 10:28:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
023/05/29 10:29:50 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2' after '3' attempts. Trying the next page.
2023/05/29 10:31:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/05/29 10:31:31 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2023/05/29 10:31:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2023/05/29 10:31:45 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2023/05/29 10:31:45 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/05/29 10:54:20 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page.
2023/05/29 10:59:21 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/05/29 10:59:21 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
VD dashboard is never populated after this.
Marcel Kemp
May 29, 2023, 8:08:48 AM5/29/23
to Wazuh mailing list
Hi sau sau,
There seem to be two issues with the configuration:
- The first issue is that in the case of Red Hat feed, as it says in the documentation, you need to specify the path of the OVAL file as well as the JSON feed. So, you need to download the JSON feed (using the following script) and add the path where it is downloaded to the configuration:
- Secondly, it seems that you have not inserted the NVD feeds correctly in the DB, so I recommend you to check that the path inserted in the configuration is correct and that it contains all the NVD feeds. Also, I recommend that you use the next block in the configuration to make sure that it matches the name of your feeds:
- Script: https://github.com/wazuh/wazuh/blob/4.4/tools/vulnerability-detector/nvd-generator.sh
- Configuration: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html#national-vulnerability-database
- <path>/local_path/nvd-feed/nvd-feed[[:digit:]]\{4\}\.json\.gz$</path>
- The feeds should look like this: /local_path/nvd-feed/nvd-feed2020.json.gz, /local_path/nvd-feed/nvd-feed2021.json.gz, /local_path/nvd-feed/nvd-feed2022.json.gz...
I hope this helps.
sau sau
May 30, 2023, 12:58:27 AM5/30/23
to Wazuh mailing list
I am getting the same error even if i disable NVD feeds.
2023/05/30 04:39:10 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
Also I added JSON feed along wih OVAL file for Red Hat, after which it stopped throwing WARNING like : WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page. However, I am not seeing any log messages indicating the completion of vulnerability scan.
I only see vulnerability scan start log messages:
2023/05/30 04:39:10 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
On the front end, I don't see any vulnerability scan result for ubuntu, debain, or red hat.
2023/05/30 04:39:10 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
Also I added JSON feed along wih OVAL file for Red Hat, after which it stopped throwing WARNING like : WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page. However, I am not seeing any log messages indicating the completion of vulnerability scan.
I only see vulnerability scan start log messages:
2023/05/30 04:39:10 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
On the front end, I don't see any vulnerability scan result for ubuntu, debain, or red hat.
Marcel Kemp
May 30, 2023, 6:37:48 AM5/30/23
to Wazuh mailing list
It is normal that it still does not work, as Vulnerability Detector does not work if you do not have the NVD feeds, as they are mandatory due to the fact that they are used in all OSes to check for vulnerabilities, as you can see in the documentation:
So, first of all you need to download the NVD feeds, and then modify the configuration indicating the path where they are downloaded so that it can parse them and insert the feed information into the database.
- Compatibility matrix: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#compatibility-matrix
So, first of all you need to download the NVD feeds, and then modify the configuration indicating the path where they are downloaded so that it can parse them and insert the feed information into the database.
Once completed, it will start scanning the agents.
Reply all
Reply to author
Forward
0 new messages