Vulnerabilities are innate security flaws in computer systems that hostile actors can exploit to break into and breach those systems. When a vulnerability is successfully exploited, malware and bad actors can enter the system and carry out nefarious tasks such as data exfiltration and remote code execution. To prevent such exploitation, it is crucial for enterprises to implement strong preventive measures, such as security solutions that promptly discover vulnerabilities inside their network architecture.
In my preceding blog entries (part1, part2) I showed you how to set up Wazuh SIEM in a dockerized environment and how to forward logs from endpoints by installing the Wazuh agent. In this post I’ll show you how to enable the vulnerability scanning module in Wazuh.
The Wazuh dashboard is divided into several modules, as shown below. One of the coolest of them is Vulnerability scanning.
How the vulnerability module works
In the process of vulnerability detection, Wazuh agents conduct periodic scans of monitored endpoints to compile a comprehensive list of installed applications. This data is then transmitted to the Wazuh server, where it is stored within local SQLite databases. Simultaneously, the Wazuh server establishes and maintains a global vulnerability database by aggregating information from publicly accessible CVE repositories. This repository serves as a reference point for cross-referencing the collected application inventory data from the agents, facilitating a comprehensive analysis of potential security weaknesses.
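The cross-referencing step described above, as an added toy example (not Wazuh's own code): a constructed package inventory of the kind an agent reports is matched against a constructed vulnerability feed, and a package is flagged when its installed version sorts before the version that fixes the issue. Version ordering is the part that is easy to get wrong, so the example implements the Debian/Ubuntu dpkg comparison rules (epoch, upstream, revision; `~` sorts before everything). The CVE ids, package versions and the feed format are placeholders invented for the example, not data from any real advisory.

```python
"""Toy cross-reference of an agent package inventory against a vulnerability feed."""

# Constructed inventory: package name -> installed version (Debian-style strings).
INVENTORY = {
    "openssl": "1.1.1f-1ubuntu2",
    "sudo": "1.8.31-1ubuntu1.2",
    "curl": "7.68.0-1ubuntu2.18",
}

# Constructed feed: the CVE ids are placeholders, not real advisories.
FEED = [
    {"cve": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1f-1ubuntu2.16", "severity": "High"},
    {"cve": "CVE-0000-0002", "package": "sudo", "fixed_in": "1.8.31-1ubuntu1.2", "severity": "Critical"},
    {"cve": "CVE-0000-0003", "package": "bash", "fixed_in": "5.0-6ubuntu1.2", "severity": "Medium"},
]


def _order(s, i):
    """dpkg character weight: end-of-string/digit 0, '~' below everything, letters, then symbols."""
    if i >= len(s) or s[i].isdigit():
        return 0
    c = s[i]
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one version fragment (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically by length and first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 sorts before, equal to, or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def find_vulnerable(inventory, feed):
    """Flag every feed entry whose package is installed at a version older than the fix."""
    findings = []
    for entry in feed:
        installed = inventory.get(entry["package"])
        if installed is None:
            continue  # package not present on this endpoint
        if compare_versions(installed, entry["fixed_in"]) < 0:
            findings.append({"cve": entry["cve"], "package": entry["package"],
                             "installed": installed, "fixed_in": entry["fixed_in"],
                             "severity": entry["severity"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, FEED):
        print(f"{f['severity']:8} {f['cve']} {f['package']} {f['installed']} < {f['fixed_in']}")
```

With the constructed data only openssl is flagged: sudo is already at the fixed version and bash is not installed. The real detector also has to handle distribution-specific backports (a patched package keeps an old upstream number), which is exactly why the feed carries the distribution's fixed version rather than the upstream one.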
Enable vulnerability scanning
By default, vulnerability scanning is disabled in the Wazuh manager. To activate it, perform the steps below. First go to the wazuh_cluster folder (see part1 of this series for the directory layout).
cd wazuh-docker/single-node/config/wazuh_cluster/
Open the “wazuh_manager.conf” file with your preferred editor, for example:
vim wazuh_manager.conf
Find the configuration snippet below in the “wazuh_manager.conf” file:
    <vulnerability-detector>
      <enabled>no</enabled>
      <interval>5m</interval>
      <min_full_scan_interval>6h</min_full_scan_interval>
      <run_on_start>yes</run_on_start>
Enable it by changing no to yes, as shown below. You can also change other parameters such as the scan interval and run on start; for now, just enable the vulnerability engine.
    <vulnerability-detector>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <min_full_scan_interval>6h</min_full_scan_interval>
      <run_on_start>yes</run_on_start>
If you followed the previous post, you know that one of our servers runs Ubuntu Linux. By default the “Ubuntu OS vulnerabilities” provider is not enabled, as you can see in the configuration snippet below:
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
Change no to yes. Your configuration should look like this:
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
Save and exit the file. Restart the single-node_wazuh.manager_1 container using the docker command below.
docker restart single-node_wazuh.manager_1
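Hand-editing the two `<enabled>` tags is easy to get wrong (flipping the detector but not the provider, or the other way round, silently leaves the Ubuntu agent unscanned). The following added helper, which is not part of Wazuh or of the original post, parses a configuration fragment, reports the detector and per-provider state, and switches the detector plus the named providers to yes while leaving everything else untouched. The sample configuration is constructed from the tags shown above, with an extra "redhat" provider added only to show that unrelated providers are left alone; a real wazuh_manager.conf is assumed here to parse as a single XML document, which you should confirm before pointing the helper at the file on disk.

```python
"""Inspect and enable Wazuh vulnerability-detector settings in a config fragment."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the relevant part of wazuh_manager.conf.
SAMPLE_CONFIG = """<ossec_config>
  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- constructed extra provider, present only to show it is left untouched -->
    <provider name="redhat">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
"""


def _parse(config_text):
    # Keep XML comments so the rewritten file still carries the original annotations.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(config_text, parser=parser)


def _enabled(element):
    node = element.find("enabled")
    return node is not None and (node.text or "").strip().lower() == "yes"


def _set_enabled(element):
    node = element.find("enabled")
    if node is None:
        node = ET.SubElement(element, "enabled")
    node.text = "yes"


def detector_status(config_text):
    """Return {'detector': bool, 'providers': {name: bool}} for the fragment."""
    vd = _parse(config_text).find("vulnerability-detector")
    if vd is None:
        return {"detector": False, "providers": {}}
    return {
        "detector": _enabled(vd),
        "providers": {p.get("name"): _enabled(p) for p in vd.findall("provider")},
    }


def enable_scanning(config_text, providers=("canonical",)):
    """Return the fragment with the detector and the named providers switched to yes."""
    root = _parse(config_text)
    vd = root.find("vulnerability-detector")
    if vd is None:
        raise ValueError("no <vulnerability-detector> block found")
    _set_enabled(vd)
    found = set()
    for prov in vd.findall("provider"):
        if prov.get("name") in providers:
            _set_enabled(prov)
            found.add(prov.get("name"))
    missing = set(providers) - found
    if missing:
        # Refuse rather than enable the detector with no matching OS provider.
        raise ValueError(f"provider(s) not present in config: {sorted(missing)}")
    return ET.tostring(root, encoding="unicode")


def rewrite_file(path, providers=("canonical",)):
    """Apply enable_scanning() to a file on disk and return the new status."""
    with open(path, encoding="utf-8") as fh:
        updated = enable_scanning(fh.read(), providers)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return detector_status(updated)


if __name__ == "__main__":
    print("before:", detector_status(SAMPLE_CONFIG))
    print("after: ", detector_status(enable_scanning(SAMPLE_CONFIG)))
```

Run `detector_status()` on the file before the container restart: if it reports the detector enabled but the canonical provider disabled, the Ubuntu agent will still show no results after the restart.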
Check the result
Wait briefly for the first scan to complete. To assess the vulnerabilities present on your Ubuntu server, navigate to the Vulnerabilities module. If no agent is currently selected, the dashboard will prompt you to choose one, as illustrated below.
Select the Linux agent (002). You will see the vulnerabilities Wazuh detected on the Linux agent, presented as follows.
Return to the Modules dashboard and, within the Vulnerabilities section, select the Windows agent. You will see the Windows agent’s vulnerabilities displayed as shown below. Note that vulnerability scanning for Windows is enabled by default in Wazuh, which is why no provider change was needed for it.
The vulnerabilities are systematically grouped into severity levels, including Critical, High, Medium, and Low. You have the option to apply filters based on severity, enabling you to access comprehensive details about each vulnerability.
That’s a wrap for now. By following the steps above, you can activate vulnerability scanning within your Wazuh SIEM and strengthen your organization’s threat detection capabilities. In my upcoming blog post, I will cover server hardening using Wazuh’s Security Configuration Assessment (SCA) module to further improve your system’s security posture. Until then, keep exploring what Wazuh shows you, so that you can proactively address vulnerabilities and fortify your defenses.
Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments.
About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.