diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js index bcb490468f..fa4f0ef4fc 100644 --- a/source/_static/js/redirects.js +++ b/source/_static/js/redirects.js @@ -251,6 +251,7 @@ newUrls['4.4'] = [ '/user-manual/capabilities/system-calls-monitoring/use-cases/monitoring-commands-run-as-root.html', '/user-manual/capabilities/system-calls-monitoring/use-cases/privilege-abuse.html', '/user-manual/capabilities/wazuh-archives.html', + '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html', ]; /* Pages removed in 4.4 */ diff --git a/source/_templates/installations/wazuh/common/enable_wazuh_agent_service.rst b/source/_templates/installations/wazuh/common/enable_wazuh_agent_service.rst index 4e6842bbad..6621eb951d 100644 --- a/source/_templates/installations/wazuh/common/enable_wazuh_agent_service.rst +++ b/source/_templates/installations/wazuh/common/enable_wazuh_agent_service.rst @@ -35,7 +35,7 @@ .. group-tab:: No service manager - On some system, like Alpine Linux, you need to start the agent manually: + On some systems, like Alpine Linux, you need to start the agent manually: .. code-block:: console diff --git a/source/deployment-options/wazuh-from-sources/wazuh-agent/index.rst b/source/deployment-options/wazuh-from-sources/wazuh-agent/index.rst index c3b0812b4d..d6189ed2e4 100644 --- a/source/deployment-options/wazuh-from-sources/wazuh-agent/index.rst +++ b/source/deployment-options/wazuh-from-sources/wazuh-agent/index.rst 
@@ -258,7 +258,7 @@ The Wazuh agent is a single and lightweight monitoring software. It is a multi-p .. code-block:: doscon - :: signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /d "%MSI_NAME%" /td SHA256 "%MSI_NAME%" + :: signtool sign /a /tr http://timestamp.digicert.com /d "%MSI_NAME%" /fd SHA256 /td SHA256 "%MSI_NAME%" #. Specify the version and the revision number when prompted. This will also generate the Windows installer file. In the following output, the version is set as |WAZUH_CURRENT_WIN_FROM_SOURCES| and the revision is set as |WAZUH_CURRENT_WIN_FROM_SOURCES_REV|. This generates the Windows installer ``wazuh-agent-|WAZUH_CURRENT_WIN_FROM_SOURCES|-|WAZUH_CURRENT_WIN_FROM_SOURCES_REV|.msi`` diff --git a/source/development/makefile.rst b/source/development/makefile.rst index 7c03f888d8..efebe97982 100644 --- a/source/development/makefile.rst +++ b/source/development/makefile.rst @@ -249,7 +249,7 @@ Available flags +---------------------------+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+ | **CA_NAME** | Defines the name of the CA certificate. | | +------------------+----------------------------------------------------------------------------------------------------------------------------------------------+ -| | Default value | DigiCert High Assurance EV Root CA | +| | Default value | DigiCert Assured ID Root CA | | +------------------+----------------------------------------------------------------------------------------------------------------------------------------------+ | | Allowed values | Any string. | +---------------------------+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+ 
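Review bot: The signtool example on the changed line still picks the signing certificate with `/a`, which lets signtool choose whatever certificate in the store it judges best; on a build host that holds more than one code-signing certificate the MSI can end up signed with the wrong key. Consider documenting an explicit selection instead, e.g. `:: signtool sign /sha1 <CERT_THUMBPRINT> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 /d "%MSI_NAME%" "%MSI_NAME%"`, with `<CERT_THUMBPRINT>` as a placeholder the reader fills in. Adding `/fd SHA256` is the right call, since signtool otherwise falls back to a SHA-1 file digest (recent SDK versions warn about this); a short sentence in the surrounding text explaining why the flag is now present would help readers who copy older commands. The enclosing list item starts and ends outside the hunk.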
diff --git a/source/development/packaging/generate-windows-package.rst b/source/development/packaging/generate-windows-package.rst index e2d75e005d..203137787b 100644 --- a/source/development/packaging/generate-windows-package.rst +++ b/source/development/packaging/generate-windows-package.rst @@ -51,7 +51,7 @@ image with all the necessary tools to compile and obtain the Windows agent compi -s, --store [Optional] Set the directory where the package will be stored. By default the current path. -d, --debug [Optional] Build the binaries with debug symbols. By default: no. -t, --trust_verification [Optional] Build the binaries with trust load images verification. By default: 1 (only warnings). - -c, --ca_name [Optional] CA name to be used to verify the trust of the agent. By default: DigiCert High Assurance EV Root CA. + -c, --ca_name [Optional] CA name to be used to verify the trust of the agent. By default: DigiCert Assured ID Root CA. -h, --help Show this help. Below, you will find an example of how to build a compiled Windows agent. diff --git a/source/images/manual/fim/dashboard.png b/source/images/manual/fim/dashboard.png index 0f8103601a..19a470eab1 100644 Binary files a/source/images/manual/fim/dashboard.png and b/source/images/manual/fim/dashboard.png differ diff --git a/source/images/manual/fim/expand-the-alert-with-rule.id:550.png b/source/images/manual/fim/expand-the-alert-with-rule.id-550.png similarity index 100% rename from source/images/manual/fim/expand-the-alert-with-rule.id:550.png rename to source/images/manual/fim/expand-the-alert-with-rule.id-550.png diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index 202a6627f7..6a14283042 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst +++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst 
@@ -359,7 +359,7 @@ Navigate to **Modules > Integrity monitoring** on the Wazuh dashboard and find t Expand the alert with ``rule.id:550`` to view all the information. In the alert fields below, you can see the user ``wazuh`` added the word *“Hello”* to the ``audit_docu.txt`` file using the ``Notepad`` text editor. -.. thumbnail:: ../../../images/manual/fim/expand-the-alert-with-rule.id:550.png +.. thumbnail:: ../../../images/manual/fim/expand-the-alert-with-rule.id-550.png :title: Expand the alert with rule.id:550 :alt: Expand the alert with rule.id:550 :align: center diff --git a/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst b/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst index c447a3c3bb..6859cc4ee5 100644 --- a/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst +++ b/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst @@ -157,7 +157,7 @@ The Vulnerability Detector module converts the dictionary entries to the CPE for +------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ How to translate a Windows program to CPE format -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +------------------------------------------------ To include a Windows program in the CPE helper dictionary, it's necessary to know the vendor, product name, and program version present in the Wazuh software inventory. After this, it's necessary to look for the CPE that is suitable for the program to configure the dictionary entry with the appropriate values. 
@@ -380,7 +380,7 @@ In this guide, we generate dictionary entries for *Skype* and *Skype for Busines The product `Skype for Business Basic 2016 - en-us` matches both ``^Skype for Business`` and ``^Skype`` patterns. However, the Vulnerability Detector uses the first because it sorts the entries by priority from top to bottom. Products whose version does not change between updates -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +------------------------------------------------------ For some software products, generally from Microsoft, users cannot confirm vulnerabilities by consulting the National Vulnerability Database. These products do not change their visible version between updates, so the Vulnerability Detector cannot tell when the products are no longer vulnerable. @@ -563,7 +563,7 @@ The Vulnerability Detector can automate this search using the CPE Helper and the } Products with update field -^^^^^^^^^^^^^^^^^^^^^^^^^^ +-------------------------- Often, the product version isn't enough to decide if a specific CVE affects a program. In some cases, you also need to consider the `update` component of the CPE name. This section presents a use case for the CVE-2022-23277 vulnerability affecting Microsoft Exchange Server. diff --git a/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst b/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst index ead125a8dc..2b92b71e12 100644 --- a/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst +++ b/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst 
@@ -6,7 +6,7 @@ How it works ============ -To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Also, the Wazuh server builds a global vulnerability database from publicly available CVE repositories. It uses this database to cross-correlate this information with the application inventory data of the agent. The database location is ``/var/ossec/queue/vulnerabilities/cve.db``, and users can query the database using ``SQLite``: +To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Also, the Wazuh server builds a global :doc:`vulnerability database ` from publicly available CVE repositories. It uses this database to cross-correlate this information with the application inventory data of the agent: #. Start SQLite and open the vulnerability database using the following command. diff --git a/source/user-manual/capabilities/vulnerability-detection/index.rst b/source/user-manual/capabilities/vulnerability-detection/index.rst index 28eb76862a..12da215fb3 100644 --- a/source/user-manual/capabilities/vulnerability-detection/index.rst +++ b/source/user-manual/capabilities/vulnerability-detection/index.rst 
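Review bot: The rewritten paragraph still ends with a colon and the SQLite step list that follows (`#. Start SQLite and open the vulnerability database using the following command.`) stays in this file, so the same procedure is now documented both here and on the new querying page that the `:doc:` role presumably points to, while the sentence that gave the database path and named SQLite as the tool was dropped from this page. Either remove the duplicated steps here and end the paragraph with a period, or keep a single pointer such as `See :doc:`querying-the-vulnerability-database` for how to inspect the database with SQLite.` Two copies of the same procedure will drift apart over time. The remaining steps lie outside the hunk.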
@@ -6,7 +6,9 @@ Vulnerability detection ======================= -Wazuh Vulnerability Detector module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using Wazuh’s native integration with external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), SUSE Linux Enterprise, Microsoft, and the National Vulnerability Database (NVD). +Vulnerabilities are security flaws in computer systems that threat actors can exploit to gain unauthorized access to these systems. After exploitation, malware and threat actors may be able to perform remote code execution, exfiltrate data, and carry out other malicious activities. Therefore, organizations must have strategies or security solutions that promptly detect vulnerabilities in their network before bad actors exploit them. Prompt detection and remediation of vulnerabilities in a network help to strengthen its overall security posture. + +The Wazuh Vulnerability Detector module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using Wazuh native integration with external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). .. topic:: Contents @@ -19,3 +21,4 @@ Wazuh Vulnerability Detector module helps users discover vulnerabilities in the allow-os cpe-helper offline-update + querying-the-vulnerability-database diff --git a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst index a23f3fb9a0..725e18a696 100644 --- a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst +++ b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst 
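Review bot: The new second paragraph drops "SUSE Linux Enterprise" from the list of integrated vulnerability feeds, yet offline-update.rst in this same commit still carries a SUSE section stating that SUSE Linux vulnerabilities are fetched from one OVAL file per supported version, so the two pages now disagree. If SUSE support is still present, restore `Amazon Linux Advisories Security (ALAS), SUSE Linux Enterprise, Microsoft, and the National Vulnerability Database (NVD).`; if it was removed, the SUSE section in offline-update.rst should go in the same change. Separately, the replaced possessive reads awkwardly: `The module functions using Wazuh's native integration with external vulnerability feeds` keeps the grammar of the original without the curly apostrophe.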
@@ -89,7 +89,7 @@ To update the vulnerability feed from a user-defined repository, use a configura 1h -To use a local feed file, add the path attribute accompanying the os option as follows. +To use a local feed file, add the ``path`` attribute accompanying the ``os`` option as follows. .. code-block:: xml @@ -106,7 +106,7 @@ Debian Security Tracker JSON feed To perform an offline update, you must download the corresponding file. +------------+--------------------------------------------------------------------------------------------+ -| OS | File | +| OS | Files | +============+============================================================================================+ | ALL | `Debian Security Tracker JSON `_ | +------------+--------------------------------------------------------------------------------------------+ @@ -195,7 +195,7 @@ Alternatively, the feeds can be loaded from a local path. To achieve this, use t Red Hat Security Data JSON feed ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -To perform an offline update, you must make requests to Redhat's API to get the feed pages starting from a specified date. Wazuh provides a script that automates the process of downloading the feed and checking for API downtime. The script downloads all the CVE data since the year 1999 by default. We recommend you use the default starting year to maintain a more comprehensive vulnerability database. +To perform an offline update, you must make requests to Redhat's API to get the feed pages starting from a specified date. Wazuh provides an `update script `__ that automates the process of downloading the feed and checking for API downtime. The script downloads all the CVE data since the year 1999 by default. We recommend you use the default starting year to maintain a more comprehensive vulnerability database. How to use the update script ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -212,7 +212,7 @@ How to use the update script # ./rh-generator.sh /local_path/rh-feed - The script may output an error message like the following. + The script might output an error message like the following. .. code-block:: console :class: output @@ -247,7 +247,7 @@ Arch To perform an offline update of the Arch feed, download the corresponding JSON file. +------------+--------------------------------------------------------------------------------------------+ -| OS | File | +| OS | Files | +============+============================================================================================+ | Rolling | `all.json `_ | +------------+--------------------------------------------------------------------------------------------+ @@ -308,7 +308,7 @@ Alternatively, you can load the feeds from a local path with the ``path`` attrib SUSE -^^^^ +---- Currently, the SUSE Linux vulnerabilities are fetched from one OVAL file for each supported SUSE Linux version. @@ -361,7 +361,7 @@ Alternatively, they also can be loaded from a local path as follows: National Vulnerability Database ------------------------------- -To perform an offline update of the National Vulnerability Database, you must request its feed stating a starting year. Wazuh provides a `script `__ that automates the process of downloading the feed and checking for server downtime. +To perform an offline update of the National Vulnerability Database, you must request its feed stating a starting year. Wazuh provides an `update script `__ that automates the process of downloading the feed and checking for server downtime. How to use the update script ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/source/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst b/source/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst new file mode 100644 index 0000000000..2aa38335fe --- /dev/null 
+++ b/source/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst @@ -0,0 +1,127 @@ +.. Copyright (C) 2015, Wazuh, Inc. + +.. meta:: + :description: You can find the vulnerability database on the Wazuh server and query it using SQLite. Learn more about it in this section of our documentation. + +Querying the vulnerability database +=================================== + +You can find the vulnerability database at ``/var/ossec/queue/vulnerabilities/cve.db`` on the Wazuh server and query it using ``SQLite``. ``SQLite`` provides an interface that you can use to interact with SQL databases. + +Perform the following steps to query the vulnerability database using SQLite. + +#. Start ``SQLite`` and open the vulnerability database using the following command: + + .. code-block:: console + + # sqlite3 /var/ossec/queue/vulnerabilities/cve.db + +#. List the tables in the database using the following command: + + .. code-block:: sqlite3 + + sqlite> .tables + +#. Retrieve all the data in a table by running the following command: + + .. code-block:: sqlite3 + + sqlite> SELECT * from ; + +Replace ``
`` with the name of the table you are interested in. + +.. Warning:: + Don’t make changes to the database. It can lead to issues when the Vulnerability Detector module is running a scan. + +Use Case: Find all KBs that patch a specified CVE for Windows endpoints +----------------------------------------------------------------------- + +In this example, you will see how to find all Windows Knowledge Base (KB) updates that patch a specific vulnerability on Windows endpoints from the vulnerability database. You can achieve this using ``SQLite`` on the Wazuh server. + +#. Start ``SQLite`` and open the vulnerability database using the following command: + + .. code-block:: console + + # sqlite3 /var/ossec/queue/vulnerabilities/cve.db + +#. Run ``.mode line`` in the SQLite prompt to configure the SQLite output format. + +#. Run the following command to view all the details of the chosen CVE and operating system: + + .. code-block:: sqlite3 + + sqlite> SELECT * FROM msu WHERE cveid = "" AND PRODUCT LIKE "%%"; + + Where: + + - ```` is a string from the operating system name. It displays result for only the specified operating system. + - ```` is the identifier for the CVE. + + You can see an example below: + + .. code-block:: sqlite3 + + sqlite> SELECT * FROM msu WHERE cveid = "CVE-2023-21524" AND PRODUCT LIKE "%Server 2022%"; + + .. 
code-block:: none + :class: output + :emphasize-lines: 3,12 + + CVEID = CVE-2023-21524 + PRODUCT = Windows Server 2022 (Server Core installation) + PATCH = 5022291 + TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability + URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291 + SUBTYPE = Security Update + RESTART_REQUIRED = Yes + CHECK_TYPE = 1 + + CVEID = CVE-2023-21524 + PRODUCT = Windows Server 2022 + PATCH = 5022291 + TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability + URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291 + SUBTYPE = Security Update + RESTART_REQUIRED = Yes + CHECK_TYPE = 1 + +#. Run the command below to list all the KBs that patch ``KB5022291`` replaces. This will be a list of patches that are no longer necessary to install once a user installs ``KB5022291``. + + .. code-block:: sqlite3 + + sqlite> SELECT patch FROM msu_supersedence WHERE super = "5022291"; + + .. code-block:: console + :class: output + + PATCH = 5010796 + + PATCH = 5022291 + + PATCH = 5022553 + + PATCH = 5021656 + + PATCH = 5021249 + + PATCH = 5020436 + + PATCH = 5020032 + ... + +#. Run the command below to get a list of all the patches that replaced ``KB5022291``. This list contains all the patches that resolve the same vulnerabilities as ``KB5022291`` when installed. + + .. code-block:: sqlite3 + + sqlite> SELECT super FROM msu_supersedence WHERE patch = "5022291"; + + .. code-block:: none + :class: output + + SUPER = 5022291 + SUPER = 5022842 + SUPER = 5023705 + SUPER = 5025230 + SUPER = 5026370 + +
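Review bot: The SQL examples quote string values with double quotes (`WHERE cveid = "CVE-2023-21524" AND PRODUCT LIKE "%Server 2022%"`, and likewise in the two `msu_supersedence` queries), but in SQLite double quotes denote identifiers and only fall back to string literals through a legacy compatibility behaviour that builds compiled without it reject with a "no such column" error; single quotes are the standard form, e.g. `sqlite> SELECT * FROM msu WHERE cveid = 'CVE-2023-21524' AND PRODUCT LIKE '%Server 2022%';` and `sqlite> SELECT patch FROM msu_supersedence WHERE super = '5022291';`. Since the page warns readers not to modify the database while the module may be scanning, the open command could enforce that rather than rely on the warning: `# sqlite3 -readonly /var/ossec/queue/vulnerabilities/cve.db` in both places the shell is started. Two smaller consistency points: `.. Warning::` should be lowercase `.. warning::` to match the rest of the docs, and the supersedence output in the fourth step is tagged `console` while the other output blocks on the page use `none`.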