diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js
index fb377da07c..79b28309c7 100644
--- a/source/_static/js/redirects.js
+++ b/source/_static/js/redirects.js
@@ -64,10 +64,40 @@ removedUrls['x.y'] = [
/* *** RELEASE 4.8 ****/
+/* Pages added in 4.8 */
+
newUrls['4.8'] = [
'/release-notes/release-4-8-0.html',
];
+/* Pages no longer available in 4.8 */
+
+removedUrls['4.8'] = [
+ '/user-manual/capabilities/vulnerability-detection/cpe-helper.html',
+ '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html',
+ '/user-manual/capabilities/vulnerability-detection/scan-types.html',
+];
+
+/* Redirections from 4.7 to 4.8 */
+
+redirections.push(
+ {
+ 'target': ['4.7=>4.8'],
+ '4.7': '/user-manual/capabilities/vulnerability-detection/cpe-helper.html',
+ '4.8': '/user-manual/capabilities/vulnerability-detection/index.html',
+ },
+ {
+ 'target': ['4.7=>4.8'],
+ '4.7': '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html',
+ '4.8': '/user-manual/capabilities/vulnerability-detection/index.html',
+ },
+ {
+ 'target': ['4.7=>4.8'],
+ '4.7': '/user-manual/capabilities/vulnerability-detection/scan-types.html',
+ '4.8': '/user-manual/capabilities/vulnerability-detection/index.html',
+ },
+);
+
/* *** RELEASE 4.7 ****/
/* Pages added in 4.7 */
diff --git a/source/_variables/replacements.py b/source/_variables/replacements.py
index 81af2f808a..ab387eac57 100644
--- a/source/_variables/replacements.py
+++ b/source/_variables/replacements.py
@@ -33,6 +33,8 @@
"|DEB_AGENT_URL|" : "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent",
"|DEB_MANAGER_URL|" : "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-manager/wazuh-manager",
#
+ "|CTI_URL|" : "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0",
+ #
# === Global and Wazuh version (wazuh agent, manager, indexer, and dashboard)
"|WAZUH_CURRENT_MAJOR|" : "4.x",
"|WAZUH_CURRENT_MINOR|" : version,
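Review bot: The new `|CTI_URL|` value hard-codes the consumer segment `vd_4.8.0`, whereas the neighbouring entries take the release from the `version` name (`"|WAZUH_CURRENT_MINOR|" : version`), so the next minor bump will silently leave this URL pointing at the 4.8.0 consumer. If the consumer id is meant to follow the documented release, build it from `version` instead, e.g. `"|CTI_URL|" : "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_" + version,` (assuming `version` holds a plain `x.y.z` string, which this hunk does not show); if it is intentionally pinned to the VD content version rather than the docs release, record that in the `#` comment above it, e.g. `# consumer id tracks the VD content version, not the documented Wazuh release`, so nobody "fixes" it later.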
diff --git a/source/compliance/hipaa/vulnerability-detection.rst b/source/compliance/hipaa/vulnerability-detection.rst
index 1b72dcacf1..d9eddf07a5 100644
--- a/source/compliance/hipaa/vulnerability-detection.rst
+++ b/source/compliance/hipaa/vulnerability-detection.rst
@@ -1,57 +1,67 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: The Vulnerability Detector module helps in meeting HIPAA compliance. Learn more about it in this section of the Wazuh documentation.
+ :description: The Vulnerability Detection module helps in meeting HIPAA compliance. Learn more about it in this section of the Wazuh documentation.
Vulnerability detection
=======================
-Wazuh detects vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detector module. It performs a software audit by building a global vulnerability database from vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. Wazuh cross-correlates these feeds with data from the endpoint application inventory.
+Wazuh detects vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detection module. It performs a software audit by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.
-The Vulnerability Detector module helps to implement the following HIPAA section:
+The Vulnerability Detection module helps to implement the following HIPAA section:
- **Security Management Process §164.308(a)(1) - Risk Analysis**: *“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”*
This section of the HIPAA standard requires identifying risks and vulnerabilities affecting systems containing healthcare information.
- The Wazuh Vulnerability Detector module assists in meeting aspects of this HIPAA section. The Vulnerability Detector module scans an endpoint for vulnerable applications/packages and missing OS updates. Refer to the :doc:`vulnerability detection ` section of our documentation for more details on configuring vulnerability scans.
+ The Wazuh Vulnerability Detection module assists in meeting aspects of this HIPAA section. The Vulnerability Detection module checks for vulnerable applications/packages and missing OS updates in an endpoint. Refer to the :doc:`vulnerability detection ` section of our documentation for more details on configuring vulnerability detection.
Use case: Detect vulnerabilities
--------------------------------
-In this use case, you configure Wazuh to detect vulnerabilities on an Ubuntu 20.04 endpoint (bionic) with the following steps:
-
-#. Modify the highlighted lines in the Wazuh server configuration file (``/var/ossec/etc/ossec.conf``) using a text editor. This enables vulnerability detection for the specific OS version (in this case Ubuntu bionic):
-
- .. code-block:: console
- :emphasize-lines: 2,6
-
-
- yes
- 5m
- yes
-
- yes
- bionic
- 1h
-
-
-
-
-#. Restart the Wazuh server to apply the changes:
+In this use case, you configure Wazuh to detect vulnerabilities on a Debian endpoint with the following steps:
+
+#. Edit the Wazuh server configuration file ``/var/ossec/etc/ossec.conf``. Make sure the module is enabled.
+
+ .. code-block:: xml
+ :emphasize-lines: 2
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
+
+#. If you made changes, restart the Wazuh manager to apply them.
.. include:: /_templates/common/restart_manager.rst
- The Vulnerability Detector module runs scans on startup when ``run_on_start`` is enabled or periodically (defined by interval). After the scan, you can view the results on the Wazuh dashboard, which includes information about vulnerable packages on the monitored endpoint. In this case, the vim software installed on the endpoint has vulnerabilities. You can also see the date and time of the most recent vulnerability scan.
+You can view the results on the Wazuh dashboard, which includes information about vulnerable packages on the monitored endpoint. In this case, the vim software installed on the endpoint has vulnerabilities.
- .. thumbnail:: /images/compliance/hipaa/06-vulnerability-detection.png
- :title: In this case, the vim software installed on the endpoint has vulnerabilities
- :align: center
- :width: 80%
+.. thumbnail:: /images/compliance/hipaa/06-vulnerability-detection.png
+ :title: In this case, the vim software installed on the endpoint has vulnerabilities
+ :align: center
+ :width: 80%
- When you select any of the vulnerabilities, the dashboard shows an overview of the issues detected and their status on the agent.
+When you select any of the vulnerabilities, the dashboard shows an overview of the issues detected.
- .. thumbnail:: /images/compliance/hipaa/07-vulnerability-detection.png
- :title: The dashboard shows an overview of the issues detected and their status on the agent
- :align: center
- :width: 80%
\ No newline at end of file
+.. thumbnail:: /images/compliance/hipaa/07-vulnerability-detection.png
+ :title: The dashboard shows an overview of the issues detected and their status on the agent
+ :align: center
+ :width: 80%
\ No newline at end of file
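Review bot: Nothing in the added configuration example under `#. Edit the Wazuh server configuration file ...` tells the reader that `https://0.0.0.0:9200` and the `admin` / `admin` pair are placeholders: the step text (`Make sure the module is enabled.`) and `:emphasize-lines: 2` point only at the enabled flag, so someone copying the block has no cue to substitute the real indexer address and a non-default account. Add a sentence right after the block, e.g. `Replace the indexer address, username and password with the values of your deployment; admin/admin is the default pair and must be changed.` The same block with the same omission is added in the nist (`@@ -54,54 +52,37 @@`), pci-dss (`@@ -35,28 +36,38 @@`) and cc7.1 (`@@ -15,49 +15,42 @@`) hunks. The XML element names did not survive on this page, so I cannot pin which exact lines carry the host and credential fields.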
diff --git a/source/compliance/nist/vulnerability-detection.rst b/source/compliance/nist/vulnerability-detection.rst
index cf7bc16a79..22612be25f 100644
--- a/source/compliance/nist/vulnerability-detection.rst
+++ b/source/compliance/nist/vulnerability-detection.rst
@@ -1,29 +1,27 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: The Wazuh Vulnerability Detector module performs a software audit of monitored endpoints. Learn more about it in this section of the documentation.
+ :description: The Wazuh Vulnerability Detection module performs a software audit of monitored endpoints. Learn more about it in this section of the documentation.
Vulnerability detection
=======================
-The Wazuh Vulnerability Detector module performs a software audit. It identifies vulnerabilities in the operating system and installed applications in monitored endpoints. The module builds a global vulnerability database from vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. Then it cross-correlates these feeds with data from the endpoint application inventory.
+The Wazuh Vulnerability Detection module performs a software audit. It identifies vulnerabilities in the operating system and installed applications in monitored endpoints. The module queries our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.
-The :doc:`Vulnerability Detector ` module helps to implement the following NIST 800-53 controls:
+The :doc:`Vulnerability Detection ` module helps to implement the following NIST 800-53 controls:
- **RA-5 Vulnerability monitoring and scanning**: *“Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automation Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).”*
- **SC-38 Operations security**: *“Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.”*
-The Wazuh Vulnerability Detector module assists with the above requirements by scanning an endpoint for vulnerable applications/packages and missing OS updates.
+The Wazuh Vulnerability Detection module assists with the above requirements by checking for vulnerable applications/packages and missing OS updates in an endpoint.
Use case: Detect vulnerabilities on a Windows endpoint
------------------------------------------------------
This use case shows how Wazuh helps meet the NIST **RA-5 Vulnerability monitoring and scanning** requirement using the Vulnerability detection module to identify system vulnerabilities.
-In this use case, you configure the Wazuh Vulnerability detector module to perform a vulnerability scan on a monitored Windows 10 endpoint. The **Vulnerability Detection** module of the Wazuh dashboard shows the result of the scan.
-
-Follow the steps below to activate the Wazuh Vulnerability Detector module:
+In this use case, you make sure that a monitored Windows 10 endpoint is properly configured and the Wazuh Vulnerability detection module enabled. The **Vulnerability Detection** module of the Wazuh dashboard shows the result of the vulnerabilities detection.
Windows endpoint
^^^^^^^^^^^^^^^^
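Review bot: The rewritten sentence `In this use case, you make sure that a monitored Windows 10 endpoint is properly configured and the Wazuh Vulnerability detection module enabled.` drops the verb in its second clause, and the sentence after it says `the result of the vulnerabilities detection`; change them to `... is properly configured and that the Wazuh vulnerability detection module is enabled.` and `... shows the result of the vulnerability detection.` The new opening paragraph also switches between `Vulnerability Detection module` and `Vulnerability detection module` within the same paragraph. That paragraph is added verbatim in the hipaa, pci-dss and cc7.1 hunks as well, so one casing should be chosen and applied to all four.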
@@ -54,54 +52,37 @@ Windows endpoint
Wazuh server
^^^^^^^^^^^^
-#. Edit the ```` block within the ``/var/ossec/etc/ossec.conf`` file and set ```` to ``yes``. This enables the vulnerability detector module.
+#. Edit the ```` block within the ``/var/ossec/etc/ossec.conf`` file and make sure ```` is set to ``yes``. This enables the vulnerability detection module.
- .. code-block:: xml
+ .. code-block:: xml
:emphasize-lines: 2
-
-
- yes
- 5m
- 6h
- yes
-
-
-
- You can also set other options such as **** and ****.
-
-#. Enable the ```` options for ``msu`` and ``nvd`` in the ```` block of the ``/var/ossec/etc/ossec.conf`` configuration file:
-
- .. code-block:: xml
- :emphasize-lines: 3,10
-
-
-
- yes
- 1h
-
-
-
-
-
- yes
- 1h
-
-
- Save the changes:
-
- - ``msu``: Pulls CVEs from the Microsoft vulnerability updates database.
- - ``nvd``: Pulls CVEs from the National Vulnerability Database.
-
-#. Restart the Wazuh server to apply the configuration changes:
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
+
+#. If you made changes, restart the Wazuh server to apply them.
.. include:: /_templates/common/restart_manager.rst
#. Go to **Vulnerability Detection** on the Wazuh dashboard. Select the Windows agent to find vulnerable applications and packages.
- .. thumbnail:: /images/compliance/nist/modules-vulnerabilities.png
- :title: Vulnerability Detection module
- :alt: Vulnerability Detection module
- :align: center
- :width: 80%
-
-The alert details include the detection time, CVE number, and severity, amongst other information.
+The alert details include the CVE number and severity, amongst other information.
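Review bot: The step `#. Go to **Vulnerability Detection** on the Wazuh dashboard. Select the Windows agent ...` is left without its screenshot, because the `.. thumbnail:: /images/compliance/nist/modules-vulnerabilities.png` block that followed it is removed with nothing in its place, while the hipaa, pci-dss and cc7.1 hunks keep their dashboard images. If the 4.7 capture is stale for the 4.8 dashboard, a refreshed image under the same step would keep this page consistent with the other compliance pages; if the image is dropped on purpose, the unreferenced `/images/compliance/nist/modules-vulnerabilities.png` file should presumably go with it. The closing line `The alert details include the CVE number and severity, amongst other information.` now describes alert details that the page no longer shows.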
diff --git a/source/compliance/pci-dss/vulnerability-detection.rst b/source/compliance/pci-dss/vulnerability-detection.rst
index 9c0fa02fd1..ed27b37678 100644
--- a/source/compliance/pci-dss/vulnerability-detection.rst
+++ b/source/compliance/pci-dss/vulnerability-detection.rst
@@ -6,7 +6,8 @@
Vulnerability detection
=======================
-Wazuh is able to detect vulnerabilities in the applications installed on agents using the Vulnerability Detector module. This software audit is performed through the integration of vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database.
+Wazuh is able to detect vulnerabilities in the applications installed on agents using the Vulnerability Detection module. This software audit is performed by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.
+
The vulnerability detection module helps to meet the following PCI DSS requirements:
- **Requirement 6 - Develop and Maintain Secure Systems and Software**: Actors with bad intentions can use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.
@@ -17,7 +18,7 @@ The goal of this requirement is to ensure that systems and software have the app
The goal of this requirement is to ensure that systems and networks are regularly tested to confirm their security status. These tests include penetration testing and vulnerability scans.
-The Wazuh vulnerability detector module helps to meet the above requirements. The Wazuh agent runs scans on the endpoint to detect vulnerabilities. It collects a list of installed applications and OS information and sends it periodically to the manager. The Wazuh manager compares this information with its global vulnerability database to determine what vulnerabilities exist on an endpoint. Wazuh builds this global vulnerability database from publicly available CVE repositories. You can find more details on configuring vulnerability scans in the :doc:`vulnerability detection ` section of the documentation.
+The Wazuh vulnerability detection module helps to meet the above requirements. The Wazuh agent collects a list of installed applications and OS information and sends it periodically to the manager. The Wazuh manager compares this information with vulnerability content documents to determine what vulnerabilities exist on an endpoint. You can find more details on configuring vulnerability detection in the :doc:`vulnerability detection ` section of the documentation.
Use cases
@@ -25,7 +26,7 @@ Use cases
Below are some PCI DSS requirements use cases that can be met with the vulnerability detection module:
-- PCI DSS 6.3 requires to identify and address security vulnerabilities. You can schedule scans with the vulnerability detector module to identify security vulnerabilities. For example, add the following block to the shared agent configuration file ``/var/ossec/etc/shared/default/agent.conf`` to detect vulnerabilities in packages installed on an Ubuntu 20.04 endpoint:
+- PCI DSS 6.3 requires to identify and address security vulnerabilities. While vulnerability detection is enabled by default, you can still check everything is properly configured. For example, you can add the following block to the shared agent configuration file ``/var/ossec/etc/shared/default/agent.conf`` to make sure to detect vulnerabilities in packages installed on Ubuntu 20.04 endpoints.
.. code-block:: xml
@@ -35,28 +36,38 @@ Below are some PCI DSS requirements use cases that can be met with the vulnerabi
yes
-
- Modify the highlighted lines in the ``/var/ossec/etc/ossec.conf`` manager configuration file to enable vulnerability detection for a specific OS version, for example, Ubuntu bionic:
+ Make sure vulnerability detection is enabled by checking the ``/var/ossec/etc/ossec.conf`` manager configuration file.
.. code-block:: xml
- :emphasize-lines: 2,6,7
-
-
- yes
- 5m
- yes
-
- yes
- bionic
- 1h
-
-
-
- Restart the manager to apply the changes:
+ :emphasize-lines: 2
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
+
+ If you made changes, restart the manager to apply them.
.. include:: /_templates/common/restart_manager.rst
- Once the scan finishes, you can see the results on the Wazuh dashboard. They include details of vulnerable packages, for example, vulnerabilities in the ``OpenSSH`` application.
+ You can see the results on the Wazuh dashboard. They include details of vulnerable packages, for example, vulnerabilities in the ``OpenSSH`` application.
.. thumbnail:: /images/compliance/pci/results-on-the-wazuh-dashboard.png
:title: Results on the Wazuh dashboard
@@ -70,7 +81,7 @@ Below are some PCI DSS requirements use cases that can be met with the vulnerabi
:align: center
:width: 80%
-- PCI DSS 11.3 requires to identify, prioritize, and address external and internal vulnerabilities regularly. You can run scans to identify these vulnerabilities. The Wazuh vulnerability detector gives details on the severity rating and the CVSS scores. This helps to prioritize the vulnerabilities. From the vulnerability detector dashboard, you can filter by vulnerability severity rating to prioritize its remediation.
+- PCI DSS 11.3 requires to identify, prioritize, and address external and internal vulnerabilities regularly. The Wazuh vulnerability detection gives details on the severity rating and the CVSS scores. This helps to prioritize the vulnerabilities. From the vulnerability detection dashboard, you can filter by vulnerability severity rating to prioritize its remediation.
.. thumbnail:: /images/compliance/pci/filter-for-vulnerabilities.png
:title: Filter for vulnerabilities
diff --git a/source/compliance/tsc/common-criteria/cc7.1.rst b/source/compliance/tsc/common-criteria/cc7.1.rst
index c886c07400..bc5c2f0473 100644
--- a/source/compliance/tsc/common-criteria/cc7.1.rst
+++ b/source/compliance/tsc/common-criteria/cc7.1.rst
@@ -1,7 +1,7 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Wazuh helps meet the common criteria CC7.1 by providing the Vulnerability Detector module.
+ :description: Wazuh helps meet the common criteria CC7.1 by providing the Vulnerability Detection module.
Common criteria 7.1
===================
@@ -15,49 +15,42 @@ The use case below shows how Wazuh assists in meeting this requirement.
Use case: Monitoring a CentOS endpoint for vulnerabilities
----------------------------------------------------------
-Wazuh helps meet the *common criteria CC7.1* by providing the Vulnerability Detector module. This module can uncover vulnerabilities in operating systems and installed applications. It builds a database of Common Vulnerabilities and Exposures (CVEs) using data indexed from Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). Wazuh compares the information from these sources with scanned data from the monitored endpoint.
-
-In this use case, we show how the Wazuh Vulnerability Detector module detects vulnerabilities on a CentOS 8 endpoint.
-
-#. Enable the Vulnerability Detector module. This is found under the ```` block of the Wazuh server ``/var/ossec/etc/ossec.conf`` configuration file:
-
- .. code-block:: XML
- :emphasize-lines: 3, 10, 22
-
-
-
- yes
- 5m
- 6h
- yes
-
-
-
- yes
- 5
- 6
- 7
- 8
- 8
- 9
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
-#. Restart the Wazuh manager to apply the changes:
-
- .. code-block:: console
-
- # systemctl restart wazuh-manager
-
-#. Navigate to the Vulnerability Detector module from the Wazuh dashboard. Select an agent to view its discovered vulnerabilities.
+Wazuh helps meet the *common criteria CC7.1* by providing the Vulnerability Detection module. This module can uncover vulnerabilities in operating systems and installed applications. It performs a software audit by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.
+
+In this use case, you can see how the Wazuh Vulnerability Detection module detects vulnerabilities on a CentOS 8 endpoint.
+
+#. Edit the Wazuh server configuration file ``/var/ossec/etc/ossec.conf``. Make sure the module is enabled.
+
+ .. code-block:: xml
+ :emphasize-lines: 2
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
+
+#. If you made changes, restart the Wazuh manager to apply them:
+
+ .. include:: /_templates/common/restart_manager.rst
+
+#. Navigate to the **Vulnerability detection** module from the Wazuh dashboard. Select the agent to view its discovered vulnerabilities.
.. thumbnail:: /images/compliance/tsc/common-criteria/agent-vulnerabilities.png
:title: Agent vulnerabilities
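Review bot: The dashboard label in `#. Navigate to the **Vulnerability detection** module from the Wazuh dashboard.` is cased differently from the same UI element in the nist hunk (`#. Go to **Vulnerability Detection** on the Wazuh dashboard.`); bold here stands for a literal menu entry, so only one of the two can match the product. I cannot tell from the diff which casing the 4.8 dashboard uses, but whichever it is, the other page should be aligned to it. The restart step also ends in a colon (`restart the Wazuh manager to apply them:`) where the hipaa hunk's equivalent step ends in a full stop, although both are followed by the same `.. include:: /_templates/common/restart_manager.rst`.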
diff --git a/source/compliance/tsc/common-criteria/cc8.1.rst b/source/compliance/tsc/common-criteria/cc8.1.rst
index 57014b64d8..af92ce1862 100644
--- a/source/compliance/tsc/common-criteria/cc8.1.rst
+++ b/source/compliance/tsc/common-criteria/cc8.1.rst
@@ -1,7 +1,7 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Wazuh helps meet the TSC common criteria CC8.1 requirement by providing several modules such as SCA, Vulnerability Detector, and active response.
+ :description: Wazuh helps meet the TSC common criteria CC8.1 requirement by providing several modules such as SCA, vulnerability detection, and active response.
Common criteria 8.1
===================
@@ -13,7 +13,7 @@ The following use case shows how Wazuh can assist in meeting this objective.
Use case: Monitoring packages installed on an Ubuntu endpoint
-------------------------------------------------------------
-Wazuh helps meet the *TSC common criteria CC8.1* requirement by providing several modules such as SCA, vulnerability detector, and active response. This use case shows how Wazuh can be used to view installed packages on an Ubuntu 22.04 endpoint.
+Wazuh helps meet the *TSC common criteria CC8.1* requirement by providing several modules such as SCA, vulnerability detection, and active response. This use case shows how Wazuh can be used to view installed packages on an Ubuntu 22.04 endpoint.
To carry out this use case, set up a Wazuh server and an Ubuntu 22.04 endpoint with the Wazuh agent installed and connected to the Wazuh server.
diff --git a/source/deployment-options/wazuh-from-sources/wazuh-server/index.rst b/source/deployment-options/wazuh-from-sources/wazuh-server/index.rst
index 46d82f8323..ab3195ed86 100644
--- a/source/deployment-options/wazuh-from-sources/wazuh-server/index.rst
+++ b/source/deployment-options/wazuh-from-sources/wazuh-server/index.rst
@@ -93,61 +93,65 @@ To install the required dependencies to build the python interpreter, follow the
Installing the Wazuh manager
----------------------------
-#. Download and extract the latest version:
+#. Download and extract the latest version:
- .. code-block:: console
+ .. code-block:: console
+
+ # curl -Ls https://github.com/wazuh/wazuh/archive/v|WAZUH_CURRENT_FROM_SOURCES|.tar.gz | tar zx
+ # cd wazuh-|WAZUH_CURRENT_FROM_SOURCES|
+
+#. If you have previously compiled for another platform, clean the build using the Makefile in ``src/``:
+
+ .. code-block:: console
- # curl -Ls https://github.com/wazuh/wazuh/archive/v|WAZUH_CURRENT_FROM_SOURCES|.tar.gz | tar zx
+ # make -C src clean
+ # make -C src clean-deps
-#. Run the ``install.sh`` script. This will display a wizard to guide you through the installation process using the Wazuh sources:
+#. Run the ``install.sh`` script. This will display a wizard to guide you through the installation process using the Wazuh sources:
- .. warning::
+ .. warning::
- If you want to enable the database output, :doc:`check out ` this section before running the installation script.
+ If you want to enable the database output, :doc:`check out ` this section before running the installation script.
- .. code-block:: console
+ .. code-block:: console
- # cd wazuh-|WAZUH_CURRENT_FROM_SOURCES|
- # ./install.sh
+ # ./install.sh
- If you have previously compiled for another platform, you must clean the build using the Makefile in ``src``:
+ Alternatively, to download vulnerability detection content during installation, you can set ``DOWNLOAD_CONTENT_AND_DECOMPRESS=y``. The initial run might be time-consuming due to the initial process of downloading and processing :doc:`vulnerability detection ` content. You can download a pre-prepared database during installation to bypass this initial step.
- .. code-block:: console
+ .. code-block:: console
- # cd wazuh-|WAZUH_CURRENT_FROM_SOURCES|
- # make -C src clean
- # make -C src clean-deps
+ # DOWNLOAD_CONTENT_AND_DECOMPRESS=y ./install.sh
-#. When the script asks what kind of installation you want, type ``manager`` to install the Wazuh manager:
+#. When the script asks what kind of installation you want, type ``manager`` to install the Wazuh manager:
- .. code-block:: none
+ .. code-block:: none
- 1- What kind of installation do you want (manager, agent, local, hybrid, or help)? manager
+ 1- What kind of installation do you want (manager, agent, local, hybrid, or help)? manager
- .. note::
+ .. note::
- During the installation, users can decide the installation path. Execute the ``./install.sh`` and select the language, set the installation mode to ``manager``, then set the installation path (``Choose where to install Wazuh [/var/ossec]``). The default path of installation is ``/var/ossec``. A commonly used custom path might be ``/opt``.
+ During the installation, users can decide the installation path. Execute the ``./install.sh`` and select the language, set the installation mode to ``manager``, then set the installation path (``Choose where to install Wazuh [/var/ossec]``). The default path of installation is ``/var/ossec``. A commonly used custom path might be ``/opt``.
- .. warning::
+ .. warning::
- Be extremely careful not to select a critical installation directory if you choose a different path than the default. If the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it.
+ Be extremely careful not to select a critical installation directory if you choose a different path than the default. If the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it.
-#. The installer asks if you want to start Wazuh at the end of the installation. If you choose not to, you can start it later with:
+#. The installer asks if you want to start Wazuh at the end of the installation. If you choose not to, you can start it later with:
- .. tabs::
-
- .. group-tab:: Systemd
+ .. tabs::
+ .. group-tab:: Systemd
- .. code-block:: console
+ .. code-block:: console
- # systemctl start wazuh-manager
+ # systemctl start wazuh-manager
- .. group-tab:: SysV init
+ .. group-tab:: SysV init
- .. code-block:: console
+ .. code-block:: console
- # service wazuh-manager start
+ # service wazuh-manager start
Installing other Wazuh components
---------------------------------
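Review bot: The paragraph beginning `Alternatively, to download vulnerability detection content during installation, you can set ``DOWNLOAD_CONTENT_AND_DECOMPRESS=y``.` reads out of order: it names the switch before saying what it avoids, then closes with `You can download a pre-prepared database during installation to bypass this initial step.`, which restates the switch without naming it and leaves it unclear whether "content" and "pre-prepared database" are the same artifact. Lead with the cost and end with the switch, e.g. `The first run of vulnerability detection can take a long time because it downloads and processes the content. To fetch a pre-prepared copy of that content during installation instead, run the installer with ``DOWNLOAD_CONTENT_AND_DECOMPRESS=y``:` followed by the existing console block. Separately, the re-indented `# curl -Ls https://github.com/wazuh/wazuh/archive/v|WAZUH_CURRENT_FROM_SOURCES|.tar.gz | tar zx` step unpacks the source tarball without any checksum or signature verification; if the release publishes such an artifact, this step is the place to mention it.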
diff --git a/source/getting-started/use-cases/it-hygiene.rst b/source/getting-started/use-cases/it-hygiene.rst
index 74a5345124..737781b8dc 100644
--- a/source/getting-started/use-cases/it-hygiene.rst
+++ b/source/getting-started/use-cases/it-hygiene.rst
@@ -75,7 +75,7 @@ Vulnerability management
Vulnerability management aims to identify and remediate vulnerabilities to prevent cyber attacks. By taking proactive steps to remediate vulnerabilities, your organization can significantly reduce its attack surface, thereby improving its IT hygiene.
-The Wazuh :doc:`Vulnerability Detector ` module identifies vulnerable applications by using the information collected from operating system vendors and :doc:`vulnerability databases `. The Vulnerability Detector module scans and generates alerts for vulnerabilities discovered on monitored endpoints. This provides a comprehensive view of vulnerabilities identified across all monitored endpoints, allowing you to view, analyze, fix, and track the remediation of vulnerabilities.
+The Wazuh :doc:`vulnerability detection ` module identifies vulnerable applications by using :doc:`vulnerability information available in our Wazuh CTI `. The vulnerability detection module generates alerts for vulnerabilities discovered on monitored endpoints. This provides a comprehensive view of vulnerabilities identified across all monitored endpoints, allowing you to view, analyze, fix, and track the remediation of vulnerabilities.
The vulnerabilities discovered are grouped into severity levels, and a summary is provided based on the application name, CVE, and CVSS3 score on the Wazuh dashboard.
@@ -93,7 +93,7 @@ You can download a report that contains security events related to discovered an
:align: center
:width: 80%
-The Wazuh Vulnerability Detector module also enables you to track remediation activities, which could serve as a progress report on improving or maintaining IT hygiene. For example, when a vulnerability is remediated, an alert is generated on the Wazuh dashboard. This feature detects when a patch or software upgrade resolves a previously detected vulnerability.
+The Wazuh vulnerability detection module also enables you to track remediation activities, which could serve as a progress report on improving or maintaining IT hygiene. For example, when a vulnerability is remediated, an alert is generated on the Wazuh dashboard. This feature detects when a patch or software upgrade resolves a previously detected vulnerability.
.. thumbnail:: /images/getting-started/use-cases/it-hygiene/remediation-alerts.png
:title: Remediation alerts
@@ -183,7 +183,7 @@ Wazuh streamlines the process of meeting :doc:`regulatory compliance `, :doc:`Vulnerability Detector `, :doc:`FIM `, and more to identify and report compliance violations. It also provides dedicated compliance dashboards to help monitor compliance status, identify improvement areas, and take appropriate remediation actions.
+Wazuh uses its capabilities such as the :doc:`SCA `, :doc:`vulnerability detection `, :doc:`FIM `, and more to identify and report compliance violations. It also provides dedicated compliance dashboards to help monitor compliance status, identify improvement areas, and take appropriate remediation actions.
For example, you can get a general overview of the PCI DSS requirement of a monitored endpoint on the Wazuh dashboard.
diff --git a/source/getting-started/use-cases/regulatory-compliance.rst b/source/getting-started/use-cases/regulatory-compliance.rst
index cb6b52d69d..e0f991908e 100644
--- a/source/getting-started/use-cases/regulatory-compliance.rst
+++ b/source/getting-started/use-cases/regulatory-compliance.rst
@@ -88,7 +88,7 @@ NIST 800-53 offers recommendations for managing information security and privacy
:align: center
:width: 80%
-The :doc:`Vulnerability Detector ` module runs scans when enabled on startup or periodically as defined. You can view the vulnerability scan results on the Wazuh dashboard which includes the time and date of the scan, vulnerable applications, and packages on the monitored endpoint. You can find more information on how :doc:`Wazuh helps organizations meet the NIST 800-53 standard `.
+You can view the :doc:`vulnerability detection ` module results on the Wazuh dashboard which includes vulnerable applications and packages on the monitored endpoint. You can find more information on how :doc:`Wazuh helps organizations meet the NIST 800-53 standard `.
.. thumbnail:: /images/getting-started/use-cases/regulatory-compliance/vulnerabilities-module-inventory.png
:title: Vulnerability Detection module inventory
diff --git a/source/getting-started/use-cases/vulnerability-detection.rst b/source/getting-started/use-cases/vulnerability-detection.rst
index 9450b5d582..bf963b343d 100644
--- a/source/getting-started/use-cases/vulnerability-detection.rst
+++ b/source/getting-started/use-cases/vulnerability-detection.rst
@@ -1,7 +1,7 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: The Wazuh Vulnerability Detector module correlates the software inventory data with vulnerability feeds to detect vulnerable software on a monitored endpoint. Find more information in this use case.
+ :description: The Wazuh vulnerability detection module correlates the software inventory data with vulnerability feeds to detect vulnerable software on a monitored endpoint. Find more information in this use case.
Vulnerability detection
=======================
@@ -10,16 +10,24 @@ Software vulnerabilities are weaknesses in code that can allow attackers to gain
Vulnerability detection is the process of identifying these flaws before they are discovered and exploited by attackers. The goal of vulnerability detection is to identify vulnerabilities so that remediation can be carried out to prevent successful attacks.
-The :doc:`Wazuh agent ` collects the software inventory data from a monitored endpoint periodically and sends it to the Wazuh server. The Wazuh :doc:`Vulnerability Detector ` module correlates the software inventory data with vulnerability feeds to detect vulnerable software on a monitored endpoint. Wazuh identifies vulnerable applications and produces risk reports using the information collected from the different operating system vendors and vulnerability databases. The :doc:`Vulnerability Detector ` module uses a database of Common Vulnerabilities and Exposures (CVEs) created automatically by processing data pulled from several sources including Wazuh feeds.
+The :doc:`Wazuh agent ` uses the :doc:`Syscollector ` module to collect inventory details from the monitored endpoint. It sends the collected data to the Wazuh server. Within the Wazuh server, the :doc:`Vulnerability Detection ` module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint.
-This variety of sources ensures that the Vulnerability Detector module provides coverage for a variety of operating systems and applications. The module supports Windows, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Amazon Linux, Arch Linux, and macOS operating systems.
+Wazuh detects vulnerable applications, generating risk reports, using our Cyber Threat Intelligence (CTI) platform. In this platform, we aggregate vulnerability data from diverse sources like operating system vendors and vulnerability databases, consolidating it into a unified, reliable repository. The process involves standardizing the varied formats into a common structure. Additionally, we maintain the integrity of our vulnerability data by doing the following.
+
+- Rectifying format inconsistencies like version errors and typos.
+- Completing missing information.
+- Incorporating new cybersecurity vulnerabilities.
+
+Subsequently, we merge this content, uploading the compiled documents to a cloud server. Finally, we publish these documents to our CTI API.
+
+Relying on the Wazuh CTI, the :doc:`Vulnerability Detection ` module supports a variety of operating systems, such as Windows, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Amazon Linux, Arch Linux, and macOS operating systems, and applications.
Achieve comprehensive visibility
--------------------------------
-The Vulnerability Detector module scans and generates alerts for vulnerabilities discovered on the operating system and applications installed on the monitored endpoint. It correlates the software inventory collected by the Wazuh agent with the vulnerability database and displays the alert generated on the Wazuh dashboard. This provides a clear and comprehensive view of vulnerabilities identified in all monitored endpoints, allowing you to view, analyze and fix vulnerabilities.
+The Vulnerability Detection module generates alerts for vulnerabilities discovered on the operating system and applications installed on the monitored endpoint. It correlates the software inventory collected by the Wazuh agent with the vulnerability content documents and displays the alert generated on the Wazuh dashboard. This provides a clear and comprehensive view of vulnerabilities identified in all monitored endpoints, allowing you to view, analyze and fix vulnerabilities.
-On the Wazuh dashboard, the vulnerabilities discovered are grouped into severity levels and a summary is provided based on the application name, CVE, and CVSS3 score. This allows analysts to direct their focus appropriately.
+The vulnerability detection dashboard shows the frequency of occurrences in different categories such as package name, operating system, agent name, vulnerability ID, and alert severity. This allows analysts to direct their focus appropriately.
.. thumbnail:: /images/getting-started/use-cases/vulnerability-detection/vulnerabilities-inventory.png
:title: Vulnerabilities inventory
@@ -27,7 +35,7 @@ On the Wazuh dashboard, the vulnerabilities discovered are grouped into severity
:align: center
:width: 80%
-The Vulnerability Detector module is configured to run scans at intervals. We can view the alerts generated on the dashboard when new vulnerabilities are discovered.
+You can view the alerts generated on the dashboard when new vulnerabilities are discovered.
.. thumbnail:: /images/getting-started/use-cases/vulnerability-detection/vulnerability-alerts.png
:title: Vulnerability alerts
@@ -54,73 +62,114 @@ Wazuh vulnerability alerts contain relevant information about the identified vul
:align: center
:width: 80%
-.. code-block:: none
- :emphasize-lines: 11-17, 19-25, 30-32
+.. code-block:: json
+ :emphasize-lines: 23-50
{
- "agent": {
- "ip": "192.168.229.142",
- "name": "CentOS",
- "id": "001"
- },
- "manager": {
- "name": "wazuh-server"
- },
- "data": {
- "vulnerability": {
- "severity": "Critical",
- "package": {
- "condition": "Package less than 78.4.1-1.el7_9",
- "name": "firefox",
- "version": "68.10.0-1.el7.centos",
- "architecture": "x86_64"
+ "_index": "wazuh-alerts-4.x-env-1-2024.01.04",
+ "_id": "-1DO1IwBV9gueGHd9CSt",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "cluster": {
+ "node": "worker_01",
+ "name": "wazuh1"
+ },
+ "input": {
+ "type": "log"
+ },
+ "agent": {
+ "ip": "10.0.1.64",
+ "name": "Centos",
+ "id": "003"
+ },
+ "manager": {
+ "name": "wazuh-manager-worker-0"
+ },
+ "data": {
+ "vulnerability": {
+ "reference": "https://bugzilla.redhat.com/show_bug.cgi?id=1991687, https://security.gentoo.org/glsa/202209-12, https://security.netapp.com/advisory/ntap-20220930-0001/",
+ "severity": "Medium",
+ "score": {
+ "environmental": "0",
+ "version": "2.0",
+ "temporal": "0",
+ "base": "4.400000"
+ },
+ "cve": "CVE-2021-3697",
+ "package": {
+ "installed": "2021-06-02T06:06:51.000Z",
+ "path": " ",
+ "size": "9264704",
+ "name": "grub2-tools",
+ "description": "Support tools for GRUB.",
+ "type": "rpm",
+ "version": "1:2.02-99.el8",
+ "architecture": "x86_64"
+ },
+ "scanner": {
+ "vendor": "Wazuh"
+ },
+ "description": "A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.",
+ "category": "Packages",
+ "classification": "CVSS",
+ "enumeration": "CVE",
+ "status": "Active"
},
- "references": [
- "https://bugzilla.mozilla.org/show_bug.cgi?id=1675905",
- "https://www.mozilla.org/security/advisories/mfsa2020-49/",
- "http://packetstormsecurity.com/files/166175/Firefox-MCallGetProperty-Write-Side-Effects-Use-After-Free.html",
- "https://nvd.nist.gov/vuln/detail/CVE-2020-26950",
- "https://access.redhat.com/security/cve/CVE-2020-26950"
+ "aws": {
+ "accountId": "",
+ "region": ""
+ }
+ },
+ "rule": {
+ "firedtimes": 3956,
+ "mail": false,
+ "level": 7,
+ "pci_dss": [
+ "11.2.1",
+ "11.2.3"
],
- "cve_version": "4.0",
- "assigner": "security@mozilla.org",
- "published": "2020-12-09",
- "cwe_reference": "CWE-416",
- "title": "CVE-2020-26950 affects firefox",
- "type": "PACKAGE",
- "rationale": "In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.",
- "advisories_ids": [
- "RHSA-2020:5099",
- "RHSA-2020:5100",
- "RHSA-2020:5104",
- "RHSA-2020:5135",
- "RHSA-2020:5138",
- "RHSA-2020:5139",
+ "tsc": [
+ "CC7.1",
+ "CC7.2"
],
- "cve": "CVE-2020-26950",
- "bugzilla_references": [
- "https://bugzilla.redhat.com/show_bug.cgi?id=1896306"
+ "description": "CVE-2021-3697 affects grub2-tools",
+ "groups": [
+ "vulnerability-detector"
],
- "cvss": {
- "cvss2": {
- "base_score": "9.300000",
- "vector": {
- "integrity_impact": "complete",
- "confidentiality_impact": "complete",
- "availability": "complete",
- "attack_vector": "network",
- "access_complexity": "medium",
- "authentication": "none"
- }
- },
- ...
+ "id": "23504",
+ "gdpr": [
+ "IV_35.7.d"
+ ]
+ },
+ "location": "vulnerability-scanner",
+ "decoder": {
+ "name": "json"
+ },
+ "id": "1704377380.22184642",
+ "timestamp": "2024-01-04T14:09:40.138+0000"
+ },
+ "fields": {
+ "timestamp": [
+ "2024-01-04T14:09:40.138Z"
+ ]
+ },
+ "highlight": {
+ "rule.groups": [
+ "@opensearch-dashboards-highlighted-field@vulnerability-detector@/opensearch-dashboards-highlighted-field@"
+ ]
+ },
+ "sort": [
+ 1704377380138
+ ]
+ }
-As you can see above, the alert contains key information about the detected vulnerability. This information includes the CVE information, reference links for further research, and a title that provides a concise description of the vulnerability.
+As you can see above, the alert contains key information about the detected vulnerability. This information includes the CVE information, reference links for further research, and a description that provides a concise explanation of the vulnerability.
Track vulnerability remediation
-------------------------------
-The Wazuh Vulnerability Detector module also allows you to confirm when a vulnerability has been remediated. This feature detects when a patch or software upgrade resolves a previously detected vulnerability. The feature is enabled using the :ref:`hotfixes ` option and is available for Windows endpoints.
+The Wazuh Vulnerability Detection module also allows you to confirm when a vulnerability has been remediated. This feature detects when a patch or software upgrade resolves a previously detected vulnerability. The feature is enabled using the :ref:`hotfixes ` option and is available for Windows endpoints.
.. thumbnail:: /images/getting-started/use-cases/vulnerability-detection/windows-vulnerability-resolved-alert.png
:title: Windows vulnerability resolved alert
diff --git a/source/images/compliance/hipaa/06-vulnerability-detection.png b/source/images/compliance/hipaa/06-vulnerability-detection.png
index 3a38cd9196..5dc635df3f 100644
Binary files a/source/images/compliance/hipaa/06-vulnerability-detection.png and b/source/images/compliance/hipaa/06-vulnerability-detection.png differ
diff --git a/source/images/compliance/hipaa/07-vulnerability-detection.png b/source/images/compliance/hipaa/07-vulnerability-detection.png
index d2bf8be61e..6ae0c700d3 100644
Binary files a/source/images/compliance/hipaa/07-vulnerability-detection.png and b/source/images/compliance/hipaa/07-vulnerability-detection.png differ
diff --git a/source/images/compliance/pci/filter-for-vulnerabilities.png b/source/images/compliance/pci/filter-for-vulnerabilities.png
index b68092c0a2..bb60db9f96 100644
Binary files a/source/images/compliance/pci/filter-for-vulnerabilities.png and b/source/images/compliance/pci/filter-for-vulnerabilities.png differ
diff --git a/source/images/compliance/pci/overview-of-the-issue-detected.png b/source/images/compliance/pci/overview-of-the-issue-detected.png
index 3784801bed..fb65cf09ff 100644
Binary files a/source/images/compliance/pci/overview-of-the-issue-detected.png and b/source/images/compliance/pci/overview-of-the-issue-detected.png differ
diff --git a/source/images/compliance/pci/results-on-the-wazuh-dashboard.png b/source/images/compliance/pci/results-on-the-wazuh-dashboard.png
index 5bc0d80978..dbdc93a1f0 100644
Binary files a/source/images/compliance/pci/results-on-the-wazuh-dashboard.png and b/source/images/compliance/pci/results-on-the-wazuh-dashboard.png differ
diff --git a/source/images/compliance/tsc/common-criteria/agent-vulnerabilities.png b/source/images/compliance/tsc/common-criteria/agent-vulnerabilities.png
index 658156019d..a538b6fb7b 100644
Binary files a/source/images/compliance/tsc/common-criteria/agent-vulnerabilities.png and b/source/images/compliance/tsc/common-criteria/agent-vulnerabilities.png differ
diff --git a/source/images/getting-started/use-cases/it-hygiene/vulnerabilities-inventory-dashboard.png b/source/images/getting-started/use-cases/it-hygiene/vulnerabilities-inventory-dashboard.png
index dd0cce8661..0a7461df51 100644
Binary files a/source/images/getting-started/use-cases/it-hygiene/vulnerabilities-inventory-dashboard.png and b/source/images/getting-started/use-cases/it-hygiene/vulnerabilities-inventory-dashboard.png differ
diff --git a/source/images/getting-started/use-cases/vulnerability-detection/vulnerabilities-inventory.png b/source/images/getting-started/use-cases/vulnerability-detection/vulnerabilities-inventory.png
index f8df3aadaf..f27624fc35 100644
Binary files a/source/images/getting-started/use-cases/vulnerability-detection/vulnerabilities-inventory.png and b/source/images/getting-started/use-cases/vulnerability-detection/vulnerabilities-inventory.png differ
diff --git a/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alert-example.png b/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alert-example.png
index a899fca698..b164574dc7 100644
Binary files a/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alert-example.png and b/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alert-example.png differ
diff --git a/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alerts.png b/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alerts.png
index f1fbaa0e06..9ba63e3bf1 100644
Binary files a/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alerts.png and b/source/images/getting-started/use-cases/vulnerability-detection/vulnerability-alerts.png differ
diff --git a/source/images/manual/vuln-detector/vuln-alert-fields.png b/source/images/manual/vuln-detector/vuln-alert-fields.png
index f350bfd72e..7c0bbb1ae0 100644
Binary files a/source/images/manual/vuln-detector/vuln-alert-fields.png and b/source/images/manual/vuln-detector/vuln-alert-fields.png differ
diff --git a/source/images/manual/vuln-detector/vuln-detector-workflow-baseline-scan.png b/source/images/manual/vuln-detector/vuln-detector-workflow-baseline-scan.png
deleted file mode 100644
index 6428aea8dd..0000000000
Binary files a/source/images/manual/vuln-detector/vuln-detector-workflow-baseline-scan.png and /dev/null differ
diff --git a/source/images/manual/vuln-detector/vuln-detector-workflow-subsequent-scans.png b/source/images/manual/vuln-detector/vuln-detector-workflow-subsequent-scans.png
deleted file mode 100644
index 24d6203b56..0000000000
Binary files a/source/images/manual/vuln-detector/vuln-detector-workflow-subsequent-scans.png and /dev/null differ
diff --git a/source/images/manual/vuln-detector/vuln-detector-workflow.png b/source/images/manual/vuln-detector/vuln-detector-workflow.png
new file mode 100644
index 0000000000..a79c727ecc
Binary files /dev/null and b/source/images/manual/vuln-detector/vuln-detector-workflow.png differ
diff --git a/source/images/manual/vuln-detector/vuln-inventory01.png b/source/images/manual/vuln-detector/vuln-inventory01.png
index bdd1b55ccc..6e36faab45 100644
Binary files a/source/images/manual/vuln-detector/vuln-inventory01.png and b/source/images/manual/vuln-detector/vuln-inventory01.png differ
diff --git a/source/images/manual/vuln-detector/vuln-inventory02.png b/source/images/manual/vuln-detector/vuln-inventory02.png
index 910085ce2e..769fd32094 100644
Binary files a/source/images/manual/vuln-detector/vuln-inventory02.png and b/source/images/manual/vuln-detector/vuln-inventory02.png differ
diff --git a/source/images/poc/vulnerabilities-ubuntu-alerts.png b/source/images/poc/vulnerabilities-ubuntu-alerts.png
index fc28c525e6..e7859b9a95 100644
Binary files a/source/images/poc/vulnerabilities-ubuntu-alerts.png and b/source/images/poc/vulnerabilities-ubuntu-alerts.png differ
diff --git a/source/proof-of-concept-guide/poc-vulnerability-detection.rst b/source/proof-of-concept-guide/poc-vulnerability-detection.rst
index 07cd30d7ad..3b7a0d52ed 100644
--- a/source/proof-of-concept-guide/poc-vulnerability-detection.rst
+++ b/source/proof-of-concept-guide/poc-vulnerability-detection.rst
@@ -6,7 +6,7 @@
Vulnerability detection
=======================
-Wazuh uses the Vulnerability Detector module to identify vulnerabilities in applications and operating systems running on endpoints.
+Wazuh uses the Vulnerability Detection module to identify vulnerabilities in applications and operating systems running on endpoints.
This use case shows how Wazuh detects unpatched Common Vulnerabilities and Exposures (CVEs) in the monitored endpoint.
@@ -18,104 +18,55 @@ Infrastructure
+---------------+--------------------------------------------------------------------------------------------------------------------------------------------+
| Endpoint | Description |
+===============+============================================================================================================================================+
-| Ubuntu 22.04 | The vulnerability detection module scans this Linux endpoint for vulnerabilities in its operating system and installed applications. |
+| Ubuntu 22.04 | The vulnerability detection module checks for vulnerabilities in the operating system and installed applications in this Linux endpoint. |
+---------------+--------------------------------------------------------------------------------------------------------------------------------------------+
-| Windows 11 | The vulnerability detection module scans this Windows endpoint for vulnerabilities in its operating system and installed applications. |
+| Windows 11 | The vulnerability detection module checks for vulnerabilities in the operating system and installed applications in this Windows endpoint. |
+---------------+--------------------------------------------------------------------------------------------------------------------------------------------+
Configuration
-------------
-Perform the following steps on the Wazuh server to enable the Wazuh Vulnerability Detector module.
+The Vulnerability Detection module is enabled by default. You can perform the following steps on the Wazuh server to ensure that the Wazuh Vulnerability Detection module is enabled.
-#. Enable the Vulnerability Detector module in the ``/var/ossec/etc/ossec.conf`` file on the Wazuh server:
+#. Open the ``/var/ossec/etc/ossec.conf`` file on the Wazuh server. Check the Vulnerability Detection module is enabled:
.. code-block:: xml
- :emphasize-lines: 3, 10, 41, 47
-
-
-
- yes
- 5m
- 6h
- yes
-
-
-
- yes
- trusty
- xenial
- bionic
- focal
- jammy
- 1h
-
-
-
-
- yes
- buster
- bullseye
- bookworm
- 1h
-
-
-
-
- yes
- 5
- 6
- 7
- 8
- 8
- 9
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
-#. Restart the Wazuh manager to apply the configuration changes:
+ :emphasize-lines: 2
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
+
+#. If you made changes to the configuration, restart the Wazuh manager.
.. code-block:: console
$ sudo systemctl restart wazuh-manager
-Test the configuration
-----------------------
-
-You don’t have to perform any action. The Wazuh server creates a CVE database in ``/var/ossec/queue/vulnerabilities/cve.db``. It performs vulnerability detection scans periodically for applications and operating systems on each monitored endpoint.
-
-.. note::
-
- Depending on the user's network, it takes time to download the vulnerability database. And also more time to scan for vulnerable packages on the monitored endpoint.
-
Visualize the alerts
--------------------
-You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability detector module, select an agent and click on any vulnerability.
-
-- Windows
-
- .. thumbnail:: /images/poc/vulnerabilities-windows-alerts.png
- :title: Detected vulnerabilities on Windows alerts
- :align: center
- :width: 80%
-
-- Ubuntu
+You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability Detection module, select Events, and click on any vulnerability to expand the document.
- .. thumbnail:: /images/poc/vulnerabilities-ubuntu-alerts.png
- :title: Detected vulnerabilities on Ubuntu alerts
- :align: center
- :width: 80%
+.. thumbnail:: /images/poc/vulnerabilities-ubuntu-alerts.png
+ :title: Detected vulnerabilities on Ubuntu alerts
+ :align: center
+ :width: 80%
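Review bot: The new ossec.conf excerpt ships the indexer connection with the example values `admin` / `admin` and `https://0.0.0.0:9200`, while the surrounding step only tells the reader to check that the module is enabled, so someone following the PoC may leave default credentials and a placeholder host in a file the Wazuh server reads. The XML tags were lost in this view, so I am inferring from the values alone that these are the indexer username, password and host entries. A short admonition after the code block would close that gap, for example `.. note::` followed by `Replace the example host, username and password with the values configured for your Wazuh indexer during installation; do not keep the default credentials.` Since the file then holds a password, it is also worth saying that its permissions should stay restricted rather than world-readable.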
diff --git a/source/user-manual/capabilities/system-inventory/available-inventory-fields.rst b/source/user-manual/capabilities/system-inventory/available-inventory-fields.rst
index 39d4fcfc69..73cffafa0e 100644
--- a/source/user-manual/capabilities/system-inventory/available-inventory-fields.rst
+++ b/source/user-manual/capabilities/system-inventory/available-inventory-fields.rst
@@ -93,7 +93,7 @@ The ``sys_osinfo`` system table in the inventory database stores information abo
Packages
--------
-The ``sys_programs`` table in the inventory database stores information about the currently installed software on an endpoint. The Vulnerability Detector module uses information from this table to scan and detect vulnerable software. On Linux systems, the Syscollector module retrieves *deb, rpm, pacman, npm, and pypi* packages. The table below describes the fields in the database.
+The ``sys_programs`` table in the inventory database stores information about the currently installed software on an endpoint. The vulnerability detection module uses information from this table to detect vulnerable software. On Linux systems, the Syscollector module retrieves *deb, rpm, pacman, npm, and pypi* packages. The table below describes the fields in the database.
+------------------+-------------------------------------------+-------------------------------------------+----------------------------------------------+
| Field | Description | Example | Available |
@@ -351,7 +351,7 @@ The ``sys_processes`` table in the inventory database stores basic information a
Windows updates
---------------
-The ``sys_hotfixes`` table contains information about the updates installed on Windows endpoints. The Vulnerability Detector module uses the hotfix identifier to discover what vulnerabilities exist on Windows endpoints and the patches you have applied. The table below describes the fields in the ``sys_hotfixes`` table.
+The ``sys_hotfixes`` table contains information about the updates installed on Windows endpoints. The vulnerability detection module uses the hotfix identifier to discover what vulnerabilities exist on Windows endpoints and the patches you have applied. The table below describes the fields in the ``sys_hotfixes`` table.
+------------------+-------------------------------------------+------------------------------------------+-------------------+
| Field | Description | Example | Available |
diff --git a/source/user-manual/capabilities/system-inventory/how-it-works.rst b/source/user-manual/capabilities/system-inventory/how-it-works.rst
index 4d12a2b9fe..44c0089591 100644
--- a/source/user-manual/capabilities/system-inventory/how-it-works.rst
+++ b/source/user-manual/capabilities/system-inventory/how-it-works.rst
@@ -10,7 +10,7 @@ As mentioned above, the Wazuh agent uses the Syscollector module to gather relev
The agent forwards the newly collected data from its local database to the Wazuh server. Each agent uses a separate database on the Wazuh server. The Wazuh server updates the appropriate tables of the inventory database on the Wazuh server using the information the agent sends. For example, the Wazuh server stores hardware-related information in a table called ``sys_hwinfo``.
-The Wazuh dashboard automatically displays the data stored in the inventory database. However, you can query the database using the Wazuh API or the ``SQLite`` tool. In addition, the :doc:`Vulnerability Detector ` module uses :ref:`packages ` and :ref:`Windows updates ` information in the inventory to detect vulnerable and patched software on monitored endpoints.
+The Wazuh dashboard automatically displays the data stored in the inventory database. However, you can query the database using the Wazuh API or the ``SQLite`` tool. In addition, the :doc:`vulnerability detection ` module uses :ref:`packages ` and :ref:`Windows updates ` information in the inventory to detect vulnerable and patched software on monitored endpoints.
diff --git a/source/user-manual/capabilities/vulnerability-detection/allow-os.rst b/source/user-manual/capabilities/vulnerability-detection/allow-os.rst
index 3202d376a2..dae20a5fab 100644
--- a/source/user-manual/capabilities/vulnerability-detection/allow-os.rst
+++ b/source/user-manual/capabilities/vulnerability-detection/allow-os.rst
@@ -1,18 +1,18 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Check out how Scan vulnerabilities on unsupported systems and learn how to use the allow option of the Vulnerability Detector of Wazuh.
+ :description: Check out how Scan vulnerabilities on unsupported systems and learn how to use the allow option of the Vulnerability Detection module of Wazuh.
Scanning unsupported systems
============================
-The Vulnerability Detector module supports :ref:`a comprehensive list ` of operating systems natively. However, the module doesn't have a natively predefined feed for every existing operating system. Operating systems without a predefined feed are unsupported systems. Examples of unsupported operating systems are Linux Mint and Oracle Linux. To scan unsupported operating systems, you must configure the Vulnerability Detector module to use the existing feeds of supported operating systems. You can do this using the ``allow`` option. The ``allow`` option indicates that the module can scan an unsupported operating system with the configured feed.
+Our Cyber Threat Intelligence (CTI) platform supports :ref:`a comprehensive list ` of operating systems for vulnerability detection. Operating systems not in this list are unsupported systems. Examples of unsupported operating systems are Linux Mint and Oracle Linux. To detect vulnerabilities in unsupported operating systems, you must configure the Vulnerability Detection module to use existing vulnerability content documents for supported operating systems. You can do this using the ``allow`` option. The ``allow`` option indicates that the module can detect the vulnerabilities of an unsupported operating system using an alternative source.
This section explains how to extend support for unsupported operating systems.
.. warning::
- This configuration can lead to false positives. The OS vendor of the unsupported operating system handles the package management and security patching independently of the configured feed.
+ This configuration can lead to false positives. The OS vendor of the unsupported operating system handles the package management and security patching independently of the configured source.
Checking the registered name of the operating system
----------------------------------------------------
@@ -68,40 +68,45 @@ The registered name of the operating system on which you have installed the Wazu
Oracle Linux Server|7
- You need the name and major operating system version to configure the Vulnerability Detector.
+ You need the name and major operating system version to configure the Vulnerability Detection module.
-Configuring Vulnerability Detector to include unsupported systems
------------------------------------------------------------------
+Configuring Vulnerability Detection module to include unsupported systems
+-------------------------------------------------------------------------
-Use the format ``OS_name-OS_major`` with the ``allow`` attribute to include the operating system. Add a list of systems separated by commas to include more than one operating system.
+Use the format ``OS_name-OS_major`` with the ``allow`` attribute to include the operating system. For example ``Oracle Linux Server-7``. Add a list of systems separated by commas to include more than one operating system.
-For example, if you want to scan PopOS 18 and Linux Mint 19 using the Ubuntu 18 (Bionic) feed, use:
+For example, if you want to scan PopOS 18 and Linux Mint 19 using the vulnerability content documents for Canonical, add the following setting:
.. code-block:: xml
+ :emphasize-lines: 5
-
- yes
- bionic
- 1h
-
-
-To scan Kali Linux 2023 using the Debian 10 (Buster) vulnerability feed, use:
+
+ yes
+ yes
+ 60m
+ canonical
+
+
+To scan Kali Linux 2023 using the vulnerability content documents for Debian, add the following setting:
.. code-block:: xml
+ :emphasize-lines: 5
-
- yes
- buster
- 1h
-
+
+ yes
+ yes
+ 60m
+ debian
+
-You can also scan other operating systems using the Redhat vulnerability feed. Alternatively, you can use a substring of the operating system extracted from the agent in the second step. For this reason, you see ``Oracle Linux`` instead of ``Oracle Linux Server``.
+You can also detect vulnerabilities in other operating systems using vulnerability content documents for Redhat. Additionally, you can use a substring of the operating system extracted from the agent in the second step. For this reason, you see ``Oracle Linux`` instead of ``Oracle Linux Server`` in the following example.
.. code-block:: xml
+ :emphasize-lines: 5
-
+
yes
- 7
- 1h
- 2010
-
+ yes
+ 60m
+ redhat
+
diff --git a/source/user-manual/capabilities/vulnerability-detection/configuring-scans.rst b/source/user-manual/capabilities/vulnerability-detection/configuring-scans.rst
index 29d68188d1..d8809fe31a 100644
--- a/source/user-manual/capabilities/vulnerability-detection/configuring-scans.rst
+++ b/source/user-manual/capabilities/vulnerability-detection/configuring-scans.rst
@@ -1,188 +1,136 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Learn how to enable the Vulnerability Detector module and set the configuration for running vulnerability scans in this section of the documentation.
-
-Configuring and running scans
-=============================
-
-Running vulnerability scans in Wazuh requires enabling the Vulnerability Detector module and setting the configuration for the scan. The Wazuh server has the Vulnerability Detector module disabled by default when you install it, while the Wazuh agent has Syscollector enabled by default. The following steps show how to configure the vulnerability detection components:
-
-#. Add the following block of settings to your :doc:`shared agent configuration file `. You can find the file at ``/var/ossec/etc/shared/default/agent.conf`` on the Wazuh server. You can also configure these options in each agent ``ossec.conf`` configuration file:
-
- .. code-block:: xml
-
-
- no
- 1h
- yes
- yes
- yes
-
-
-#. Enable the Vulnerability Detector module in the Wazuh server :doc:`configuration file ` at ``/var/ossec/etc/ossec.conf``. Set the value for the ```` tag to ``yes`` for the Vulnerability Detector module and every operating system you intend to scan. We have added a sample below:
-
- .. code-block:: xml
- :emphasize-lines: 2,9,20,28,39,47,59,65,73,79
-
-
- yes
- 5m
- 6h
- yes
-
-
-
- yes
- trusty
- xenial
- bionic
- focal
- jammy
- 1h
-
-
-
-
- yes
- buster
- bullseye
- bookworm
- 1h
-
-
-
-
- yes
- 5
- 6
- 7
- 8
- 9
- 1h
-
-
-
-
- yes
- amazon-linux
- amazon-linux-2
- amazon-linux-2023
- 1h
-
-
-
-
- yes
- 11-server
- 11-desktop
- 12-server
- 12-desktop
- 15-server
- 15-desktop
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
- yes
- 8
- 9
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-#. Restart the manager to apply the changes.
-
- .. include:: /_templates/common/restart_manager.rst
-
-The Vulnerability Detector generates logs in the Wazuh server that trigger alerts. Every alert contains the following fields:
+ :description: Learn how to check the Vulnerability Detection module configuration in this section of the documentation.
+
+Configuring vulnerability detection
+===================================
+
+The Vulnerability Detection module is enabled by default.
+
+The following configuration block shows a configuration example for the Vulnerability Detection module. You can find the Vulnerability Detection settings in the Wazuh server :doc:`configuration file ` at ``/var/ossec/etc/ossec.conf``.
+
+.. code-block:: xml
+
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
+
+The following configuration block shows a configuration example for Syscollector in a Windows endpoint. You can find these settings in the Windows agent :doc:`configuration file ` at ``C:\Program Files (x86)\ossec-agent\ossec.conf``.
+
+ .. code-block:: xml
+
+
+
+ no
+ 1h
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+ yes
+
+
+
+ 10
+
+
+
+The Vulnerability Detection module generates logs in the Wazuh server that trigger alerts. Every alert contains the following fields:
- **CVE**: The Common Vulnerabilities and Exposures identifier for the corresponding vulnerability.
-- **Title**: Short description of the impact of the vulnerability.
-- **Rationale**: Broad description of the vulnerability.
+- **Rule description**: Short description of the impact of the vulnerability.
+- **Description**: Broad description of the vulnerability.
- **Severity**: Impact of the vulnerability in terms of security.
- **Package**: Information about the affected package, including why the package is marked as vulnerable.
-- **Published**: Date when the feed added the vulnerability.
-- **Updated**: Date of the last vulnerability update.
-- **CWE**: The Common Weakness Enumeration reference.
-- **CVSS**: Vulnerability assessment according to the Common Vulnerability Scoring System (versions 2 and 3).
-- **Advisories IDs**: Red Hat security advisories.
-- **References**: URLs with extra information on the vulnerability.
-- **Bugzilla references**: Links to the references of the vulnerability in Bugzilla.
+- **Enumeration**: The enumeration reference.
+- **Classification**: The classification reference.
+- **Reference**: URL with extra information on the vulnerability.
You can see an alert sample below showing the fields with vulnerability data:
.. code-block:: json
-
- "data": {
+ :emphasize-lines: 24, 25, 32-42, 46, 48, 49, 69
+
+ {
+ "_index": "wazuh-alerts-4.x-env-1-2024.01.04",
+ "_id": "5ZzO1IwBJcbqfTZ98NzR",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "cluster": {
+ "node": "worker_01",
+ "name": "wazuh1"
+ },
+ "input": {
+ "type": "log"
+ },
+ "agent": {
+ "ip": "10.0.1.64",
+ "name": "Centos",
+ "id": "003"
+ },
+ "manager": {
+ "name": "wazuh-manager-worker-0"
+ },
+ "data": {
"vulnerability": {
+ "reference": "https://access.redhat.com/security/cve/cve-2022-3775, https://security.gentoo.org/glsa/202311-14",
"severity": "High",
+ "score": {
+ "environmental": "0",
+ "version": "3.1",
+ "temporal": "0",
+ "base": "7.100000"
+ },
+ "cve": "CVE-2022-3775",
"package": {
- "condition": "Package unfixed",
- "name": "rpm-common",
- "source": "rpm",
- "version": "4.14.2.1+dfsg1-1build2",
- "architecture": "amd64"
+ "installed": "2021-06-02T06:06:51.000Z",
+ "path": " ",
+ "size": "9264704",
+ "name": "grub2-tools",
+ "description": "Support tools for GRUB.",
+ "type": "rpm",
+ "version": "1:2.02-99.el8",
+ "architecture": "x86_64"
},
- "references": [
- "https://bugzilla.redhat.com/show_bug.cgi?id=1964114",
- "https://github.com/rpm-software-management/rpm/pull/1919",
- "https://bugzilla.suse.com/show_bug.cgi?id=1157880",
- "https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef22c1aecf3a9c033",
- "https://access.redhat.com/security/cve/CVE-2021-35938",
- "https://rpm.org/wiki/Releases/4.18.0",
- "https://nvd.nist.gov/vuln/detail/CVE-2021-35938",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35938",
- "https://ubuntu.com/security/CVE-2021-35938"
- ],
- "cve_version": "4.0",
- "assigner": "secalert@redhat.com",
- "published": "2022-08-25",
- "cwe_reference": "CWE-59",
- "title": "CVE-2021-35938 affects rpm-common",
- "type": "PACKAGE",
- "rationale": "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
- "cve": "CVE-2021-35938",
- "cvss": {
- "cvss3": {
- "base_score": "7.800000",
- "vector": {
- "user_interaction": "none",
- "integrity_impact": "high",
- "scope": "unchanged",
- "confidentiality_impact": "high",
- "availability": "high",
- "attack_vector": "local",
- "access_complexity": "low",
- "privileges_required": "low"
- }
- }
+ "scanner": {
+ "vendor": "Wazuh"
},
- "updated": "2022-08-31",
+ "description": "When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.",
+ "category": "Packages",
+ "classification": "CVSS",
+ "enumeration": "CVE",
"status": "Active"
+ },
+ "aws": {
+ "accountId": "",
+ "region": ""
}
},
"rule": {
- "firedtimes": 458,
+ "firedtimes": 1752,
"mail": false,
"level": 10,
"pci_dss": [
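Review bot: The indexer example in the new Vulnerability Detection configuration block ships with ``admin`` / ``admin`` credentials and ``https://0.0.0.0:9200`` as the host, and nothing in the surrounding prose marks them as placeholders, so a reader copying the block ends up authenticating to the indexer with a default account whose password sits in cleartext in ``ossec.conf``. Add a sentence after the block such as `Replace the host with your Wazuh indexer address and use a dedicated credential instead of the default admin account; the password is stored in cleartext, so keep the file's permissions restricted.` Separately, the Windows Syscollector ``.. code-block:: xml`` directive appears indented while the paragraph introducing it is flush-left, so docutils will likely render it inside a block quote unlike the first example; align it to column 0. The **Reference** field is described as a single URL, but the sample alert's ``reference`` value holds two comma-separated URLs, so `- **Reference**: One or more comma-separated URLs with extra information on the vulnerability.` would match the sample.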
@@ -193,7 +141,7 @@ You can see an alert sample below showing the fields with vulnerability data:
"CC7.1",
"CC7.2"
],
- "description": "CVE-2021-35938 affects rpm-common",
+ "description": "CVE-2022-3775 affects grub2-tools",
"groups": [
"vulnerability-detector"
],
@@ -202,42 +150,29 @@ You can see an alert sample below showing the fields with vulnerability data:
"IV_35.7.d"
]
},
- "location": "vulnerability-detector",
+ "location": "vulnerability-scanner",
"decoder": {
"name": "json"
},
- "id": "1664242144.7029312",
- "timestamp": "2022-09-27T04:29:04.491+0300"
+ "id": "1704377379.22094196",
+ "timestamp": "2024-01-04T14:09:39.845+0000"
},
"fields": {
- "data.vulnerability.published": [
- "2022-08-25T00:00:00.000Z"
- ],
- "data.vulnerability.updated": [
- "2022-08-31T00:00:00.000Z"
- ],
"timestamp": [
- "2022-09-27T01:29:04.491Z"
+ "2024-01-04T14:09:39.845Z"
]
},
"highlight": {
- "agent.id": [
- "@opensearch-dashboards-highlighted-field@010@/opensearch-dashboards-highlighted-field@"
- ],
- "manager.name": [
- "@opensearch-dashboards-highlighted-field@localhost.localdomain@/opensearch-dashboards-highlighted-field@"
- ],
"rule.groups": [
"@opensearch-dashboards-highlighted-field@vulnerability-detector@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
- 1664242144491
+ 1704377379845
]
}
-
-You can see the inventory of all the vulnerable packages installed for a particular agent by clicking on the **Vulnerability Detection** module on the Wazuh dashboard and selecting the agent.
+You can see the inventory of all the vulnerable packages installed for any agent by clicking on the **Vulnerability Detection** module on the Wazuh dashboard.
.. thumbnail:: /images/manual/vuln-detector/vuln-inventory01.png
:title: Vulnerable packages inventory
diff --git a/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst b/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst
deleted file mode 100644
index 6859cc4ee5..0000000000
--- a/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst
+++ /dev/null
@@ -1,750 +0,0 @@
-.. Copyright (C) 2015, Wazuh, Inc.
-
-.. meta::
- :description: The package inventory of agents is stored in Wazuh DB and used by Vulnerability Detector directly. Learn more about the CPE Helper in this section.
-
-Scanning Windows applications using CPE Helper
-==============================================
-
-The Vulnerability Detector relies on the National Vulnerability Database to report vulnerabilities that affect the applications installed on Windows endpoints. The Vulnerability Detector uses an auxiliary dictionary to translate the gathered application names into the NVD format called `CPE (Common Platform Enumeration) `__.
-
-Users must add the applications installed on Windows endpoints to this dictionary to enable the Vulnerability Detector module to scan the applications.
-
-CPE Helper Schema
------------------
-
-The CPE helper dictionary is located at ``/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json`` and has the following basic fields:
-
-- **version**: The version of the CPE helper.
-- **version_format**: The version of the CPE helper format. If it differs from the CPE helper version, you must :doc:`upgrade the Wazuh central components ` to the latest version to process the dictionary.
-- **update_date**: The date the dictionary was updated.
-- **dictionary**: Dictionary containing the translation entries.
-- **license**: License of the dictionary.
-
-You can see a sample of the dictionary below:
-
-.. code-block:: json
- :class: output
-
- {
- "version": "1.0",
- "version_format": "1.0",
- "update_date": "2019-05-14T00:00Z",
- "dictionary": [
- "..."
- ],
- "license": {
- "title": "Dictionary of CPEs to analyze system vulnerabilities.",
- "copyright": "Copyright (C) 2015-2019, Wazuh Inc.",
- "date": "March 6, 2019.",
- "type" : "GPLv2"
- }
- }
-
-Dictionary schema
------------------
-
-Each dictionary entry has the following fields to describe the application that the user wants to add:
-
-- **target**: Operating system of the application you want to add. Currently, Wazuh only uses the CPE helper dictionary for applications installed on Windows endpoints.
-
-- **source**: Parameters of the application you want to translate. The allowed sections are the following:
-
- - **vendor**: Array of one or more vendor fields that match the dictionary entry. You can use a regular expression. For example, *^Oracle*.
- - **product**: Array of one or more product fields that match the dictionary entry. You can use a regular expression. For example, *^Oracle.*VirtualBox [0-9]*.
- - **version (optional)**: Array of one or more version fields that match the dictionary entry. You can also define a pattern to match the software version using regular expressions. For example *^Microsoft Office.*([0-9]{4})*.
- - **target_hw (optional)**: This field defines the target hardware of the application. It can also be a regular expression. For example, *^Python [0-9]+\\.*[0-9]*\\.*[0-9]* \\(([6432]{2}-bit)\\)*.
- - **update (optional)**: Pattern to extract the ``update`` field. Example: *^Microsoft Exchange Server\\.*Update \\(([0-9]+)\\)*.
-
-- **translation**: Section to specify the CPE translation. The allowed sections are the following:
-
- - **vendor**: Array of one or more *vendor* fields that match the CPE translation of the dictionary entry.
- - **product**: Array of one or more *product* fields that match the CPE translation of the application you want to add to the dictionary.
- - **version (optional)**: Array of one or more *version* fields that match the CPE translation of the application you want to add to the dictionary.
- - **update (optional)**: Array of one or more *update* fields that can form the CPE of the input program. You can also use variables to complete this string. Example: *cumulative_update_$(UPDATE)*.
- - **msu_name (optional)**: This field is for Microsoft products. You can find the name of the application in the `Microsoft Security Guide `_. You can also use variables to complete this string. For example, *Microsoft Office $(VERSION)*.
-
-- **action**: Array of actions to apply on the entry.
-
-You can find a template for a dictionary entry below:
-
-.. code-block:: json
- :class: output
-
- {
- "target": "target OS",
- "source": {
- "vendor": [
- "..."
- ],
- "product": [
- "..."
- ],
- "version": [
- "..."
- ],
- "target_hw": [
- "..."
- ],
- "update": [
- "..."
- ]
- },
- "translation": {
- "vendor": [
- "..."
- ],
- "product": [
- "..."
- ],
- "version": [
- "..."
- ],
- "sw_edition": [
- "..."
- ],
- "update": [
- "..."
- ],
- "msu_name": [
- "..."
- ]
- },
- "action": [
- "..."
- ]
- }
-
-Translation types
------------------
-
-The Vulnerability Detector module converts the dictionary entries to the CPE format based on the flags used in the action section. The possible flags are:
-
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| Option | Description |
-+==========================================+===================================================================================================================================================================================================================================================================+
-| ignore | Ignore the dictionary entry. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_vendor | Convert the vendor to the indicated one if the pattern matches. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_product | Convert the product to the indicated one if the pattern matches. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_vendor_if_matches | Used when there is more than one vendor for a dictionary entry. It uses a vendor that is similar to the one matching the pattern. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_product_if_matches | Used when there is more than one product for a dictionary entry. It uses a product that is similar to the one that matches the pattern. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| set_version_if_matches | Sets the application version to the version extracted from the version field pattern if the pattern matches successfully. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_sw_edition_if_product_matches | Used with the sections ``sw_edition`` and ``version``. It uses the sw_edition field similar to the matching version. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| check_hotfix | Used to indicate those software products where the vulnerability range is unknown, and there is a need to validate a hotfix. These are usually Microsoft products. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_msu_name_if_version_matches | Used with the sections ``msu_name`` and ``version``. It indicates the name taken by the application in the `Microsoft Security Guide `_. You must use it with ``check_hotfix`` and Microsoft products. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| replace_msu_name | Used with ``msu_name``. It indicates the name taken by the program in the `Microsoft Security Guide `_. You must use it with ``check_hotfix`` and Microsoft products. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| set_version_if_product_matches | Sets the software version if the Vulnerability Detector can find the product name using the regular expression expressed in the version section. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| set_targethw_if_product_matches | Sets the software architecture if the Vulnerability Detector can find the product name using the regular expression expressed in the ``target_hw`` section. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| **set_update_if_product_matches** | Sets the update if it can be found in the product name through a regular expression set in the `update` section. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| set_version_only_if_product_matches | Sets the software version if the Vulnerability Detector can find the product name using the regular expression expressed in the version section. The Vulnerability Detector will not generate the CPE if there is no match. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| set_targethw_only_if_product_matches | Sets the software architecture if the Vulnerability Detector can find the product name using the regular expression expressed in the target_hw section. The Vulnerability Detector will not generate the CPE if there is no match. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| **set_update_only_if_product_matches** | Sets the update if it can be found in the product name through a regular expression set in the `update` section. If it does not match, the CPE will not be generated. |
-+------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-
-How to translate a Windows program to CPE format
-------------------------------------------------
-
-To include a Windows program in the CPE helper dictionary, it's necessary to know the vendor, product name, and program version present in the Wazuh software inventory. After this, it's necessary to look for the CPE that is suitable for the program to configure the dictionary entry with the appropriate values.
-
-#. Get the agent programs.
-
- You can get a list of the programs installed on an agent by using the Wazuh API endpoint :api-ref:`GET /syscollector/{agent_id}/packages `:
-
- .. code-block:: console
-
- curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H "Authorization: Bearer $TOKEN"
-
- In this use case, you configure the CPE for Wireshark. The output below is the data returned by Syscollector for an endpoint with Wireshark:
-
- .. code-block:: json
- :class: output
-
- {
- "data": {
- "affected_items": [
- {
- "scan": {"id": 27266015, "time": "2019/05/21 16:25:21"},
- "version": "2.4.5",
- "name": "Wireshark 2.4.5 64-bit",
- "format": "win",
- "vendor": "The Wireshark developer community, https://www.wireshark.org",
- "location": "C:\\Program Files\\Wireshark",
- "architecture": "i686",
- "agent_id": "001",
- }
- ],
- "total_affected_items": 1,
- "total_failed_items": 0,
- "failed_items": [],
- },
- "message": "All specified syscollector information was returned",
- "error": 0,
- }
-
-#. Find the CPE program.
-
- To find the CPE translation of the program, you can use `NVD's CPEs search engine `_.
-
- .. thumbnail:: /images/manual/vuln-detector/cpe-search-wireshark-1.png
- :title: Wireshark CPE search
- :align: center
- :width: 80%
-
- Select the least generic CPE. In this case, take the first one.
-
- .. thumbnail:: /images/manual/vuln-detector/cpe-search-wireshark-2.png
- :title: Wireshark CPE election
- :align: center
- :width: 80%
-
- You're only interested in the *vendor* and *product* fields of this CPE since the version that comes from the agent inventory is valid. You can find out by checking if it follows the same format as the CPEs we found (2.4.5 ~= 0.99.2).
-
- The entry only has to replace a vendor and a product, so we need to use the ``replace_vendor`` and ``replace_product`` actions. Take into account that the source patterns are regular expressions. The table below summarizes the goals you need to achieve using the CPE helper:
-
- +--------------+--------------------------------------------------------------+-------------------------+------------------+------------------+
- | CPE part | Syscollector name | Source pattern | Translation | Action |
- +==============+==============================================================+=========================+==================+==================+
- | Vendor | The Wireshark developer community, https://www.wireshark.org | www\.wireshark\.org | wireshark | replace_vendor |
- +--------------+--------------------------------------------------------------+-------------------------+------------------+------------------+
- | Product name | Wireshark 2.4.5 64-bit | Wireshark | wireshark | replace_product |
- +--------------+--------------------------------------------------------------+-------------------------+------------------+------------------+
-
- Therefore, we can add the following entry to the CPE helper dictionary at ``/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json``:
-
- .. code-block:: json
- :class: output
-
- {
- "target": "windows",
- "source": {
- "vendor": [
- "www\\.wireshark\\.org"
- ],
- "product": [
- "Wireshark"
- ],
- "version": []
- },
- "translation": {
- "vendor": [
- "wireshark"
- ],
- "product": [
- "wireshark"
- ],
- "version": []
- },
- "action": [
- "replace_vendor",
- "replace_product"
- ]
- }
-
-Combine several programs in a dictionary entry
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-An application can have several CPEs associated depending on its vendor, version, or the syntax of its name. This section will explain how to create an entry to include all possible translations of a program collected by Syscollector.
-
-In this guide, we generate dictionary entries for *Skype* and *Skype for Business* as an example.
-
-#. Get the agent programs.
-
- You can get a list of the programs installed on the agent by using the Wazuh API endpoint :api-ref:`GET /syscollector/{agent_id}/packages `:
-
- .. code-block:: console
-
- curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H "Authorization: Bearer $TOKEN"
-
- If you have *Skype* and *Skype for Business* installed, you get the result shown below:
-
- .. code-block:: json
- :class: output
-
- {
- "data": {
- "affected_items": [
- {
- "scan": {"id": 908227078, "time": "2019/05/22 10:05:24"},
- "format": "win",
- "version": "16.0.11425.20244",
- "location": "C:\\Program Files (x86)\\Microsoft Office",
- "name": "Skype for Business Basic 2016 - en-us",
- "vendor": "Microsoft Corporation",
- "architecture": "x86_64",
- "agent_id": "001",
- },
- {
- "scan": {"id": 908227078, "time": "2019/05/22 10:05:24"},
- "format": "win",
- "version": "8.42",
- "install_time": "20190329",
- "location": "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\",
- "name": "Skype version 8.42",
- "vendor": "Skype Technologies S.A.",
- "architecture": "i686",
- "agent_id": "001",
- },
- ],
- "total_affected_items": 2,
- "total_failed_items": 0,
- "failed_items": [],
- },
- "message": "All specified syscollector information was returned",
- "error": 0,
- }
-
-#. Find the CPE program.
-
- To find the CPE translation of the program, use `NVD's CPEs search engine `_.
-
- .. thumbnail:: /images/manual/vuln-detector/cpe-search-skype-1.png
- :title: Skype CPE search
- :align: center
- :width: 80%
-
- There are various combinations of *vendor* and *product* fields for the products in the search results. This use case doesn’t include *Skype for Business Server* in this use case, but users can translate the program using the same techniques described in this section.
-
- .. thumbnail:: /images/manual/vuln-detector/cpe-search-skype-2.png
- :title: Skype CPE election
- :align: center
- :width: 80%
-
- Like the example in the previous section, you're interested in the *vendor* and *product* fields of this CPE. You can find out by checking if it follows the same format as the CPEs we found (8.42 ~= 8.35).
-
- Therefore, you need to add an entry to replace the *vendor* and *product* of the two applications, so use the actions ``replace_vendor_if_match`` and ``replace_product_if_match``. The table below summarizes the goals you need to achieve using the CPE helper:
-
- +-----------------+--------------------------------------------------------------+-------------------------+-----------------------+---------------------------+
- | Generated input | Syscollector name | Source pattern | Translation | Action |
- +=================+==============================================================+=========================+=======================+===========================+
- | Vendor | Microsoft Corporation | ^Microsoft | microsoft | replace_vendor_if_matches |
- | +--------------------------------------------------------------+-------------------------+-----------------------+ |
- | | Skype Technologies S.A. | ^Skype | skype | |
- +-----------------+--------------------------------------------------------------+-------------------------+-----------------------+---------------------------+
- | Product name | Skype for Business Basic 2016 - en-us | ^Microsoft | skype_for_business | replace_product_if_matches|
- | +--------------------------------------------------------------+-------------------------+-----------------------+ |
- | | Skype version 8.42 | ^Skype | skype | |
- +-----------------+--------------------------------------------------------------+-------------------------+-----------------------+---------------------------+
-
- Therefore, you can add the following dictionary entry to the CPE helper dictionary at ``/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json``:
-
- .. code-block:: json
- :class: output
-
- {
- "target": "windows",
- "source": {
- "vendor": [
- "^Skype",
- "^Microsoft"
- ],
- "product": [
- "^Skype for Business",
- "^Skype"
- ],
- "version": []
- },
- "translation": {
- "vendor": [
- "skype",
- "microsoft"
- ],
- "product": [
- "skype_for_business",
- "skype"
- ],
- "version": []
- },
- "action": [
- "replace_vendor_if_matches",
- "replace_product_if_matches"
- ]
- }
-
- .. note ::
-
- The product `Skype for Business Basic 2016 - en-us` matches both ``^Skype for Business`` and ``^Skype`` patterns. However, the Vulnerability Detector uses the first because it sorts the entries by priority from top to bottom.
-
-Products whose version does not change between updates
-------------------------------------------------------
-
-For some software products, generally from Microsoft, users cannot confirm vulnerabilities by consulting the National Vulnerability Database. These products do not change their visible version between updates, so the Vulnerability Detector cannot tell when the products are no longer vulnerable.
-
-For example, if you consult the CVE-2019-0671 vulnerability for Microsoft Office 2016 in the National Vulnerability Database, you find the following:
-
-.. thumbnail:: /images/manual/vuln-detector/nvd-office-2016.png
- :title: Affected software for CVE-2019-0671
- :align: center
- :width: 80%
-
-As seen in the output, the CPEs only specify that the vulnerability affects the 2016 version. This information is not enough because your program may not be affected by the vulnerability if you have applied the patch that fixes it.
-
-In this case, you can check the Microsoft Security Update Guide to verify if *Microsoft Office 2016* fixes the vulnerability in any update.
-
-.. thumbnail:: /images/manual/vuln-detector/msug-office-2016.png
- :title: CVE-2019-0671 in the Microsoft Security Update Guide
- :align: center
- :width: 80%
-
-The Vulnerability Detector can automate this search using the CPE Helper and the ``check_hotfix`` action. To illustrate the process, follow the same procedure as in the previous use cases.
-
-#. Get the agent programs.
-
- You can get a list of the programs installed on the agent by using the Wazuh API endpoint :api-ref:`GET /syscollector/{agent_id}/packages `:
-
- .. code-block:: console
-
- curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H "Authorization: Bearer $TOKEN"
-
- If you have *Microsoft Office 2016* and *Office 16 Click-to-Run* installed, you get results similar to the following:
-
- .. code-block:: json
- :class: output
-
- {
- "data": {
- "affected_items": [
- {
- "scan": {"id": 214307089, "time": "2019/05/22 11:53:07"},
- "vendor": "Microsoft Corporation",
- "name": "Office 16 Click-to-Run Extensibility Component 64-bit Registration",
- "install_time": "20190429",
- "architecture": "x86_64",
- "format": "win",
- "version": "16.0.11425.20244",
- "agent_id": "001",
- },
- {
- "scan": {"id": 214307089, "time": "2019/05/22 11:53:07"},
- "version": "16.0.11425.20244",
- "location": "C:\\Program Files (x86)\\Microsoft Office",
- "vendor": "Microsoft Corporation",
- "architecture": "x86_64",
- "format": "win",
- "name": "Microsoft Office Professional Plus 2016 - en-us",
- "agent_id": "001",
- },
- ],
- "total_affected_items": 2,
- "total_failed_items": 0,
- "failed_items": [],
- },
- "message": "All specified syscollector information was returned",
- "error": 0,
- }
-
-#. Find the CPE program.
-
- Use the information obtained earlier on the CPEs affected by *CVE-2019-0671* to extract the CPEs from the program. From that source, you can see the CPEs that the vulnerability directly affects. These are:
-
- - ``cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*``
- - ``cpe:2.3:a:microsoft:office:2016:*:*:*:click-to-run:*:*:*``
-
- The two target programs only differ in the field *sw_edition* (click-to-run). If the *sw_edition* field was present in this case, you might use the ``replace_sw_edition_if_product_match`` option to add the *sw_edition* field. However, the vulnerabilities in Microsoft Office do not include this parameter.
-
- The package version that Syscollector has (16.0.11425.20244) is not valid for this use case, so we need to extract the version from the product name to create the CPE. To do this, use the ``set_version_only_if_product_matches`` option, which does not generate the CPE if the Vulnerability Detector cannot decode the version.
-
- Finally, indicate the name of these programs in the Microsoft Security Update Guide using their version variable as a reference. To do this, use the ``replace_msu_name`` action and the ``msu_name`` section. To evaluate the hotfixes installed on a Windows computer, include the action ``check_hotfixes``.
-
- +---------------------+----------------------------------------------------------------------+-------------------------------------------------+--------------------------------------+--------------------------------------+
- | Generated input | Syscollector name | Source pattern | Translation | Action |
- +=====================+======================================================================+=================================================+======================================+======================================+
- | Vendor | Microsoft Corporation | ^Microsoft Corporation | microsoft | replace_vendor |
- +---------------------+----------------------------------------------------------------------+-------------------------------------------------+--------------------------------------+--------------------------------------+
- | Product name | Microsoft Office Professional Plus 2016 - en-us | ^Microsoft Office | office | replace_product |
- | +----------------------------------------------------------------------+-------------------------------------------------+ | |
- | | Office 16 Click-to-Run Extensibility Component 64-bit Registration | Office % Click-to-Run Extensibility Component% | | |
- +---------------------+----------------------------------------------------------------------+-------------------------------------------------+--------------------------------------+--------------------------------------+
- | Version | 16.0.11425.20244 | ^Microsoft Office.*([0-9]{4}) | 2016 | set_version_only_if_product_matches |
- +---------------------+----------------------------------------------------------------------+-------------------------------------------------+--------------------------------------+--------------------------------------+
- | MSU name | | Microsoft Office $(VERSION) | Microsoft Office 2016 | replace_msu_name |
- +---------------------+----------------------------------------------------------------------+-------------------------------------------------+--------------------------------------+--------------------------------------+
-
- The resulting dictionary entry, which also includes more versions of Microsoft Office:
-
- .. code-block:: json
- :class: output
-
- {
- "target": "windows",
- "source": {
- "vendor": [
- "^Microsoft Corporation"
- ],
- "product": [
- "^Microsoft Office"
- ],
- "version": [
- "^Microsoft Office.*([0-9]{4})"
- ]
- },
- "translation": {
- "vendor": [
- "microsoft"
- ],
- "product": [
- "office"
- ],
- "version": [],
- "msu_name": [
- "Microsoft Office $(VERSION)"
- ]
- },
- "action": [
- "replace_vendor",
- "replace_product",
- "set_version_only_if_product_matches",
- "replace_msu_name",
- "check_hotfix"
- ]
- }
-
- Alert example using this dictionary entry:
-
- .. code-block:: json
- :class: output
-
- {
- "vulnerability":{
- "cve":"CVE-2019-0671",
- "title":"A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675.",
- "severity":"High",
- "published":"2019-03-05T23:29Z",
- "updated":"2019-03-06T15:53Z",
- "state":"Fixed",
- "cvss":{
- "cvss2":{
- "vector":{
- "attack_vector":"network",
- "access_complexity":"medium ",
- "authentication":"none",
- "integrity_impact":"complete",
- "availability":"complete"
- },
- "base_score":"9.300000"
- },
- "cvss3":{
- "vector":{
- "attack_vector":"local",
- "access_complexity":"low",
- "confidentiality_impact":"low",
- "availability":"high",
- "privileges_required":"none",
- "user_interaction":"required ",
- "scope":"unchanged"
- },
- "base_score":"7.800000"
- }
- },
- "package":{
- "name":"Microsoft Office Professional Plus 2016 - en-us",
- "version":"16.0.11425.20244",
- "generated_cpe":"a:microsoft:office:2016::::::x86_64:",
- "architecture":"x86_64"
- },
- "condition":"4018294 patch is not installed.",
- "cwe_reference":"CWE-119",
- "reference":"http://www.securityfocus.com/bid/106928"
- }
- }
-
-Products with update field
---------------------------
-
-Often, the product version isn't enough to decide if a specific CVE affects a program. In some cases, you also need to consider the `update` component of the CPE name. This section presents a use case for the CVE-2022-23277 vulnerability affecting Microsoft Exchange Server.
-
-If you check the `CVE-2022-23277 vulnerability `__ in the National Vulnerability Database (NVD), you find the following CPEs.
-
-.. thumbnail:: /images/manual/vuln-detector/nvd-exchange-server.png
- :title: Affected software for CVE-2022-23277
- :align: center
- :width: 80%
-
-In the NVD details, the `update` component shows every cumulative update that CVE-2022-23277 affects. For example `cumulative_update_22`.
-
-Besides this knowledge, when assessing vulnerabilities of Microsoft products you must also consider that an external security patch can solve the problem. It's necessary then to find out the `Microsoft Exchange Server patches that fix CVE-2022-23277 `__ in the Microsoft Security Update Guide.
-
-.. thumbnail:: /images/manual/vuln-detector/msug-exchange-server.png
- :title: CVE-2022-23277 in the Microsoft Security Update Guide
- :align: center
- :width: 80%
-
-Thus, similarly to the previous use case, you have to include the ``check_hotfix`` action to automate this search.
-
-Follow the same guide used for the previous use case.
-
-#. Get the agent programs and look for Microsoft Exchange Server.
-
- You can query the programs installed in the agent using the Wazuh API endpoint :api-ref:`GET /syscollector/{agent_id}/packages `.
-
- .. code-block:: console
-
- curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H "Authorization: Bearer $TOKEN"
-
- With the *Microsoft Exchange Server* package installed, you get an output like this:
-
- .. code-block:: json
- :class: output
-
- {
- "data": {
- "affected_items": [
- {
- "scan": {
- "id": 1655979702,
- "time": "2022-05-13T12:15:52+00:00"
- },
- "architecture": "x86_64",
- "location": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\",
- "name": "Microsoft Exchange Server 2016 Cumulative Update 22",
- "format": "win",
- "version": "15.1.2375.7",
- "vendor": "Microsoft Corporation",
- "agent_id": "001"
- },
- ],
- "total_affected_items": 1,
- "total_failed_items": 0,
- "failed_items": [],
- },
- "message": "All specified syscollector information was returned",
- "error": 0,
- }
-
-#. Find the CPE.
-
- Add the ``set_update_if_product_match`` action to include the ``update`` field in the CPE. The vulnerability affects packages for specific cumulative updates as reported in the NVD. The previous information about CPEs for CVE-2022-23277 shows the following CPEs that confirm the product as vulnerable.
-
- - ``cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*``
- - ``cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*`` (The package in the example would match this CPE)
-
- You can see that the two target programs differ in the `update` component (cumulative_update_<#>).
-
- Use the ``set_version_only_if_product_matches`` option. This option doesn't generate the CPE if it can't decode the product version from the name. The `15.1.2375.7` package version that Syscollector extracted in this use case isn't valid. You need to extract the version from the product name to create the CPE.
-
- Also, use the ``replace_msu_name`` action and the ``msu_name`` field to set the name of these programs from the Microsoft Security Update Guide using their version variable as a reference. Include the ``check_hotfixes`` action to check the hotfixes installed on a Windows computer.
-
- +---------------------+------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------------+--------------------------------------+
- | Generated input | Syscollector name | Source pattern | Translation | Action |
- +=====================+======================================================+==================================================================+=====================================================+======================================+
- | Vendor | Microsoft Corporation | ^Microsoft Corporation | microsoft | replace_vendor |
- +---------------------+------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------------+--------------------------------------+
- | Product name | Microsoft Exchange Server 2016 Cumulative Update 22 | ^Microsoft Exchange Server | exchange_server | replace_product |
- +---------------------+------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------------+--------------------------------------+
- | Version | 15.1.2375.7 | ^Microsoft Exchange Server ([0-9]{4}) | 2016 | set_version_only_if_product_matches |
- +---------------------+------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------------+--------------------------------------+
- | Update | | ^Microsoft Exchange Server.*Update ([0-9]+) | cumulative_update_$(UPDATE) = cumulative_update_22 | set_update_if_product_matches |
- +---------------------+------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------------+--------------------------------------+
- | MSU name | | Microsoft Exchange Server $(VERSION) Cumulative Update $(UPDATE) | Microsoft Exchange Server 2016 Cumulative Update 22 | replace_msu_name |
- +---------------------+------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------------+--------------------------------------+
-
- Here you have the CPE helper entry needed to detect vulnerabilities of the *Microsoft Exchange Server* program:
-
- .. code-block:: json
- :class: output
-
- {
- "target": "windows",
- "source": {
- "vendor": [
- "^Microsoft Corporation"
- ],
- "product": [
- "^Microsoft Exchange Server"
- ],
- "version": [
- "^Microsoft Exchange Server ([0-9]{4})"
- ],
- "update":[
- "^Microsoft Exchange Server.*Update ([0-9]+)"
- ]
- },
- "translation": {
- "vendor": [
- "microsoft"
- ],
- "product": [
- "exchange_server"
- ],
- "version": [],
- "update":[
- "cumulative_update_$(UPDATE)"
- ],
- "msu_name": [
- "Microsoft Exchange Server $(VERSION) Cumulative Update $(UPDATE)"
- ]
- },
- "action": [
- "replace_vendor",
- "replace_product",
- "set_version_if_product_matches",
- "set_update_if_product_matches",
- "replace_msu_name",
- "check_hotfix"
- ]
- }
-
- Once applied the entry in the CPE helper and the scanner detects it, the module reports the vulnerabilities:
-
- .. code-block:: json
- :class: output
-
- {
- "vulnerability":{
- "package":{
- "name":"Microsoft Exchange Server 2016 Cumulative Update 22",
- "version":"15.1.2375.7","architecture":"x64",
- "condition":"KB5012698 patch is not installed"
- },
- "cvss":{
- "cvss2":{
- "vector":{
- "attack_vector":"network",
- "access_complexity":"low",
- "authentication":"single",
- "confidentiality_impact":"partial",
- "integrity_impact":"partial",
- "availability":"partial"
- },
- "base_score":"6.500000"
- },
- "cvss3":{
- "vector":{
- "attack_vector":"network",
- "access_complexity":"low",
- "privileges_required":"low",
- "user_interaction":"none",
- "scope":"unchanged",
- "confidentiality_impact":"high",
- "integrity_impact":"high",
- "availability":"high"
- },
- "base_score":"8.800000"
- }
- },
- "cve":"CVE-2022-23277",
- "title":"CVE-2022-23277 affects Microsoft Exchange Server 2016 Cumulative Update 22",
- "rationale":"Microsoft Exchange Server Remote Code Execution Vulnerability.",
- "severity":"High","published":"2022-03-09","updated":"2022-03-14",
- "cwe_reference":"NVD-CWE-noinfo",
- "status":"Active",
- "type":"PACKAGE",
- "references":["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23277","https://nvd.nist.gov/vuln/detail/CVE-2022-23277"],
- "assigner":"secure@microsoft.com",
- "cve_version":"4.0"
- }
- }
diff --git a/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst b/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst
index fd85615a06..9309e3334c 100644
--- a/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst
+++ b/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst
@@ -6,144 +6,54 @@
How it works
============
-To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Also, the Wazuh server builds a global :doc:`vulnerability database ` from publicly available CVE repositories. It uses this database to cross-correlate this information with the application inventory data of the agent:
+To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint. These documents are Common Vulnerabilities and Exposures (CVE) records that are available in our Cyber Threat Intelligence (CTI) platform.
-#. Start SQLite and open the vulnerability database using the following command.
+On the CTI platform, we aggregate vulnerability data from diverse sources like operating system vendors and vulnerability databases, consolidating it into a unified, reliable repository. The process involves standardizing the varied formats into a common structure using the CVE JSON 5 format.
- .. code-block:: console
+We maintain the integrity of our vulnerability data by doing the following additional tasks.
- # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
+- Rectifying format inconsistencies like version errors and typos.
+- Completing missing information.
+- Incorporating new cybersecurity vulnerabilities.
-#. List the tables in the database using the following command.
+Subsequently, we merge this content, uploading the compiled documents to a cloud server. And finally, we publish these documents to our CTI API.
- .. code-block:: sqlite3
+To update the vulnerabilities information on the Wazuh server, the vulnerability detection module queries the CTI API or an offline local repository. It obtains new documents and any resulting difference with old ones. Then the module publishes new content to a channel notifying subscribers.
- sqlite> .tables
+Subscribers scan the software inventory of the endpoints using the latest available vulnerabilities information. The detection process looks for vulnerable packages in the inventory databases. These inventories are unique to each agent.
-#. Retrieve the data in a table by running the following command.
+A package is labeled as vulnerable when its version matches those within the affected range of a CVE. Alerts show the results, and the module stores the findings in a per-agent vulnerability inventory. This inventory contains the current state of every agent and includes vulnerabilities that have been detected and not resolved. Users can :doc:`query the inventory ` to check for alerts and vulnerability information.
- .. code-block:: sqlite3
-
- sqlite> select * from ;
-
-.. warning::
-
- Don’t make changes to the database. It can lead to issues when the Vulnerability Detector is running a scan.
-
-The Wazuh server automatically creates the global vulnerability database with data from the following repositories:
-
-- https://canonical.com: Used to pull CVEs for Ubuntu Linux distributions.
-- https://www.redhat.com: Used to pull CVEs for Red Hat and CentOS Linux distributions.
-- https://www.debian.org: Used to pull CVEs for Debian Linux distributions.
-- https://security.archlinux.org: Used to pull CVEs for Arch Linux distributions.
-- https://nvd.nist.gov: Used to pull CVEs from the National Vulnerability Database.
-- https://feed.wazuh.com: Used to pull Microsoft Security Updates (MSU) and ALAS feeds. The feeds contain CVE and patch information for Microsoft products and Amazon Linux. They use the `Microsoft Update Catalog `__ and the `Amazon Linux Security Center `__ as sources of information. Wazuh parses and formats the data before uploading them to the Wazuh feed.
-
-Wazuh updates this database on a regular basis, ensuring the solution checks for the latest CVEs. You can configure the update interval.
-
-Once the Vulnerability Detector module has created the global vulnerability database containing the CVEs, the detection process looks for vulnerable packages in the inventory databases. These inventories are unique to each agent. A package is labeled as vulnerable when its version matches those within the affected range of a CVE. Alerts show the results, and the module stores the findings in a per-agent vulnerability inventory. This inventory contains the current state of every agent and includes vulnerabilities that have been detected and not resolved. Users can :doc:`query the inventory ` to check for alerts and vulnerability information.
-
-For Microsoft Windows systems and specific Microsoft products, the Vulnerability Detector has the ``hotfixes`` option in the syscollector settings on the Wazuh agent. Using this option enables the module to detect packages that the user has patched. When the Vulnerability Detector detects a patch, it uses the information provided by Microsoft to decide if the patch has resolved the CVEs. Then, it removes them from the list of vulnerabilities.
+For Microsoft Windows systems and specific Microsoft products, the Vulnerability Detection module has the ``hotfixes`` option in the syscollector settings on the Wazuh agent. Using this option enables the module to detect packages that the user has patched. When the Vulnerability Detection module detects a patch, it uses the information provided by Microsoft to decide if the patch has resolved the CVEs. Then, it removes them from the list of vulnerabilities.
Alert generation
----------------
-The Vulnerability Detector generates alerts during the baseline scan for every detected vulnerability. You can see this workflow in the diagram below.
-
-.. thumbnail:: /images/manual/vuln-detector/vuln-detector-workflow-baseline-scan.png
- :title: Vulnerability detector workflow: Baseline scan
- :alt: Vulnerability detector workflow: Baseline scan
- :align: center
- :width: 80%
-
-The Vulnerability Detector also generates alerts when it detects new vulnerabilities or when users fix identified vulnerabilities.
+The Vulnerability Detection module generates alerts when it detects new vulnerabilities or when users fix identified vulnerabilities. You can see this workflow in the diagram below.
-.. thumbnail:: /images/manual/vuln-detector/vuln-detector-workflow-subsequent-scans.png
- :title: Vulnerability detector workflow: Subsequent scans
- :alt: Vulnerability detector workflow: Subsequent scans
- :align: center
- :width: 80%
+.. thumbnail:: /images/manual/vuln-detector/vuln-detector-workflow.png
+ :title: Vulnerability detection workflow
+ :alt: Vulnerability detection workflow
+ :align: center
+ :width: 80%
.. _vuln_det_compatibility_matrix:
Compatibility matrix
--------------------
-The following table shows the operating systems the Vulnerability Detector currently supports and the provider(s) needed for each distribution.
-
-+---------------+------------------------+-----------------------------------+
-| Distribution | Versions | Provider |
-+===============+========================+===================================+
-| | 5 | |
-| +------------------------+ |
-| CentOS | 6 | |
-| +------------------------+ |
-| | 7 | - Red Hat |
-| +------------------------+ - National Vulnerability Database |
-| | 8 | |
-| +------------------------+ |
-| | 9 | |
-+---------------+------------------------+-----------------------------------+
-| | 5 | |
-| +------------------------+ |
-| | 6 | |
-| +------------------------+ |
-| Red Hat | 7 | - Red Hat |
-| +------------------------+ - National Vulnerability Database |
-| | 8 | |
-| +------------------------+ |
-| | 9 | |
-+---------------+------------------------+-----------------------------------+
-| | trusty / 14 | |
-| +------------------------+ |
-| Ubuntu | xenial / 16 | |
-| +------------------------+ - Canonical |
-| | bionic / 18 | - National Vulnerability Database |
-| +------------------------+ |
-| | focal / 20 | |
-| +------------------------+ |
-| | jammy / 22 | |
-+---------------+------------------------+-----------------------------------+
-| Debian | buster / 10 | |
-| +------------------------+ - Debian |
-| | bullseye / 11 | - National Vulnerability Database |
-| +------------------------+ |
-| | bookworm / 12 | |
-+---------------+------------------------+-----------------------------------+
-| | Amazon Linux 1 | - ALAS |
-| Amazon Linux +------------------------+ - National Vulnerability Database |
-| | Amazon Linux 2 | |
-| +------------------------+ |
-| | Amazon Linux 2023 | |
-+---------------+------------------------+-----------------------------------+
-| | | |
-| Arch Linux | Rolling release | - Arch |
-| | | - National Vulnerability Database |
-+---------------+------------------------+-----------------------------------+
-| | SLES 11 server | |
-| +------------------------+ |
-| | SLED 11 desktop | - SUSE |
-| +------------------------+ - National Vulnerability Database |
-| | SLES 12 server | |
-| SUSE +------------------------+ |
-| | SLED 12 desktop | |
-| +------------------------+ |
-| | SLES 15 server | |
-| +------------------------+ |
-| | SLED 15 desktop | |
-+---------------+------------------------+-----------------------------------+
-| | AlmaLinux 8 | - AlmaLinux |
-| AlmaLinux +------------------------+ - National Vulnerability Database |
-| | AlmaLinux 9 | |
-+---------------+------------------------+-----------------------------------+
-| | | |
-| Windows | Windows XP and later | - National Vulnerability Database |
-| | | - MSU |
-+---------------+------------------------+-----------------------------------+
-| | | |
-| macOS | macOS Sierra and later | - National Vulnerability Database |
-| | | |
-+---------------+------------------------+-----------------------------------+
+The following list shows the operating systems the CTI platform currently supports for vulnerability detection.
+
+- CentOS 5, 6, 7, 8, 9.
+- Red Hat 5, 6, 7, 8, 9.
+- Ubuntu 14 trusty, 16 xenial, 18 bionic, 20 focal, 22 jammy.
+- Debian 10 buster, 11 bullseye, 12 bookworm.
+- Amazon Linux 1, Amazon Linux 2, Amazon Linux 2023.
+- Arch Linux Rolling release.
+- SLES 11 server, SLED 11 desktop, SLES 12 server, SLED 12 desktop, SLES 15 server, SLED 15 desktop.
+- AlmaLinux 8, 9.
+- Windows XP and later.
+- macOS Sierra and later.
.. note::
diff --git a/source/user-manual/capabilities/vulnerability-detection/index.rst b/source/user-manual/capabilities/vulnerability-detection/index.rst
index 12da215fb3..abdf6a9e71 100644
--- a/source/user-manual/capabilities/vulnerability-detection/index.rst
+++ b/source/user-manual/capabilities/vulnerability-detection/index.rst
@@ -1,14 +1,19 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: The Vulnerability Detector module detects vulnerabilities in applications installed on the endpoints. Learn more about this capability in this section.
+ :description: The Vulnerability Detection module detects vulnerabilities in applications installed on the endpoints. Learn more about this capability in this section.
Vulnerability detection
=======================
Vulnerabilities are security flaws in computer systems that threat actors can exploit to gain unauthorized access to these systems. After exploitation, malware and threat actors may be able to perform remote code execution, exfiltrate data, and carry out other malicious activities. Therefore, organizations must have strategies or security solutions that promptly detect vulnerabilities in their network before bad actors exploit them. Prompt detection and remediation of vulnerabilities in a network help to strengthen its overall security posture.
-The Wazuh Vulnerability Detector module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using Wazuh native integration with external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD).
+The Wazuh Vulnerability Detection module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using one of the following vulnerability sources.
+
+- Wazuh vulnerabilities repository in our Cyber Threat Intelligence (CTI) platform.
+- Offline local vulnerabilities repository.
+
+ We aggregate vulnerability data from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD) to provide vulnerability information. We keep this information updated ensuring the solution checks for the latest CVEs.
.. topic:: Contents
@@ -16,9 +21,6 @@ The Wazuh Vulnerability Detector module helps users discover vulnerabilities in
:maxdepth: 2
how-it-works
- scan-types
configuring-scans
allow-os
- cpe-helper
offline-update
- querying-the-vulnerability-database
diff --git a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst
index 62c2dea4a8..7f810f6a4a 100644
--- a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst
+++ b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst
@@ -1,549 +1,47 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Learn more about how to perform the offline update of the Wazuh Vulnerability Detector in this section of our documentation.
+ :description: Learn more about how to perform the offline update of the Wazuh Vulnerability Detection module in this section of our documentation.
Offline Update
==============
-If the Wazuh server isn't directly connected to the Internet, it's still possible to keep the vulnerability feeds updated. You can fetch the database files from your local environment or network. The steps include downloading the specific vulnerability files and configuring the Wazuh server to locate them. You can find feeds in a custom location compressed in `gz` or `bzip2` or decompressed in `XML` or `JSON`, depending on the original format of the feed. The configuration examples in this section are all set in the Wazuh server ``/var/ossec/etc/ossec.conf`` file.
+If the Wazuh server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.
-Canonical
----------
+Downloading the Wazuh vulnerabilities file
+------------------------------------------
-To perform an offline update of the Canonical feeds, you must download the corresponding OVAL files.
+We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable file containing the CVE documents. To retrieve the link to download this compressed file and output its date, run a command to query the API as follows.
-+------------+---------------------------------------------------------------------------------------------------------------------------+
-| OS | Files |
-+============+===========================================================================================================================+
-| Jammy | `com.ubuntu.jammy.cve.oval.xml.bz2 `__ |
-+------------+---------------------------------------------------------------------------------------------------------------------------+
-| Focal | `com.ubuntu.focal.cve.oval.xml.bz2 `__ |
-+------------+---------------------------------------------------------------------------------------------------------------------------+
-| Bionic | `com.ubuntu.bionic.cve.oval.xml.bz2 `__ |
-+------------+---------------------------------------------------------------------------------------------------------------------------+
-| Xenial | `com.ubuntu.xenial.cve.oval.xml.bz2 `__ |
-+------------+---------------------------------------------------------------------------------------------------------------------------+
-| Trusty | `com.ubuntu.trusty.cve.oval.xml.bz2 `__ |
-+------------+---------------------------------------------------------------------------------------------------------------------------+
+.. code-block:: console
-To fetch the vulnerability feeds from a user-defined repository, the configuration must be similar to the following.
+ $ response=$(curl -s -X GET |CTI_URL|)
+ $ echo "$response" | jq -r '.data.last_snapshot_link'
+ $ echo "$response" | jq -r '.data.last_snapshot_at'
-.. code-block:: xml
+.. code-block:: none
+ :class: output
-
- yes
- focal
- bionic
- xenial
- trusty
- 1h
-
+ https://s3.us-east-1.amazonaws.com/cti-snapshots-pro/store/contexts/vd_1.0.0/consumers/vd_4.8.0/276948_1702552338.zip
+ 2023-12-14T11:12:18.241777Z
-Alternatively, you can load the feeds from a local path. To achieve it, use the ``path`` attribute as this example shows.
+Configure offline vulnerability detection
+-----------------------------------------
-.. code-block:: xml
+To use the Vulnerability Detection module offline, follow these steps.
-
- yes
- focal
- bionic
- xenial
- trusty
- 1h
-
+#. Edit the Wazuh server ``/var/ossec/etc/ossec.conf`` file. Add the offline repository file path in the vulnerability detection block. This configures the Wazuh server to locate it.
-Debian
-------
+ .. code-block:: xml
+ :emphasize-lines: 5
+
+
+ yes
+ yes
+ 60m
+ file:///var/path/to/the/cves.file.zip
+
-Currently, the module fetches the Debian vulnerabilities from two different sources.
+#. Restart the Wazuh manager.
-- OVAL file for each supported Debian version.
-- JSON feed with global information about the affected packages for each distribution.
-
-.. note::
-
- Both sources are necessary for the proper functioning of the scanner. Below are the steps to configure each source for the offline update.
-
-Debian OVAL feed
-^^^^^^^^^^^^^^^^
-
-To perform an offline update of Debian OVAL feeds, you must download the appropriate files.
-
-+------------+---------------------------------------------------------------------------------------------------------------+
-| OS | Files |
-+============+===============================================================================================================+
-| Buster | `oval-definitions-buster.xml.bz2 `_ |
-+------------+---------------------------------------------------------------------------------------------------------------+
-| Bullseye | `oval-definitions-bullseye.xml.bz2 `_ |
-+------------+---------------------------------------------------------------------------------------------------------------+
-| Bookworm | `oval-definitions-bookworm.xml.bz2 `_ |
-+------------+---------------------------------------------------------------------------------------------------------------+
-
-To update the vulnerability feed from a user-defined repository, use a configuration similar to the following.
-
-.. code-block:: xml
-
-
- yes
- buster
- bullseye
- bookworm
- 1h
-
-
-To use a local feed file, add the ``path`` attribute accompanying the ``os`` option as follows.
-
-.. code-block:: xml
-
-
- yes
- buster
- bullseye
- bookworm
- 1h
-
-
-Debian Security Tracker JSON feed
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To perform an offline update, you must download the corresponding file.
-
-+------------+--------------------------------------------------------------------------------------------+
-| OS | Files |
-+============+============================================================================================+
-| ALL | `Debian Security Tracker JSON `_ |
-+------------+--------------------------------------------------------------------------------------------+
-
-To update the vulnerability feeds from a user-defined repository, use a configuration similar to the following.
-
-.. code-block:: xml
-
-
- yes
- http://local_repo/security_tracker_local.json
- 1h
-
-
-To use a local feed file, use the ``path`` attribute.
-
-.. code-block:: xml
-
-
- yes
- /local_path/security_tracker_local.json
- 1h
-
-
-Red Hat
--------
-
-The Vulnerability Detector module currently fetches the Red Hat vulnerabilities from two different sources. Each supported Red Hat version has:
-
-- OVAL file
-- JSON feed
-
-These sources have global information about the affected packages for each distribution.
-
-.. note::
-
- Both sources are necessary for the proper functioning of the scanner. Below is the procedure to configure each source for an offline update.
-
-RedHat OVAL feeds
-^^^^^^^^^^^^^^^^^
-
-To do an offline update of the RedHat OVAL feeds, you must download the corresponding files.
-
-+------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| OS | Files |
-+============+==========================================================================================================================================+
-| 5 | `com.redhat.rhsa-RHEL5.xml.bz2 `_ |
-+------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| 6 | `rhel-6-including-unpatched.oval.xml.bz2 `__ |
-+------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| 7 | `rhel-7-including-unpatched.oval.xml.bz2 `__ |
-+------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| 8 | `rhel-8-including-unpatched.oval.xml.bz2 `__ |
-+------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| 9 | `rhel-9-including-unpatched.oval.xml.bz2 `__ |
-+------------+------------------------------------------------------------------------------------------------------------------------------------------+
-
-To fetch the vulnerability feeds from a user-defined repository, use a configuration similar to the following.
-
-.. code-block:: xml
-
-
- yes
- 5
- 6
- 7
- 8
- 9
- 1h
-
-
-Alternatively, the feeds can be loaded from a local path. To achieve this, use the ``path`` attribute as this example shows.
-
-.. code-block:: xml
-
-
- yes
- 5
- 6
- 7
- 8
- 9
- 1h
-
-
-Red Hat Security Data JSON feed
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To perform an offline update, you must make requests to Redhat's API to get the feed pages starting from a specified date. Wazuh provides an `update script `__ that automates the process of downloading the feed and checking for API downtime. The script downloads all the CVE data since the year 1999 by default. We recommend you use the default starting year to maintain a more comprehensive vulnerability database.
-
-How to use the update script
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-#. Create a directory for the feeds.
-
- .. code-block:: console
-
- # mkdir /local_path/rh-feed
-
-#. Run the script indicating the target path.
-
- .. code-block:: console
-
- # ./rh-generator.sh /local_path/rh-feed
-
- The script might output an error message like the following.
-
- .. code-block:: console
- :class: output
-
- Page download failed (504), retrying...
-
- The error message indicates that the Red Hat servers may be temporarily unavailable to you. Regardless, the script keeps trying to finish the download until it acquires the full feed.
-
-Finally, the feed is in a succession of numbered files whose names follow the format ``redhat-feed.json``. To update locally, you must set the path of those files with a regular expression such as the following.
-
-.. code-block:: xml
-
-
- yes
- /local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$
- 1h
-
-
-If you want to upload these files to a local server, they must follow the same numeric sequence that the script downloaded them in. To indicate the numerical range, you must indicate their position with the ``[-]`` tag helped by the ``start`` and ``end`` attributes. For example, use the following configuration if the previous script returned 15 files.
-
-.. code-block:: xml
-
-
- yes
- http://local_repo/rh-feed/redhat-feed[-].json
- 1h
-
-
-Arch
-----
-
-To perform an offline update of the Arch feed, download the corresponding JSON file.
-
-+------------+--------------------------------------------------------------------------------------------+
-| OS | Files |
-+============+============================================================================================+
-| Rolling | `all.json `_ |
-+------------+--------------------------------------------------------------------------------------------+
-
-To fetch the vulnerability feed from a user-defined repository; configure your Wazuh server in a similar way as shown in this example.
-
-.. code-block:: xml
-
-
- yes
- http://local_repo/security.archlinux.org/issues/all.json
- 1h
-
-
-Alternatively, you can load the feeds from a local path, and you must set it with a POSIX regular expression as shown in this example.
-
-.. code-block:: xml
-
-
- yes
- /local_path/all\.json$
- 1h
-
-
-ALAS
-----
-
-The module currently fetches vulnerability feeds for Amazon Linux systems from the Wazuh repository as ALAS feeds. To perform an offline update of these feeds, you must download them from the corresponding Wazuh repository.
-
-+-------------------+------------------------------------------------------------------------------------------------+
-| OS | Files |
-+===================+================================================================================================+
-| Amazon Linux | `alas.json.gz `_ |
-+-------------------+------------------------------------------------------------------------------------------------+
-| Amazon Linux 2 | `alas2.json.gz `_ |
-+-------------------+------------------------------------------------------------------------------------------------+
-| Amazon Linux 2022 | `alas2022.json.gz `_ |
-+-------------------+------------------------------------------------------------------------------------------------+
-| Amazon Linux 2023 | `alas2023.json.gz `_ |
-+-------------------+------------------------------------------------------------------------------------------------+
-
-Then, place them accordingly in the custom location.
-
-.. code-block:: xml
-
-
- yes
- amazon-linux
- amazon-linux-2
- amazon-linux-2022
- amazon-linux-2023
- 1h
-
-
-Alternatively, you can load the feeds from a local path with the ``path`` attribute, as shown in this example.
-
-.. code-block:: xml
-
-
- yes
- amazon-linux
- amazon-linux-2
- amazon-linux-2022
- amazon-linux-2023
- 1h
-
-
-SUSE
-----
-
-Currently, the SUSE Linux vulnerabilities are fetched from one OVAL file for each supported SUSE Linux version.
-
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-| OS | Files |
-+================+======================================================================================================================================+
-| SLES 11 | `suse.linux.enterprise.server.11.xml.gz `_ |
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-| SLED 11 | `suse.linux.enterprise.desktop.11.xml.gz `_ |
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-| SLES 12 | `suse.linux.enterprise.server.12.xml.gz `_ |
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-| SLED 12 | `suse.linux.enterprise.desktop.12.xml.gz `_ |
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-| SLES 15 | `suse.linux.enterprise.server.15.xml.gz `_ |
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-| SLED 15 | `suse.linux.enterprise.desktop.15.xml.gz `_ |
-+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
-
-Feeds can be fetched from a custom repository using the `url` attribute for each supported OS, as shown in this example:
-
-.. code-block:: xml
-
-
- yes
- 11-server
- 11-desktop
- 12-server
- 12-desktop
- 15-server
- 15-desktop
- 1h
-
-
-Alternatively, they also can be loaded from a local path as follows:
-
-.. code-block:: xml
-
-
- yes
- 11-server
- 11-desktop
- 12-server
- 12-desktop
- 15-server
- 15-desktop
- 1h
-
-
-AlmaLinux
----------
-
-Currently, the module fetches AlmaLinux vulnerabilities from one OVAL file for each supported AlmaLinux version.
-
-+-------------------+------------------------------------------------------------------------------------------------+
-| OS | Files |
-+===================+================================================================================================+
-| AlmaLinux 8 | `org.almalinux.alsa-8.xml `_ |
-+-------------------+------------------------------------------------------------------------------------------------+
-| AlmaLinux 9 | `org.almalinux.alsa-9.xml `_ |
-+-------------------+------------------------------------------------------------------------------------------------+
-
-To fetch feeds from a custom repository you can use the ``url`` attribute for each supported OS, as shown in this example:
-
-.. code-block:: xml
-
-
- yes
- 8
- 9
- 1h
-
-
-Alternatively, you can load the feeds from a local path with the ``path`` attribute, as shown in this example.
-
-.. code-block:: xml
-
-
- yes
- 8
- 9
- 1h
-
-
-National Vulnerability Database
--------------------------------
-
-To perform an offline update of the National Vulnerability Database, you must get the feed from `complete_nvd_feed.json.gz `__ (`sha256 `__) and place it in a user-defined repository.
-
-.. code-block:: xml
-
-
- yes
- http://local_repo/complete_nvd_feed.json.gz
- 1h
-
-
-To update locally, set the path of the downloaded files using a POSIX regular expression, for example:
-
-.. code-block:: xml
-
-
- yes
- /local_path/nvd-feed/complete_nvd_feed\.json\.gz$
- 1h
-
-
-MSU
----
-
-To perform an offline update of the MSU, you must get the feed from `msu-updates.json.gz `__ (`sha256 `__) and place it in a user-defined repository.
-
-.. code-block:: xml
-
-
- yes
- http://local_repo/msu-updates.json.gz
- 1h
-
-
-To update locally, set the path of the downloaded files using a POSIX regular expression, for example:
-
-.. code-block:: xml
-
-
- yes
- /local_path/msu-updates\.json\.gz$
- 1h
-
-
-Sample Configuration
---------------------
-
-.. code-block:: xml
-
-
-
- yes
- 5m
- 6h
- yes
-
-
-
- yes
- jammy
- focal
- bionic
- xenial
- trusty
- 1h
-
-
-
-
- yes
- buster
- bullseye
- bookworm
- /local_path/security_tracker_local.json
- 1h
-
-
-
-
- yes
- 5
- 6
- 7
- 8
- 9
- /local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$
- 1h
-
-
-
-
- yes
- /local_path/all\.json$
- 1h
-
-
-
-
- yes
- 11-server
- 11-desktop
- 12-server
- 12-desktop
- 15-server
- 15-desktop
- 1h
-
-
-
-
- yes
- amazon-linux
- amazon-linux-2
- amazon-linux-2023
- 1h
-
-
-
-
- yes
- 8
- 9
- 1h
-
-
-
-
- yes
- /local_path/msu-updates\.json\.gz$
- 1h
-
-
-
-
- yes
- /local_path/nvd-feed/complete_nvd_feed\.json\.gz$
- 1h
-
-
-
+ .. include:: /_templates/installations/manager/restart_wazuh_manager.rst
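Review bot: The new offline procedure has no integrity step between downloading the snapshot and pointing the configuration at it: the query extracts only `last_snapshot_link` and `last_snapshot_at`, and the rewrite drops the checksum links the previous version of this page provided for the NVD and MSU feeds. If the CTI API response carries a checksum or signature field for the snapshot, add a step that prints it and verifies the downloaded zip against it before placing the file at the `file://` path; if it does not, state that explicitly so readers do not assume the archive is verified. The acronym is expanded as "Cyber Threat Vulnerability Intelligence (CTI)" here but as "Cyber Threat Intelligence (CTI)" in the index page changed in this same commit; use one expansion. The sentence "run a command to query the API as follows" introduces three commands; `run the following commands to query the API` would match the block.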
diff --git a/source/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst b/source/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst
deleted file mode 100644
index 2aa38335fe..0000000000
--- a/source/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst
+++ /dev/null
@@ -1,127 +0,0 @@
-.. Copyright (C) 2015, Wazuh, Inc.
-
-.. meta::
- :description: You can find the vulnerability database on the Wazuh server and query it using SQLite. Learn more about it in this section of our documentation.
-
-Querying the vulnerability database
-===================================
-
-You can find the vulnerability database at ``/var/ossec/queue/vulnerabilities/cve.db`` on the Wazuh server and query it using ``SQLite``. ``SQLite`` provides an interface that you can use to interact with SQL databases.
-
-Perform the following steps to query the vulnerability database using SQLite.
-
-#. Start ``SQLite`` and open the vulnerability database using the following command:
-
- .. code-block:: console
-
- # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
-
-#. List the tables in the database using the following command:
-
- .. code-block:: sqlite3
-
- sqlite> .tables
-
-#. Retrieve all the data in a table by running the following command:
-
- .. code-block:: sqlite3
-
- sqlite> SELECT * from ;
-
-Replace ```` with the name of the table you are interested in.
-
-.. Warning::
- Don’t make changes to the database. It can lead to issues when the Vulnerability Detector module is running a scan.
-
-Use Case: Find all KBs that patch a specified CVE for Windows endpoints
------------------------------------------------------------------------
-
-In this example, you will see how to find all Windows Knowledge Base (KB) updates that patch a specific vulnerability on Windows endpoints from the vulnerability database. You can achieve this using ``SQLite`` on the Wazuh server.
-
-#. Start ``SQLite`` and open the vulnerability database using the following command:
-
- .. code-block:: console
-
- # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
-
-#. Run ``.mode line`` in the SQLite prompt to configure the SQLite output format.
-
-#. Run the following command to view all the details of the chosen CVE and operating system:
-
- .. code-block:: sqlite3
-
- sqlite> SELECT * FROM msu WHERE cveid = "" AND PRODUCT LIKE "%%";
-
- Where:
-
- - ```` is a string from the operating system name. It displays result for only the specified operating system.
- - ```` is the identifier for the CVE.
-
- You can see an example below:
-
- .. code-block:: sqlite3
-
- sqlite> SELECT * FROM msu WHERE cveid = "CVE-2023-21524" AND PRODUCT LIKE "%Server 2022%";
-
- .. code-block:: none
- :class: output
- :emphasize-lines: 3,12
-
- CVEID = CVE-2023-21524
- PRODUCT = Windows Server 2022 (Server Core installation)
- PATCH = 5022291
- TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
- URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
- SUBTYPE = Security Update
- RESTART_REQUIRED = Yes
- CHECK_TYPE = 1
-
- CVEID = CVE-2023-21524
- PRODUCT = Windows Server 2022
- PATCH = 5022291
- TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
- URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
- SUBTYPE = Security Update
- RESTART_REQUIRED = Yes
- CHECK_TYPE = 1
-
-#. Run the command below to list all the KBs that patch ``KB5022291`` replaces. This will be a list of patches that are no longer necessary to install once a user installs ``KB5022291``.
-
- .. code-block:: sqlite3
-
- sqlite> SELECT patch FROM msu_supersedence WHERE super = "5022291";
-
- .. code-block:: console
- :class: output
-
- PATCH = 5010796
-
- PATCH = 5022291
-
- PATCH = 5022553
-
- PATCH = 5021656
-
- PATCH = 5021249
-
- PATCH = 5020436
-
- PATCH = 5020032
- ...
-
-#. Run the command below to get a list of all the patches that replaced ``KB5022291``. This list contains all the patches that resolve the same vulnerabilities as ``KB5022291`` when installed.
-
- .. code-block:: sqlite3
-
- sqlite> SELECT super FROM msu_supersedence WHERE patch = "5022291";
-
- .. code-block:: none
- :class: output
-
- SUPER = 5022291
- SUPER = 5022842
- SUPER = 5023705
- SUPER = 5025230
- SUPER = 5026370
-
-
diff --git a/source/user-manual/capabilities/vulnerability-detection/scan-types.rst b/source/user-manual/capabilities/vulnerability-detection/scan-types.rst
deleted file mode 100644
index 9fa3087cde..0000000000
--- a/source/user-manual/capabilities/vulnerability-detection/scan-types.rst
+++ /dev/null
@@ -1,22 +0,0 @@
-.. Copyright (C) 2015, Wazuh, Inc.
-
-.. meta::
- :description: Wazuh vulnerability detector has three different scan types. Learn more about it in this section of the documentation.
-
-Scan types
-==========
-
-Wazuh has three different types of scans.
-
-- **Baseline**: The Vulnerability Detector triggers this scan type the first time you enable the module. The Vulnerability Detector performs a full scan of the operating system and every package installed. It creates a CVE inventory and generates an alert for each vulnerability.
-- **Full scan**: The Vulnerability Detector scans every installed package and operating system in this scan type. It runs only when the configured ``min_full_scan_interval`` expires and when the CVEs database contains new information. As a result, Wazuh generates alerts when there is any update/change in the vulnerability inventory.
-- **Partial scan**: The Vulnerability Detector only scans new packages. As a result, Wazuh generates alerts when there is any update/change in the CVE inventory.
-
-A few considerations arise from this behavior:
-
-- The :ref:`min_full_scan_interval ` setting protects the manager performance by not running Full scans too often, especially when the manager receives many updates to the vulnerabilities feeds.
-- Every vulnerability in the agent vulnerabilities inventory is in three different states:
-
- - **VALID**: Indicates that the vulnerability is still present in the system.
- - **PENDING**: A Full scan is in progress, and the vulnerability needs to be confirmed.
- - **OBSOLETE**: Indicates that the vulnerability is no longer present in the system. The Vulnerability Detector generates removal alerts when any vulnerability enters this state.
diff --git a/source/user-manual/reference/internal-options.rst b/source/user-manual/reference/internal-options.rst
index 183f173811..c5f98dac25 100644
--- a/source/user-manual/reference/internal-options.rst
+++ b/source/user-manual/reference/internal-options.rst
@@ -991,6 +991,23 @@ Security Configuration Assessment
| | Allowed values | Any integer between 1 and 300. |
+-----------------------------------+----------------+------------------------------------------------------------------------------------------------------------------+
+Vulnerability Detection
+-----------------------
+
++----------------------------------------------------+----------------+----------------------------------------------------------------------------------+
+| **vulnerability-detection.translation_lru_size** | Description | LRU cache size assigned for package translation process (in number of elements). |
++ +----------------+----------------------------------------------------------------------------------+
+| | Default value | 2048 |
++ +----------------+----------------------------------------------------------------------------------+
+| | Allowed values | Any integer between 1 and 100000 |
++----------------------------------------------------+----------------+----------------------------------------------------------------------------------+
+| **vulnerability-detection.osdata_lru_size** | Description | LRU cache size assigned for agents' OS data (in number of elements). |
++ +----------------+----------------------------------------------------------------------------------+
+| | Default value | 1000 |
++ +----------------+----------------------------------------------------------------------------------+
+| | Allowed values | Any integer between 1 and 100000 |
++----------------------------------------------------+----------------+----------------------------------------------------------------------------------+
+
Wazuh
-----
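Review bot: The "Allowed values" cells of the two new rows end without a period (`Any integer between 1 and 100000`) while the adjacent SCA row in the same table style ends with `Any integer between 1 and 300.`; make the punctuation consistent. The description of `vulnerability-detection.translation_lru_size` says "package translation process" without saying what is translated; if that term is defined elsewhere in the manual, a `:ref:` to it would help, otherwise a short clause such as `(mapping of package names to their vulnerability-feed identifiers)` should be added only if that is what the cache holds.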
diff --git a/source/user-manual/reference/ossec-conf/index.rst b/source/user-manual/reference/ossec-conf/index.rst
index a231f61510..f96cec8469 100644
--- a/source/user-manual/reference/ossec-conf/index.rst
+++ b/source/user-manual/reference/ossec-conf/index.rst
@@ -59,6 +59,8 @@ Wazuh can be installed in two ways: as a manager by using the "server/manager" i
+---------------------------------------------------------------------+------------------------+
| :doc:`github ` | manager, agent |
+---------------------------------------------------------------------+------------------------+
+| :doc:`indexer ` | manager |
++---------------------------------------------------------------------+------------------------+
| :doc:`integration ` | manager |
+---------------------------------------------------------------------+------------------------+
| :doc:`labels ` | manager, agent |
@@ -91,7 +93,7 @@ Wazuh can be installed in two ways: as a manager by using the "server/manager" i
+---------------------------------------------------------------------+------------------------+
| :doc:`task-manager ` | manager |
+---------------------------------------------------------------------+------------------------+
-| :doc:`vulnerability-detector ` | manager |
+| :doc:`vulnerability-detection ` | manager |
+---------------------------------------------------------------------+------------------------+
| :doc:`wazuh_db ` | manager |
+---------------------------------------------------------------------+------------------------+
@@ -139,6 +141,7 @@ All of the above sections must be located within the top-level ```
email-alerts
global
github-module
+ indexer
integration
labels
localfile
@@ -158,12 +161,12 @@ All of the above sections must be located within the top-level ```
fluent-forward
gcp-pubsub
gcp-bucket
+ vuln-detector
wodle-openscap
wodle-command
wodle-ciscat
wodle-s3
wodle-syscollector
- vuln-detector
wazuh-db-config
wodle-osquery
wodle-docker
diff --git a/source/user-manual/reference/ossec-conf/indexer.rst b/source/user-manual/reference/ossec-conf/indexer.rst
new file mode 100644
index 0000000000..c4fa303e02
--- /dev/null
+++ b/source/user-manual/reference/ossec-conf/indexer.rst
@@ -0,0 +1,137 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+ :description:
+
+indexer
+=======
+
+.. topic:: XML section name
+
+ .. code-block:: xml
+
+
+
+
+Configure these options to forward inventory data to the Wazuh indexer.
+
+Options
+-------
+
+.. contents::
+ :local:
+ :depth: 1
+ :backlinks: none
+
+enabled
+^^^^^^^
+
+Enables forwarding inventory data to the Wazuh indexer.
+
++--------------------+-----------------------------+
+| **Default** | ``yes`` |
++--------------------+-----------------------------+
+| **Allowed values** | ``yes``, ``no`` |
++--------------------+-----------------------------+
+
+hosts
+^^^^^
+
+Wazuh indexer nodes to connect to. Use the ``host`` option for setting up each node connection.
+
+host
+~~~~
+
+Wazuh indexer node URL or IP address to connect to. For example, ``http://172.16.1.11`` or ``192.168.3.2:9230``.
+
++--------------------+-----------------------------+
+| **Default** | ``https://0.0.0.0:9200`` |
++--------------------+-----------------------------+
+| **Allowed values** | Any valid URL or IP address |
++--------------------+-----------------------------+
+
+username
+^^^^^^^^
+
+Specify the username to connect to the Wazuh indexer.
+
++--------------------+-----------------------------+
+| **Default** | ``admin`` |
++--------------------+-----------------------------+
+| **Allowed values** | Any valid username |
++--------------------+-----------------------------+
+
+password
+^^^^^^^^
+
+Specify the password to connect to the Wazuh indexer.
+
++--------------------+-----------------------------+
+| **Default** | ``admin`` |
++--------------------+-----------------------------+
+| **Allowed values** | Any valid password |
++--------------------+-----------------------------+
+
+ssl
+^^^
+
+Configuration options for the SSL parameters.
+
+certificate_authorities
+~~~~~~~~~~~~~~~~~~~~~~~
+
+List of root certificate file paths for verification. Use the ``ca`` option for setting up each CA certificate file path.
+
+ca
+''
+
+CA certificate file path.
+
++--------------------+--------------------------------------+
+| **Default value** | ``/etc/filebeat/certs/root-ca.pem`` |
++--------------------+--------------------------------------+
+| **Allowed values** | Any valid file path |
++--------------------+--------------------------------------+
+
+certificate
+~~~~~~~~~~~
+
+The end-entity (leaf) certificate.
+
++--------------------+------------------------------------------------+
+| **Default value** | ``/etc/filebeat/certs/filebeat.pem`` |
++--------------------+------------------------------------------------+
+| **Allowed values** | Any valid file path |
++--------------------+------------------------------------------------+
+
+key
+~~~
+
+The certificate key used for authentication.
+
++--------------------+----------------------------------------------+
+| **Default value** | ``/etc/filebeat/certs/filebeat-key.pem`` |
++--------------------+----------------------------------------------+
+| **Allowed values** | Any valid file path |
++--------------------+----------------------------------------------+
+
+Configuration example
+---------------------
+
+.. code-block:: xml
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+
\ No newline at end of file
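Review bot: The `:description:` meta field on the fourth line is left empty, so the page ships with no search or preview description; fill it in the style of the sibling pages, e.g. `:description: Learn more about the indexer options that forward inventory data to the Wazuh indexer in this section of our documentation.` The `password` option documents `admin` as the default with no guidance, and the configuration example shows the value written in clear text in the configuration file; add a sentence after the description such as `Change the default credentials after deployment; this value is stored in clear text in the configuration file.` The `host` default `https://0.0.0.0:9200` is an unspecified address rather than a reachable node, so if that is really the shipped default, say that users are expected to replace it. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.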
diff --git a/source/user-manual/reference/ossec-conf/vuln-detector.rst b/source/user-manual/reference/ossec-conf/vuln-detector.rst
index e619832db3..fae380e639 100644
--- a/source/user-manual/reference/ossec-conf/vuln-detector.rst
+++ b/source/user-manual/reference/ossec-conf/vuln-detector.rst
@@ -1,12 +1,10 @@
.. Copyright (C) 2015, Wazuh, Inc.
.. meta::
- :description: Learn more about the available options and how to configure the Vulnerability Detector module of Wazuh in this section of our documentation.
+ :description: Learn more about the available options and how to configure the vulnerability detection module of Wazuh in this section of our documentation.
-.. _vuln_detector:
-
-vulnerability-detector
-======================
+vulnerability-detection
+=======================
This section covers the configuration for the :doc:`/user-manual/capabilities/vulnerability-detection/index` module.
@@ -14,379 +12,103 @@ This section covers the configuration for the :doc:`/user-manual/capabilities/vu
.. code-block:: xml
-
-
+
+
Options
-------
-- `enabled`_
-- `interval`_
-- `run_on_start`_
-- `min_full_scan_interval`_
-- `retry_interval`_
-- `provider`_
-
-+---------------------------+-----------------------------+
-| Options | Allowed values |
-+===========================+=============================+
-| `enabled`_ | yes, no |
-+---------------------------+-----------------------------+
-| `interval`_ | A positive number (seconds) |
-+---------------------------+-----------------------------+
-| `run_on_start`_ | yes, no |
-+---------------------------+-----------------------------+
-| `min_full_scan_interval`_ | A positive number (seconds) |
-+---------------------------+-----------------------------+
-| `retry_interval`_ | A positive number (seconds) |
-+---------------------------+-----------------------------+
-| `provider`_ | A valid vulnerability vendor|
-+---------------------------+-----------------------------+
-
+.. contents::
+ :local:
+ :depth: 1
+ :backlinks: none
+
++---------------------------+------------------------------------+
+| Options | Allowed values |
++===========================+====================================+
+| `enabled`_ | ``yes``, ``no`` |
++---------------------------+------------------------------------+
+| `feed-update-interval`_ | Positive number + Time unit suffix |
++---------------------------+------------------------------------+
+| `index-status`_ | ``yes``, ``no`` |
++---------------------------+------------------------------------+
enabled
-^^^^^^^^
+^^^^^^^
-Enables the module.
+Enables the vulnerability detection module.
+--------------------+-----------------------------+
-| **Default value** | no |
+| **Default** | ``yes`` |
+--------------------+-----------------------------+
-| **Allowed values** | yes, no |
+| **Allowed values** | ``yes``, ``no`` |
+--------------------+-----------------------------+
-.. _vuln_det_interval:
+feed-update-interval
+^^^^^^^^^^^^^^^^^^^^
-interval
-^^^^^^^^
-
-Time between vulnerabilities scans.
+Time interval for periodic feed updates.
-+--------------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| **Default value** | 5m |
-+--------------------+------------------------------------------------------------------------------------------------------------------------------------------+
-| **Allowed values** | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
-+--------------------+------------------------------------------------------------------------------------------------------------------------------------------+
++--------------------+------------------------------------------------------------------------------------------------------+
+| **Default** | ``60m`` |
++--------------------+------------------------------------------------------------------------------------------------------+
+| **Allowed values** | A positive number containing a time unit suffix character. For example ``2h`` for 2 hours |
++--------------------+------------------------------------------------------------------------------------------------------+
-.. _vuln_det_run_on_start:
-
-run_on_start
+index-status
^^^^^^^^^^^^
-Runs updates and vulnerabilities scans immediately when the service is started.
+Enables indexing of vulnerability inventory data.
-+----------------------+-----------+
-| **Default value** | yes |
-+----------------------+-----------+
-| **Allowed values** | yes, no |
-+----------------------+-----------+
-
-.. _vuln_det_min_full_scan_interval:
++--------------------+-----------------------------+
+| **Default** | ``yes`` |
++--------------------+-----------------------------+
+| **Allowed values** | ``yes``, ``no`` |
++--------------------+-----------------------------+
-min_full_scan_interval
-^^^^^^^^^^^^^^^^^^^^^^^
+interval
+^^^^^^^^
-The time during which a full scan will not be performed even if the database of vulnerabilities is updated. When this time expires, a :doc:`full scan ` will be performed only if the CVEs database has changed.
+.. deprecated:: 4.8.0
-+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
-| **Default value** | 6 hours |
-+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
-| **Allowed values** | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
-+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
+run_on_start
+^^^^^^^^^^^^
-.. _retry_interval:
+.. deprecated:: 4.8.0
retry_interval
^^^^^^^^^^^^^^
-The time to wait after a scan is completed to retry the agents that had a problem being scanned.
-
-+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
-| **Default value** | 30 seconds |
-+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
-| **Allowed values** | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours), or d (days). |
-+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
+.. deprecated:: 4.8.0
provider
^^^^^^^^
-.. note:: The NVD provider must always be enabled since it aggregates vulnerabilities for all the OS supported. Otherwise, the scanner will not work properly.
-
-Configuration block to specify vulnerability updates.
-
-+--------------------+---------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | Defines a vulnerability information provider. |
-| | +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | canonical |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | debian |
-| | | | |
-| **Allowed tags** | name | **Allowed values** +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | redhat |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | arch |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | alas |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | msu |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | suse |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | almalinux |
-| | | | |
-| | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | |
-| | | | nvd |
-| | | | |
-+--------------------+---------------------------+--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| **Allowed values** | | Enables the vulnerability provider update. |
-| | enabled +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | **Default value** | no |
-| | +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | **Allowed values** | yes, no |
-| +---------------------------+--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | Feed to update. |
-| | os +--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | **provider** | **feed** |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | trusty / 14 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | xenial / 16 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | canonical | bionic / 18 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | focal / 20 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | jammy / 22 |
-| | | **Allowed values** +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | buster / 10 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | debian | bullseye / 11 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | bookworm / 12 |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | amazon-linux / 1 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | alas | amazon-linux-2 / 2 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | amazon-linux-2022 / 2022 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | amazon-linux-2023 / 2023 |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 5 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 6 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | redhat | 7 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 8 |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 9 |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 11-server |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 11-desktop |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 12-server |
-| | | | suse +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 12-desktop |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 15-server |
-| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 15-desktop |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 8 |
-| | | | almalinux +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | 9 |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | arch | ``Does not use this option.`` |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | msu | ``Does not use this option.`` |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | nvd | ``Does not use this option.`` |
-| | +--------------------+--------------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | **Allowed tags** | | How often the vulnerability database is updated. It has priority over the `update_interval` option of the provider block. |
-| | | | +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | update_interval | **Default value** | The value indicated by the `update_interval` option of the provider block. |
-| | | | +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
-| | | +---------------------+--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines the link to an alternative OVAL or ALAS files. |
-| | | | url +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | Link to the feed to be downloaded. See :doc:`offline update<../../capabilities/vulnerability-detection/offline-update>` for more information. |
-| | | +---------------------+--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines the path to an alternative OVAL or ALAS file. |
-| | | | path +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | Path where the feed is located. See :doc:`offline update<../../capabilities/vulnerability-detection/offline-update>` for more information. |
-| | | +---------------------+--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines the connection port when using the ``url`` attribute. |
-| | | | port +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | A valid port. |
-| | | +---------------------+--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines compatibility with unsupported systems. |
-| | | | allow +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | A valid operating system not supported by default. You can find a guide on how to set it up :doc:`here<../../capabilities/vulnerability-detection/allow-os>`. |
-| +---------------------------+--------------------+---------------------+--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | How often the vulnerabilities of the provider are updated. It can be overwritten by the attribute with the same name of ````. |
-| | +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | update_interval | **Default value** | 1 hour. |
-| | +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | **Allowed values** | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
-| +---------------------------+--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | Download timeout in seconds. |
-| | +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | download_timeout | **Default value** | 300 |
-| | +--------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | **Allowed values** | A positive number to indicate the timeout in seconds. |
-| +---------------------------+--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | Defines the link to an alternative feed files. |
-| | +--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | **provider** | **value** |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | redhat | Parameterized link to download the feed files obtained from `Red Hat Security Data API `_. You can find a guide on how to set it up :doc:`here<../../capabilities/vulnerability-detection/offline-update>`. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | url | **Allowed values** | nvd | Parameterized link to download the feed files obtained from `National Vulnerability Database `_. You can find a guide on how to set it up :doc:`here<../../capabilities/vulnerability-detection/offline-update>`. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | arch | Parameterized link to download the feed file obtained from `Arch Security `_. You can find a guide on how to set it up :doc:`here<../../capabilities/vulnerability-detection/offline-update>`. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | msu | Parameterized link to download the feed file obtained from `Wazuh feed `_. You can find a guide on how to set it up :doc:`here<../../capabilities/vulnerability-detection/offline-update>`. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | debian | Parameterized link to download the feed files obtained from `Debian Security Tracker `_. You can find a guide on how to set it up :doc:`here<../../capabilities/vulnerability-detection/offline-update>`. |
-| | +--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines the first value which the tag will be substituted. |
-| | | | start +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | A numeric value that in substitution with the tag forms a valid link. |
-| | | **Allowed tags** +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines the last value for which the tag will be substituted. |
-| | | | end +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | A numeric value that in substitution with the tag forms a valid link. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | Defines the connection port. |
-| | | | port +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | | **Allowed values** | A valid port. |
-| +---------------------------+--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | Defines the path to an alternative feed file. |
-| | +--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | **provider** | **value** |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | redhat | Path with regular expression that matches the feed files obtained from `Red Hat Security Data API `_. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | path | **Allowed values** | nvd | Path with regular expression that matches the feed files obtained from `National Vulnerability Database `_. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | arch | Path with regular expression that matches the feed file obtained from `Arch Security `_. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | msu | Path with regular expression that matches the feed file obtained from `Wazuh feed `_. |
-| | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| | | | debian | Path with regular expression that matches the feed files obtained from `Debian Security Tracker `_. |
-+--------------------+---------------------------+--------------------+--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+.. deprecated:: 4.8.0
Example of configuration
------------------------
-The following configuration updates the vulnerability database for Ubuntu, Debian, Red Hat, Amazon Linux, Arch, and Microsoft Windows.
-
.. code-block:: xml
-
- yes
- 5m
- 6h
- yes
-
-
-
- yes
- trusty
- xenial
- bionic
- focal
- jammy
- 1h
-
-
-
-
- yes
- buster
- bullseye
- bookworm
- 1h
-
-
-
-
- yes
- 5
- 6
- 7
- 8
- 9
- 1h
-
-
-
-
- yes
- amazon-linux
- amazon-linux-2
- amazon-linux-2022
- amazon-linux-2023
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
- yes
- 11-server
- 11-desktop
- 12-server
- 12-desktop
- 15-server
- 15-desktop
- 1h
-
-
-
-
- yes
- 8
- 9
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
- yes
- 1h
-
-
-
-
-
-.. note:: See the :doc:`Vulnerability detector section<../../capabilities/vulnerability-detection/index>` to obtain more information about this module.
+
+ yes
+ yes
+ 60m
+
+
+
+ yes
+
+ https://0.0.0.0:9200
+
+ admin
+ admin
+
+
+ /etc/filebeat/certs/root-ca.pem
+
+ /etc/filebeat/certs/filebeat.pem
+ /etc/filebeat/certs/filebeat-key.pem
+
+