Adapt vulnerability detector docs to the new module refactor

source/_static/js/redirects.js

@@ -64,10 +64,40 @@ removedUrls['x.y'] = [
 
 /* *** RELEASE 4.8 ****/
 
+/* Pages added in 4.8 */
+
 newUrls['4.8'] = [
   '/release-notes/release-4-8-0.html',
 ];
 
+/* Pages no longer available in 4.8 */
+
+removedUrls['4.8'] = [
+  '/user-manual/capabilities/vulnerability-detection/cpe-helper.html',
+  '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html',
+  '/user-manual/capabilities/vulnerability-detection/scan-types.html',
+];
+
+/* Redirections from 4.7 to 4.8  */
+
+redirections.push(
+  {
+    'target': ['4.7=>4.8'],
+    '4.7': '/user-manual/capabilities/vulnerability-detection/cpe-helper.html',
+    '4.8': '/user-manual/capabilities/vulnerability-detection/index.html',
+  },
+  {
+    'target': ['4.7=>4.8'],
+    '4.7': '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html',
+    '4.8': '/user-manual/capabilities/vulnerability-detection/index.html',
+  },
+  {
+    'target': ['4.7=>4.8'],
+    '4.7': '/user-manual/capabilities/vulnerability-detection/scan-types.html',
+    '4.8': '/user-manual/capabilities/vulnerability-detection/index.html',
+  },
+);
+
 /* *** RELEASE 4.7 ****/
 
 /* Pages added in 4.7 */

source/_variables/replacements.py

@@ -33,6 +33,8 @@
     "|DEB_AGENT_URL|" : "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent",
     "|DEB_MANAGER_URL|" : "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-manager/wazuh-manager",
     #
+    "|CTI_URL|" : "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0",
+    #
     # === Global and Wazuh version (wazuh agent, manager, indexer, and dashboard)
     "|WAZUH_CURRENT_MAJOR|" : "4.x",
     "|WAZUH_CURRENT_MINOR|" : version,

source/compliance/hipaa/vulnerability-detection.rst

@@ -1,57 +1,67 @@
 .. Copyright (C) 2015, Wazuh, Inc.
 
 .. meta::
-  :description: The Vulnerability Detector module helps in meeting HIPAA compliance. Learn more about it in this section of the Wazuh documentation.
+  :description: The Vulnerability Detection module helps in meeting HIPAA compliance. Learn more about it in this section of the Wazuh documentation.
 
 Vulnerability detection
 =======================
 
-Wazuh detects vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detector module. It performs a software audit by building a global vulnerability database from vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. Wazuh cross-correlates these feeds with data from the endpoint application inventory. 
+Wazuh detects vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detection module. It performs a software audit by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.
 
-The Vulnerability Detector module helps to implement the following HIPAA section:
+The Vulnerability Detection module helps to implement the following HIPAA section:
 
 - **Security Management Process §164.308(a)(1) - Risk Analysis**: *“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”*
 
    This section of the HIPAA standard requires identifying risks and vulnerabilities affecting systems containing healthcare information.
 
-   The Wazuh Vulnerability Detector module assists in meeting aspects of this HIPAA section. The Vulnerability Detector module scans an endpoint for vulnerable applications/packages and missing OS updates. Refer to the :doc:`vulnerability detection </user-manual/capabilities/vulnerability-detection/index>` section of our documentation for more details on configuring vulnerability scans.
+   The Wazuh Vulnerability Detection module assists in meeting aspects of this HIPAA section. The Vulnerability Detection module checks for vulnerable applications/packages and missing OS updates in an endpoint. Refer to the :doc:`vulnerability detection </user-manual/capabilities/vulnerability-detection/index>` section of our documentation for more details on configuring vulnerability detection.
 
 Use case: Detect vulnerabilities
 --------------------------------
 
-In this use case, you configure Wazuh to detect vulnerabilities on an Ubuntu 20.04 endpoint (bionic) with the following steps:
-
-#. Modify the highlighted lines in the Wazuh server configuration file (``/var/ossec/etc/ossec.conf``) using a text editor. This enables vulnerability detection for the specific OS version (in this case Ubuntu bionic):
-
-      .. code-block:: console
-        :emphasize-lines: 2,6
-
-         <vulnerability-detector>
-            <enabled>yes</enabled>
-            <interval>5m</interval>
-            <run_on_start>yes</run_on_start>
-            <provider name="canonical">
-               <enabled>yes</enabled>
-               <os>bionic</os>
-               <update_interval>1h</update_interval>
-            </provider>
-         </vulnerability-detector>
-
-
-#. Restart the Wazuh server to apply the changes:
+In this use case, you configure Wazuh to detect vulnerabilities on a Debian endpoint with the following steps:
+
+#. Edit the Wazuh server configuration file ``/var/ossec/etc/ossec.conf``. Make sure the module is enabled.
+
+   .. code-block:: xml
+      :emphasize-lines: 2
+
+      <vulnerability-detection>
+        <enabled>yes</enabled>
+        <index-status>yes</index-status>
+        <feed-update-interval>60m</feed-update-interval>
+      </vulnerability-detection>
+
+      <indexer>
+        <enabled>yes</enabled>
+        <hosts>
+          <host>https://0.0.0.0:9200</host>
+        </hosts>
+        <username>admin</username>
+        <password>admin</password>
+        <ssl>
+          <certificate_authorities>
+            <ca>/etc/filebeat/certs/root-ca.pem</ca>
+          </certificate_authorities>
+          <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
+          <key>/etc/filebeat/certs/filebeat-key.pem</key>
+        </ssl>
+      </indexer>
+
+#. If you made changes, restart the Wazuh manager to apply them.
 
       .. include:: /_templates/common/restart_manager.rst
 
-   The Vulnerability Detector module runs scans on startup when ``run_on_start`` is enabled or periodically (defined by interval). After the scan, you can view the results on the Wazuh dashboard, which includes information about vulnerable packages on the monitored endpoint. In this case, the vim software installed on the endpoint has vulnerabilities. You can also see the date and time of the most recent vulnerability scan.
+You can view the results on the Wazuh dashboard, which includes information about vulnerable packages on the monitored endpoint. In this case, the vim software installed on the endpoint has vulnerabilities.
 
-   .. thumbnail:: /images/compliance/hipaa/06-vulnerability-detection.png    
-      :title: In this case, the vim software installed on the endpoint has vulnerabilities 
-      :align: center
-      :width: 80%
+.. thumbnail:: /images/compliance/hipaa/06-vulnerability-detection.png
+   :title: In this case, the vim software installed on the endpoint has vulnerabilities
+   :align: center
+   :width: 80%
 
-   When you select any of the vulnerabilities, the dashboard shows an overview of the issues detected and their status on the agent.
+When you select any of the vulnerabilities, the dashboard shows an overview of the issues detected.
 
-   .. thumbnail:: /images/compliance/hipaa/07-vulnerability-detection.png    
-      :title: The dashboard shows an overview of the issues detected and their status on the agent 
-      :align: center
-      :width: 80%
+.. thumbnail:: /images/compliance/hipaa/07-vulnerability-detection.png
+   :title: The dashboard shows an overview of the issues detected and their status on the agent
+   :align: center
+   :width: 80%

source/compliance/nist/vulnerability-detection.rst

@@ -1,29 +1,27 @@
 .. Copyright (C) 2015, Wazuh, Inc.
 
 .. meta::
-  :description: The Wazuh Vulnerability Detector module performs a software audit of monitored endpoints. Learn more about it in this section of the documentation.
+  :description: The Wazuh Vulnerability Detection module performs a software audit of monitored endpoints. Learn more about it in this section of the documentation.
 
 Vulnerability detection
 =======================
 
-The Wazuh Vulnerability Detector module performs a software audit. It identifies vulnerabilities in the operating system and installed applications in monitored endpoints. The module builds a global vulnerability database from vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, ALAS (Amazon Linux Advisories Security), Microsoft, and the National Vulnerability Database. Then it cross-correlates these feeds with data from the endpoint application inventory. 
+The Wazuh Vulnerability Detection module performs a software audit. It identifies vulnerabilities in the operating system and installed applications in monitored endpoints. The module queries our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.
 
-The :doc:`Vulnerability Detector </user-manual/capabilities/vulnerability-detection/index>` module helps to implement the following NIST 800-53 controls:
+The :doc:`Vulnerability Detection </user-manual/capabilities/vulnerability-detection/index>` module helps to implement the following NIST 800-53 controls:
 
 - **RA-5 Vulnerability monitoring and scanning**: *“Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automation Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).”*
 
 - **SC-38 Operations security**: *“Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.”*
 
-The Wazuh Vulnerability Detector module assists with the above requirements by scanning an endpoint for vulnerable applications/packages and missing OS updates.
+The Wazuh Vulnerability Detection module assists with the above requirements by checking for vulnerable applications/packages and missing OS updates in an endpoint.
 
 Use case: Detect vulnerabilities on a Windows endpoint
 ------------------------------------------------------
 
 This use case shows how Wazuh helps meet the NIST **RA-5 Vulnerability monitoring and scanning** requirement using the Vulnerability detection module to identify system vulnerabilities.
 
-In this use case, you configure the Wazuh Vulnerability detector module to perform a vulnerability scan on a monitored Windows 10 endpoint. The **Vulnerability Detection** module of the Wazuh dashboard shows the result of the scan. 
-
-Follow the steps below to activate the Wazuh Vulnerability Detector module:
+In this use case, you make sure that a monitored Windows 10 endpoint is properly configured and the Wazuh Vulnerability detection module enabled. The **Vulnerability Detection** module of the Wazuh dashboard shows the result of the vulnerabilities detection.
 
 Windows endpoint
 ^^^^^^^^^^^^^^^^
@@ -54,54 +52,37 @@ Windows endpoint
 Wazuh server
 ^^^^^^^^^^^^
 
-#. Edit the ``<vulnerability-detector>`` block within the ``/var/ossec/etc/ossec.conf`` file and set ``<enabled>`` to ``yes``. This enables the vulnerability detector module.
+#. Edit the ``<vulnerability-detection>`` block within the ``/var/ossec/etc/ossec.conf`` file and make sure ``<enabled>`` is set to ``yes``. This enables the vulnerability detection module.
 
-   .. code-block:: xml   
+   .. code-block:: xml
       :emphasize-lines: 2
-
-      <vulnerability-detector>
-         <enabled>yes</enabled>
-         <interval>5m</interval>
-         <min_full_scan_interval>6h</min_full_scan_interval>
-         <run_on_start>yes</run_on_start>
-
-      </vulnerability-detector>
-
-   You can also set other options such as **<interval>** and **<run_on_start>**.
-
-#. Enable the ``<provider>`` options for ``msu`` and ``nvd`` in the ``<vulnerability-detector>`` block of the ``/var/ossec/etc/ossec.conf`` configuration file:
-
-   .. code-block:: xml   
-      :emphasize-lines: 3,10   
-
-      <!-- Windows OS vulnerabilities -->
-        <provider name="msu">
-          <enabled>yes</enabled>
-          <update_interval>1h</update_interval>
-        </provider>
-
-
-          <!-- Aggregate vulnerabilities -->
-          <provider name="nvd">
-            <enabled>yes</enabled>
-            <update_interval>1h</update_interval>
-          </provider>
-
-   Save the changes:
-
-   - ``msu``: Pulls CVEs from the Microsoft vulnerability updates database.
-   - ``nvd``: Pulls CVEs from the National Vulnerability Database.
-
-#. Restart the Wazuh server to apply the configuration changes:
+
+      <vulnerability-detection>
+        <enabled>yes</enabled>
+        <index-status>yes</index-status>
+        <feed-update-interval>60m</feed-update-interval>
+      </vulnerability-detection>
+
+      <indexer>
+        <enabled>yes</enabled>
+        <hosts>
+          <host>https://0.0.0.0:9200</host>
+        </hosts>
+        <username>admin</username>
+        <password>admin</password>
+        <ssl>
+          <certificate_authorities>
+            <ca>/etc/filebeat/certs/root-ca.pem</ca>
+          </certificate_authorities>
+          <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
+          <key>/etc/filebeat/certs/filebeat-key.pem</key>
+        </ssl>
+      </indexer>
+
+#. If you made changes, restart the Wazuh server to apply them.
 
    .. include:: /_templates/common/restart_manager.rst
 
 #. Go to  **Vulnerability Detection** on the Wazuh dashboard. Select the Windows agent to find vulnerable applications and packages.
 
-   .. thumbnail:: /images/compliance/nist/modules-vulnerabilities.png    
-      :title: Vulnerability Detection module
-      :alt: Vulnerability Detection module
-      :align: center
-      :width: 80%
-
-The alert details include the detection time, CVE number, and severity, amongst other information.
+The alert details include the CVE number and severity, amongst other information.