Of the many software packages installed on your Red Hat, CentOS, and/or Ubuntu systems, which ones have known vulnerabilities that might impact your security posture? Wazuh helps you answer this question with the syscollector and vulnerability-detector modules. On each agent, syscollector can scan the system for the presence and version of all software packages. This information is submitted to the Wazuh manager where it is stored in an agent-specific database for later assessment. On the Wazuh manager, vulnerability-detector maintains a fresh copy of the desired CVE sources of vulnerability data, and periodically compares agent packages with the relevant CVE database and generates alerts on matches.
In this lab, we will configure syscollector to run on wazuh-server and on both of the Linux agents. We will also configurevulnerability-detector on wazuh-server to periodically scan the collected inventory data for known vulnerable packages. We will observe relevant log messages and vulnerability alerts in Kibana including a dashboard dedicated to this. We will also interact with the Wazuh API to more deeply mine the inventory data, and even take a look at the databases where it is stored.
Configure syscollector for the Linux agents
In /var/ossec/etc/shared/linux/agent.conf on wazuh-server, just before the open-scap wodle configuration section, insert the following so each Linux agent will scan itself.
<wodle name="syscollector"> <disabled>no</disabled> <interval>1d</interval> <scan_on_start>yes</scan_on_start> <hardware>yes</hardware> <os>yes</os> <packages>yes</packages> </wodle>
Run verify-agent-conf to confirm no errors were introduced into agent.conf.
Configure vulnerability-detector and syscollector on wazuh-server
In ossec.conf on wazuh-server, just before the open-scap wodle configuration section, insert the following so that it will inventory its own software plus scan all collected software inventories against published CVEs, alerting where there are matches:
<wodle name="vulnerability-detector"> <disabled>no</disabled> <interval>5m</interval> <run_on_start>yes</run_on_start> <feed name="ubuntu-18"> <disabled>no</disabled> <update_interval>1h</update_interval> </feed> </wodle>
Restart the Wazuh manager. This will also cause the agents to restart as they pick up their new configuration:
- For Systemd:
systemctl restart wazuh-manager
Look at the logs
The vulnerability-detector module generates logs on the manager, and syscollector does as well on the manager and agents.
Try grep syscollector: /var/ossec/logs/ossec.log on the manager and on an agent:
2018/02/23 00:55:33 wazuh-modulesd:syscollector: INFO: Module started. 2018/02/23 00:55:34 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2018/02/23 00:55:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.
and try grep vulnerability-detector: /var/ossec/logs/ossec.log on the manager
2018/02/23 00:55:33 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Red Hat Enterprise Linux 7 DB update... 2018/02/23 00:55:33 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning. 2018/02/23 00:55:33 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
See the alerts in Kibana
Search Kibana for location:"vulnerability-detector" AND data.vulnerability.severity:"High", selecting some of the more helpful fields for viewing like below:
Expand one of the records to see all the information available:
Look deeper with the Wazuh API:
Up to now we have only seen the Wazuh API enable the Wazuh Kibana App to interface directly with the Wazuh manager. However, you can also access the API directly from your own scripts or from the command line with curl. This is especially helpful here as full software inventory data is not stored in Elasticsearch or visible in Kibana – only the CVE match alerts are. The actual inventory data is kept in agent-specific databases on the Wazuh manager. To see that, plus other information collected by syscollector, you can mine the Wazuh API. Not only are software packages inventoried, but basic hardware and operating system data is also tracked.
- Run
agent_control -lon wazuh-server to list your agents as you will need to query the API by agent id number:
Wazuh agent_control. List of available agents: ID: 000, Name: wazuh-server (server), IP: localhost, Active/Local ID: 001, Name: linux-agent, IP: any, Active ID: 002, Name: elastic-server, IP: any, Active ID: 003, Name: windows-agent, IP: any, Active
- On wazuh-server, query the Wazuh API for scanned hardware data about agent 002.
# curl -u wazuhapiuser:wazuhlab -k -X GET "https://localhost:55000/syscollector/002/hardware?pretty"The results should look like this:
{ "error": 0, "data": { "board_serial": "unknown", "ram": { "total": 8009024, "free": 156764 }, "cpu": { "cores": 2, "mhz": 2400.188, "name": "Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz" }, "scan": { "id": 1794797325, "time": "2018/02/18 02:05:31" } } }
- Next, query the Wazuh API for scanned OS data about agent 002.
# curl -u wazuhapiuser:wazuhlab -k -X GET "https://localhost:55000/syscollector/002/os?pretty"The results should look like this:
{ "error": 0, "data": { "sysname": "Linux", "version": "#1 SMP Thu Jan 25 20:13:58 UTC 2018", "architecture": "x86_64", "scan": { "id": 1524588903, "time": "2018/02/23 01:12:21" }, "release": "3.10.0-693.17.1.el7.x86_64", "hostname": "elastic-server", "os": { "version": "7 (Core)", "name": "CentOS Linux" } } }
- You can also query the software inventory data in many ways. Let’s list the versions of wget on all of our Linux systems:
# curl -u wazuhapiuser:wazuhlab -k -X GET "https://localhost:55000/syscollector/packages?pretty&search=wget"
A Passionate Techie 