Wazuh Configuration for Vulnerabilities Detection at Endpoints!
In this article we have been configuring Wazuh for vulnerability detection which may help in Threat Detection and Response.
What is Vulnerability detection?
Vulnerabilities are security flaws in computer systems that threat actors can exploit to gain unauthorized access to these systems. After exploitation, malware and threat actors may be able to perform remote code execution, exfiltrate data, and carry out other malicious activities.
Organizations must have strategies or security solutions that promptly detect vulnerabilities in their network before bad actors exploit them.
How Wazuh Vulnerability Detection Module Help?
The Wazuh Vulnerability Detector module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoint. The module functions using Wazuh native integration with external vulnerability feeds from National Vulnerability Database (NVD) and other operating system vulnerabilities databases.
Step 1: Wazuh Server Configuration for Vulnerability Module Activation
Enable the Vulnerability Detector module in the /var/ossec/etc/ossec.conf
file on the Wazuh server:
Note: By Default, it is not enabled.
i. We have to enable vulnerability detection module & for Operating systems for which we want to get vulnerability feeds for detection purposes.
sudo -i
nano /var/ossec/etc/ossec.conf
ii. Restart the Wazuh manager to apply the configuration changes:
sudo systemctl restart wazuh-manager
Step 2: Test the configuration for Vulnerability Database
Now we have configured National Vulnerability Database for different OS’s as shown in above step whether database of vulnerabilities building or not.
cat /var/ossec/queue/vulnerabilities/cve.db
You will see that database creation will be in progress on terminal.
Step 3: Log checking for database feeds as shown below.
cat /var/ossec/logs/ossec.log
Now we can see that database is downloaded for National Vulnerability Database.
Step 3: Agent Configuration for Vulnerabilities Detection
Now we will configure our window 10/11 agent for vulnerability detections
We have to add some configuration settings to agent ossec.conf file as shown below.
i. Click on Type here to search > manage agent >open
ii. Click on View Tab > View Config
Following file will open and we have to add this:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<hotfixes>yes</hotfixes>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
iii. Restart the wazuh-aget as shown below
- Click Manage Tab > Restart
Step 4: Vulnerability Checking on Wazuh Server Dashborad
If there will be any vulnerability on window 10 endpoint you will be notified by alerts and on Event tab.
As is my case there is no vulnerability detected as shown below but not the case for everyone as may be some vulnerable software or services running in your system so you will get alert by events.
Conclusion:
To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Wazuh has three different types of scans Baseline, full and partial scan for vulnerabilities. By Using this module we can get threat detection and intelligence to secure our environment by eliminating these indicators of compromise.