Wazuh - Deekshith19/Cybersec_lab GitHub Wiki

Threat Analysis By Wazuh Open Source

Wazuh server configuration

- Enable the Vulnerability Detector module by modifying the Wazuh server configuration file at /var/ossec/etc/ossec.conf.
Set the value of the <enabled> tag to yes for the Vulnerability Detector module itself and for every operating system provider you intend to scan.

Add the Vulnerability Detector block to the config file

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <os>amazon-linux-2022</os>
      <os>amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Alma Linux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>yes</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>
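As an added check, not part of this lab's files, the following Python script audits the <vulnerability-detector> block of an ossec.conf and reports every module or provider whose <enabled> is not yes, because those OS families would silently go unscanned. SAMPLE_OSSEC_CONF is a constructed sample, not the lab's real file, and the synthetic root wrapper is needed because ossec.conf holds several top-level <ossec_config> blocks rather than one XML root.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <vulnerability-detector> block shown
# above, trimmed to two providers; "msu" is left disabled on purpose.
SAMPLE_OSSEC_CONF = """
<ossec_config><global><jsonout_output>yes</jsonout_output></global></ossec_config>
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="msu">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf holds several top-level <ossec_config> blocks, so it is not a
    single-rooted XML document; wrap it in a synthetic root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")


def audit_vulnerability_detector(text):
    """Summarise the Vulnerability Detector block and list the settings that
    would silently leave an OS family unscanned (module or provider not 'yes')."""
    vd = parse_ossec_conf(text).find(".//vulnerability-detector")
    if vd is None:
        return {"module_enabled": False, "providers": {}}, ["no <vulnerability-detector> block"]
    enabled = vd.findtext("enabled", "no").strip() == "yes"
    findings = [] if enabled else ["module <enabled> is not 'yes': no scans will run"]
    providers = {}
    for prov in vd.findall("provider"):
        name = prov.get("name", "?")
        prov_on = prov.findtext("enabled", "no").strip() == "yes"
        providers[name] = {"enabled": prov_on,
                           "os": [o.text.strip() for o in prov.findall("os") if o.text],
                           "update_interval": prov.findtext("update_interval", "")}
        if not prov_on:
            findings.append(f"provider '{name}' is not enabled: its feed will not be used")
    return {"module_enabled": enabled, "providers": providers}, findings
```

To audit the real file, pass the contents of /var/ossec/etc/ossec.conf to audit_vulnerability_detector instead of the sample.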

On our Wazuh server we make these changes in the ossec.conf file.

The manager will then start downloading the vulnerability feeds for every enabled OS provider.

Vulnerability configuration for agents

Running vulnerability scans in Wazuh requires enabling the Vulnerability Detector module and setting the scan configuration.

Change this configuration as shown in the screenshot above. The same configuration is present in agent.conf at both the agent and the server location.

Windows agent

When we open the Wazuh dashboard, it shows all the vulnerabilities found after scanning the OS.

Here is the graphical representation of all vulnerabilities and the number of vulnerabilities by severity.

If we click a critical vulnerability, we are able to analyse it.

We have also analysed Windows 11, which has

CVE (Common Vulnerabilities and Exposures) entries do not only cover malicious software; outdated software present on the system is also reported as a CVE.

We can navigate to the MITRE ATT&CK section.

We can view Security Events, for example those generated by an authentication failure.

Wazuh - Open Source Security Platform

We have installed an .OVA file that contains the Wazuh server.

Installation of Wazuh - Server

Download the OVA file on the host OS and import it into any hypervisor manager.

Start it with the required configuration; it also works with 2 GB RAM.

  • We can verify whether our Wazuh indexer is working:

systemctl status wazuh-indexer

Installation of Wazuh - Agent

IP address of Wazuh server - 192.168.166.57
IP address of Wazuh agent - 192.168.231.128

  • In the Wazuh manager settings we have to add the IP of the Wazuh server

  • Start the Wazuh agent in Kali

  • Status of the Wazuh agent

  • In the Wazuh dashboard / Wazuh manager
