docs/ref/modules/vulnerability-scanner/configuration.md
Configuration

The Vulnerability Scanner has a dedicated configuration block with minimal options. The module works out of the box and is triggered by InventorySync sessions (Start/DataValue/DataContext) produced from Syscollector inventory. It detects vulnerabilities in that inventory, indexes the results through the Indexer Connector, and also emits engine alerts through the internal queue.

All the XML configuration blocks mentioned in this section are present in the main configuration file /var/wazuh-manager/etc/wazuh-manager.conf.

```xml
<vulnerability-detection>
    <enabled>yes</enabled>
    <feed-update-interval>60m</feed-update-interval>
    <!--<offline-url>file:///home/vagrant/content_custom.json</offline-url>-->
</vulnerability-detection>
```

feed-update-interval: Default and minimum value: 60 min (60m).

offline-url: Commented out by default. Points to offline content from which the CVE database is generated; a database built this way is not updated.

InventorySync dependency: VD (the Vulnerability Scanner) runs when InventorySync sessions end. Ensure the inventory_sync module is enabled on the manager so that VD receives the Start/DataValue/DataContext batches.

Connection to Wazuh Indexer

As mentioned above, the Vulnerability Scanner delegates indexing to the Indexer Connector module. It processes inventory batches (OS, packages, hotfixes) against the local CVE database and indexes detections into wazuh-states-vulnerabilities.

  • Default Indexer Connector configuration block:

```xml
<indexer>
  <hosts>
    <host>https://127.0.0.1:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/var/wazuh-manager/etc/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/var/wazuh-manager/etc/certs/manager.pem</certificate>
    <key>/var/wazuh-manager/etc/certs/manager-key.pem</key>
  </ssl>
</indexer>
```

It is important to verify that the Wazuh Indexer reports green status with a request to the GET /_cluster/health endpoint.

  • Example response:

```json
{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 15,
  "active_shards": 15,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}
```

Currently, the module does not allow insecure connections, so verify the Indexer Connector configuration carefully.

The connection can be tested easily with the curl command line tool and the right arguments. Note once again that the module does not support insecure connections, so a connection that only works with the -k option will not help you configure the Indexer Connector component correctly.

```console
curl --cacert <root_CA_path> https://<indexer-ip>:9200/_cluster/health
```

If client authentication is enabled, include the client certificate and key:

```console
curl --cacert <root_CA_path> --cert <cert_path> --key <key_path> https://<indexer-ip>:9200/_cluster/health
```
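The following preflight check is an added example, not Wazuh's own code. It parses the two configuration blocks described above and reports the settings the module will reject or clamp (a non-https host, since insecure connections are not allowed; missing CA, certificate or key; a feed-update-interval under the 60m minimum), and validates a /_cluster/health reply for green status. The interval suffixes other than "m" and all sample data are assumptions constructed for the example.

```python
"""Preflight check for the <vulnerability-detection> and <indexer> blocks above (added
example, not Wazuh's own code): flags non-https hosts, missing TLS material and an
interval under the 60m minimum, and checks /_cluster/health for green. Samples are constructed."""
import json
import re
import xml.etree.ElementTree as ET

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # assumed suffixes; the page only shows "m"

def parse_interval(value: str) -> int:
    """Convert a '60m'-style interval to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad interval: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def check_config(conf_xml: str) -> list[str]:
    """Return findings for the two blocks; an empty list means they look sane."""
    # wazuh-manager.conf holds several top-level blocks, so wrap them in one root.
    root = ET.fromstring(f"<root>{conf_xml}</root>")
    findings = []
    vd = root.find("vulnerability-detection")
    interval = (vd.findtext("feed-update-interval") if vd is not None else None) or "60m"
    if parse_interval(interval) < 3600:
        findings.append(f"feed-update-interval {interval} is below the 60m minimum")
    idx = root.find("indexer")
    if idx is None:
        return findings + ["<indexer> block is missing"]
    for host in idx.iterfind("hosts/host"):
        if not (host.text or "").strip().lower().startswith("https://"):
            findings.append(f"host {host.text} is not https; insecure connections are rejected")
    for path in ("ssl/certificate_authorities/ca", "ssl/certificate", "ssl/key"):
        if not (idx.findtext(path) or "").strip():
            findings.append(f"<{path.rsplit('/', 1)[-1]}> is missing from <ssl>")
    return findings

def cluster_is_green(health_json: str) -> bool:
    """True when GET /_cluster/health reports green, not timed out, no unassigned shards."""
    h = json.loads(health_json)
    return h.get("status") == "green" and not h.get("timed_out") and h.get("unassigned_shards") == 0

# Constructed sample with three problems: 30m interval, http host, no <key>.
SAMPLE_CONF = """<vulnerability-detection><enabled>yes</enabled>
<feed-update-interval>30m</feed-update-interval></vulnerability-detection>
<indexer><hosts><host>http://127.0.0.1:9200</host></hosts><ssl>
<certificate_authorities><ca>/var/wazuh-manager/etc/certs/root-ca.pem</ca></certificate_authorities>
<certificate>/var/wazuh-manager/etc/certs/manager.pem</certificate></ssl></indexer>"""
if __name__ == "__main__":
    print(*check_config(SAMPLE_CONF), sep="\n")
```

Run it against the real file by passing the contents of /var/wazuh-manager/etc/wazuh-manager.conf to check_config, and feed the body of the curl response above to cluster_is_green.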