docs/ref/modules/vulnerability-scanner/configuration.md

Configuration

The Vulnerability Scanner has a dedicated configuration block with minimal options. The module works out of the box and does not require specific settings. It detects vulnerabilities and then delegates the responsibility of indexing them to another module.

All the XML configuration blocks mentioned in this section are present in the main configuration file /var/ossec/etc/ossec.conf.

```xml
<vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
    <!--<offline-url>file:///home/vagrant/content_custom.json</offline-url>-->
</vulnerability-detection>
```

feed-update-interval: interval between CVE feed updates. Default and minimum value: 60 min.

offline-url: option hidden (commented out) by default that builds the CVE database from offline content. A database built this way is not updated.

Connection to Wazuh Indexer

As mentioned above, the Vulnerability Scanner delegates indexing to the Indexer Connector module. It receives OS and package events, matches them against a local CVE database (and, on Windows only, installed hotfix information) to detect vulnerabilities, and hands the results to the Indexer Connector for indexing.

Default Indexer Connector configuration block:

```xml
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```

It is important to verify that the Wazuh Indexer reports a green status by sending a request to the GET /_cluster/health endpoint.

Example response:

```json
{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 15,
  "active_shards": 15,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}
```

Currently, the module does not allow insecure connections, so the Indexer Connector configuration must be verified carefully.

The connection can be tested with the curl command line tool and the right arguments. Once again, the module does not support insecure connections, so a test that only succeeds with the -k (insecure) option does not indicate a properly configured Indexer Connector component.

```console
curl --cacert <root_CA_path> --cert <cert_path> --key <key_path> https://<indexer-ip>:9200/_cluster/health
```
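As an added example (not part of Wazuh or of this page's original content), the pre-flight check below parses the `<indexer>` block from an ossec.conf fragment, reports settings the module would reject (non-https hosts, missing CA/certificate/key) or that are still placeholders (`0.0.0.0`), and judges a `_cluster/health` reply. The config fragment and health reply are constructed inline; the reply mirrors the one shown above.

```python
"""Pre-flight check for the Wazuh Indexer Connector settings the Vulnerability
Scanner depends on. Added example, not Wazuh code; sample inputs are constructed."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed ossec.conf fragment holding the default <indexer> block.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts><host>https://0.0.0.0:9200</host></hosts>
    <ssl>
      <certificate_authorities><ca>/etc/filebeat/certs/root-ca.pem</ca></certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>"""

# Constructed GET /_cluster/health reply (abridged copy of the documented one).
SAMPLE_HEALTH = ('{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,'
                 '"number_of_nodes":1,"unassigned_shards":0,"active_shards_percent_as_number":100}')


def check_indexer_block(conf_xml: str) -> list:
    """Return a list of problems with the <indexer> block; empty means it looks usable."""
    idx = ET.fromstring(conf_xml).find("indexer")
    if idx is None:
        return ["no <indexer> block found"]
    problems = []
    if (idx.findtext("enabled") or "").strip().lower() != "yes":
        problems.append("<enabled> is not 'yes'")
    hosts = [h.text.strip() for h in idx.findall("hosts/host") if h.text]
    if not hosts:
        problems.append("no <host> entries under <hosts>")
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "https":  # the module rejects insecure connections
            problems.append(f"host {host} is not https")
        if url.hostname == "0.0.0.0":  # default placeholder, not a reachable indexer
            problems.append(f"host {host} still uses the placeholder address 0.0.0.0")
    for path in ("ssl/certificate_authorities/ca", "ssl/certificate", "ssl/key"):
        if not (idx.findtext(path) or "").strip():
            problems.append(f"missing <{path.rsplit('/', 1)[-1]}> under <ssl>")
    return problems


def cluster_is_healthy(health_json: str) -> bool:
    """True only for a green cluster that did not time out and has no unassigned shards."""
    health = json.loads(health_json)
    return (health.get("status") == "green" and not health.get("timed_out", True)
            and health.get("unassigned_shards", 1) == 0)
```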