
Vulnerability Detection


Overview

Argus uses the Vulnerability Detection module to identify vulnerabilities in applications and operating systems running on endpoints. This guide demonstrates how Argus detects unpatched Common Vulnerabilities and Exposures (CVEs) in a monitored endpoint.

System Setup

Infrastructure

Endpoint:

Debian 12 – The vulnerability detection module checks for vulnerabilities in this endpoint.

Configuration

The Vulnerability Detection module is enabled by default. Follow these steps to ensure it is properly configured on the Argus server:

1. Edit Configuration File:

Open the /var/ossec/etc/ossec.conf file and verify the following settings:

2. Configure Indexer Connection:

Ensure the indexer settings are properly configured. By default, the host is set to 0.0.0.0:

Replace 0.0.0.0 with the IP address or hostname of your Argus indexer node. You can find this value in the Filebeat config file /etc/filebeat/filebeat.yml.

Ensure the Filebeat certificate and key match the files in /etc/filebeat/certs.

If using an Argus indexer cluster, add a <host> entry for each node. For example:

The vulnerability detection module prioritizes reporting to the first node in the list and switches to the next node if unavailable.

3. Restart Argus Manager:

If changes were made to the configuration, restart the Argus manager:

Testing the Configuration

Note – Detection time depends on the Syscollector interval value configured in ossec.conf. To reduce waiting times during testing, refer to the System Inventory capability configuration.

Steps

1. Install Vulnerable Package:

Install a vulnerable version of Vim (e.g., `2:9.0.1378-2` or earlier) on the Debian endpoint:

2. Wait for Syscollector Scan:

Allow Syscollector to run a new scan.

3. Fix the Vulnerability:

Remove the Vim package:

Wait for Syscollector to run another scan.

Troubleshooting

If the Syscollector scan completes but the Argus dashboard doesn’t reflect the changes, the abuse control mechanism might be delaying the indexing of the agent’s vulnerabilities. This mechanism imposes a non-configurable 30-minute time window.

Viewing Vulnerabilities

You can visualize detected vulnerabilities on the Argus dashboard:

1. Active Vulnerabilities:

Navigate to Vulnerability Detection > Inventory and use the search bar to filter active vulnerabilities for the Vim package:

   package.name:vim

2. Vulnerability Alerts:

Switch to Events to see alerts from the last system inventory scan. Add the following filters:

   data.vulnerability.package.name: vim

   – Active Vulnerability Alerts:

     data.vulnerability.package.name: vim AND data.vulnerability.status:Active

   – Solved Vulnerability Alerts:

     data.vulnerability.package.name: vim AND data.vulnerability.status:Solved
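To make the install/remove steps and the Active/Solved filters above concrete, here is an added example (not Argus code) that reimplements Debian's package version ordering and applies the page's "2:9.0.1378-2 or earlier" threshold to two constructed Syscollector-style inventories, one from before and one from after the Vim package is removed. The threshold table and the inventories are constructed for illustration, not a real vulnerability feed.

```python
import re

def _order(c: str) -> int:
    # dpkg ordering of non-digit characters: '~' first, then letters, then the rest
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare one upstream or revision part the way dpkg's verrevcmp does
    i = j = 0
    while i < len(a) or j < len(b):
        # runs of non-digits compare character by character (end of string counts as 0)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # runs of digits compare numerically, ignoring leading zeros
        ma, mb = re.match(r"0*(\d*)", a[i:]), re.match(r"0*(\d*)", b[j:])
        i, j = i + ma.end(), j + mb.end()
        da, db = (len(ma.group(1)), ma.group(1)), (len(mb.group(1)), mb.group(1))
        if da != db:
            return -1 if da < db else 1
    return 0

def _split(v: str):
    """[epoch:]upstream[-revision] -> (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1: str, v2: str) -> int:
    """-1, 0 or 1 for v1 <, ==, > v2 in Debian version ordering."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def vulnerable_packages(inventory: dict, last_vulnerable: dict) -> list:
    """Names of installed packages at or below their last known vulnerable version."""
    return sorted(n for n, v in inventory.items()
                  if n in last_vulnerable and compare_versions(v, last_vulnerable[n]) <= 0)

def scan_transition(previous: set, current: set) -> dict:
    """Status between two scans: still vulnerable -> Active, no longer present -> Solved."""
    return {"Active": sorted(current), "Solved": sorted(previous - current)}

LAST_VULNERABLE = {"vim": "2:9.0.1378-2"}  # constructed table; value is the page's example
SCAN_1 = {"vim": "2:9.0.1378-2", "curl": "7.88.1-10"}  # constructed inventory after step 1
SCAN_2 = {"curl": "7.88.1-10"}                         # constructed inventory after step 3
```

Running `scan_transition` on the vulnerable sets of SCAN_1 and SCAN_2 yields an empty Active list and `["vim"]` under Solved, which is exactly what the two status filters above separate.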

By following these steps, you can use Argus to identify and track vulnerabilities on monitored endpoints and confirm that they are resolved once the affected packages are patched or removed.
