Overview #
Argus uses the Vulnerability Detection module to identify vulnerabilities in applications and operating systems running on endpoints. This guide demonstrates how Argus detects unpatched Common Vulnerabilities and Exposures (CVEs) in a monitored endpoint.
System Setup #
Infrastructure #
Endpoint:
Debian 12 – The Vulnerability Detection module checks for vulnerable packages on this endpoint.
Configuration #
The Vulnerability Detection module is enabled by default. Follow these steps to ensure it is properly configured on the Argus server:
1. Edit Configuration File:
Open the /var/ossec/etc/ossec.conf file and verify the following settings:
```xml
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
```
2. Configure Indexer Connection:
Ensure the indexer settings are properly configured. By default, the host is set to 0.0.0.0:
```xml
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```
Replace 0.0.0.0 with the IP address or hostname of your Argus indexer node. You can find this value in the Filebeat config file /etc/filebeat/filebeat.yml.
Ensure the Filebeat certificate and key match the files in /etc/filebeat/certs.
If using an Argus indexer cluster, add a <host> entry for each node. For example:
```xml
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
The vulnerability detection module prioritizes reporting to the first node in the list and switches to the next node if unavailable.
3. Restart Argus Manager:
If changes were made to the configuration, restart the Argus manager:
```bash
sudo systemctl restart wazuh-manager
```
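As an added example (not part of the Argus documentation or product), the following Python script checks a configuration snippet for the settings described in steps 1 and 2 above: the module enabled, index-status on, the 0.0.0.0 placeholder replaced, https indexer hosts, and the Filebeat CA, certificate and key present. It assumes the snippet is wrapped in a single `<ossec_config>` root and uses a constructed sample rather than a real deployment's file.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not from a real deployment): the default blocks shown
# above, with the 0.0.0.0 indexer placeholder still in place.
SAMPLE_CONF = """<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>"""


def check_vuln_detection(conf_xml: str) -> list[str]:
    """Return findings for a snippet wrapped in one <ossec_config> root; [] means ready."""
    root = ET.fromstring(conf_xml)
    findings = []
    vd = root.find("vulnerability-detection")
    if vd is None or vd.findtext("enabled", "").strip() != "yes":
        findings.append("vulnerability-detection is not enabled")
    elif vd.findtext("index-status", "").strip() != "yes":
        findings.append("index-status is not 'yes'; results will not be indexed")
    idx = root.find("indexer")
    if idx is None or idx.findtext("enabled", "").strip() != "yes":
        findings.append("indexer block is missing or disabled")
        return findings  # nothing else to check without a reachable indexer
    hosts = [h.text.strip() for h in idx.iterfind("hosts/host") if h.text]
    if not hosts:
        findings.append("no <host> entries under <indexer><hosts>")
    for h in hosts:
        if "0.0.0.0" in h:
            findings.append(f"placeholder indexer host still present: {h}")
        if not h.startswith("https://"):
            findings.append(f"indexer host does not use https: {h}")
    # The guide pairs the indexer connection with the Filebeat CA, cert and key.
    for path in ("ssl/certificate_authorities/ca", "ssl/certificate", "ssl/key"):
        if not (idx.findtext(path) or "").strip():
            findings.append(f"missing <{path.rsplit('/', 1)[-1]}> under <indexer><ssl>")
    return findings
```

Run it against the sample to see the placeholder-host finding, then against the same text with the indexer address filled in to get an empty list.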
Testing the Configuration #
Note – Detection time depends on the Syscollector interval value configured in ossec.conf. To reduce waiting times during testing, refer to the System Inventory capability configuration.
Steps #
1. Install Vulnerable Package:
Install a vulnerable version of Vim (e.g., `2:9.0.1378-2` or earlier) on the Debian endpoint:
```bash
sudo apt install vim=<VERSION>
```
2. Wait for Syscollector Scan:
Allow Syscollector to run a new scan.
3. Fix the Vulnerability:
Remove the Vim package:
```bash
sudo apt remove vim
```
Wait for Syscollector to run another scan.
Troubleshooting #
If the Syscollector scan completes but the Argus dashboard does not reflect the changes, the abuse control mechanism might be delaying the indexing of the agent's vulnerabilities. This mechanism imposes a non-configurable 30-minute time window.
Viewing Vulnerabilities #
You can visualize detected vulnerabilities on the Argus dashboard:
1. Active Vulnerabilities:
Navigate to Vulnerability Detection > Inventory and use the search bar to filter active vulnerabilities for the Vim package:
package.name:vim
2. Vulnerability Alerts:
Switch to Events to see alerts from the last system inventory scan. Add the following filters:
data.vulnerability.package.name: vim
– Active Vulnerability Alerts:
data.vulnerability.package.name: vim AND data.vulnerability.status:Active
– Solved Vulnerability Alerts:
data.vulnerability.package.name: vim AND data.vulnerability.status:Solved
By following these steps, you can confirm that Argus detects vulnerable packages on monitored endpoints and reports the affected vulnerabilities as solved once the package is removed or updated.