Closed mauromalara closed 1 year ago
This agent is connected to the Worker node.
```
# grep -E ".*agent '004'" /var/ossec/logs/wazuh/2023/Aug/ossec-29.log
2023/08/29 20:22:56 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '004' vulnerabilities.
2023/08/29 20:22:56 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '004'
```
2. Check if there are vulnerable packages
```
sqlite> select * from vuln_cves;
```
3. Check if the info is being collected by Wazuh in the agent
<img width="1229" alt="image" src="https://github.com/wazuh/wazuh/assets/39094716/94f7a048-f62f-4a5b-8c9c-84adcf05e827">
4. Check if there are vulnerabilities in the manager database
```
sqlite> select target,count(*) from vulnerabilities group by target;
Amazon-Linux|52428
Amazon-Linux-2|31394
BIONIC|24768
BULLSEYE|30356
BUSTER|30136
FOCAL|17859
JAMMY|16190
RHEL5|24936
RHEL6|85476
RHEL7|102786
RHEL8|113123
RHEL9|33927
TRUSTY|34522
XENIAL|31341
```
5. Check if the API returns vulnerabilities
<img width="903" alt="image" src="https://github.com/wazuh/wazuh/assets/39094716/a986c772-1c6a-4eb0-9d5e-c02691c592f6">
After a deeper analysis, we realized that no vulnerable packages were installed.
After installing Wazuh from scratch and installing a vulnerable package, the vulnerabilities started showing up in the first scan:
```
# yum list golang --show-duplicates
```
![image](https://github.com/wazuh/wazuh/assets/39094716/3dfaef9a-48b5-4e90-a475-9b5604a48d96)
---
On the other hand, we've tested the upgrade of the vuln package to a fixed version, and the vulnerability is shown as solved quickly:
```
.
.
Running transaction
  Updating   : golang-src-1.20.7-1.amzn2.0.1.noarch 1/6
  Updating   : golang-bin-1.20.7-1.amzn2.0.1.x86_64 2/6
  Updating   : golang-1.20.7-1.amzn2.0.1.x86_64 3/6
  Cleanup    : golang-bin-1.16.15-1.amzn2.0.1.x86_64 4/6
  Cleanup    : golang-1.16.15-1.amzn2.0.1.x86_64 5/6
  Cleanup    : golang-src-1.16.15-1.amzn2.0.1.noarch 6/6
  Verifying  : golang-1.20.7-1.amzn2.0.1.x86_64 1/6
  Verifying  : golang-src-1.20.7-1.amzn2.0.1.noarch 2/6
  Verifying  : golang-bin-1.20.7-1.amzn2.0.1.x86_64 3/6
  Verifying  : golang-src-1.16.15-1.amzn2.0.1.noarch 4/6
  Verifying  : golang-1.16.15-1.amzn2.0.1.x86_64 5/6
  Verifying  : golang-bin-1.16.15-1.amzn2.0.1.x86_64 6/6

Updated: golang.x86_64 0:1.20.7-1.amzn2.0.1
Dependency Updated: golang-bin.x86_64 0:1.20.7-1.amzn2.0.1 golang-src.noarch 0:1.20.7-1.amzn2.0.1
Complete!
```
![image](https://github.com/wazuh/wazuh/assets/39094716/54cc66e5-ec37-4749-a8d4-7ff0b27ae782)
Closing as this is a bad report.
After testing Vulnerability Detector on a macOS Ventura 13.4.1 agent, we have observed that it works correctly.
The macOS agent had the following system information:
arm64|macOS|13.4.1|Ventura|13|4|1|Darwin|22.5.0
On this agent, 25 vulnerabilities have been detected, of which 1 affects the macOS OS and the others affect packages:
Description
Wazuh does not report vulnerabilities of an agent installed on Amazon Linux 2 and macOS Ventura. This was found while testing Wazuh in this Release Testing issue.
Steps to reproduce
Check the results on macOS Ventura
Current results
Evidence
Expected results