Vulnerability Detection is not working as expected in Demo environment

[Rebits]

Test information

Main release stage issue	https://github.com/wazuh/wazuh/issues/23246
Version	4.8.0
Release candidate	RC 1
Tag	https://github.com/wazuh/wazuh-qa/tree/v4.8.0-rc1

Description

This issue addresses concerns regarding vulnerability detection in the Demo environment. It has been observed that vulnerability detection is not functioning correctly for Debian agents, and there are unexpected behaviors when toggling the vulnerability detection feature. Further investigation is necessary to identify the root causes of these issues.

Problem Statement

• Vulnerability detection is failing to report vulnerabilities for Debian agents.
• Enabling and disabling vulnerability detection is leading to unexpected behavior, potentially removing already detected RHEL vulnerabilities.

Test Requirements

Environment

Access to the Demo environment is necessary. Credentials can be obtained from the devops team .

• https://github.com/wazuh/internal-devel-requests/issues/1124

Configuration

The environment should have enabled the wazuh-modulesd debug mode. This will provide more detailed logs for analysis.

Tests Cases

T1: Basic Vulnerability Detection

Description: Verify if vulnerability detection triggers vulnerabilities for all agents of the Demo Environment, having the vulnerability detection module enabled when agents were registered. Initial conditions: Initially, vulnerability detection is enabled, and all agents are registered while this module remains active.

ID	Description	Status
T1.1	Basic vulnerability detection for Debian agent	:green_circle:
T1.2	Basic vulnerability detection for RHEL agent	:green_circle:
T1.3	Basic vulnerability detection for centOS agent	:green_circle:
T1.4	Basic vulnerability detection for Windows Server agent	:green_circle:

T2: Assess Vulnerability Detection Re-Scan Behavior

Description: Verify if re-scan mechanism works as expected when a vulnerability detection is enabled once agents have been already registered.

Initial conditions: At the outset, vulnerability detection remains disabled, and all agents are registered while this module remains in its deactivated state.

ID	Description	Status
T2.1	Vulnerability detection for Debian agent when re-scan is triggered	:red_circle:
T2.2	Vulnerability detection for RHEL agent when re-scan is triggered	:red_circle:

Conclusion :red_circle:

Multiple issues were detected in the demo environment

• https://github.com/wazuh/wazuh-dashboard-plugins/issues/6655
• https://github.com/wazuh/wazuh-dashboard-plugins/issues/6654
• https://github.com/wazuh/wazuh/issues/23328
• https://github.com/wazuh/wazuh/issues/23346

[Rebits]

T1: Basic Vulnerability Detection

ID	Description	Status
T1.1	Basic vulnerability detection for Debian agent	:green_circle:
T1.2	Basic vulnerability detection for RHEL agent	:green_circle:
T1.3	Basic vulnerability detection for centOS agent	:green_circle:
T1.4	Basic vulnerability detection for Windows Server agent	:green_circle:

Description

Initially, the Demo environment comprised a RHEL and a Debian agent. Vulnerability scans on these agents did not detect any vulnerabilities. However, the remaining agents exhibited triggered vulnerabilities.

[!NOTE] No vulnerabilities were detected for RHEL agent

Upon assessing the current status of the manager, it was observed that removing and re-registering the agents resolved the issue.

It's likely that the reported errors are specifically related to the re-scan mechanism. This will be further investigated in the T2 cases.

---

After a few hours, after restraint manager and worker several times for other tests cases, vulnerabilities were detected for RHEL but not for Debian agent:

[Rebits]

T2: Assess Vulnerability Detection Re-Scan Behavior :red_circle:

ID	Description	Status
T2.1	Vulnerability detection for Debian agent when re-scan is triggered	:red_circle:
T2.2	Vulnerability detection for RHEL agent when re-scan is triggered	:red_circle:

Description

In an environment where all agents are linked and Vulnerability Detection is actively running, our next steps involve disabling the Vulnerability Detection module. We'll initiate this process via the dashboard, starting with the worker nodes and then proceeding to the master node.

Subsequently, we'll undertake the crucial task of backing up agents's client keys and then removing them from both Debian and RHEL agents. Before removal, we'll ensure to rename them within the configuration settings as 'RHEL-4' and 'Debian-4' respectively.

Once the client keys are secured and renamed, we'll proceed to register the agents in the environment with the Vulnerability Detection disabled. Following this, as the agents reconnect, we'll re-enable the Vulnerability Detection module seamlessly

Results

After enabling the vulnerability detector module again, after 1:30 hours, vulnerabilities of new agents appear:

Debian

RHEL

However several issues were detected:

• No existing agent's vulnerabilities found in index
• Index unstable when vulnerability detection module is disabled and enabled again
• Vulnerabilities of some agents disappear suddely (Directly related to https://github.com/wazuh/wazuh/issues/23322#issuecomment-2101089209 )
• Inconsistent wazuh.cluster.name filter
• Debian agent includes Windows agent syscheck events

[Rebits]

No existing agent's vulnerabilities found in index :red_circle:

• Issue: https://github.com/wazuh/wazuh/issues/23346

Description

After registering new agents in the environment, we observed the following list of agents registered:

However, upon removing the default wazuh.cluster.name filter, vulnerabilities were detected for a non-existing Ubuntu agent with wazuh.cluster.name value set to 2:

The exact registration time of this old agent cannot be provided due to the previous use of a Demo instance. However, it has been more than 1 day since registration.

Steps to Reproduce

No steps to reproduce can be provided for now due this agent was already present in the environment

Expected Behavior

No vulnerabilities should be detected for non-existing agents.

[Rebits]

Vulnerabilities of some agents disappear suddely :red_circle:

• Issue: https://github.com/wazuh/wazuh/issues/23328

[!NOTE] After researching this issue, it seems directly related to https://github.com/wazuh/wazuh/issues/23322#issuecomment-2101089209

Description

No vulnerabilities were detected in Debian and RHEL9 agents during testing. These agents were initially deployed in the environment and replicating the same conditions with new agents proved unsuccessful, suggesting a unique setup at the environment's inception.

Various scenarios were tested, including:

• Restarting the master node concurrently with agent registration.
• Restarting the worker node concurrently with agent registration.
• Changing the manager before syscollector packages are dispatched to the original manager.

Despite these efforts, the absence of vulnerabilities remains consistent, hinting at specific conditions present at the environment's outset

After toggling the vulnerability detection module on both the master and worker nodes, please allow approximately 30 minutes for the expected vulnerabilities to manifest.

Few minutes later, vulnerabilities were automatically deleted

Steps to Reproduce

No steps to reproduce can be provided for now due this agent was already present in the environment

Expected behaviour

Vulnerability scan should detect vulnerabilities for all agents without the need of disabling and enabling vulnerability detection module.

[Rebits]

Index unstable when vulnerability detection module is disabled and enabled again :red_circle:

• Issue: https://github.com/wazuh/wazuh/issues/23328

Description

The vulnerabilities index seems to be unstable after enabling and disabling the vulnerability detection module in master and worker nodes. Vulnerabilities of the environment are being removed completely and generated again several times, leading into some agents without any vulnerability (Check https://github.com/wazuh/wazuh/issues/23322#issuecomment-2100941195 for more information). In this case the agent 013, created during the test end with no vulnerabilities detected:

Video

vuln_dissapear.webm

Steps to reproduce

• Deploy an environment of a few agents and a cluster of indexer and manager
• Enable vulnerability detection and wait until vulnerability scan finished to scan all agents
• Disable vulnerability detection module in both managers
• Register a new agent into one of the manager
• Enable vulnerability detection again
• Check that the vulnerabilities index first does not detect the vulnerabilities of the new agents, and them remove all the vulnerabilities. A few minutes later, vulnerabilities are regenerated and removed again.

Expected behavior

Vulnerability index should be stable in case of enabling and disabling the vulnerability detection module. It is expected the removal of the index, although this should be produced only one time, generating vulnerabilities for all the agents.

[Rebits]

Inconsistent wazuh.cluster.name filter :red_circle:

• Issue: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6654

Description

The default setting for the vulnerability detection dashboard incorporates a filter labeled wazuh.cluster.name set to the value "wazuh1". Initially, it appears this filter is not intended for modification. However, it is possible to deactivate this filter and apply negation by accessing the "Change all filters" menu.

Video

filter_inconsistent.webm

Steps to reproduce

• Go to Vulnerability Detection > Inventory
• Using "Change all filters" negate the wazuh.cluster.name filter
• Go to Vulnerability Deteciton > Dashboard
• Check that dashboard is not working as expected. In addition, cluster filter now is not negated.

[Rebits]

Debian agent includes Windows agent syscheck events :red_circle:

• Issue: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6655

Description

Difficult to replicate error appear in the Debian endpoint menu. In the FIM recent events menu appear some Windows agent events

Steps to reproduce

No steps to reproduce can be provided because this issue was impossible to reproduce

[santipadilla]

LGTM

[juliamagan]

LGTM