
Update VD POC #7215

Merged (7 commits, Apr 19, 2024)

Conversation

GabrielEValenzuela

Objective

This PR aims to enhance the precision and usability of the Proof of Concept (POC) documentation for our Vulnerability Detection system. By expanding the documentation to include more detailed sections and illustrative examples, we intend to provide clearer guidance and better support for users engaging with our vulnerability detection tools.

Description

  • Feedback on our existing POC documentation for the Vulnerability Detection system indicated that QA/users often encounter ambiguities and lack sufficient detail to effectively utilize the system. To address these concerns, we have undertaken a comprehensive enhancement of the documentation.
  • Key improvements include:
    • Expanded Sections: Each section of the documentation now contains a more detailed description, outlining the purpose and functionality with greater clarity. This includes elaborating on the system's architecture, configuration options, and operational procedures.
    • Illustrative Examples: We've added practical examples to demonstrate common use cases and scenarios. These examples are designed to help users better understand how to configure and use the system for optimal vulnerability detection.
    • Enhanced Formatting: The documentation is formatted in Markdown for improved readability and easier navigation. This includes the use of headers, lists, code blocks, and tables where appropriate, making the content more accessible and user-friendly.

- Improve POC.
- Fix review comments.
- Refactor PoC.
@GabrielEValenzuela GabrielEValenzuela self-assigned this Apr 18, 2024
@Dwordcito Dwordcito requested review from javimed and rauldpm April 18, 2024 19:52
- Refactor PoC. Apply review comments.
@javimed javimed linked an issue Apr 18, 2024 that may be closed by this pull request
@javimed javimed added level/task Task issue type/enhancement Enhancement issue labels Apr 18, 2024

@javimed javimed left a comment


The related #7183 issue requires steps to install vulnerable packages in order to trigger alerts. We're not installing a vulnerable Firefox version but using one installed by default. We're not patching or uninstalling Firefox to show solved vulnerabilities either. Are we ok with this approach? Aren't we going to explain in the "Test the configuration" sub-section that installing Firefox 116 or similar is required to see the alerts?

@Dwordcito Dwordcito requested a review from javimed April 19, 2024 00:31
- Refactor PoC. Apply review comments.
@@ -20,9 +20,10 @@ Infrastructure
+===============+============================================================================================================================================+
| Ubuntu 22.04 | The vulnerability detection module checks for vulnerabilities in the operating system and installed applications in this Linux endpoint. |
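Review bot: the added `+===============+...+` line is a grid-table header separator, and docutils only accepts it when its `+` positions line up character-for-character with the `|` column boundaries of the surrounding rows (here `| Ubuntu 22.04 | The vulnerability detection module ... |`) and when it is the only `=` separator in the table; please run the Sphinx build once to confirm the Infrastructure table still parses after this insertion.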
@javimed javimed Apr 19, 2024


What's the purpose of having this Endpoint? We're not later showing any vulnerabilities for this endpoint.

Test the configuration
----------------------

You don’t have to perform any action. Wazuh detects the vulnerable packages installed in the Ubuntu endpoint automatically. The time it takes to detect vulnerabilities depends on the Syscollector :doc:`interval </user-manual/reference/ossec-conf/wodle-syscollector>` configured in the ``ossec.conf`` file.
Same comment as above. We're saying vulnerable packages get automatically detected but don't show a results visualization below.


You don’t have to perform any action. Wazuh detects the vulnerable packages installed in the Ubuntu endpoint automatically. The time it takes to detect vulnerabilities depends on the Syscollector :doc:`interval </user-manual/reference/ossec-conf/wodle-syscollector>` configured in the ``ossec.conf`` file.

#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y``.
Suggested change
#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y``.
#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y`` to install a vulnerable package. Wait until the syscollector runs a new scan.

Is this going to work? Is the default version vulnerable?

You don’t have to perform any action. Wazuh detects the vulnerable packages installed in the Ubuntu endpoint automatically. The time it takes to detect vulnerabilities depends on the Syscollector :doc:`interval </user-manual/reference/ossec-conf/wodle-syscollector>` configured in the ``ossec.conf`` file.

#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y``.

Suggested change


#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y``.

#. Wait until the syscollector runs a new scan.
Suggested change
#. Wait until the syscollector runs a new scan.


#. Wait until the syscollector runs a new scan.

#. Delete the package with ``sudo apt purge vim -y``.
Suggested change
#. Delete the package with ``sudo apt purge vim -y``.
#. Delete the package with ``sudo apt purge vim -y`` to fix the vulnerability.

Visualize the alerts
--------------------

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability Detection module, select Events, and click on any vulnerability to expand the document.
You can visualize detected vulnerabilities data in the Wazuh dashboard. Go to **Vulnerability Detection** and select **Events** to see a list of all vulnerable packages detected after the first scan.
We could add a step to filter specific Vim alerts to quickly find them. This will save scrolling down, allowing the Events tab to be displayed at the top in the screenshots.
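The PoC walked through in this review installs a package, waits for a Syscollector scan, and then purges the package so that the same vulnerabilities show up as solved. The script below is an added example, not code from the PR or from Wazuh, that illustrates the same lifecycle on the alert side: it reads newline-delimited alerts, filters them to one package (the "filter specific Vim alerts" idea above), and reports the latest status per CVE. The sample alerts, the CVE placeholders and the simplified field layout (`data.vulnerability.package.name`, `data.vulnerability.cve`, `data.vulnerability.status`) are constructed assumptions for the example, not a statement of Wazuh's real alert schema.

```python
import json
from collections import defaultdict

# Constructed sample alerts (not real Wazuh output). Timestamps 10:00 are the
# first scan after "apt install vim"; 11:05 is the scan after "apt purge vim".
# CVE ids are labelled placeholders; the field layout is an assumption.
SAMPLE_ALERTS = """\
{"timestamp":"2024-04-19T10:00:00Z","agent":{"name":"debian-endpoint"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:9.0.1378-2"},"cve":"CVE-PLACEHOLDER-1","severity":"High","status":"Active"}}}
{"timestamp":"2024-04-19T10:00:01Z","agent":{"name":"debian-endpoint"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:9.0.1378-2"},"cve":"CVE-PLACEHOLDER-2","severity":"Medium","status":"Active"}}}
{"timestamp":"2024-04-19T10:00:02Z","agent":{"name":"debian-endpoint"},"data":{"vulnerability":{"package":{"name":"openssl","version":"3.0.11-1"},"cve":"CVE-PLACEHOLDER-3","severity":"Critical","status":"Active"}}}
{"timestamp":"2024-04-19T11:05:00Z","agent":{"name":"debian-endpoint"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:9.0.1378-2"},"cve":"CVE-PLACEHOLDER-1","severity":"High","status":"Solved"}}}
{"timestamp":"2024-04-19T11:05:01Z","agent":{"name":"debian-endpoint"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:9.0.1378-2"},"cve":"CVE-PLACEHOLDER-2","severity":"Medium","status":"Solved"}}}
"""


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated line in alerts.json should not abort the whole pass.
            continue
    return alerts


def vulnerability_state(alerts, package=None):
    """Return the most recent status per (agent, package, cve).

    Alerts are processed in timestamp order so a later "Solved" alert
    overrides the earlier "Active" one for the same CVE. If `package` is
    given, only alerts for that package name are considered.
    """
    state = {}
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        vuln = alert["data"]["vulnerability"]
        name = vuln["package"]["name"]
        if package is not None and name != package:
            continue
        key = (alert["agent"]["name"], name, vuln["cve"])
        state[key] = {
            "version": vuln["package"]["version"],
            "severity": vuln["severity"],
            "status": vuln["status"],
            "last_seen": alert["timestamp"],
        }
    return state


def summarize(state):
    """Count Active versus Solved CVEs per package from a state map."""
    counts = defaultdict(lambda: {"Active": 0, "Solved": 0})
    for (_agent, pkg, _cve), info in state.items():
        status = info["status"]
        counts[pkg][status] = counts[pkg].get(status, 0) + 1
    return dict(counts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    # Only the vim alerts, as the review suggests filtering in the dashboard.
    for key, info in vulnerability_state(alerts, package="vim").items():
        print(key, info["status"], "last seen", info["last_seen"])
    print(summarize(vulnerability_state(alerts)))
```

Running it on the constructed input shows both vim CVEs ending in the Solved state after the purge-time scan while the openssl CVE stays Active, which is exactly the before/after picture the PoC screenshots are meant to capture.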

- Refactor PoC. Apply review comments.
@Dwordcito Dwordcito requested a review from javimed April 19, 2024 17:10
@javimed javimed merged commit 822ea93 into 4.8.0 Apr 19, 2024
3 checks passed
@javimed javimed deleted the enhancement/7183-improve-poc-vd branch April 19, 2024 20:01
Labels
level/task Task issue type/enhancement Enhancement issue
Projects
No open projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Enhance precision of the vulnerability detection POC documentation
3 participants