Update VD POC #7215

Merged
merged 7 commits into from
Apr 19, 2024
Binary file removed source/images/poc/vulnerabilities-ubuntu-alerts.png
34 changes: 28 additions & 6 deletions source/proof-of-concept-guide/poc-vulnerability-detection.rst
Expand Up @@ -20,9 +20,10 @@ Infrastructure
+===============+============================================================================================================================================+
| Ubuntu 22.04 | The vulnerability detection module checks for vulnerabilities in the operating system and installed applications in this Linux endpoint. |
@javimed javimed Apr 19, 2024

What's the purpose of having this Endpoint? We're not later showing any vulnerabilities for this endpoint.

+---------------+--------------------------------------------------------------------------------------------------------------------------------------------+
| Windows 11 | The vulnerability detection module checks for vulnerabilities in the operating system and installed applications in this Windows endpoint. |
| Debian 12 | The vulnerability detection module checks for vulnerabilities in the operating system and installed applications in this Linux endpoint. |
+---------------+--------------------------------------------------------------------------------------------------------------------------------------------+


Configuration
-------------
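Review bot: the `Windows 11` and `Debian 12` rows sit back to back with no `+---------------+...+` separator row between them; if the Windows 11 row is meant to stay in the table (rather than being the removed line of this hunk), the grid table is malformed and Sphinx/docutils will refuse to render it, so either keep a separator row between the two or drop the Windows row in the same change. Also worth settling the open question on the `Ubuntu 22.04` row in this hunk: the description promises vulnerability checks on that endpoint, so either the later sections should show results for it or the row should be removed so the table only lists endpoints the guide actually exercises.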

Expand Down Expand Up @@ -51,12 +52,33 @@ The Vulnerability Detection module is enabled by default. You can perform the fo

$ sudo systemctl restart wazuh-manager


Test the configuration
----------------------

You don’t have to perform any action. Wazuh detects the vulnerable packages installed in the Ubuntu endpoint automatically. The time it takes to detect vulnerabilities depends on the Syscollector :doc:`interval </user-manual/reference/ossec-conf/wodle-syscollector>` configured in the ``ossec.conf`` file.
Same comment as above. We're saying vulnerable packages get automatically detected but don't show a results visualization below.


#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y``.
Suggested change
#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y``.
#. Install ``vim`` in the Debian endpoint with ``sudo apt install vim -y`` to install a vulnerable package. Wait until the syscollector runs a new scan.

Is this going to work? Is the default version vulnerable?


Suggested change

#. Wait until the syscollector runs a new scan.
Suggested change
#. Wait until the syscollector runs a new scan.


GabrielEValenzuela marked this conversation as resolved.
#. Delete the package with ``sudo apt purge vim -y``.
Suggested change
#. Delete the package with ``sudo apt purge vim -y``.
#. Delete the package with ``sudo apt purge vim -y`` to fix the vulnerability.


Visualize the alerts
--------------------

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability Detection module, select Events, and click on any vulnerability to expand the document.
You can visualize detected vulnerabilities data in the Wazuh dashboard. Go to **Vulnerability Detection** and select **Events** to see a list of all vulnerable packages detected after the first scan.
We could add a step to filter specific Vim alerts to quickly find them. This will save scrolling down allowing to display the Events tab at top in the screenshots.


- New vulnerability detected:

.. thumbnail:: /images/poc/vulnerabilities-events-new-vuln.png
:title: Detected vulnerabilities on Debian. Vulnerable vim package example
:align: center
:width: 80%

- New vulnerability solved:

.. thumbnail:: /images/poc/vulnerabilities-ubuntu-alerts.png
:title: Detected vulnerabilities on Ubuntu alerts
:align: center
:width: 80%
.. thumbnail:: /images/poc/vulnerabilities-events-solve-vuln.png
:title: Solved vulnerabilities on Debian. Vulnerable vim package example
:align: center
:width: 80%
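Review bot: the "Test the configuration" paragraph says no action is needed and that Wazuh detects vulnerable packages in the Ubuntu endpoint, but the numbered steps directly below install and purge ``vim`` on the Debian endpoint; the paragraph should name the same endpoint as the steps and explain that the steps deliberately introduce and then remove a vulnerable package, otherwise the section contradicts itself (the ``Syscollector`` / ``syscollector`` capitalization between the paragraph and the "Wait until the syscollector runs a new scan" step should also be made consistent). In the "Visualize the alerts" block, the ``.. thumbnail:: /images/poc/vulnerabilities-ubuntu-alerts.png`` directive still appears under "New vulnerability solved:" even though that binary is deleted in this same PR (``Binary file removed source/images/poc/vulnerabilities-ubuntu-alerts.png``); confirm that directive is the removed line and that only ``vulnerabilities-events-solve-vuln.png`` remains, since a directive pointing at a deleted image breaks the docs build. Finally, the suggested wording "to fix the vulnerability" for ``sudo apt purge vim -y`` is imprecise: purging removes the package rather than patching it, so "remove the vulnerable package so the vulnerability is reported as solved" describes what the next screenshot actually shows.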