
Manual testing - Deprecate Debian Stretch in Vulnerability Detector #3171

Closed
2 tasks done
MarcelKemp opened this issue Aug 11, 2022 · 3 comments

Comments

@MarcelKemp
Member

MarcelKemp commented Aug 11, 2022

| Target version | Related issue | Related PR |
|---|---|---|
| 4.4 | wazuh/wazuh#14354 | wazuh/wazuh#14542 |

Description

With the changes applied in PR wazuh/wazuh#14542, the support for Debian Stretch in Vulnerability Detector has been removed, so it is necessary to check that, even with this change, the other options of the module work correctly.

Proposed checks

  • VD works as expected with Debian block active (no stretch specified).
  • VD shows the Warning and does not scan the agent when specifying stretch.

Steps to reproduce

Without the changes, when trying to scan a Debian Stretch agent, the following Warning will occur, as there is no vulnerability in the JSON feed:

WARNING: (5575): Unavailable vulnerability data for the agent '254' OS. Skipping it.

Configuration and considerations

Default VD configuration by activating the Debian block.
And specify (or not) the <os>stretch</os> target.
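Added example (my own, not code from this issue or from the Wazuh code base): a small Python parser for the vulnerability-detector log events that this test checks for, namely the "is no longer supported" feed warning, DEBUG (5434) "unsupported OS version" and WARNING (5575) "Unavailable vulnerability data", together with the INFO (5450) "Analyzing agent" message. It lets an operator list which agents a scan silently skipped and why, which is the operational risk behind deprecating a distribution. The sample lines are copied from the logs posted in this issue, except the agent '003' line, which is constructed so that an analyzed agent also appears; the message-id regexes are assumptions derived from those lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Sample input: lines copied from the test logs in this issue, plus one
# constructed line (agent '003') so that an analyzed agent is present too.
SAMPLE_LOG = """\
2022/08/12 13:14:04 wazuh-modulesd[3836] wmodules-vuln-detector.c:188 at wm_vuldet_set_feed_version(): WARNING: Debian Stretch is no longer supported.
2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:8178 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '001' has an unsupported OS version: 'Debian'
2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:2679 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:2726 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '003' vulnerabilities.
2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:8193 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
"""

# Patterns written against the message texts above (assumption: the wording
# is stable across the 4.4 builds used in this test).
FEED_DEPRECATED = re.compile(r"WARNING: (?P<os>[A-Za-z]+ [A-Za-z]+) is no longer supported\.")
UNSUPPORTED_OS = re.compile(r"\(5434\): Agent '(?P<agent>\d+)' has an unsupported OS version: '(?P<os>[^']*)'")
NO_FEED_DATA = re.compile(r"\(5575\): Unavailable vulnerability data for the agent '(?P<agent>\d+)' OS")
ANALYZED = re.compile(r"\(5450\): Analyzing agent '(?P<agent>\d+)' vulnerabilities")


@dataclass
class ScanCoverage:
    deprecated_feeds: List[str] = field(default_factory=list)
    skipped: Dict[str, str] = field(default_factory=dict)  # agent id -> reason
    analyzed: Set[str] = field(default_factory=set)


def parse_vuldet_log(text: str) -> ScanCoverage:
    """Collect feed deprecations, skipped agents and analyzed agents from ossec.log text."""
    cov = ScanCoverage()
    for line in text.splitlines():
        if m := FEED_DEPRECATED.search(line):
            cov.deprecated_feeds.append(m["os"])
        elif m := UNSUPPORTED_OS.search(line):
            # Note: the message names the distribution but not the release,
            # so the reason cannot say which Debian version was rejected.
            cov.skipped[m["agent"]] = f"unsupported OS version '{m['os']}'"
        elif m := NO_FEED_DATA.search(line):
            cov.skipped[m["agent"]] = "no vulnerability data for the agent OS"
        elif m := ANALYZED.search(line):
            cov.analyzed.add(m["agent"])
    return cov


def unscanned_agents(cov: ScanCoverage, inventory: Iterable[str]) -> Dict[str, str]:
    """Agents from the inventory that the scan did not analyze, with the logged reason.

    Agents with no scan event at all are reported too: a missing event is as
    much a coverage gap as an explicit skip.
    """
    return {a: cov.skipped.get(a, "no scan event logged")
            for a in inventory if a not in cov.analyzed}


if __name__ == "__main__":
    coverage = parse_vuldet_log(SAMPLE_LOG)
    print("deprecated feeds:", coverage.deprecated_feeds)
    for agent, reason in unscanned_agents(coverage, ["000", "001", "002", "003"]).items():
        print(f"agent {agent} not scanned: {reason}")
```

Feed `parse_vuldet_log` the relevant slice of /var/ossec/logs/ossec.log and the agent ids from `agent_control -l`; every agent returned by `unscanned_agents` is one whose packages are not being assessed after the Stretch feed was dropped.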

@Deblintrake09
Contributor

Deblintrake09 commented Aug 11, 2022

Review data

| Tester | PR commit |
|---|---|
| @Deblintrake09 | 2b22023 |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Centos | 8 | LOCAL / Vagrant | qactl/centos_8 | |
| Debian | Stretch | LOCAL / Vagrant | debian/stretch64 | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| .rpm Manager | .deb agent |

Status

  • In progress
  • Pending Review
  • Team leader approved
  • Manager approved

@Deblintrake09
Contributor

Deblintrake09 commented Aug 11, 2022

Task results

Fresh Install

VD works as expected with Debian block active (no stretch). 🟢
  • Install Manager
  • Connect Debian Stretch Agent
    # uname -a
    Linux stretch 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
    
     # /var/ossec/bin/agent-auth -m 10.0.10.2 -A Stretch
     2022/08/12 12:27:27 agent-auth: INFO: Started (pid: 909).
     2022/08/12 12:27:27 agent-auth: INFO: Requesting a key from server: 10.0.10.2
     2022/08/12 12:27:27 agent-auth: INFO: No authentication password provided
     2022/08/12 12:27:27 agent-auth: INFO: Using agent name as: Stretch
     2022/08/12 12:27:27 agent-auth: INFO: Waiting for server reply
     2022/08/12 12:27:27 agent-auth: INFO: Valid key received
    
  • Start Agent
    Starting Wazuh v4.4.0...
    Started wazuh-execd...
    Started wazuh-agentd...
    Started wazuh-syscheckd...
    Started wazuh-logcollector...
    Started wazuh-modulesd...
    Completed.
    
  • Wait for Vulnerability Scan
    2022/08/12 13:12:10 wazuh-modulesd:vulnerability-detector[3362] wm_vuln_detector.c:8178 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
    2022/08/12 13:12:10 wazuh-modulesd:vulnerability-detector[3362] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '001' has an unsupported OS version: 'Debian'
    2022/08/12 13:12:10 wazuh-modulesd:vulnerability-detector[3362] wm_vuln_detector.c:2679 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
    2022/08/12 13:12:10 wazuh-modulesd:vulnerability-detector[3362] wm_vuln_detector.c:8193 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
    2022/08/12 13:12:10 wazuh-modulesd:vulnerability-detector[3362] wm_vuln_detector.c:8240 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
    
  • Check modules are still running
    # /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    
  • Check no segfault occurred 🟢
VD works as expected with Debian block active (Stretch os added). 🟢
  • Install Manager

  • Connect Debian Stretch Agent

    # uname -a
    Linux stretch 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
    
     # /var/ossec/bin/agent-auth -m 10.0.10.2 -A Stretch
    2022/08/12 12:27:27 agent-auth: INFO: Started (pid: 909).
    2022/08/12 12:27:27 agent-auth: INFO: Requesting a key from server: 10.0.10.2
    2022/08/12 12:27:27 agent-auth: INFO: No authentication password provided
    2022/08/12 12:27:27 agent-auth: INFO: Using agent name as: Stretch
    2022/08/12 12:27:27 agent-auth: INFO: Waiting for server reply
    2022/08/12 12:27:27 agent-auth: INFO: Valid key received
    
  • Start Agent

    Starting Wazuh v4.4.0...
    Started wazuh-execd...
    Started wazuh-agentd...
    Started wazuh-syscheckd...
    Started wazuh-logcollector...
    Started wazuh-modulesd...
    Completed.
    
  • Add Stretch os in VDT
    [image]

  • Restart Wazuh and check messages

    2022/08/12 13:14:04 wazuh-modulesd[3836] wmodules-vuln-detector.c:662 at wm_vuldet_read_provider(): DEBUG: Added debian (buster) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
    2022/08/12 13:14:04 wazuh-modulesd[3836] wmodules-vuln-detector.c:662 at wm_vuldet_read_provider(): DEBUG: Added debian (bullseye) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
    2022/08/12 13:14:04 wazuh-modulesd[3836] wmodules-vuln-detector.c:188 at wm_vuldet_set_feed_version(): WARNING: Debian Stretch is no longer supported.
    2022/08/12 13:14:04 wazuh-modulesd[3836] wmodules-vuln-detector.c:720 at wm_vuldet_read_provider(): DEBUG: Added msu feed. Interval: 3600s | Multi path: 'none' | Multi url: 'none' | Update since: 0 | Timeout: 300s
    2022/08/12 13:14:04 wazuh-modulesd[3836] wmodules-vuln-detector.c:720 at wm_vuldet_read_provider(): DEBUG: Added nvd feed. Interval: 3600s | Multi path: 'none' | Multi url: 'none' | Update since: 2010 | Timeout: 300s
    2022/08/12 13:14:04 wazuh-modulesd[3836] main.c:87 at main(): INFO: Started (pid: 3840).
    2022/08/12 13:14:04 wazuh-modulesd[3836] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
    .
    .
    .
    2022/08/12 13:17:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:8240 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
    2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:8178 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
    2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '001' has an unsupported OS version: 'Debian'
    2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:2679 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
    2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:8193 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
    2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:8240 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
    
  • Check modules are still running

    # /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    
  • Check no segfault occurred 🟢

Update 4.4 to dev branch

VD works as expected with Debian block active (no stretch). 🟢
  • Install Manager 4.4
  • Connect Debian Stretch Agent
    # uname -a
    Linux stretch 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
    
     # /var/ossec/bin/agent-auth -m 172.31.10.128 -A Stretch
    2022/08/12 20:58:41 agent-auth: INFO: Started (pid: 3154).
    2022/08/12 20:58:41 agent-auth: INFO: Requesting a key from server: 172.31.10.128
    2022/08/12 20:58:42 agent-auth: INFO: No authentication password provided
    2022/08/12 20:58:42 agent-auth: INFO: Using agent name as: Stretch
    2022/08/12 20:58:42 agent-auth: INFO: Waiting for server reply
    2022/08/12 20:58:42 agent-auth: INFO: Valid key received
    
  • Start Agent
    Starting Wazuh v4.4.0...
    Started wazuh-execd...
    Started wazuh-agentd...
    Started wazuh-syscheckd...
    Started wazuh-logcollector...
    Started wazuh-modulesd...
    Completed.
    
  • Wait for Vulnerability scan
    2022/08/12 21:18:44 wazuh-modulesd:vulnerability-detector[11134] wm_vuln_detector.c:7749 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
    2022/08/12 21:18:45 wazuh-modulesd:vulnerability-detector[11134] wm_vuln_detector.c:2537 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
    2022/08/12 21:18:45 wazuh-modulesd:vulnerability-detector[11134] wm_vuln_detector.c:2537 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '001' OS. Skipping it.
    2022/08/12 21:18:45 wazuh-modulesd:vulnerability-detector[11134] wm_vuln_detector.c:7764 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
    2022/08/12 21:18:45 wazuh-modulesd:vulnerability-detector[11134] wm_vuln_detector.c:7811 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
    
    
  • Upgrade manager with dev branch
    Updating:
    wazuh-manager          x86_64          4.4.0-0.commit2b22023           @commandline          116 M
    
    Updated:
      wazuh-manager-4.4.0-0.commit2b22023.x86_64                                                        
    
    Done!
    
  • Wait for Vulnerability scan
    2022/08/12 21:45:02 wazuh-modulesd:vulnerability-detector[11875] wm_vuln_detector.c:8178 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
    2022/08/12 21:45:02 wazuh-modulesd:vulnerability-detector[11875] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '001' has an unsupported OS version: 'Debian'
    2022/08/12 21:45:02 wazuh-modulesd:vulnerability-detector[11875] wm_vuln_detector.c:2679 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
    2022/08/12 21:45:02 wazuh-modulesd:vulnerability-detector[11875] wm_vuln_detector.c:8193 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
    2022/08/12 21:45:02 wazuh-modulesd:vulnerability-detector[11875] wm_vuln_detector.c:8240 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
    
  • Check modules are still running
    # /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    
  • Check no segfault occurred 🟢
VD works as expected with Debian block active (Stretch os added). 🟢
  • Install Manager

  • Connect Debian Stretch Agent

    # uname -a
    Linux stretch 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
    
     # /var/ossec/bin/agent-auth -m 172.31.10.128 -A Stretch
    2022/08/12 20:58:41 agent-auth: INFO: Started (pid: 3154).
    2022/08/12 20:58:41 agent-auth: INFO: Requesting a key from server: 172.31.10.128
    2022/08/12 20:58:42 agent-auth: INFO: No authentication password provided
    2022/08/12 20:58:42 agent-auth: INFO: Using agent name as: Stretch
    2022/08/12 20:58:42 agent-auth: INFO: Waiting for server reply
    2022/08/12 20:58:42 agent-auth: INFO: Valid key received
    
  • Start Agent

  • Add Stretch os in VDT
    [image]

  • Restart Wazuh and check messages

    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-osquery-monitor.c:78 at wm_osquery_monitor_read(): DEBUG: Logpath read: /var/log/osquery/osqueryd.results.log
    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): DEBUG: configPath read: /etc/osquery/osquery.conf
    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-vuln-detector.c:662 at wm_vuldet_read_provider(): DEBUG: Added debian (buster) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-vuln-detector.c:662 at wm_vuldet_read_provider(): DEBUG: Added debian (bullseye) feed. Interval: 3600s | Path: 'none' | Url: 'none' | Timeout: 300s
    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-vuln-detector.c:188 at wm_vuldet_set_feed_version(): WARNING: Debian Stretch is no longer supported.
    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-vuln-detector.c:720 at wm_vuldet_read_provider(): DEBUG: Added msu feed. Interval: 3600s | Multi path: 'none' | Multi url: 'none' | Update since: 0 | Timeout: 300s
    2022/08/12 22:07:59 wazuh-modulesd[14172] wmodules-vuln-detector.c:720 at wm_vuldet_read_provider(): DEBUG: Added nvd feed. Interval: 3600s | Multi path: 'none' | Multi url: 'none' | Update since: 2010 | Timeout: 300s
    
    .
    .
    .
    2022/08/12 22:18:09 wazuh-modulesd:vulnerability-detector[14422] wm_vuln_detector.c:8178 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
    2022/08/12 22:18:10 wazuh-modulesd:vulnerability-detector[14422] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '001' has an unsupported OS version: 'Debian'
    2022/08/12 22:18:10 wazuh-modulesd:vulnerability-detector[14422] wm_vuln_detector.c:2679 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
    2022/08/12 22:18:10 wazuh-modulesd:vulnerability-detector[14422] wm_vuln_detector.c:8193 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
    2022/08/12 22:18:10 wazuh-modulesd:vulnerability-detector[14422] wm_vuln_detector.c:8240 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
    
    
  • Check modules are still running

    # /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    
  • Check no segfault occurred 🟢

VD works as expected for other Debian OS version - Monitor Buster agent. 🟢
  • Connect Debian Buster Agent

    # uname -a
    Linux debian10.localdomain 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64 GNU/Linux
    
    # /var/ossec/bin/agent-auth -m 10.0.10.2 -A Buster
    2022/08/18 18:54:32 agent-auth: INFO: Started (pid: 2328).
    2022/08/18 18:54:32 agent-auth: INFO: Requesting a key from server: 10.0.10.2
    2022/08/18 18:54:32 agent-auth: INFO: No authentication password provided
    2022/08/18 18:54:32 agent-auth: INFO: Using agent name as: Buster
    2022/08/18 18:54:32 agent-auth: INFO: Waiting for server reply
    2022/08/18 18:54:32 agent-auth: INFO: Valid key received
    
    # /var/ossec/bin/agent_control -l
    
    Wazuh agent_control. List of available agents:
       ID: 000, Name: c3 (server), IP: 127.0.0.1, Active/Local
       ID: 001, Name: Buster, IP: any, Active
       ID: 002, Name: stretch, IP: any, Active
    
  • Start Agent

  • Add Stretch os in VDT
    [image]

  • Restart Wazuh and check messages

    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:8178 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:5867 at wm_vuldet_collect_agents_to_scan(): INFO: (5700): Unable to get the OS information for agent '000'. Inventory data may not yet be synchronized.
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[6236] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '002' has an unsupported OS version: 'Debian'
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:2698 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5491): A baseline scan will be run on agent '001'
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:5408 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:6429 at wm_vuldet_discard_kernel_package(): DEBUG: (5574): Discarded Linux Kernel package '4.19.0-20-amd64' ('not running') for agent '001'
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:6429 at wm_vuldet_discard_kernel_package(): DEBUG: (5574): Discarded Linux Kernel package 'amd64' ('not running') for agent '001'
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:2726 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
    2022/08/18 19:14:29 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:2313 at wm_vuldet_linux_oval_vulnerabilities(): DEBUG: (5456): Analyzing OVAL vulnerabilities for agent '001'
    .
    .
    .
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:1574 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5468): The 'vim-tiny' package (2:8.1.0875-5+deb10u2) from agent '001' is vulnerable to 'CVE-2022-1621'. Condition: 'Package unfixed'
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:1574 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5468): The 'xxd' package (2:8.1.0875-5+deb10u2) from agent '001' is vulnerable to 'CVE-2022-1621'. Condition: 'Package unfixed'
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:1602 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5482): A total of '532' vulnerabilities have been reported for agent '001' thanks to the 'NVD' feed.
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:1603 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5482): A total of '639' vulnerabilities have been reported for agent '001' thanks to the 'vendor' feed.
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:1605 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5469): A total of '643' vulnerabilities have been reported for agent '001'
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:1606 at wm_vuldet_process_agent_vulnerabilities(): DEBUG: (5470): It took '31' seconds to 'report' vulnerabilities in agent '001'
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:2745 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:2746 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '43' seconds to 'scan' vulnerabilities in agent '001'
    2022/08/18 19:15:12 wazuh-modulesd:vulnerability-detector[5576] wm_vuln_detector.c:8193 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
    
  • Check generated alerts in alerts.json

    {"timestamp":"2022-08-18T19:15:12.526+0000","rule":{"level":10,"description":"CVE-2022-1621 affects vim-common","id":"23505","firedtimes":363,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Buster","ip":"10.0.2.15"},"manager":{"name":"c3"},"id":"1660850112.2781267","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim-common","source":"vim","version":"2:8.1.0875-5+deb10u2","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2022-1621","title":"CVE-2022-1621 affects vim-common","rationale":"Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution","severity":"High","published":"2022-05-10","updated":"2022-07-21","cwe_reference":"CWE-787","status":"Active","type":"PACKAGE","references":["https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb","https:/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b","https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html","https://lists.fedoraproject.org/archives/list/[email protected]/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/","https://nvd.nist.gov/vuln/detail/CVE-2022-1621","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1621"],"assigner":"[email protected]","cve_version":"4.0"}},"location":"vulnerability-detector"}
    {"timestamp":"2022-08-18T19:15:12.581+0000","rule":{"level":10,"description":"CVE-2022-1621 affects vim-runtime","id":"23505","firedtimes":364,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Buster","ip":"10.0.2.15"},"manager":{"name":"c3"},"id":"1660850112.2785244","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim-runtime","source":"vim","version":"2:8.1.0875-5+deb10u2","architecture":"all","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2022-1621","title":"CVE-2022-1621 affects vim-runtime","rationale":"Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution","severity":"High","published":"2022-05-10","updated":"2022-07-21","cwe_reference":"CWE-787","status":"Active","type":"PACKAGE","references":["https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb","https:/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b","https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html","https://lists.fedoraproject.org/archives/list/[email protected]/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/","https://nvd.nist.gov/vuln/detail/CVE-2022-1621","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1621"],"assigner":"[email protected]","cve_version":"4.0"}},"location":"vulnerability-detector"}
    {"timestamp":"2022-08-18T19:15:12.626+0000","rule":{"level":10,"description":"CVE-2022-1621 affects vim-tiny","id":"23505","firedtimes":365,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Buster","ip":"10.0.2.15"},"manager":{"name":"c3"},"id":"1660850112.2789226","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim-tiny","source":"vim","version":"2:8.1.0875-5+deb10u2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2022-1621","title":"CVE-2022-1621 affects vim-tiny","rationale":"Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution","severity":"High","published":"2022-05-10","updated":"2022-07-21","cwe_reference":"CWE-787","status":"Active","type":"PACKAGE","references":["https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb","https:/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b","https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html","https://lists.fedoraproject.org/archives/list/[email protected]/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/","https://nvd.nist.gov/vuln/detail/CVE-2022-1621","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1621"],"assigner":"[email protected]","cve_version":"4.0"}},"location":"vulnerability-detector"}
    {"timestamp":"2022-08-18T19:15:12.671+0000","rule":{"level":10,"description":"CVE-2022-1621 affects xxd","id":"23505","firedtimes":366,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"Buster","ip":"10.0.2.15"},"manager":{"name":"c3"},"id":"1660850112.2793197","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"xxd","source":"vim","version":"2:8.1.0875-5+deb10u2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2022-1621","title":"CVE-2022-1621 affects xxd","rationale":"Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution","severity":"High","published":"2022-05-10","updated":"2022-07-21","cwe_reference":"CWE-787","status":"Active","type":"PACKAGE","references":["https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb","https:/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b","https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html","https://lists.fedoraproject.org/archives/list/[email protected]/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/","https://nvd.nist.gov/vuln/detail/CVE-2022-1621","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1621"],"assigner":"[email protected]","cve_version":"4.0"}},"location":"vulnerability-detector"}
    
  • Check modules are still running

    # /var/ossec/bin/wazuh-control status
    wazuh-clusterd not running...
    wazuh-modulesd is running...
    wazuh-monitord is running...
    wazuh-logcollector is running...
    wazuh-remoted is running...
    wazuh-syscheckd is running...
    wazuh-analysisd is running...
    wazuh-maild not running...
    wazuh-execd is running...
    wazuh-db is running...
    wazuh-authd is running...
    wazuh-agentlessd not running...
    wazuh-integratord not running...
    wazuh-dbd not running...
    wazuh-csyslogd not running...
    wazuh-apid is running...
    
  • Check no segfault occurred 🟢
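Added example (my own, not code from this issue or from Wazuh): a Python summariser for alerts.json lines of the kind shown above, grouping vulnerability-detector alerts by CVE so that the four per-package alerts for CVE-2022-1621 collapse into one finding with its affected packages, agents, highest CVSS v3 score and whether any package is still unfixed. The sample lines are constructed from the fields of the alerts in this comment (trimmed to the keys the code reads), plus one non-VD alert and one malformed line to show that both are ignored rather than crashing the pass.

```python
import json
from typing import Dict, Iterable


def _vd_alert(pkg: str, arch: str, agent: str = "001") -> str:
    """Build one constructed alerts.json line in the shape of the alerts in this issue."""
    return json.dumps({
        "timestamp": "2022-08-18T19:15:12.526+0000",
        "rule": {"level": 10, "description": f"CVE-2022-1621 affects {pkg}", "id": "23505",
                 "groups": ["vulnerability-detector"]},
        "agent": {"id": agent, "name": "Buster"},
        "data": {"vulnerability": {
            "package": {"name": pkg, "source": "vim", "version": "2:8.1.0875-5+deb10u2",
                        "architecture": arch, "condition": "Package unfixed"},
            "cvss": {"cvss2": {"base_score": "6.800000"}, "cvss3": {"base_score": "7.800000"}},
            "cve": "CVE-2022-1621", "severity": "High", "cwe_reference": "CWE-787",
            "status": "Active"}},
        "location": "vulnerability-detector",
    })


# Constructed sample: the four VD alerts from this comment, a syscheck alert that
# must be filtered out, and a deliberately malformed line.
SAMPLE_ALERTS = [
    _vd_alert("vim-common", "all"),
    _vd_alert("vim-runtime", "all"),
    _vd_alert("vim-tiny", "amd64"),
    _vd_alert("xxd", "amd64"),
    json.dumps({"rule": {"level": 3, "groups": ["syscheck"]}, "agent": {"id": "002"}}),
    "{this line is not valid JSON",
]


def summarize_vuln_alerts(lines: Iterable[str]) -> Dict[str, dict]:
    """Group vulnerability-detector alerts by CVE.

    Returns {cve: {severity, cvss3, unfixed, packages, agents}} with lists sorted,
    so the output is deterministic regardless of alert order.
    """
    summary: Dict[str, dict] = {}
    for raw in lines:
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial write or corrupted line: skip, do not abort the pass
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue  # alert from another module
        vuln = alert["data"]["vulnerability"]
        entry = summary.setdefault(vuln["cve"], {
            "severity": vuln.get("severity"),
            "cvss3": 0.0,
            "unfixed": False,
            "packages": set(),
            "agents": set(),
        })
        # base_score is serialised as a string ("7.800000"); keep the maximum seen
        score = vuln.get("cvss", {}).get("cvss3", {}).get("base_score")
        if score is not None:
            entry["cvss3"] = max(entry["cvss3"], float(score))
        entry["unfixed"] |= vuln["package"].get("condition") == "Package unfixed"
        entry["packages"].add(vuln["package"]["name"])
        entry["agents"].add(alert["agent"]["id"])
    return {cve: {**e, "packages": sorted(e["packages"]), "agents": sorted(e["agents"])}
            for cve, e in summary.items()}


if __name__ == "__main__":
    for cve, info in summarize_vuln_alerts(SAMPLE_ALERTS).items():
        print(cve, info["severity"], info["cvss3"], "unfixed" if info["unfixed"] else "fixed",
              "packages:", ", ".join(info["packages"]), "agents:", ", ".join(info["agents"]))
```

Run it over /var/ossec/logs/alerts/alerts.json (one JSON object per line) to get a per-CVE view; unfixed findings on packages from an unsupported release are the ones that will stop appearing once that release's feed is gone, which is why the skipped-agent check above matters.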

@jmv74211
Contributor

jmv74211 commented Aug 22, 2022

🟢 Everything seems to be working properly.

An improvement to the following log message is proposed: it is produced when an already deprecated system (stretch) has been configured, but the message only indicates that the agent has an unsupported Debian version, not which one.

2022/08/12 13:18:09 wazuh-modulesd:vulnerability-detector[3836] wm_vuln_detector.c:5842 at wm_vuldet_collect_agents_to_scan(): DEBUG: (5434): Agent '001' has an unsupported OS version: 'Debian'

It will be discussed with the development team and it will be decided whether to create an enhancement issue or not.

Update: The following issue has been opened for this reason
