Vulnerability scanning
Runbook for configuring Wazuh’s vulnerability detection module. Wazuh agents inventory all installed packages on each host and compare them against the National Vulnerability Database and vendor security advisories. Confirmed findings are reported as alerts and forwarded to DefectDojo for remediation tracking. This provides a host-level view of vulnerability exposure that complements the container-level scanning performed by Trivy.
Enabling vulnerability detection
Vulnerability detection is configured on the Wazuh manager. Edit /var/ossec/etc/ossec.conf:
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>focal</os>
    <os>jammy</os>
    <os>noble</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="debian">
    <enabled>yes</enabled>
    <os>bookworm</os>
    <os>bullseye</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
The interval of 5 minutes means the module checks for new vulnerability data every 5 minutes. min_full_scan_interval of 6 hours triggers a full re-scan of all agents at least twice per day.
The Debian bookworm provider uses Debian’s official security advisory feed, which is authoritative for packages from the Debian repository. The NVD provider catches vulnerabilities in third-party software not covered by the OS vendor feed.
Syscollector
Vulnerability detection depends on Syscollector, which inventories installed packages on each agent. Syscollector must be enabled in the agent group configuration:
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
</wodle>
<packages>yes</packages> enables package inventory. Without it, the vulnerability detector has nothing to compare against the CVE feeds.
After enabling Syscollector, view the package inventory for an agent in the Wazuh dashboard: navigate to the agent, then Inventory Data, then Packages.
DefectDojo integration
Critical and High findings are automatically forwarded to DefectDojo for tracking. This is implemented via a Wazuh integration script at /var/ossec/integrations/custom-defectdojo.py:
#!/usr/bin/env python3
import json
import sys

import requests

# wazuh-integratord invokes the script with the path of the alert file as the
# first argument; fall back to stdin so an alert can also be piped in by hand.
if len(sys.argv) > 1:
    with open(sys.argv[1]) as alert_file:
        alert = json.load(alert_file)
else:
    alert = json.loads(sys.stdin.read())

rule = alert.get('rule', {})

# Only forward vulnerability alerts (rule group: vulnerability-detector)
if 'vulnerability-detector' not in rule.get('groups', []):
    sys.exit(0)

# Only forward High and Critical
vulnerability = alert.get('data', {}).get('vulnerability', {})
severity = vulnerability.get('severity', 'Low')
if severity not in ('High', 'Critical'):
    sys.exit(0)

defectdojo_url = 'https://defectdojo.golemtrust.am/api/v2/vulnerabilities/'
with open('/var/ossec/integrations/.defectdojo-key') as key_file:
    api_key = key_file.read().strip()

payload = {
    'title': vulnerability['title'],
    'cve': vulnerability['cve'],
    'severity': severity.lower(),
    'description': json.dumps(vulnerability, indent=2),
    'product_name': 'Infrastructure',
    'engagement_name': alert['agent']['name'],
    'auto_create_context': True,
}

response = requests.post(
    defectdojo_url,
    json=payload,
    headers={'Authorization': f'Token {api_key}'},
    timeout=10,
)

# Exit non-zero on an API error rather than silently dropping the finding
if not response.ok:
    print(f'DefectDojo returned {response.status_code}: {response.text}', file=sys.stderr)
    sys.exit(1)
Register the integration in ossec.conf:
<integration>
  <name>custom-defectdojo.py</name>
  <group>vulnerability-detector</group>
  <alert_format>json</alert_format>
</integration>
The DefectDojo API key is stored at /var/ossec/integrations/.defectdojo-key with permissions 0400, owned by wazuh. Retrieve it from Vault at kv/golemtrust/defectdojo-api-key.
Custom vulnerability rules
Wazuh’s built-in vulnerability rules (rule IDs 23500-23510) cover the standard severities. Add custom rules to adjust alert levels for Golem Trust’s response tiers:
<!-- Custom rules must sit inside a <group> element to load -->
<group name="local,vulnerability-detector,">
  <!-- Escalate Critical CVEs to level 15 (immediate page). This is a new rule
       chained to the built-in one via if_sid, so no overwrite attribute is needed -->
  <rule id="100100" level="15">
    <if_sid>23503</if_sid>
    <description>Critical vulnerability detected - immediate response required</description>
    <mitre>
      <id>T1190</id>
    </mitre>
  </rule>
</group>
Rule level 15 in Wazuh is the maximum severity. This ensures Critical CVEs trigger PagerDuty notification immediately, even outside working hours.
Reviewing vulnerability findings
Navigate to the Wazuh dashboard, then Vulnerabilities. The overview shows vulnerability counts by severity across all agents.
Sort by CVSS score to identify the most critical findings. Filter by agent to review a specific host.
Cross-reference Wazuh vulnerability findings with the vulnerability register (see the vulnerability management runbook). A finding that appears in Wazuh but is not in the register means it was not caught by Trivy (which scans containers, not the host OS) and needs to be added to the register.
Weekly, Cheery reviews the Wazuh vulnerability dashboard and the DefectDojo queue for unacknowledged High and Critical findings. Any finding older than the remediation deadline in the vulnerability management runbook that is still open is escalated to Ludmilla.
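One way to automate the weekly cross-check and deadline review described above, as an added example that is not part of this runbook: it reads alerts.json lines, keeps High and Critical vulnerability-detector findings, and reports the ones missing from the register as well as the ones still open past their deadline. The register's (host, cve) key and status values, and the deadline figures, are assumptions; the sample alerts and register extract are constructed.

```python
import json
from datetime import datetime, timedelta

# Assumed remediation deadlines (days) per severity; the real figures are in the vulnerability management runbook.
DEADLINE_DAYS = {"Critical": 7, "High": 30}

# Constructed alerts.json lines (not real Wazuh output): Critical, High, Medium, a repeat of the first, and a syscheck alert.
SAMPLE_ALERTS = [
    '{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"groups":["vulnerability-detector"]},"agent":{"name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2024-0001","severity":"Critical","package":{"name":"openssl"}}}}',
    '{"timestamp":"2024-05-15T10:00:00.000+0000","rule":{"groups":["vulnerability-detector"]},"agent":{"name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2024-0002","severity":"High","package":{"name":"curl"}}}}',
    '{"timestamp":"2024-05-02T10:00:00.000+0000","rule":{"groups":["vulnerability-detector"]},"agent":{"name":"db-01"},"data":{"vulnerability":{"cve":"CVE-2024-0003","severity":"Medium","package":{"name":"bash"}}}}',
    '{"timestamp":"2024-05-06T10:00:00.000+0000","rule":{"groups":["vulnerability-detector"]},"agent":{"name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2024-0001","severity":"Critical","package":{"name":"openssl"}}}}',
    '{"timestamp":"2024-05-06T11:00:00.000+0000","rule":{"groups":["syscheck"]},"agent":{"name":"web-01"},"data":{}}',
]
# Constructed register extract, assumed keyed by (host, cve) with an open/closed status.
SAMPLE_REGISTER = {("web-01", "CVE-2024-0001"): "open", ("db-01", "CVE-2024-0003"): "closed"}

def parse_ts(ts):
    """Wazuh writes offsets as +0000; insert the colon so datetime.fromisoformat accepts it."""
    if ts[-5] in "+-" and ts[-3] != ":":
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts)

def vulnerability_findings(lines):
    """Yield one finding per vulnerability-detector alert; alerts from other rule groups are skipped."""
    for line in lines:
        alert = json.loads(line)
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue
        vuln = alert["data"]["vulnerability"]
        yield {"agent": alert["agent"]["name"], "cve": vuln["cve"],
               "severity": vuln.get("severity", "Low"), "seen": parse_ts(alert["timestamp"])}

def reconcile(lines, register, now):
    """Return (missing, overdue) as lists of (host, cve): High/Critical findings absent from the
    register (so not caught by Trivy), and findings not marked closed whose deadline has passed."""
    missing, overdue, seen = [], [], set()
    for f in vulnerability_findings(lines):
        key = (f["agent"], f["cve"])
        if f["severity"] not in DEADLINE_DAYS or key in seen:
            continue  # ignore Medium/Low and repeat alerts for the same host and CVE
        seen.add(key)
        status = register.get(key)
        if status is None:
            missing.append(key)
        if status != "closed" and now > f["seen"] + timedelta(days=DEADLINE_DAYS[f["severity"]]):
            overdue.append(key)
    return missing, overdue
```

Feed it the real alerts.json (one JSON object per line) and a register export to get the two lists to act on.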