Error in the vulnerabilities module of Wazuh server #905

Closed
Desvelao opened this issue Jan 17, 2024 · 1 comment · Fixed by #906
Desvelao commented Jan 17, 2024

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8 | Puppet | package | package | Linux |

Description

The vulnerabilities module doesn't work correctly after installing a Wazuh server through the Wazuh module for Puppet.
The setting feed-update-interval has an unexpected value.

Steps to reproduce

  1. Create the file /etc/puppetlabs/code/environments/production/manifests/stack.pp with the following content on the Puppet server:
$puppetmaster  = '172-31-44-21'
$indexerhost   = '172.31.33.220'
$serverhost    = '172.31.32.95'
$dashboardhost = '172.31.43.88'
$indexer_node1_name = 'node1'
$master_name = 'master'
$indexer_cluster_size = '1'
$indexer_discovery_hosts = [$indexerhost]
$indexer_cluster_initial_master_nodes = [$indexerhost]
$indexer_cluster_CN = [$indexer_node1_name]
# Define stage for order execution
stage { 'certificates': }
stage { 'repo': }
stage { 'indexerdeploy': }
stage { 'securityadmin': }
stage { 'dashboard': }
stage { 'manager': }
Stage[certificates] -> Stage[repo] -> Stage[indexerdeploy] -> Stage[securityadmin] -> Stage[manager] -> Stage[dashboard]
Exec {
timeout => 0,
}
node "ip-172-31-44-21.ec2.internal" {
  class { 'wazuh::certificates':
    indexer_certs => [["$indexer_node1_name","$indexerhost" ]],
    manager_master_certs => [["$master_name","$serverhost"]],
    dashboard_certs => ["$dashboardhost"],
    stage => certificates
  }
  class { 'wazuh::repo':
    stage => repo
  }
}
node "ip-172-31-33-220.ec2.internal" {
  class { 'wazuh::repo':
    stage => repo
  }
  class { 'wazuh::indexer':
    indexer_node_name => "$indexer_node1_name",
    indexer_network_host => "$indexerhost",
    indexer_node_max_local_storage_nodes => "$indexer_cluster_size",
    indexer_discovery_hosts => $indexer_discovery_hosts,
    indexer_cluster_initial_master_nodes => $indexer_cluster_initial_master_nodes,
    indexer_cluster_CN => $indexer_cluster_CN,
    stage => indexerdeploy
  }
  class { 'wazuh::securityadmin':
    indexer_network_host => "$indexerhost",
    stage => securityadmin
  }
}
node "ip-172-31-32-95.ec2.internal" {
  class { 'wazuh::repo':
    stage => repo
  }
  class { 'wazuh::manager':
    ossec_cluster_name => 'wazuh-cluster',
    ossec_cluster_node_name => 'wazuh-master',
    ossec_cluster_node_type => 'master',
    ossec_cluster_key => '01234567890123456789012345678912',
    ossec_cluster_bind_addr => "$serverhost",
    ossec_cluster_nodes => ["$serverhost"],
    ossec_cluster_disabled => 'no',
    stage => manager
  }
  class { 'wazuh::filebeat_oss':
    filebeat_oss_indexer_ip => "$indexerhost",
    wazuh_node_name => "$master_name",
    stage => manager
  }
}

node "ip-172-31-43-88.ec2.internal" {
  class { 'wazuh::repo':
    stage => repo,
  }
  class { 'wazuh::dashboard':
    indexer_server_ip  => "$indexerhost",
    manager_api_host   => "$serverhost",
    stage => dashboard
  }
}

node "ip-172-31-39-213.ec2.internal" {
  class { "wazuh::agent":
    wazuh_register_endpoint => "$serverhost",
    wazuh_reporting_endpoint => "$serverhost"
  }
}
  2. Execute the command in the Wazuh server instance and check the output:
    # puppet agent -t
    
  3. Check the logs related to the vulnerabilities module of the Wazuh server:
    grep -iE "vuln|inde" /var/ossec/logs/ossec.log
    

Evidence

The error appears when reviewing the Wazuh server logs after the installation, in the output of the following command:

[root@ip-172-31-32-95 ec2-user]# grep -iE "vuln|inde" /var/ossec/logs/ossec.log 
2024/01/15 15:06:55 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/01/15 15:06:56 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Invalid feed update interval.
2024/01/15 15:27:53 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/01/15 16:12:59 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/01/15 16:12:59 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Invalid feed update interval.
2024/01/15 16:27:51 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/01/15 17:01:32 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/01/15 17:01:32 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Invalid feed update interval.
2024/01/15 17:02:22 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/01/15 17:02:40 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/01/15 17:02:41 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Invalid feed update interval.
2024/01/15 17:12:47 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/01/15 17:20:53 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/01/15 17:20:54 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Invalid feed update interval.
2024/01/15 17:27:52 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/01/17 12:03:56 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/01/17 12:03:56 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::start: Invalid feed update interval.

Regarding the Wazuh server configuration:

[root@ip-172-31-32-95 ec2-user]# grep -C3 detection /var/ossec/etc/ossec.conf 
  
  </sca>
    
  # Configuration for Vulnerability detection
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>yes</feed-update-interval>
</vulnerability-detection>

I fixed the feed-update-interval closing tag related to #899, but the value is unexpected. This seems to be related to https://github.com/wazuh/wazuh-puppet/blob/v4.8.0-alpha2/templates/fragments/_vulnerability_detection.erb#L5.

Expected results

The vulnerabilities module of the Wazuh server should work correctly when this is enabled.
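
A rendered configuration like the one above can be checked right after the Puppet run, before the scanner silently stays down. The script below is an added example, not part of the original issue or of wazuh-puppet; its function names, the `60m` sample value and the assumed rule (a positive integer followed by s, m, h or d, with a 60-minute minimum) are assumptions to adjust to the Wazuh version in use.

```shell
#!/bin/sh
# Added example: validate <feed-update-interval> in a rendered ossec.conf.
# Assumption: valid means <positive integer><s|m|h|d> and at least
# MIN_SECONDS long (3600 = 60m here); adjust to your Wazuh version.
MIN_SECONDS=3600

# Block as rendered in the issue, and a constructed corrected version.
BROKEN_CONF='<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>yes</feed-update-interval>
</vulnerability-detection>'
FIXED_CONF='<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>'

# Print the interval found inside the vulnerability-detection block (stdin).
feed_interval_value() {
  sed -n '/<vulnerability-detection>/,/<\/vulnerability-detection>/p' |
    sed -n 's:.*<feed-update-interval>\(.*\)</feed-update-interval>.*:\1:p' |
    head -n 1
}

# Exit status: 0 valid, 1 malformed or too short, 2 setting not found.
check_feed_interval() {
  value=$(feed_interval_value)
  [ -n "$value" ] || { echo "feed-update-interval: not found"; return 2; }
  if ! printf '%s\n' "$value" | grep -Eq '^[1-9][0-9]*[smhd]$'; then
    echo "feed-update-interval: '$value' is not <number><s|m|h|d>"; return 1
  fi
  number=${value%?}
  case ${value#"$number"} in
    s) seconds=$number ;;
    m) seconds=$((number * 60)) ;;
    h) seconds=$((number * 3600)) ;;
    d) seconds=$((number * 86400)) ;;
  esac
  [ "$seconds" -ge "$MIN_SECONDS" ] ||
    { echo "feed-update-interval: '$value' is under ${MIN_SECONDS}s"; return 1; }
  echo "feed-update-interval: '$value' ok"
}

printf '%s\n' "$BROKEN_CONF" | check_feed_interval || true
printf '%s\n' "$FIXED_CONF" | check_feed_interval || true
```

On a live manager the same check runs as `check_feed_interval < /var/ossec/etc/ossec.conf`, and a non-zero exit status can fail the deployment pipeline.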

@teddytpc1

This was fixed and the correct variable will be used.
