Scanning unsupported systems

Checking the registered name of the operating system

The registered name of the operating system on which you have installed the ThreatLockDown agent is the name in the ThreatLockDown database. The operating system registered name may differ from what you expect. You can check the name using the steps below.

1. Generate a JSON Web Token (JWT) for authenticating to the ThreatLockDown server by running the following command. The default API credentials are wazuh:wazuh.

   # TOKEN=$(curl -u <USER>:<PASSWORD> -k -X GET "https://<MANAGER_IP>:55000/security/user/authenticate?raw=true")
   

   Run the command echo $TOKEN to confirm that the token was successfully generated. You should get an output like this:

   eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjQzMDExMjQ0LCJleHAiOjE2NDMwMTIxNDQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.Ad6zOZvx0BEV7K0J6s3pIXAXTWB-zdVfxaX2fotLfZMQkiYPMkwDaQHUFiOInsWJ_7KZV3y2BbhEs9-kBqlJAMvMAD0NDBPhEQ2qBd_iutZ7QWZECd6eYfIP83xGqH9iqS7uMI6fXOKr3w4aFV13Q6qsHSUQ1A-1LgDnnDGGaqF5ITYo
   

2. Run the following command to use the ThreatLockDown RESTful API endpoint GET /agents:

   # curl -k -X GET "https://localhost:55000/agents?pretty=true&agents_list=<AGENT_ID>&select=os.name,os.major" -H  "Authorization: Bearer $TOKEN"
   

   Where <AGENT_ID> is the agent ID whose operating system we want to check, for example 005.

   {
      "data": {
         "affected_items": [{"os": {"major": "7", "name": "Oracle Linux Server"}, "id": "005"}],
         "total_affected_items": 1,
         "total_failed_items": 0,
         "failed_items": [],
      },
      "message": "All selected agents information was returned",
      "error": 0,
   }
   

   Alternatively run the following command to check the database manually:

   # sqlite3 /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = <AGENTID>;"
   

   Where <AGENTID> is the ID of the agent whose operating system we want to check, for example 5.

   Oracle Linux Server|7
   

   You need the name and major operating system version to configure the Vulnerability Detection module.

Configuring Vulnerability Detection module to include unsupported systems

Use the format OS_name-OS_major with the allow attribute to include the operating system. For example Oracle Linux Server-7. Add a list of systems separated by commas to include more than one operating system.

For example, if you want to scan PopOS 18 and Linux Mint 19 using the vulnerability content documents for Canonical, add the following setting:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <os allow="Linux Mint-19,Pop!_OS-18">canonical</os>
</vulnerability-detection>

To scan Kali Linux 2023 using the vulnerability content documents for Debian, add the following setting:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <os allow="Kali GNU/Linux-2023">debian</os>
</vulnerability-detection>

You can also detect vulnerabilities in other operating systems using vulnerability content documents for Redhat. Additionally, you can use a substring of the operating system extracted from the agent in the second step. For this reason, you see Oracle Linux instead of Oracle Linux Server in the following example.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <os allow="Oracle Linux-7">redhat</os>
</vulnerability-detection>