Scanning unsupported systems
Our Cyber Threat Intelligence (CTI) platform supports a comprehensive list of operating systems for vulnerability detection. Operating systems not in this list are unsupported systems. Examples of unsupported operating systems are Linux Mint and Oracle Linux. To detect vulnerabilities in unsupported operating systems, you must configure the Vulnerability Detection module to use existing vulnerability content documents for supported operating systems. You can do this using the allow
option. The allow
option indicates that the module can detect the vulnerabilities of an unsupported operating system using an alternative source.
This section explains how to extend support for unsupported operating systems.
Warning
This configuration can lead to false positives. The OS vendor of the unsupported operating system handles the package management and security patching independently of the configured source.
Checking the registered name of the operating system
The registered name of the operating system on which you have installed the ThreatLockDown agent is the name in the ThreatLockDown database. The operating system registered name may differ from what you expect. You can check the name using the steps below.
Generate a JSON Web Token (JWT) for authenticating to the ThreatLockDown server by running the following command. The default API credentials are
wazuh:wazuh
.# TOKEN=$(curl -u <USER>:<PASSWORD> -k -X GET "https://<MANAGER_IP>:55000/security/user/authenticate?raw=true")
Run the command
echo $TOKEN
to confirm that the token was successfully generated. You should get an output like this:eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjQzMDExMjQ0LCJleHAiOjE2NDMwMTIxNDQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.Ad6zOZvx0BEV7K0J6s3pIXAXTWB-zdVfxaX2fotLfZMQkiYPMkwDaQHUFiOInsWJ_7KZV3y2BbhEs9-kBqlJAMvMAD0NDBPhEQ2qBd_iutZ7QWZECd6eYfIP83xGqH9iqS7uMI6fXOKr3w4aFV13Q6qsHSUQ1A-1LgDnnDGGaqF5ITYo
Run the following command to use the ThreatLockDown RESTful API endpoint GET /agents:
# curl -k -X GET "https://localhost:55000/agents?pretty=true&agents_list=<AGENT_ID>&select=os.name,os.major" -H "Authorization: Bearer $TOKEN"
Where <AGENT_ID> is the agent ID whose operating system we want to check, for example 005.
{ "data": { "affected_items": [{"os": {"major": "7", "name": "Oracle Linux Server"}, "id": "005"}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": [], }, "message": "All selected agents information was returned", "error": 0, }
Alternatively run the following command to check the database manually:
# sqlite3 /var/ossec/queue/db/global.db "SELECT OS_NAME, OS_MAJOR FROM AGENT WHERE ID = <AGENTID>;"
Where <AGENTID> is the ID of the agent whose operating system we want to check, for example 5.
Oracle Linux Server|7
You need the name and major operating system version to configure the Vulnerability Detection module.
Configuring Vulnerability Detection module to include unsupported systems
Use the format OS_name-OS_major
with the allow
attribute to include the operating system. For example Oracle Linux Server-7
. Add a list of systems separated by commas to include more than one operating system.
For example, if you want to scan PopOS 18 and Linux Mint 19 using the vulnerability content documents for Canonical, add the following setting:
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
<os allow="Linux Mint-19,Pop!_OS-18">canonical</os>
</vulnerability-detection>
To scan Kali Linux 2023 using the vulnerability content documents for Debian, add the following setting:
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
<os allow="Kali GNU/Linux-2023">debian</os>
</vulnerability-detection>
You can also detect vulnerabilities in other operating systems using vulnerability content documents for Redhat. Additionally, you can use a substring of the operating system extracted from the agent in the second step. For this reason, you see Oracle Linux
instead of Oracle Linux Server
in the following example.
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
<os allow="Oracle Linux-7">redhat</os>
</vulnerability-detection>