Merge pull request #6140 from wazuh/6138-vulnerability-detection-guid…

…e-update Section update: Vulnerability detection guide
wazuh · Jun 5, 2023 · 597bc7e · 597bc7e
2 parents 8c334de + 639639d
commit 597bc7e
Show file tree

Hide file tree

Showing 6 changed files with 143 additions and 12 deletions.
diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js
@@ -251,6 +251,7 @@ newUrls['4.4'] = [
   '/user-manual/capabilities/system-calls-monitoring/use-cases/monitoring-commands-run-as-root.html',
   '/user-manual/capabilities/system-calls-monitoring/use-cases/privilege-abuse.html',
   '/user-manual/capabilities/wazuh-archives.html',
+  '/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html',
 ];
 
 /* Pages removed in 4.4 */

diff --git a/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst b/source/user-manual/capabilities/vulnerability-detection/cpe-helper.rst
@@ -157,7 +157,7 @@ The Vulnerability Detector module converts the dictionary entries to the CPE for
 +------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 
 How to translate a Windows program to CPE format
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+------------------------------------------------
 
 To include a Windows program in the CPE helper dictionary, it's necessary to know the vendor, product name, and program version present in the Wazuh software inventory. After this, it's necessary to look for the CPE that is suitable for the program to configure the dictionary entry with the appropriate values.
 
@@ -380,7 +380,7 @@ In this guide, we generate dictionary entries for *Skype* and *Skype for Busines
       The product `Skype for Business Basic 2016 - en-us` matches both ``^Skype for Business`` and ``^Skype`` patterns. However, the Vulnerability Detector uses the first because it sorts the entries by priority from top to bottom.
 
 Products whose version does not change between updates
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+------------------------------------------------------
 
 For some software products, generally from Microsoft, users cannot confirm vulnerabilities by consulting the National Vulnerability Database. These products do not change their visible version between updates, so the Vulnerability Detector cannot tell when the products are no longer vulnerable.
 
@@ -563,7 +563,7 @@ The Vulnerability Detector can automate this search using the CPE Helper and the
       }
 
 Products with update field
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+--------------------------
 
 Often, the product version isn't enough to decide if a specific CVE affects a program. In some cases, you also need to consider the `update` component of the CPE name. This section presents a use case for the CVE-2022-23277 vulnerability affecting Microsoft Exchange Server.
 

diff --git a/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst b/source/user-manual/capabilities/vulnerability-detection/how-it-works.rst
@@ -6,7 +6,7 @@
 How it works
 ============
 
-To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Also, the Wazuh server builds a global vulnerability database from publicly available CVE repositories. It uses this database to cross-correlate this information with the application inventory data of the agent. The database location is ``/var/ossec/queue/vulnerabilities/cve.db``, and users can query the database using ``SQLite``:
+To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Also, the Wazuh server builds a global :doc:`vulnerability database </user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database>` from publicly available CVE repositories. It uses this database to cross-correlate this information with the application inventory data of the agent:
 
 #. Start SQLite and open the vulnerability database using the following command.
 

diff --git a/source/user-manual/capabilities/vulnerability-detection/index.rst b/source/user-manual/capabilities/vulnerability-detection/index.rst
@@ -6,7 +6,9 @@
 Vulnerability detection
 =======================
 
-Wazuh Vulnerability Detector module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using Wazuh’s native integration with external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), SUSE Linux Enterprise, Microsoft, and the National Vulnerability Database (NVD).
+Vulnerabilities are security flaws in computer systems that threat actors can exploit to gain unauthorized access to these systems. After exploitation, malware and threat actors may be able to perform remote code execution, exfiltrate data, and carry out other malicious activities. Therefore, organizations must have strategies or security solutions that promptly detect vulnerabilities in their network before bad actors exploit them. Prompt detection and remediation of vulnerabilities in a network help to strengthen its overall security posture.
+
+The Wazuh Vulnerability Detector module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using Wazuh native integration with external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD).
 
 .. topic:: Contents
 
@@ -19,3 +21,4 @@ Wazuh Vulnerability Detector module helps users discover vulnerabilities in the
       allow-os
       cpe-helper
       offline-update
+      querying-the-vulnerability-database
diff --git a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst
@@ -89,7 +89,7 @@ To update the vulnerability feed from a user-defined repository, use a configura
       <update_interval>1h</update_interval>
    </provider>
 
-To use a local feed file, add the path attribute accompanying the os option as follows.
+To use a local feed file, add the ``path`` attribute accompanying the ``os`` option as follows.
 
 .. code-block:: xml
 
@@ -106,7 +106,7 @@ Debian Security Tracker JSON feed
 To perform an offline update, you must download the corresponding file.
 
 +------------+--------------------------------------------------------------------------------------------+
-| OS         | File                                                                                       |
+| OS         | Files                                                                                      |
 +============+============================================================================================+
 | ALL        | `Debian Security Tracker JSON <https://security-tracker.debian.org/tracker/data/json>`_    |
 +------------+--------------------------------------------------------------------------------------------+
@@ -195,7 +195,7 @@ Alternatively, the feeds can be loaded from a local path. To achieve this, use t
 Red Hat Security Data JSON feed
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-To perform an offline update, you must make requests to Redhat's API to get the feed pages starting from a specified date. Wazuh provides a script that automates the process of downloading the feed and checking for API downtime. The script downloads all the CVE data since the year 1999 by default. We recommend you use the default starting year to maintain a more comprehensive vulnerability database.
+To perform an offline update, you must make requests to Redhat's API to get the feed pages starting from a specified date. Wazuh provides an `update script <https://github.com/wazuh/wazuh/blob/4.3/tools/vulnerability-detector/rh-generator.sh>`__ that automates the process of downloading the feed and checking for API downtime. The script downloads all the CVE data since the year 1999 by default. We recommend you use the default starting year to maintain a more comprehensive vulnerability database.
 
 How to use the update script
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -212,7 +212,7 @@ How to use the update script
 
       # ./rh-generator.sh /local_path/rh-feed
 
-   The script may output an error message like the following.
+   The script might output an error message like the following.
 
    .. code-block:: console
       :class: output
@@ -247,7 +247,7 @@ Arch
 To perform an offline update of the Arch feed, download the corresponding JSON file.
 
 +------------+--------------------------------------------------------------------------------------------+
-| OS         | File                                                                                       |
+| OS         | Files                                                                                      |
 +============+============================================================================================+
 | Rolling    | `all.json <https://security.archlinux.org/issues/all.json>`_                               |
 +------------+--------------------------------------------------------------------------------------------+
@@ -308,7 +308,7 @@ Alternatively, you can load the feeds from a local path with the ``path`` attrib
    </provider>
 
 SUSE
-^^^^
+----
 
 Currently, the SUSE Linux vulnerabilities are fetched from one OVAL file for each supported SUSE Linux version.
 
@@ -361,7 +361,7 @@ Alternatively, they also can be loaded from a local path as follows:
 National Vulnerability Database
 -------------------------------
 
-To perform an offline update of the National Vulnerability Database, you must request its feed stating a starting year. Wazuh provides a `script <https://github.com/wazuh/wazuh/blob/4.4/tools/vulnerability-detector/nvd-generator.sh>`__ that automates the process of downloading the feed and checking for server downtime.
+To perform an offline update of the National Vulnerability Database, you must request its feed stating a starting year. Wazuh provides an `update script <https://github.com/wazuh/wazuh/blob/4.4/tools/vulnerability-detector/nvd-generator.sh>`__ that automates the process of downloading the feed and checking for server downtime.
 
 How to use the update script
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

diff --git a/...al/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst b/...al/capabilities/vulnerability-detection/querying-the-vulnerability-database.rst
@@ -0,0 +1,127 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+   :description: You can find the vulnerability database on the Wazuh server and query it using SQLite. Learn more about it in this section of our documentation.
+
+Querying the vulnerability database
+===================================
+
+You can find the vulnerability database at ``/var/ossec/queue/vulnerabilities/cve.db`` on the Wazuh server and query it using ``SQLite``. ``SQLite`` provides an interface that you can use to interact with SQL databases. 
+
+Perform the following steps to query the vulnerability database using SQLite.
+
+#. Start ``SQLite`` and open the vulnerability database using the following command:
+
+   .. code-block:: console
+
+      # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
+
+#. List the tables in the database using the following command:
+
+   .. code-block:: sqlite3
+
+      sqlite> .tables
+
+#. Retrieve all the data in a table by running the following command:
+
+   .. code-block:: sqlite3
+
+      sqlite> SELECT * from <TABLE>;
+
+Replace ``<TABLE>`` with the name of the table you are interested in. 
+
+.. Warning::
+   Don’t make changes to the database. It can lead to issues when the Vulnerability Detector module is running a scan.
+
+Use Case: Find all KBs that patch a specified CVE for Windows endpoints
+-----------------------------------------------------------------------
+
+In this example, you will see how to find all Windows Knowledge Base (KB) updates that patch a specific vulnerability on Windows endpoints from the vulnerability database. You can achieve this using ``SQLite`` on the Wazuh server.
+
+#. Start ``SQLite`` and open the vulnerability database using the following command:
+
+   .. code-block:: console
+
+      # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
+
+#. Run ``.mode line`` in the SQLite prompt to configure the SQLite output format.
+
+#. Run the following command to view all the details of the chosen CVE and operating system: 
+
+   .. code-block:: sqlite3
+
+      sqlite> SELECT * FROM msu WHERE cveid = "<CVE_ID>" AND PRODUCT LIKE "%<OS_IDENTIFIER>%";
+
+   Where:
+
+   - ``<OS_IDENTIFIER>`` is a string from the operating system name. It displays result for only the specified operating system.
+   - ``<CVE_ID>`` is the identifier for the CVE. 
+
+   You can see an example below:
+
+   .. code-block:: sqlite3
+
+      sqlite> SELECT * FROM msu WHERE cveid = "CVE-2023-21524" AND PRODUCT LIKE "%Server 2022%";
+
+   .. code-block:: none
+      :class: output
+      :emphasize-lines: 3,12       
+
+      CVEID = CVE-2023-21524
+               PRODUCT = Windows Server 2022 (Server Core installation)
+                 PATCH = 5022291
+                 TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
+                   URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
+               SUBTYPE = Security Update
+      RESTART_REQUIRED = Yes
+            CHECK_TYPE = 1
+   
+                 CVEID = CVE-2023-21524
+               PRODUCT = Windows Server 2022
+                 PATCH = 5022291
+                 TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
+                   URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
+               SUBTYPE = Security Update
+      RESTART_REQUIRED = Yes
+            CHECK_TYPE = 1
+
+#. Run the command below to list all the KBs that patch ``KB5022291`` replaces. This will be a list of patches that are no longer necessary to install once a user installs ``KB5022291``.
+
+   .. code-block:: sqlite3
+
+      sqlite> SELECT patch FROM msu_supersedence WHERE super = "5022291";
+
+   .. code-block:: console
+      :class: output
+
+      PATCH = 5010796
+
+      PATCH = 5022291
+
+      PATCH = 5022553
+
+      PATCH = 5021656
+
+      PATCH = 5021249
+
+      PATCH = 5020436
+
+      PATCH = 5020032
+      ...
+
+#. Run the command below to get a list of all the patches that replaced ``KB5022291``. This list contains all the patches that resolve the same vulnerabilities as ``KB5022291`` when installed. 
+
+   .. code-block:: sqlite3
+
+      sqlite> SELECT super FROM msu_supersedence WHERE patch = "5022291";
+
+   .. code-block:: none
+      :class: output
+
+      SUPER = 5022291
+      SUPER = 5022842
+      SUPER = 5023705
+      SUPER = 5025230
+      SUPER = 5026370
+
+