Update CCS setup blog to work with Vulnerability Scanner

[MiguelazoDS]

Description

A user reported that the scanner was not working properly

After troubleshooting, the user shared the configuration used for the UI stack. Cross-Cluster Search detailed here.

CCS architecture

Conclusion

The manager was properly configured and the indexer directly connected to the manager has the information indexed, but the dashboard could not display the information in the dashboard.

DoD

This issue was created to investigate this setup and find a solution or the required changes through all the components to make this work.

[MiguelazoDS]

Research

Environment

Following step by step the guide here https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search

CCS environment

• Centos 9 (wazuh-indexer, wazuh-dashboard)

Cluster A

• Manager: Ubuntu Jammy (wazuh-server, wazuh-indexer)
• Agent : Arch Linux

Deployment

• Indices indexer CCS environment

• Indices indexer Cluster A

• Indexed vulnerabilities

root@jammy:/home/vagrant/wazuh# curl -k -u admin:admin -XGET https://192.168.33.70:9200/wazuh-states-vulnerabilities-jammy/_search
{"took":1,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"wazuh-states-vulnerabilities-jammy","_id":"001_6f70d338e7db6bd7014f520b47ac02dfcbeb83a2_CVE-2020-15078","_score":1.0,"_source":{"agent":{"id":"001","name":"archlinux","type":"wazuh","version":"v4.9.0"},"host":{"os":{"full":"Arch Linux ","kernel":"6.10.0-arch1-2","name":"Arch Linux","platform":"arch","type":"arch","version":".rolling"}},"package":{"architecture":"x86_64","description":"An easy-to-use, robust and highly configurable VPN (Virtual Private Network)","name":"openvpn","size":1552249,"type":"pacman","version":"2.5.1-1"},"vulnerability":{"category":"Packages","classification":"CVSS","description":"OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.","detected_at":"2024-10-02T21:20:49.713Z","enumeration":"CVE","id":"CVE-2020-15078","published_at":"2021-04-26T14:15:08Z","reference":"https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements, https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html, https://community.openvpn.net/openvpn/wiki/CVE-2020-15078, https://security.gentoo.org/glsa/202105-25, https://usn.ubuntu.com/usn/usn-4933-1, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/","scanner":{"vendor":"Wazuh"},"score":{"base":5.0,"version":"2.0"},"severity":"Medium"},"wazuh":{"cluster":{"name":"jammy"},"schema":{"version":"1.0.0"}}}}]}}

• Agent connected

• After adding the indices in cluster A

Unable to visualize the dashboard

[MiguelazoDS]

Solution

Thanks to the indexer and dashboard teams' help, we could figure out how to fix this. It is just a setting we needed to tweak.

• If we check Dashboard Management -> Dashboard Management -> Index Patterns we can see no index for vulnerabilities.

• we just need to modify the index pattern for vulnerabilities in Dashboard Management -> App Settings
  with this value *:wazuh-states-vulnerabilities-*

Where the first '*' matches any indexer in any cluster.

• We can go then to the vulnerability dashboard

and verify the index pattern is now created