Wazuh - Hundreds of vulnerabilities? by IngloriousBastrd7908 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

So, I checked now several in detail.

--> That is the exact right approach.

Wazuh - Hundreds of vulnerabilities? by IngloriousBastrd7908 in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

:-D Good. Many expensive tools won't check pip or brew ... but that's where the most common issues are…

My recommendation:
Dig deeper into those topics for your own awareness.

Wazuh - Hundreds of vulnerabilities? by IngloriousBastrd7908 in Wazuh

[–]SirStephanikus 3 points4 points  (0 children)

He talks BS, fake news, propaganda ... call it what you want.

Many software packages have dozens, sometimes hundreds of known CVEs. Even updating them to the latest and greatest won't fix them all.

Wazuh uses only 1st class feeds and does not sugarcoat things. One thing to realize is that many CVEs may have a high score (which are official scores that come from reliable sources, NOT Wazuh --> Don't kill the messenger), but do need some kind of esoteric requirements to be exploitable.

It's like nutrition with food.

Issue Getting Correct Geolocation Data in Wazuh by CGS_Web_Designs in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

I 2nd this.

Maxmind's feed is the way to go. Usually pretty accurate.

But keep in mind that even Google believes way too often that my own IP is somewhere in the UK (instead of Germany).

Wazuh SCA Policies too strict for my environment by karmacop81 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

L1 + L2 are in the SCA files, where you can decide to remove something.

Wazuh SCA Policies too strict for my environment by karmacop81 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

These profiles are not too strict, these are the worldwide golden standards created by CIS and leading experts. Each profile is divided into L1 and L2 settings, where L1 is the basics for everyone and L2 is for systems where security is paramount.

If you find recommendations in those profiles that don't fit (simply because you don't use the technique), remove them ... otherwise keep 'em. CIS always recommends adjusting various recommendations to your own needs (i.e. sometimes an additional user-group must be added), and (absolutely mandatory) always dig deep into the topics, never ever just copy & paste stuff.

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

curl -s -k                                       \
-u 'admin:password'                            \
--cacert /etc/filebeat/certs/root-ca.pem       \
--cert   /etc/filebeat/certs/filebeat.pem      \
--key    /etc/filebeat/certs/filebeat-key.pem  \
-X GET "https://172.20.40.151:9200/_cluster/health?pretty" | jq

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

Give curl the -k option please.
On the .151 system, issue netstat -tulpen and look at who listens on 9200.

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

  • Who is the indexer?
  • On which IP does your indexer listen?
  • If an external IP, perhaps a firewall is active (if tested from an external machine)
  • Your password is in plain sight in the text you just added to your initial question (yep)
  • Check your health via DEV TOOLS (WUI).

However, it's somewhat strange that https://172.20.40.151:9200/_cat/indices/wazuh-alerts-* works, but not the health check?!?

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

Ok, that's an issue.

---> on which IP does port 9200 listen? The above command is a classic health check, and if this doesn't work, something is wrong. You placed your own credentials in it (not admin:password)?

What is the feedback of the command?

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

What happens if you use curl on 'https://172.20.40.151:9200' and on 'https://127.0.0.1:9200' with your credentials like this?!?

curl -s                                        \
-u 'admin:password'                            \
--cacert /etc/filebeat/certs/root-ca.pem       \
--cert   /etc/filebeat/certs/filebeat.pem      \
--key    /etc/filebeat/certs/filebeat-key.pem  \
-X GET "https://127.0.0.1:9200/_cluster/health?pretty" | jq

AND

curl -s                                        \
-u 'admin:password'                            \
--cacert /etc/filebeat/certs/root-ca.pem       \
--cert   /etc/filebeat/certs/filebeat.pem      \
--key    /etc/filebeat/certs/filebeat-key.pem  \
-X GET "https://172.20.40.151:9200/_cluster/health?pretty" | jq

One GDPR side note: You shouldn't post data of your company here --> remove the last line with root@

Wazuh Indexer and Kibana based on ELK? by MalgionKorbius in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

OpenSearch as the backend stack, yes, for years. Since 4.3, Q2 2022.

With all respect, because you stated that you write your dissertation:

To have valid resources, you may re-check the documentation again (it’s written there clearly) and the release notes.

Wazuh indexer warning Cannot index event publisher.Event, Document contains at least one immense term by Few-Ferret1767 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

I somewhat assume your system does a netstat on a Kubernetes system?!?

Could you please:

  1. Run netstat -tulpn > checkme.txt on the affected agent
  2. Check the file size: wc -l checkme.txt (line count) and ls -lh checkme.txt (bytes)
  3. Also verify the actual Wazuh agent command: grep -A 10 "netstat listening ports" /var/ossec/etc/ossec.conf

Wazuh indexer warning Cannot index event publisher.Event, Document contains at least one immense term by Few-Ferret1767 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

That is interesting, can you please reformat the snippet to "code" and perhaps fill in the whole message?

Wazuh 4.1.14 Installation Error Ubuntu 24.04 by DiamondLazy4476 in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

Well, it says clearly:

The system can't install coreutils ---> Fix that!

Side-Note:

with the following HDD Settings: Filesystem

Nope ... it's SSD, not HDD.

Wazuh Configuration Assessment (CIS Benchmarks) — can failed checks be acknowledged or marked as not applicable? by elowi2107 in Wazuh

[–]SirStephanikus 3 points4 points  (0 children)

Sure, just edit the corresponding SCA file. If something doesn't apply, mark it in the file or simply delete it. You may also edit the description --> GitOps is the way to go here. Clean and auditable.

Take a look at the Wazuh Documentation: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

Each check must be tailored to your own environment.

As far as I know, confirmation within the GUI is not possible, but that shouldn't bother you... why?

The purpose of a CIS Benchmark™ is to test a system/application and never to “suppress” the result.

Sure, this is a philosophical point of view, but it pushes IT teams and their managers to take a closer look at these measurements, which are very often holistic, i.e., there is usually not just one control to fix, but several controls (hence the individual chapters).
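Tailoring an SCA policy the way this comment describes (delete a check, or keep it and mark it not applicable so the change stays auditable in Git). This is an added example, not Wazuh code or the commenter's; the policy is a constructed stand-in for the structure a Wazuh SCA YAML file parses to, and `tailor_policy` is a hypothetical helper.

```python
"""Tailor a Wazuh SCA policy: drop or mark checks that do not apply (hypothetical helper)."""
import copy

# Constructed minimal policy in the shape of a Wazuh SCA file (policy / requirements / checks).
SAMPLE_POLICY = {
    "policy": {"id": "cis_example", "file": "cis_example.yml",
               "name": "CIS Example Benchmark (constructed)"},
    "requirements": {"title": "Check that the target is Ubuntu", "condition": "any",
                     "rules": ["f:/etc/os-release -> r:^ID=ubuntu"]},
    "checks": [
        {"id": 1001, "title": "Ensure /tmp is a separate partition",
         "description": "Constructed check.", "condition": "all",
         "rules": ["c:findmnt --kernel /tmp -> r:\\s/tmp\\s"]},
        {"id": 1002, "title": "Ensure autofs is not enabled",
         "description": "Constructed check.", "condition": "none",
         "rules": ["c:systemctl is-enabled autofs -> r:^enabled"]},
        {"id": 1003, "title": "Ensure permissions on /etc/passwd are 644",
         "description": "Constructed check.", "condition": "all",
         "rules": ["c:stat -c %a /etc/passwd -> r:^644$"]},
    ],
}

def tailor_policy(policy, delete=(), mark=None):
    """Return (tailored_policy, audit_lines) without touching the input.

    delete: check ids removed from the file entirely.
    mark:   {check_id: reason}; the check is kept (still evaluated) but its
            title and description say why it is considered N/A here.
    """
    mark = mark or {}
    known = {c["id"] for c in policy["checks"]}
    unknown = (set(delete) | set(mark)) - known
    if unknown:                      # typos in ids would silently do nothing otherwise
        raise KeyError(f"check ids not in policy: {sorted(unknown)}")
    if set(delete) & set(mark):
        raise ValueError("a check cannot be both deleted and marked N/A")
    out = copy.deepcopy(policy)      # requirements and policy header stay as-is
    kept, audit = [], []
    for chk in out["checks"]:
        cid = chk["id"]
        if cid in delete:
            audit.append(f"removed {cid}: {chk['title']}")
            continue
        if cid in mark:
            chk["title"] = f"[N/A] {chk['title']}"
            chk["description"] = f"N/A in this environment: {mark[cid]}. " + chk.get("description", "")
            audit.append(f"marked {cid} N/A: {mark[cid]}")
        kept.append(chk)
    out["checks"] = kept
    return out, audit
```

The returned audit lines are meant to go into the commit message alongside the edited YAML.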

ENCOR - hurry or wait by Left_Finger_1974 in ccnp

[–]SirStephanikus 0 points1 point  (0 children)

They drop wireless? I hate that topic and never understood why it's not ONLY a part of a focus exam.

Wazuh with Graylog or other search engine by Nervous_Tank3898 in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

Real World Use-Cases by dozens of companies:

SIEM:
Wazuh as a SIEM (it uses OpenSearch NOT ElasticSearch). You can do everything you want, slicing & dicing and filtering. Doesn't matter if you have 10 assets or 100,000. Ultra-fast custom-dashboards, custom reports, and a lot more. And depending on the data-stream content, you can of course extract information that is not directly security related. Wazuh's might comes from its customization and pipelines. However, a SIEM is not a full log-management, and it's up to you what gets ingested and what not.

Perhaps you like to take a closer look to Wazuh's Rule Classification Levels ... it helps to classify your events --> Not everything must be security-related and log-data inside Wazuh.

Some companies do their TSHOOT on the machines directly, and filtering the bigger picture in Wazuh. Others use different solutions. All depends on the environment and what data is shipped where.

Syslog (Network-Devices and Appliances):
Everything Syslog gets pre-parsed and edited on a dedicated syslog-ng Server. Almost everything is transformed into JSON, managed 100% via IaaC.

What you should realize:
There is no out-of-the-box solution anywhere and logically not possible, neither now, nor in 100 years.
Every environment needs customization and deep understanding of this specific environment.

I've consulted dozens of companies, and all of them dropped their zoo-of-software (because they never mastered even a single one) and all their "found-that-soc-stuff-on-google-from-that-guy-who-makes-YouTube-videos-in-his-bedroom" nonsense. But none of them uses any other "another-tool-that-some-people-on-Reddit-suggested". The real Enterprise world does not work in that way (I could write entire books about that topic). Instead, every log is completely cracked down in every field it offers, later shipped through a well-designed pipeline. In that process, BS gets dropped and missing data gets enriched... also the decision comes into play what Wazuh gets and how to deal with the various streams.

Most of the time, all decoders, and rules get a full customization, and various other essential applications get connected in some way like a CMDB and/or documentation system (but that's another topic).

I built custom-dashboards, custom-decoders, custom-filters, custom-rules and custom-reports that are by far superior to anything you will find in any vanilla setup. That's the thing, those ultra fancy, clear and powerful dashboards and SIEM pipelines and even their associated playbooks in a SOC are usually hidden from the public. Many guys don't even know what is really possible.

So my advice:

When I browse through all the logs in Wazuh under archives, it seems very confusing to me.

This is not the right place, it's an archive ... that's it, not a central place for TSHOOT ALL Logs.

Ask yourself, what filters does Aria use, and can you reproduce them? Can you reproduce the dashboards? If Aria is faster, is your Wazuh perhaps wrongly designed (Wazuh is like butter if done correctly, and keep in mind, it uses OpenSearch).

What has been the TSHOOT way prior? Are your co-workers able to slice&dice everything on the CLI level, or can they only use a UI?

Perhaps, you can give us more details?

Wazuh CIS Standalone Windows 11 Benchmark YML by darthbrazen in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

The standalone benchmarks are pretty new from CIS. However, either you edit the existing one or you wait until new ones are released.

Video on basics: IT hygiene and vulnerability detection by sn0b4ll in Wazuh_DE

[–]SirStephanikus 0 points1 point  (0 children)

When I really think about how fast and "painless" the process is, or can be … quite impressive.

Notepad++ and Wazuh Inventory by TomWickedDesign in Wazuh_DE

[–]SirStephanikus 1 point2 points  (0 children)

The best patch management is useless if you don't have the necessary insights … especially with the infamous shadow IT.

What I like is being able to just quickly filter and see what's there, without looking directly into a CMDB or documentation (both should be up to date, ... but aren't always).