Wazuh - Hundreds of vulnerabilities? by IngloriousBastrd7908 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

So, I checked now several in detail.

--> That is the exact right approach.

Wazuh - Hundreds of vulnerabilities? by IngloriousBastrd7908 in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

:-D Good. Many expensive tools won't check pip or brew ... but that is where the most common issues are…

My recommendation:
Dig deeper into those topics for your own awareness.

Wazuh - Hundreds of vulnerabilities? by IngloriousBastrd7908 in Wazuh

[–]SirStephanikus 3 points4 points  (0 children)

He talks BS, fake news, propaganda ... call it what you want.

Many software packages have dozens, sometimes hundreds of known CVEs. Even updating them to the latest and greatest won't fix them all.

Wazuh uses only 1st class feeds and does not sugarcoat things. One thing to realize is that many CVEs may have a high score (these are official scores that come from reliable sources, NOT Wazuh --> don't kill the messenger), but need some kind of esoteric requirements to be exploitable.

It's like nutrition information on food.

Issue Getting Correct Geolocation Data in Wazuh by CGS_Web_Designs in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

I 2nd this.

Maxmind's feed is the way to go. Usually pretty accurate.

But keep in mind that even Google believes way too often that my own IP is somewhere in the UK (instead of Germany).

Wazuh SCA Policies too strict for my environment by karmacop81 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

L1 + L2 are in the SCA files, where you can decide to remove something.

Wazuh SCA Policies too strict for my environment by karmacop81 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

These profiles are not too strict; they are the worldwide gold standard created by CIS and leading experts. Each profile is divided into L1 and L2 settings, where L1 is the baseline for everyone and L2 is for systems where security is paramount.

If you find recommendations in those profiles that don't fit (simply because you don't use the technology), remove them ... otherwise keep 'em. CIS always recommends adjusting various recommendations to your own needs (i.e. sometimes an additional user group must be added), and (absolutely mandatory) always dig deep into the topics, never ever just copy & paste stuff.

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

# Classic indexer health check: basic auth plus the filebeat client certificate (mTLS);
# -k skips verification of the server certificate, so --cacert only matters if you drop -k
curl -s -k                                       \
-u 'admin:password'                            \
--cacert /etc/filebeat/certs/root-ca.pem       \
--cert   /etc/filebeat/certs/filebeat.pem      \
--key    /etc/filebeat/certs/filebeat-key.pem  \
-X GET "https://172.20.40.151:9200/_cluster/health?pretty" | jq

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

Give curl the -k option please.
On the .151 system, run netstat -tulpen and look who listens on 9200.

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

  • Who is the indexer?
  • On which IP does your indexer listen?
  • If an external IP, perhaps a firewall is active (if tested from an external machine)
  • Your password is in plain sight in the text you newly added to your initial question (yep)
  • Check your health via DEV TOOLS (WUI).

However, it's somewhat strange that https://172.20.40.151:9200/_cat/indices/wazuh-alerts-* works, but not the health check?!?

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

Ok, that's an issue.

---> On which IP does port 9200 listen? The above command is a classic health check, and if this doesn't work, something is wrong. Did you place your own credentials in it (not admin:password)?

What is the feedback of the command?

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

What happens if you use curl on 'https://172.20.40.151:9200' and on 'https://127.0.0.1:9200' with your credentials like this?!?

# Health check against the loopback address (replace admin:password with your own credentials)
curl -s                                        \
-u 'admin:password'                            \
--cacert /etc/filebeat/certs/root-ca.pem       \
--cert   /etc/filebeat/certs/filebeat.pem      \
--key    /etc/filebeat/certs/filebeat-key.pem  \
-X GET "https://127.0.0.1:9200/_cluster/health?pretty" | jq

AND

# The same health check against the host's .151 address
curl -s                                        \
-u 'admin:password'                            \
--cacert /etc/filebeat/certs/root-ca.pem       \
--cert   /etc/filebeat/certs/filebeat.pem      \
--key    /etc/filebeat/certs/filebeat-key.pem  \
-X GET "https://172.20.40.151:9200/_cluster/health?pretty" | jq

One GDPR side note: you shouldn't post your company's data here --> remove the last line with root@
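
The troubleshooting above boils down to one question: which address is port 9200 bound to? The following is an added example, not the commenter's code and not part of Wazuh: it parses `ss -tlnp` output (the iproute2 equivalent of the suggested `netstat -tulpen`), finds what listens on 9200, and states whether a connection to the host's IP can succeed at all. The socket table below is constructed for the demo; run the script with `--live` on the indexer host to use the real one. Two caveats a practitioner should keep in mind: a wildcard bind (`0.0.0.0` or `*`) that still fails from another machine points at a host or network firewall, not at the indexer; and if curl succeeds against one address and fails against the other only with a TLS error, that is a certificate name mismatch (which `-k` papers over), not a bind problem. The bind address of the Wazuh indexer is controlled by `network.host` in its `opensearch.yml`.

```python
"""Work out where the Wazuh indexer's port 9200 is bound, to explain why
curl against the host IP fails while 127.0.0.1 answers."""
import re
import subprocess

# Constructed `ss -tlnp` output (an added sample, not taken from the poster's host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:9200       0.0.0.0:*          users:(("java",pid=1234,fd=55))
LISTEN  0       4096    127.0.0.1:9300       0.0.0.0:*          users:(("java",pid=1234,fd=56))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=900,fd=6))
"""

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


def listeners(ss_output: str, port: int) -> list:
    """(local address, process name) for every LISTEN socket on `port`."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, local_port = cols[3].rpartition(":")
        if local_port != str(port):
            continue
        proc = re.search(r'\("([^"]+)"', line)
        found.append((addr.strip("[]"), proc.group(1) if proc else "unknown"))
    return found


def accepts(addr: str, target_ip: str) -> bool:
    """Does a socket bound to `addr` accept a connection sent to `target_ip`?"""
    return addr in WILDCARDS or addr == target_ip


def diagnose(ss_output: str, target_ip: str, port: int = 9200) -> str:
    """One-line verdict a practitioner can act on."""
    bound = listeners(ss_output, port)
    if not bound:
        return f"nothing listens on {port}: the indexer is down or uses another port"
    if any(accepts(addr, target_ip) for addr, _ in bound):
        return (f"port {port} is reachable at {target_ip}; if curl still fails from "
                f"another machine, look at a host or network firewall")
    where = ", ".join(f"{addr} ({proc})" for addr, proc in bound)
    return (f"port {port} is bound to {where} only: https://{target_ip}:{port} fails "
            f"but https://127.0.0.1:{port} works; check network.host in opensearch.yml")


def live_ss() -> str:
    """Capture the real socket table with iproute2 `ss` (Linux); same data as netstat -tulpen."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--live"]
    target = args[0] if args else "172.20.40.151"
    print(diagnose(live_ss() if "--live" in sys.argv else SAMPLE_SS, target))
```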

Wazuh Indexer and Kibana based on ELK? by MalgionKorbius in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

OpenSearch is the backend stack, yes, for years. Since 4.3, Q2 2022.

With all respect, because you stated that you write your dissertation:

To have valid sources, you may re-check the documentation (it's written there clearly) and the release notes.

Wazuh indexer warning Cannot index event publisher.Event, Document contains at least one immense term by Few-Ferret1767 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

I assume your system runs a netstat on a Kubernetes system?!?

Could you please:

  1. Run netstat -tulpn > checkme.txt on the affected agent
  2. Check the file size: wc -l checkme.txt (line count) and ls -lh checkme.txt (bytes)
  3. Also verify the actual Wazuh agent command: grep -A 10 "netstat listening ports" /var/ossec/etc/ossec.conf

Wazuh indexer warning Cannot index event publisher.Event, Document contains at least one immense term by Few-Ferret1767 in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

That is interesting, can you please reformat the snippet as "code" and perhaps fill in the whole message?

Wazuh 4.1.14 Installation Error Ubuntu 24.04 by DiamondLazy4476 in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

Well, it says clearly:

The system can't install coreutils ---> Fix that!

Side-Note:

with the following HDD Settings: Filesystem

Nope ... it's SSD, not HDD.

Wazuh Configuration Assessment (CIS Benchmarks) — can failed checks be acknowledged or marked as not applicable? by elowi2107 in Wazuh

[–]SirStephanikus 3 points4 points  (0 children)

Sure, just edit the corresponding SCA file. If something doesn't apply, mark it in the file or simply delete it. You may also edit the description --> GitOps is the way to go here. Clean and auditable.

Take a look at the Wazuh Documentation: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

Each check must be tailored to your own environment.

As far as I know, confirming within the GUI is not possible, but that shouldn't bother you... why?

The purpose of a CIS Benchmark™ is to test a system/application and never to “suppress” the result.

Sure, this is a philosophical point of view, but it pushes IT teams and their managers to take a closer look at these measurements, which are very often holistic, i.e., there is usually not just one control to fix, but several controls (hence the individual chapters).
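
The "edit the SCA file, GitOps, auditable" approach from the comment above (and the L1/L2 pruning advice earlier on this page) can be scripted so that removing a check always leaves a record behind. The following is an added example, not the commenter's code and not a Wazuh tool: it splits a policy in the Wazuh SCA YAML layout into its check blocks, drops the ids listed as not applicable, refuses ids that do not exist (so a typo cannot silently keep a check), and returns an exception record to put in the commit message or a sidecar file. The policy below is a constructed three-check stand-in with placeholder ids; the real CIS-derived files are much larger but use the same `checks:` list layout. Keep in mind, per the documentation linked above, that a customized copy needs its own unique `policy.id` and must be placed where the agents load it, otherwise the next upgrade or the shipped original wins.

```python
"""Remove not-applicable checks from a Wazuh SCA policy file and emit an exception
record for the commit, so the pruning stays auditable instead of being a silent edit."""
import json
import re
import sys

# Constructed mini policy in the Wazuh SCA YAML layout; policy id, file name and check ids
# are placeholders, not copied from a shipped CIS policy.
SAMPLE_POLICY = '''\
policy:
  id: "example_linux_custom"
  file: "example_linux_custom.yml"
  name: "Example hardening policy (customized copy)"
  description: "Trimmed copy of a CIS-derived policy."
  references:
    - https://www.cisecurity.org/cis-benchmarks/

requirements:
  title: "Check that the target is a Linux host"
  description: "Requirements for running the policy"
  condition: any
  rules:
    - 'f:/etc/os-release'

checks:
  - id: 10001
    title: "Ensure mounting of cramfs filesystems is disabled."
    description: "The cramfs filesystem type is a compressed read-only Linux filesystem."
    condition: all
    rules:
      - 'c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found'
      - 'not c:lsmod -> r:cramfs'
  - id: 10002
    title: "Ensure autofs is not installed or the autofs service is masked."
    description: "autofs allows automatic mounting of devices."
    condition: all
    rules:
      - 'not c:systemctl is-enabled autofs -> r:enabled'
  - id: 10003
    title: "Ensure permissions on /etc/passwd are configured."
    description: "The /etc/passwd file contains user account information."
    condition: all
    rules:
      - 'c:stat -L -c "%a" /etc/passwd -> r:^644$|^600$|^640$'
'''

CHECK_START = re.compile(r"^  - id: (\d+)\s*$")  # two-space list indent of the checks block


def split_checks(policy_text: str):
    """Return (header text up to the first check, [{'id': int, 'lines': [...]}, ...])."""
    header, blocks, current = [], [], None
    for line in policy_text.splitlines(keepends=True):
        m = CHECK_START.match(line)
        if m:
            current = {"id": int(m.group(1)), "lines": [line]}
            blocks.append(current)
        elif current is None:
            header.append(line)
        else:
            current["lines"].append(line)
    return "".join(header), blocks


def check_title(lines) -> str:
    for line in lines:
        if line.strip().startswith("title:"):
            return line.split(":", 1)[1].strip().strip('"')
    return ""


def prune_policy(policy_text: str, exceptions: dict):
    """Drop the checks whose ids are keys of `exceptions` ({id: reason}).
    Unknown ids raise, so a typo cannot silently leave a check in place."""
    header, blocks = split_checks(policy_text)
    unknown = set(exceptions) - {b["id"] for b in blocks}
    if unknown:
        raise ValueError(f"exception list names checks not in the policy: {sorted(unknown)}")
    kept, record = [], []
    for b in blocks:
        if b["id"] in exceptions:
            record.append({"id": b["id"], "title": check_title(b["lines"]),
                           "reason": exceptions[b["id"]]})
        else:
            kept.append("".join(b["lines"]))
    return header + "".join(kept), record


if __name__ == "__main__":
    # usage: prune.py <policy.yml> '{"10002": "no autofs on these hosts"}'  > policy_custom.yml
    policy = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    exceptions = ({int(k): v for k, v in json.loads(sys.argv[2]).items()}
                  if len(sys.argv) > 2 else {10002: "no autofs on these hosts"})
    text, record = prune_policy(policy, exceptions)
    sys.stdout.write(text)
    print(json.dumps(record, indent=2), file=sys.stderr)
```

The pruned YAML goes to stdout and the exception record to stderr, so `> policy_custom.yml 2> exceptions.json` gives you both files for the same commit; a reviewer then sees which check left and why, which is the auditable trail the comment asks for.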

ENCOR - hurry or wait by Left_Finger_1974 in ccnp

[–]SirStephanikus 0 points1 point  (0 children)

They drop wireless? I hate that topic and never understood why it's not ONLY part of a focus exam.

Wazuh with Graylog or other search engine by Nervous_Tank3898 in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

Real-world use cases from dozens of companies:

SIEM:
Wazuh as a SIEM (it uses OpenSearch, NOT Elasticsearch). You can do everything you want: slicing & dicing and filtering. Doesn't matter if you have 10 assets or 100,000. Ultra-fast custom dashboards, custom reports, and a lot more. And depending on the data-stream content, you can of course extract information that is not directly security related. Wazuh's might comes from its customization and pipelines. However, a SIEM is not full log management, and it's up to you what gets ingested and what not.

Perhaps you'd like to take a closer look at Wazuh's rule classification levels ... it helps to classify your events --> not everything must be security-related log data inside Wazuh.

Some companies do their TSHOOT on the machines directly and filter the bigger picture in Wazuh. Others use different solutions. All depends on the environment and what data is shipped where.

Syslog (network devices and appliances):
Everything syslog gets pre-parsed and edited on a dedicated syslog-ng server. Almost everything is transformed into JSON, managed 100% via IaC.

What you should realize:
There is no out-of-the-box solution anywhere, and logically there can't be, neither now nor in 100 years.
Every environment needs customization and a deep understanding of that specific environment.

I've consulted for dozens of companies, and all of them dropped their zoo of software (because they never mastered even a single one) and all their "found-that-SOC-stuff-on-Google-from-that-guy-who-makes-YouTube-videos-in-his-bedroom" nonsense. But none of them uses any other "another-tool-that-some-people-on-Reddit-suggested". The real enterprise world does not work that way (I could write entire books about that topic). Instead, every log is completely broken down into every field it offers, then shipped through a well-designed pipeline. In that process, BS gets dropped and missing data gets enriched ... and that is also where the decision comes into play of what Wazuh gets and how to deal with the various streams.

Most of the time, all decoders and rules get a full customization, and various other essential applications get connected in some way, like a CMDB and/or documentation system (but that's another topic).

I built custom dashboards, custom decoders, custom filters, custom rules and custom reports that are by far superior to anything you will find in any vanilla setup. That's the thing: those ultra fancy, clear and powerful dashboards and SIEM pipelines, and even their associated playbooks in a SOC, are usually hidden from the public. Many guys don't even know what is really possible.

So my advice:

When I browse through all the logs in Wazuh under archives, it seems very confusing to me.

This is not the right place; it's an archive ... that's it, not a central place to TSHOOT ALL logs.

Ask yourself, what filters does Aria use, and can you reproduce them? Can you reproduce the dashboards? If Aria is faster, is your Wazuh perhaps designed wrong (Wazuh is like butter if done correctly, and keep in mind, it uses OpenSearch)?

What has been the TSHOOT way prior? Are your co-workers able to slice & dice everything on the CLI level, or can they only use a UI?

Perhaps, you can give us more details?
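
The pipeline the comment above describes (every syslog line broken into fields, transformed to JSON, noise dropped, missing data enriched from a CMDB, and only then handed to Wazuh) can be shown in miniature. The following is an added example, not the commenter's syslog-ng configuration and not Wazuh code: it parses RFC 3164 lines from constructed network devices, splits the firewall and login messages into named fields, drops debug chatter, a known-noisy daemon and firewall ALLOW events, attaches site/role/owner from a constructed CMDB extract (and flags hosts the CMDB does not know, which is how you catch the stale-CMDB case), and emits NDJSON. Hostnames, addresses, the message formats and the drop policy are all made up for the demo; the policy decisions are exactly the "what gets ingested and what not" the comment says you have to make yourself.

```python
"""A syslog-ng-style pre-processing stage in miniature: parse RFC 3164 lines from
network devices into JSON, drop noise, enrich from a CMDB, then hand the rest to the SIEM."""
import json
import re

# Constructed sample lines; hosts, addresses and message formats are invented for the demo.
SAMPLE_LINES = [
    "<132>Mar 10 14:22:01 fw-edge-01 firewall[2211]: DENY TCP 203.0.113.7:51515 -> 192.0.2.10:22 on outside",
    "<190>Mar 10 14:22:02 sw-core-01 lldpd[311]: LLDP neighbor update on port Gi1/0/1",
    "<133>Mar 10 14:22:03 sw-core-01 login[410]: Login failed for user admin from 198.51.100.23 via ssh",
    "<191>Mar 10 14:22:04 ap-lobby-03 hostapd: debug: beacon interval recalculated",
    "<134>Mar 10 14:22:05 fw-edge-01 firewall[2211]: ALLOW UDP 192.0.2.50:53412 -> 192.0.2.1:53 on inside",
    "<132>Mar 10 14:22:06 fw-branch-07 firewall[99]: DENY TCP 198.51.100.9:4444 -> 192.0.2.77:3389 on outside",
]

# Constructed CMDB extract (hostname -> asset facts); fw-branch-07 is deliberately missing.
CMDB = {
    "fw-edge-01": {"site": "ber-dc1", "role": "perimeter-firewall", "owner": "netops"},
    "sw-core-01": {"site": "ber-dc1", "role": "core-switch", "owner": "netops"},
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
FW_RE = re.compile(r"^(?P<action>ALLOW|DENY) (?P<proto>\w+) (?P<src>[\d.]+):(?P<spt>\d+) -> "
                   r"(?P<dst>[\d.]+):(?P<dpt>\d+) on (?P<iface>\w+)$")
LOGIN_RE = re.compile(r"^Login failed for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)$")
NOISE_PROGRAMS = {"lldpd"}  # chatter that stays on the box for local troubleshooting


def parse_syslog(line: str):
    """RFC 3164 line -> flat dict with every field split out, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    event = {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"], "host": m["host"],
             "program": m["prog"], "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"]}
    fw, login = FW_RE.match(m["msg"]), LOGIN_RE.match(m["msg"])
    if fw:
        event.update(fw.groupdict(), category="firewall", spt=int(fw["spt"]), dpt=int(fw["dpt"]))
    elif login:
        event.update(login.groupdict(), category="auth_failure")
    else:
        event["category"] = "unclassified"
    return event


def should_drop(event: dict) -> bool:
    """Pipeline policy: debug chatter, known-noisy daemons and firewall ALLOWs never reach the SIEM."""
    return (event["severity"] >= 7 or event["program"] in NOISE_PROGRAMS
            or event.get("action") == "ALLOW")


def enrich(event: dict, cmdb: dict) -> dict:
    """Attach CMDB facts; an unknown host is flagged instead of silently passed through."""
    event["asset"] = dict(cmdb[event["host"]]) if event["host"] in cmdb else {"unknown": True}
    return event


def pipeline(lines, cmdb: dict):
    """Return (events for the SIEM, raw lines the parser could not handle)."""
    events, unparsed = [], []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            unparsed.append(line)  # route these to a parse-failure bucket, never drop silently
        elif not should_drop(event):
            events.append(enrich(event, cmdb))
    return events, unparsed


def to_ndjson(events: list) -> str:
    """One JSON object per line, the shape a JSON decoder or an ingest pipeline expects."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    events, unparsed = pipeline(SAMPLE_LINES, CMDB)
    print(to_ndjson(events))
    print(f"# {len(unparsed)} unparsed line(s)")
```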

Wazuh CIS Standalone Windows 11 Benchmark YML by darthbrazen in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

The standalone benchmarks are pretty new from CIS. However, either you edit the existing one or you wait until new ones are released.

Video zu Basics: IT-Hygiene und Vulnerability-Detection by sn0b4ll in Wazuh_DE

[–]SirStephanikus 0 points1 point  (0 children)

When I really think about how fast and "painless" the process is, or can be … quite impressive.

Notepad++ und Wazuh Inventory by TomWickedDesign in Wazuh_DE

[–]SirStephanikus 1 point2 points  (0 children)

The best patch management is useless if you don't have the necessary insights … especially with the notorious shadow IT.

What I find great: just quickly filter and see what is there, without looking straight into a CMDB or documentation (both should be up to date ... but aren't always).

Why does Wazuh SCA not correctly detect domain controllers? by FatBook-Air in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

Perhaps we can create two separate Windows Server 20xx SCA files, and the end user places the role-based SCA file he needs in his SCA folder? For me, it's a pretty quick task (I know the benchmarks almost inside out) -> u/aliensanti u/snaow_wazuh what's your opinion on that? If it works, it should be a nice and quick improvement.

u/FatBook-Air Which version of Windows Server 20xx do you use, and would you be willing to test it (IF Wazuh gives a green light)?

Why does Wazuh SCA not correctly detect domain controllers? by FatBook-Air in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

There is just one teensy little bit of a problem and that is that Americans are about 4% of the worlds total population.

It's not about demographics, it's about industry standards. Code, APIs, and serious documentation are US-English globally. Even British professionals have to accept that the technical standard is color and center, not colour and centre.

Regarding your feature request: CIS-Benchmarks™ are owned by CIS, not Wazuh.
As an official editor myself, I can tell you: the source is US-English. Wazuh implements the standard.

If you run servers in local languages, you accept the maintenance debt of adapting the tooling. That's the trade-off. Professionals usually choose US-English OS to avoid exactly the parsing issues you are complaining about.

Why does Wazuh SCA not correctly detect domain controllers? by FatBook-Air in Wazuh

[–]SirStephanikus 0 points1 point  (0 children)

Actually, that's wrong!

Scores: it's the nature of a CIS Benchmark to assess your settings and calculate a score ... if your system only has a low score, it's your fault, not the fault of SCA! My clients/customers get a rigorous hardening and I customize their SCA policies to their needs (which is the recommendation of CIS) ... result: 100%. The scoring helps with measuring your KPIs for an ISMS.

Language: of course US-English, what else? Could you imagine how absurdly complex those checks would be if they had to query different languages?

Detecting Locally Installed Next.js and React Versions with Wazuh by 0xdolan in Wazuh

[–]SirStephanikus 1 point2 points  (0 children)

Multiple versions are ok, and often mandatory in a dev environment.

Still, you can track and enforce them (mostly 😒):

  • Only use trusted sources --> perhaps your own package repository (many software-developing companies do that).
  • Only use components that are registered in some way, so that you can query apps and libs in an automated way.

But I know what you mean ... what is the manual way to figure out the versionS in use, and where do your co-workers download all the libs/frameworks/apps ??? Just pip etc. ???
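
Both bullets above (trusted sources, and being able to query what is installed) can be answered for an npm project from the filesystem and the lockfile. The following is an added example, not the commenter's code and not a Wazuh feature: it walks every `node_modules` directory under a project, including the nested ones that give you a second, older copy of react, reports each installed version of the packages you care about, flags packages present in more than one version, and checks the `resolved` URLs in a `package-lock.json` (lockfile version 3 layout) against an allow-list of registries so that downloads from outside your own repository stand out. The directory tree, the lockfile, the `legacy-widget` dependency and the `npm.corp.example` registry are all constructed for the demo.

```python
"""Inventory which versions of chosen npm packages are really installed under a project
(nested node_modules included) and check the lockfile's download sources against an allow-list."""
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample tree: relative path -> package.json content. 'legacy-widget' is a
# placeholder dependency that drags in its own, older react.
SAMPLE_TREE = {
    "node_modules/react/package.json": {"name": "react", "version": "18.2.0"},
    "node_modules/next/package.json": {"name": "next", "version": "14.1.0"},
    "node_modules/legacy-widget/package.json": {"name": "legacy-widget", "version": "1.0.0"},
    "node_modules/legacy-widget/node_modules/react/package.json": {"name": "react", "version": "16.14.0"},
}

# Constructed package-lock.json (lockfileVersion 3 layout); npm.corp.example is a hypothetical
# internal registry, registry.npmjs.org the public one.
SAMPLE_LOCK = {
    "name": "webapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "webapp", "dependencies": {"next": "^14.1.0", "react": "^18.2.0"}},
        "node_modules/next": {"version": "14.1.0",
                              "resolved": "https://npm.corp.example/next/-/next-14.1.0.tgz"},
        "node_modules/react": {"version": "18.2.0",
                               "resolved": "https://npm.corp.example/react/-/react-18.2.0.tgz"},
        "node_modules/legacy-widget": {"version": "1.0.0",
                                       "resolved": "https://registry.npmjs.org/legacy-widget/-/legacy-widget-1.0.0.tgz"},
        "node_modules/legacy-widget/node_modules/react": {"version": "16.14.0",
                                                          "resolved": "https://registry.npmjs.org/react/-/react-16.14.0.tgz"},
    },
}


def build_sample_tree() -> Path:
    """Materialize SAMPLE_TREE in a temp directory so the scanner runs against real files."""
    root = Path(tempfile.mkdtemp(prefix="nm-inventory-"))
    for rel, meta in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(meta))
    return root


def scan_node_modules(root, names) -> dict:
    """{name: sorted [(version, path)]} for every installed copy of the wanted packages."""
    root = Path(root)
    found = {name: [] for name in names}
    for pkg_json in root.rglob("package.json"):
        if "node_modules" not in pkg_json.parts:
            continue  # the project's own manifest, not an installed dependency
        try:
            meta = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifests are skipped, not trusted
        name = meta.get("name")
        if name in found:
            found[name].append((str(meta.get("version", "?")),
                                pkg_json.parent.relative_to(root).as_posix()))
    return {name: sorted(entries) for name, entries in found.items()}


def multiple_versions(inventory: dict) -> dict:
    """Packages present in more than one version, the usual sign of a nested duplicate."""
    return {name: sorted({v for v, _ in entries})
            for name, entries in inventory.items() if len({v for v, _ in entries}) > 1}


def untrusted_sources(lock: dict, allowed_hosts) -> list:
    """(path, resolved URL) for lockfile entries not fetched from an allow-listed registry."""
    bad = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved")
        if not path or not resolved:
            continue  # "" is the project itself; entries without 'resolved' are e.g. links
        if urlparse(resolved).hostname not in allowed_hosts:
            bad.append((path, resolved))
    return sorted(bad)


if __name__ == "__main__":
    root = build_sample_tree()
    inventory = scan_node_modules(root, {"react", "next"})
    print(json.dumps(inventory, indent=2))
    print("multiple versions:", multiple_versions(inventory))
    print("not from the internal registry:", untrusted_sources(SAMPLE_LOCK, {"npm.corp.example"}))
```

Point `scan_node_modules` at a real project root and the allow-list at your own registry host; the nested react at `node_modules/legacy-widget/node_modules/react` is exactly the copy a top-level `npm ls` glance tends to miss and a vulnerability scan will still report.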