Exclude Vulnerability reports for specific packages

From time to time you will receive false positives when running the vulnerability detection in Wazuh.

This happens when the CVE information lists a broken package by version number, e.g. 2.24. Distributions usually don't raise the version number within a release (like Debian Stretch); they just fix the package but keep the version number.

If you are sure the package is already fixed and want to get rid of the warnings, create a whitelist file in /var/ossec/etc/lists/ called e.g. vuln-whitelist.

As its content, put the CVEs reported by Wazuh in this format (example for Debian 8-10):

CVE-2016-0705:Fixed by Debian
CVE-2016-2182:Fixed by Debian
CVE-2016-2842:Fixed by Debian
CVE-2017-12424:Fixed by Debian
CVE-2017-6519:Fixed by Debian
CVE-2018-6551:Fixed by Debian
CVE-2019-1010022:Fixed by Debian
CVE-2019-9893:Fixed by Debian

Go to ossec.conf and search for lists. Directly under <list>etc/lists/security-eventchannel</list> put <list>etc/lists/vuln-whitelist</list>.

With the command /var/ossec/bin/ossec-makelists you can compile those lists. Remember to run the command after every update.

Now it's time to disable the CVEs with a local rule in the file local_rules.xml in /var/ossec/etc/rules:

<group name="vulnerability-detector,">
  <!-- Level 0 means no alert is generated when the reported CVE is a key in the whitelist -->
  <rule id="100003" level="0">
    <if_sid>23506</if_sid>
    <list field="vulnerability.cve" lookup="match_key">etc/lists/vuln-whitelist</list>
    <group>vulnerability-detector</group>
    <description>Vulnerability Whitelist</description>
  </rule>
</group>

Now that everything is in place, we can restart the service via /var/ossec/bin/ossec-control restart.
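
The rule's match_key lookup only matches when the reported CVE ID is exactly a key in the list, so a mistyped key silently suppresses nothing. The following lint for the whitelist file is an added example, not part of the original post or of Wazuh; the function name check_whitelist and the sample entries are constructed, and requiring a non-empty reason is a policy of this example.

```shell
#!/bin/sh
# Added example: lint a vuln-whitelist file before running ossec-makelists.
# check_whitelist FILE prints one line per problem and returns non-zero if any.
check_whitelist() {
    awk '
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            # Split on the first colon: key = CVE ID, value = reason.
            pos = index($0, ":")
            if (pos == 0) {
                printf "line %d: missing \":\" separator\n", NR; bad++; next
            }
            key = substr($0, 1, pos - 1)
            val = substr($0, pos + 1)
            # match_key needs the exact ID: upper case, no stray whitespace.
            if (key !~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+$/) {
                printf "line %d: key \"%s\" is not a CVE ID\n", NR, key; bad++
            }
            # Policy assumption of this example: every exclusion states a reason.
            if (val ~ /^[ \t]*$/) {
                printf "line %d: %s has no justification\n", NR, key; bad++
            }
            if (key in seen) {
                printf "line %d: %s duplicates line %d\n", NR, key, seen[key]; bad++
            } else {
                seen[key] = NR
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample (not from a real system): two valid entries, three defects.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CVE-2016-0705:Fixed by Debian
CVE-2019-9893:Fixed by Debian
CVE-2019-9893:Fixed by Debian
cve-2017-6519:Fixed by Debian
CVE-2018-6551:
EOF
check_whitelist "$sample" || echo "whitelist has problems, fix them before compiling"
rm -f "$sample"
```

Run it against /var/ossec/etc/lists/vuln-whitelist after each edit and compile the list only when it returns 0.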