Linux Vulnerability Management (Beta)
In this article, you will find:
Navigation guidance for accessing the newly updated device vulnerabilities areas
Guides for installing the device vulnerability agent onto Linux machines, running vulnerability scans, and reviewing scan results.
IMPORTANT: This feature is currently in beta, and only accessible to a limited set of customers using Linux machines. If you would like access to this feature, experience any issues when using this tool, or wish to provide feedback, please contact a member of our support team.
Accessing the New Device Vulnerabilities Page
The updated Device Vulnerability Management feature is located within the Device Vulnerabilities area of the OneClickComply platform. To access the Device Vulnerabilities area, navigate to Scanning > Vulnerability Management > Device Vulnerabilities, as shown below:

From here, navigate to the Install tab. If your account has been given access to the Linux Scanner, a new banner will be present at the top of the page, with a button to Try Beta, as shown below:

Installing the Agent
Once the Try Beta option is selected, you will be taken to a new Device Vulnerabilities area. If this is your first time accessing this page, or you have not installed the agent on a device, you will see a page similar to the following:

To begin installing the agent onto your devices, select either the Install Agent tab at the top of the page, or the Install Agent button in the Devices window. Either option will bring up the installation guidance, as shown below:

Note: This beta view is currently limited to Linux devices. Support for macOS and Windows devices will be introduced in a future update.
The agents are deployed to devices through an Install Command. You can create your unique install command by selecting the Operating System of the device(s), the Package Format, and the specific Architecture of the machine(s).
Once you have selected the relevant options, press the Generate Install Command button to open a new page and receive your unique command, as shown in the example below:

On this new page you will find the following information:
Wazuh Group ID: Your organisation's unique UUID, which our support team uses to easily identify your account and triage any issues.
Install Command: Your custom installation command, tailored to the device parameters you selected on the previous page.
Underneath these two sections, you will find the Next Steps to complete the installation process. Simply open Command Prompt (cmd) on your target device, run the install command, and the agent will automatically register itself.
Starting a New Scan
Once the agent is installed, navigate to the Devices tab at the top of the page. Here, you will see a complete list of all devices registered to your organisation's UUID, as shown below:

On this page, you will find an overview of your registered devices and their overall health. As shown in the example above, you can see the following information:
Device Name: The unique identifier for that specific device.
Operating System: The operating system the device is currently running.
Status Tag: Indicates the current communication state of the agent. You will see one of three statuses:
Active: The agent is connected to the manager and actively sending event data.
Disconnected: The manager has lost contact with this agent. The device may be powered off, disconnected from the network, or the agent service has stopped.
Not Started: The agent is installed, but no scans have been run on it yet.
Scan Total: Shows exactly how many scans have been run on the specific device (including Completed, In Progress, or Failed scans).
Vulnerability Warning: Displays how many open vulnerabilities are currently detected on the device. If a device has a clean scan, or if a previously detected vulnerability is remediated and scanned again, no vulnerability warning will be displayed.
To begin a scan of the device, select the Scan button located on the right-hand side of the window, as shown below:

Reviewing and Resolving Vulnerabilities
To view the results of completed scans, simply click on the desired device. This will open a new window detailing all of the scans that have taken place on the device. Please see an example of this view below:

This page provides a complete history of every scan run on the device. You can easily filter the list using the All, Completed, Failed, and In Progress tabs at the top.
For each individual scan, you will see detailed information, including:
Status: The current state of the scan (based on the tabs above).
Date and Time: Exactly when the scan was initiated.
Duration: The total time the scan took to finish.
Findings: The number of vulnerabilities identified during that specific scan.
A new scan can be triggered by selecting the New Scan button, located at the top right of the page.
To view a specific scan in more detail, simply click on the relevant row in the Scan History table. This will open a new view, providing more granular information about what was detected. Please find an example below:

As shown in the example above, a recently completed scan will display all detected vulnerable applications. Each of these vulnerabilities will typically have multiple CVEs (Common Vulnerabilities and Exposures) attached to it. These attached CVEs include specific risk scores and are categorised by their severity status (Critical, High, Medium, and Low), with the severity categories highlighted in visually distinct boxes at the top of the page.
Most importantly, a recommended fix for the vulnerability will be listed underneath the name of the application. In the example above, all of the identified vulnerabilities are associated with an outdated version of Firefox, so a recommendation to ‘Update firefox (147.01-1) to version 148.0 or later’ has been provided.

Additionally, selecting the vulnerable application will open a list of all detected CVEs, allowing you to see the specific details about each vulnerability, the overall severity, and the score given to the issue.

If a vulnerability has been resolved, any subsequent scans will detect that the issue has been actioned, and the vulnerability will not appear in future scans unless a new vulnerability is identified.