devopstales/wazuh-trivy
wazuh-trivy

Wazuh and Trivy integration to scan Docker image vulnerabilities.

Install

Create the custom script directory /var/ossec/custom-script/ and add a new file trivy_scan.sh in it.

Remote command execution must be enabled on the agent (the Docker host) in the file local_internal_options.conf:

# Wazuh Command Module - If it should accept remote commands from the manager
wazuh_command.remote_commands=1

Edit /var/ossec/etc/shared/your_linux_docker_group/agent.conf and add the remote command:

<!-- Trivy container vulnerability scanner script -->
<wodle name="command">
  <disabled>no</disabled>
  <command>/bin/bash /var/ossec/etc/shared/trivy_scan.sh</command>
  <interval>12h</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

Trivy scan detection rules:

Create a file custom_decoders_trivy.xml in the /var/ossec/etc/decoders/ directory:

<decoder name="trivy-decoder">
  <prematch>^Trivy:</prematch>
</decoder>
<decoder name="trivy-decoder-fields">
  <parent>trivy-decoder</parent>
  <regex offset="after_parent">"(\.+)","(\.+)","(\.+)","(\.+)","(\.+)"</regex>
  <order>image, package, version, vulnerability_id, severity</order>
</decoder>

Create a file custom_rules_trivy.xml in the /var/ossec/etc/rules/ directory:

<group name="trivy">
  <!-- Parent Rule for Trivy alerts -->
  <rule id="100101" level="0">
    <decoded_as>trivy-decoder</decoded_as>
    <description>Trivy alert detected.</description>
  </rule>

  <!-- This rule detects a critical severity vulnerability in a container image -->
  <rule id="100102" level="14">
    <if_sid>100101</if_sid>
    <field name="severity">Critical</field>
    <description>Trivy alert [Critical]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>

  <!-- This rule detects a high severity vulnerability in a container image -->
  <rule id="100103" level="12">
    <if_sid>100101</if_sid>
    <field name="severity">High</field>
    <description>Trivy alert [High]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>

  <!-- This rule detects a medium severity vulnerability in a container image -->
  <rule id="100104" level="7">
    <if_sid>100101</if_sid>
    <field name="severity">Medium</field>
    <description>Trivy alert [Medium]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>

  <!-- This rule detects a low severity vulnerability in a container image -->
  <rule id="100105" level="4">
    <if_sid>100101</if_sid>
    <field name="severity">Low</field>
    <description>Trivy alert [Low]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>

  <!-- This rule detects a negligible severity vulnerability in a container image -->
  <rule id="100106" level="1">
    <if_sid>100101</if_sid>
    <field name="severity">Negligible</field>
    <description>Trivy alert [Negligible]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>

  <!-- This rule detects an unknown severity vulnerability in a container image -->
  <rule id="100107" level="7">
    <if_sid>100101</if_sid>
    <field name="severity">Unknown</field>
    <description>Trivy alert [Unknown]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>
</group>
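The decoder and rules above expect each scanner result as one line of the form `Trivy: "image","package","version","vulnerability_id","severity"`. The following Python is an added example, not the repository's trivy_scan.sh: it converts a `trivy image --format json` report into those lines, mirrors the decoder regex and the severity-to-rule mapping so output can be checked offline before deployment, and normalises Trivy's upper-case severities to the capitalised spelling the rules match on. The Trivy JSON field names, the docker/trivy invocations in the main block and the sample report are assumptions constructed for this example.

```python
import json
import re
import subprocess

# Trivy reports severities in upper case; the custom rules match on the
# capitalised spelling, so normalise to that and map to the rule that fires.
SEVERITY_RULE = {"Critical": 100102, "High": 100103, "Medium": 100104,
                 "Low": 100105, "Negligible": 100106, "Unknown": 100107}
# Python equivalent of trivy-decoder-fields: five quoted fields after "Trivy:".
LINE_RE = re.compile(r'^Trivy: "([^"]+)","([^"]+)","([^"]+)","([^"]+)","([^"]+)"$')
FIELDS = ("image", "package", "version", "vulnerability_id", "severity")

def clean(value):
    # A quote or newline inside a field would break the decoder regex.
    return str(value).replace('"', "").replace("\n", " ") or "-"

def report_to_lines(image, report):
    # Assumed Trivy JSON layout: Results[].Vulnerabilities[] with PkgName etc.
    lines = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").capitalize()  # CRITICAL -> Critical
            sev = sev if sev in SEVERITY_RULE else "Unknown"
            fields = (image, vuln["PkgName"], vuln["InstalledVersion"],
                      vuln["VulnerabilityID"], sev)
            lines.append("Trivy: " + ",".join('"%s"' % clean(f) for f in fields))
    return lines

def decode_line(line):
    # Mirror the Wazuh decoder: field dict, or None if the line would not decode.
    m = LINE_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

def rule_id_for(line):
    # Rule id (100102..100107) that fires for a decoded line, by severity.
    decoded = decode_line(line)
    return SEVERITY_RULE.get(decoded["severity"]) if decoded else None

# Constructed sample report with only the Trivy JSON fields the script reads.
SAMPLE_REPORT = {"Results": [{"Target": "sample (alpine 3.18)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3",
     "InstalledVersion": "3.1.0-r0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
     "InstalledVersion": "1.36.0-r0", "Severity": "LOW"}]}]}

if __name__ == "__main__":  # on the Docker host: scan every local image, print the lines
    images = subprocess.run(["docker", "images", "--format", "{{.Repository}}:{{.Tag}}"],
                            capture_output=True, text=True, check=True).stdout.split()
    for img in images:
        raw = subprocess.run(["trivy", "image", "--quiet", "--format", "json", img],
                             capture_output=True, text=True, check=True).stdout
        print("\n".join(report_to_lines(img, json.loads(raw))))
```

Run with the command wodle and ignore_output set to no, the printed lines are what reaches the decoder; running report_to_lines over a saved report first shows which rule each finding would trigger.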

Dashboards

Critical vulnerabilities

  1. Navigate to Explore > Discover.
  2. Type rule.groups:trivy and rule.id:100102 in the filter bar and click Update.
  3. Under Available fields, add agent.name, data.image, data.severity, data.vulnerability_id, data.package, and data.version as columns by hovering over each field and clicking the + icon beside it.
  4. Save the query as Trivy [Critical vulnerabilities].

High vulnerabilities

  1. Navigate to Explore > Discover.
  2. Type rule.groups:trivy and rule.id:100103 in the filter bar and click Update.
  3. Under Available fields, add agent.name, data.image, data.severity, data.vulnerability_id, data.package, and data.version as columns by hovering over each field and clicking the + icon beside it.
  4. Save the query as Trivy [High vulnerabilities]. Ensure you select the Save as new search option.

Medium vulnerabilities

  1. Navigate to Explore > Discover.
  2. Type rule.groups:trivy and rule.id:100104 in the filter bar and click Update.
  3. Under Available fields, add agent.name, data.image, data.severity, data.vulnerability_id, data.package, and data.version as columns by hovering over each field and clicking the + icon beside it.
  4. Save the query as Trivy [Medium vulnerabilities]. Ensure you select the Save as new search option.

Low vulnerabilities

  1. Navigate to Explore > Discover.
  2. Type rule.groups:trivy and rule.id:100105 in the filter bar and click Update.
  3. Under Available fields, add agent.name, data.image, data.severity, data.vulnerability_id, data.package, and data.version as columns by hovering over each field and clicking the + icon beside it.
  4. Save the query as Trivy [Low vulnerabilities]. Ensure you select the Save as new search option.

Creating a custom dashboard

  1. Navigate to Explore > Dashboards > Create New Dashboard.
  2. Select the Add an existing link and click each saved search (Trivy [Critical vulnerabilities], Trivy [High vulnerabilities]). This adds the saved searches to the new dashboard.
  3. Save the dashboard as Trivy container image vulnerabilities.
