This is the documentation for Wazuh 3.11.

vulnerability-detector

New in version 3.2.0.

This section covers the configuration for the Vulnerability detection module.

XML section name

<vulnerability-detector>
</vulnerability-detector>

Options

Note

The options update_ubuntu_oval and update_redhat_oval (deprecated since 3.5) and feed (deprecated since 3.11) should no longer be used; use provider instead.

Option          Allowed values
enabled         yes, no
interval        A positive number (seconds)
run_on_start    yes, no
ignore_time     A positive number (seconds)
provider        A valid vulnerability vendor

enabled

Enables the module.

Default value: no
Allowed values: yes, no

interval

Time between vulnerability scans.

Default value: 5m
Allowed values: A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs the feed updates and a vulnerability scan immediately when the service starts.

Default value: yes
Allowed values: yes, no

ignore_time

Time during which a vulnerability that has already been alerted on is not alerted again.

Default value: 6 hours
Allowed values: A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

provider

Configuration block to specify vulnerability updates.

Attributes

  name
    Defines a vulnerability information provider.
    Allowed values: canonical, debian, redhat, nvd

Allowed tags

  enabled
    Enables the vulnerability provider update.
    Default value: no
    Allowed values: yes, no

  os
    Feed to update.
    Allowed values (provider / feed):
      canonical   precise / 12, trusty / 14, xenial / 16, bionic / 18
      debian      wheezy / 7, jessie / 8, stretch / 9, buster / 10
      redhat      Does not use this option.
      nvd         Does not use this option.
    Attributes:
      update_interval
        How often the vulnerability database of this feed is updated. It has priority over the update_interval option of the provider block.
        Default value: the value of the update_interval option of the provider block.
        Allowed values: A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).
      url
        Defines the link to an alternative OVAL file.
        Allowed values: Link to download the OVAL file obtained from Canonical or Debian.
      path
        Defines the path to an alternative OVAL file.
        Allowed values: Path where the OVAL file obtained from Canonical or Debian is located.
      port
        Defines the connection port when using the url attribute.
        Allowed values: A valid port.
      allow
        Defines compatibility with unsupported systems.
        Allowed values: A valid operating system not supported by default. See the Vulnerability detector section for a guide on setting it up.

  update_interval
    How often the vulnerabilities of the provider are updated. It can be overridden by the attribute of the same name on <os>.
    Default value: 1 hour.
    Allowed values: A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

  update_from_year
    Year from which the provider will be updated.
    Allowed values (provider / value):
      redhat      A valid year greater than 1998.
      nvd         A valid year greater than 2001.
      canonical   Does not use this option.
      debian      Does not use this option.

  allow
    Defines compatibility with unsupported systems.
    Allowed values (provider / value):
      redhat      A valid operating system not supported by default. See the Vulnerability detector section for a guide on setting it up.
      nvd         Does not use this option.
      canonical   Use the allow attribute of <os> instead.
      debian      Use the allow attribute of <os> instead.
    Attributes:
      replaced_os
        Defines the version of Red Hat that will replace the unsupported system.
        Allowed values: A numeric Red Hat version.

  url
    Defines the link to alternative feed files.
    Allowed values (provider / value):
      redhat      Parameterized link to download the feed files obtained from the Red Hat Security Data API. See the Vulnerability detector section for a guide on setting it up.
      nvd         Parameterized link to download the feed files obtained from the National Vulnerability Database. See the Vulnerability detector section for a guide on setting it up.
      canonical   Use the url attribute of <os> instead.
      debian      Use the url attribute of <os> instead.
    Attributes:
      start
        Defines the first value with which the tag in the link will be substituted.
        Allowed values: A numeric value that, substituted for the tag, forms a valid link.
      end
        Defines the last value with which the tag in the link will be substituted.
        Allowed values: A numeric value that, substituted for the tag, forms a valid link.
      port
        Defines the connection port.
        Allowed values: A valid port.

  path
    Defines the path to alternative feed files.
    Allowed values (provider / value):
      redhat      Path with a regular expression that matches the feed files obtained from the Red Hat Security Data API.
      nvd         Path with a regular expression that matches the feed files obtained from the National Vulnerability Database.
      canonical   Use the path attribute of <os> instead.
      debian      Use the path attribute of <os> instead.

Example of configuration

The following configuration updates the vulnerability databases for Ubuntu, Debian, Red Hat and Microsoft Windows.

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <provider name="canonical">
        <enabled>yes</enabled>
        <os>precise</os>
        <os>trusty</os>
        <os>xenial</os>
        <os>bionic</os>
        <update_interval>1h</update_interval>
    </provider>

    <provider name="debian">
        <enabled>yes</enabled>
        <os>wheezy</os>
        <os>stretch</os>
        <os>jessie</os>
        <os>buster</os>
        <update_interval>1h</update_interval>
    </provider>

    <provider name="redhat">
        <enabled>yes</enabled>
        <update_from_year>2010</update_from_year>
        <update_interval>1h</update_interval>
    </provider>

    <provider name="nvd">
        <enabled>yes</enabled>
        <update_from_year>2010</update_from_year>
        <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>
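As an added example that is not part of the Wazuh documentation, the Python script below lints a <vulnerability-detector> block against the rules on this page: it flags the deprecated options, non yes/no values, intervals without a time-unit suffix, <os> feeds a provider does not accept and update_from_year values below the stated bounds. The BAD_CONFIG string is a constructed sample that breaks several of those rules; the checks themselves are this example's own reading of the reference, not Wazuh's validator.

```python
import re
import xml.etree.ElementTree as ET

# Feeds the reference lists per provider; redhat and nvd take no <os> tag.
OS_FEEDS = {"canonical": {"precise", "trusty", "xenial", "bionic"},
            "debian": {"wheezy", "jessie", "stretch", "buster"},
            "redhat": set(), "nvd": set()}
MIN_YEAR = {"redhat": 1999, "nvd": 2002}  # "greater than 1998" / "greater than 2001"
DEPRECATED = {"update_ubuntu_oval", "update_redhat_oval", "feed"}
TIME_RE = re.compile(r"^(\d+)([smhd])$")
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert '5m', '6h', '1d' ... to seconds; return None when malformed."""
    m = TIME_RE.match((value or "").strip())
    return int(m.group(1)) * UNIT[m.group(2)] if m else None

def lint(xml_text):
    """Return the list of problems found in one <vulnerability-detector> block."""
    root = ET.fromstring(xml_text)
    problems = []
    for el in root:
        if el.tag in DEPRECATED:
            problems.append(f"deprecated <{el.tag}>; use <provider> instead")
        elif el.tag in ("enabled", "run_on_start") and el.text not in ("yes", "no"):
            problems.append(f"<{el.tag}> must be yes or no")
        elif el.tag in ("interval", "ignore_time") and to_seconds(el.text) is None:
            problems.append(f"<{el.tag}> needs a positive number with s/m/h/d suffix")
    for prov in root.findall("provider"):
        name = prov.get("name")
        if name not in OS_FEEDS:
            problems.append(f"unknown provider name {name!r}")
            continue
        for os_el in prov.findall("os"):
            if os_el.text not in OS_FEEDS[name]:
                problems.append(f"provider {name}: unsupported <os> {os_el.text!r}")
        year = prov.findtext("update_from_year")
        if year is not None and not (name in MIN_YEAR and year.isdigit()
                                     and int(year) >= MIN_YEAR[name]):
            problems.append(f"provider {name}: invalid <update_from_year> {year!r}")
        interval = prov.findtext("update_interval")
        if interval is not None and to_seconds(interval) is None:
            problems.append(f"provider {name}: invalid <update_interval> {interval!r}")
    return problems

# Constructed sample carrying several mistakes the reference rules forbid.
BAD_CONFIG = """<vulnerability-detector><enabled>yes</enabled><interval>5</interval>
<feed name="ubuntu-18">yes</feed>
<provider name="canonical"><enabled>yes</enabled><os>focal</os></provider>
<provider name="redhat"><update_from_year>1990</update_from_year></provider></vulnerability-detector>"""
```

Running lint(BAD_CONFIG) reports the missing suffix on <interval>, the deprecated <feed> block, the unknown canonical feed and the too-early Red Hat year, while the example configuration above passes with no findings.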

Note

See the Vulnerability detector section for more information about this module.