vulnerability-detector

New in version 3.2.0.

This section covers the configuration for the Vulnerability detection module.

Options

Note

The options update_ubuntu_oval and update_redhat_oval (deprecated since 3.5) and feed (deprecated since 3.11) should no longer be used; configure a provider block instead.

Options | Allowed values
enabled | yes, no
interval | A positive number of seconds, or a number with a time-unit suffix (s, m, h, d)
run_on_start | yes, no
ignore_time | A positive number of seconds, or a number with a time-unit suffix (s, m, h, d)
provider | A valid vulnerability vendor

enabled

Enables the module.

Default value

no

Allowed values

yes, no

interval

Time between vulnerability scans.

Default value

5m

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs the feed updates and a vulnerability scan immediately when the service starts, instead of waiting for the first interval to elapse.

Default value

yes

Allowed values

yes, no

ignore_time

Time during which a vulnerability that has already been alerted on is not alerted on again.

Default value

6 hours

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

provider

Note

(Since 3.13.0) For Linux agents the nvd provider must always be enabled; otherwise the scanner will not work properly.

Configuration block to specify vulnerability updates.

Attributes

name

Defines a vulnerability information provider.

Allowed values

canonical

debian

redhat

nvd

Allowed tags

enabled

Enables the vulnerability provider update.

Default value

no

Allowed values

yes, no

os

Feed to update. Each feed can be named either by its codename or by its release number.

Allowed values

provider | feed (codename / release number)
canonical | trusty / 14, xenial / 16, bionic / 18, focal / 20
debian | wheezy / 7, jessie / 8, stretch / 9, buster / 10
redhat | Does not use this option.
nvd | Does not use this option.

Attributes

update_interval

How often the vulnerability database is updated. It has priority over the update_interval option of the provider block.

Default value

The value indicated by the update_interval option of the provider block.

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Defines the URL of an alternative OVAL file.

Allowed values

Link to download the OVAL file obtained from Canonical or Debian.

path

Defines the path to an alternative OVAL file.

Allowed values

Path where the OVAL file obtained from Canonical or Debian is located.

port

Defines the connection port when using the url attribute.

Allowed values

A valid port.

allow

Defines compatibility with unsupported systems.

Allowed values

A valid operating system not supported by default. You can find a guide on how to set it up here.

update_interval

How often the vulnerabilities of the provider are updated. It can be overridden per feed by the attribute of the same name on <os>.

Default value

1 hour.

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

download_timeout

Download timeout in seconds.

Default value

300

Allowed values

A positive number to indicate the timeout in seconds.

update_from_year

Earliest year of the vulnerabilities that will be fetched from the provider.

Default value

Allowed values

provider | value
redhat | A valid year greater than or equal to 1999.
nvd | A valid year greater than or equal to 2002.
canonical | Does not use this option.
debian | Does not use this option.

allow

Defines compatibility with unsupported systems.

Allowed values

provider | value
redhat | A valid operating system not supported by default. You can find a guide on how to set it up here.
nvd | Does not use this option.
canonical | Use the allow attribute of <os> instead.
debian | Use the allow attribute of <os> instead.

Attributes

replaced_os

Defines the version of Red Hat that will replace the unsupported system.

Allowed values | A numeric Red Hat version whose feed will be used for the unsupported system.

url

Defines the URL of alternative feed files.

Allowed values

provider | value
redhat | Parameterized link to download the feed files obtained from the Red Hat Security Data API. You can find a guide on how to set it up here.
nvd | Parameterized link to download the feed files obtained from the National Vulnerability Database. You can find a guide on how to set it up here.
canonical | Use the url attribute of <os> instead.
debian | Use the url attribute of <os> instead.

Attributes

start

Defines the first value that will be substituted for the tag in the parameterized link.

Allowed values | A numeric value that, substituted for the tag, forms a valid link.

end

Defines the last value that will be substituted for the tag in the parameterized link.

Allowed values | A numeric value that, substituted for the tag, forms a valid link.

port

Defines the connection port.

Allowed values | A valid port.

path

Defines the path to alternative feed files on the local filesystem.

Allowed values

provider | value
redhat | Path, which may contain a regular expression, matching the feed files obtained from the Red Hat Security Data API.
nvd | Path, which may contain a regular expression, matching the feed files obtained from the National Vulnerability Database.
canonical | Use the path attribute of <os> instead.
debian | Use the path attribute of <os> instead.

Example of configuration

The following configuration enables the module and updates the vulnerability feeds for Ubuntu (canonical), Debian and Red Hat, plus the NVD feed, which covers Microsoft Windows agents and is also required for Linux agents since 3.13.0.

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <provider name="canonical">
        <enabled>yes</enabled>
        <os>trusty</os>
        <os>xenial</os>
        <os>bionic</os>
        <os>focal</os>
        <update_interval>1h</update_interval>
    </provider>

    <provider name="debian">
        <enabled>yes</enabled>
        <os>wheezy</os>
        <os>stretch</os>
        <os>jessie</os>
        <os>buster</os>
        <update_interval>1h</update_interval>
    </provider>

    <provider name="redhat">
        <enabled>yes</enabled>
        <update_from_year>2010</update_from_year>
        <update_interval>1h</update_interval>
    </provider>

    <provider name="nvd">
        <enabled>yes</enabled>
        <update_from_year>2010</update_from_year>
        <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>
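As an added example (it is not Wazuh code and not part of the original page), the following Python script checks a <vulnerability-detector> block against the rules described in this reference: time values must be a positive number with an s/m/h/d suffix, the update_interval attribute of <os> overrides the provider-level tag (which defaults to 1h), update_from_year applies only to redhat and nvd with the stated lower bounds, canonical and debian take url/path/allow as attributes of <os>, <allow> for redhat needs a replaced_os version, the <url> start/end attributes must be ordered, and nvd must be enabled whenever a Linux provider is. The two XML samples are constructed for the demonstration (the feed host in BAD is made up), and the checks are one reading of this page, not a copy of Wazuh's own configuration parser.

```python
import re
import xml.etree.ElementTree as ET

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DEFAULT_UPDATE_INTERVAL = "1h"             # provider <update_interval> default
MIN_YEAR = {"redhat": 1999, "nvd": 2002}    # update_from_year lower bounds
OS_FEEDS = {                                # <os> values (codename / release number)
    "canonical": {"trusty", "14", "xenial", "16", "bionic", "18", "focal", "20"},
    "debian": {"wheezy", "7", "jessie", "8", "stretch", "9", "buster", "10"},
}
PROVIDERS = set(OS_FEEDS) | {"redhat", "nvd"}

def parse_interval(value):
    """Seconds for '5m', '6h', '300', ...; None unless a positive time value.
    A bare number is read as seconds, as the options summary table says."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", value or "")
    if not m or int(m.group(1)) == 0:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]

def effective_update_intervals(xml_text):
    """{provider: {os: seconds}}. The update_interval attribute of <os> wins
    over the provider-level tag, which itself defaults to 1h."""
    out = {}
    for p in ET.fromstring(xml_text).findall("provider"):
        prov_val = p.findtext("update_interval") or DEFAULT_UPDATE_INTERVAL
        out[p.get("name")] = {(o.text or "").strip():
                              parse_interval(o.get("update_interval") or prov_val)
                              for o in p.findall("os")}
    return out

def lint(xml_text):
    """Return the rule violations found (empty list when the block is consistent)."""
    root = ET.fromstring(xml_text)
    problems, enabled = [], {}
    for tag in ("interval", "ignore_time"):
        v = root.findtext(tag)
        if v is not None and parse_interval(v) is None:
            problems.append(f"{tag}: '{v}' is not a positive time value")
    for p in root.findall("provider"):
        name = p.get("name")
        if name not in PROVIDERS:
            problems.append(f"provider '{name}': not a valid vulnerability vendor")
            continue
        enabled[name] = (p.findtext("enabled") or "no").strip() == "yes"
        for o in p.findall("os"):                      # only canonical/debian use <os>
            feed = (o.text or "").strip()
            if name not in OS_FEEDS:
                problems.append(f"{name}: <os> is not used by this provider")
            elif feed not in OS_FEEDS[name] and not o.get("allow"):
                problems.append(f"{name}: '{feed}' is not a supported feed (needs the allow attribute)")
            ui = o.get("update_interval")
            if ui is not None and parse_interval(ui) is None:
                problems.append(f"{name}/{feed}: update_interval '{ui}' is not a positive time value")
            if o.get("port") and not o.get("url"):
                problems.append(f"{name}/{feed}: port only applies together with url")
        year = p.findtext("update_from_year")
        if year is not None and name not in MIN_YEAR:
            problems.append(f"{name}: update_from_year is not used by this provider")
        elif year is not None and not (year.strip().isdigit() and int(year) >= MIN_YEAR[name]):
            problems.append(f"{name}: update_from_year must be a year >= {MIN_YEAR[name]}")
        for child in ("allow", "url", "path"):         # canonical/debian: attributes of <os>
            if name in OS_FEEDS and p.find(child) is not None:
                problems.append(f"{name}: use the {child} attribute of <os> instead of <{child}>")
        allow = p.find("allow")
        if allow is not None and name == "nvd":
            problems.append("nvd: <allow> is not used by this provider")
        elif allow is not None and name == "redhat" and not (allow.get("replaced_os") or "").isdigit():
            problems.append("redhat: <allow> needs a numeric replaced_os attribute")
        url = p.find("url")
        if url is not None and name in MIN_YEAR and (url.get("start") or url.get("end")):
            s, e = url.get("start") or "", url.get("end") or ""
            if not (s.isdigit() and e.isdigit() and int(s) <= int(e)):
                problems.append(f"{name}: <url> start/end must be numeric with start <= end")
        for tag, ok in (("update_interval", parse_interval),
                        ("download_timeout", lambda v: v.strip().isdigit() and int(v) > 0)):
            v = p.findtext(tag)
            if v is not None and not ok(v):
                problems.append(f"{name}: {tag} '{v}' is not a positive value")
    if any(enabled.get(n) for n in ("canonical", "debian", "redhat")) and not enabled.get("nvd"):
        problems.append("nvd: must be enabled when Linux providers are on (required since 3.13.0)")
    return problems

# Constructed samples: GOOD follows the page's example; BAD breaks several rules
# (the feed host is made up).
GOOD = """<vulnerability-detector>
  <enabled>yes</enabled><interval>5m</interval><ignore_time>6h</ignore_time>
  <provider name="canonical"><enabled>yes</enabled><os>bionic</os>
    <os update_interval="30m">focal</os><update_interval>1h</update_interval></provider>
  <provider name="redhat"><enabled>yes</enabled><update_from_year>2010</update_from_year></provider>
  <provider name="nvd"><enabled>yes</enabled><update_from_year>2010</update_from_year></provider>
</vulnerability-detector>"""
BAD = """<vulnerability-detector>
  <interval>0m</interval>
  <provider name="canonical"><enabled>yes</enabled>
    <os update_interval="12x" port="8443">groovy</os>
    <update_from_year>2015</update_from_year></provider>
  <provider name="redhat"><enabled>yes</enabled><update_from_year>1998</update_from_year>
    <allow>Example Linux 7</allow><download_timeout>0</download_timeout>
    <url start="3" end="1">https://feeds.example.internal/redhat/cve.json?page=</url></provider>
  <provider name="nvd"><enabled>no</enabled></provider>
</vulnerability-detector>"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, effective_update_intervals(cfg), lint(cfg) or "ok")
```

Run it against the block you intend to deploy before restarting the manager: a typo such as `12x` in an interval, or a Red Hat `<allow>` without `replaced_os`, is far cheaper to catch here than after the scanner silently stops updating a feed.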

Note

See the Vulnerability detector section to obtain more information about this module.