wodle name="vulnerability-detector"
New in version 3.2.0.
Configuration options of the Vulnerability detector wodle.
Options
Note
Since Wazuh 3.5 the options update_ubuntu_oval and update_redhat_oval are deprecated. It is recommended to use feed instead.
Options | Allowed values |
---|---|
disabled | yes, no |
interval | A positive number (seconds) |
run_on_start | yes, no |
ignore_time | A positive number (seconds) |
feed | An update configuration |
disabled
Disable the Vulnerability detector wodle.
Default value | no |
Allowed values | yes, no |
interval
Time between vulnerability detections.
Default value | 5m |
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
run_on_start
Runs updates and detections immediately when the service is started.
Default value | yes |
Allowed values | yes, no |
ignore_time
Time during which vulnerabilities that have already been alerted will be ignored.
Default value | 6 hours |
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
feed
Configuration block to specify vulnerability updates.
Allowed tags |
name | Valid distribution separated with a hyphen from its version. Example: ubuntu-18. |
Allowed values for name:
Distribution | Version | Notes |
---|---|---|
ubuntu | 12 | |
ubuntu | 14 | |
ubuntu | 16 | |
ubuntu | 18 | |
redhat | 5 | Valid for scan agents with Red Hat 5 and CentOS 5. |
redhat | 6 | Valid for scan agents with Red Hat 6 and CentOS 6. |
redhat | 7 | Valid for scan agents with Red Hat 7, CentOS 7 and Amazon Linux 1/2. |
debian | 7 | |
debian | 8 | |
debian | 9 | |
disabled | Disable the update configuration. |
Allowed values | yes, no |
update_interval | How often the vulnerability database is updated. |
Default value | 1 hour. |
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
url | Link to an alternative OVAL file. |
Allowed values | Links to OVAL file obtained from Red Hat, Canonical or Debian. The download server must use HTTPS. |
Allowed tags for url:
port | Server port where the OVAL file is located. |
Allowed values | Any valid port. Default is 443. |
path | Path to an alternative OVAL file. |
Allowed values | Path to OVAL file obtained from Red Hat, Canonical or Debian. |
allow | Allows the vulnerability database to be used for agents with a different operating system. |
Allowed values | List of operating systems that will allow the use of this OVAL. Example: "linux mint-12, ubuntu-17". |
Example of configuration
The following configuration allows you to use the vulnerability database for Debian 9, Red Hat 7 and Ubuntu 16 agents. It also allows you to extract vulnerabilities from agents with Linux Mint 18.X and Ubuntu 15.X using the Ubuntu 16 vulnerability database.
```xml
<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <feed name="debian-9">
    <disabled>no</disabled>
    <path>/home/debian-9-oval.xml</path>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="redhat-7">
    <disabled>no</disabled>
    <url port="443">https://myserver.com/redhat-7-oval.xml</url>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="ubuntu-16">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <allow>linux mint-18, ubuntu-15</allow>
  </feed>
</wodle>
```
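As an added example (not part of the Wazuh documentation or code base), a small Python checker that reads an ossec.conf fragment and flags the constraints this page states: time values need an s/m/h/d suffix, feed names must be one of the listed distribution-version pairs, an OVAL download URL must use HTTPS, and allow entries must have the os-version form. The sample configuration is constructed from the page's example with a few defects planted on purpose.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample based on the page's example, with defects planted on
# purpose (http:// URL, bare "60" with no unit, unlisted feed "fedora-30").
SAMPLE = """<ossec_config>
<wodle name="vulnerability-detector">
  <interval>5m</interval>
  <feed name="redhat-7">
    <url port="443">http://myserver.com/redhat-7-oval.xml</url>
    <update_interval>60</update_interval>
  </feed>
  <feed name="ubuntu-16">
    <update_interval>1h</update_interval>
    <allow>linux mint-18, ubuntu-15</allow>
  </feed>
  <feed name="fedora-30"><update_interval>1h</update_interval></feed>
</wodle>
</ossec_config>"""

# Distribution-version feed names the page lists as valid.
DISTROS = {"ubuntu": (12, 14, 16, 18), "redhat": (5, 6, 7), "debian": (7, 8, 9)}
VALID_FEEDS = {f"{d}-{v}" for d, vs in DISTROS.items() for v in vs}
TIME_RE = re.compile(r"^[1-9][0-9]*[smhd]$")  # positive number plus s/m/h/d suffix
OS_VER_RE = re.compile(r"^[a-z ]+-[0-9]+$")   # allow entries such as "linux mint-18"

def check_wodle(xml_text):
    # Returns a list of human-readable findings; an empty list means no issue found.
    wodle = ET.fromstring(xml_text).find("wodle[@name='vulnerability-detector']")
    if wodle is None:
        return ["no vulnerability-detector wodle found"]
    findings = []
    for tag in ("interval", "ignore_time"):
        el = wodle.find(tag)
        if el is not None and not TIME_RE.match(el.text or ""):
            findings.append(f"{tag}: {el.text!r} needs a time-unit suffix (s, m, h, d)")
    for feed in wodle.findall("feed"):
        name = feed.get("name", "")
        if name not in VALID_FEEDS:
            findings.append(f"feed {name!r}: not a supported distribution-version")
        ui = feed.find("update_interval")
        if ui is not None and not TIME_RE.match(ui.text or ""):
            findings.append(f"feed {name!r}: update_interval {ui.text!r} needs a time-unit suffix")
        url = feed.find("url")
        if url is not None and not (url.text or "").startswith("https://"):
            findings.append(f"feed {name!r}: OVAL download server must use HTTPS")
        allow = feed.find("allow")
        for entry in (allow.text if allow is not None else "").split(","):
            if entry.strip() and not OS_VER_RE.match(entry.strip()):
                findings.append(f"feed {name!r}: allow entry {entry.strip()!r} is not os-version")
    return findings
```

Running check_wodle(SAMPLE) reports the three planted defects; the page's own example passes with no findings.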
Note
See the Vulnerability detector section to obtain more information about this module.