wodle name=”vulnerability-detector”

New in version 3.2.0.

XML section name

<wodle name="vulnerability-detector">
</wodle>

Configuration options of the Vulnerability detector wodle.

Options

Note

Since Wazuh 3.5 the options update_ubuntu_oval and update_redhat_oval are deprecated. It is recommended to use feed instead.

Options

Allowed values

disabled

yes, no

interval

A positive number (seconds)

run_on_start

yes, no

ignore_time

A positive number (seconds)

feed

An update configuration

disabled

Disable the Vulnerability detector wodle.

Default value

no

Allowed values

yes, no

interval

Time between vulnerabilities detections.

Default value

5m

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs updates and detections immediately when service is started.

Default value

yes

Allowed values

yes, no

ignore_time

Time during which vulnerabilities that have already been alerted will be ignored.

Default value

6 hours

Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

feed

Configuration block to specify vulnerability updates.

Allowed tags

name

Valid distribution separated with a hyphen from its version. Example: ubuntu-18.

Allowed values

ubuntu

12

14

16

18

redhat

5

Valid for scan agents with Red Hat 5 and CentOS 5.

6

Valid for scan agents with Red Hat 6 and CentOS 6.

7

Valid for scan agents with Red Hat 7, CentOS 7 and Amazon Linux 1/2.

debian

7

8

9

Allowed values

disabled

Disable the update configuration.

Allowed values

yes, no

update_interval

How often the vulnerability database is updated.

Default value

1 hour.

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Link to an alternative OVAL file.

Allowed values

Links to OVAL file obtained from Red Hat, Canonical or Debian. The download server must use HTTPS.

Allowed tags

port

Server port where the OVAL file is located.

Allowed values

Any valid port. Default is 443.

path

Path to an alternative OVAL file.

Allowed values

Path to OVAL file obtained from Red Hat, Canonical or Debian.

allow

Allows you to use the vulnerability database with agents with different operating system.

Allowed values

List of operating systems that will allow the use of this OVAL. Example: “linux mint-12, ubuntu-17”.

Example of configuration

The following configuration allows you to use the vulnerability database for Debian 9, Red Hat 7 and Ubuntu 16 agents. It also allows you to extract vulnerabilities from agents with Linux Mint 18.X and Ubuntu 15.X using the Ubuntu 16 vulnerability database.

<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <feed name="debian-9">
    <disabled>no</disabled>
    <path>/home/debian-9-oval.xml</path>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="redhat-7">
    <disabled>no</disabled>
    <url port="443">https://myserver.com/redhat-7-oval.xml</url>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="ubuntu-16">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <allow>linux mint-18, ubuntu-15</allow>
  </feed>
</wodle>

Note

See the Vulnerability detector section to obtain more information about this module.