wodle name=”vulnerability-detector”

New in version 3.2.0.

XML section name

<wodle name="vulnerability-detector">
</wodle>

Configuration options of the Vulnerability detector wodle.

Options

Note

Since Wazuh 3.5 the options update_ubuntu_oval and update_redhat_oval are deprecated. It is recommended to use feed instead.

Options

Allowed values

disabled

yes, no

interval

A positive number (seconds)

run_on_start

yes, no

ignore_time

A positive number (seconds)

feed

An update configuration

disabled

Disable the Vulnerability detector wodle.

Default value

no

Allowed values

yes, no

interval

Time between vulnerabilities detections.

Default value

5m

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs updates and detections immediately when service is started.

Default value

yes

Allowed values

yes, no

ignore_time

Time during which vulnerabilities that have already been alerted will be ignored.

Default value

6 hours

Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

feed

Configuration block to specify vulnerability updates. Each feed has the tag name, this tag tells Vulnerability detector about the OS.

OS

Value

Ubuntu

ubuntu-12, ubuntu-14, ubuntu-16, ubuntu-18

Red Hat 5/6/7

redhat

CentOS 5/6/7

redhat

Amazon Linux 1/2

redhat

Debian

debian-7, debian-8, debian-9

Example:

<feed name="ubuntu-18">
  ...
</feed>

Each feed has it own options, here you can see the allowed options:

disabled

Disable the update configuration.

Allowed values

yes, no

update_interval

How often the vulnerability database is updated.

Default value

1 hour.

Allowed values

A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Link to an alternative OVAL file.

Allowed values

Links to OVAL file obtained from Red Hat, Canonical or Debian. The download server must use HTTPS.

Allowed tags

port

Server port where the OVAL file is located.

Allowed values

Any valid port. Default is 443.

path

Path to an alternative OVAL file.

Allowed values

Path to OVAL file obtained from Red Hat, Canonical or Debian.

allow

Allows you to use the vulnerability database with agents with different operating system.

Allowed values

List of operating systems that will allow the use of this OVAL. Example: “linux mint-12, ubuntu-17”.

update_from_year

Only for Red Hat. The feed will be updated from this year.

Default value

2010

Allowed values

A valid year and greater than 1998.

Example of configuration

The following configuration allows you to use the vulnerability database for Debian 9, Red Hat (since 2018) and Ubuntu 18 agents. It also allows you to extract vulnerabilities from agents with Linux Mint 18.X and Ubuntu 17.X using the Ubuntu 18 vulnerability database.

<wodle name="vulnerability-detector">
  <disabled>yes</disabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-18">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <allow>linux mint-18, ubuntu-17</allow>
  </feed>
  <feed name="redhat">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <update_from_year>2014</update_from_year>
  </feed>
  <feed name="debian-9">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
  </feed>
</wodle>

Note

See the Vulnerability detector section to obtain more information about this module.