wodle name="vulnerability-detector"
New in version 3.2.0.
Configuration options of the Vulnerability detector wodle.
Options
Note
Since Wazuh 3.5 the options update_ubuntu_oval and update_redhat_oval are deprecated. It is recommended to use feed instead.
Options | Allowed values
---|---
disabled | yes, no
interval | A positive number (seconds)
run_on_start | yes, no
ignore_time | A positive number (seconds)
feed | An update configuration
disabled
Disable the Vulnerability detector wodle.
Default value | no
Allowed values | yes, no

interval
Time between vulnerability detections.
Default value | 5m
Allowed values | A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start
Runs updates and detections immediately when the service is started.
Default value | yes
Allowed values | yes, no

ignore_time
Time during which vulnerabilities that have already been alerted on are ignored.
Default value | 6 hours
Allowed values | A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).
feed
Configuration block that specifies vulnerability updates. Each feed has a name attribute that tells Vulnerability detector which OS the feed covers.
OS | Value
---|---
Ubuntu | ubuntu-12, ubuntu-14, ubuntu-16, ubuntu-18
Red Hat 5/6/7, CentOS 5/6/7, Amazon Linux 1/2 | redhat
Debian | debian-7, debian-8, debian-9
Example:
<feed name="ubuntu-18">
    ...
</feed>
Each feed has its own options. The allowed options are:

disabled
Disable the update configuration.
Allowed values | yes, no

update_interval
How often the vulnerability database is updated.
Default value | 1 hour
Allowed values | A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

url
Link to an alternative OVAL file.
Allowed values | Links to the feed DB obtained from the Red Hat API, Canonical or Debian.
Allowed tags | port: Server port where the OVAL file is located. Allowed values: any valid port. Default is 443.

path
Path to an alternative OVAL file.
Allowed values | Path to an OVAL file obtained from Red Hat, Canonical or Debian.

allow
Allows the vulnerability database to be used with agents running a different operating system.
Allowed values | List of operating systems that are allowed to use this OVAL. Example: "linux mint-12, ubuntu-17".

update_from_year
Only for Red Hat. The feed is updated starting from this year.
Default value | 2010
Allowed values | A valid year greater than 1998.
Example of configuration
The following configuration allows you to use the vulnerability database for Debian 9, Red Hat (since 2018) and Ubuntu 18 agents. It also allows you to extract vulnerabilities from agents with Linux Mint 18.X and Ubuntu 17.X using the Ubuntu 18 vulnerability database.
<wodle name="vulnerability-detector">
  <!-- "no" enables the module; with "yes" none of the feeds below are used -->
  <disabled>no</disabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-18">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <!-- agents reporting these OS versions are checked against the Ubuntu 18 database -->
    <allow>linux mint-18, ubuntu-17</allow>
  </feed>
  <feed name="redhat">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <update_from_year>2014</update_from_year>
  </feed>
  <feed name="debian-9">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
  </feed>
</wodle>
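As an added example (my own code, not part of the Wazuh documentation or project), the following Python checker parses a wodle block like the one above and reports values that fall outside the allowed values listed on this page, plus two silent misconfigurations: a module-level disabled of yes, and no enabled feed. The sample XML is constructed and carries two deliberate mistakes.

```python
import re
import xml.etree.ElementTree as ET
# Allowed values taken from the option tables on this page.
FEED_NAMES = {"ubuntu-12", "ubuntu-14", "ubuntu-16", "ubuntu-18",
              "redhat", "debian-7", "debian-8", "debian-9"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Seconds for a '<number><s|m|h|d>' string such as '5m'; None if malformed."""
    m = re.fullmatch(r"(\d+)([smhd])", (value or "").strip())
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def text(el, tag, default=""):
    # Stripped text of child <tag>, or default when the child is absent.
    return (el.findtext(tag, default) or "").strip()

def check_wodle(xml_text):
    """Return a list of problems found in a vulnerability-detector wodle block."""
    root = ET.fromstring(xml_text)
    if root.tag != "wodle" or root.get("name") != "vulnerability-detector":
        return ['root element is not <wodle name="vulnerability-detector">']
    problems = []
    for tag in ("disabled", "run_on_start"):
        if text(root, tag, "no") not in ("yes", "no"):
            problems.append(f"{tag}: expected yes or no")
    for tag in ("interval", "ignore_time"):
        if root.find(tag) is not None and parse_time(text(root, tag)) is None:
            problems.append(f"{tag}: expected a number with suffix s, m, h or d")
    if text(root, "disabled", "no") == "yes":
        problems.append("disabled is yes: the module will not run")
    enabled = 0
    for feed in root.findall("feed"):
        name = feed.get("name", "")
        if name not in FEED_NAMES:
            problems.append(f"feed {name!r}: unknown feed name")
        enabled += text(feed, "disabled", "no") == "no"  # absent means enabled
        ui = feed.find("update_interval")
        if ui is not None and parse_time(ui.text) is None:
            problems.append(f"feed {name!r}: bad update_interval {ui.text!r}")
        year = text(feed, "update_from_year")
        if year and name != "redhat":
            problems.append(f"feed {name!r}: update_from_year is only for redhat")
        elif year and not (year.isdigit() and int(year) > 1998):
            problems.append(f"feed {name!r}: update_from_year must be after 1998")
    if not enabled:
        problems.append("no enabled feed: nothing to detect against")
    return problems
# Constructed sample: the page's example with two deliberate mistakes.
SAMPLE = """<wodle name="vulnerability-detector"><disabled>no</disabled><interval>5m</interval>
  <ignore_time>6h</ignore_time><run_on_start>yes</run_on_start>
  <feed name="ubuntu-18"><update_interval>1h</update_interval><update_from_year>2014</update_from_year></feed>
  <feed name="redhat"><update_interval>1 hour</update_interval></feed></wodle>"""
```

Running `check_wodle(SAMPLE)` reports the update_from_year placed on a non-Red Hat feed and the update_interval written without a unit suffix.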
Note
See the Vulnerability detector section to obtain more information about this module.