vulnerability-detector

New in version 3.2.0.

This section covers the configuration for the Vulnerability detection module.

Options

Option | Allowed values
--- | ---
enabled | yes, no
interval | A positive number (seconds)
run_on_start | yes, no
ignore_time | A positive number (seconds)
provider | A valid vulnerability vendor

enabled

Enables the module.

Default value | no
Allowed values | yes, no

interval

Time between vulnerability scans.

Default value | 5m
Allowed values | A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs updates and vulnerability scans immediately when the service is started.

Default value | yes
Allowed values | yes, no

ignore_time

Time during which vulnerabilities that have already been alerted on are ignored (not alerted on again).

Default value | 6 hours
Allowed values | A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

provider

Configuration block to specify vulnerability updates.

Note

The NVD provider must always be enabled, since it aggregates vulnerabilities for all the supported operating systems. Otherwise, the scanner will not work properly.

Allowed tags

name

Defines a vulnerability information provider.

Allowed values | canonical, debian, redhat, msu, nvd

enabled

Enables the vulnerability provider update.

Default value | no
Allowed values | yes, no

os

Feed to update.

Allowed values

provider | feed
--- | ---
canonical | trusty / 14, xenial / 16, bionic / 18, focal / 20
debian | stretch / 9, buster / 10
redhat | 5, 6, 7, 8
msu | Does not use this option.
nvd | Does not use this option.

Allowed tags (attributes of <os>)

update_interval

How often the vulnerability database for this feed is updated. It takes priority over the update_interval option of the enclosing provider block.

Default value | The value of the update_interval option of the provider block.
Allowed values | A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Defines the link to an alternative OVAL file.

Allowed values | Link to download the OVAL file obtained from Canonical, Debian or Red Hat.

path

Defines the path to an alternative OVAL file.

Allowed values | Path where the OVAL file obtained from Canonical, Debian or Red Hat is located.

port

Defines the connection port when using the url attribute.

Allowed values | A valid port.

allow

Defines compatibility with unsupported systems.

Allowed values | A valid operating system not supported by default. You can find a guide on how to set it up here.

update_interval

How often the vulnerabilities of the provider are updated. It can be overridden by the attribute of the same name on <os>.

Default value | 1 hour
Allowed values | A positive number with a suffix character indicating the time unit: s (seconds), m (minutes), h (hours) or d (days).

download_timeout

Download timeout in seconds.

Default value | 300
Allowed values | A positive number indicating the timeout in seconds.

update_from_year

Year from which the provider will be updated.

Default value

Allowed values

provider | value
--- | ---
redhat | Does not use this option.
nvd | A valid year greater than or equal to 2002.
msu | Does not use this option.
canonical | Does not use this option.
debian | Does not use this option.

url

Defines the link to alternative feed files.

Allowed values

provider | value
--- | ---
redhat | Parameterized link to download the feed files obtained from the Red Hat Security Data API. You can find a guide on how to set it up here.
nvd | Parameterized link to download the feed files obtained from the National Vulnerability Database. You can find a guide on how to set it up here.
msu | Parameterized link to download the feed file obtained from the Wazuh feed. You can find a guide on how to set it up here.
canonical | Use the url attribute of <os> instead.
debian | Parameterized link to download the feed files obtained from the Debian Security Tracker. You can find a guide on how to set it up here.

Allowed tags

start

Defines the first value with which the tag in the parameterized link is substituted.

Allowed values | A numeric value that, substituted for the tag, forms a valid link.

end

Defines the last value with which the tag in the parameterized link is substituted.

Allowed values | A numeric value that, substituted for the tag, forms a valid link.

port

Defines the connection port.

Allowed values | A valid port.

path

Defines the path to alternative feed files.

Allowed values

provider | value
--- | ---
redhat | Path with a regular expression that matches the feed files obtained from the Red Hat Security Data API.
nvd | Path with a regular expression that matches the feed files obtained from the National Vulnerability Database.
msu | Path with a regular expression that matches the feed file obtained from the Wazuh feed.
canonical | Use the path attribute of <os> instead.
debian | Path with a regular expression that matches the feed files obtained from the Debian Security Tracker.

Example of configuration

The following configuration updates the vulnerability database for Ubuntu, Debian, Red Hat and Microsoft Windows. Note that, as written, the module itself and the canonical, debian and redhat providers have <enabled> set to no; set those to yes to activate the module and the corresponding feed updates.

<vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>
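As an added example (not part of the Wazuh documentation or code base), the following Python script lints a <vulnerability-detector> block against the constraints listed on this page: duration values need a unit suffix, <os> feeds must be ones the provider supports unless the allow attribute is used, update_from_year applies to nvd and must be at least 2002, and the nvd provider must be enabled. The sample block and the lint function are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
DURATION = re.compile(r"^\d+[smhd]$")  # durations need a unit suffix: s, m, h or d
OS_FEEDS = {  # <os> feeds accepted per provider, from the <os> table on this page
    "canonical": {"trusty", "xenial", "bionic", "focal", "14", "16", "18", "20"},
    "debian": {"stretch", "buster", "9", "10"},
    "redhat": {"5", "6", "7", "8"},
}
# Constructed, deliberately misconfigured sample input (not from a real deployment).
SAMPLE = """<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5</interval>
  <provider name="debian">
    <enabled>yes</enabled>
    <os>buster</os>
    <os>jessie</os>
  </provider>
  <provider name="nvd">
    <enabled>no</enabled>
    <update_from_year>1999</update_from_year>
  </provider>
</vulnerability-detector>"""
def lint(xml_text):
    """Return a list of findings for one <vulnerability-detector> block."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("interval", "ignore_time"):
        value = root.findtext(tag)
        if value is not None and not DURATION.match(value.strip()):
            findings.append(f"{tag}: '{value}' needs a unit suffix s/m/h/d")
    nvd_enabled = False
    for prov in root.findall("provider"):
        name = prov.get("name", "")
        enabled = (prov.findtext("enabled") or "no").strip() == "yes"
        for os_el in prov.findall("os"):
            feed = (os_el.text or "").strip()
            # allow="..." marks an officially unsupported system, so skip the feed check
            if os_el.get("allow") is None and feed not in OS_FEEDS.get(name, set()):
                findings.append(f"{name}: unsupported feed '{feed}'")
        interval = prov.findtext("update_interval")
        if interval is not None and not DURATION.match(interval.strip()):
            findings.append(f"{name}: update_interval '{interval}' needs a unit suffix")
        if name == "nvd":
            nvd_enabled = enabled
            year = (prov.findtext("update_from_year") or "2002").strip()
            if not year.isdigit() or int(year) < 2002:
                findings.append("nvd: update_from_year must be >= 2002")
    if not nvd_enabled:
        findings.append("nvd: provider must be enabled; it aggregates every supported OS feed")
    return findings
```

Run lint() over the <vulnerability-detector> block of an ossec.conf before deploying it; an empty list means none of the page's constraints were violated.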

Note

See the Vulnerability detector section for more information about this module.