vulnerability-detector
New in version 3.2.0.
This section covers the configuration for the Vulnerability detection module.
XML section name
<vulnerability-detector>
</vulnerability-detector>
Options

| Options | Allowed values |
|---|---|
| enabled | yes, no |
| interval | A positive number (seconds) |
| run_on_start | yes, no |
| ignore_time | A positive number (seconds) |
| provider | A valid vulnerability vendor |
interval
Time between vulnerability scans.

| Default value | 5m |
|---|---|
| Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
run_on_start
Runs updates and vulnerability scans immediately when the service is started.

| Default value | yes |
|---|---|
| Allowed values | yes, no |
ignore_time
Time during which vulnerabilities that have already been alerted will be ignored.

| Default value | 6 hours |
|---|---|
| Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |
provider

Note
The NVD provider must always be enabled, since it aggregates vulnerabilities for all the supported OS. Otherwise, the scanner will not work properly.

Configuration block to specify vulnerability updates.

Allowed tags:

name
Defines a vulnerability information provider.

| Allowed values | canonical, debian, redhat, msu, nvd |
|---|---|

enabled
Enables the vulnerability provider update.

| Default value | no |
|---|---|
| Allowed values | yes, no |

os
Feed to update.

Allowed values:

| provider | feed |
|---|---|
| canonical | trusty / 14, xenial / 16, bionic / 18, focal / 20 |
| debian | stretch / 9, buster / 10 |
| redhat | 5, 6, 7, 8 |
| msu | |
| nvd | |

Allowed tags:

update_interval
How often the vulnerability database is updated. It has priority over the update_interval option of the provider block.

| Default value | The value indicated by the update_interval option of the provider block. |
|---|---|
| Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |

url
Defines the link to an alternative OVAL file.

| Allowed values | Link to download the OVAL file obtained from Canonical, Debian or Red Hat. |
|---|---|

path
Defines the path to an alternative OVAL file.

| Allowed values | Path where the OVAL file obtained from Canonical, Debian or Red Hat is located. |
|---|---|

port
Defines the connection port when using the

| Allowed values | A valid port. |
|---|---|

allow
Defines compatibility with unsupported systems.

| Allowed values | A valid operating system not supported by default. You can find a guide on how to set it up here. |
|---|---|

update_interval
How often the vulnerabilities of the provider are updated. It can be overwritten by the attribute with the same name of

| Default value | 1 hour. |
|---|---|
| Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days). |

download_timeout
Download timeout in seconds.

| Default value | 300 |
|---|---|
| Allowed values | A positive number to indicate the timeout in seconds. |

update_from_year
Year from which the provider will be updated.

| Default value | |
|---|---|

Allowed values:

| provider | value |
|---|---|
| redhat | |
| nvd | A valid year greater than or equal to 2002. |
| msu | |
| canonical | |
| debian | |

url
Defines the link to alternative feed files.

Allowed values:

| provider | value |
|---|---|
| redhat | Parameterized link to download the feed files obtained from the Red Hat Security Data API. You can find a guide on how to set it up here. |
| nvd | Parameterized link to download the feed files obtained from the National Vulnerability Database. You can find a guide on how to set it up here. |
| msu | Parameterized link to download the feed file obtained from the Wazuh feed. You can find a guide on how to set it up here. |
| canonical | Use the |
| debian | Parameterized link to download the feed files obtained from the Debian Security Tracker. You can find a guide on how to set it up here. |

Allowed tags:

start
Defines the first value with which the tag will be substituted.

| Allowed values | A numeric value that, substituted into the tag, forms a valid link. |
|---|---|

end
Defines the last value with which the tag will be substituted.

| Allowed values | A numeric value that, substituted into the tag, forms a valid link. |
|---|---|

port
Defines the connection port.

| Allowed values | A valid port. |
|---|---|

path
Defines the path to alternative feed files.

Allowed values:

| provider | value |
|---|---|
| redhat | Path with a regular expression that matches the feed files obtained from the Red Hat Security Data API. |
| nvd | Path with a regular expression that matches the feed files obtained from the National Vulnerability Database. |
| msu | Path with a regular expression that matches the feed file obtained from the Wazuh feed. |
| canonical | Use the |
| debian | Path with a regular expression that matches the feed files obtained from the Debian Security Tracker. |
Example of configuration
The following configuration will update the vulnerability database for Ubuntu, Debian, Redhat and Microsoft Windows.
<vulnerability-detector>
  <enabled>no</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>

  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>no</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Debian OS vulnerabilities -->
  <provider name="debian">
    <enabled>no</enabled>
    <os>stretch</os>
    <os>buster</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- RedHat OS vulnerabilities -->
  <provider name="redhat">
    <enabled>no</enabled>
    <os>5</os>
    <os>6</os>
    <os>7</os>
    <os>8</os>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
Note
See the Vulnerability detector section to obtain more information about this module.
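A check of a vulnerability-detector block against the rules in the tables above, added here as an example; it is not part of the Wazuh documentation or code base. It parses the block with Python's standard library and reports values the tables disallow, including a disabled nvd provider; the provider names, os values and the 2002 floor for nvd come from this page, while `lint_vulnerability_detector` and the `SAMPLE` block are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical linter (not part of Wazuh) for the rules in the tables above: time
# values need an s/m/h/d suffix, <os> values depend on the provider, and nvd must be on.
TIME_RE = re.compile(r"^[0-9]+[smhd]$")
ALLOWED_OS = {
    "canonical": {"trusty", "xenial", "bionic", "focal"},
    "debian": {"stretch", "buster"},
    "redhat": {"5", "6", "7", "8"},
    "msu": set(),
    "nvd": set(),
}

def lint_vulnerability_detector(xml_text):
    root = ET.fromstring(xml_text)
    problems = []
    for tag in ("interval", "ignore_time"):
        value = root.findtext(tag)
        if value is not None and not TIME_RE.match(value):
            problems.append(f"<{tag}> needs a number with suffix s/m/h/d, got {value!r}")
    nvd_enabled = False
    for prov in root.findall("provider"):
        name = prov.get("name")
        if name not in ALLOWED_OS:
            problems.append(f"unknown provider name {name!r}")
            continue
        if name == "nvd" and prov.findtext("enabled") == "yes":
            nvd_enabled = True
        for os_node in prov.findall("os"):
            if (os_node.text or "").strip() not in ALLOWED_OS[name]:
                problems.append(f"provider {name}: unsupported <os> {os_node.text!r}")
        # update_interval lives on the provider and may be overridden per <os> attribute.
        intervals = [prov.findtext("update_interval")] + [o.get("update_interval") for o in prov.findall("os")]
        for value in intervals:
            if value is not None and not TIME_RE.match(value):
                problems.append(f"provider {name}: bad update_interval {value!r}")
        year = prov.findtext("update_from_year")
        if name == "nvd" and year is not None and (not year.isdigit() or int(year) < 2002):
            problems.append(f"provider nvd: update_from_year must be >= 2002, got {year!r}")
    if not nvd_enabled:
        problems.append("provider nvd must be enabled: it aggregates vulnerabilities for all supported OS")
    return problems

# Constructed sample carrying four mistakes; the page's own example lints clean.
SAMPLE = """<vulnerability-detector>
  <enabled>yes</enabled><interval>5 minutes</interval><ignore_time>6h</ignore_time>
  <provider name="debian"><enabled>yes</enabled><os>jessie</os></provider>
  <provider name="nvd"><enabled>no</enabled><update_from_year>1999</update_from_year></provider>
</vulnerability-detector>"""
```

Running `lint_vulnerability_detector(SAMPLE)` returns one message per mistake, so the check can be wired into a deployment pipeline before the configuration reaches the manager.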