vulnerability-detector

This section covers the configuration for the Vulnerability detection module.

Options

Options | Allowed values
enabled | yes, no
interval | A positive number (seconds)
run_on_start | yes, no
min_full_scan_interval | A positive number (seconds)
retry_interval | A positive number (seconds)
provider | A valid vulnerability vendor

enabled

Enables the module.

Default value | no
Allowed values | yes, no

interval

Time between vulnerability scans.

Default value | 5m
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs updates and vulnerability scans immediately when the service starts.

Default value | yes
Allowed values | yes, no

min_full_scan_interval

The minimum time between full scans: during this period a full scan is not performed even if the vulnerability database is updated. Once it expires, a full scan is performed only if the CVE database has changed.

Default value | 6 hours
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

retry_interval

The time to wait after a scan completes before retrying the agents that could not be scanned.

Default value | 30 seconds
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours), or d (days).

provider

Note

The NVD provider must always be enabled since it aggregates vulnerabilities for all the supported operating systems. Otherwise, the scanner will not work properly.

Configuration block to specify vulnerability updates.

Allowed tags

name

Defines a vulnerability information provider.

Allowed values | canonical, debian, redhat, arch, alas, msu, suse, nvd

enabled

Enables the vulnerability provider update.

Default value | no
Allowed values | yes, no

os

Feed to update.

Allowed values

provider | feed
canonical | trusty / 14, xenial / 16, bionic / 18, focal / 20, jammy / 22
debian | buster / 10, bullseye / 11
alas | amazon-linux / 1, amazon-linux-2 / 2
redhat | 5, 6, 7, 8, 9
suse | 11-server, 11-desktop, 12-server, 12-desktop, 15-server, 15-desktop
arch | Does not use this option.
msu | Does not use this option.
nvd | Does not use this option.

Allowed attributes

update_interval

How often the vulnerability database is updated. It takes priority over the update_interval option of the provider block.

Default value | The value indicated by the update_interval option of the provider block.
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Defines the link to an alternative OVAL or ALAS file.

Allowed values | Link to the feed to be downloaded. See offline update for more information.

path

Defines the path to an alternative OVAL or ALAS file.

Allowed values | Path where the feed is located. See offline update for more information.

port

Defines the connection port when using the url attribute.

Allowed values | A valid port.

allow

Defines compatibility with unsupported systems.

Allowed values | A valid operating system not supported by default. You can find a guide on how to set it up here.

update_interval

How often the vulnerabilities of the provider are updated. It can be overridden by the attribute of the same name in <os>.

Default value | 1 hour.
Allowed values | A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

download_timeout

Download timeout in seconds.

Default value | 300
Allowed values | A positive number to indicate the timeout in seconds.

update_from_year

Year from which the provider will be updated.

Default value

Allowed values

provider | value
redhat | Does not use this option.
nvd | A valid year greater than or equal to 2002.
arch | Does not use this option.
alas | Does not use this option.
msu | Does not use this option.
suse | Does not use this option.
canonical | Does not use this option.
debian | Does not use this option.

url

Defines the link to alternative feed files.

Allowed values

provider | value
redhat | Parameterized link to download the feed files obtained from Red Hat Security Data API. You can find a guide on how to set it up here.
nvd | Parameterized link to download the feed files obtained from National Vulnerability Database. You can find a guide on how to set it up here.
arch | Parameterized link to download the feed file obtained from Arch Security. You can find a guide on how to set it up here.
msu | Parameterized link to download the feed file obtained from Wazuh feed. You can find a guide on how to set it up here.
debian | Parameterized link to download the feed files obtained from Debian Security Tracker. You can find a guide on how to set it up here.

Allowed attributes

start

Defines the first value for which the tag will be substituted.

Allowed values | A numeric value that in substitution with the tag forms a valid link.

end

Defines the last value for which the tag will be substituted.

Allowed values | A numeric value that in substitution with the tag forms a valid link.

port

Defines the connection port.

Allowed values | A valid port.

path

Defines the path to an alternative feed file.

Allowed values

provider | value
redhat | Path with regular expression that matches the feed files obtained from Red Hat Security Data API.
nvd | Path with regular expression that matches the feed files obtained from National Vulnerability Database.
arch | Path with regular expression that matches the feed file obtained from Arch Security.
msu | Path with regular expression that matches the feed file obtained from Wazuh feed.
debian | Path with regular expression that matches the feed files obtained from Debian Security Tracker.

Example of configuration

The following configuration updates the vulnerability database for Ubuntu, Debian, Red Hat, Amazon Linux, Arch, and Microsoft Windows.

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE Linux Enterprise OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>
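A small checker, added here as an example and not part of Wazuh itself, that reads a <vulnerability-detector> block and reports the rule violations this page describes: time values without an s/m/h/d suffix, <os> feeds that a provider does not list, update_from_year outside the NVD-only range, and the NVD provider not being enabled. The sample configuration inside it is constructed for the demonstration, and the feed sets are taken from the tables above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): bad interval suffix, unknown Ubuntu feed, NVD disabled, year < 2002.
SAMPLE = """<vulnerability-detector>
  <interval>5 minutes</interval>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>focal</os>
    <os>warty</os>
  </provider>
  <provider name="nvd">
    <enabled>no</enabled>
    <update_from_year>1999</update_from_year>
  </provider>
</vulnerability-detector>"""

TIME_RE = re.compile(r"^\d+[smhd]$")  # positive number plus s/m/h/d suffix
# <os> feeds the page lists per provider; arch, msu and nvd take no <os> tag.
FEEDS = {
    "canonical": {"trusty", "xenial", "bionic", "focal", "jammy"},
    "debian": {"buster", "bullseye"},
    "alas": {"amazon-linux", "amazon-linux-2"},
    "redhat": {"5", "6", "7", "8", "9"},
    "suse": {"11-server", "11-desktop", "12-server", "12-desktop", "15-server", "15-desktop"},
}

def check_config(xml_text):
    # Returns the list of rule violations found in a <vulnerability-detector> block.
    root = ET.fromstring(xml_text)
    problems = []
    for tag in ("interval", "min_full_scan_interval", "retry_interval"):
        el = root.find(tag)
        if el is not None and not TIME_RE.match((el.text or "").strip()):
            problems.append(f"{tag}: '{el.text}' needs a number plus s/m/h/d suffix")
    nvd_on = False
    for prov in root.findall("provider"):
        name = prov.get("name")
        nvd_on |= name == "nvd" and prov.findtext("enabled", "").strip() == "yes"
        for os_el in prov.findall("os"):
            feed = (os_el.text or "").strip()
            if name not in FEEDS:
                problems.append(f"provider '{name}' does not use <os>")
            elif feed not in FEEDS[name]:
                problems.append(f"provider '{name}': unknown feed '{feed}'")
        year = prov.findtext("update_from_year", "").strip()
        if year and (name != "nvd" or not year.isdigit() or int(year) < 2002):
            problems.append(f"provider '{name}': update_from_year '{year}' is invalid")
    if not nvd_on:
        problems.append("the nvd provider must be enabled or the scanner will not work")
    return problems
```

Running check_config on the sample returns four findings; on the example configuration above it returns an empty list.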

Note

See the Vulnerability detector section to obtain more information about this module.