vulnerability-detector
This section covers the configuration for the Vulnerability detection module.
Options

Option | Allowed values
---|---
enabled | yes, no
interval | A positive number of seconds, or a number with a time-unit suffix (s, m, h, d)
run_on_start | yes, no
min_full_scan_interval | A positive number of seconds, or a number with a time-unit suffix (s, m, h, d)
retry_interval | A positive number of seconds, or a number with a time-unit suffix (s, m, h, d)
provider | A valid vulnerability vendor
enabled
Enables the module.
Default value | no
Allowed values | yes, no
interval
Time between vulnerability scans.
Default value | 5m
Allowed values | A positive number followed by a time-unit suffix: s (seconds), m (minutes), h (hours) or d (days).
run_on_start
Runs the feed updates and a vulnerability scan immediately when the service starts.
Default value | yes
Allowed values | yes, no
min_full_scan_interval
Minimum time between two full scans. A full scan is not repeated within this window even if the vulnerability database is updated; once the window expires, the next full scan runs only if the CVE database has changed since the previous one.
Default value | 6h (6 hours)
Allowed values | A positive number followed by a time-unit suffix: s (seconds), m (minutes), h (hours) or d (days).
retry_interval
Time to wait after a scan completes before retrying the agents that could not be scanned.
Default value | 30s (30 seconds)
Allowed values | A positive number followed by a time-unit suffix: s (seconds), m (minutes), h (hours) or d (days).
provider
Configuration block that defines a vulnerability information provider and how its feeds are updated.

Note
The NVD provider must always be enabled, because it aggregates the vulnerabilities of every supported OS. Otherwise the scanner does not work properly.

Allowed attributes of provider

Attribute | Description | Allowed values
---|---|---
name | Defines the vulnerability information provider. | canonical, debian, redhat, arch, alas, msu, suse, almalinux, nvd

Allowed tags of provider

enabled
Enables the vulnerability provider update.
Default value | no
Allowed values | yes, no

os
Feed to update. The allowed values depend on the provider:

provider | feed (release)
---|---
canonical | trusty / 14, xenial / 16, bionic / 18, focal / 20, jammy / 22
debian | buster / 10, bullseye / 11, bookworm / 12
alas | amazon-linux / 1, amazon-linux-2 / 2, amazon-linux-2022 / 2022, amazon-linux-2023 / 2023
redhat | 5, 6, 7, 8, 9
suse | 11-server, 11-desktop, 12-server, 12-desktop, 15-server, 15-desktop
almalinux | 8, 9
arch | none (this provider takes no os tag)
msu | none (this provider takes no os tag)
nvd | none (this provider takes no os tag)

Allowed attributes of os

update_interval
How often the vulnerability database of this feed is updated. It takes priority over the update_interval tag of the provider block.
Default value | The value of the update_interval tag of the provider block.
Allowed values | A positive number followed by a time-unit suffix: s (seconds), m (minutes), h (hours) or d (days).

url
Defines the link to an alternative OVAL or ALAS file.
Allowed values | Link to the feed to be downloaded. See offline update for more information.

path
Defines the path to an alternative OVAL or ALAS file.
Allowed values | Path where the feed is located. See offline update for more information.

port
Defines the connection port used together with the url attribute.
Allowed values | A valid port.

allow
Defines compatibility with unsupported systems.
Allowed values | A valid operating system not supported by default. You can find a guide on how to set it up here.

update_interval
How often the vulnerabilities of the provider are updated. The update_interval attribute of an os tag, when present, overrides this value for that feed.
Default value | 1h (1 hour)
Allowed values | A positive number followed by a time-unit suffix: s (seconds), m (minutes), h (hours) or d (days).

download_timeout
Download timeout in seconds.
Default value | 300
Allowed values | A positive number of seconds.

url
Defines the link to alternative feed files. The allowed values depend on the provider:

provider | value
---|---
redhat | Parameterized link to download the feed files obtained from the Red Hat Security Data API. You can find a guide on how to set it up here.
nvd | Parameterized link to download the feed files obtained from the National Vulnerability Database. You can find a guide on how to set it up here.
arch | Parameterized link to download the feed file obtained from Arch Security. You can find a guide on how to set it up here.
msu | Parameterized link to download the feed file obtained from the Wazuh feed. You can find a guide on how to set it up here.
debian | Parameterized link to download the feed files obtained from the Debian Security Tracker. You can find a guide on how to set it up here.

Allowed attributes of url

start
Defines the first value with which the placeholder tag in the parameterized link is substituted.
Allowed values | A numeric value that, substituted for the tag, forms a valid link.

end
Defines the last value with which the placeholder tag in the parameterized link is substituted.
Allowed values | A numeric value that, substituted for the tag, forms a valid link.

port
Defines the connection port.
Allowed values | A valid port.

path
Defines the path to an alternative feed file. The allowed values depend on the provider:

provider | value
---|---
redhat | Path with a regular expression that matches the feed files obtained from the Red Hat Security Data API.
nvd | Path with a regular expression that matches the feed files obtained from the National Vulnerability Database.
arch | Path with a regular expression that matches the feed file obtained from Arch Security.
msu | Path with a regular expression that matches the feed file obtained from the Wazuh feed.
debian | Path with a regular expression that matches the feed files obtained from the Debian Security Tracker.
Example of configuration
The following configuration updates the vulnerability database for Ubuntu, Debian, Red Hat, Amazon Linux, Arch, SUSE Linux Enterprise, AlmaLinux and Microsoft Windows, plus the NVD aggregate feed that the scanner requires.
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>yes</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<os>jammy</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>yes</enabled>
<os>buster</os>
<os>bullseye</os>
<os>bookworm</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>yes</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<os>amazon-linux-2022</os>
<os>amazon-linux-2023</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- SUSE Linux Enterprise OS vulnerabilities -->
<provider name="suse">
<enabled>yes</enabled>
<os>11-server</os>
<os>11-desktop</os>
<os>12-server</os>
<os>12-desktop</os>
<os>15-server</os>
<os>15-desktop</os>
<update_interval>1h</update_interval>
</provider>
<!-- AlmaLinux OS vulnerabilities -->
<provider name="almalinux">
<enabled>yes</enabled>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
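The following script is an added example and not part of this page or of Wazuh's own code. It parses a constructed vulnerability-detector block with the standard library's xml.etree, checks it against the rules documented above (yes/no flags, time values, documented feed names per provider, and the requirement that the nvd provider be enabled), and resolves the update interval that effectively applies to each feed: an update_interval attribute on an os tag overrides the provider's update_interval tag, which itself defaults to one hour. The sample configuration, the FEEDS table and the function names are the example's own assumptions.

```python
# Added example (not Wazuh's own code): lint a <vulnerability-detector> block
# against the rules documented on this page and resolve the update interval
# that effectively applies to each feed. The sample configuration is constructed.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the "jammy" feed overrides the provider-level interval and
# the nvd provider is deliberately disabled so the lint has something to flag.
SAMPLE_CONF = """<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <os update_interval="30m">jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>9</os>
    </provider>
    <provider name="nvd">
      <enabled>no</enabled>
    </provider>
  </vulnerability-detector>
</ossec_config>"""

# Feeds documented on this page; providers mapped to an empty set take no <os> tag.
FEEDS = {
    "canonical": {"trusty", "xenial", "bionic", "focal", "jammy"},
    "debian": {"buster", "bullseye", "bookworm"},
    "alas": {"amazon-linux", "amazon-linux-2", "amazon-linux-2022", "amazon-linux-2023"},
    "redhat": {"5", "6", "7", "8", "9"},
    "suse": {"11-server", "11-desktop", "12-server", "12-desktop", "15-server", "15-desktop"},
    "almalinux": {"8", "9"},
    "arch": set(), "msu": set(), "nvd": set(),
}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
TIME_RE = re.compile(r"^(\d+)([smhd]?)$")  # bare number = seconds, as in the options table


def parse_interval(text):
    """Seconds for a value such as '5m', '6h' or '300'; ValueError for anything else."""
    match = TIME_RE.match((text or "").strip())
    if not match:
        raise ValueError(f"bad time value: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2) or "s"]


def effective_update_intervals(provider):
    """Feed -> seconds for one <provider> element: the os tag's update_interval
    attribute wins over the provider's <update_interval> tag, which defaults to 1 hour."""
    node = provider.find("update_interval")
    provider_interval = parse_interval(node.text) if node is not None else 3600
    intervals = {}
    for os_tag in provider.findall("os"):
        override = os_tag.get("update_interval")
        intervals[(os_tag.text or "").strip()] = parse_interval(override) if override else provider_interval
    return intervals


def all_update_intervals(conf_xml):
    """Effective interval per provider and feed for a whole configuration string."""
    vd = ET.fromstring(conf_xml).find("vulnerability-detector")
    return {p.get("name"): effective_update_intervals(p) for p in vd.findall("provider")}


def lint(conf_xml):
    """Findings against the documented rules; an empty list means the block passes."""
    findings = []
    vd = ET.fromstring(conf_xml).find("vulnerability-detector")
    for tag in ("enabled", "run_on_start"):
        node = vd.find(tag)
        if node is not None and (node.text or "").strip() not in ("yes", "no"):
            findings.append(f"<{tag}> must be yes or no, got {node.text!r}")
    for tag in ("interval", "min_full_scan_interval", "retry_interval"):
        node = vd.find(tag)
        if node is not None:
            try:
                parse_interval(node.text)
            except ValueError as exc:
                findings.append(f"<{tag}>: {exc}")
    nvd_enabled = False
    for provider in vd.findall("provider"):
        name = provider.get("name")
        if name not in FEEDS:
            findings.append(f"unknown provider name {name!r}")
            continue
        if name == "nvd" and provider.findtext("enabled", "no").strip() == "yes":
            nvd_enabled = True
        for os_tag in provider.findall("os"):
            feed = (os_tag.text or "").strip()
            if feed not in FEEDS[name]:
                findings.append(f"provider {name}: feed {feed!r} is not a documented value")
        try:
            effective_update_intervals(provider)
        except ValueError as exc:
            findings.append(f"provider {name}: {exc}")
    if not nvd_enabled:
        findings.append("the nvd provider must be enabled, otherwise the scanner does not work")
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE_CONF), all_update_intervals(SAMPLE_CONF))
```

Run on the sample, lint reports only the disabled nvd provider, and all_update_intervals shows focal inheriting the provider's 1h while jammy uses its own 30m; the redhat provider, which sets no interval at all, falls back to the documented one-hour default.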
Note
See the Vulnerability detector section to obtain more information about this module.