wodle name="vulnerability-detector"

New in version 3.2.0.

XML section name

<wodle name="vulnerability-detector">
</wodle>

Configuration options of the Vulnerability detector wodle.

Options

Note

Since Wazuh 3.5 the options update_ubuntu_oval and update_redhat_oval are deprecated. It is recommended to use feed instead.

Option          Allowed values
disabled        yes, no
interval        A positive number (seconds)
run_on_start    yes, no
ignore_time     A positive number (seconds)
feed            An update configuration

disabled

Disable the Vulnerability detector wodle.

Default value no
Allowed values yes, no

interval

Time between vulnerabilities detections.

Default value 5m
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs updates and detections immediately when service is started.

Default value yes
Allowed values yes, no

ignore_time

Time during which vulnerabilities that have already been alerted will be ignored.

Default value 6 hours
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

feed

Configuration block to specify vulnerability updates.

Allowed tags

name
    Valid distribution separated with a hyphen from its version (except Red Hat). Example: ubuntu-18.
    Allowed values
        OS       Version         Note
        ubuntu   12, 14, 16, 18
        redhat   Not required    Valid for scanning agents with Red Hat or CentOS 5/6/7 and Amazon Linux 1/2.
        debian   7, 8, 9

disabled
    Disable the update configuration.
    Allowed values yes, no

update_interval
    How often the vulnerability database is updated.
    Default value 1 hour.
    Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url
    Link to an alternative OVAL file.
    Allowed values Links to an OVAL file obtained from Red Hat, Canonical or Debian. The download server must use HTTPS.
    Allowed tags
        port    Server port where the OVAL file is located.
                Allowed values Any valid port. Default is 443.

path
    Path to an alternative OVAL file.
    Allowed values Path to an OVAL file obtained from Red Hat, Canonical or Debian.

allow
    Allows the vulnerability database to be used for agents running a different operating system.
    Allowed values List of operating systems that are allowed to use this OVAL. Example: "linux mint-12, ubuntu-17".

update_from_year
    (Only for Red Hat) The feed will be updated from this year.
    Default value 2010
    Allowed values A valid year greater than 1998.

Example of configuration

The following configuration allows you to use the vulnerability database for Debian 9, Red Hat 7 and Ubuntu 16 agents. It also allows you to extract vulnerabilities from agents with Linux Mint 18.X and Ubuntu 15.X using the Ubuntu 16 vulnerability database.

<wodle name="vulnerability-detector">
  <disabled>yes</disabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-18">
    <disabled>yes</disabled>
    <update_interval>1h</update_interval>
  </feed>
  <feed name="redhat">
    <disabled>yes</disabled>
    <update_interval>1h</update_interval>
    <update_from_year>2014</update_from_year>
  </feed>
  <feed name="debian-9">
    <disabled>yes</disabled>
    <update_interval>1h</update_interval>
  </feed>
</wodle>
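The following validator is an added example and is not part of the Wazuh documentation or the Wazuh code base. It checks a wodle block against the allowed values listed in this reference (yes/no switches, time values with an s/m/h/d suffix, the supported feed names, an HTTPS-only url, the port range, and update_from_year restricted to the redhat feed and to years greater than 1998) and returns a list of findings, so a misconfigured block can be caught before the manager is restarted. Both embedded configurations are constructed samples; the first is the Ubuntu 16 feed with an allow list for Linux Mint 18 and Ubuntu 15 agents as described in the example above, the second deliberately violates several rules. It assumes that port is given as an attribute of url (a child port element is accepted as well), which the page does not state explicitly.

```python
"""Validate a Wazuh <wodle name="vulnerability-detector"> block (added example)."""
import re
import xml.etree.ElementTree as ET

YES_NO = {"yes", "no"}
# Feed names listed on the reference page: distribution-version, except "redhat"
VALID_FEEDS = {"ubuntu-12", "ubuntu-14", "ubuntu-16", "ubuntu-18",
               "redhat", "debian-7", "debian-8", "debian-9"}
# Positive number with an s/m/h/d unit suffix; a bare number of seconds is tolerated
TIME_RE = re.compile(r"^[1-9]\d*[smhd]?$")
ALLOW_RE = re.compile(r"^[a-z ]+-\d+$")  # e.g. "linux mint-12", "ubuntu-17"


def _text(elem):
    return (elem.text or "").strip()


def _check_yes_no(parent, tag, findings):
    node = parent.find(tag)
    if node is not None and _text(node) not in YES_NO:
        findings.append(f"{tag}: expected yes or no, got {node.text!r}")


def _check_time(parent, tag, findings):
    node = parent.find(tag)
    if node is not None and not TIME_RE.match(_text(node)):
        findings.append(f"{tag}: expected a positive number with s/m/h/d suffix, got {node.text!r}")


def validate_feed(feed):
    """Return findings for one <feed name="..."> block (empty list means valid)."""
    findings = []
    name = feed.get("name", "")
    if name not in VALID_FEEDS:
        findings.append(f"feed {name!r}: not a supported feed name")
    _check_yes_no(feed, "disabled", findings)
    _check_time(feed, "update_interval", findings)

    url = feed.find("url")
    if url is not None:
        if not _text(url).lower().startswith("https://"):  # page requires HTTPS
            findings.append(f"feed {name!r}: url must use HTTPS, got {url.text!r}")
        # Assumption: port is an attribute of <url>; a child <port> is accepted too
        port = url.get("port")
        if port is None and url.find("port") is not None:
            port = _text(url.find("port"))
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"feed {name!r}: port must be 1-65535, got {port!r}")

    year = feed.find("update_from_year")
    if year is not None:
        if name != "redhat":
            findings.append(f"feed {name!r}: update_from_year is only valid for the redhat feed")
        elif not (_text(year).isdigit() and int(_text(year)) > 1998):
            findings.append(f"feed {name!r}: update_from_year must be a year greater than 1998")

    allow = feed.find("allow")
    if allow is not None:
        for entry in _text(allow).split(","):
            if not ALLOW_RE.match(entry.strip()):
                findings.append(f"feed {name!r}: allow entry {entry.strip()!r} is not <os>-<version>")
    return findings


def validate_wodle(xml_text):
    """Parse a wodle block and return all findings (empty list means valid)."""
    root = ET.fromstring(xml_text)
    if root.tag != "wodle" or root.get("name") != "vulnerability-detector":
        return ['root must be <wodle name="vulnerability-detector">']
    findings = []
    _check_yes_no(root, "disabled", findings)
    _check_yes_no(root, "run_on_start", findings)
    _check_time(root, "interval", findings)
    _check_time(root, "ignore_time", findings)
    for feed in root.findall("feed"):
        findings.extend(validate_feed(feed))
    return findings


# Constructed sample: Ubuntu 16 feed shared with Linux Mint 18 and Ubuntu 15 agents
GOOD_CONFIG = """<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-16">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <allow>linux mint-18, ubuntu-15</allow>
  </feed>
  <feed name="redhat">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <update_from_year>2014</update_from_year>
  </feed>
</wodle>"""

# Constructed sample with six violations (bad switch, bad feed name, bad interval,
# plain-HTTP feed, out-of-range port, update_from_year on a non-redhat feed)
BAD_CONFIG = """<wodle name="vulnerability-detector">
  <disabled>maybe</disabled>
  <feed name="ubuntu-17">
    <update_interval>1x</update_interval>
    <url port="99999">http://example.invalid/oval.xml</url>
    <update_from_year>1990</update_from_year>
  </feed>
</wodle>"""

if __name__ == "__main__":
    print("good:", validate_wodle(GOOD_CONFIG))
    print("bad:", *validate_wodle(BAD_CONFIG), sep="\n  ")
```

Run it against your own ossec.conf by passing the extracted wodle block to validate_wodle; an empty list means every value on this page's allowed-value lists is satisfied, while the HTTPS and port checks are the ones that matter most, since a plain-HTTP OVAL source would let the vulnerability database be tampered with in transit.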

Note

See the Vulnerability detector section to obtain more information about this module.