wodle name="vulnerability-detector"

New in version 3.2.0.

XML section name

<wodle name="vulnerability-detector">
</wodle>

Configuration options of the Vulnerability detector wodle.

Options

Note

Since Wazuh 3.5, the options update_ubuntu_oval and update_redhat_oval are deprecated; use feed instead.

Options        Allowed values
disabled       yes, no
interval       A positive number with a time unit suffix (s, m, h, d)
run_on_start   yes, no
ignore_time    A positive number with a time unit suffix (s, m, h, d)
feed           An update configuration (one block per operating system feed)

disabled

Disable the Vulnerability detector wodle.

Default value no
Allowed values yes, no

interval

Time between consecutive vulnerability scans.

Default value 5m
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Run the feed updates and a vulnerability scan immediately when the service starts.

Default value yes
Allowed values yes, no

ignore_time

Time during which a vulnerability that has already raised an alert is not alerted again.

Default value 6h
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

feed

Configuration block that specifies a vulnerability feed and how it is updated. Each feed is identified by its name attribute, which tells the Vulnerability detector which operating system the feed covers:

OS                                              Feed name
Ubuntu                                          ubuntu-12, ubuntu-14, ubuntu-16, ubuntu-18
Red Hat 5/6/7, CentOS 5/6/7, Amazon Linux 1/2   redhat
Debian                                          debian-7, debian-8, debian-9

Example:

<feed name="ubuntu-18">
  ...
</feed>

Each feed has its own options. The allowed options are:

disabled

Disable this feed's update configuration.

Allowed values yes, no

update_interval

How often the vulnerability database of this feed is updated.

Default value 1h
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Link to an alternative OVAL file, for example an internal mirror. The file is fetched from port 443 unless the port attribute specifies another port.

Allowed values Links to feed DB obtained from Red Hat API, Canonical or Debian.
Allowed attributes port: server port where the OVAL file is located. Any valid port; the default is 443.

path

Path to an alternative OVAL file stored locally on the manager.

Allowed values Path to an OVAL file obtained from Red Hat, Canonical or Debian.

allow

Allows the vulnerability database of this feed to be used for agents running a different operating system. Use it only for distributions whose packages track the feed's release (for example a derivative built on it); otherwise the matches are unreliable.

Allowed values Comma-separated list of operating systems that are allowed to use this OVAL. Example: "linux mint-12, ubuntu-17".

update_from_year

Only for Red Hat. The feed is updated with vulnerabilities from this year onwards.

Default value 2010
Allowed values A valid year greater than 1998.

Example of configuration

The following configuration uses the vulnerability databases for Debian 9, Red Hat (vulnerabilities from 2014 onwards) and Ubuntu 18 agents. Through allow, it also scans agents running Linux Mint 18.X and Ubuntu 17.X against the Ubuntu 18 vulnerability database. Note that the wodle-level disabled option must be no; if it is yes, no feed is used regardless of the per-feed settings.

<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <feed name="ubuntu-18">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <allow>linux mint-18, ubuntu-17</allow>
  </feed>
  <feed name="redhat">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
    <update_from_year>2014</update_from_year>
  </feed>
  <feed name="debian-9">
    <disabled>no</disabled>
    <update_interval>1h</update_interval>
  </feed>
</wodle>
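As an added illustration (not part of the Wazuh documentation or code base), the following Python script checks a vulnerability-detector wodle block against the option rules described above before it goes into ossec.conf: the time-unit suffixes of interval, ignore_time and update_interval, the recognised feed names, update_from_year being Red Hat only, the port attribute of url, the deprecated update_*_oval tags, and the OS-to-feed mapping that allow produces. The two embedded configurations are constructed for the example, the mirror host oval-mirror.example.internal is hypothetical, and the check that the url uses HTTPS is this script's own recommendation rather than a Wazuh rule.

```python
import re
import xml.etree.ElementTree as ET

FEED_NAMES = {"ubuntu-12", "ubuntu-14", "ubuntu-16", "ubuntu-18",  # feed names listed above
              "redhat", "debian-7", "debian-8", "debian-9"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # time-unit suffixes the options accept
DEPRECATED = ("update_ubuntu_oval", "update_redhat_oval")  # replaced by <feed> since 3.5


def parse_time(value):
    """Convert '5m', '6h', '1d' or a bare number of seconds into seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", value or "")
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"invalid time value {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def _text(elem, tag, default=None):
    child = elem.find(tag)  # text of a child tag, or the default when the tag is absent
    return child.text.strip() if child is not None and child.text else default


def validate_wodle(xml_text):
    """Return the problems found in a vulnerability-detector block; [] means usable."""
    root = ET.fromstring(xml_text)
    problems = [t + " is deprecated; use <feed> instead" for t in DEPRECATED if root.find(t) is not None]
    if _text(root, "disabled", "no") == "yes":
        problems.append("module is disabled: no scans will run")
    for tag in ("interval", "ignore_time"):
        try:
            parse_time(_text(root, tag, "1s"))  # an absent tag keeps its documented default
        except ValueError as err:
            problems.append(f"{tag}: {err}")
    enabled = 0
    for feed in root.findall("feed"):
        name = feed.get("name", "")
        if name not in FEED_NAMES:
            problems.append(f"unknown feed name {name!r}")
            continue
        if _text(feed, "disabled", "no") == "yes":
            continue
        enabled += 1
        try:
            parse_time(_text(feed, "update_interval", "1h"))
        except ValueError as err:
            problems.append(f"{name} update_interval: {err}")
        year = _text(feed, "update_from_year")
        if year is not None and name != "redhat":
            problems.append(f"{name}: update_from_year is only for redhat")
        elif year is not None and not (year.isdigit() and int(year) > 1998):
            problems.append(f"{name}: update_from_year must be a year greater than 1998")
        url = feed.find("url")
        if url is not None:
            port = url.get("port", "443")  # the port attribute of <url>; 443 when omitted
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"{name}: url port {port!r} is not a valid port")
            # Practitioner check, not a Wazuh rule: an OVAL feed pulled over plain HTTP can be altered in transit.
            if not (url.text or "").strip().startswith("https://"):
                problems.append(f"{name}: url is not https")
    if enabled == 0:
        problems.append("no enabled feed: nothing to scan against")
    return problems


def os_to_feed(xml_text):
    """Map each agent OS to the enabled feed used for it, including OSes added via <allow>."""
    mapping = {}
    for feed in ET.fromstring(xml_text).findall("feed"):
        name = feed.get("name", "")
        if name not in FEED_NAMES or _text(feed, "disabled", "no") == "yes":
            continue
        mapping[name] = name
        for extra in _text(feed, "allow", "").split(","):
            if extra.strip():
                mapping[extra.strip()] = name
    return mapping


# Constructed sample: a usable block; the Red Hat mirror host is hypothetical.
SAMPLE = """\
<wodle name="vulnerability-detector">
  <disabled>no</disabled><interval>5m</interval><ignore_time>6h</ignore_time>
  <feed name="ubuntu-18"><allow>linux mint-18, ubuntu-17</allow></feed>
  <feed name="redhat"><update_from_year>2014</update_from_year>
    <url port="8443">https://oval-mirror.example.internal/redhat.xml</url></feed>
  <feed name="debian-9"><disabled>yes</disabled></feed>
</wodle>
"""

# Constructed sample with the mistakes the checks above are meant to catch.
BROKEN = """\
<wodle name="vulnerability-detector">
  <disabled>yes</disabled><interval>5x</interval>
  <update_ubuntu_oval>yes</update_ubuntu_oval>
  <feed name="ubuntu-17"></feed>
  <feed name="debian-9"><update_from_year>2014</update_from_year>
    <url port="99999">http://oval-mirror.example.internal/debian.xml</url></feed>
</wodle>
"""
```

validate_wodle(SAMPLE) returns an empty list and os_to_feed(SAMPLE) shows that linux mint-18 and ubuntu-17 agents are matched against the ubuntu-18 feed, while validate_wodle(BROKEN) reports the disabled module, the bad interval suffix, the deprecated tag, the unknown feed name, update_from_year on a non-Red Hat feed, the out-of-range port and the non-HTTPS url.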

Note

See the Vulnerability detector section to obtain more information about this module.