
vulnerability-detector

This section covers the configuration for the /user-manual/capabilities/vulnerability-detection/index module.

XML section name

<vulnerability-detector>
</vulnerability-detector>

Options

======================  ============================
Option                  Allowed values
======================  ============================
enabled                 yes, no
interval                A positive number (seconds)
run_on_start            yes, no
min_full_scan_interval  A positive number (seconds)
retry_interval          A positive number (seconds)
provider                A valid vulnerability vendor
======================  ============================

enabled

Enables the module.

Default value no
Allowed values yes, no

interval

Time between vulnerability scans.

Default value 5m
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start

Runs the feed updates and a vulnerability scan immediately when the service is started.

Default value yes
Allowed values yes, no

min_full_scan_interval

The time during which a full scan will not be performed even if the vulnerability database is updated. When this time expires, a full scan </user-manual/capabilities/vulnerability-detection/scan-types> is performed only if the CVE database has changed.

Default value 6 hours
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

retry_interval

The time to wait after a scan is completed before retrying the agents that could not be scanned.

Default value 30 seconds
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours), or d (days).

provider

Note

The NVD provider must always be enabled since it aggregates vulnerabilities for all the OS supported. Otherwise, the scanner will not work properly.

Configuration block to specify vulnerability updates.

Allowed tags

name

Defines a vulnerability information provider.

Allowed values canonical, debian, redhat, arch, alas, msu, suse, almalinux, nvd

enabled

Enables the vulnerability provider update.

Default value no
Allowed values yes, no

os

Feed to update. The allowed values depend on the provider:

==========  ==========================================================================================
provider    feed
==========  ==========================================================================================
canonical   trusty / 14, xenial / 16, bionic / 18, focal / 20, jammy / 22
debian      buster / 10, bullseye / 11, bookworm / 12
alas        amazon-linux / 1, amazon-linux-2 / 2, amazon-linux-2022 / 2022, amazon-linux-2023 / 2023
redhat      5, 6, 7, 8, 9
suse        11-server, 11-desktop, 12-server, 12-desktop, 15-server, 15-desktop
almalinux   8, 9
arch        Does not use this option.
msu         Does not use this option.
nvd         Does not use this option.
==========  ==========================================================================================

Allowed tags (used as attributes of the <os> tag)

update_interval

How often the vulnerability database is updated. It has priority over the update_interval option of the provider block.

Default value The value indicated by the update_interval option of the provider block.
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

url

Defines the link to an alternative OVAL or ALAS file.

Allowed values Link to the feed to be downloaded. See offline update<../../capabilities/vulnerability-detection/offline-update> for more information.

path

Defines the path to an alternative OVAL or ALAS file.

Allowed values Path where the feed is located. See offline update<../../capabilities/vulnerability-detection/offline-update> for more information.

port

Defines the connection port when using the url attribute.

Allowed values A valid port.

allow

Defines compatibility with unsupported systems.

Allowed values A valid operating system not supported by default. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/allow-os>.

update_interval

How often the vulnerabilities of the provider are updated. It can be overridden by the attribute of the same name in <os>.

Default value 1 hour
Allowed values A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

download_timeout

Download timeout in seconds.

Default value 300
Allowed values A positive number to indicate the timeout in seconds.

url

Defines the link to alternative feed files. The expected value depends on the provider:

==========  ====================
provider    value
==========  ====================
redhat      Parameterized link to download the feed files obtained from the Red Hat Security Data API. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
nvd         Parameterized link to download the feed files obtained from the National Vulnerability Database. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
arch        Parameterized link to download the feed file obtained from Arch Security. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
msu         Parameterized link to download the feed file obtained from the Wazuh feed. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
debian      Parameterized link to download the feed files obtained from the Debian Security Tracker. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
==========  ====================

Allowed tags (used as attributes of the <url> tag)

start

Defines the first value with which the tag will be substituted.

Allowed values A numeric value that, substituted for the tag, forms a valid link.

end

Defines the last value with which the tag will be substituted.

Allowed values A numeric value that, substituted for the tag, forms a valid link.

port

Defines the connection port.

Allowed values A valid port.

path

Defines the path to an alternative feed file. The expected value depends on the provider:

==========  ====================
provider    value
==========  ====================
redhat      Path with a regular expression that matches the feed files obtained from the Red Hat Security Data API.
nvd         Path with a regular expression that matches the feed files obtained from the National Vulnerability Database.
arch        Path with a regular expression that matches the feed file obtained from Arch Security.
msu         Path with a regular expression that matches the feed file obtained from the Wazuh feed.
debian      Path with a regular expression that matches the feed files obtained from the Debian Security Tracker.
==========  ====================

Example of configuration

The following configuration updates the vulnerability database for Ubuntu, Debian, Red Hat, Amazon Linux, Arch, SUSE Linux Enterprise, AlmaLinux, and Microsoft Windows, and enables the NVD aggregate feed.

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <os>amazon-linux-2022</os>
      <os>amazon-linux-2023</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE Linux Enterprise OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- AlmaLinux OS vulnerabilities -->
    <provider name="almalinux">
      <enabled>yes</enabled>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

</vulnerability-detector>
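As an added example, not part of the Wazuh documentation or code base: a small Python linter that checks a <vulnerability-detector> block against the constraints documented above (yes/no options, time values with an s/m/h/d suffix, known provider names, the feeds each provider accepts in <os>, and the note that the nvd provider must stay enabled). The sample configuration and its deliberate mistakes are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# <provider name="..."> values and the <os> feeds each one accepts, copied from
# the option tables above; arch, msu and nvd take no <os> tag at all.
PROVIDER_FEEDS = {
    "canonical": {"trusty", "xenial", "bionic", "focal", "jammy"},
    "debian": {"buster", "bullseye", "bookworm"},
    "redhat": {"5", "6", "7", "8", "9"},
    "alas": {"amazon-linux", "amazon-linux-2", "amazon-linux-2022", "amazon-linux-2023"},
    "suse": {"11-server", "11-desktop", "12-server", "12-desktop", "15-server", "15-desktop"},
    "almalinux": {"8", "9"},
    "arch": set(), "msu": set(), "nvd": set(),
}
# Time values: a positive number followed by a unit suffix s, m, h or d.
TIME_RE = re.compile(r"^[1-9][0-9]*[smhd]$")


def lint(xml_text):
    """Return a list of findings for one <vulnerability-detector> block ([] = consistent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "vulnerability-detector":
        return ["root element must be <vulnerability-detector>"]
    findings = []
    for tag in ("enabled", "run_on_start"):
        node = root.find(tag)
        if node is not None and (node.text or "").strip() not in ("yes", "no"):
            findings.append(f"<{tag}> must be yes or no, got {node.text!r}")
    for tag in ("interval", "min_full_scan_interval", "retry_interval"):
        node = root.find(tag)
        if node is not None and not TIME_RE.match((node.text or "").strip()):
            findings.append(f"<{tag}> needs a positive number with s/m/h/d suffix, got {node.text!r}")

    nvd_enabled = False
    for prov in root.findall("provider"):
        name = prov.get("name")
        if name not in PROVIDER_FEEDS:
            findings.append(f"unknown provider name {name!r}")
            continue
        # <enabled> defaults to "no" inside a provider block.
        if name == "nvd" and prov.findtext("enabled", "no").strip() == "yes":
            nvd_enabled = True
        for os_node in prov.findall("os"):
            feed = (os_node.text or "").strip()
            if not PROVIDER_FEEDS[name]:
                findings.append(f"provider {name!r} does not use <os> (found {feed!r})")
            elif feed not in PROVIDER_FEEDS[name]:
                findings.append(f"provider {name!r} has no feed {feed!r}")
        # update_interval (provider level or as an <os> attribute) is a time value too.
        intervals = [prov.findtext("update_interval")] + [o.get("update_interval") for o in prov.findall("os")]
        for value in intervals:
            if value is not None and not TIME_RE.match(value.strip()):
                findings.append(f"provider {name!r}: update_interval {value!r} is not a valid time value")
        timeout = prov.findtext("download_timeout")
        if timeout is not None and (not timeout.strip().isdigit() or int(timeout) <= 0):
            findings.append(f"provider {name!r}: download_timeout must be a positive number of seconds")

    # Per the note above, NVD aggregates every supported OS and must stay enabled.
    if root.findtext("enabled", "no").strip() == "yes" and not nvd_enabled:
        findings.append("the nvd provider must be enabled or the scanner will not work properly")
    return findings


# Constructed sample with four deliberate mistakes (not taken from the Wazuh documentation).
SAMPLE_CONFIG = """<vulnerability-detector>
  <enabled>yes</enabled>
  <min_full_scan_interval>6hours</min_full_scan_interval>
  <provider name="canonical"><enabled>yes</enabled><os>jammy</os><os>stretch</os></provider>
  <provider name="arch"><enabled>yes</enabled><os>rolling</os></provider>
  <provider name="nvd"><enabled>no</enabled></provider>
</vulnerability-detector>"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("finding:", finding)
```

Running the script prints one line per finding; feed it the <vulnerability-detector> block from ossec.conf to check a real deployment.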

Note

See the Vulnerability detector section<../../capabilities/vulnerability-detection/index> to obtain more information about this module.