This section covers the configuration for the Vulnerability detection module </user-manual/capabilities/vulnerability-detection/index>.
XML section name

<vulnerability-detector>
</vulnerability-detector>

Options

enabled
    Enables the module.
    Default value: no
    Allowed values: yes, no

interval
    Time between vulnerability scans.
    Default value: 5m
    Allowed values: A positive number with a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

run_on_start
    Runs updates and vulnerability scans immediately when the service is started.
    Default value: yes
    Allowed values: yes, no

min_full_scan_interval
    The time during which a full scan will not be performed even if the vulnerability database is updated. When this time expires, a full scan </user-manual/capabilities/vulnerability-detection/scan-types> is performed only if the CVE database has changed.
    Default value: 6 hours
    Allowed values: A positive number with a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

retry_interval
    The time to wait after a scan is completed before retrying the agents that could not be scanned.
    Default value: 30 seconds
    Allowed values: A positive number with a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).
provider
    Configuration block to specify vulnerability updates.

    Note: The NVD provider must always be enabled, since it aggregates the vulnerabilities of all supported operating systems. Otherwise the scanner will not work properly.

    Allowed attributes: name
    Allowed tags: enabled, os, update_interval, download_timeout, url, path

name
    Defines a vulnerability information provider.
    Allowed values: canonical, debian, redhat, arch, alas, msu, suse, almalinux, nvd
enabled
    Enables the vulnerability provider update.
    Default value: no
    Allowed values: yes, no
os
    Feed to update.
    Allowed values (provider | feed):
        canonical | trusty / 14, xenial / 16, bionic / 18, focal / 20, jammy / 22
        debian | buster / 10, bullseye / 11, bookworm / 12
        alas | amazon-linux / 1, amazon-linux-2 / 2, amazon-linux-2022 / 2022, amazon-linux-2023 / 2023
        redhat | 5, 6, 7, 8, 9
        suse | 11-server, 11-desktop, 12-server, 12-desktop, 15-server, 15-desktop
        almalinux | 8, 9
        arch | Does not use this option.
        msu | Does not use this option.
        nvd | Does not use this option.

    Allowed attributes:

    update_interval
        How often the vulnerability database is updated. It has priority over the update_interval option of the provider block.
        Default value: The value indicated by the update_interval option of the provider block.
        Allowed values: A positive number with a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).

    url
        Defines the link to an alternative OVAL or ALAS file.
        Allowed values: Link to the feed to be downloaded. See offline update<../../capabilities/vulnerability-detection/offline-update> for more information.

    path
        Defines the path to an alternative OVAL or ALAS file.
        Allowed values: Path where the feed is located. See offline update<../../capabilities/vulnerability-detection/offline-update> for more information.

    port
        Defines the connection port when using the url attribute.
        Allowed values: A valid port.

    allow
        Defines compatibility with unsupported systems.
        Allowed values: A valid operating system not supported by default. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/allow-os>.
update_interval
    How often the vulnerabilities of the provider are updated. It can be overwritten by the attribute with the same name in <os>.
    Default value: 1 hour
    Allowed values: A positive number with a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).
download_timeout
    Download timeout in seconds.
    Default value: 300
    Allowed values: A positive number indicating the timeout in seconds.
url
    Defines the link to alternative feed files.
    Allowed values (provider | value):
        redhat | Parameterized link to download the feed files obtained from the Red Hat Security Data API. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
        nvd | Parameterized link to download the feed files obtained from the National Vulnerability Database. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
        arch | Parameterized link to download the feed file obtained from Arch Security. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
        msu | Parameterized link to download the feed file obtained from the Wazuh feed. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.
        debian | Parameterized link to download the feed files obtained from the Debian Security Tracker. You can find a guide on how to set it up here<../../capabilities/vulnerability-detection/offline-update>.

    Allowed attributes:

    start
        Defines the first value with which the tag will be substituted.
        Allowed values: A numeric value that, substituted for the tag, forms a valid link.

    end
        Defines the last value with which the tag will be substituted.
        Allowed values: A numeric value that, substituted for the tag, forms a valid link.

    port
        Defines the connection port.
        Allowed values: A valid port.
path
    Defines the path to an alternative feed file.
    Allowed values (provider | value):
        nvd | Path with a regular expression that matches the feed files obtained from the National Vulnerability Database.
        arch | Path with a regular expression that matches the feed file obtained from Arch Security.
        msu | Path with a regular expression that matches the feed file obtained from the Wazuh feed.
        debian | Path with a regular expression that matches the feed files obtained from the Debian Security Tracker.
The following configuration updates the vulnerability database for Ubuntu, Debian, Red Hat, Amazon Linux, Arch, and Microsoft Windows.
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>yes</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<os>jammy</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>yes</enabled>
<os>buster</os>
<os>bullseye</os>
<os>bookworm</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>yes</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<os>amazon-linux-2022</os>
<os>amazon-linux-2023</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- SUSE Linux Enterprise OS vulnerabilities -->
<provider name="suse">
<enabled>yes</enabled>
<os>11-server</os>
<os>11-desktop</os>
<os>12-server</os>
<os>12-desktop</os>
<os>15-server</os>
<os>15-desktop</os>
<update_interval>1h</update_interval>
</provider>
<!-- AlmaLinux OS vulnerabilities -->
<provider name="almalinux">
<enabled>yes</enabled>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
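As an added example (not part of the Wazuh documentation or code base), the following Python linter checks a <vulnerability-detector> block such as the one above against the rules in this reference: the time-unit syntax, the allowed provider names and feeds, providers that do not take <os>, a positive download_timeout, and the requirement that the nvd provider is enabled. The sample XML inside it is constructed for the demonstration and deliberately breaks four of those rules.

```python
"""Lint a Wazuh <vulnerability-detector> block against the rules in this reference.
Added example, not Wazuh's own code: provider names, feeds and the time-unit syntax
come from the tables above; the sample XML at the bottom is constructed for the demo."""
import re
import xml.etree.ElementTree as ET

# Feeds each provider accepts in <os>. None means the provider does not use <os>.
ALLOWED_FEEDS = {
    "canonical": {"trusty", "xenial", "bionic", "focal", "jammy"},
    "debian": {"buster", "bullseye", "bookworm"},
    "alas": {"amazon-linux", "amazon-linux-2", "amazon-linux-2022", "amazon-linux-2023"},
    "redhat": {"5", "6", "7", "8", "9"},
    "suse": {"11-server", "11-desktop", "12-server", "12-desktop", "15-server", "15-desktop"},
    "almalinux": {"8", "9"},
    "arch": None, "msu": None, "nvd": None,
}
# "A positive number that should contain a suffix character indicating a time unit"
TIME_RE = re.compile(r"^[1-9][0-9]*[smhd]$")


def check_time(problems, where, value):
    """Record a problem unless value is absent or a positive number with an s/m/h/d suffix."""
    if value is not None and not TIME_RE.match(value.strip()):
        problems.append(f"{where}: '{value}' is not a positive number with an s/m/h/d suffix")


def lint(xml_text):
    """Return the rule violations found in the block; an empty list means it is clean."""
    root = ET.fromstring(xml_text)
    problems = []
    for tag in ("interval", "min_full_scan_interval"):
        check_time(problems, f"<{tag}>", root.findtext(tag))
    nvd_enabled = False
    for prov in root.findall("provider"):
        name = prov.get("name")
        if name not in ALLOWED_FEEDS:
            problems.append(f"provider '{name}': not an allowed provider name")
            continue
        if name == "nvd" and prov.findtext("enabled") == "yes":
            nvd_enabled = True
        feeds = [node.text for node in prov.findall("os")]
        allowed = ALLOWED_FEEDS[name]
        if allowed is None and feeds:
            problems.append(f"provider '{name}': does not use <os> but lists {feeds}")
        for feed in (feeds if allowed is not None else []):
            if feed not in allowed:
                problems.append(f"provider '{name}': '{feed}' is not a supported feed")
        check_time(problems, f"provider '{name}' <update_interval>", prov.findtext("update_interval"))
        for node in prov.findall("os"):  # the os attribute overrides the provider value, same syntax
            check_time(problems, f"provider '{name}' <os update_interval>", node.get("update_interval"))
        timeout = prov.findtext("download_timeout")
        if timeout is not None and not (timeout.isdigit() and int(timeout) > 0):
            problems.append(f"provider '{name}': download_timeout must be a positive number of seconds")
    # The NVD feed aggregates all supported OSs; the scanner does not work properly without it.
    if not nvd_enabled:
        problems.append("provider 'nvd' must be present and enabled")
    return problems


# Constructed sample with four deliberate mistakes (not a real ossec.conf).
SAMPLE = """<vulnerability-detector>
  <interval>5</interval>
  <provider name="canonical"><enabled>yes</enabled><os>jammy</os><os>kinetic</os></provider>
  <provider name="arch"><enabled>yes</enabled><os>rolling</os></provider>
  <provider name="nvd"><enabled>no</enabled></provider>
</vulnerability-detector>"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "clean")
```

Run it against the <vulnerability-detector> block of a real ossec.conf (pass the block's text to lint) to catch a misspelled feed or a disabled nvd provider before the manager loads the configuration.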
See the Vulnerability detector section<../../capabilities/vulnerability-detection/index>
to obtain more information about this module.