The main problem is that he uses Nessus to scan our servers and the tool does not go deep enough to check if security fixes have been applied. It only tells us that the php, httpd, etc. version is out of date and should be the latest one. This means that we would have to compile from the developers’ source instead of using the version provided by the AlmaLinux repos and installed automatically by dnf/yum.
We have tried to explain to him that the version provided by the AlmaLinux repos has all the security fixes even though it is not the cutting-edge version, but he wants to check it himself. That is why we are trying to find a solution, and hence my question here.
That is as it should be. However, running a tool that says: “Has vulnerability X because version is not Y” is not a check.
The check would be to test whether he can actually exploit the X.
Plan B would be to check whether Red Hat has released a fix or mitigation for X and whether at least one of them is in the system.
Obviously a tool that merely reports false positives rather than facts has limited use.
Which has probably way worse consequences than trusting ‘dnf up’.
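One way to carry out that "Plan B" check, added here as an example (not code from anyone in this thread): Red Hat and AlmaLinux record the CVE ids of backported fixes in the RPM changelog, so `rpm -q --changelog <package>` can be searched for the id even though the upstream version string stays the same. The package name and CVE ids below are placeholders, and the embedded changelog is constructed to mimic the shape of real `rpm -q --changelog` output.

```shell
#!/bin/sh
# Added example: test whether a backported fix for a CVE is present in an
# installed RPM by scanning the package changelog, instead of trusting a
# version-number comparison. CVE ids and package names here are placeholders.

# cve_in_changelog CVE-ID
#   Reads changelog text on stdin; exits 0 if the id appears, 1 otherwise.
cve_in_changelog() {
    grep -q -F -- "$1"
}

# check_installed_pkg PACKAGE CVE-ID
#   Live-system variant: asks rpm for the installed package's changelog.
#   Returns 0 (fixed), 1 (no mention) or 2 (rpm not available here).
check_installed_pkg() {
    pkg="$1"; cve="$2"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this host" >&2
        return 2
    fi
    rpm -q --changelog "$pkg" | cve_in_changelog "$cve"
}

# Constructed sample: same shape as `rpm -q --changelog httpd`, with a
# backported fix recorded under an unchanged upstream version (2.4.37).
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Packager <packager@example.invalid> - 2.4.37-99
- Resolves: CVE-0000-0001 (placeholder id, constructed entry)
- Resolves: CVE-0000-0002 (placeholder id, constructed entry)
* Thu Jun 01 2023 Packager <packager@example.invalid> - 2.4.37-98
- rebuild'

# sample_check CVE-ID
#   Runs the scan over the constructed changelog; prints "fixed" or "not-fixed".
sample_check() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"; then
        echo fixed
    else
        echo not-fixed
    fi
}

# Stand-alone run: exercise the constructed sample, then the live system
# for a placeholder package/CVE pair (replace both before real use).
sample_check CVE-0000-0001   # fixed
sample_check CVE-0000-9999   # not-fixed
check_installed_pkg httpd CVE-0000-0001 || true
```

A positive result means the maintainer recorded the CVE in that package build, which is the evidence a version-only scanner cannot see; a negative result only means the changelog does not mention it, so `dnf updateinfo list --cve <CVE-ID>` is the complementary check for whether an erratum exists that has not been installed yet.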
I am testing our systems at the moment, trying to exploit them with Kali, and they seem OK. Of course, you are never 100% safe, but I think they are as safe as they can be today. But, as I said, he needs his fancy reports from his probably expensive tool.