Our in-house security specialist is having issues scanning our systems running Alma Linux 9 for vulnerabilities.
We have found some useful bits for the previous version, Alma Linux 8, but nothing yet for Alma Linux 9.
Could someone give us a hand with that?
One could read “issues” as “scan fails to find vulnerabilities”. Is that what you mean?
nessus local checks work for almalinux 8/9, so compliance, portscans, ssh commands will work.
patch checking has only been implemented for 8 so far:
I just ran a scan and found 41 info-level vulns, but it's only stuff like qemu detection, software list, mac/ip list etc.
The main problem is that he uses Nessus to scan our servers and the tool does not go deep enough to check if security fixes have been applied. He only tells us that the php, http, etc. version is out of date and should be the latest one. This means that we have to compile from the developers’ source instead of using the version provided by Alma Linux and installed automatically by dnf/yum.
We have tried to explain to him that the version provided from the Alma Linux repos has all the security fixes even though it is not the cutting-edge version, but he wants to check it himself. That is why we are trying to get a solution, and therefore my question here.
Thanks to both!
That is as it should be. However, running a tool that says:
“Has vulnerability X because version is not Y” is not a check.
The check would be to test whether he can actually exploit the X.
Plan B would be to check whether Red Hat has released a fix or mitigation for X and whether at least one of them is in the system.
Obviously a tool that merely reports false positives rather than facts has limited use.
Which has probably way worse consequences than trusting ‘dnf up’.
Someone needs a new security specialist by the sounds of things, if he doesn’t understand that Red Hat backports fixes without changing version numbers.
You could ask him to try to exploit the vulnerabilities, which Nessus doesn’t do.
Absolutely do not compile php from source (or install from some dodgy repo). Are you going to do that every few days when new vulns are found?!
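The "Plan B" from the earlier reply (check whether the vendor's fix for a CVE is already in the system) and the point just made about backported fixes not changing version numbers can both be verified from the shell. The script below is an added example, not code from anyone in this thread. The sample changelog, the CVE ids and the package name `php` are constructed placeholders; `rpm -q --changelog` and `dnf updateinfo list --security` are real commands, and the functions that call them only run when those tools are installed.

```sh
#!/bin/sh
# Added example: on an RPM-based distribution such as AlmaLinux, security fixes
# are backported without bumping the upstream version string, so the evidence
# that a CVE is fixed is the package changelog (and the security errata that
# dnf knows about), not the version number a scanner compares against.
# Parsing is kept in functions that take text as an argument, so the logic can
# be exercised on the constructed sample below even where rpm is not present.

# Constructed sample of `rpm -q --changelog` output; the CVE ids are placeholders.
SAMPLE_CHANGELOG='* Tue Jan 02 2099 Example Maintainer <maint@example.invalid> - 8.0.30-2
- Backport upstream fix for CVE-2099-00001
- Resolves: CVE-2099-00002
* Mon Dec 04 2098 Example Maintainer <maint@example.invalid> - 8.0.30-1
- Rebase to 8.0.30'

# Print the distinct CVE ids mentioned in a changelog text ($1), one per line.
list_cves() {
    printf '%s\n' "$1" | grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Return 0 if the changelog text ($1) names the CVE id ($2), 1 otherwise.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -i -F -- "$2"
}

# Query the installed package's changelog ($1) for a CVE id ($2).
# Exit status: 0 = fix recorded, 1 = not mentioned, 2 = could not query.
cve_fixed_in_package() {
    pkg="$1"; cve="$2"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    changelog=$(rpm -q --changelog "$pkg" 2>/dev/null) || {
        echo "package $pkg is not installed" >&2; return 2; }
    changelog_mentions_cve "$changelog" "$cve"
}

# List security advisories that are available but not yet applied.
# An empty list means the system carries every security fix the repos offer.
pending_security_updates() {
    command -v dnf >/dev/null 2>&1 || { echo "dnf not found" >&2; return 2; }
    dnf -q updateinfo list --security 2>/dev/null
}

# Usage demonstration (run with --demo); package and CVE id are placeholders.
if [ "${1:-}" = "--demo" ]; then
    echo "CVE ids in the constructed sample changelog:"
    list_cves "$SAMPLE_CHANGELOG"
    if cve_fixed_in_package php CVE-2099-00001; then
        echo "php changelog records a fix for CVE-2099-00001"
    else
        echo "no fix for CVE-2099-00001 recorded in php changelog (or query failed)"
    fi
    echo "Pending security advisories:"
    pending_security_updates || true
fi
```

On a real host, replace `php` with the package a scanner flags and the placeholder id with the CVE from the finding; a hit in the changelog is the evidence the scanner's version comparison cannot provide, and an empty `pending_security_updates` list shows the host is current with the distribution's errata.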
Well, he is a Windows guy, he also has someone on top of him to report to, you know, no one wants to be the guilty one if something happens.
I am testing our systems at the moment trying to exploit them with kali, and they seem OK, of course, you are never 100 % safe, but I think they are as much as they can be today. But, as I said, he needs his fancy reports from his probably expensive tool.
I see a Windows license as a permit to blame Microsoft.
With open source we are safer than what we pay, but we get the blame too to sweeten the pot …