Greenbone Linux Distribution Coverage #267
Replies: 2 comments
-
I would suppose that Amazon Linux, Photon OS, and Mariner are all considered "enterprise" too then. I'm a somewhat heavy user of Debian/Ubuntu for classic servers, but have been using Photon for container hosts since I already have some direct VMware supplied OVAs which are Photon. That said, I was just considering a switch away from Photon and had been eying Mariner (aka Azure Linux). 🤔
-
I looked back at the notus feeds from the evaluation I did of their enterprise feeds a few months ago. The only additional Linux distros are:
Notable by their absence are RedHat and CentOS. Curious....
-
For those who may not be aware, the community feeds from Greenbone have certain limitations. Several years ago, Greenbone began differentiating more clearly between their community feed and the Enterprise feed by excluding NVTs related to "Enterprise" elements. This move is understandable as a strategy to distinguish the products they offer, given that they are a commercial, for-profit company. I greatly value their contributions to the open source community and recognize the need for some of these distinctions, although I do not agree with all of them.
One of my primary requirements is for my vulnerability scanner to identify any vulnerable packages that need updating on the hosts I scan. With the GB update to version 22.04, the notus-scanner was introduced. This tool checks all installed packages against the latest versions available from the vendors. (As long as that info is included in the feed.)
Knowing exactly what is and what is not covered can be a challenge. They do have a "Feed Comparison" page, but it does not go into great detail on what is covered and what is not. For Linux distributions covered by notus, I was able to look at the feed data and found that only the following Distributions are covered by the community feed:
If your distribution is not in this list, then the OpenVAS scanner will not be able to verify package versions via notus with the community feed.
This brings up my particular point of contention; my preferred Linux distribution, Rocky Linux. Greenbone classifies this free and open-source distribution as an Enterprise product, which means content specific to Rocky Linux is not included in the community feed. I raised this issue on their forum, but unfortunately, they have no plans to revise this policy (see forum post here). I first considered a subscription to their Enterprise feed. Unfortunately, I found the pricing prohibitively expensive, at a minimum of €12,500 per month! To me, this suggests an intention to limit access to the feed.
What to do? Despite listing the .notus format specification as "open and part of the documentation", I struggled to find the documentation and had to rely on existing .notus files as examples (discussion thread here). I started looking into it, and after some minor hurdles, I managed to successfully create .notus files for Rocky Linux using metadata available via the RockyLinux API and the NVD. I plan to include these files in my container distribution, updating them bi-monthly.
If you are interested in more frequent updates, please consider our subscription options here, which are far more affordable than the Enterprise feed. ;) And if you are already a subscriber, and your Linux distro of choice is missing, please let me know. I wrote my tools to be adaptable to pulling from other distribution's meta-data APIs.
-Scott
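The check Scott describes above, "does the installed package fall below the vendor's fixed version?", is only as good as the version comparison behind it; a plain string comparison gets RPM release strings like `362.8.1` vs `362.13.1` wrong. The following is an added example, written for this thread and not code from Scott's tooling, Greenbone or notus-scanner. It ports rpm's `rpmvercmp()` ordering (numeric segments compared as numbers, `~` sorting before everything, `^` sorting after the base version) and runs it over constructed `rpm -qa` output against a constructed advisory list. The advisory dict layout and the `EXAMPLE-000n` identifiers are placeholders of my own, not the `.notus` schema or real Rocky Linux advisory IDs.

```python
"""Installed-package vs. fixed-version check using RPM's own version ordering.

Added example for this thread; the advisory structure below is a made-up
shape, not the .notus file format, and the sample data is constructed.
"""
import string

SIGNIFICANT = set(string.ascii_letters + string.digits) | {"~", "^"}


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 for a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators ('.', '-', '_', ...) carry no meaning; skip them.
        while i < la and a[i] not in SIGNIFICANT:
            i += 1
        while j < lb and b[j] not in SIGNIFICANT:
            j += 1
        a_tilde, b_tilde = i < la and a[i] == "~", j < lb and b[j] == "~"
        if a_tilde or b_tilde:          # '~' sorts before anything, even end of string
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < la and a[i] == "^", j < lb and b[j] == "^"
        if a_caret or b_caret:          # '^' sorts after end of string, before any other segment
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        isnum = a[i] in string.digits
        charset = string.digits if isnum else string.ascii_letters
        si = i
        while i < la and a[i] in charset:
            i += 1
        sj = j
        while j < lb and b[j] in charset:
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                   # segment types differ: numeric beats alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1         # whichever string has segments left is newer


def evr_cmp(evr_a, evr_b) -> int:
    """Compare (epoch, version, release) tuples the way rpm does: epoch first."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed to look like: rpm -qa --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\n'
SAMPLE_RPM_QA = """\
openssl-libs|1|3.0.7|24.el9|x86_64
kernel-core|(none)|5.14.0|362.8.1.el9_3|x86_64
curl|(none)|7.76.1|26.el9_3.2|x86_64
bash|(none)|5.1.8|9.el9|x86_64
"""

# Constructed advisories; "fixed" is (epoch, version, release). Placeholder IDs, own layout.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "openssl-libs", "fixed": (1, "3.0.7", "25.el9")},
    {"id": "EXAMPLE-0002", "name": "kernel-core", "fixed": (0, "5.14.0", "362.13.1.el9_3")},
    {"id": "EXAMPLE-0003", "name": "curl", "fixed": (0, "7.76.1", "26.el9_3.2")},
    {"id": "EXAMPLE-0004", "name": "bash", "fixed": (0, "5.1.8", "6.el9_1")},
]


def parse_rpm_qa(text: str):
    """Parse the query-format output above; rpm prints '(none)' for an unset epoch (= 0)."""
    pkgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release, arch = line.split("|")
        pkgs.append({"name": name, "epoch": 0 if epoch == "(none)" else int(epoch),
                     "version": version, "release": release, "arch": arch})
    return pkgs


def find_vulnerable(installed, advisories):
    """Return (advisory id, installed NVRA) for every package below its fixed EVR."""
    by_name = {}
    for p in installed:
        by_name.setdefault(p["name"], []).append(p)
    hits = []
    for adv in advisories:
        for p in by_name.get(adv["name"], []):
            if evr_cmp((p["epoch"], p["version"], p["release"]), adv["fixed"]) < 0:
                hits.append((adv["id"], f"{p['name']}-{p['version']}-{p['release']}.{p['arch']}"))
    return hits


if __name__ == "__main__":
    for adv_id, nvra in find_vulnerable(parse_rpm_qa(SAMPLE_RPM_QA), ADVISORIES):
        print(f"{adv_id}: {nvra} is below the fixed version")
```

Run as-is it flags `openssl-libs` and `kernel-core` but not `curl` (already at the fixed version) or `bash` (installed release `9.el9` is newer than the fix's `6.el9_1`). The kernel case is the one a naive string compare misses: `"362.8.1" > "362.13.1"` as text, so the host would wrongly be reported as patched. A real feed would also need the package architecture and the per-release fixed versions, which is exactly the metadata Scott's `.notus` generator has to pull from the distribution's API.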