Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?
-
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Nessus works off CVEs not patches. Read the CVE and you will see patching is only part of the solution.
The question here is about patching, not securing.
Then nessus is the wrong tool as it is a vulnerability scanner not patch auditor. If you want to audit patches use powershell
-
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
-
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
-
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
You can also run NIST specific audits with nessus.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
Ah, gotcha
-
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
You can also run NIST specific audits with nessus.
Well it does some things I “think” Nessus doesn’t. It will scan VMs without an agent or logging in from the hypervisor. OpenSCAP also has all of RHELs gardening rules baked in like sysctl configs and things like AIDE.
-
Haha it’s only somewhat decent with gardening rules. It has many better hardening rules.
-
Here is an example of patching not being good enough. This needs an additional reg key.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529
