DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Security Vulnerability Scanners on Enterprise Linux

Security Vulnerability Scanners on Enterprise Linux

Is your current enterprise security system finding and patching all your vulnerabilities? Probably not. Read on for more.

Colin Hamilton user avatar by
Colin Hamilton
·
Apr. 10, 17 · Tutorial
Like (3)
Save
Tweet
Share
2.57K Views

Join the DZone community and get the full member experience.

Join For Free

Colin Hamilton coming at you again from the SUSE team. In this post, I want to discuss security vulnerability scanners and their role in an Enterprise Linux environment like SUSE. This role is a common pitfall I’ve seen that leads customers to our support team.

So what’s the problem? Well, vulnerability scanners are kinda dumb. I don’t mean in the childish “I don’t like this tool so it’s dumb” kind of way. I mean that its functionality is very simple and also very error prone. Why? These scanners don’t actually check for vulnerabilities.

Yup, you heard me right. These aren’t tools that will try to exploit the vulnerability to verify if it’s there or not. That kind of testing would put stress on systems not desired in a production environment and wouldn’t be cost-effective. So what does it actually do? It goes off of package versions. To clarify though, not OS distribution specific package versions. It checks upstream version numbers. So, unless the OS you have happens to be the upstream source of the vulnerability, chances are very high that the package version is going to be different than what the scanner is looking for. If the difference is a lower version number than the one the scanner has listed as fixing the exploitation, it’s going to flag it as vulnerable.

This is a problem for many Linux distributions but this ends up being a particular problem for enterprise distributions like SUSE. The reason for that is that in order to maintain enterprise level stability, versions are not upgraded too quickly. SUSE wants to make sure that the version has shown a history of stability first, that it’s been tested, and that it meets SUSE’s enterprise level criteria.

So what does SUSE do when there is a security vulnerability patch in a later version? We back-patch. This means that we’ll take the particular section of code in the patch that fixes the vulnerability and apply it to the older version of the package that is already in our enterprise distribution. That way we can continue to maintain enterprise level stability while also patching security vulnerabilities. However, this means that there’s a lot of potential for false-positives with those vulnerability scanners.

Now that you know why this is a common pitfall, here’s what I recommend to help you most quickly identify if we’ve actually patched the vulnerability or not. First off, any real established security vulnerability will be given a CVE number. Find this number and then head on over to this URL.

From there you can run a search on the page for the CVE in question and click on the link associated with that CVE. After that, you’ll see SUSE’s current public information on that vulnerability. If we’ve patched it, the page will list package versions specific to the various versions of supported SUSE Linux Enterprise with the patch. You can compare those versions to your system to see if the vulnerability is fixed.

Also, if there is a compliance company you’re working through, you can provide them with these CVE link(s) to show them that the scanner is incorrect and that your system is patched to that vulnerability.

Lastly, if the compliance company is being picky and the web page is not enough, you can run the following  rpm command on the relevant package (after being patched to the necessary or later version) in order to grab the changelog that will also confirm the CVE is fixed:

 # rpm -q –changelog package > package-changelog.txt 

Replace “package” in the above command with the name of the package in question. That command will place the text of the changelog for that package into the txt file. The txt file will be saved into the directory you ran the command. You can run a pwd command if you aren’t sure which directory you are in. In our changelogs, it is listed if we have back-patched a particular CVE vulnerability. Give the compliance company that txt file for specific evidence of the patch.

Thanks for reading and, as always, I hope I’ve changed your lives forever and that this paradigm shift in your lives will mean less work for me. 

Vulnerability security Linux (operating system)

Published at DZone with permission of Colin Hamilton, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Iptables Basic Commands for Novice
  • The Future of Cloud Engineering Evolves
  • Key Considerations When Implementing Virtual Kubernetes Clusters
  • ChatGPT Prompts for Agile Practitioners

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: