security talk & philosophizing



GVM – Package Scanning

According to the GVM documentation, when you set up a scanner you can add credentials and escalated privileges. The purpose of these credentials is to allow administrative/root access to a machine in order to scan the installed packages. Version information for all installed packages is then cross-referenced against known CVEs. The result is a very deep report on which libraries or packages need to be updated. It also provides insight into installed packages or software that may no longer be needed.

While some argue that credential scanning is a way to simulate threats with credentials (what is vulnerable to that level of access), the primary reason to use credentials in scanning is to know which packages and installed software require updates based upon known CVEs.
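The cross-referencing step described above, sketched as an added example (this is not GVM's code and not from the original post). It assumes a Debian-style host whose inventory was collected over the credentialed session; the package names, versions and advisory ids are constructed placeholders. It shows why the comparison needs the distribution's own version ordering rather than a plain string compare.

```python
import re

def _order(c):
    # dpkg ordering: '~' before everything (even end of string), letters before punctuation.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings, alternating text and number runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            x, y = (_order(t[i]) if i < len(t) else 0 for t in (ta, tb))
            if x != y:
                return -1 if x < y else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _parse(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    """Return -1, 0 or 1 for Debian versions a and b ([epoch:]upstream[-revision])."""
    (ea, ua, ra), (eb, ub, rb) = _parse(a), _parse(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def findings(inventory, advisories):
    """List (advisory, package, installed, fixed) where installed < fixed."""
    installed = dict(line.split("\t") for line in inventory.strip().splitlines())
    return [(adv, pkg, installed[pkg], fixed) for adv, pkg, fixed in advisories
            if pkg in installed and deb_cmp(installed[pkg], fixed) < 0]

# Constructed inventory, in the shape of: dpkg-query -W -f='${Package}\t${Version}\n'
INVENTORY = "libexample1\t1.2.3-1~rc1\nexampled\t1:2.0-4\nexample-tools\t3.10.1-2\n"
# Constructed advisories: (placeholder id, package, first fixed version)
ADVISORIES = [
    ("CVE-PLACEHOLDER-0001", "libexample1", "1.2.3-1"),    # ~rc1 sorts before the release
    ("CVE-PLACEHOLDER-0002", "exampled", "2.5-1"),         # epoch 1 outranks epoch 0
    ("CVE-PLACEHOLDER-0003", "example-tools", "3.9.4-1"),  # 10 > 9 numerically
    ("CVE-PLACEHOLDER-0004", "not-installed", "1.0"),      # package absent from the host
]

if __name__ == "__main__":
    print(findings(INVENTORY, ADVISORIES))
```

Only the first advisory is reported; a lexical string compare would also have flagged example-tools (a false positive) and missed the pre-release build of libexample1.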

Package scanning helps DevOps teams know what updates are required across various endpoints. Servers, for example, are created using Puppet or similar recipe installers. Using the same recipe, a VM can be stood up in a pre-live environment, reflecting a live source. Running scans against this pre-live machine will give insight into which updates and patches will need to be rolled out to production.

Setting up Credential Scanning

Official documents are available at https://docs.greenbone.net/GSM-Manual/gos-21.04/en/scanning.html

The general idea is that when creating a scan in GVM, there is a section for adding credentials. You can set up SSH credentials for a user that GVM can log in with. This user should have enough privileges to check the packages installed – usually this requires full administrative privilege.

Once you have an SSH user with appropriate privileges, you can use either a password or an SSH key. I recommend the key, which will be stored in GVM. It’s best that this user exists only in pre-live test environments.

The above screenshot shows the form where the credentials are listed. Clicking the “New” icon (icon of a page with a star in the upper right corner) will load a form to create a new set of credentials.

There are several choices in the form for creating a new Credential. You can use authorization by username + password, username + SSH Key, Client Certificate, SNMP, S/MIME Certificate, PGP Encryption Key and password only.

Once the credentials are set up, the scan can commence. After the scan, you can run a CVE scan (GVM has a separate scanner that cross-references results against known CVEs). It will provide much more data than a regular (without credentials) scan. Packages that are installed and require patches or updates are listed by CVE, and each item opens to details on the package.

If the preference is to list the vulnerable packages by package, the initial report will do that (before running a CVE scan). The results will show the package, severity score, IP info, etc. Clicking into an entry will provide greater detail.

Conclusion

Threat-focused vulnerability scans are necessary, but so are internal (credential) vulnerability scans. Credential-based scans allow the scanner to log in with appropriate access levels and perform analysis of installed packages. Version data is collected, and the results can be cross-referenced with the CVE scanner for insight into what needs to be updated on the machine. This function of the vulnerability scanner supports the DevOps teams that require analysis and insight into what packages need to be updated. These tests can be run in a pre-live environment that uses the same deploy scripts as production. The analysis and reports generated will indicate what mitigation/updates are required in a production server/environment.