Does a scan need authentication?

I am trying to use Compliance scanning to search for specific CPEs to determine whether servers are at risk of vulnerabilities. I have the Compliance Policy and Audit set up and they work because I can detect other CPEs, but is there any way I can tell whether the scan will find a particular CPE using an unauthenticated scan or whether the CPE can only be detected with an authenticated scan?

My problem is that Authenticated scans need to target very small targets in order that they use the correct credentials, but to scan a large network that is not practical so I need to run unauthenticated.

Hello djr,

You can restrict what vulnerabilities and misconfigurations your compliance policy is looking for. In order to do that, you have to create a new policy or clone an existing one and go from there.

For example, if you want to use only parts of the IT-Grundschutz policy, simply clone it by clicking on the sheep icon and then edit your clone so it fits your requirements:



You could then create one unauthenticated and one authenticated scan using your modified policy so you can determine how high the visibility of the chosen vulnerability is.

1 Like

Hi @TreAtW, thank you for your detailed reply, but that’s not my problem. I have a compliance policy that I know will report on just the CPE I am interested in. My question is whether there is any way I can know whether the CPE will be detected by an unauthenticated scan or whether it can only be found using an authenticated one?

So if a CPE can only be detected by an authenticated scan, there’s no point me running full-network unauthenticated scans because they will always return “nothing found” even if the CPE is in use on every device. The compliance scan is only useful if the CPE can be found by the type of scan I am doing but running a scan doesn’t tell me because I can’t tell the difference between a false negative result or a true negative result.

Does that make the problem clearer?

1 Like

Hey djr, thanks for clarifying the issue, seems like I misunderstood your initial post.

To find out whether the vulnerability can be found with an unauthenticated scan, why not run both an authenticated and unauthenticated scan on a known vulnerable host and compare the results?

:) Yes, but that relies on having a known configuration, which in this case I don’t, and there would be a significant amount of resource needed to set a system up every time I wanted to look for something. Not to mention that I’m a network guy; for me to spin up and build a server running a suite of software just for this really isn’t going to happen.

I was hoping there may be some metadata somewhere in the Greenbone feed data that would allow me to work this out from first principles rather than by trial and error.

1 Like

As far as I am aware, unfortunately, there are no such metadata.

1 Like

> I was hoping there may be some metadata somewhere in the Greenbone feed data that would allow me to work this out from first principles rather than by trial and error.

You can check whether there is a detection for the product in the Product Detection VT family. As a rule of thumb, checks with “HTTP” or “SNMP” in their name can be done unauthenticated/remotely. Other checks may also work remotely; you can double-check this via the quality of detection (QoD) type listed on their details page. Authenticated and remote/unauthenticated checks are marked there; also cf. https://docs.greenbone.net/GSM-Manual/gos-22.04/en/reports.html#quality-of-detection-concept.

Alternatively, if the CPE has a CVE linked to it, and a VT for the CVE exists, you could check the QoD of that VT. This is only relevant for vulnerability scans though, not so much for audits and/or discovery scans.

You can then run a scan with the “Discovery” scan config, or a minimal vulnerability scan with a custom scan config to get an overview of your network.

If we do not have the product covered yet, you may raise a request in https://forum.greenbone.net/c/vulnerability-tests/7. Please include the product details and any banner information if possible.

2 Likes
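The QoD-type check described in the reply above can be scripted. This is an added example, not code from the thread or from Greenbone. It assumes VT sources carry `script_name`, `script_family` and a `qod_type` script tag, and that QoD types named `remote_*` run unauthenticated while `package`, `registry` and `executable_version*` need credentials. The vendor, product and VT names are placeholders.

```python
import re

# QoD type names from the Greenbone QoD documentation; grouping them by
# access level is this example's reading of those names (an assumption).
REMOTE = {"remote_vul", "remote_app", "remote_active", "remote_banner",
          "remote_analysis", "remote_probe", "remote_banner_unreliable"}
AUTHENTICATED = {"package", "registry", "executable_version",
                 "executable_version_unreliable"}
# NASL metadata calls as assumed for feed VT sources.
FIELDS = {
    "name": re.compile(r'script_name\(\s*"([^"]+)"\s*\)'),
    "family": re.compile(r'script_family\(\s*"([^"]+)"\s*\)'),
    "qod_type": re.compile(
        r'script_tag\(\s*name\s*:\s*"qod_type"\s*,\s*value\s*:\s*"([^"]+)"\s*\)'),
}

def vt_metadata(nasl_text):
    """Extract name, family and qod_type from one VT's NASL source."""
    meta = {}
    for key, rx in FIELDS.items():
        match = rx.search(nasl_text)
        meta[key] = match.group(1) if match else None
    return meta

def access_level(qod_type):
    if qod_type in REMOTE:
        return "unauthenticated"
    if qod_type in AUTHENTICATED:
        return "authenticated"
    return "unknown"  # tag missing, or exploit/general_note: check by hand

def detections_for_cpe(nasl_sources, cpe_prefix):
    """Map each Product detection VT mentioning cpe_prefix to its access level."""
    found = {}
    for text in nasl_sources:
        meta = vt_metadata(text)
        family = (meta["family"] or "").lower()
        if cpe_prefix in text and family == "product detection":
            found[meta["name"]] = access_level(meta["qod_type"])
    return found

# Constructed VT sources; vendor, product and VT names are placeholders.
TEMPLATE = ('script_name("{0}");\nscript_family("Product detection");\n'
            'script_tag(name:"qod_type", value:"{1}");\n'
            'base = "cpe:/a:example_vendor:example_product";')
SAMPLE_VTS = [
    TEMPLATE.format("Example Product Detection (HTTP)", "remote_banner"),
    TEMPLATE.format("Example Product Detection (SSH Login)", "executable_version"),
]
```

An empty result means no detection VT references the CPE, so a "nothing found" from either scan type says nothing about whether the product is present.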

Thank you @Martin, I can see how that can help me, so I have made some notes for next time I need to do it. Unfortunately the product I want isn’t listed in the Product Detection NVTs. There is a CVE out against it but it seems no NVT yet.

Thank you for your very helpful reply though.