How to fix vulnerabilities

Good evening, dear engineers. Can we automatically correct the vulnerabilities detected with OpenVAS? Is it possible to do it by connecting OpenVAS and Ansible, or can OpenVAS do it on its own?

Hi there,

Short answer: No, it can’t.

Long answer: Greenbone/OpenVAS, by itself, is not designed to automatically fix the reported vulnerabilities. What it does instead is provide you with a solution or mitigation to fix the vulnerabilities yourself, as there would be way too many solutions to consider that would have to be automated (e.g. downloading fixes, closing ports, restricting user access, etc.). That’s not something that Greenbone/OpenVAS was designed for.

Cheers,
ad

Okay. Thank you. Then is there a tool capable of detecting the vulnerabilities, downloading the patches according to the vulnerabilities detected and deploying these patches in order to correct these flaws? Or do you have to combine several tools? If so, what tools, for example?

Don’t have any example tools at hand. But in general I would be very careful with automatic patching on productive systems. This can go very wrong very fast, as updates might break your installations due to bugs in the updates themselves or incompatibilities with your setup/configuration, etc. This might be acceptable for your home network but probably less so if it affects e.g. the billing systems of your company…

Indeed, it is not safe to deploy patches directly in a production environment. You therefore need a test environment. But implementing an automatic detection and correction solution for vulnerabilities in Windows systems is a project that I must defend. So can you offer me a palliative solution by obviously offering me tools capable of performing these tasks?

As previously discussed, GVM doesn’t provide such a functionality, and the “Vulnerability Tests” category isn’t the correct place for discussing such topics anyway, so I have moved this topic into the best fitting category for now.

Related to your last question, I don’t think that anyone at Greenbone can / will give any recommendations for 3rd-party software providing such a feature (if software providing such a functionality even exists).

Your best bet is probably that someone from the community has some knowledge / experience if something like this exists and shares it with you.

Okay, thank you.