How do I mitigate false positives with Control Compliance Suite Vulnerability Manager - CCS VM?

Article ID: 181093

Products

Control Compliance Suite Vulnerability Manager

Issue/Introduction

Resolution

(1) How do I mitigate "vulnerable version" false positives on assets?
----------------------------------------------------------------------------

Many "vulnerable version" false positives on Linux assets are due to backporting, which is the action of applying a certain software modification (patch) to an older version of the software than it was initially created for. It is part of the maintenance step in the software development process.

If you provide CCSVM with valid login credentials (they do not necessarily need to be root), it should be able to authenticate to the scanned systems and obtain detailed information about installed applications, including configuration issues and missing security patches. As a result, authenticated scan findings are more comprehensive and have fewer false positives than anonymous scans.

The manner in which an authenticated scanner collects data differs across operating systems and scanning tools:

- The scanner can use SSH to log in interactively to a Linux host and run shell-level commands that enumerate installed packages and gather other relevant data.
- The scanner examining a Windows host will usually authenticate remotely using Windows domain or local credentials to obtain patch and configuration data from the registry and the file system.
- SNMP can be used to authenticate to network devices, if necessary.
- CCSVM can also authenticate to databases, which might use a protocol such as SQL*Net.

CCSVM will also need access to the /etc folder and all files and folders contained within it. For Sun devices it will also need access to /var/sadm/ and all files and folders within it. The following are some other commands that CCSVM will try to run when logging into a Unix-based machine (this is not a full list, but some of the more important ones that may be restricted for some users):

- lslpp -cL (AIX)
- ifconfig -a (*nix)
- showrev -p (Sun)
- pkginfo -x (Sun)
- dpkg -l (Debian)
- rpm -qa (RedHat)
- uname -a (*nix)
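Before attributing "vulnerable version" findings to the scanner, it helps to confirm that the scan account can actually run these commands and read the directories listed above. The following POSIX shell script is an added example, not part of CCSVM; its function names (cmd_works, count_unreadable, pkg_enum_cmd, preflight) are hypothetical, and it treats a missing ifconfig as a failure because the article lists it among the commands the scanner runs.

```shell
#!/bin/sh
# Hypothetical pre-flight check for a CCSVM scan account (added example, not
# CCSVM code). Run it as the account whose credentials the scanner will use.

# Return 0 if the command exists in PATH and exits successfully for this user.
cmd_works() {
  command -v "$1" >/dev/null 2>&1 || return 1
  "$@" >/dev/null 2>&1
}

# Count regular files under a directory that the current user cannot read.
count_unreadable() {
  find "$1" -type f 2>/dev/null | while IFS= read -r f; do
    [ -r "$f" ] || printf '%s\n' "$f"
  done | wc -l | tr -d ' '
}

# Print the package enumeration command the scanner would use on this host;
# return 1 if none of the package managers named in the article is present.
pkg_enum_cmd() {
  if   command -v lslpp   >/dev/null 2>&1; then echo "lslpp -cL"   # AIX
  elif command -v pkginfo >/dev/null 2>&1; then echo "pkginfo -x"  # Sun
  elif command -v dpkg    >/dev/null 2>&1; then echo "dpkg -l"     # Debian
  elif command -v rpm     >/dev/null 2>&1; then echo "rpm -qa"     # RedHat
  else return 1; fi
}

# Report each check and return the number of failures (0 = ready to scan).
preflight() {
  fails=0
  for c in "uname -a" "ifconfig -a"; do
    if cmd_works $c; then echo "ok   $c"; else echo "FAIL $c"; fails=$((fails+1)); fi
  done
  if pkgcmd=$(pkg_enum_cmd) && cmd_works $pkgcmd; then echo "ok   $pkgcmd"
  else echo "FAIL package enumeration (${pkgcmd:-no package manager found})"; fails=$((fails+1)); fi
  for d in /etc /var/sadm; do          # /var/sadm matters only on Sun hosts
    [ -d "$d" ] || continue
    n=$(count_unreadable "$d")
    if [ "$n" -eq 0 ]; then echo "ok   $d readable"
    else echo "FAIL $n file(s) under $d not readable"; fails=$((fails+1)); fi
  done
  return "$fails"
}

if preflight; then echo "scan account ready"; else echo "scan account has gaps"; fi
```

Any FAIL line names a command or directory the scanner will not be able to use with this account, which is exactly where package enumeration silently degrades to version banners.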

Lastly, if valid credentials are used, you can modify a scan template to correlate reliable checks, which increases the accuracy of your results. To enable correlation, perform the following steps:

1. Access the scan template by clicking the Administration tab and then clicking the manage link for Scan Templates.

2. Copy the scan template that you're using.

3. Click the Vulnerability Checks link in the template configuration.

4. Select the option labeled correlate reliable checks with regular checks.