
I have asked this question: "False positive Apache version in scanner results on Centos". I need additional clarification: do you know if it is possible to configure Nessus to adopt Red Hat backport security updates? I want to prevent false positive reports from Nessus. Example of a false positive report:

Apache 2.2 < 2.2.16 Multiple Vulnerabilities

Tried to find the answer here without success: http://www.tenable.com/plugins/67093 http://www.tenable.com/taxonomy/term/612

Michael

  • The answer is in your other question. The only practical way to do this, that springs to mind, is to run credentialed checking or manually run a patch level review. – Rory McCune Jan 07 '14 at 12:06
  • Is it only a manual option for Nessus? – Michael Jan 07 '14 at 15:51
  • As of last May, "Linux local patch checking is still in the works" according to this announcement about Nessus' [Patch Report](http://www.tenable.com/blog/new-nessus-report-consolidates-missing-patches) – gowenfawr Jan 07 '14 at 18:58

1 Answer

You would need to check the locally installed package version:

https://access.redhat.com/security/updates/backporting

As Red Hat backports patches, the Apache version sent by the web server will always appear to be "old" (since it is not incremented unless the entire package is rebased to a newer version, which is rare in Red Hat Enterprise Linux). You can cut down on false positives by setting ServerTokens to "Prod", for example.

In general, simple banner scanning (Apache HTTPD, Sendmail, Postfix, etc.) will almost always result in a lot of false positives. It is much better to check the RPMs actually installed, for example using the yum security plugin:

yum install yum-plugin-security

then make sure all available security updates are installed:

yum updateinfo list security all

For more information please see https://access.redhat.com/solutions/10021

Kurt
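The following script is an added illustration of the triage the question and answer describe; it is not part of the original post or of Nessus, Red Hat or Apache. It takes the scanner's view (the version string in the HTTP Server header) and the host's view (the installed RPM's changelog, as `rpm -q --changelog httpd` prints it) and decides whether a "version < X" banner finding is a false positive on a system that receives backported fixes. It also checks whether the ServerTokens mitigation from the answer is in place. The Server header, changelog excerpt and httpd.conf snippets are constructed fixtures, and `CVE-0000-0001` is a placeholder id, not a real vulnerability.

```shell
#!/bin/sh
# Added example (not from the original question or answer): triage a
# banner-based scanner finding on a RHEL/CentOS host by trusting the
# installed package's changelog rather than the advertised version string.

# Constructed Server header, as a banner scanner would see it.
SAMPLE_HEADER='Server: Apache/2.2.15 (CentOS)'

# Constructed excerpt in the shape of `rpm -q --changelog httpd` output.
# CVE-0000-0001 is a placeholder id used only for this example.
SAMPLE_CHANGELOG='* Tue Jan 07 2014 Example Packager <pkg@example.invalid> - 2.2.15-29
- backported fix for CVE-0000-0001 (placeholder id)
* Mon Jan 06 2014 Example Packager <pkg@example.invalid> - 2.2.15-28
- rebuild'

# Constructed httpd.conf excerpts: a chatty banner setting and the
# hardened setting the answer recommends.
WEAK_CONF='ServerTokens OS
ServerSignature On'
HARDENED_CONF='ServerTokens Prod
ServerSignature Off'

# Version the banner advertises (e.g. 2.2.15), or empty if none is given.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^Server: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Dotted-version comparison: succeeds when $1 < $2 (numeric per component).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# What a banner-only scanner does: flag when the advertised version is
# below the first upstream release that carries the fix.
banner_says_vulnerable() {   # $1 = Server header, $2 = first fixed upstream version
    v=$(banner_version "$1")
    [ -n "$v" ] && version_lt "$v" "$2"
}

# What the host actually knows: does the package changelog record the fix?
changelog_has_cve() {        # $1 = changelog text, $2 = CVE id
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Verdict: false-positive (banner old, fix backported), true-positive
# (banner old, no record of the fix) or not-flagged.
triage() {                   # $1 header, $2 fixed version, $3 changelog, $4 CVE id
    if banner_says_vulnerable "$1" "$2"; then
        if changelog_has_cve "$3" "$4"; then
            echo false-positive
        else
            echo true-positive
        fi
    else
        echo not-flagged
    fi
}

# Mitigation check from the answer: is ServerTokens set to Prod?
server_tokens_is_prod() {    # $1 = httpd.conf text
    printf '%s\n' "$1" | grep -Eqi '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$'
}

# Walk through the constructed finding "Apache 2.2 < 2.2.16".
echo "banner version: $(banner_version "$SAMPLE_HEADER")"
echo "verdict:        $(triage "$SAMPLE_HEADER" 2.2.16 "$SAMPLE_CHANGELOG" CVE-0000-0001)"
if server_tokens_is_prod "$HARDENED_CONF"; then
    echo "ServerTokens Prod is set; banner no longer carries a version"
else
    echo "ServerTokens is not Prod; banner still advertises a version"
fi
```

On a real host the two inputs would come from `curl -sI http://localhost/` for the header and `rpm -q --changelog httpd` for the changelog, with the CVE id taken from the scanner finding; the verdict logic is the same. Note that this mirrors what a credentialed scan or the yum security plugin does (inspect the installed package), which is why those are the practical answers rather than tuning the banner check itself.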