
I'm configuring my server and using Trivy to scan for vulnerabilities. Trivy finds a lot of high and critical vulnerabilities with CVE codes attached, whether I run it on the server or on the container images I will run on the server.

I would like to find an automatic way to correct these CVEs.

To be more specific: I have run apt update, apt upgrade and apt dist-upgrade, but Trivy still finds a lot of high and critical vulnerabilities.

I have tried to look for "vulnerability remediation" on Google, but I don't find many automatic vulnerability patchers out there. It's mainly about scanning, which is already good, but I don't really know what to do with what Trivy is telling me...

Are there any open source/free tools to do so?

Thank you

1 Answer


Aside from patching and keeping your system up to date, which you apparently already do (might I suggest implementing unattended-upgrades while you're at it), reducing the number of CVEs found for your system works in two distinct ways:

  1. Reduce your attack surface: remove all packages which you do not explicitly require. apt autoremove will do that for system packages, but for container images you might want to update those to more current versions as well. This is the least effort from your side.
  2. Consider configuring the packages responsible for the CVEs according to their respective security best practices. After all, it is all about your threat model, and certain configurations may or may not be desirable in your specific environment. This is the more work-intensive part for you, since there is no real way to automate this out of the box, except for the usage of Ansible roles like this one, which picks some sane defaults for some system services.

EDIT: The purpose of apt autoremove according to the man pages:

autoremove is used to remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed.

YoshiMbele
  • Thank you... is apt autoremove consistent and reliable? I have already set most of this Ansible role, but it is nice to see some Ansible roles already exist. It's a shame there are no central Ansible playbooks for CVEs following their release... – user19413311 Jun 29 '22 at 09:50
  • I have added additional information on `apt autoremove` in my answer. There will probably never be holistic Ansible playbooks to fix all CVEs, since there are also other mitigation possibilities aside from patching. – YoshiMbele Jun 29 '22 at 10:00
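The question also asks what to do with what Trivy reports once the upgrade commands are exhausted. The answer's two-way split (upgrade what has a fix, remove or harden what does not) can be applied mechanically to Trivy's JSON output. The script below is an added example, not code from the question, the answer or the Trivy project; it assumes Trivy's JSON report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) and runs against a constructed sample report whose CVE ids are placeholders.

```python
"""Triage a Trivy JSON report into 'upgrade' and 'review' buckets.

Added example (not from the original post). Assumes the Trivy JSON schema:
Results[].Vulnerabilities[] entries carrying VulnerabilityID, PkgName,
InstalledVersion, FixedVersion and Severity. Run with a real report:
    trivy image --format json -o report.json <image> && python triage.py report.json
"""
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `trivy ... --format json` output.
# Package names, versions and CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example-image (debian 11.3)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH"},
                # No FixedVersion: the distro has not shipped a fix yet.
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bar-utils",
                 "InstalledVersion": "2.4", "FixedVersion": "",
                 "Severity": "HIGH"},
                # Below the severity threshold, so ignored by the triage.
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "baz",
                 "InstalledVersion": "0.9", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        }
    ]
})

SEVERITIES = ("CRITICAL", "HIGH")


def triage(report_json, severities=SEVERITIES):
    """Group findings at or above the threshold by package.

    Returns (upgrade, unfixed): package -> sorted CVE ids. 'upgrade' holds
    packages where Trivy reports a FixedVersion (apt upgrade / rebuild the
    image on a newer base will clear them); 'unfixed' holds packages with no
    fix available, which are candidates for removal or configuration hardening.
    """
    report = json.loads(report_json)
    upgrade = defaultdict(set)
    unfixed = defaultdict(set)
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            bucket = upgrade if vuln.get("FixedVersion") else unfixed
            bucket[vuln["PkgName"]].add(vuln["VulnerabilityID"])
    return ({p: sorted(v) for p, v in upgrade.items()},
            {p: sorted(v) for p, v in unfixed.items()})


def summarize(report_json):
    """One action line per package, most findings first."""
    upgrade, unfixed = triage(report_json)
    by_count = lambda kv: (-len(kv[1]), kv[0])
    lines = [f"UPGRADE  {pkg}: {len(cves)} finding(s), fixed version available"
             for pkg, cves in sorted(upgrade.items(), key=by_count)]
    lines += [f"REVIEW   {pkg}: {len(cves)} finding(s) with no fix yet; "
              "remove the package if unused, otherwise harden its configuration"
              for pkg, cves in sorted(unfixed.items(), key=by_count)]
    return lines


if __name__ == "__main__":
    report_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("\n".join(summarize(report_json)))
```

Packages that land in the REVIEW bucket are exactly the ones the answer's second point is about: a scanner cannot make them go away, so the decision is whether the package is needed at all (autoremove, or a slimmer base image) and, if it is, whether its configuration limits the exposure.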