Upguard (formerly ScriptRock) recently announced a new, free, vulnerability scanner available within their solution. Years ago, Nessus was the defacto tool here but more recently has been commercialized. OpenVAS seems to be the new hotness for Open Source vulnerability scanning but is yet another product to introduce into the environment. In my previous two posts (compare / policies) I added two nodes to ScriptRock, I’ll use these again for testing the vulnerability scanner. If you have not already add a couple of hosts to ScriptRock before you proceed.
If you have been using ScriptRock for a while, ensure the agents on your nodes have been updated to at least v3.3
In the Nodes section, click on one of the hosts - I’ll pick on my Domain Controller again. In the upper right hand corner click the Scan pull down menu and select Vulnerability Scan (beta).
You have several options to control the vulnerability scan, for example you may not care about scanning for 5 year old vulnerabilities on a system you actively update, so in the time range field for example you could just select “Added in the last two weeks” or change the severity level to only high severity items - whatever range your SLAs/KPIs require you scan for (or that pesky auditor) there is likely an option in ScriptRock to verify you are/are not vulnerable.
Now that I have everything set (Top 100 / Only 9-10 / Added in the last two weeks) simply click Scan this node and let the work be done for you and click View Scan
If, like me you are clean…you should come back to your node details page with no scary red creatures on it, however if you have vulnerabilities you should seem something similar to this:
That’s all for today folks, at this point I can recommend the vulnerability scanner to complement existing solutions you may already have in place. As the folks at ScriptRock enhance this feature, you might find it ready for production in the near future once it leaves beta. I am hoping they add the ability to do vulnerability scans on multiple nodes, scan on a schedule, and produce dedicated reports to get those auditors off your back easily.
Please note that the vulnerability scanner is still in beta, and functionality and/or reporting may change.