Why Auditing and Vulnerability Scanning are Different Things

As the author of Lynis, we hear often the question: It is like Nessus, right? It seems that everything is compared with Nessus, especially when it comes to Linux security. Surprise, it is not. Let’s get things straight, and talk about the benefits of both.

Vulnerability Scanning

Scanners like Nessus and OpenVAS are great tools. You drop a system in the network and start scanning. The scanner then usually starts with a ping sweep to detect which systems are alive and providing services. Next step is determining these services, so they can be followed up with more in-depth tests.

Vulnerability scanners are comprehensive and at the same time “stupid”. They don’t exactly know what is on a system, so they have to try. No surprise that your log files are filled with attempts for non-existing files, or ports that are closed.

Vulnerability Classification

If vulnerability scanning is level 1 of the game, then vulnerability classification is the next one. After the scanner is done with scanning, you get a big list of (possible) findings.

Let’s say you are running Apache 2.4.6. So the vulnerability scanner tells you about this vulnerability, with the advice to start patching. You might be surprised and thinking that your software patching process should have covered this. Not much later you discover it was actually patched, with a security update from your Linux distribution. The scanner actually provided you with a “false positive”. It thought you were vulnerable because it didn’t know better. The reason for this to happen is simple, it used the version from a banner displayed by the Apache web server.

Benefits of vulnerability scanners

Besides a few downsides of vulnerability scanning, the simplicity of deployment is a benefit. No installation is needed on the systems, and it can do a lot of tests on all kind of devices.

Linux Auditing

So back to Lynis and the comparison with Nessus. Lynis is a security auditing tool for systems running Linux or a UNIX derivative like *BSD and Mac OS X. It is host-based, meaning you have to run it on the system itself. Because you are doing so, it knows almost everything happening on the system. From your NTP servers used for time synchronization, up to running processes, and what packages you have installed.

The goal of an auditing tool is completely different to vulnerabilities: it does a health check of the system. If we compare it with an apple: a vulnerability scanner looks for bad spots on the outside, the auditing tool looks from the core of the apple towards the outside. So auditing tools like Lynis go much more in-depth. The cost is that it has to run on the system and that it has to be tailored to the platform being scanned. No surprise that we didn’t work on a Windows version yet, as that is a completely different league.

That the main goal of an auditing tool is to perform a health check, doesn’t mean it is limited to that. It can actually also find vulnerabilities. Lynis can detect outdated packages, without having to maintain a database of “bad” versions. Instead, it uses the package manager to get these details. It is more accurate and usually up-to-date than someone having to update a list manually.

What if we combine things?

If you want a true checkup of your network, you want to combine generic vulnerability scanning, with an in-depth system audit. This way you can get the best out of both solutions. The vulnerability scanner searches continuously for bad spots on the outside. The auditing tool helps you with system hardening from the inside. Do this on an ongoing basis, and you have already some corner pieces of the security puzzle in place.

For now, keep on scanning with both types of scanners. But remember, Nessus and OpenVAS are great tools, but you want to extend it with in-depth scanner Lynis.

Happy hardening!

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon