The article discusses the difficulty of offering vulnerability scanning as a service for customers' networks and contrasts two approaches: a locally controlled VM that the customer operates, or a remote-controlled sensor VM with centralized management. In the first, you prepare a VM such as AlienVault or Greenbone (OpenVAS) and have the customer deploy it in their network. This is cumbersome because every runtime check and every result retrieval needs manual coordination, usually a screen-sharing session. The second uses the higher-tier Greenbone Security Manager (GSM) models, where smaller sensors are controlled by a central GSM master, giving centralized management and immediate access to scan results. That setup still relies on an SSH connection from the master to the sensor, which the customer has to permit inbound into their network, and that is where the customer interaction gets complicated again.
For sysadmins managing Proxmox clusters, dockerized environments, Linux servers or nginx deployments, the CVE scan workflow they choose affects both security and operational effort. A remote-controlled sensor approach such as Greenbone GSM lets them run thorough scans without the constant back-and-forth with the customer that manual methods require. For example, a Proxmox user can keep a Greenbone sensor as a VM template, clone it into each network, and manage all of the clones from a GSM 400 master, so every host is scanned on a schedule without anyone needing direct access to the sensor.
- Locally controlled VMs such as AlienVault or Greenbone (OpenVAS) need significant manual intervention and coordination with the customer. Screen sharing for runtime checks and for pulling results makes the method slow and hard to scale.
- The remote-controlled approach, using higher-tier Greenbone Security Manager models such as a GSM 25V sensor controlled by a GSM 400 master, offers centralized management and cuts the manual effort. It does require a working SSH path from the master to the sensor, which should be limited to the master's address and to key-based authentication.
- Centralized scanning services such as Qualys are an alternative to local VMs and SSH-controlled sensors. They need little on-site setup for Internet-facing hosts; scanning internal address ranges still requires a scanner appliance inside the customer's network, so the on-site component does not disappear entirely.
- For sysadmins running Linux servers or nginx deployments, a solution that minimizes operational disruption matters most. A centralized system such as Greenbone GSM keeps scan schedules and results under their control without constant customer engagement.
- Proxmox users can keep a Greenbone sensor as a VM template and clone it for automated security checks, using the central management of the higher-tier models. The result is continuous monitoring with minimal manual intervention.
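The point of the remote-controlled setup is that results land on the master and can be pulled and triaged immediately. The following is an added example for this page, not code from Greenbone or from the original text: it summarises a GMP scan report that has been exported from the master as XML (for instance with gvm-cli's get_reports command) and filters it by severity and QoD, the way you would before sending a customer a per-host overview. The element names follow the GMP <result> layout (name, host, port, nvt/refs, threat, severity, qod/value); the sample report is constructed by hand with placeholder CVE ids and the thresholds are the example's own choice.

```python
"""Summarise a GMP scan report exported from a Greenbone master.

Added example for this page, not code from Greenbone or the original text.
Assumes the report was exported as XML (e.g. via gvm-cli get_reports) and is
read as a string; the element names follow the GMP <result> layout and the
sample below is constructed by hand with placeholder CVE ids.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: four results on two hosts. Placeholder CVE ids, not real findings.
SAMPLE_REPORT = """<get_reports_response status="200" status_text="OK">
<report id="00000000-0000-0000-0000-000000000001">
<report>
<results start="1" max="-1">
  <result id="r1">
    <name>Example finding A</name>
    <host>10.0.10.5<asset asset_id="a1"/></host>
    <port>22/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.000001">
      <refs><ref type="cve" id="CVE-2099-00001"/></refs>
    </nvt>
    <threat>High</threat>
    <severity>7.5</severity>
    <qod><value>80</value></qod>
  </result>
  <result id="r2">
    <name>Example finding B (informational)</name>
    <host>10.0.10.5</host>
    <port>general/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.000002"><refs/></nvt>
    <threat>Low</threat>
    <severity>2.6</severity>
    <qod><value>95</value></qod>
  </result>
  <result id="r3">
    <name>Example finding C (low-confidence detection)</name>
    <host>10.0.10.7</host>
    <port>443/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.000003">
      <refs><ref type="cve" id="CVE-2099-00003"/></refs>
    </nvt>
    <threat>High</threat>
    <severity>9.8</severity>
    <qod><value>30</value></qod>
  </result>
  <result id="r4">
    <name>Example finding D (older GMP layout)</name>
    <host>10.0.10.7</host>
    <port>80/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.000004"><cve>CVE-2099-00002</cve></nvt>
    <threat>Medium</threat>
    <severity>5.0</severity>
    <qod><value>97</value></qod>
  </result>
</results>
</report>
</report>
</get_reports_response>
"""


def parse_results(xml_text, min_severity=0.0, min_qod=70):
    """Extract results at or above the severity and QoD thresholds.

    QoD (quality of detection) defaults to 70, the same cut-off the Greenbone
    web UI applies by default, so low-confidence detections are dropped.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for res in root.iter("result"):
        severity = float(res.findtext("severity") or 0.0)
        qod = int(res.findtext("qod/value") or 0)
        if severity < min_severity or qod < min_qod:
            continue
        nvt = res.find("nvt")
        if nvt is None:
            nvt = ET.Element("nvt")  # keep going even if a result lacks nvt data
        cves = [r.get("id") for r in nvt.findall("refs/ref") if r.get("type") == "cve"]
        legacy = (nvt.findtext("cve") or "").strip()  # older GMP versions used a plain <cve>
        if legacy and legacy != "NOCVE":
            cves.extend(c.strip() for c in legacy.split(",") if c.strip())
        findings.append({
            "id": res.get("id"),
            "host": (res.findtext("host") or "").strip(),  # text before the <asset> child
            "port": (res.findtext("port") or "").strip(),
            "name": (res.findtext("name") or "").strip(),
            "oid": nvt.get("oid"),
            "threat": (res.findtext("threat") or "").strip(),
            "severity": severity,
            "qod": qod,
            "cves": cves,
        })
    return findings


def summarize_by_host(findings):
    """Group findings per host: count, worst severity and the sorted CVE set."""
    hosts = defaultdict(lambda: {"count": 0, "max_severity": 0.0, "cves": set()})
    for f in findings:
        entry = hosts[f["host"]]
        entry["count"] += 1
        entry["max_severity"] = max(entry["max_severity"], f["severity"])
        entry["cves"].update(f["cves"])
    return {host: {"count": e["count"], "max_severity": e["max_severity"],
                   "cves": sorted(e["cves"])} for host, e in hosts.items()}


if __name__ == "__main__":
    # Pass the path of an exported report; without one the constructed sample is used.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for host, entry in sorted(summarize_by_host(parse_results(xml_text)).items()):
        print(f"{host:16} findings={entry['count']:3} worst={entry['max_severity']:4.1f} "
              f"cves={','.join(entry['cves']) or '-'}")
```

Running it against a real export takes the file path as the only argument. Raising min_severity to the customer's agreed reporting threshold and leaving min_qod at 70 gives the same view the master's web interface shows, which avoids arguing over low-confidence results that were never going to appear there.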
The choice between local and remote-controlled scanning affects common homelab stacks built on Proxmox, Docker, Linux servers and nginx. In a remote-controlled setup the sensor's SSH service has to be reachable from the master and should be restricted to it, while Proxmox users can keep a pre-built sensor as a VM template so that adding a sensor to a new network is a clone rather than a fresh install.
- Configure a Greenbone Security Manager sensor (GSM 25V) in the customer network and make sure the GSM 400 master can reach it over SSH. Where the sensor's SSH configuration is under your control, limit access to the master's address and to key-based authentication rather than opening SSH broadly.
- Qualys' scanning software is vendor-managed and updated centrally, so there is no scanner version for you to pin; scan-to-scan consistency comes from keeping the option profile and target list fixed and comparing reports produced with the same profile.
- Build the Greenbone sensor once, convert that VM to a Proxmox template, and clone it for each customer network. The only per-clone change is the network device (bridge or VLAN tag under the VM's Hardware tab), so the sensor lands in the right segment without any further configuration.
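The SSH path from master to sensor is the one piece of the remote-controlled setup that the customer has to expose, so it is worth checking that it is as narrow as possible. The following is an added example for this page, not Greenbone code and not a substitute for the appliance's own setup menu: it parses a sensor's sshd_config the way sshd does (first value wins, Match blocks are conditional) and reports anything that would let more than the master's key in. The master address and account name are placeholders, and both configs are constructed samples.

```python
"""Check a sensor's sshd_config for a least-privilege master-to-sensor setup.

Added example for this page, not Greenbone code. Assumes a plain Linux sensor
whose sshd_config can be read; the master address and account are placeholders.
"""
import re
import sys

MASTER_ADDR = "10.0.0.10"  # assumed address of the GSM master (placeholder)


def parse_sshd_config(text):
    """Parse global directives into {keyword_lower: value}.

    sshd uses the first value it reads for a keyword, so later duplicates are
    ignored; AllowUsers lines accumulate instead. Parsing stops at the first
    Match block because directives inside it are conditional, not global.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "allowusers":
            values.setdefault(key, []).extend(val.split())
        else:
            values.setdefault(key, val)
    return values


def audit_sensor_sshd(text, master_addr=MASTER_ADDR):
    """Return a list of findings; an empty list means the config is acceptable."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd default is yes); "
                        "the master should authenticate with a key only")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled, so the master's key cannot be used")
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: give the master a dedicated account instead")
    allowed = cfg.get("allowusers", [])
    if not allowed:
        findings.append("no AllowUsers directive: every account can log in from any address")
    for entry in allowed:
        _user, _, host = entry.partition("@")
        if host != master_addr:
            findings.append(f"AllowUsers entry '{entry}' is not pinned to the master address {master_addr}")
    return findings


# Constructed samples: a permissive stock-looking config and the hardened version.
WEAK_CONFIG = """
# stock-looking sensor config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = f"""
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# only the master's account, and only from the master's address
AllowUsers gsm-master@{MASTER_ADDR}
Match Address {MASTER_ADDR}
    PasswordAuthentication no
"""


if __name__ == "__main__":
    # Pass the path of the sensor's sshd_config; without one the weak sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit_sensor_sshd(text) or ["ok: no findings"]:
        print(finding)
```

Point it at the sensor's sshd_config after any change; an empty result means only the master's account, with a key, from the master's address, can reach the sensor, which is the smallest exposure the remote-controlled design needs.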