I want to know how the firewall, SELinux or NFS services affect vulnerability scan tests.
I will run several scans with OpenVAS against the RHEL 7.3 client. I provided the root password to OpenVAS:
Finally I will export scan results as CSV with the option: “CSV Results”. With diff I will try to find differences between scans. I removed all columns except: IP, Hostname, Port, Port Protocol, CVSS, Severity, Solution Type, NVT Name.
I also want to obviate package updates.
Result number | Amount of Results | Amount of Results without logs | Amount of Results without update problems | Difference between previous result |
---|---|---|---|---|
1 | 204 | 176 | 3 | NA |
2 | 206 | 176 | 3 | 0 |
3 | 209 | 177 | 3 | 0 |
4 | 209 | 177 | 3 | 0 |
5 | 209 | 177 | 3 | 0 |
6 | 205 | 174 | -3 | 0 |
I compared the first result with scans 2, 3, 4 and 5 respectively.
```
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
137a139
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
```

```
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
20a22,23
> 192.168.122.254,,,,5.0,Medium,VendorFix,QEMU <= 3.1.50 Denial of Service Vulnerability
> 192.168.122.254,,,,0.0,Log,,QEMU Version Detection (Linux)
137a141
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
145a150
> 192.168.122.254,,,,0.0,Log,,Sun/Oracle OpenJDK Version Detection
```

```
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
20a22,23
> 192.168.122.254,,,,5.0,Medium,VendorFix,QEMU <= 3.1.50 Denial of Service Vulnerability
> 192.168.122.254,,,,0.0,Log,,QEMU Version Detection (Linux)
137a141
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
145a150
> 192.168.122.254,,,,0.0,Log,,Sun/Oracle OpenJDK Version Detection
```

```
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
20a22,23
> 192.168.122.254,,,,5.0,Medium,VendorFix,QEMU <= 3.1.50 Denial of Service Vulnerability
> 192.168.122.254,,,,0.0,Log,,QEMU Version Detection (Linux)
137a141
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
145a150
> 192.168.122.254,,,,0.0,Log,,Sun/Oracle OpenJDK Version Detection
```
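The comparison described above can also be done on parsed CSV rather than with a line-based diff, so that quoted fields containing commas and the removed columns cannot produce spurious differences. This is an added example, not the script used for the scans in this post; the sample exports are constructed, and the extra "Summary" column and its text are assumptions.

```python
import csv
import io
from collections import Counter

# Columns the post keeps from the OpenVAS "CSV Results" export.
KEEP = ["IP", "Hostname", "Port", "Port Protocol", "CVSS",
        "Severity", "Solution Type", "NVT Name"]

def load_findings(csv_text, include_logs=False):
    """Reduce an export to the KEEP columns; Counter keeps duplicate rows."""
    findings = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not include_logs and row["Severity"] == "Log":
            continue  # "results without logs" in the table above
        findings[tuple(row[col] for col in KEEP)] += 1
    return findings

def compare_scans(before_text, after_text, include_logs=False):
    """Return (added, removed) findings between two exports."""
    before = load_findings(before_text, include_logs)
    after = load_findings(after_text, include_logs)
    return (sorted((after - before).elements()),
            sorted((before - after).elements()))

# Constructed sample exports. The "Summary" column, its text and the
# "TCP timestamps" row are assumptions; the other rows reuse diff lines above.
HEADER = ",".join(KEEP) + ",Summary\n"
SCAN_A = HEADER + (
    '192.168.122.254,,,,2.6,Low,Mitigation,TCP timestamps,"uptime 1000, constructed"\n'
)
SCAN_B = HEADER + (
    '192.168.122.254,,,,2.6,Low,Mitigation,TCP timestamps,"uptime 2000, constructed"\n'
    '192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP),"constructed"\n'
    '192.168.122.254,,,,5.0,Medium,VendorFix,'
    'QEMU <= 3.1.50 Denial of Service Vulnerability,"constructed"\n'
)

if __name__ == "__main__":
    for label, logs in (("without logs", False), ("with logs", True)):
        added, removed = compare_scans(SCAN_A, SCAN_B, include_logs=logs)
        print(f"{label}: {len(added)} added, {len(removed)} removed")
        for finding in added:
            print("  +", ",".join(finding))
        for finding in removed:
            print("  -", ",".join(finding))
```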
Disable tcp timestamps:
```
echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.d/99-sysctl.conf
sysctl -p
```
Restrict rpcbind:
```
echo "rpcbind: 192.168.122.14" >> /etc/hosts.allow
echo "rpcbind: ALL" >> /etc/hosts.deny
```
SSH weak encryption and MAC algorithms:
```
MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
```
I noticed that with the firewall up the scan can obtain the list of port mapper registered programs via RPC. I can fix those with TCP Wrappers instead of the firewall.
I noticed that SELinux doesn't make a difference.