Vulnerability scanner

adisirbu · January 19, 2024, 10:27am

Hello, community.

Do you know if Checkmk has any vulnerabilities scanner or options / plugins / services for performing that or plans for future versions?
We are using an enterprise version (.cme) and we are interested in vulnerability checking for Windows Server (IIS hosting), but also general vulnerability scanning for Windows 10 / 11 machines.

Thank you in advance!

joerg.mohar · January 19, 2024, 2:57pm

Hello Adrian ! This is a complete different and very complex IT Branch/Area…as CMK is focused on Infrastructure and Application Monitoring as it is. We (as a global wholesaler) have dedicated Applications/Teams which combine this very complex Area…like Qualys or Trellix…and throw Reportings to the Server Owner. The Result of those “findings” are forwarded as local checks to CMK.

robin.gierse · January 19, 2024, 9:25pm

I cannot speak for our product management, but we do believe in a “best of breed” approach, which means to use the best tool for the job. Checkmk does infrastructure monitoring and we excel at it.

Other monitoring areas like network monitoring, log management, vulnerability scanning and so on are entirely different topics. And while you can integrate them into Checkmk for e.g., notifications, we will probably not cover those areas in the foreseeable future.

TL;DR: Choose a vulnerability scanner with at decent track record and stick to Checkmk for your infrastructure monitoring needs.

adisirbu · January 23, 2024, 10:53am

Thank you, Joerg and Robin, much appreciated. It is what we suspected, but we wanted to check in case there was a super useful tool that we had not discovered yet.

Tom201023 · January 28, 2024, 9:34pm

Hi Adrian,

I can understand your request, had a similar need and researched my options in Checkmk. This is what I have found:

For Debian and Ubuntu Linux, you can check the update status using the “APT Updates” rule
For openSUSE, check out the “zypper” rule
For RH/CentOS, there is a “Linux System Updates” as well as a “YUM” check ion the Exchange
For Windows, the “WSUS” check provides similar functionality.
The Exchange offers a “Windows Patch Day” check plugin

For some antivirus vendors, you can check if the signature database is up to date. Checkmk has some checks, but please also look on the Exchange. I have seen ClamAV and Palo Alto

And you can check, if Checkmk is up to date with the “Checkmk Update” check.

I know, this is only a part of the feature set of a host-based vulnerability scanner feature set. But I hope it helps a little.

Cheers, Tom

Tom201023 · January 28, 2024, 10:05pm

Hi Adrian,
Just as an afterthought, what functionality do you expect from a host-based vulnerability scanner? In my mind, it should have:

OS update checking
Check for application updates
Check for known vulnerabilities (e.g. by checking against published CVEs)
Misconfiguration detection (e.g. against a standard like CIS)

Anything else you think is missing?
Tom

Glowsome · January 29, 2024, 12:59am

Just my few cents,

Its not a vulnerability scanner, but for linux there is a hardening/audit package which will given you alot of information/indications: Lynis

Glowsome

adisirbu · February 1, 2024, 2:52pm

Hello Tom and thank you for the ideas. What we had in mind when we asked about vulnerability scanning is something similar to Wazuh. I understand though that it is almost an entirely different field, so I see why Checkmk prefers to leave it to other professionals and just integrate the results into the Checkmk notifications.

system · January 31, 2025, 2:53pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.