We are having issues with vulnerability detection on our RHEL 6 estate, wondering if anyone else is scanning any RHEL 6 boxes on a regular basis?
Issue resolved in the latest signature release, still (incorrectly) tagged our RHEL 6.9 hosts as EUS but that no longer suppresses the vulnerabilities it finds... logic prevails... YAY
Hi Dan, you can explain your query here, or else you can contact support directly.
I have a support call open just wondering if anyone else has had this issue.
We scan RHEL all day long. Every supported version (and some no longer supported versions). We use a Linux auth file with username and password, and others use SSH key pair with passphrase. The accounts are part of the sudoers file. We are not seeing any issues right now.
I'm resurrecting this thread because we have a major issue with Qualys detecting our RHEL versions as on Extended Update Support.
Basically there is a piece of code in the application that issues 'subscription-manager list --consumed 2>&1'
Now the command subscription-manager list --consumed basically shows the entitlement of the bulk RHEL license... we have a premium support deal which includes several EUS packages among other things but we don't have any EUS hosts utilising these licenses.
However, since the output of our subscription-manager list --consumed refers to EUS packages, Qualys issues our hosts with the QID 45233 'Red Hat Host on Extended Update Support', despite all our RHEL boxes being on mainstream support channel (productid 69).
This effectively suppresses some of the QIDs for RHEL that are found post scan processing.
This affects every version of RHEL in support (5,6,7) and will affect your estate if you list any EUS packages in your subscription-manager list --consumed.
Be warned, unless you are correlating results you may be oblivious to the fact that your risk management decisions are based on incorrect data.
If you utilise RHEL scanning in Qualys I urge you to run subscription-manager list --consumed to check if you have EUS entitlement, especially if you know you have a Premium Support package.
If you do scan RHEL, pay particular attention to the latest RHSA releases, especially kernel updates, and make sure they are being detected on your hosts as expected... ours haven't been for months!
We do the same here as Red Beard. We scan RHEL 6 and 7 with no issues.
Ok thanks for letting me know, that's interesting, we are on EU1 so different platform but even so you would expect common code.
We regularly scan RHEL 6 and 7 boxes using ssh key authentication and everything had been working fine.
Our problem occurred at the end of last year when we noticed we weren't receiving kernel update vulnerabilities from Qualys for our RHEL 6.9 hosts.
Checking on the hosts themselves we could clearly see that we were running vulnerable kernel versions, Qualys scans would even enumerate the version correctly in informational... but would not show the relevant vulnerability.
Apparently the issue is to do with Extended Update Support detection and somehow RHEL 6.9 has been flagged as EUS (incorrectly), it was because RHEL 6.9 was EUS that Qualys was suppressing the missing kernel patches!
Firstly RHEL 6.9 is not EUS!
Secondly, even if it was, why would you want to scan for vulnerabilities on a host and then suppress them depending on what support lifecycle they were in? If it's vulnerable it's vulnerable!
Strange behaviour from Qualys but hope it is finally being resolved now after a month long argument about RHEL 6.9 being EUS :S
We have over 100 hosts identified as having 1 or more Red Hat Security Advisory (RHSA). This is confirmed in our local Satellite server, however only a handful of these are ever being reported in our daily VM scans.
All hosts had previously been reporting correctly.
I have opened a case with support, but if anyone has experienced any similar issues please let me know.
Sample Host: xrcxxxx01 - xxx.17.128.xxx

RHSA -> QID

QID Title Sub Category Category CVE ID Vendor Reference CVSS Base CVSS3 Base Modified Published
236730 Red Hat Update for python-paramiko (RHSA-2018:1124) - 04/17/2018 at 10:22:13 (GMT+0100)
236707 Red Hat Update for libvorbis (RHSA-2018:0649) 04/09/2018 at 09:50:34 (GMT+0100)
236684 Red Hat Update for kernel (RHSA-2018:0512) 03/15/2018 at 12:12:23 (GMT+0100)
236667 Red Hat Update for dhcp (RHSA-2018:0469) 03/12/2018 at 12:30:20 (GMT+0100)
So at the very least this host should have the following QIDs: 236730, 236707, 236684, 236667, which do not appear in the authenticated scan report.
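
An added example, not part of any post in this thread and not Qualys or Red Hat code: one way to do the correlation the thread recommends, comparing the RHSA ids a Satellite server lists for each host with the RHSA ids found in that host's scan QID titles, and noting which hosts carry QID 45233. The input layout, host names and function name are assumptions, and the sample rows are constructed from the values quoted above.

```python
import re
from collections import defaultdict

EUS_QID = 45233  # 'Red Hat Host on Extended Update Support', as quoted in the thread
RHSA_RE = re.compile(r"RHSA-\d{4}:\d{4,5}")  # advisory id embedded in the QID title


def missing_rhsa(satellite, scan_rows):
    """Return {host: {"missing": [...], "eus_flagged": bool}} for hosts with gaps.

    satellite: {host: RHSA ids the Satellite server lists as applicable}
    scan_rows: (host, qid, title) tuples taken from an authenticated scan report
               (assumed layout, not a Qualys export format)
    """
    reported = defaultdict(set)
    eus_hosts = set()
    for host, qid, title in scan_rows:
        if int(qid) == EUS_QID:
            eus_hosts.add(host)
        reported[host].update(RHSA_RE.findall(title))

    gaps = {}
    for host, expected in satellite.items():
        missing = sorted(set(expected) - reported[host])
        if missing:
            gaps[host] = {"missing": missing, "eus_flagged": host in eus_hosts}
    return gaps


# Constructed sample data: host-a is tagged EUS and most of its advisories are absent.
SATELLITE = {
    "host-a": ["RHSA-2018:1124", "RHSA-2018:0649", "RHSA-2018:0512", "RHSA-2018:0469"],
    "host-b": ["RHSA-2018:0512"],
}
SCAN_ROWS = [
    ("host-a", 45233, "Red Hat Host on Extended Update Support"),
    ("host-a", 236707, "Red Hat Update for libvorbis (RHSA-2018:0649)"),
    ("host-b", 236684, "Red Hat Update for kernel (RHSA-2018:0512)"),
]

if __name__ == "__main__":
    for host, info in missing_rhsa(SATELLITE, SCAN_ROWS).items():
        note = " (host carries QID 45233, check EUS detection)" if info["eus_flagged"] else ""
        print(f"{host}: not reported by scan: {', '.join(info['missing'])}{note}")
```
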