Add a NIST Validated CVE Scanner for use in disconnected networks
dgmorrisjr opened this issue · 6 comments
For environments without internet access, we would still like the ability to perform CVE scans of managed hosts. Having a scanner that has been NIST Validated would also be beneficial for use in US Govt organizations. NIST Validated products are here: https://csrc.nist.gov/projects/scap-validation-program/validated-products-and-modules. OpenSCAP may serve as a good starting point. Would like input from others on their views of OpenSCAP vs other tools. Pros/Cons, etc. This is related to #412.
@dgmorrisjr it looks like vulners isn't able to do offline scanning unless you pay for their commercial product:
@basepi is CVE auditing of non-internet connected hosts in the roadmap still?
I have a few ideas and if I can get them working I will submit a PR.
It's not a priority for us at the moment, though we would like to support it. I figured we'd go with something openscap-related, as @dgmorrisjr recommended. Though keeping it up to date will be a whole different thing unless we can consume someone else's service.
@dgmorrisjr have you used oscap before?
While I have it in our platform, I've been using an older version of hubblestack that lets me use the downloaded files from vulnrs.com. I've been thinking about upgrading to use the latest Hubble and then building a module for openscap. Just haven't had the time.
@dgmorrisjr my team has submitted a PR you might be interested in
Long term we would like to be able to point it at a local copy (either cached locally or on the system) of the xml files for the CVE definitions.
This isn't NIST validated, but it does fill the need for air-gapped environments.
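To make the offline workflow discussed in this thread concrete, here is an added example (my own illustration, not code from this issue, from Hubble or from the OpenSCAP project). It assumes OVAL content has already been copied onto the host or a local share and evaluated with the real `oscap oval eval --results <out.xml> <content.xml>` command; the content file name in the comment is a placeholder. The script then parses the results file oscap writes, reports every definition that evaluated to `true` together with the CVE ids referenced in its metadata, and surfaces the timestamp of the embedded content so a report from an air-gapped host says which snapshot of the definitions it was scanned against (the staleness problem raised earlier in the thread). The embedded XML is a constructed sample with placeholder definition and CVE ids, so the script runs without network access or oscap installed.

```python
"""List CVE definitions that evaluated to true in an OVAL results file.

Example of producing such a file offline (content file name is a placeholder):
    oscap oval eval --results oval-results.xml local-copy-of-oval-content.xml
Then: python oval_report.py oval-results.xml
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
}

# Constructed sample of an oscap results file. Definition ids, titles and
# CVE ids are placeholders, not real advisories.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
    <generator>
      <oval:schema_version>5.10</oval:schema_version>
      <oval:timestamp>2019-01-01T00:00:00</oval:timestamp>
    </generator>
    <definitions>
      <definition id="oval:example.local:def:1" class="patch" version="1">
        <metadata>
          <title>Placeholder: example-lib security update</title>
          <reference source="CVE" ref_id="CVE-0000-0002"/>
          <reference source="CVE" ref_id="CVE-0000-0001"/>
        </metadata>
      </definition>
      <definition id="oval:example.local:def:2" class="patch" version="1">
        <metadata>
          <title>Placeholder: example-tool security update</title>
          <reference source="CVE" ref_id="CVE-0000-0003"/>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example.local:def:1" result="true" version="1"/>
        <definition definition_id="oval:example.local:def:2" result="false" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def content_timestamp(root):
    """Return the <oval:timestamp> of the embedded content, or None if absent.
    A local copy of the definitions goes stale silently, so the report should
    always carry the date of the content it was evaluated against."""
    ts = root.find("def:oval_definitions/def:generator/oval:timestamp", NS)
    return ts.text.strip() if ts is not None and ts.text else None


def parse_oval_results(xml_text):
    """Return {'content_timestamp': str|None, 'findings': [...]} where each
    finding is a definition with result="true" plus its title and CVE refs."""
    root = ET.fromstring(xml_text)

    # Definition id -> (title, sorted CVE ids) from the embedded definitions.
    meta = {}
    for d in root.findall("def:oval_definitions/def:definitions/def:definition", NS):
        title_el = d.find("def:metadata/def:title", NS)
        title = (title_el.text or "").strip() if title_el is not None else ""
        cves = sorted(
            r.get("ref_id")
            for r in d.findall("def:metadata/def:reference", NS)
            if r.get("source") == "CVE" and r.get("ref_id")
        )
        meta[d.get("id")] = (title, cves)

    findings = []
    for r in root.findall("res:results/res:system/res:definitions/res:definition", NS):
        # Only "true" is a confirmed finding; "false", "error", "unknown" and
        # "not evaluated" are deliberately left out of the findings list.
        if r.get("result") != "true":
            continue
        did = r.get("definition_id")
        title, cves = meta.get(did, ("", []))
        findings.append({"definition": did, "title": title, "cves": cves})

    return {"content_timestamp": content_timestamp(root), "findings": findings}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS
    report = parse_oval_results(xml_text)
    print(f"OVAL content timestamp: {report['content_timestamp']}")
    for f in report["findings"]:
        print(f"{f['definition']}  {', '.join(f['cves']) or '(no CVE ref)'}  {f['title']}")
    # Non-zero exit when anything matched, so a scheduler can flag the host.
    return 1 if report["findings"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed sample evaluated, or pass the path of a results file written by `oscap oval eval --results`. Only `result="true"` is treated as a finding; an OVAL run that hits `error` or `unknown` on a definition is not the same as a clean host, so a production wrapper should count those separately rather than silently treating them as passes.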