Tenable Solutions

Patch & Configuration Auditing

Tenable Network Security solutions may be used to perform specific patch audits for security vulnerabilities. A patch audit identifies a specific missing patch on a system such as a server, router or database. Patch auditing is an excellent complement to vulnerability scanning because of its high speed and accuracy. For example, to perform a full port scan, a network scan has to send a packet to every port and wait for a response. With a credentialed audit, Tenable Nessus can ask the operating system for a list of open ports, which is much faster and has less impact on the network.

Tenable Nessus may be used to identify missing patches when it is given credentials to log into the system being audited. Nessus supports dozens of operating systems, including Windows®, Red Hat®, FreeBSD and Solaris. It also supports patch auditing of hundreds of applications such as Thunderbird, Skype, McAfee Antivirus, iTunes and Java. Nessus can also perform patch audits of databases such as Oracle, MS SQL and MySQL. In 2010, Tenable added support for Nessus to log into Cisco routers to perform patch audits of IOS.

In addition, Nessus can interact with patch management systems from Red Hat, Microsoft® and VMware® to retrieve status information for devices being managed by those systems. Patch management integration, unique to Nessus, enables easy scanning of devices that are otherwise difficult to assess – perhaps because of the lack of credentials or limited network connectivity. Incorporating patch information in standardized Nessus reports makes audit and compliance checks easier, and helps resolve confusion between network security and IT operations teams on the status of patched systems.

Tenable Nessus can also be used to audit the configuration of Windows systems, Unix systems, databases and Cisco routers. Tenable Network Security offers many different audit policies that have been certified by the U.S. Government or by the Center for Internet Security. These audit policies reflect system hardening best practices for operating systems, applications, databases and network equipment.

The Tenable Passive Vulnerability Scanner may also be used to sniff network traffic and identify missing patches in applications such as Firefox, Skype and iTunes. While performing protocol analysis, the Tenable Passive Vulnerability Scanner examines network traffic to identify vulnerabilities in many client-side email, web, chat and file sharing applications. If you do not have credentials to perform a patch audit with Tenable Nessus, or cannot scan as often as you would like, passive real-time monitoring provides instant analysis of any missing patches.