Vulnerability Scanning
Overview
Vulnerability scanning identifies known CVEs (Common Vulnerabilities and Exposures) in installed packages on your Linux servers. Unlike compliance scanning (which checks configuration against CIS Benchmarks), vulnerability scanning detects outdated software with known security flaws.
SecureBaseline Cloud includes a built-in vulnerability scanning engine with multiple vulnerability databases.
Vulnerability Databases
| Database | Source | Content |
|---|---|---|
| NVD CVE | NIST | CVE entries (2020-2026) |
| OVAL | Ubuntu, Debian, RedHat, Oracle, Amazon, SUSE, Alpine | OS-specific vulnerability definitions |
| GOST | RedHat, Debian, Ubuntu | Security tracker data |
| ExploitDB | Offensive Security | Known exploits and PoCs |
| CPE | NIST | Common Platform Enumeration |
| Metasploit | Rapid7 | Metasploit module mappings |
| MITRE ATT&CK | MITRE | Threat intelligence and technique mappings |
| CISA KEV | CISA | Known Exploited Vulnerabilities catalog |
| FSTEC BDU | FSTEC Russia | Russian vulnerability database (auto-synced every 24 hours) |
Running a Vulnerability Scan
- Navigate to Vulnerabilities
- Click New Scan
- Select target host(s)
- Click Start Scan
Scan duration depends on the number of installed packages (typically 2-5 minutes per host).
Understanding Results
Each finding includes:
| Field | Description |
|---|---|
| CVE ID | Unique vulnerability identifier (e.g., CVE-2024-1234) |
| Severity | Critical, High, Medium, or Low |
| Package | Affected package name and version |
| Fixed Version | Version with the fix (if available) |
| Exploit Available | Whether a public exploit exists |
| Patch Status | Whether a patch is available from the OS vendor |
| CVSS Score | Numerical severity score (0-10) |
Filtering and Search
Filter findings by:
- Severity level (Critical, High, Medium, Low)
- Exploit availability
- Patch availability
- Package name
- CVE ID
Trends
The Vulnerabilities page shows trends over time:
- Total CVE count per scan
- Severity distribution changes
- New vs. resolved vulnerabilities
Reports
Export vulnerability scan results in:
- JSON - machine-readable format for integration
- CSV - spreadsheet format for analysis
- PDF - printable report for compliance documentation
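The following is an added example, not SecureBaseline Cloud code: it post-processes two JSON exports to list new and resolved findings and to order the current ones for patching. The export schema is not documented on this page, so the key names (`cve_id`, `exploit_available`, `patch_available`, `cvss`, and so on) and the ordering policy are assumptions modelled on the fields and filters described above; the sample data is constructed and the CVE IDs are placeholders.

```python
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample exports. Key names are assumed, CVE IDs are placeholders.
PREVIOUS = json.loads("""[
 {"cve_id":"CVE-0000-0001","severity":"High","package":"libexample","version":"1.0","fixed_version":"1.1","exploit_available":false,"patch_available":true,"cvss":7.5},
 {"cve_id":"CVE-0000-0002","severity":"Medium","package":"exampled","version":"2.3","fixed_version":null,"exploit_available":false,"patch_available":false,"cvss":5.3}
]""")
CURRENT = json.loads("""[
 {"cve_id":"CVE-0000-0002","severity":"Medium","package":"exampled","version":"2.3","fixed_version":null,"exploit_available":false,"patch_available":false,"cvss":5.3},
 {"cve_id":"CVE-0000-0003","severity":"Critical","package":"libexample","version":"1.1","fixed_version":"1.2","exploit_available":true,"patch_available":true,"cvss":9.8},
 {"cve_id":"CVE-0000-0004","severity":"Critical","package":"exampled","version":"2.3","fixed_version":null,"exploit_available":false,"patch_available":false,"cvss":9.1},
 {"cve_id":"CVE-0000-0005","severity":"High","package":"exampletool","version":"0.9","fixed_version":"0.9.1","exploit_available":true,"patch_available":true,"cvss":7.8}
]""")


def finding_key(f):
    """Identify a finding by CVE and affected package so scans can be compared."""
    return (f["cve_id"], f["package"])


def diff_scans(previous, current):
    """Return (new, resolved) finding keys between two scan exports."""
    prev = {finding_key(f) for f in previous}
    curr = {finding_key(f) for f in current}
    return sorted(curr - prev), sorted(prev - curr)


def triage(findings, min_severity="High"):
    """Keep findings at or above min_severity, ordered for patching
    (assumed policy): public exploit first, then vendor patch available,
    then CVSS score descending."""
    floor = SEVERITY_RANK[min_severity]
    kept = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]
    return sorted(kept, key=lambda f: (not f["exploit_available"],
                                       not f["patch_available"],
                                       -f["cvss"]))


if __name__ == "__main__":
    new, resolved = diff_scans(PREVIOUS, CURRENT)
    print("new:", new)
    print("resolved:", resolved)
    for f in triage(CURRENT):
        print(f["cve_id"], f["severity"], f["package"], "->", f["fixed_version"])
```

With this ordering, a High finding that has a public exploit and a vendor patch sorts ahead of a Critical finding that has neither, which is why exploit and patch status are worth exporting alongside severity.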
FSTEC BDU Integration
SecureBaseline Cloud integrates with the Russian FSTEC BDU (Bank of Threats and Vulnerabilities). The database syncs automatically:
- On startup - initial sync when API starts
- Every 24 hours - periodic background sync
- Manual trigger - available via admin API endpoint
FSTEC BDU data enriches vulnerability findings with Russian-language descriptions and FSTEC-specific identifiers.
CVE Database Updates
Vulnerability databases are pre-loaded into the VM image during the Packer build. Updates occur:
- At VM image build time (all databases baked in)
- Via automatic sync on first boot (if databases are missing or corrupted)
The scanning engine validates all databases on startup.
See Also
- Remediation of compliance failures - automatically generate Ansible scripts to fix vulnerabilities and compliance gaps
- CIS Benchmark security hardening - apply full CIS configuration profiles to protect your servers
- Infrastructure security audit services - comprehensive security assessment including vulnerability and configuration analysis