Gentoo Forums
Compliance and Vulnerability Scanning
DevLinux
n00b


Joined: 29 Jul 2015
Posts: 8

Posted: Fri Jan 21, 2022 10:06 pm    Post subject: Compliance and Vulnerability Scanning

I'm curious if anybody out there is doing any compliance and vulnerability scanning of their Gentoo servers?

I looked at the Gentoo Security Handbook. No mention I could see of anything there and a banner says the handbook hasn't been touched in a decade. Tried searching the forums. Nessus and Greenbone Vulnerability Manager don't do compliance scanning in the free versions. Nessus is a $2500 product for the pro version and GVM requires buying a hardware appliance.

Just wanted to see what others were doing. This is for a home network so while I don't mind paying, price has to be reasonable.
ShadowCat8
Apprentice


Joined: 07 Oct 2008
Posts: 173
Location: San Bernardino, CA, USA

Posted: Sat Jan 22, 2022 1:27 am    Post subject:

Greetings,

Well, for server vulnerability scanning, I have been looking at the community version of Qualys.

Pros:
  • It's free.
  • It knows about Gentoo as its own distro.
  • When you have it configured the way you want, its reporting is very thorough.


Cons:
  • Community version access only lasts for six-month blocks at a time. To renew/extend, you have to contact a sales rep.
  • Configuration can seem overwhelming. I have used Qualys in the past to scan websites I was working on for vulnerabilities and it can be a lot of configuration to get to the tests you want/need.
  • As far as full server scanning, the community version only allows one server to be scanned and tested, IIRC.


That's what I have so far as I have been trying to get my community account extended (READ: re-activated) for full server scanning to test a new server image I have developed with Gentoo.

I will post again as soon as I know more.
_________________
________________________

"As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality."

-- Albert Einstein
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2008

Posted: Sat Jan 22, 2022 1:35 pm    Post subject: Re: Compliance and Vulnerability Scanning

DevLinux wrote:
I'm curious if anybody out there is doing any compliance and vulnerability scanning of their Gentoo servers?
...
Just wanted to see what others were doing. This is for a home network so while I don't mind paying, price has to be reasonable.

Probably not what you're after, but I run rkhunter, which includes looking for known vulnerabilities. Free, of course.
_________________
Greybeard
All times are GMT