Supported OS Distributions
App Infrastructure Protection (AIP) currently supports the Vulnerability Assessment feature on the following Linux distros:
For more information, see System Requirements.
Vulnerability Assessment Overview
AIP runs a daily Vulnerability Assessment that analyzes all packages that are installed on the operating system (OS) against the Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD) run by the National Institute of Standards and Technology (NIST).
For each vulnerability, the severity score is based only on the Common Vulnerability Scoring System v2 (CVSS v2) used by the NVD. The severity can be high (H), medium (M), or low (L) as determined by the NVD.
At the end of the assessment, AIP displays a list of vulnerable packages, associated CVEs, and impacted servers. As a security management best practice, AIP recommends that you review and analyze the assessment results, using the supported OS security notices and the corresponding NVD entries as references. AIP will not manage or remediate package vulnerabilities on your behalf.
The assessment flags and displays only CVEs that are registered in the NVD. If a vulnerability is not registered in the NVD, AIP does not log it in the Vulnerabilities tab in your AIP Cloud Security Platform (CSP). Once a vulnerability is registered in the NVD, AIP begins to scan for the CVE within one day of its registration.
You can view information about flagged vulnerabilities in your AIP environment in the Servers > Vulnerabilities tab. In the CVE column, click the link for the vulnerability you want to investigate. The corresponding CVE details page opens on the NVD website.
AIP identifies vulnerabilities by matching the product name in the NVD CVE record against the package name used by the OS. If the name in the NVD record differs from the package name, AIP cannot flag the CVE, because the assessment relies entirely on NVD data.
Example: AIP does not flag policykit (Ubuntu) because the NVD refers to that package by its updated name, polkit.
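The following is an added example, not AIP's own code, illustrating the name-matching approach described above and the rename gap it produces: a constructed package inventory in `dpkg-query` output shape is checked against a few constructed NVD-style records (placeholder CVE ids, not real ones), first by exact name and then with an alias table that maps the Ubuntu package name to the name the NVD uses. Severity is bucketed with the NVD's CVSS v2 ranges; version matching is deliberately left out.

```python
# Constructed NVD-style records (placeholder ids, not real CVEs): product name
# as the NVD uses it, plus the CVSS v2 base score.
SAMPLE_NVD = [
    {"cve": "CVE-0000-0001", "product": "openssl", "cvss_v2": 7.5},
    {"cve": "CVE-0000-0002", "product": "polkit", "cvss_v2": 4.6},
    {"cve": "CVE-0000-0003", "product": "bash", "cvss_v2": 2.1},
]

# Constructed inventory in the shape of `dpkg-query -W -f '${Package} ${Version}\n'`.
SAMPLE_INVENTORY = """openssl 1.1.1f-1ubuntu2
policykit-1 0.105-26ubuntu1
bash 5.0-6ubuntu1
curl 7.68.0-1ubuntu2
"""

# Assumed rename table (distro package name -> NVD product name); extend per distro.
ALIASES = {"policykit-1": "polkit", "policykit": "polkit"}


def cvss_v2_severity(score):
    """Map a CVSS v2 base score to the NVD's H/M/L bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {score}")
    if score >= 7.0:
        return "H"
    if score >= 4.0:
        return "M"
    return "L"


def parse_inventory(text):
    """Return {package_name: version} from 'name version' lines."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, _, version = line.partition(" ")
            pkgs[name] = version
    return pkgs


def assess(inventory, nvd, aliases=None):
    """Name-only matching: {package: [(cve, severity)]}. Without an alias table a
    renamed package (policykit-1 vs polkit) is silently missed."""
    aliases = aliases or {}
    by_product = {}
    for rec in nvd:
        by_product.setdefault(rec["product"], []).append(rec)
    findings = {}
    for pkg in inventory:
        for rec in by_product.get(aliases.get(pkg, pkg), []):
            findings.setdefault(pkg, []).append((rec["cve"], cvss_v2_severity(rec["cvss_v2"])))
    return findings
```

Comparing the two runs (with and without `ALIASES`) is the check a defender would want: any package that appears only in the aliased run is one the name-based assessment would not have reported.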
Vulnerability Assessment Results
AIP provides a holistic understanding of potential vulnerabilities by assessing all packages installed using the package manager. AIP will not remediate or manage package vulnerabilities on your behalf.
You can resolve these vulnerabilities at the host level or suppress the vulnerability within AIP.
If you find vulnerabilities and deem them low risk (for example, ones the OS vendor has marked as "will not fix" or low priority), you can suppress the vulnerability. Learn more about Suppressing Vulnerabilities.
To resolve the vulnerability at the host level, implement the suggested remediation steps according to the supported OS security notice. Confirm on the next daily scan that you are no longer vulnerable.
For more information, see the NVD Frequently Asked Questions or A Complete Guide to the Common Vulnerability Scoring System v2.
Subscribe to Assessment Results
Vulnerability assessments occur within 15 minutes of package collection. AIP collects packages at the following times:
- Daily between 12:00 a.m. and 2:00 a.m. UTC.
- The first time an Agent starts and connects to the AIP platform.
You can subscribe to a daily vulnerability report email. To enable these reports, go to Settings > General Settings tab > Notifications Settings section.
Vulnerability Package Assessment Workflow
This image depicts the flow of the AIP Agent detecting packages and cross-referencing them against more than two million identified CVEs.
For this illustration, we use "TS" to refer to AIP.