AnsweredAssumed Answered

Linux Authenticated Scans - Non Running Kernels

Question asked by Jordan Greene on Sep 12, 2018
Latest reply on May 6, 2020 by Adam Phillips

When Qualys performs an authenticated scan against a Linux host, it will flag all old kernel versions present on the machine, even if they aren't running. Since it's standard procedure to leave old kernel versions on a machine in the event a rollback is required, this results in a number of "vulnerabilities" detected that are not exploitable. I know Qualys has added the capability to filter these findings via report templates and API calls, but it still remains that these findings are present in the raw scan data. When we perform targeted scans (ex: new host build validation), we typically just review the raw scan results to give our approval to proceed. This works for a Windows host, but for a Linux host there's too much noise from the old kernels detected to be able to perform this quick review. It also hinders our review of existing hosts via AssetView as these findings are shown as vulnerabilities.


I'm curious how many people out there actually consider non-running kernels to be a vulnerability. Does anyone leave these findings in their reports, or are the majority of people just filtering them out? Personally I would like to see an option added to the option profile to allow customers to avoid detection of these non-running kernels in the first place but I'm curious what others are doing at their organizations.