Vulnerability issues with CENTOS 7 VMs


We've got a bunch of CentOS 7 servers in our environment. Recently we've started using Security Center to try and make sure our servers are secure, and we've got a lot of remediation work to do. However, we're thinking that a bunch of these CentOS alerts we are getting are false positives. Our CentOS servers are patched to the latest and greatest updates. In fact, when I click on your remediation links, it tells me I need to be at kernel 3.10.0-1160.31.1.el7.x86_64.

When I go to my CentOS servers and run a yum -y update to see if there are any updates for these servers, they are completely up to date, and when I run a uname -a, the kernel information comes back with this: 3.10.0-1160.31.1.el7.x86_64. So I know we are on the latest and greatest kernel, despite the fact that Azure is telling us we need to update our kernel for security purposes.

So, I'm not sure what to do at this point. Is there a way for me to modify the alert so it can be resolved? Do I open a ticket with Azure to let them know that it appears there's a problem? Attached is a sample screenshot of what I'm seeing. I haven't started investigating the Oracle Java SE stuff yet, just working on the CentOS security stuff.

Please advise.

Matt

1 Reply
Hello @mraymus,

I guess you are using Defender for Servers. Can you maybe try to trigger the vulnerability scanner manually on a CentOS machine, and see if the results are still false positives:

sudo /usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm

You can also set an exemption with an expiration date, but I would first try to understand why it triggers, using the manual scan and/or by contacting support indeed.

thank you
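As an added example (not part of either post above, and not a Microsoft or Qualys tool), the following POSIX shell script performs the check a practitioner would want to run before opening a ticket: it compares the kernel the finding asks for against both the running kernel (uname -r) and every kernel package still installed (rpm -q kernel). It assumes that one possible reason a fully patched host is still flagged is that older kernel packages remain installed alongside the current one, which a package-based scanner may report; that assumption, the function names, and the sample command output embedded in the script are constructed for this example. Version ordering relies on GNU sort -V, which CentOS 7 ships.

```shell
#!/bin/sh
# Added example: classify a CentOS 7 host's kernel state against the version
# named in a vulnerability finding. All names below are hypothetical.

# Version from the finding in the thread above.
REQUIRED="3.10.0-1160.31.1.el7.x86_64"

# Constructed sample of `rpm -q kernel` on a host that has been updated several
# times but never had its old kernels removed.
SAMPLE_INSTALLED="kernel-3.10.0-1160.11.1.el7.x86_64
kernel-3.10.0-1160.25.1.el7.x86_64
kernel-3.10.0-1160.31.1.el7.x86_64"

# Constructed sample of `uname -r` on the same host.
SAMPLE_RUNNING="3.10.0-1160.31.1.el7.x86_64"

# ver_ge A B: true when version A sorts at or above version B (GNU sort -V).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# stale_kernels REQUIRED INSTALLED: print every installed kernel version that is
# older than REQUIRED, one per line; prints nothing when none are stale.
stale_kernels() {
    req="$1"
    printf '%s\n' "$2" | sed 's/^kernel-//' | while IFS= read -r v; do
        [ -n "$v" ] || continue
        ver_ge "$v" "$req" || printf '%s\n' "$v"
    done
}

# kernel_verdict REQUIRED RUNNING INSTALLED: one-word classification.
#   running-outdated : the booted kernel is older than required (update/reboot)
#   stale-installed  : booted kernel is fine, but older packages are still on disk
#   clean            : nothing on the host explains the finding; escalate
kernel_verdict() {
    if ! ver_ge "$2" "$1"; then
        echo running-outdated
    elif [ -n "$(stale_kernels "$1" "$3")" ]; then
        echo stale-installed
    else
        echo clean
    fi
}

# Stand-alone run against the constructed samples. On a real host replace the
# samples with live output:
#   kernel_verdict "$REQUIRED" "$(uname -r)" "$(rpm -q kernel)"
kernel_verdict "$REQUIRED" "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"
stale_kernels "$REQUIRED" "$SAMPLE_INSTALLED"
```

If the verdict is stale-installed, removing the old packages (for example with package-cleanup --oldkernels from yum-utils, keeping the running one) and re-running the on-demand scan from the reply is a cheaper first step than an exemption; if it is clean, the host itself is not the cause and the case for a support ticket is much stronger.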