A lot of it depends on your workload on your i. If you're already deploying it for the rest of the network, it might still provide some value:
1. It won't do anything for your green screen/5250 applications. You'll need other things, e.g. integration with a SIEM using SRM. This would also require code changes to integrate this.
2. It's good at detecting change, e.g. a new service running or an old one disappearing. This might not necessarily be a sign of compromise, but if there's suddenly an additional service running on your IBM i that you didn't expect to be there, you probably want to take a look at that.
3. If you run Java (or other) web applications, the web app vulnerability scanner is very relevant. If you use Spring or other frameworks, those vulnerabilities become relevant to your IBM i, and if you've written web apps from scratch, the OWASP Top 10 issues remain relevant. Since Java runs mostly under PASE, the generic exploit payloads that know how to deal with a Unix-like system will work on your IBM i as well.
4. It checks a compliance checkbox. If you're in a regulated industry, having visibility checks the box. It's going to be mostly meaningless from a technical perspective, but not having to spend valuable engineering/business time on fighting the auditors also has value.
False positives are more likely with systems they don't often see. When I point them at my VSEn deployment using the CSI TCP/IP stack, it finds all sorts of things that aren't there. You do have to triage those things.
/y
On 14/08/2024, 05:00, "MIDRANGE-L on behalf of Stuart MacIntosh" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx on behalf of stuart@xxxxxxxxxxxx> wrote:
I've used Nessus, although not with IBM i. Some of the issues it found
were irrelevant due to incorrect OS detection. Did it detect the OS
correctly?
In my experience simply scanning some TCP/IP stacks/hosts with Nessus
was enough to reproduce issues with them or break applications. Nessus
is thorough and finds a lot. It finds too much sometimes, and there are
false positives to omit from reporting; conversely, it may also miss
things, especially for a niche OS like IBM i.
-Stuart
On 14/08/24 03:52, DEnglander--- via MIDRANGE-L wrote:
Does anyone use the Nessus vulnerability scanning software?
We have scanned our IBM i servers and the software is detecting a TCP/IP
vulnerability. I have created a case with IBM and they said that the
TCP/IP stack the vulnerability is referencing is not used by IBM.
Has anyone else experienced this?
Thank you
Doug