Vulnerability management
Goals
- Know what you run (inventory)
- Patch quickly (prioritize internet-facing and critical systems)
- Detect regressions (scanning + monitoring)
Patch management (basics)
Debian/Ubuntu:
sudo apt update
sudo apt upgrade
sudo apt list --upgradable
RHEL/Fedora:
sudo dnf upgrade
sudo dnf updateinfo list security
Kernel and reboot awareness
Check if reboot is needed (varies by distro/tools):
needs-restarting -r (yum-utils/dnf-utils)
checkrestart (debian-goodies)
Scanning (conceptual)
- Host scanners (OpenVAS/Greenbone, Nessus)
- Container image scanners (Trivy, Grype)
- SBOM generation and dependency scanning
Prioritization
- Exploitable + exposed beats “high CVSS but unreachable”
- Patch auth, SSH, web servers, VPNs first
- Track exceptions with owner + expiry date
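Added example (not part of the original notes): one way to turn the prioritization rules above into a triage order. The finding IDs, host names, field names and exception register are constructed for illustration; an exception only suppresses a finding while it has an owner and has not expired.

```python
from datetime import date

# Constructed sample findings (IDs are placeholders, not real CVEs).
FINDINGS = [
    {"id": "FINDING-A", "host": "db-internal", "cvss": 9.8, "exploit_known": False, "internet_facing": False},
    {"id": "FINDING-B", "host": "vpn-gw", "cvss": 7.5, "exploit_known": True, "internet_facing": True},
    {"id": "FINDING-C", "host": "web-01", "cvss": 8.1, "exploit_known": True, "internet_facing": False},
    {"id": "FINDING-D", "host": "build-01", "cvss": 6.5, "exploit_known": True, "internet_facing": True},
    {"id": "FINDING-E", "host": "legacy-app", "cvss": 7.0, "exploit_known": False, "internet_facing": True},
]

# Constructed exception register: each entry needs an owner and an expiry date.
EXCEPTIONS = [
    {"id": "FINDING-D", "host": "build-01", "owner": "alice", "expires": date(2030, 1, 1)},
    {"id": "FINDING-B", "host": "vpn-gw", "owner": "bob", "expires": date(2020, 1, 1)},  # expired
    {"id": "FINDING-E", "host": "legacy-app", "owner": "", "expires": date(2030, 1, 1)},  # no owner
]


def active_exceptions(exceptions, today):
    """Return (id, host) keys for exceptions that have an owner and have not expired."""
    return {(e["id"], e["host"]) for e in exceptions
            if e.get("owner") and e.get("expires") and e["expires"] >= today}


def rank(f):
    """Lower tuple sorts first: exploitable+exposed, then either one, then CVSS descending."""
    both = f["exploit_known"] and f["internet_facing"]
    either = f["exploit_known"] or f["internet_facing"]
    tier = 0 if both else 1 if either else 2
    return (tier, -f["cvss"])


def triage(findings, exceptions, today):
    """Drop findings covered by a valid exception, then order the rest for patching."""
    waived = active_exceptions(exceptions, today)
    open_findings = [f for f in findings if (f["id"], f["host"]) not in waived]
    return sorted(open_findings, key=rank)


if __name__ == "__main__":
    for f in triage(FINDINGS, EXCEPTIONS, date(2025, 1, 1)):
        print(f["id"], f["host"], f["cvss"])
```

With the sample data, the 9.8 finding on the unreachable host sorts last, and the expired and ownerless exceptions do not hide their findings.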