Vulnerability Scanning Best Practices#

Overview#

Key Points

  • VergeOS is a purpose-built, hardened hyperconverged OS — not a general-purpose Linux distribution
  • The management IP (web UI) is the only externally-reachable scan target in a properly deployed environment
  • Traditional vulnerability scanners have limited plugin coverage for VergeOS
  • Patching is handled exclusively through the built-in VergeOS update system

This article covers how to approach scanning the VergeOS platform, what to expect from scan results, and how to demonstrate patching compliance for audits. For scanning workloads running inside VMs and tenants, apply your organization's standard scanning policies.

Prerequisites#

  • Administrative access to the VergeOS web UI
  • Familiarity with your organization's vulnerability scanning tool (e.g., Nessus, Qualys, Rapid7)
  • Understanding of VergeOS network concepts

VergeOS Security Architecture#

Before configuring scans, it helps to understand how VergeOS differs from a traditional hypervisor or Linux server:

  • Read-only overlay filesystem — VergeOS runs a specialized kernel with a read-only overlay. Unsanctioned packages or modifications are not persistent and can cause system instability. This significantly reduces the attack surface compared to general-purpose operating systems.
  • No traditional package management — There is no apt, yum, or similar package manager. All patching is delivered through the built-in update system.
  • SSH disabled by default — SSH access is not required for normal operation. The web UI provides full administrative access, and node diagnostics are available directly from the interface.
  • Minimal external surface — Only the management IP (web UI) is intended to be externally reachable. Node NICs handle internal fabric traffic (vSAN and inter-node communication) on the core network and are not exposed to external networks in a standard deployment.

Management IP (Web UI)#

The management IP is the only externally-reachable surface in a properly deployed VergeOS environment. Scanning this address provides results for:

  • The VergeOS web application and API
  • TLS certificate configuration
  • Any exposed network services

Start Here

For most compliance requirements, scanning the management IP is sufficient to demonstrate hypervisor vulnerability assessment.

Individual Node IPs#

Node IPs are used for internal fabric traffic and are not externally accessible in a standard deployment. Scanning them is unnecessary.

What About Tenant and VM Networks?#

Vulnerability scanning of workloads running inside VMs and tenants is separate from scanning the VergeOS platform itself. VMs are standard operating systems and should be scanned according to your normal policies. VergeOS provides network micro-segmentation to isolate workloads at the network level.

Configuring Your Scanner#

Use an uncredentialed network scan policy (e.g., Nessus "Basic Network Scan" or equivalent). Avoid Linux-specific audit policies — these rely on package enumeration via SSH and will produce misleading or empty results against VergeOS.

Recommended scanner settings:

  • Scan type: Uncredentialed / remote network scan
  • Target: Management IP address (HTTPS on port 443)
  • Disable: Linux/Unix credentialed patch audit plugins, local security checks
  • Enable: Web application checks, TLS/SSL auditing, service detection

Limited Plugin Coverage

Because VergeOS is not a standard Linux distribution, vulnerability scanners will return limited results. Many scanner plugins detect vulnerabilities in common OS packages (e.g., Debian, RHEL) and have no specific checks for the VergeOS platform. This is expected behavior, not an indication that the system is unscanned.

Typical scan results for a VergeOS management IP:

  • OS identification: unknown or inconclusive
  • Open ports: 443/tcp (HTTPS)
  • Findings: informational items related to the web server and TLS configuration

If your results look like this, the scan is working correctly. VergeOS has a minimal attack surface by design. If your auditor requires additional evidence beyond scan results, see Patching and Update Guidance below.
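As an added illustration (not part of the original article or any VergeOS tooling), the following Python checks a scanner's CSV export against the baseline just described: only 443/tcp open, findings informational, and any reported CVE ids collected for release-note lookup. The column names and all sample rows are constructed assumptions modelled on a typical scanner export; a port other than 443 (such as 22) is flagged because it means a service, for example SSH, was left reachable.

```python
import csv
import io

# Constructed sample in the shape of a scanner CSV export (column names are an
# assumption; the rows are made up and are not real VergeOS scan output).
SAMPLE_EXPORT = """Host,Protocol,Port,Risk,Name,CVE
10.0.0.10,tcp,443,None,HTTP Server Type and Version,
10.0.0.10,tcp,443,Info,SSL Certificate Information,
10.0.0.10,tcp,443,Low,SSL Cipher Suites Supported,
10.0.0.10,tcp,0,None,OS Identification,
10.0.0.10,tcp,22,None,SSH Server Type and Version,
10.0.0.10,tcp,22,High,Constructed finding: SSH version check,CVE-2024-6387
"""

# Baseline for a VergeOS management IP as described in the article:
# only 443/tcp reachable and only informational findings expected.
EXPECTED_PORTS = {443}
INFORMATIONAL = {"none", "info", "informational"}


def review_scan(csv_text, mgmt_ip):
    """Compare a scan export against the management-IP baseline.

    Returns a dict with:
      unexpected_ports:  open ports other than 443 (22 means SSH was left enabled)
      non_info_findings: (port, risk, name) tuples rated above informational, for triage
      cves:              CVE ids the scanner reported, for release-note lookup
    """
    unexpected_ports = set()
    non_info = []
    cves = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Host"] != mgmt_ip:
            continue
        port = int(row["Port"])
        # Port 0 is how scanners record host-level plugins such as OS identification.
        if port != 0 and port not in EXPECTED_PORTS:
            unexpected_ports.add(port)
        if row["Risk"].strip().lower() not in INFORMATIONAL:
            non_info.append((port, row["Risk"], row["Name"]))
        if row["CVE"].strip():
            cves.add(row["CVE"].strip())
    return {"unexpected_ports": unexpected_ports,
            "non_info_findings": non_info,
            "cves": cves}


if __name__ == "__main__":
    print(review_scan(SAMPLE_EXPORT, "10.0.0.10"))
```

An empty `unexpected_ports` set and an empty `non_info_findings` list is the result the article says to expect; anything else is the list of items to explain in the compliance record.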

Scan Frequency#

Align scan frequency with your compliance framework requirements (e.g., quarterly for PCI-DSS, monthly for internal policy). Because VergeOS exposes a minimal attack surface, scan results are unlikely to change between platform updates — schedule scans after applying updates to capture the current state.

Credentialed vs. Uncredentialed Scans#

Uncredentialed scans against the management IP are the recommended approach. These scans identify exposed services and known vulnerabilities without requiring host-level access.

Credentialed scans require SSH access, which is disabled by default in VergeOS. Enabling SSH for routine scanning is not recommended.

If your compliance framework specifically requires credentialed scanning:

  1. Enable SSH only for the duration of the scan.
  2. Restrict SSH access to the scanner's source IP using firewall rules.
  3. Disable SSH immediately after the scan completes.
  4. Document the temporary access in your compliance records.

See Enabling System SSH Access for the full procedure.

Patching and Update Guidance#

VergeOS nodes are patched through the built-in update system, not through traditional OS package management. This is an important distinction for compliance and vulnerability remediation workflows.

Demonstrating Patch Compliance

For audit purposes, the following evidence can demonstrate that your VergeOS environment is patched and current:

  • Current version number — visible on the main dashboard and in System > Updates
  • Release notes — each VergeOS release documents security fixes (e.g., CVE-2024-6387 was addressed in the 4.12 release)
  • Update history — the Update Server Dashboard shows when updates were applied
  • Snapshot records — VergeOS can automatically create system snapshots before updates, providing a documented rollback point

Responding to Scanner-Reported CVEs#

When a scanner flags a CVE against the management interface:

  1. Check the release notes to determine if the CVE has been addressed in the current or a newer VergeOS version.
  2. If an update is available that addresses the CVE, apply it through System > Updates.
  3. If the CVE is not addressed in any available release, contact VergeOS Support to report the finding and request guidance.
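The three-step triage above, written out as an added Python example (not VergeOS code; the CVE-to-version table is a constructed stand-in for the release notes, with only the CVE-2024-6387 / 4.12 pairing taken from this article). It also shows why version strings must be compared numerically: as plain strings, "4.9" sorts after "4.12" and would wrongly count as already patched.

```python
# Constructed mapping of CVE id -> first VergeOS version whose release notes list a fix.
# Only the CVE-2024-6387 / 4.12 entry comes from the article; the other id is a placeholder.
RELEASE_NOTE_FIXES = {
    "CVE-2024-6387": "4.12",
    "CVE-0000-0001": "4.13",   # placeholder id, not a real CVE
}


def parse_version(v):
    """Turn '4.12.1' into (4, 12, 1) so versions compare numerically, not as strings.

    Assumes purely numeric dotted versions, as shown on the dashboard.
    """
    return tuple(int(part) for part in v.split("."))


def triage_cve(cve_id, current_version, fixes=RELEASE_NOTE_FIXES):
    """Classify one scanner-reported CVE following the article's three steps.

    Returns one of:
      'addressed'        - the running version already includes the fix; cite the
                           release note in the compliance record
      'update-available' - a newer release lists the fix; apply it via System > Updates
      'unaddressed'      - no release lists it; contact VergeOS Support
    """
    fixed_in = fixes.get(cve_id)
    if fixed_in is None:
        return "unaddressed"
    if parse_version(current_version) >= parse_version(fixed_in):
        return "addressed"
    return "update-available"


def triage_report(cve_ids, current_version):
    """Group every CVE id from a scan by the action it requires."""
    report = {"addressed": [], "update-available": [], "unaddressed": []}
    for cve in sorted(set(cve_ids)):
        report[triage_cve(cve, current_version)].append(cve)
    return report


if __name__ == "__main__":
    print(triage_report(["CVE-2024-6387", "CVE-9999-0002"], "4.10"))
```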

Sample Compliance Language#

When documenting your hypervisor security posture for auditors, you can adapt the following:

"VergeOS is a purpose-built, hardened hyperconverged operating system with a read-only overlay filesystem and minimal external attack surface. The platform does not use traditional OS package management; all security patches are delivered through vendor-managed updates applied via the built-in update system. The current version [X.Y.Z] was applied on [date]. Release notes documenting CVE remediations for each version are available at docs.verge.io/release-notes."

Troubleshooting#

Common Issues

  • Problem: Scanner cannot identify the operating system
  • Solution: VergeOS is a custom OS and may not be fingerprinted by standard scanners. Note this in your compliance documentation as a hardened, purpose-built platform.

  • Problem: Credentialed scan requires SSH but it is disabled
  • Solution: See the Credentialed vs. Uncredentialed Scans section above. Enable SSH temporarily and with IP restrictions if required.
