is there a way to lookup (in logs, reports or api) the vulnerability checks that were run for an asset. Our agent scans are done using the template Full audit without Web Spider.
We have a non standard linux distribution and our authenticated scans returned incorrect fingerprinting. the agent scan was more successful.
the inability to report on what the machine was actually checked for at a vulnerability level increases the risk that there are gaps in coverage for specific vulnerabilities
You can certainly go to the scan logs and see each vulnerability check that was ran. By going to the scan itself and downloading the scan log there will be a separate line for each check performed.
The fingerprinting is going to be seperate from the vulnerability checks performed though and if I had to guess, the fingerprinting was inaccurate due to an unauthenticated scan. I would check the scan and look specifically for the assets that had a bad fingerprint and check the authentication status.
Is there any difference in fingerprinting done via R7 agent and an authenticated scan ?
No, as long as the credentials supplied have the proper permissions then the authenticated scan and the agent are checking the same criteria for OS fingerprinting.
Thank You John. Is there a fingerprint xml file that needs to be customized for non standard distributions? Came across this discussion RedHat Apache Banner OS Finger Print
I wouldn’t say that anything needs changed per se but depending on the non standard distribution you have you could create a custom fingerprint xml like @brian_w_gray did in the thread you linked to.
Like @brent_cook said, the custom template would take precedence over the built ins and should give you more accurate fingerprinting.