Open
Summary
A customer asked about best practices for running vulnerability scans (e.g., Nessus) against VergeOS node clusters. There is currently no documentation covering this topic.
Customer Context
The customer is setting up automated Nessus scans across their hypervisors and was unsure whether scanning the management IP (web UI) is sufficient, or if they should also scan individual node NICs. Scanning the management IP appeared to work but only returned results for the web server itself.
Suggested Content
A KB article or product guide section covering:
- Recommended scan targets — Management IP (web UI) is the primary externally-reachable surface; individual node NICs handle internal fabric traffic and are not typically externally accessible
- Architecture context — VergeOS is a purpose-built, hardened hyperconverged OS, not a general-purpose Linux distro, so traditional vulnerability scanners may have limited plugin coverage
- Credentialed vs. uncredentialed scans — SSH is disabled by default and discouraged; document whether/how credentialed scanning is supported
- Patching/update guidance — VergeOS nodes are patched through the built-in update system (System > Updates), not traditional OS package management. Keeping the system updated is the primary way to address CVEs
- Compliance considerations — Guidance for customers who need to demonstrate hypervisor patching for audit/compliance purposes
Related Docs
- docs/knowledge-base/posts/enable-ssh.md — SSH is disabled by default
- docs/product-guide/system/running-updates.md — Built-in update process
- docs/product-guide/networks/network-concepts.md — Network architecture (core, DMZ, external, internal)
- docs/product-guide/system/node-diagnostics.md — Built-in diagnostic tools