As an internal security person (now a consultant for third parties): your approach is interesting, but still fails where all security tools do: who is going to install the agent on every box? The reason why every asset tracking solution is incomplete is because they are trying to correlate agent data and platform data. This is exacerbated by cloud computing since resources are much more transient and new servers lack gating by a governance org.
Complex AV tools are cool but they are so far down the chain of actually exploited vulns, they are not super useful most of the time. Usually the vulns used are old and just unpatched (check the latest DBIR data to see average age of exploited vuln). So a lot of time and effort goes into cajoling teams to update packages and having them say "we don't even call the vulnerable function."
My biggest issues:
-Asset inventory (SANS Top 20 #1)
-Software inventory (SANS Top 20 #2)
-Tagging of ownership (what does this box do and who do I call if it goes bump in the night)
To answer your other questions:
-Yes, but that is because we created it
-Yes, but only because we have tooling to do it across cloud envs
-No, we only look at deployed bins
-Signature based
-Getting useful code deployed to a box is hard enough; unless there is an RCE this is so far down the list of threats on our threat model
-No idea, I assume pretty good since we use MITRE references, but making sure those are accurate to what we find is tough
-Yes, all of them (Fedora, Ubuntu, Arch, Alpine)