There is a CVE audit, which does not validate the version of the software (as a lot of dumb security software does), but verifies which patches fix a CVE and then analyzes the systems themselves.

There is also OpenSCAP, which allows you to audit systems based on OpenSCAP policies and then, with a Salt state/formula, ensure that the machines comply with your security needs.