Andrew Tsen on 15 Jan 2010 07:49:11 -0800
This may be a little off topic, but have any of you run into being PCI compliant with any of your Linux servers that are running LAMP with native RPM or DEB packages? As you know, those package versions are often behind the latest/real version numbers (example: PHP/5.2.4-2ubuntu5.10, where the latest tarball available is PHP 5.2.12).

We get scanned by a 3rd-party vendor that -supposedly- runs checks against our web servers, and one of the methods they use to determine whether we are vulnerable or not is to verify our software versions. This, in my opinion, is a bad scan, since they aren't trying any of the exploits against our servers; they just assume we are not patched. Then I have to go through the process of appealing their scans and providing documentation that the software version we are running is patched by the vendor, whether it is in RPM or DEB packages. Often I'm appealing on openssh, openssl, php and apache2 versions.

I'm contemplating starting to use tarballs, compiling, and redoing the whole LAMP setup instead of using apt, etc. Any thoughts or suggestions? Aside from switching the vendor that is scanning our network.

Thanks in advance.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
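The mismatch Andrew describes comes down to how a version string such as PHP/5.2.4-2ubuntu5.10 is compared. The following is an added example, not from the original post: it ports dpkg's version ordering so the installed package can be checked against the fixed version a distro security advisory names (the evidence an appeal needs), alongside the upstream-only comparison a version-banner scanner performs. The version strings in the assertions are constructed for illustration.

```python
# Added example for this thread (not from the original post): dpkg-style version comparison,
# so "PHP/5.2.4-2ubuntu5.10" is checked against the distro advisory's fixed version, not the newest tarball.

def _order(c):
    # dpkg weighting: '~' sorts before everything (even end of string), letters before symbols.
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs with numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (a[i:i + 1] and not a[i].isdigit()) or (b[j:j + 1] and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        while a[i:i + 1] == "0":  # leading zeros are not significant
            i += 1
        while b[j:j + 1] == "0":
            j += 1
        while a[i:i + 1].isdigit() and b[j:j + 1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i + 1].isdigit():
            return 1
        if b[j:j + 1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; distro security updates bump the revision."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 in dpkg order: epoch first, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def assess(installed, latest_upstream, fixed_in):
    """Version-only scanner verdict vs. the appeal evidence (installed >= advisory's fixed version)."""
    scanner_ok = compare_versions(parse_version(installed)[1], latest_upstream) >= 0
    distro_ok = compare_versions(installed, fixed_in) >= 0
    return {"scanner_says_patched": scanner_ok, "distro_says_patched": distro_ok}
```

On a Debian or Ubuntu host the same ordering is available from `dpkg --compare-versions`, and the fixed version to compare against comes from the distro's security advisory or the package changelog.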