Randall A Sindlinger on 15 Jan 2010 08:03:29 -0800



Re: [PLUG] PCI Compliancy with Ubuntu/RedHat/Suse


On Fri, Jan 15, 2010 at 10:48:30AM -0500, Andrew Tsen wrote:
> 
> We get scanned by a 3rd party vendor that -supposedly- run checks
> against our web servers and one of the methods they use to determine
> if we are vulnerable or not is that they verify our software versions.
>  This in my opinion is a bad scan since they aren't trying any of the
> exploits against our servers so they assume we are not patched.
> 
> Any thoughts or suggestions?  Aside from switching the vendor that is
> scanning our network.
> 
> Thanks in advance.

You're *paying* them to do this?  All they're basically doing is remotely
duplicating the info you can get out of `rpm -qa` if I'm understanding what
you're saying correctly.

You need a vendor that does real vulnerability checks.  Or harden your 
system a bit more so that the versions of apps aren't exposed (that's
good advice anyway).  Then either your current vendor will be forced
to do the work they should be doing in the first place, or they'll 
come out looking ignorant and incompetent if they can't.

Oh, fwiw, I don't think rolling out your own updates independent of the
distribution you're using is worthwhile.  There's usually a good reason
the updates aren't in the repo yet (such as unfinished regression testing,
a known bug in the interaction of the new version of, say,  php and the
version of your distro, etc).  ymmv, of course.

-Randall
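Two defender-side checks that follow from the thread, written as an added example rather than anything posted by Randall or Andrew: one parses an HTTP `Server` header to show exactly which product/version strings a version-only scanner keys on (what `ServerTokens Prod` and `ServerSignature Off` in `httpd.conf`, and `expose_php = Off` in `php.ini`, are meant to remove), and the other extracts CVE identifiers from `rpm -q --changelog` output, the evidence that a distro package with an old-looking version string may still carry backported fixes. All sample header values and changelog text are constructed, and the CVE ids in them are placeholders, not real entries.

```python
"""Defender-side checks around version-based vulnerability scanning.

Added example, not code from the PLUG thread.  Sample inputs are constructed;
CVE identifiers below are placeholders (CVE-0000-NNNN), not real CVEs.
"""
import re

# A token like "Apache/2.2.3" or "OpenSSL/0.9.8e": product, slash, version.
VERSIONED_TOKEN = re.compile(r"^([A-Za-z][\w.-]*)/(\d[\w.-]*)$")
# Parenthesised comments in a Server header, e.g. "(CentOS)" or "(Unix)".
COMMENT = re.compile(r"\([^)]*\)")
# CVE identifier pattern as it appears in rpm changelog entries.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def server_header_exposure(server_header):
    """Return the (product, version) pairs disclosed by a Server header value.

    This is the information a version-only scanner harvests.  With Apache's
    ``ServerTokens Prod`` the header is just "Apache" and nothing is returned.
    """
    stripped = COMMENT.sub(" ", server_header)
    disclosed = []
    for token in stripped.split():
        match = VERSIONED_TOKEN.match(token)
        if match:
            disclosed.append((match.group(1), match.group(2)))
    return disclosed


def is_banner_hardened(server_header):
    """True when the header names no product version at all."""
    return not server_header_exposure(server_header)


def cves_fixed_in_changelog(changelog_text):
    """Return the sorted, de-duplicated CVE ids mentioned in rpm changelog text.

    Typical input is the output of ``rpm -q --changelog <package>``; a hit
    here shows a fix was backported even though the upstream version number
    reported in the banner did not change.
    """
    return sorted(set(CVE_RE.findall(changelog_text)))


# --- constructed sample data -------------------------------------------------
# A chatty banner of the kind a default Apache/PHP install on RHEL-derived
# distros emits with ``ServerTokens Full``.
CHATTY_HEADER = "Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8e"
# The same server after ``ServerTokens Prod``.
HARDENED_HEADER = "Apache"

# Constructed rpm changelog excerpt; the CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Jan 12 2010 Example Maintainer <maint@example.com> - 2.2.3-31
- backport upstream fix for CVE-0000-0001 (placeholder id)
- rebuild against updated openssl
* Mon Nov 02 2009 Example Maintainer <maint@example.com> - 2.2.3-30
- fix CVE-0000-0002 and CVE-0000-0003 (placeholder ids)
- CVE-0000-0002 listed twice in upstream advisory, once here
"""


def report(server_header, changelog_text):
    """Summarise what a version-only scan would see versus what the package carries."""
    lines = []
    for product, version in server_header_exposure(server_header):
        lines.append("banner discloses %s %s" % (product, version))
    if is_banner_hardened(server_header):
        lines.append("banner discloses no versions")
    fixed = cves_fixed_in_changelog(changelog_text)
    lines.append("changelog references %d CVE id(s): %s" % (len(fixed), ", ".join(fixed)))
    return lines


if __name__ == "__main__":
    for header in (CHATTY_HEADER, HARDENED_HEADER):
        print("Server: %s" % header)
        for line in report(header, SAMPLE_CHANGELOG):
            print("  " + line)
```

Run it as-is to see the contrast between the chatty and the hardened banner; to use it against a live host, feed `server_header_exposure()` the value of the `Server` header from your own server's response and `cves_fixed_in_changelog()` the real output of `rpm -q --changelog httpd`, which is what you would hand the scanning vendor when they flag a version string that the distribution has already patched.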
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug