Andrew Tsen on 15 Jan 2010 08:25:21 -0800



Re: [PLUG] PCI Compliancy with Ubuntu/RedHat/Suse


On Fri, Jan 15, 2010 at 11:02 AM, Randall A Sindlinger
<rsindlin+plug@seas.upenn.edu> wrote:
> You're *paying* them to do this?  All they're basically doing is remotely
> duplicating the info you can get out of `rpm -qa` if I'm understanding what
> you're saying correctly.
>

They are also our credit card merchant so the service is included in
the merchant fee.

We've spoken with them and asked if we can get their algorithm or
logic of the scan, and of course, they can't provide this information.



> You need a vendor that does real vulnerability checks.  Or harden your
> system a bit more so that the versions of apps aren't exposed (that's
> good advice anyway).  Then either your current vendor will be forced
> to do the work they should be doing in the first place, or they'll
> come out looking ignorant and incompetent if they can't.

Good advice about not exposing versions - I'll look into that.


> Oh, fwiw, I don't think rolling out your own updates independent of the
> distribution you're using is worthwhile.  There's usually a good reason
> the updates aren't in the repo yet (such as unfinished regression testing,
> a known bug in the interaction of the new version of, say, php and the
> version of your distro, etc).  ymmv, of course.

I totally understand and I'm not looking forward to compiling from
source with every new version/vulnerability that is published.

Still poking around to see if others may have run into a similar situation.

Thanks.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
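The advice in the thread about not exposing application versions, shown as an added configuration example that is not part of the original messages: the Apache httpd settings that put the full version string into every response and error page, beside the hardened settings that leave only the product name. The file path is an assumption; on Debian/Ubuntu these directives usually live under /etc/apache2/, on Red Hat and SUSE in the main httpd.conf.

```apache
# Weak: every response carries a header such as
#   Server: Apache/2.2.x (Ubuntu) PHP/5.x.y
# and server-generated error pages end with the same version line.
# This is exactly the data a version-matching scan keys on.
#ServerTokens Full
#ServerSignature On

# Hardened: only the product name ("Server: Apache"), no module
# versions, and no version footer on error pages.
ServerTokens Prod
ServerSignature Off
```

ServerTokens does not cover the separate X-Powered-By header that mod_php adds; that one is turned off with expose_php = Off in php.ini. Hiding the banner only changes what a version-based scan can fingerprint, it does not change whether the package is patched, so the distribution's security updates still do the real work.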