Ron Mansolino on 15 Jan 2010 18:34:24 -0800


Re: [PLUG] PCI Compliancy with Ubuntu/RedHat/Suse

Are they doing a vulnerability scan, or a software audit?
I'll look through our PCI library to see how the applicable requirement is worded.

On Fri, Jan 15, 2010 at 10:48 AM, Andrew Tsen <> wrote:
This may be a little off topic, but have any of you run into being PCI
compliant with any of your Linux servers that are running LAMP with
native RPM or DEB packages?

As you know, those package versions are often behind the
latest/real version numbers (example: PHP/5.2.4-2ubuntu5.10, where
the latest tarball available is PHP 5.2.12).

We get scanned by a 3rd party vendor that -supposedly- runs checks
against our web servers, and one of the methods they use to determine
whether we are vulnerable or not is that they verify our software versions.
This in my opinion is a bad scan, since they aren't trying any of the
exploits against our servers, so they assume we are not patched.

Then I would have to go through the process of appealing their scans
and provide documentation that the software version we are running is
patched by the vendor whether it is in RPM or DEB packages.

Often I'm appealing on openssh, openssl, php and apache2 versions.

I'm contemplating starting to use tarballs and compile and re-do
the whole LAMP setup instead of using apt, etc.

Any thoughts or suggestions?  Aside from switching the vendor that is
scanning our network.

Thanks in advance.
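The appeal Andrew describes rests on showing that the distro package, despite its older version string, already carries the vendor's backported fix. The script below is an added example, not code from either post: it pulls the changelog entry of a Debian/Ubuntu or RPM package that records a given CVE, which is the evidence a version-only scanner finding can be appealed with. The package paths, the `php5` name and the CVE ids in the sample are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the list post): find the version entry of a distro package
# changelog that records a fix for a given CVE. That entry documents a backported
# patch that a version-only scanner cannot see.
# Assumes Debian/Ubuntu changelogs under /usr/share/doc or RPM's "rpm -q --changelog".

# cve_fix_versions CHANGELOG_TEXT CVE_ID
# Prints the version of every changelog entry that mentions CVE_ID. Understands the
# Debian header "pkg (version) dist; urgency=..." and the RPM header "* date who - version".
cve_fix_versions() {
  printf '%s\n' "$1" | awk -v cve="$2" '
    /^[^ ]+ \([^)]+\) /    { ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver); hit = 0 }
    /^\* /                 { ver = $NF; hit = 0 }
    index($0, cve) && !hit { print ver; hit = 1 }'
}

# installed_changelog PKG: local changelog of an installed package, whichever packaging is present.
installed_changelog() {
  if [ -r "/usr/share/doc/$1/changelog.Debian.gz" ]; then
    zcat "/usr/share/doc/$1/changelog.Debian.gz"
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog "$1"
  fi
}

# Constructed sample in Debian format; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='php5 (5.2.4-2ubuntu5.10) hardy-security; urgency=low

  * SECURITY UPDATE: constructed entry
    - CVE-0000-0001 (placeholder id)
    - CVE-0000-0001 mentioned again on purpose; still reported once

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2010 00:00:00 +0000

php5 (5.2.4-2ubuntu5.9) hardy-security; urgency=low

  * SECURITY UPDATE: constructed entry
    - CVE-0000-0002 (placeholder id)'

# Constructed sample in RPM changelog format, same placeholder ids.
SAMPLE_RPM_CHANGELOG='* Mon Jan 01 2010 Example Maintainer <maint@example.invalid> - 5.2.4-2
- backport fix for CVE-0000-0002 (placeholder id)'

# On a live box: cve_fix_versions "$(installed_changelog php5)" CVE-XXXX-XXXX
# Here, on the constructed sample:
cve_fix_versions "$SAMPLE_CHANGELOG" CVE-0000-0001   # prints 5.2.4-2ubuntu5.10
```

An empty result means the changelog never names the CVE, so the scanner finding cannot be appealed on backport grounds from this package alone.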
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --