[CentOS] Recommendation for a Good Vulnerability Scanning Service?
Ian Forde
ianforde at gmail.com
Mon Feb 21 00:01:44 UTC 2011
On Fri, 2011-02-18 at 15:51 -0500, John Hinton wrote:
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,
> the trouble is the versioning numbers used by RH. If the system 'is' RH,
> most of the time those 'exceptions' are noted by the scanner but you may
> find yourself trying to 'teach them' a lot. Hopefully they have improved
> on this front.
McAfee (after they acquired HackerSafe) Secure recognizes the backported
fixes. Even on CentOS...
> I really think much of this is no more than smoking mirrors. For
> instance they do not ask about username/password policies and obviously
> do not scan for such. So this scanning leaves a lot to be desired. After
> I met all scan problems, my affected clients discovered they just
> answered a question wrong and found that since CC processing was not
> actually happening on my systems, but instead through other processors,
> this all went away and ended the need to address the same issues
> (backports) for the same applications, sometimes still under the same
> version, just due to a new scan. Basically a huge waste of my time. But
> I must admit, I did learn of just a couple of areas which I did tighten
> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the
> AV companies that allow broken virus sigs to set off alarms. "We just
> saved your computer <!--from this item that had no potential of harming
> your computer-->."
Regarding CC processing, check version 2.0 of the DSS. On page 7,
referring to the scope, I found the term, "processed, stored or
transmitted", so that may (or may not) change how you approach it.
> But, if you must, I did find the Nessus output was fairly close to what
> the compliance companies found and gave me a bit of time to tune systems
> before the real scan. It has been a while, but I think Nessus found some
> things I thought more important, which the commercial scanner did not
> mention.
>
> And hey, if you do breeze through with CentOS being recognized as a RHEL
> clone, I would love to hear about that back to this list.
Yep - McAfee is just fine with it...
-I
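The thread's recurring problem is a scanner that judges a CentOS box by the banner version alone and misses RH's backported fixes. A small check an admin can run before the compliance scan (added here as an example, not code from anyone in the thread): it classifies a package as fixed upstream, fixed by backport, or unpatched by combining a version comparison with the package changelog. The changelog text and the CVE ids are constructed placeholders; on a live host the changelog would come from `rpm -q --changelog <package>`.

```shell
#!/bin/sh
# Constructed sample in the style of `rpm -q --changelog` output; not real package data.
SAMPLE_CHANGELOG='* Tue Feb 15 2011 Example Packager <packager at example.invalid> - 1.0.0-10
- backport upstream fix for CVE-0000-0001 (placeholder id)
- rebuild against updated toolchain
* Mon Jan 03 2011 Example Packager <packager at example.invalid> - 1.0.0-9
- initial import'

# version_ge A B: true when dotted version A is >= B (sort -V is GNU coreutils, present on CentOS).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# changelog_mentions CVE CHANGELOG_TEXT: true when the CVE id appears as a whole token.
changelog_mentions() {
    printf '%s\n' "$2" | grep -qiw -- "$1"
}

# backport_status INSTALLED FIXED_UPSTREAM CVE CHANGELOG_TEXT
# Prints one of: fixed-upstream | fixed-by-backport | unpatched
# A version-only scanner would report the first two cases identically as "vulnerable"
# whenever INSTALLED < FIXED_UPSTREAM; the changelog is what separates them.
backport_status() {
    if version_ge "$1" "$2"; then
        echo fixed-upstream
    elif changelog_mentions "$3" "$4"; then
        echo fixed-by-backport
    else
        echo unpatched
    fi
}

# Stand-alone demo over the constructed sample: installed 1.0.0, upstream fix in 1.0.1.
for cve in CVE-0000-0001 CVE-0000-0002; do
    printf '%s: %s\n' "$cve" "$(backport_status 1.0.0 1.0.1 "$cve" "$SAMPLE_CHANGELOG")"
done
```

Keep the changelog lines that name the CVE; that is the evidence to hand the scanning vendor when they flag the version string.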