On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS however does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes, the trouble is the versioning numbers used by RH. If the system 'is' RH, most of the time those 'exceptions' are noted by the scanner but you may find yourself trying to 'teach them' a lot. Hopefully they have improved on this front.
I really think much of this is no more than smoking mirrors. For instance they do not ask about username/password policies and obviously do not scan for such. So this scanning leaves a lot to be desired. After I met all scan problems, my affected clients discovered they just answered a question wrong and found that since CC processing was not actually happening on my systems, but instead through other processors, this all went away and ended the need to address the same issues (backports) for the same applications, sometimes still under the same version, just due to a new scan. Basically a huge waste of my time. But I must admit, I did learn of just a couple of areas which I did tighten up. The rest was just red tape and I started feeling one particular compliance company was more into self-promotion of their service by showing these non-existent flaws. I suppose one could compare it to the AV companies that allow broken virus sigs to set off alarms. "We just saved your computer (from this item that had no potential of harming your computer)."
But, if you must, I did find the Nessus output was fairly close to what the compliance companies found and gave me a bit of time to tune systems before the real scan. It has been a while, but I think Nessus found some things I thought more important, which the commercial scanner did not mention.
And hey, if you do breeze through with CentOS being recognized as a RHEL clone, I would love to hear about that back to this list.
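The backport problem both posters describe (the package version string stays the same on RHEL/CentOS while the fix lands in a later release number, so a banner-based scanner keeps flagging it) can be answered with evidence from the package changelog. The script below is an added example written for this thread, not code from either poster or from any scan vendor. It parses the text that `rpm -q --changelog <package>` prints and splits a scanner finding's CVE list into ids the installed package already documents as fixed and ids that still need a real look. The changelog, the package name, the maintainer and all CVE ids are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `rpm -q --changelog httpd` output on an EL5 box.
# Dates, maintainer and CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Mon Jan 10 2011 Example Packager <pkg@example.invalid> - 2.2.3-43.el5
- backport fix for CVE-0000-0002 (placeholder id)

* Wed Sep 01 2010 Example Packager <pkg@example.invalid> - 2.2.3-42.el5
- backport fix for CVE-0000-0001 (placeholder id)
- rebuild against new apr

* Fri Mar 12 2010 Example Packager <pkg@example.invalid> - 2.2.3-41.el5
- upstream sync
"""

# Constructed sample of a version-banner scanner finding (placeholder ids):
# the scanner sees "2.2.3" and reports every CVE ever fixed after that version.
SAMPLE_FINDING = {
    "package": "httpd",
    "banner_version": "2.2.3",
    "cves": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"],
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Changelog header: "* <date> <name> <email> - <version>-<release>"
HEADER_RE = re.compile(r"^\* .*?\s-\s(?P<vr>\S+)\s*$", re.M)


def parse_changelog(text: str) -> Dict[str, Set[str]]:
    """Map each version-release header in rpm changelog output to the
    set of CVE ids mentioned in that entry (empty set if none)."""
    entries: Dict[str, Set[str]] = {}
    # Split at the start of each "* " header line, keeping the header.
    for part in re.split(r"(?m)^(?=\* )", text):
        if not part.strip():
            continue
        m = HEADER_RE.match(part)
        if not m:
            continue
        entries[m.group("vr")] = set(CVE_RE.findall(part))
    return entries


def triage_finding(finding: dict, changelog_text: str) -> dict:
    """Return which of the finding's CVEs the changelog shows as backported
    (with the version-release that carries the fix) and which remain
    unresolved and need investigation rather than a dispute letter."""
    fixed_in: Dict[str, str] = {}
    for vr, cves in parse_changelog(changelog_text).items():
        for cve in cves:
            # Keep the first (newest) release that names the CVE.
            fixed_in.setdefault(cve, vr)
    backported = {c: fixed_in[c] for c in finding["cves"] if c in fixed_in}
    unresolved: List[str] = sorted(c for c in finding["cves"] if c not in fixed_in)
    return {"package": finding["package"],
            "backported": backported,
            "unresolved": unresolved}


if __name__ == "__main__":
    result = triage_finding(SAMPLE_FINDING, SAMPLE_CHANGELOG)
    print(f"{result['package']}: evidence of backported fixes")
    for cve, vr in result["backported"].items():
        print(f"  {cve} fixed in {vr}")
    print("still unresolved (investigate):", result["unresolved"])
```

On a real host you would feed the script the output of `rpm -q --changelog <package>` for the flagged package; the `backported` map is the per-CVE evidence a compliance vendor usually wants to see, and anything left in `unresolved` is a finding to actually work, since the changelog gives no reason to treat it as a false positive.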