On 02/18/2011 03:09 PM, Michael B Allen wrote:
> HackerGuardian is a commercial service (it's actually "COMODO CA Limited"). Their scan looks thorough. Obviously they're just matching up version numbers with CVE notices but I have a feeling most of these guys are going to be doing the same thing. I was just hoping one would be more sophisticated about the fact that ALL of their "Fail" items I've checked so far are things that were backported or fixed by Red Hat.
Probably not. I've yet to see any vulnerability scanning service that does much above running Nessus in safe mode (which only does banner grabs).
If you're prepared to monkey around with the scanner people, you can request waivers, false positives, etc from the various companies, proving that you're patched against the CVEs they're looking for.
If there is a really competent vendor out there, and if you're comfortable with it, ask them to run a more thorough scan against your box.
> I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.
I would have marked that "other than satisfactory" in an audit. There are AV products for Linux, and on a personal level, rootkit checks and file integrity checks on a public CC handling server are a good idea.
I would *very* strongly recommend that you talk to the bank or agency that's asking you for this, and ask them for recommendations.
> If you mean my merchant account service, they claim to be the largest Authorize.Net reseller, they sanity checked my SAQ C and thought I would be ready for approval as soon as I get a good scan.
> So Trustwave and Qualys ... I'll check them out.
> Thanks,
I'm faintly surprised they aren't in the scam racket of mandating you use a certain vendor, or one of a select few.
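The evidence a scanner vendor usually wants for a "backported fix" dispute is the package changelog entry that names the CVE, since the banner version never changes. The script below is an added example, not something from this thread: on a Red Hat system the changelog text would come from `rpm -q --changelog <package>`; here a constructed changelog with a placeholder CVE id stands in so the script runs anywhere.

```sh
#!/bin/sh
# Added example (not from the thread). Finds the package release in which a
# CVE fix was backported, using the RPM changelog as the source of truth.
# Real use: cve_fix_release "$(rpm -q --changelog httpd)" CVE-XXXX-YYYY
# The changelog below is constructed and the CVE id is a placeholder.

SAMPLE_CHANGELOG='* Tue Feb 01 2011 Example Maintainer <maint@example.invalid> - 2.2.3-43
- fix CVE-0000-0001 (placeholder id) in request parsing
- resolves: #000001
* Mon Jan 10 2011 Example Maintainer <maint@example.invalid> - 2.2.3-42
- rebuild for new toolchain'

# cve_fix_release <changelog-text> <cve-id>
# Prints the version-release of the newest changelog entry mentioning the
# CVE (case-insensitive); prints nothing if the id never appears.
cve_fix_release() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /                           { rel = $NF }   # entry header: last field is version-release
        index(toupper($0), toupper(cve)) { print rel; exit }
    '
}

# report <changelog-text> <cve-id>
# One-line verdict suitable for a false-positive appeal to the scanner vendor.
report() {
    rel=$(cve_fix_release "$1" "$2")
    if [ -n "$rel" ]; then
        echo "$2: fixed in package release $rel (backport; banner version unchanged)"
    else
        echo "$2: no changelog entry; check vendor errata before disputing"
    fi
}

report "$SAMPLE_CHANGELOG" CVE-0000-0001
report "$SAMPLE_CHANGELOG" CVE-0000-0002
```

If the installed release (from `rpm -q <package>`) is at or above the one printed, the version-only finding is a false positive; if the id is absent from the changelog, the package may genuinely be unpatched.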