On Fri, 2011-02-18 at 15:51 -0500, John Hinton wrote:
> Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS however does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes, the trouble is the versioning numbers used by RH. If the system 'is' RH, most of the time those 'exceptions' are noted by the scanner but you may find yourself trying to 'teach them' a lot. Hopefully they have improved on this front.
McAfee (after they acquired HackerSafe) Secure recognizes the backported fixes. Even on CentOS...
> I really think much of this is no more than smoke and mirrors. For instance they do not ask about username/password policies and obviously do not scan for such. So this scanning leaves a lot to be desired. After I met all scan problems, my affected clients discovered they had just answered a question wrong and found that since CC processing was not actually happening on my systems, but instead through other processors, this all went away and ended the need to address the same issues (backports) for the same applications, sometimes still under the same version, just due to a new scan. Basically a huge waste of my time. But I must admit, I did learn of just a couple of areas which I did tighten up. The rest was just red tape and I started feeling one particular compliance company was more into self promotion of their service by showing these non-existent flaws. I suppose one could compare it to the AV companies that allow broken virus sigs to set off alarms. "We just saved your computer <!--from this item that had no potential of harming your computer-->."
Regarding CC processing, check version 2.0 of the DSS. On page 7, referring to the scope, I found the term, "processed, stored or transmitted", so that may (or may not) change how you approach it.
> But, if you must, I did find the Nessus output was fairly close to what the compliance companies found and gave me a bit of time to tune systems before the real scan. It has been a while, but I think Nessus found some things I thought more important, which the commercial scanner did not mention.
> And hey, if you do breeze through with CentOS being recognized as a RHEL clone, I would love to hear about that back to this list.
Yep - McAfee is just fine with it...
-I