[CentOS] Is anybody else dealing with Security Metrics?

Wed Feb 7 19:38:01 UTC 2007
Grant McChesney <grantmc at gmail.com>

On 2/7/07, John Hinton <webmaster at ew3d.com> wrote:
> Seems that some of the credit card processors demand the use of Security
> Metrics to test their web hosting for meeting a fairly good security
> standard.
>
> First, it doesn't matter if they do online credit card processing or
> not, just credit card processing period. This makes some sense, as
> someone could hack in a form pretending to ask for this information...
> so there is at least some risk.. and we all know credit card companies
> ultimately want to achieve 0 risk. ;)
>
> Anyway, the frustration is this and early on their reports even talked
> about it. Redhat doesn't follow the normal numbering system for a lot of
> their security updates for various packages. PHP is a great example of
> the time. Security Metrics says I must be running 5.1 due to exploits in
> earlier versions due to CANXXXX whereas Redhat has clearly addressed the
> issue, sent out a patch and generally we have it installed 2 to 6 months
> before SM starts a failing process.
>
> ---- The real question ----
>
> Basically, I was wondering if there were many of you 'jumping through
> these same hoops'? If there are, perhaps we as a group could do
> something to get them to check for CentOS and then look for RHEL
> versions in hopes of ending these hassles.
>
> ---- end real question ----
>
> I have found that by contacting SM, they will make a correction to a
> test once they know what you are running, but this seems to come up with
> each and every test. And the testing is done by domain, not by server,
> so you have to deal with each domain tested with the exact same crap..
> which amounts to jumping through a hoop.
>
> Also, I've come to realize that some of what they ask that you do,
> equates to having your locked car in the driveway with the keys in your
> pocket.. this fails... But, if you put those keys in a different locked
> car beside it in the driveway and put the keys to that car in your
> pocket, it passes. Very sad......
>
> And never once have they considered talking about the very basics like a
> good password policy. :(
>
> One other thing that bothers me about them is they 'sell appliances'.
> So, if your server/host can't pass or doesn't want to deal with it, we
> can 'sell' them something, making more money which to me seems like a
> conflict of interest for someone operating under the guise of security.

Try adding this to your http.conf:
ServerSignature Off
ServerTokens Prod

It will no longer show versions and modules.  I had a similar issue
thanks to backporting.

Grant
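Two checks that go with the advice above, written for this reply as an added example rather than code from anyone in the thread. The first parses a raw HTTP response and reports which headers still carry a version string, which is what a banner-based scan keys on, so you can confirm that ServerTokens Prod and ServerSignature Off in Apache's httpd.conf took effect. The second walks the output of `rpm -q --changelog <package>` and returns the release whose changelog entry first names a given advisory id, which is the evidence to hand a scanner vendor when the package version looks old but the fix is backported. Both header blocks and the changelog are constructed samples, not captures from any real host, and the advisory id is a placeholder.

```python
"""Version-disclosure and backport checks (added example, not from the thread)."""
import re

# Response headers that commonly carry software names and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# A version-looking token: digits separated by dots, e.g. 2.0.52 or 5.1.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw):
    """Parse a raw HTTP response (status line plus headers, optional body)
    into a dict keyed by lower-cased header name. The body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw):
    """Return {header_name: value} for each disclosing header whose value
    contains a version number; an empty dict means nothing is leaked."""
    headers = parse_headers(raw)
    return {
        name: headers[name]
        for name in DISCLOSING_HEADERS
        if name in headers and VERSION_RE.search(headers[name])
    }


def fix_in_changelog(changelog, advisory_id):
    """Given `rpm -q --changelog` text, return the package release (last
    token of the '* date author version' line) whose entry first mentions
    advisory_id, case-insensitively, or None if no entry does."""
    release = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            release = line.split()[-1]
        elif advisory_id.lower() in line.lower():
            return release
    return None


# Constructed sample: httpd with the default ServerTokens Full.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 07 Feb 2007 19:38:01 GMT\r\n"
    "Server: Apache/2.0.52 (CentOS) PHP/4.3.9\r\n"
    "X-Powered-By: PHP/4.3.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: same host after ServerTokens Prod / ServerSignature Off.
# Those directives only affect the Server header; X-Powered-By is PHP's own.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 07 Feb 2007 19:38:01 GMT\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/4.3.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample in the layout of `rpm -q --changelog php`;
# the advisory id CAN-XXXX-PLACEHOLDER stands in for a real one.
CHANGELOG = (
    "* Mon Jan 15 2007 Example Maintainer <maint at example.com> 4.3.9-3.22\n"
    "- add security fix for CAN-XXXX-PLACEHOLDER\n"
    "\n"
    "* Tue Dec 05 2006 Example Maintainer <maint at example.com> 4.3.9-3.15\n"
    "- rebuild\n"
)

if __name__ == "__main__":
    print("before:", version_disclosures(BEFORE))
    print("after: ", version_disclosures(AFTER))
    print("fixed in release:", fix_in_changelog(CHANGELOG, "CAN-XXXX-PLACEHOLDER"))
```

Run against a live host by feeding it the raw output of a header fetch (for example `curl -sI`) and the real changelog text. Note what the AFTER sample shows: the two httpd directives silence the Server header but not PHP's X-Powered-By, which is controlled separately by `expose_php = Off` in php.ini.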