[CentOS] security compliance vs. old software versions

Wed Jun 30 21:00:36 UTC 2010
Bill Campbell <centos at celestial.com>

On Wed, Jun 30, 2010, Frank Cox wrote:
>On Wed, 2010-06-30 at 15:14 -0400, m.roth at 5-cent.us wrote:
>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the
>> printers, and left it off. This, of course, slows things down a lot, but
>> it's "Secure".
>The point is that the security scan is supposed to be verifying that
>your setup is, in fact, secure.  If you change your setup before running
>the scan, and then change it back immediately afterward, how is that
>verifying that your setup is, in fact, secure?  What you scanned != what
>you are actually using.

There are fundamental problems with the PCI compliance checking that I've
seen.  I've had them say that sites accept SSLv2 when they explicitly don't,
as a real test shows (e.g. use openssl in client mode to attempt to connect
using that protocol).

The one that really frosts me is that the systems we support use a
combination of tcp_wrappers, swatch, and software I've written that
automatically blocks IP addresses which exhibit malicious behaviour,
similar to fail2ban, but using a DNSRBL to automatically block sites that have
been identified as attackers.

The PCI testers get blocked because of what appear to be cracking attempts,
then have the gall to say that the site fails because it appears to have
active firewalls.  Well DUH!

INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

Democracy is the theory that the common people know what they
want and deserve to get it good and hard. == H.L. Mencken
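The "real test" Bill describes is connecting in client mode with SSLv2 and seeing whether the server actually answers. Current OpenSSL builds (1.1.0 and later) no longer ship SSLv2, so `openssl s_client -ssl2` is not available on a modern box; the probe below is an added example, not code from the original post or from any of the tools named in it. It hand-builds an SSLv2 CLIENT-HELLO, sends it over a plain TCP socket, and reports the cipher specs the server offers in an SSLv2 SERVER-HELLO, or None if the server answers with anything else (a TLS alert, silence, a reset). The host name `www.example.com` and the sample SERVER-HELLO bytes are constructed for illustration.

```python
import os
import socket
import struct

# SSLv2 CIPHER-SPEC codes (3 bytes each) from the SSL 2.0 draft specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec."""
    if challenge is None:
        challenge = os.urandom(16)  # CHALLENGE-DATA, 16 bytes is the common size
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"            # MSG-CLIENT-HELLO
        + b"\x00\x02"      # CLIENT-VERSION 0x0002 = SSL 2.0
        + struct.pack(">HHH", len(ciphers), 0, len(challenge))
        + ciphers          # CIPHER-SPECS-DATA
        + challenge        # (empty SESSION-ID-DATA) + CHALLENGE-DATA
    )
    # Two-byte record header: high bit set means "2-byte header, no padding".
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return the cipher names in an SSLv2 SERVER-HELLO, or None if `data` is not one.

    Only the 2-byte (unpadded) record header is handled, which is what an
    unencrypted SERVER-HELLO uses. A TLS alert (0x15...) or an empty read
    fails the first check and yields None.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:  # MSG-SERVER-HELLO
        return None
    version = body[3:5]                      # byte 1 = session hit, byte 2 = cert type
    cert_len, spec_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    if version != b"\x00\x02":
        return None
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) != spec_len or spec_len % 3:
        return None
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, spec_len, 3)]


def probe_sslv2(host, port=443, timeout=5.0):
    """Send a CLIENT-HELLO and return the offered SSLv2 ciphers, or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return None
    return parse_sslv2_server_hello(data)


# Constructed SERVER-HELLO (no certificate, two ciphers, 16-byte connection id)
# used to exercise the parser offline; not a capture from any real server.
_sample_body = (
    b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"
    + struct.pack(">HHH", 0, 6, 16)
    + b"\x01\x00\x80" + b"\x07\x00\xc0"
    + b"\x00" * 16
)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_sample_body)) + _sample_body
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # TLS alert, protocol_version


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    result = probe_sslv2(target)
    if result is None:
        print(f"{target}: no SSLv2 SERVER-HELLO (SSLv2 not accepted)")
    else:
        print(f"{target}: SSLv2 accepted, ciphers: {', '.join(result)}")
```

Run it from a host that is not going to be auto-blocked by the site you are testing: a raw SSLv2 hello from an unknown address looks exactly like the kind of traffic the blocker described in this thread is meant to catch, so test from an allowlisted address or the result may be a silent reset rather than an answer.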
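The second complaint in the post, the scanner being blocked by a fail2ban-style reactive blocker, is the practical reason such blockers carry an allowlist for known scanner source ranges. The sketch below is an added example of that design and is not Bill's software, fail2ban, or swatch: it counts failed logins per source address in sshd-style log lines, consults a DNSRBL for any address below the threshold, skips allowlisted networks entirely, and emits tcp_wrappers `hosts.deny` lines. The log lines, the addresses, the zone `dnsbl.example`, the `198.51.100.0/24` scanner range and the `offline_resolver` stand-in are all constructed for illustration; a real run would pass the default `socket.gethostbyname` resolver and a real DNSBL zone.

```python
import ipaddress
import re
import socket
from collections import defaultdict

# Constructed sshd-style log lines (not from the original post).
SAMPLE_LOG = """\
Jun 30 20:58:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 5120 ssh2
Jun 30 20:58:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 5121 ssh2
Jun 30 20:58:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 5122 ssh2
Jun 30 20:58:07 host sshd[1204]: Failed password for root from 203.0.113.7 port 5123 ssh2
Jun 30 20:58:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40022 ssh2
Jun 30 20:58:11 host sshd[1206]: Accepted publickey for bill from 192.0.2.20 port 50001 ssh2
Jun 30 20:58:12 host sshd[1207]: Failed password for bill from 192.0.2.20 port 50002 ssh2
Jun 30 20:59:00 host sshd[1210]: Failed password for invalid user scanner from 198.51.100.9 port 33001 ssh2
Jun 30 20:59:01 host sshd[1211]: Failed password for invalid user scanner from 198.51.100.9 port 33002 ssh2
Jun 30 20:59:02 host sshd[1212]: Failed password for invalid user scanner from 198.51.100.9 port 33003 ssh2
Jun 30 20:59:03 host sshd[1213]: Failed password for invalid user scanner from 198.51.100.9 port 33004 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def dnsbl_name(ip, zone):
    """DNSBL lookup name: octets reversed, then the zone (203.0.113.5 -> 5.113.0.203.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone, resolver=socket.gethostbyname):
    """True if the DNSBL returns an A record for the address; NXDOMAIN means not listed."""
    try:
        resolver(dnsbl_name(ip, zone))
        return True
    except socket.gaierror:
        return False


# Constructed offline stand-in for the resolver: only one name is "listed".
FAKE_LISTED = {"5.113.0.203.dnsbl.example"}


def offline_resolver(name):
    if name in FAKE_LISTED:
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


def decide_blocks(log_text, threshold=3, allowlist=(), dnsbl_zone=None,
                  resolver=socket.gethostbyname):
    """Map source IP -> reason for every address that should be blocked.

    Allowlisted networks (e.g. a compliance scanner's source range) are never
    blocked, however much noise they generate; that is the point of the list.
    """
    allow_nets = [ipaddress.ip_network(n) for n in allowlist]
    failures = defaultdict(int)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            failures[match.group(1)] += 1

    blocked = {}
    for ip, count in failures.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allow_nets):
            continue  # scanner or other trusted source: log it, never block it
        if count >= threshold:
            blocked[ip] = f"{count} failures"
        elif dnsbl_zone and dnsbl_listed(ip, dnsbl_zone, resolver):
            blocked[ip] = f"listed in {dnsbl_zone}"
    return blocked


def hosts_deny_lines(blocked):
    """tcp_wrappers /etc/hosts.deny lines, one 'ALL: <ip>' per blocked address."""
    return [f"ALL: {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    decisions = decide_blocks(SAMPLE_LOG, threshold=3,
                              allowlist=["198.51.100.0/24"],   # assumed scanner range
                              dnsbl_zone="dnsbl.example",
                              resolver=offline_resolver)
    for ip, why in decisions.items():
        print(f"block {ip}: {why}")
    print("\n".join(hosts_deny_lines(decisions)))
```

The allowlist check runs before the threshold and DNSBL checks on purpose: a scanner that is itself listed on a public DNSBL (scanners often are, since they scan everyone) would otherwise be blocked by the second path even if it stayed under the failure threshold.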