[CentOS] security compliance vs. old software versions

Wed Jun 30 21:53:45 UTC 2010
Jim Wildman <jim at rossberry.com>

But the point is that the original poster is NOT the one running the
scan.  And the results of the scan (complaining about
vulnerabilities based on version numbers) indicate that it is not a
true 'security' scan anyway.  For (almost) every CVE issued, there
is a way to mitigate the risk that does not involve installing "the
latest and greatest with all the new fixes".  It is at best a
superficial scan of the type that is sold to PHB's so they can
"check the box".

I've spent a lot of hours trying to educate auditors.

On Wed, 30 Jun 2010, Frank Cox wrote:

> The point is that the security scan is supposed to be verifying that
> your setup is, in fact, secure.  If you change your setup before running
> the scan, and then change it back immediately afterward, how is that
> verifying that your setup is, in fact, secure?  What you scanned != what
> you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just
> write the Sooper Dooper Security Scanner yourself?
>

----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE       jim at rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine
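The false positive Jim describes (a scanner that keys on the package version string while the distribution backports the fix without bumping the version) is normally answered by showing the package changelog. The script below is an added example, not code from this thread or from the CentOS project; it assumes a POSIX shell with grep and tr, and rpm for the on-host wrapper. The sample changelog text, the maintainer, the versions and the CVE-0000-* ids in it are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example, not code from the CentOS thread: check whether a package's RPM
# changelog records a fix for a given CVE. This is the usual evidence to hand an
# auditor when a version-only scanner flags a CentOS/RHEL package whose fix was
# backported without a version bump.

# cve_in_changelog CVE-ID
# Reads changelog text on stdin, prints the entries that mention the CVE id as a
# whole token (so CVE-0000-001 does not match CVE-0000-0012), and returns 0 if
# at least one was found, 1 if none, 2 if the argument is not a CVE id.
cve_in_changelog() {
    cve=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$cve" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
        *) echo "cve_in_changelog: '$1' is not a CVE id" >&2; return 2 ;;
    esac
    grep -i -E "(^|[^0-9A-Za-z])${cve}([^0-9]|$)"
}

# rpm_has_cve_fix PACKAGE CVE-ID
# Runs the same check against the installed RPM database on a CentOS/RHEL host.
rpm_has_cve_fix() {
    rpm -q "$1" >/dev/null 2>&1 || { echo "rpm_has_cve_fix: $1 is not installed" >&2; return 2; }
    rpm -q --changelog "$1" | cve_in_changelog "$2"
}

# Constructed sample in the layout `rpm -q --changelog` prints; the maintainer,
# versions and CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jun 01 2010 Example Maintainer <maint@example.com> - 1.2.3-43
- Resolves: CVE-0000-0001 placeholder entry for a backported fix
- Resolves: CVE-0000-0012 second placeholder entry

* Mon Jan 04 2010 Example Maintainer <maint@example.com> - 1.2.3-31
- rebuild'

# Stand-alone demonstration against the sample text.
if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-0000-0001; then
    echo "fix recorded in changelog: keep the matching line for the auditor"
else
    echo "no changelog entry: treat the scanner finding as open"
fi
```

A matching changelog line shows that the distribution shipped a fix for that CVE in the installed build; it does not show that the service is configured safely or that the scanner's other findings are wrong, so it belongs next to the finding as evidence rather than as a reason to dismiss the scan.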