[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Fri Feb 18 20:51:33 UTC 2011
John Hinton <webmaster at ew3d.com>

On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>
>> I haven't spoken with the hackerguardian people yet but it would be
>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>> that into their report so that I can focus on any real issues. Are
>> there vulnerability scanning services that are more or less
>> sophisticated about this?
> I'd suggest you educate yourself on the PCI compliance issue, and query
> your prospective vendor(s) on what specific scans they run and/or how
> these are tuned to specific operating environments.
>
> I'd tend to suspect that vuln/pen testing is going to be based more on
> known vulnerabilities than your environment.

Very good information, Ed. And yes, you will almost certainly be 
fighting with the compliance company, as I have not yet seen any who 
recognized CentOS. RHEL, yes. CentOS however does not hold the same 
'trusted standard' or clout as the major 'name brand' providers. Yes, 
the trouble is the versioning numbers used by RH. If the system 'is' RH, 
most of the time those 'exceptions' are noted by the scanner but you may 
find yourself trying to 'teach them' a lot. Hopefully they have improved 
on this front.

I really think much of this is no more than smoking mirrors. For 
instance they do not ask about username/password policies and obviously 
do not scan for such. So this scanning leaves a lot to be desired. After 
I met all scan problems, my affected clients discovered they just 
answered a question wrong and found that since CC processing was not 
actually happening on my systems, but instead through other processors, 
this all went away and ended the need to address the same issues 
(backports) for the same applications, sometimes still under the same 
version, just due to a new scan. Basically a huge waste of my time. But 
I must admit, I did learn of just a couple of areas which I did tighten 
up. The rest was just red tape and I started feeling one particular 
compliance company was more into self promotion of their service by 
showing these non-existent flaws. I suppose one could compare it to the 
AV companies that allow broken virus sigs to set off alarms. "We just 
saved your computer <!--from this item that had no potential of harming 
your computer-->."

But, if you must, I did find the Nessus output was fairly close to what 
the compliance companies found and gave me a bit of time to tune systems 
before the real scan. It has been a while, but I think Nessus found some 
things I thought more important, which the commercial scanner did not 
mention.

And hey, if you do breeze through with CentOS being recognized as a RHEL 
clone, I would love to hear about that back to this list.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
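The backport problem John describes, where a scanner keys on the upstream version string and misses fixes that Red Hat carried into the same version, can be checked locally against the package's own RPM changelog before arguing with the compliance vendor. The script below is an added example, not code from this thread or from any scanner vendor: it parses the text that `rpm -q --changelog <package>` prints, collects the CVE ids each entry names, and labels a list of scanner findings as either covered by a backport in the installed build or not named anywhere in the changelog. The package name, maintainer and CVE ids in the embedded sample are constructed placeholders, and the parser assumes the usual Red Hat-style header line (date, packager with an e-mail address, then the version-release).

```python
"""Cross-check scanner CVE findings against an RPM changelog (constructed example).

On RHEL/CentOS, security fixes are often backported without bumping the
upstream version, so a scanner that keys only on the version string reports
issues the installed package already fixes. Feed it the output of
`rpm -q --changelog <package>` on stdin plus the CVE ids the scanner named:

    rpm -q --changelog somepkg | python3 backport_check.py CVE-YYYY-NNNN ...

Run without arguments it uses the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Header line of an RPM changelog entry, e.g.
#   * Tue Jan 11 2011 Jane Packager <jane@example.com> - 1.2.3-4.el5_5
# Assumption: the packager field ends in an <e-mail>; the trailing
# version-release is optional because not every packager includes it.
CHANGELOG_HEADER = re.compile(
    r"^\* (?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{4}) "
    r"(?P<author>.*?>)\s*-?\s*(?P<evr>\S+)?\s*$"
)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample changelog; package, maintainer and CVE ids are
# placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Jan 11 2011 Jane Packager <jane@example.com> - 1.2.3-4.el5_5
- fix CVE-2011-99991 (placeholder id) without bumping upstream version
- fix CVE-2011-99992 (placeholder id)

* Mon Jun 14 2010 Jane Packager <jane@example.com> - 1.2.3-3.el5
- backport fix for CVE-2010-99990 (placeholder id)

* Wed Mar 10 2010 Jane Packager <jane@example.com> - 1.2.3-1.el5
- initial build
"""

FIXED = "fixed-by-backport"
UNKNOWN = "not-in-changelog"


@dataclass
class ChangelogEntry:
    date: str
    author: str
    evr: str                      # epoch:version-release, or "unknown"
    cves: List[str] = field(default_factory=list)


def parse_changelog(text: str) -> List[ChangelogEntry]:
    """Split rpm changelog text into entries, keeping rpm's newest-first order."""
    entries: List[ChangelogEntry] = []
    for line in text.splitlines():
        m = CHANGELOG_HEADER.match(line)
        if m:
            entries.append(ChangelogEntry(m["date"], m["author"], m["evr"] or "unknown"))
        elif entries:
            # Body lines belong to the most recent header; collect CVE ids once each.
            for cve in CVE_ID.findall(line):
                cve = cve.upper()
                if cve not in entries[-1].cves:
                    entries[-1].cves.append(cve)
    return entries


def backported_cves(text: str) -> Dict[str, str]:
    """Map each CVE named in the changelog to the oldest build whose entry names it.

    Entries come newest first, so letting a later (older) entry overwrite an
    earlier one leaves the first build that carried the fix.
    """
    fixed: Dict[str, str] = {}
    for entry in parse_changelog(text):
        for cve in entry.cves:
            fixed[cve] = entry.evr
    return fixed


def triage_findings(changelog_text: str,
                    scanner_cves: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Label each scanner-reported CVE for the installed package.

    Because the changelog is taken from the installed build, any CVE it names
    is already fixed in what is running. CVEs it does not name still need a
    look: a backport may have landed without citing the id.
    """
    fixed = backported_cves(changelog_text)
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for cve in scanner_cves:
        cve = cve.upper()
        report[cve] = (FIXED, fixed[cve]) if cve in fixed else (UNKNOWN, None)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        changelog, findings = sys.stdin.read(), sys.argv[1:]
    else:  # constructed scanner findings: two covered by backports, one not named
        changelog = SAMPLE_CHANGELOG
        findings = ["CVE-2011-99991", "CVE-2010-99990", "CVE-2011-99993"]
    for cve, (status, evr) in triage_findings(changelog, findings).items():
        print(f"{cve}: {status}" + (f" since {evr}" if evr else ""))
```

The "since" version is what you hand to the vendor as evidence when requesting a false-positive exception; anything reported as `not-in-changelog` is worth checking against the distribution's errata before deciding it is a real gap.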