John Hinton wrote:
> On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>>
>>> I haven't spoken with the hackerguardian people yet but it would be
>>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>>> that into their report so that I can focus on any real issues. Are
>>> there vulnerability scanning services that are more or less
>>> sophisticated about this?
>>
>> I'd suggest you educate yourself on the PCI compliance issue, and query
>> your prospective vendor(s) on what specific scans they run and/or how
>> these are tuned to specific operating environments.
>>
>> I'd tend to suspect that vuln/pen testing is going to be based more on
>> known vulnerabilities than your environment.
>
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS, however, does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers.

Yes, if you do talk to Trustwave, and they're not too expensive, they *use* CentOS.

> I really think much of this is no more than smoking mirrors.

For "smoke and mirrors"

<snip>

> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self-promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the

They're all that way.

<snip>

mark