2011/2/18 John Hinton <webmaster at ew3d.com>:
> On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>>
>>> I haven't spoken with the hackerguardian people yet but it would be
>>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>>> that into their report so that I can focus on any real issues. Are
>>> there vulnerability scanning services that are more or less
>>> sophisticated about this?
>>
>> I'd suggest you educate yourself on the PCI compliance issue, and query
>> your prospective vendor(s) on what specific scans they run and/or how
>> these are tuned to specific operating environments.
>>
>> I'd tend to suspect that vuln/pen testing is going to be based more on
>> known vulnerabilities than your environment.
>
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,
> the trouble is the versioning numbers used by RH. If the system 'is' RH,
> most of the time those 'exceptions' are noted by the scanner but you may
> find yourself trying to 'teach them' a lot. Hopefully they have improved
> on this front.
>
> I really think much of this is no more than smoking mirrors. For
> instance they do not ask about username/password policies and obviously
> do not scan for such. So this scanning leaves a lot to be desired. After
> I met all scan problems, my affected clients discovered they just
> answered a question wrong and found that since CC processing was not
> actually happening on my systems, but instead through other processors,
> this all went away and ended the need to address the same issues
> (backports) for the same applications, sometimes still under the same
> version, just due to a new scan. Basically a huge waste of my time. But
> I must admit, I did learn of just a couple of areas which I did tighten
> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the
> AV companies that allow broken virus sigs to set off alarms. "We just
> saved your computer <!--from this item that had no potential of harming
> your computer-->."
>
> But, if you must, I did find the Nessus output was fairly close to what
> the compliance companies found and gave me a bit of time to tune systems
> before the real scan. It has been a while, but I think Nessus found some
> things I thought more important, which the commercial scanner did not
> mention.

Buy the Nessus professional feed and download the PCI compliance checks for Nessus. It gives you a good "baseline" for configurations and things that need to be fixed.

-- 
Eero
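The backport problem John describes (a scanner flags a CVE from the upstream version string even though Red Hat/CentOS shipped the fix under the same version) is usually answered by reading the package's RPM changelog, which lists the CVE ids each rebuild resolved. The script below is an added example, not code from the thread; it pulls CVE ids out of `rpm -q --changelog` text and splits a scanner's findings into "already fixed by a backport" and "still open". The changelog text and CVE ids in it are constructed placeholders, not real advisories.

```python
"""Triage version-based scanner findings against an RPM changelog.

Added example for the mailing-list thread above. RHEL/CentOS backport
security fixes without bumping the upstream version, so a scanner that
keys on the version string reports the CVE as open. `rpm -q --changelog`
shows which CVEs the packager actually fixed; this extracts them and
matches them against the scanner's list. All ids below are placeholders.
"""
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the rpm changelog format; the CVE ids are fake placeholders.
SAMPLE_CHANGELOG = """\
* Tue Jan 04 2011 Example Maintainer <maint@example.invalid> - 2.2.3-45
- Resolves: CVE-2010-99901 (placeholder id, not a real advisory)
- Resolves: CVE-2010-99902, CVE-2010-99903
* Mon Mar 15 2010 Example Maintainer <maint@example.invalid> - 2.2.3-31
- Resolves: CVE-2009-99904
"""


def cves_in_changelog(text):
    """Return the set of CVE ids mentioned anywhere in rpm changelog text."""
    return set(CVE_RE.findall(text))


def rpm_changelog(package):
    """Fetch the live changelog for an installed package (needs rpm on the host)."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=True)
    return out.stdout


def triage(findings, changelog_text):
    """Split scanner findings into (fixed by a backport, still to investigate)."""
    fixed = cves_in_changelog(changelog_text)
    covered = sorted(c for c in findings if c in fixed)
    still_open = sorted(c for c in findings if c not in fixed)
    return covered, still_open


if __name__ == "__main__":
    # Constructed scanner findings for the hypothetical package above.
    findings = ["CVE-2010-99901", "CVE-2009-99904", "CVE-2011-99905"]
    covered, still_open = triage(findings, SAMPLE_CHANGELOG)
    print("fixed by backport:", covered)
    print("still to investigate:", still_open)
```

The "covered" list is what you hand the scanning vendor as evidence; anything in "still to investigate" needs a real look rather than a version argument.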