[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Fri Feb 18 21:30:53 UTC 2011
Eero Volotinen <eero.volotinen at iki.fi>

2011/2/18 John Hinton <webmaster at ew3d.com>:
> On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
>>
>>> I haven't spoken with the hackerguardian people yet but it would be
>>> nice if I could just say "I'm using CentOS 5.5" and have them factor
>>> that into their report so that I can focus on any real issues. Are
>>> there vulnerability scanning services that are more or less
>>> sophisticated about this?
>> I'd suggest you educate yourself on the PCI compliance issue, and query
>> your prospective vendor(s) on what specific scans they run and/or how
>> these are tuned to specific operating environments.
>>
>> I'd tend to suspect that vuln/pen testing is going to be based more on
>> known vulnerabilities than your environment.
>
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,
> the trouble is the versioning numbers used by RH. If the system 'is' RH,
> most of the time those 'exceptions' are noted by the scanner but you may
> find yourself trying to 'teach them' a lot. Hopefully they have improved
> on this front.
>
> I really think much of this is no more than smoking mirrors. For
> instance they do not ask about username/password policies and obviously
> do not scan for such. So this scanning leaves a lot to be desired. After
> I met all scan problems, my affected clients discovered they just
> answered a question wrong and found that since CC processing was not
> actually happening on my systems, but instead through other processors,
> this all went away and ended the need to address the same issues
> (backports) for the same applications, sometimes still under the same
> version, just due to a new scan. Basically a huge waste of my time. But
> I must admit, I did learn of just a couple of areas which I did tighten
> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the
> AV companies that allow broken virus sigs to set off alarms. "We just
> saved your computer <!--from this item that had no potential of harming
> your computer-->."
>
> But, if you must, I did find the Nessus output was fairly close to what
> the compliance companies found and gave me a bit of time to tune systems
> before the real scan. It has been a while, but I think Nessus found some
> things I thought more important, which the commercial scanner did not
> mention.

Buy the Nessus Professional feed and download the PCI compliance checks for Nessus.
It gives you a good "baseline" for configurations and things that
need to be fixed.

--
Eero
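The thread's recurring complaint is that version-based scanners flag CentOS/RHEL packages as vulnerable because Red Hat backports fixes without bumping the upstream version string, and the admin then has to "teach" the compliance vendor that the fix is present. The usual evidence is the package changelog (`rpm -q --changelog <pkg>`), which lists the CVE ids each release addressed. The script below is an added example, not code from any poster or from Nessus or a compliance vendor: it parses a saved changelog and triages a list of scanner-reported CVE ids into "backported" versus "needs investigation". The changelog text, the package name and all CVE ids in it are constructed placeholders, not real identifiers.

```python
"""Triage version-based scanner findings against an installed RPM's changelog.

Assumed workflow (an assumption of this example, not from the thread):
  1. on the host:  rpm -q --changelog httpd > httpd-changelog.txt
  2. collect the CVE ids the scanner reported for that package
  3. run triage(findings, changelog_text) and attach the result to the
     false-positive dispute sent to the scanning vendor.
"""
import re
import sys
from typing import Dict, Iterable

# CVE identifiers as they appear in changelog lines (case-insensitive).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# An rpm changelog entry header looks like:
#   * Tue Mar 02 2010 Packager Name <email> - 2.2.3-43
# We only need the trailing version-release (EVR) after the last " - ".
ENTRY_RE = re.compile(r"^\*\s.*\s-\s(?P<evr>\S+)\s*$")

# Constructed sample changelog; the CVE ids are placeholders, not real CVEs.
SAMPLE_CHANGELOG = """\
* Tue Mar 02 2010 Example Packager <packager@example.invalid> - 2.2.3-43
- add security fix for CVE-0000-1111 (constructed id)
- add security fix for CVE-0000-2222 (constructed id)

* Mon Nov 16 2009 Example Packager <packager@example.invalid> - 2.2.3-31
- fix for CVE-0000-3333 (constructed id)
"""


def parse_changelog(text: str) -> Dict[str, str]:
    """Map each CVE id in the changelog to the release whose entry mentions it.

    `rpm -q --changelog` prints only the installed package's history, newest
    entry first, so any CVE found here is already fixed on this host. The
    first (newest) mention wins if a CVE appears in several entries.
    """
    fixed: Dict[str, str] = {}
    current_evr = "unknown"
    for line in text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            current_evr = header.group("evr")
            continue
        for cve in CVE_RE.findall(line):
            fixed.setdefault(cve.upper(), current_evr)
    return fixed


def triage(findings: Iterable[str], changelog_text: str) -> Dict[str, str]:
    """Classify scanner-reported CVE ids against the package changelog.

    A CVE present in the changelog is evidence of a backported fix; a CVE
    absent from it is not proof of exposure, only that the changelog cannot
    clear it, so it still needs a human look.
    """
    fixed = parse_changelog(changelog_text)
    report: Dict[str, str] = {}
    for raw in findings:
        cve = raw.strip().upper()
        if cve in fixed:
            report[cve] = f"backported in {fixed[cve]}"
        else:
            report[cve] = "not in changelog: investigate"
    return report


if __name__ == "__main__":
    # Usage: python triage.py httpd-changelog.txt CVE-... CVE-...
    # With no arguments the constructed sample above is used.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            changelog = fh.read()
        reported = sys.argv[2:]
    else:
        changelog = SAMPLE_CHANGELOG
        reported = ["CVE-0000-1111", "cve-0000-3333", "CVE-0000-9999"]
    for cve, verdict in sorted(triage(reported, changelog).items()):
        print(f"{cve}: {verdict}")
```

The changelog check only settles the cases it can settle: a CVE that is listed is a documented backport you can cite back to the vendor, while one that is missing still has to be verified another way (errata notice, vendor advisory, or an actual test), which is the distinction the thread draws between the scanner's "non-existent flaws" and the "couple of areas" that genuinely needed tightening.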