[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Mon Feb 21 00:01:44 UTC 2011
Ian Forde <ianforde at gmail.com>

On Fri, 2011-02-18 at 15:51 -0500, John Hinton wrote:
> Very good information, Ed. And yes, you will almost certainly be 
> fighting with the compliance company, as I have not yet seen any who 
> recognized CentOS. RHEL, yes. CentOS however does not hold the same 
> 'trusted standard' or clout as the major 'name brand' providers. Yes, 
> the trouble is the versioning numbers used by RH. If the system 'is' RH, 
> most of the time those 'exceptions' are noted by the scanner but you may 
> find yourself trying to 'teach them' a lot. Hopefully they have improved 
> on this front.

McAfee (after they acquired HackerSafe) Secure recognizes the backported
fixes.  Even on CentOS...

> I really think much of this is no more than smoking mirrors. For 
> instance they do not ask about username/password policies and obviously 
> do not scan for such. So this scanning leaves a lot to be desired. After 
> I met all scan problems, my affected clients discovered they just 
> answered a question wrong and found that since CC processing was not 
> actually happening on my systems, but instead through other processors, 
> this all went away and ended the need to address the same issues 
> (backports) for the same applications, sometimes still under the same 
> version, just due to a new scan. Basically a huge waste of my time. But 
> I must admit, I did learn of just a couple of areas which I did tighten 
> up. The rest was just red tape and I started feeling one particular 
> compliance company was more into self promotion of their service by 
> showing these non-existent flaws. I suppose one could compare it to the 
> AV companies that allow broken virus sigs to set off alarms. "We just 
> saved your computer <!--from this item that had no potential of harming 
> your computer-->."

Regarding CC processing, check version 2.0 of the DSS.  On page 7,
referring to the scope, I found the term, "processed, stored or
transmitted", so that may (or may not) change how you approach it.

> But, if you must, I did find the Nessus output was fairly close to what 
> the compliance companies found and gave me a bit of time to tune systems 
> before the real scan. It has been a while, but I think Nessus found some 
> things I thought more important, which the commercial scanner did not 
> mention.
> And hey, if you do breeze through with CentOS being recognized as a RHEL 
> clone, I would love to hear about that back to this list.

Yep - McAfee is just fine with it...