[CentOS] Recommendation for a Good Vulnerability Scanning Service?

Fri Feb 18 21:22:54 UTC 2011
John Jasen <jjasen at realityfailure.org>

On 02/18/2011 03:09 PM, Michael B Allen wrote:

> HackerGuardian is a commercial service (it's actually "COMODO CA
> Limited"). Their scan looks thorough. Obviously they're just matching
> up version numbers with CVE notices but I have a feeling most of these
> guys are going to be doing the same thing. I was just hoping one would
> be more sophisticated about the fact that ALL of their "Fail" items
> I've checked so far are things that were backported or fixed by
> Red Hat.

Probably not. I've yet to see any vulnerability scanning service that
does much above running Nessus in safe mode (which only does banner grabs).

If you're prepared to monkey around with the scanner people, you can
request waivers, false positives, etc from the various companies,
proving that you're patched against the CVEs they're looking for.

If there is a really competent vendor out there, and if you're
comfortable with it, ask them to run a more thorough scan against your box.

> I just had to add N/A for
> questions like the "do you run anti-virus software" and explain that
> everything goes through the one Linux machine for which no anti-virus
> software exists or is necessary.

I would have marked that "other than satisfactory" in an audit. There
are AV products for Linux, and on a personal level, rootkit checks and
file integrity checks on a public CC handling server are a good idea.

>> I would *very* strongly recommend that you talk to the bank or agency
>> that's asking you for this, and ask them for recommendations.
> If you mean my merchant account service, they claim to be the largest
> Authorize.Net reseller, they sanity checked my SAQ C and thought I
> would be ready for approval as soon as I get a good scan.
> So Trustwave and Qualys ... I'll check them out.
> Thanks,

I'm faintly surprised they aren't in the scam racket of mandating you
use a certain vendor, or one of a select few.

-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
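The thread's core complaint is that a banner-grabbing scanner compares an advertised version against upstream CVE fix versions and so flags fixes that CentOS/Red Hat backported without bumping the version. The following added example (not code from the thread or from any scanner vendor) puts the two checks side by side: the naive banner rule, and a check of the RPM changelog (`rpm -q --changelog` output) for the CVE id, which is the evidence you would hand a vendor when requesting a false-positive waiver. The banner, package name, changelog text and the "fixed in 5.0" advisory are constructed sample data, and the CVE id is a placeholder.

```python
"""Banner-only scanner logic vs. an RPM changelog check for backported
fixes. Added example, not from the original thread. All sample data
below is constructed; CVE-0000-0001 is a placeholder, not a real advisory."""
import re

# Constructed sample: what a banner grab sees vs. what the package records.
BANNER = "SSH-2.0-OpenSSH_4.3"
RPM_NVR = "openssh-server-4.3p2-72.el5"           # constructed version-release
RPM_CHANGELOG = """\
* Mon Jan 01 2011 Example Maintainer <maint@example.invalid> - 4.3p2-72
- backport fix for CVE-0000-0001 (constructed placeholder)
* Mon Jun 01 2010 Example Maintainer <maint@example.invalid> - 4.3p2-41
- rebuild
"""

# Constructed "advisory": naive rule that OpenSSH below 5.0 is affected.
ADVISORY = {"cve": "CVE-0000-0001", "fixed_in_upstream": (5, 0)}

def banner_version(banner):
    """Extract (major, minor) from an SSH banner; None if no OpenSSH version."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def naive_scanner_verdict(banner, advisory):
    """Banner-only logic: 'vulnerable' whenever the advertised version
    predates the upstream fix. This is what produces false positives on
    distributions that backport fixes without changing the version."""
    ver = banner_version(banner)
    return ver is not None and ver < advisory["fixed_in_upstream"]

def changelog_cves(changelog):
    """Set of CVE ids cited in an RPM changelog (rpm -q --changelog <pkg>)."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))

def backport_verdict(changelog, advisory):
    """Package-level check: the fix is present if the changelog cites the CVE."""
    return advisory["cve"] in changelog_cves(changelog)

def assess(banner, changelog, advisory):
    """Return (scanner_says_vulnerable, changelog_shows_fix, is_false_positive)."""
    scanner = naive_scanner_verdict(banner, advisory)
    fixed = backport_verdict(changelog, advisory)
    return scanner, fixed, scanner and fixed

if __name__ == "__main__":
    # Scanner says vulnerable, changelog shows the backport: a false positive.
    print(RPM_NVR, assess(BANNER, RPM_CHANGELOG, ADVISORY))
```

On a real host, replace the constructed changelog with the output of `rpm -q --changelog <package>` and the advisory with the CVE the scanner report cites.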