On 18 January 2012 20:06, <bsekle...@fedex.com> wrote:
> For PCI compliance scanners, one is probably better off obfuscating the
> version string by adding:
>
> ServerTokens Prod
>
> ...and then, if the scanner is half a loaf, it will attempt to exploit any
> known CVEs independent of the discovered version string.
I deal with PCI Scans regularly. Very very very few of them will attempt to exploit anything. What they will do is attempt to detect the version of the program running on that port and spew out every single CVE that affects it. If you hide your version, they tend to spew out even more irrelevant CVE numbers for every possible version it could be.

Your best defence is to look each vulnerability up in http://www.redhat.com/security/data/cve/, post the links, request they are marked as False Positives and then slap in the link explaining backporting as well in the forlorn hope it will educate them.

It still amazes me though - I work for a top tier hosting company. If I make the statement "this is a fully patched RHEL 5.6 EUS OS, all outstanding patches have been addressed", I'm not making it up and still several PCI Scan Vendors want to argue the point with me for every single scan.

And as far as I remember, the PCI DSS standard says that you need to install all vendor patches within a certain time scale. I don't believe it says that you need to patch every CVE immediately - PCI Scans are a licence to install a copy of Nessus and print money.

--
Sam

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
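A triage helper for the "look each CVE up and dispute it" step described above, added here as an example and not part of the thread: it takes a scanner's CVE list and the package changelog (on RHEL that is the output of `rpm -q --changelog httpd`, which records backported CVE fixes) and separates findings already fixed by a backport from those that still need a real look. The changelog text, scanner lines, versions and CVE ids below are constructed placeholders, not real Red Hat or scanner data.

```python
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed stand-in for `rpm -q --changelog httpd` output on a RHEL 5 host.
# Versions and CVE ids are placeholders, not real Red Hat data.
SAMPLE_CHANGELOG = """\
* Tue Jan 10 2012 Example Packager <packager@example.com> - 2.2.3-53.el5_7.3
- Resolves: CVE-0000-0001 (placeholder) backported fix for mod_example
- Resolves: CVE-0000-0002 (placeholder)

* Mon Jun 06 2011 Example Packager <packager@example.com> - 2.2.3-53.el5_7.1
- Resolves: CVE-0000-0003 (placeholder)
"""

# Constructed scanner report lines: the scanner saw "Apache/2.2.3" and listed
# every CVE it associates with that version string.
SAMPLE_SCAN_REPORT = """\
80/tcp  Apache/2.2.3  CVE-0000-0001  High
80/tcp  Apache/2.2.3  CVE-0000-0003  Medium
80/tcp  Apache/2.2.3  CVE-0000-0009  High
"""


def cves_fixed_in_changelog(changelog: str) -> Dict[str, str]:
    """Map each CVE id named in the changelog to the version-release of the
    stanza that names it. Stanza headers start with '*' and end with the
    version-release string, which is rpm's usual changelog layout."""
    fixed: Dict[str, str] = {}
    version = "unknown"
    for line in changelog.splitlines():
        if line.startswith("*"):
            version = line.split()[-1]
        for cve in CVE_RE.findall(line):
            fixed.setdefault(cve, version)  # keep the earliest fixing release
    return fixed


def triage(scan_report: str, changelog: str) -> Tuple[Dict[str, str], List[str]]:
    """Split the scanner's CVE list into findings already addressed by a
    backported fix (dispute as false positives, citing the changelog entry)
    and findings with no changelog evidence (still need investigation)."""
    fixed = cves_fixed_in_changelog(changelog)
    reported = sorted(set(CVE_RE.findall(scan_report)))
    addressed = {cve: fixed[cve] for cve in reported if cve in fixed}
    still_open = [cve for cve in reported if cve not in fixed]
    return addressed, still_open
```

A changelog mention is evidence for the dispute, not proof on its own; the Red Hat CVE database linked above remains the authoritative source for whether a given erratum fixes a CVE.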