On Fri, 2011-02-18 at 15:51 -0500, John Hinton wrote:
> Very good information, Ed. And yes, you will almost certainly be
> fighting with the compliance company, as I have not yet seen any who
> recognized CentOS. RHEL, yes. CentOS however does not hold the same
> 'trusted standard' or clout as the major 'name brand' providers. Yes,
> the trouble is the versioning numbers used by RH. If the system 'is' RH,
> most of the time those 'exceptions' are noted by the scanner but you may
> find yourself trying to 'teach them' a lot. Hopefully they have improved
> on this front.

McAfee (after they acquired HackerSafe) Secure recognizes the backported fixes. Even on CentOS...

> I really think much of this is no more than smoking mirrors. For
> instance they do not ask about username/password policies and obviously
> do not scan for such. So this scanning leaves a lot to be desired. After
> I met all scan problems, my affected clients discovered they just
> answered a question wrong and found that since CC processing was not
> actually happening on my systems, but instead through other processors,
> this all went away and ended the need to address the same issues
> (backports) for the same applications, sometimes still under the same
> version, just due to a new scan. Basically a huge waste of my time. But
> I must admit, I did learn of just a couple of areas which I did tighten
> up. The rest was just red tape and I started feeling one particular
> compliance company was more into self promotion of their service by
> showing these non-existent flaws. I suppose one could compare it to the
> AV companies that allow broken virus sigs to set off alarms. "We just
> saved your computer <!--from this item that had no potential of harming
> your computer-->."

Regarding CC processing, check version 2.0 of the DSS. On page 7, referring to the scope, I found the term "processed, stored or transmitted", so that may (or may not) change how you approach it.
> But, if you must, I did find the Nessus output was fairly close to what
> the compliance companies found and gave me a bit of time to tune systems
> before the real scan. It has been a while, but I think Nessus found some
> things I thought more important, which the commercial scanner did not
> mention.
>
> And hey, if you do breeze through with CentOS being recognized as a RHEL
> clone, I would love to hear about that back to this list.

Yep - McAfee is just fine with it...

-I

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
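The backport problem raised in the thread (a scanner keyed on upstream version strings flagging packages that RHEL/CentOS already patched) is normally settled by showing the package changelog. The following is an added example, not code from the thread or from the CentOS project: a POSIX shell check built on `rpm -q --changelog`, with a constructed changelog and placeholder CVE ids embedded so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the CentOS project.
# Red Hat backports fixes without bumping the upstream version, so the
# evidence that a CVE is fixed lives in the package changelog, which on a
# real RHEL/CentOS host comes from: rpm -q --changelog PKG

# Constructed sample of such a changelog; the CVE ids are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 10 2011 Example Maintainer <maint@example.invalid> - 0.9.8e-17
- fix CVE-0000-1111 (placeholder id, constructed for this example)
- fix CVE-0000-2222 (placeholder id, constructed for this example)
* Tue Nov 02 2010 Example Maintainer <maint@example.invalid> - 0.9.8e-16
- rebuild for new release'

# cve_fixed CVE-ID CHANGELOG_TEXT
# Exit 0 if the changelog names CVE-ID as a whole identifier, 1 otherwise.
# The digit guards stop CVE-0000-111 from matching CVE-0000-1111.
cve_fixed() {
    cve=$1
    changelog=$2
    printf '%s\n' "$changelog" | grep -qiE "(^|[^0-9])${cve}([^0-9]|$)"
}

# check_package PKG CVE-ID...
# On a real host: pull the installed package's changelog with rpm and
# report each CVE, so the output can be sent back to the scanning vendor.
check_package() {
    pkg=$1
    shift
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || {
        echo "$pkg: not installed"
        return 2
    }
    for cve in "$@"; do
        if cve_fixed "$cve" "$log"; then
            echo "$pkg: $cve fixed (backported; see changelog)"
        else
            echo "$pkg: $cve not mentioned in changelog; investigate"
        fi
    done
}
```

A finding that survives this check (the CVE is absent from the changelog of the installed package) is one to act on; a finding the changelog already covers is a version-string false positive.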