Re: Is anybody else dealing with Security Metrics?




On 2/7/07, John Hinton <webmaster@xxxxxxxx> wrote:
Seems that some of the credit card processors demand the use of Security
Metrics to test their web hosting for meeting a fairly good security
standard.

First, it doesn't matter if they do online credit card processing or
not, just credit card processing period. This makes some sense, as
someone could hack in a form pretending to ask for this information...
so there is at least some risk.. and we all know credit card companies
ultimately want to achieve 0 risk. ;)

Anyway, the frustration is this and early on their reports even talked
about it. Redhat doesn't follow the normal numbering system for a lot of
their security updates for various packages. PHP is a great example of
the time. Security Metrics says I must be running 5.1 due to exploits in
earlier versions due to CANXXXX whereas Redhat has clearly addressed the
issue, sent out a patch and generally we have it installed 2 to 6 months
before SM starts a failing process.

---- The real question ----

Basically, I was wondering if there were many of you 'jumping through
these same hoops'? If there are, perhaps we as a group could do
something to get them to check for CentOS and then look for RHEL
versions in hopes of ending these hassles.

---- end real question ----

I have found that by contacting SM, they will make a correction to a
test once they know what you are running, but this seems to come up with
each and every test. And the testing is done by domain, not by server,
so you have to deal with each domain tested with the exact same crap..
which amounts to jumping through a hoop.

Also, I've come to realize that some of what they ask that you do,
equates to having your locked car in the driveway with the keys in your
pocket.. this fails... But, if you put those keys in a different locked
car beside it in the driveway and put the keys to that car in your
pocket, it passes. Very sad......

And never once have they considered talking about the very basics like a
good password policy. :(

One other thing that bothers me about them is they 'sell appliances'.
So, if your server/host can't pass or doesn't want to deal with it, we
can 'sell' them something, making more money which to me seems like a
conflict of interest for someone operating under the guise of security.

Try adding this to your httpd.conf:
ServerSignature Off
ServerTokens Prod

It will no longer show versions and modules.  I had a similar issue
thanks to backporting.

Grant
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
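An added example, not from anyone in this thread, to confirm that the two directives above took effect: it classifies an Apache `Server` header by `ServerTokens` level and lists what a banner-reading scanner could still extract from it. The sample banners are constructed, and the host to probe is an assumed command-line argument.

```python
"""Check what an Apache Server banner reveals, to verify that
ServerSignature Off / ServerTokens Prod took effect."""
import re
import sys
import http.client

# What each ServerTokens level puts in the Server header (shapes from the
# Apache httpd docs; the version numbers are constructed samples):
#   Prod  -> Apache
#   Major -> Apache/2
#   Minor -> Apache/2.2
#   Min   -> Apache/2.2.3
#   OS    -> Apache/2.2.3 (CentOS)
#   Full  -> Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3
_LEVELS = [
    ("Full",  r"^Apache/\d+\.\d+\.\d+ \([^)]*\) \S.*$"),
    ("OS",    r"^Apache/\d+\.\d+\.\d+ \([^)]*\)$"),
    ("Min",   r"^Apache/\d+\.\d+\.\d+$"),
    ("Minor", r"^Apache/\d+\.\d+$"),
    ("Major", r"^Apache/\d+$"),
    ("Prod",  r"^Apache$"),
]

def server_tokens_level(banner):
    """Return the ServerTokens level a Server header corresponds to."""
    banner = banner.strip()
    for level, pattern in _LEVELS:
        if re.match(pattern, banner):
            return level
    return "unknown"

def banner_leaks(banner):
    """Extract what a banner-driven scanner could read: httpd version,
    OS token and module versions (None / empty list when not exposed)."""
    m = re.match(r"^Apache(?:/([\d.]+))?(?: \(([^)]*)\))?(.*)$", banner.strip())
    if not m:
        return {"version": None, "os": None, "modules": []}
    return {"version": m.group(1), "os": m.group(2),
            "modules": m.group(3).split()}

def fetch_banner(host, port=80):
    """Send a HEAD request and return the Server header (None if absent)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", "/")
    banner = conn.getresponse().getheader("Server")
    conn.close()
    return banner

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed target
    banner = fetch_banner(host) or ""
    print("Server:", repr(banner), "->", server_tokens_level(banner), banner_leaks(banner))
```

Hiding the banner only changes what a scanner can read; whether the backported fix is actually installed is confirmed from the package changelog (`rpm -q --changelog httpd`).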
