Tony Placilla <aplacilla@xxxxxxx>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University
>>> On Wed, Feb 13, 2008 at 10:01 AM, in message
<E2BB8074E5500C42984D980D4BD78EF901FAFEF4@xxxxxxxxxxxxxxxxxxxxx>, "Ross S. W.
Walker" <rwalker@xxxxxxxxxxxxx> wrote:
> Johnny Hughes wrote:
>>
>> Bob Boilard wrote:
>> > Hello all,
>> >
>> > I love CentOS, but I am seriously regretting selecting
>> Centos 4.4 for my
>> > production hosting servers. The current situation with
>> CentOS 4.4 and being
>> > stuck at Apache 2.0.52 is a huge problem because of the new
>> requirements for
>> > the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
>> > compliance scans. which means no ecommerce on any of these
>> servers - MAJOR
>> > ISSUE. So my question to the community is: when are new
>> Apache RPM's going
>> > to be released or at minimum a backported version that
>> plugs these security
>> > holes so we can pass PCI scans. Apache 2.0.52 has some
>> major issues that
>> > need to be dealt with?
>> >
>>
>> I am almost positive that this issue is one of the scan
>> software using
>> version numbers and not understanding that RHEL backports fixes.
>
> It is a big fear of mine that this may become more and more
> of an issue when government agencies start setting stricter
> and stricter software compliance guidelines.
>
> The agencies don't know what security backports vendor XYZ
> has implemented and frankly they don't care. All they have
> is a list of minimum version numbers that software must be
> at in order for it to be deemed "compliant".
>
> I think we will start seeing this in the PCI and HIPA
> compliance regulations first, but I wouldn't be surprised
> if it leaks out into GLBA and other regulations over time.
>
> I think it will be these compliance issues that may force
> upstream to change their strategy otherwise I can see this
> being a roadblock to RHEL/CentOS adoption in these
> industries in the future.
>
> -Ross
>
In a previous life I did PCI compliance for the company I worked for & I ran into this quite often. The scanners would only report on versions & we'd get "out of compliance" which caused no end of hand-wringing from the higher-ups.
However, the certifying parties we used had an appeals process & I could almost always boilerplate the output of
rpm -q --changelog httpd |grep -i cve
and send them proof of the backported fixes. They would then remove the "compliance failure"
Obviously IANAL & things could change with PCI certification vendors & such, but this might be worth investigating
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
