On Wed, Jun 30, 2010, Frank Cox wrote:
>
> On Wed, 2010-06-30 at 15:14 -0400, m.roth@xxxxxxxxx wrote:
>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the
>> printers, and left it off. This, of course, slows things down a lot, but
>> it's "Secure".
>
> The point is that the security scan is supposed to be verifying that
> your setup is, in fact, secure. If you change your setup before running
> the scan, and then change it back immediately afterward, how is that
> verifying that your setup is, in fact, secure? What you scanned != what
> you are actually using.

There are fundamental problems with the PCI compliance checking that I've
seen. I've had them say that sites accept SSLv2 when they explicitly don't,
as a real test shows (e.g. use openssl in client mode to attempt to connect
using that protocol).

The one that really frosts me is that the systems we support use a
combination of tcp_wrappers, swatch, and software I've written that
automatically blocks IP addresses which exhibit malicious behaviour, similar
to fail2ban, but using a DNSRBL to automatically block sites that have been
identified as attackers. The PCI testers get blocked because of what appear
to be cracking attempts, then have the gall to say that the site fails
because it appears to have active firewalls. Well DUH!

Bill
--
INTERNET: bill@xxxxxxxxxxxxx   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676   Mercer Island, WA 98040-0820
Fax: (206) 232-9186   Skype: jwccsllc   (206) 855-5792

Democracy is the theory that the common people know what they want and
deserve to get it good and hard. == H.L. Mencken
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
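The independent check Bill describes (openssl in client mode against the live server) is the right way to settle a disputed SSLv2 finding: the scanner's report is a claim to verify, not a result to accept. The example below is added here and is not from the thread; it performs the same check without depending on an openssl build that still speaks SSLv2 (current builds do not), by sending a minimal SSLv2 ClientHello to a host you operate and classifying the first bytes that come back. The host and port are assumptions, and the reply bytes in the comments are constructed samples.

```python
import socket


def build_sslv2_client_hello() -> bytes:
    """Minimal SSLv2 CLIENT-HELLO: 2-byte record header (high bit set, length in
    the low 15 bits), msg type 0x01, version 0x0002, three 2-byte lengths,
    cipher specs (3 bytes each) and a 16-byte challenge."""
    ciphers = bytes.fromhex("010080") + bytes.fromhex("030080") + bytes.fromhex("060040")
    challenge = b"\x00" * 16                       # constructed; value is irrelevant here
    body = (b"\x01" + b"\x00\x02"
            + len(ciphers).to_bytes(2, "big")
            + (0).to_bytes(2, "big")               # no session id
            + len(challenge).to_bytes(2, "big")
            + ciphers + challenge)
    header = (0x8000 | len(body)).to_bytes(2, "big")
    return header + body


def classify_response(data: bytes) -> str:
    """Classify what a server sent back to the SSLv2 CLIENT-HELLO.

    Only 'sslv2-server-hello' confirms the scanner's finding; every other
    outcome means the server refused SSLv2 and the finding is a false positive.
    Sample replies (constructed): b''                      -> closed
                                  b'\\x15\\x03\\x01...'      -> tls-alert
                                  b'\\x81\\x00\\x04\\x00\\x01\\x00\\x02...' -> sslv2-server-hello
    """
    if not data:
        return "closed"                 # connection dropped without a handshake
    if data[0] & 0x80:                  # SSLv2-style record header
        if len(data) >= 7 and data[2] == 0x04 and data[5:7] == b"\x00\x02":
            return "sslv2-server-hello"  # SERVER-HELLO, version 2: SSLv2 is live
        if len(data) >= 3 and data[2] == 0x00:
            return "sslv2-error"         # SSLv2 ERROR message: offered ciphers refused
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"              # TLS-era stack answered with an alert record
    return "other"                      # anything else is not an SSLv2 acceptance


def check_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open one TCP connection to a server you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            reply = s.recv(16)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)
```

Run `check_sslv2("your.host.example")` against the server named in the scan report; if it returns anything but "sslv2-server-hello", the SSLv2 finding does not match the running system.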