Re: service version disclosure

On 6 January 2012 22:31, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
> Am 07.01.2012 06:13, schrieb Stephen John Smoogen:
>> On 6 January 2012 21:46, Kevin Kofler <kevin.kofler@xxxxxxxxx> wrote:
>>> Reindl Harald wrote:
>>>> would it not be a good idea to NOT disclosure service versions?
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=718133
>>>>
>>>> you will more and more have the "problem" of 3rd party
>>>> security scans to your servers and currently in the case
>>>> of openssh the only solution is to take the F16-src-rpm
>>>> and rebuild it for your F15 machines
>>>
>>> If the scan is looking at the version to determine vulnerability, it is
>>> completely broken, useless and unsupportable, because fixes can be
>>> backported.
>
> if you have a big customer which hires a 3rd party auditor
> you are NOT in the position to give such arguments or
> you can give them but you can not change ANYTHING in
> the fact that finally "fix it or shutdown the service"
> is what you have to do

Yes, if you have a big customer that is the case. I have been on the
receiving end of that "shutdown the service". In the case you are
mentioning, turning off warnings will not "fix" the problem. Many
auditors will use a secondary set of tools on systems that have no
version and then will label such systems at fault for falsifying data.

>> I am going with Kevin on this one. The real hacking tools check to see
>> if a vulnerability works or not. The broken "audit" scanners only
>> check to see if a header is this or that. Not putting the header only
>> gets you past the auditors and doesn't stop the real hacker from
>> getting in if the vulnerability is there.
>
> that is not the point
> the point is why in the world must we spit out versions?

Versions can be useful in everything from debugging to security
scanning. The difference is whether or not the auditor is going to do
a deep scan or not.

> yes, i know it is security by obscurity
> but does it hurt?

I have seen several breakins where the system administrator turned off
versions thinking that would protect him from breakins.

> if i need to know my version of sshd or any other service
> i make a "rpm -qa | grep package", if somebody else likes
> to know he has to tell the question as i have for foreign
> servers

The good auditing tools will make a best guess for a service using
either fingerprints or active vulnerability scans to figure out what
is running. Now in any case you have a customer who has an audit and
they need this fixed. What you need to do is find out what will fix it
for that customer without making it worse for them. If the audit rules
are that they need to run the latest software, then they need to run the
latest software, because it can cause larger problems if the audit
finds that the versions "lied to the auditors" about what was run. [In some
audits this is not the case, but more seem to be going to this
method.] Other audits' rules of engagement will want versions not to be
printed. In those cases a custom set of packages is usually required
if the version is hard-coded in the software.

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
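The thread turns on what a banner-only scanner can and cannot see. The following is an added example, not code from the thread, Fedora or any audit product: it parses SSH identification strings in the RFC 4253 form "SSH-protoversion-softwareversion SP comments" and applies a version-threshold check the way a naive scanner would. The minimum version (5.9p0) is a hypothetical audit policy, and every banner is constructed for the example; a "fail" on a distro build that has backported the fix is exactly the false positive Kevin describes, and the "unknown" result on a stripped banner is what Stephen says sends an auditor to secondary tooling.

```python
"""Banner-only version check for sshd, to show its blind spots.

Added example (not from the thread). The banners below are constructed
and the minimum version is a hypothetical audit threshold.
"""
import re
from typing import Optional

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^ \r\n]*)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)

# OpenSSH software versions look like OpenSSH_5.8p2 ("p" = portable release).
OPENSSH_RE = re.compile(
    r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?(?P<extra>.*)$"
)

# Hypothetical audit policy: anything below OpenSSH 5.9 is flagged.
MINIMUM_VERSION = (5, 9, 0)

# Constructed sample banners, one per imaginary host.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_5.9p1\r\n",                   # meets policy
    "host-b": "SSH-2.0-OpenSSH_5.8p2 constructed-distro\r\n",  # backport invisible
    "host-c": "SSH-2.0-\r\n",                                  # version stripped
    "host-d": "SSH-2.0-dropbear_2011.54\r\n",                  # not OpenSSH
}


def parse_banner(line: str) -> Optional[dict]:
    """Split an identification string into proto, software and comments."""
    m = BANNER_RE.match(line)
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def openssh_version(software: str) -> Optional[tuple]:
    """Return (major, minor, portable) for an OpenSSH_X.Y[pN] string, else None."""
    m = OPENSSH_RE.match(software)
    if m is None:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("portable") or 0))


def classify_by_banner(line: str, minimum: tuple = MINIMUM_VERSION) -> str:
    """What a banner-only scanner concludes: 'pass', 'fail' or 'unknown'.

    The check compares version numbers only. It cannot tell whether a
    distribution backported a fix into an older version, so a patched
    5.8p2 is reported as 'fail' just like an unpatched one.
    """
    parsed = parse_banner(line)
    if parsed is None:
        return "unknown"
    version = openssh_version(parsed["software"])
    if version is None:
        # Empty or non-OpenSSH software field: the scanner has nothing to
        # compare and will typically fall back to fingerprinting.
        return "unknown"
    return "pass" if version >= minimum else "fail"


def audit_hosts(banners: dict, minimum: tuple = MINIMUM_VERSION) -> dict:
    """Run the banner check over a host -> banner mapping."""
    return {host: classify_by_banner(banner, minimum) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in audit_hosts(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}  ({SAMPLE_BANNERS[host].strip()!r})")
```

Nothing in the banner of host-b distinguishes a 5.8p2 with the relevant fix backported from one without it, which is why a version-only verdict is unreliable in both directions; and removing the version entirely (host-c) does not produce a "pass", only an "unknown" that invites a deeper scan.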