Re: service version disclosure

Reindl Harald wrote:
> if you have a big customer which hires a 3rd party auditor
> you are NOT in the position to give such arguments or
> you can give them but you can not change ANYTHING in
> the fact that finally "fix it or shutdown the service"
> is what you have to do

They need to fire the auditor who doesn't understand security at all.

> if i need to know my version of sshd or any other service
> i make a "rpm -qa | grep package", if somebody else likes
> to know he has to tell the question as i have for foreign
> servers

What's going to stop the auditor from running rpm -qa? (I assume a competent 
auditor will request at least an unprivileged shell account to test for 
local privilege escalation vulnerabilities.)

        Kevin Kofler

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
