On 07.01.2012 15:40, Kevin Kofler wrote:
> Reindl Harald wrote:
>> if you have a big customer which hires a 3rd party auditor
>> you are NOT in the position to give such arguments or
>> you can give them but you can not change ANYTHING in
>> the fact that finally "fix it or shutdown the service"
>> is what you have to do
>
> They need to fire the auditor who doesn't understand security at all.

you know this, I know this, but things are not so easy :-)

>> if I need to know my version of sshd or any other service
>> I make a "rpm -qa | grep package", if somebody else likes
>> to know he has to tell the question as I have for foreign
>> servers
>
> What's going to stop the auditor from running rpm -qa? (I assume a competent
> auditor will request at least an unprivileged shell account to test for
> local privilege escalation vulnerabilities.)

I AM going to stop it: as long as I live, nobody out there will get shell access to a machine that also serves other customers, and it has to be enough to exclude mod_security for the scanner IP, while they initially wanted 2 class-C nets excluded, which will never happen.

I know that they are incompetent because they also classify a default "robots.txt" with any Disallow as "medium" and as something that has to be fixed - so yes, they should be fired, but I can not make this decision for a customer :-(
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
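The narrow exemption the message describes (one scanner address, not two class-C nets) looks like this in Apache with ModSecurity 2.x. This is an added illustration, not configuration from the thread or from any of its participants; the address 203.0.113.10 is a documentation-range placeholder standing in for the auditor's scanner, and the rule id is an arbitrary value in the user range.

```apache
# Added example, not from the thread: exempt a single auditor scanner host from
# ModSecurity blocking while keeping its hits in the audit log for later review.
# 203.0.113.10 is a placeholder for the scanner's real address.
<IfModule security2_module>
    SecRuleEngine On

    # Phase 1 evaluates before the request body is read. The anchored regex
    # matches exactly one host (a bare "^203\.0\.113\." would cover the whole
    # /24, which is the kind of blanket exclusion the message refuses).
    # DetectionOnly for this client means rules still fire and log, but do
    # not block, so the scanner's findings remain reviewable after the audit.
    SecRule REMOTE_ADDR "^203\.0\.113\.10$" \
        "id:1000001,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"
</IfModule>
```

Choosing `ctl:ruleEngine=DetectionOnly` rather than `Off` keeps the scan visible in the ModSecurity audit log, which is useful both for correlating the auditor's report with what actually reached the server and for confirming that the exemption was not used from any other address.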