I Hate PCI Scans

So my cc processor started using a new PCI scanning company, 403 labs, and they totally suck. They found just about every server, apache, openssh, postfix, dovecot... blah, to be at an old version. So I marked them as false positives because CentOS does back-porting.

Well, they emailed me asking for the links to all the errata info for the patches that were applied... I have no idea where I would even find that! They said they can't accept my false positives without these links.

Do you guys know where those would be? I should have just turned off the version info banners instead of marking them as false positives, but now they are suspicious of me or something.

Scanning companies are typically familiar with the idea that CentOS, RHEL, and other Linux distros backport security fixes into older software revisions. It's usually enough to say that you're using a current Linux distribution, with fully up to date software.

However, you can get a list of the security updates made for CentOS... I'm not seeing one jump out at me on the CentOS site, though I do see one here:


Also, the RHEL one should be identical to the one for CentOS:


Thanks. They apparently are more thorough than the others, I guess. They are asking for proof of every single false positive; it's a total waste of my time. Makes me want to use a distro that doesn't do back-porting.

I work for a very large (and I do mean large) web hosting company as a systems administrator. We deal with PCI scans on a daily basis. The company itself should have this information if you just provide them with the actual version numbers of the software they are complaining about. (Otherwise they wouldn't know what versions have what vulnerabilities, right?) They should not be making you track this information down.

But yes, in the future what I would do is firewall off their scanners in iptables and only give them one piece of software to scan, such as Apache. Makes life simpler for you =)
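The two practical suggestions in this thread (hand the scanner the real package versions and the errata behind them, and restrict what the scanner can reach) can both be scripted. The script below is an added example, not something posted by anyone in the thread. It assumes an RPM-based host such as CentOS, where `rpm -q --changelog <package>` lists the backported fixes by CVE id; the changelog text embedded here is constructed for the demo, and the scanner IP 203.0.113.10, the port, and the chain name PCISCAN are placeholders. The CVE ids the changelog turns up are what you look up in the CentOS or Red Hat errata announcements when the scanner asks for links. One caveat on the firewall part: hiding a service from the scanner does not patch it, so only restrict the scanner to what your real perimeter already blocks from the internet, otherwise the scan stops telling you anything useful.

```shell
#!/bin/sh
# Added example (not from the original thread). Two helpers:
#  1. cve_evidence: pull the changelog entries that mention a CVE id, to show
#     a scanner that a backported fix is present even though the upstream
#     version number never changed.
#  2. scanner_rules: print iptables rules that let one scanner IP reach a
#     single TCP port and nothing else.

# Usage on a real host:   rpm -q --changelog openssh | cve_evidence CVE-2008-5161
# Prints the "* date packager - version-release" header of each changelog
# entry that mentions the CVE, followed by the matching line(s).
cve_evidence() {
    cve="$1"
    awk -v cve="$cve" '
        /^\* / { hdr = $0; next }                 # remember the entry header
        index($0, cve) {                          # line mentions the CVE id
            if (hdr != shown) { print hdr; shown = hdr }
            print "  " $0
        }
    '
}

# Print (do not apply) iptables rules confining one scanner source address
# to a single TCP port. Pipe into "sh" as root to apply; persist with your
# distribution's iptables save mechanism. PCISCAN is a placeholder chain name.
scanner_rules() {
    scanner="$1"; port="$2"
    cat <<EOF
iptables -N PCISCAN
iptables -A PCISCAN -p tcp --dport $port -j ACCEPT
iptables -A PCISCAN -j DROP
iptables -I INPUT 1 -s $scanner -j PCISCAN
EOF
}

# Constructed sample standing in for real "rpm -q --changelog openssh" output.
# Packager, dates, release numbers and the CVE line are made up for the demo.
SAMPLE_CHANGELOG='* Mon Mar 02 2009 Example Packager <packager@example.com> - 4.3p2-36
- fix CVE-2008-5161 CBC plaintext recovery (backported, upstream version unchanged)

* Tue Jan 06 2009 Example Packager <packager@example.com> - 4.3p2-35
- spec file cleanup, no security changes'

# Demo run: show the evidence for one CVE, then the rules for a scanner
# that should only see the HTTPS front end.
echo "== changelog evidence for CVE-2008-5161 =="
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_evidence CVE-2008-5161
echo "== scanner rules (placeholder IP 203.0.113.10, port 443) =="
scanner_rules 203.0.113.10 443
```

On a real CentOS box, `rpm -q openssh` gives the full name-version-release string (the `-36` style release suffix is where the backports accumulate), which is the "actual version number" the hosting admin above suggests sending to the scanning company along with the changelog lines.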