[SATLUG] Open Source IA process

Daniel J. Givens daniel at rugmonster.org
Tue Apr 1 06:27:57 CDT 2008

R P Herrold wrote:
> On Mon, 31 Mar 2008, Sean I wrote:
>> Don't you LOVE IA validations....I just had to take 24 RHEL 4.5
>> Servers through it...they passed with flying colors but security still
>> whined about a few problems beyond my control (It is not my fault redhat
>> backports their crap).
> I guess I am confused -- if the RHEL (or CentOS) units passed with
> flying colors, why is it Red Hat's fault that the scanner used by
> 'security' looked at version strings, rather than the actual exploit.
> The 'crap' if any, seems to be in the imprecision of the alleged tool
> doing the scanning, or the shallowness of the training of the person
> running the scanner; you as the sysadmin can point to the CVE fixes for
> any package -- say: openssh -- trivially:
>     rpm -q --changelog openssh | grep CVE

I've seen this from auditors as well. They are given a set of tools and
told to run them. When version numbers don't match up, they freak out
and the admins are left to attempt to explain the concept of
back-porting. The problem is that it can get quite cumbersome to account
for all those CVEs when the install starts getting long in the tooth.
Imagine a RHEL2 box, with an errata page dating back to 2003, and having
to account for every CVE since then:

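The changelog check described in the thread, automated over a list of flagged CVE ids, as an added example that is not part of the original post. It parses changelog text rather than calling `rpm` directly so it runs offline; the changelog and the CVE ids below are constructed placeholders, not real errata.

```shell
#!/bin/sh
# Constructed sample changelog in the style of `rpm -q --changelog <pkg>`.
# The maintainer, versions and CVE ids are placeholders, not real errata.
SAMPLE_CHANGELOG='* Tue Mar 11 2008 Example Maintainer <maint@example.com> - 3.9p1-8
- backport fix for CVE-2008-0000 (placeholder id)
- CVE-2007-0000: tighten input handling (placeholder id)
* Mon Jan 01 2007 Example Maintainer <maint@example.com> - 3.9p1-7
- initial backport of upstream fix (CVE-2006-0000)'

# cves_in_changelog CHANGELOG_TEXT
# Prints every distinct CVE id mentioned in the changelog, sorted, one per line.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# check_cves CHANGELOG_TEXT CVE_ID...
# For each id the scanner flagged, prints "<id> fixed" if the changelog
# documents it (i.e. the fix was backported) or "<id> MISSING" otherwise.
# Returns 0 when every id was found, 1 when at least one is missing, so the
# exit status alone can drive an audit script.
check_cves() {
    changelog="$1"; shift
    found=$(cves_in_changelog "$changelog")
    rc=0
    for cve in "$@"; do
        if printf '%s\n' "$found" | grep -qx "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve MISSING"
            rc=1
        fi
    done
    return $rc
}

# On a real box, feed the live changelog instead of the sample, e.g.:
#   check_cves "$(rpm -q --changelog openssh)" CVE-XXXX-YYYY ...
check_cves "$SAMPLE_CHANGELOG" CVE-2008-0000 CVE-2006-0000 CVE-2005-0000
```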