Old 11-13-2009, 02:59 PM
Matt McCants
 
Default Debian PCI Question

Greetings everyone!

Does anyone here have PCI audits being done on their Debian boxes? The
company I work for uses TrustKeeper and the one Debian box I've managed
to get my boss to allow keeps failing unjustly. Usually they fail us due
to version strings only (Saying anything less than the latest version is
insecure [hah!]), and when I appeal that, they fail us for reasons that
don't even affect us. In the latest test, they failed our Debian server
citing:

http://security-tracker.debian.org/tracker/CVE-2009-2699
http://security-tracker.debian.org/tracker/CVE-2009-3095
http://security-tracker.debian.org/tracker/CVE-2009-3094

The first is self explanatory, and as for mod_proxy_ftp, I don't even
have that loaded. My boss doesn't trust anything besides RedHat, and
this is not helping at all. I'm going to be calling TrustKeeper today
and see if I can talk to anyone about this.

Also I know I'm not alone in the world thinking that backporting
security fixes is much more secure than installing the latest versions.
Right?

Thanks for your time,
Matt




--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 11-13-2009, 09:33 PM
Florian Weimer
 
Default Debian PCI Question

* Matt McCants:

> Does anyone here have PCI audits being done on their Debian boxes?

Yes, we hear about that from time to time.

> The company I work for uses TrustKeeper and the one Debian box I've
> managed to get my boss to allow keeps failing unjustly. Usually they
> fail us due to version strings only (Saying anything less than the
> latest version is insecure [hah!]), and when I appeal that, they
> fail us for reasons that don't even affect us.

There are probably companies that provide a more thorough analysis.

> http://security-tracker.debian.org/tracker/CVE-2009-2699
> http://security-tracker.debian.org/tracker/CVE-2009-3095
> http://security-tracker.debian.org/tracker/CVE-2009-3094

> The first is self explanatory, and as for mod_proxy_ftp, I don't even
> have that loaded.

The other two are already fixed in stable-proposed-updates in
2.2.9-10+lenny5, so you could upgrade to that version.

The general issue is difficult to address, I'm afraid.


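Matt's complaint and Florian's answer hinge on the same point: a scanner keyed to the upstream version string cannot see a Debian security backport, whereas the Debian revision (Florian's 2.2.9-10+lenny5) and the package changelog can. The Python below is an added example, not code from the thread or from Debian: it reimplements dpkg's version ordering and checks a constructed changelog excerpt (not the real apache2 changelog) for the CVE ids cited above, the kind of evidence to put beside `dpkg -l` output when answering an auditor.

```python
import itertools
import re

# Constructed changelog excerpt for illustration, not the real apache2 changelog.
CHANGELOG = """\
apache2 (2.2.9-10+lenny5) stable-proposed-updates; urgency=high
  * Backport upstream fixes for CVE-2009-3094 and CVE-2009-3095 (mod_proxy_ftp)
apache2 (2.2.9-10+lenny4) stable-security; urgency=high
  * Backport upstream fix for CVE-2009-1891 (mod_deflate)
"""

def _order(ch):
    """dpkg's per-character weight: '~' sorts before the empty string, letters before others."""
    if ch.isalpha(): return ord(ch)
    return -1 if ch == "~" else (ord(ch) + 256 if ch else 0)

def _cmp_part(a, b):
    """dpkg ordering: alternate non-digit runs (per-char weight) and digit runs (numeric)."""
    runs = re.compile(r"(\D*)(\d*)")
    for (sa, na), (sb, nb) in itertools.zip_longest(runs.findall(a), runs.findall(b), fillvalue=("", "")):
        n = max(len(sa), len(sb))   # pad with 0 so "~" sorts below end-of-string, as in dpkg
        wa = [_order(c) for c in sa] + [0] * (n - len(sa))
        wb = [_order(c) for c in sb] + [0] * (n - len(sb))
        if wa != wb: return 1 if wa > wb else -1
        if int(na or 0) != int(nb or 0): return 1 if int(na or 0) > int(nb or 0) else -1
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_version_cmp(a, b):
    """-1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    for c in (ea - eb, _cmp_part(ua, ub), _cmp_part(ra, rb)):
        if c: return 1 if c > 0 else -1
    return 0

_ENTRY = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)   # "package (version) distribution; ..."

def fixed_versions(changelog, cve):
    """Versions whose changelog entry mentions the CVE id."""
    entries = list(_ENTRY.finditer(changelog))
    ends = [m.start() for m in entries[1:]] + [len(changelog)]
    return [m.group(2) for m, e in zip(entries, ends) if cve in changelog[m.end():e]]

def is_fixed(installed, changelog, cve):
    """True when the installed version is at or above one whose changelog entry fixed the CVE."""
    return any(deb_version_cmp(installed, v) >= 0 for v in fixed_versions(changelog, cve))
```

On a real box the changelog comes from /usr/share/doc/<package>/changelog.Debian.gz and the installed version from `dpkg-query -W <package>`; a CVE with no changelog hit (like CVE-2009-2699 here) is reported as unfixed rather than guessed at.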
 
Old 11-14-2009, 03:50 AM
"Todd A. Jacobs"
 
Default Debian PCI Question

On Fri, Nov 13, 2009 at 10:59:34AM -0500, Matt McCants wrote:

> Does anyone here have PCI audits being done on their Debian boxes? The

I conduct (and remediate) PCI audits all the time. Your problem seems
political, not technical. PCI requires that systems be patched, not that
they are the latest-and-greatest software revisions.

Any audit process needs room for technical justification. If your boss
is using an audit as an excuse to ditch Debian for Red Hat...well, at
least he isn't trying to migrate you to Xandros.

Any good auditor should be able to provide you with an acceptable
remediation option. If you aren't being told what would remediate
whatever is making them unhappy, then you aren't getting your money's
worth, whether they are inside auditors or outside auditors.

Good luck!

--
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"


 