Reindl Harald wrote:
> If you have a big customer which hires a 3rd-party auditor,
> you are NOT in the position to give such arguments, or
> you can give them, but you cannot change ANYTHING in
> the fact that finally "fix it or shut down the service"
> is what you have to do.
They need to fire the auditor who doesn't understand security at all.
> If I need to know my version of sshd or any other service,
> I run "rpm -qa | grep package"; if somebody else wants
> to know, he has to ask the question, as I have to for foreign
> servers.
What's going to stop the auditor from running rpm -qa? (I assume a competent
auditor will request at least an unprivileged shell account to test for
local privilege escalation vulnerabilities.)
Kevin Kofler
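As an added illustration of the point both posters are making (not code from the thread or from any Fedora tool), the script below takes `rpm -qa`-style output and splits each line into name, version, release and arch, then looks up the installed version of a given package. This is exactly what an auditor with an unprivileged shell account can do regardless of whether a service announces its version over the network. The package lines are a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added example: parse "rpm -qa"-style lines (NAME-VERSION-RELEASE.ARCH)
# and read off the installed version of a package. Hiding a banner does
# not hide this from anyone who can run rpm on the box.
# The sample lines below are constructed for the example, not real data.

SAMPLE_RPM_QA='openssh-server-5.3p1-94.el6.x86_64
openssh-5.3p1-94.el6.x86_64
httpd-2.2.15-29.el6.centos.x86_64
gpg-pubkey-c105b9de-4e0fd3a3
kernel-2.6.32-358.18.1.el6.x86_64'

# nvra_split NAME-VERSION-RELEASE.ARCH
# Prints "name version release arch" on one line. Package names may
# contain dashes, but version and release never do, so the last two
# dash-separated fields are version and release; the arch is the text
# after the last dot of the release field. gpg-pubkey entries carry no
# arch, so the fourth field is empty for them.
nvra_split() {
    line=$1
    release_arch=${line##*-}          # RELEASE.ARCH (or bare RELEASE)
    case $release_arch in
        *.*) arch=${release_arch##*.}; release=${release_arch%.*} ;;
        *)   arch=""; release=$release_arch ;;
    esac
    rest=${line%-*}                   # NAME-VERSION
    version=${rest##*-}
    name=${rest%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# installed_version PKG [RPM_QA_OUTPUT]
# Prints "version-release" of PKG. The second argument defaults to the
# constructed sample; pass "$(rpm -qa)" to run it against a real host.
installed_version() {
    pkg=$1
    data=${2:-$SAMPLE_RPM_QA}
    printf '%s\n' "$data" | while IFS= read -r line; do
        set -- $(nvra_split "$line")
        if [ "$1" = "$pkg" ]; then
            printf '%s-%s\n' "$2" "$3"
        fi
    done
}

# Demo: print a small table of what the sample reveals.
for pkg in openssh-server httpd kernel; do
    printf '%-16s %s\n' "$pkg" "$(installed_version "$pkg")"
done
```

On a real system the same call is `installed_version openssh-server "$(rpm -qa)"`, which needs no privilege beyond a login shell. Note that the result is the package version, which on a distribution that backports fixes says nothing by itself about which security fixes are applied; that is the separate question the thread is arguing about.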