----- Original Message -----
From: "Su Zhang" <westlifezs(a)gmail.com>
To: "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
Sent: Tuesday, November 17, 2015 2:08:52 AM
Subject: are there any vulnerable images available that can be detected by the scanner?

> Hello all,
> I am looking for an image of an old version with lots of
> vulnerabilities. However, even though I could find old images, they are not
> considered as vulnerable images by the scanner. All the tests are false
> based on my experience so far. For example, I followed the instruction at
> http://www.open-scap.org/resources/documentation/perform-vulnerability-sc...
> With that instruction, I scanned a CentOS6 published in 2011 (image url:
> http://archive.kernel.org/centos-vault/6.0/isos/i386/CentOS-6.0-i386-Live...).
> Surprisingly, no vulnerability is detected (all the vulnerability
> validations are false)...

The tutorial is for RHEL6; the CVE feed listed there only applies to RHEL6.
The vulnerabilities it can find are RHEL6 vulnerabilities; you won't
find those in any CentOS6 image. It cannot find CentOS6 vulnerabilities.
Try it with an old RHEL6 version.

> Am I doing something wrong, or are those old images super safe?

No, the images are not super safe.

--
Martin Preisler
Security Technologies | Red Hat, Inc.
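
Added example (not part of the original thread, and not OpenSCAP or Red Hat code): a pre-scan check, following the reply above, that reads the platforms an OVAL feed declares and compares them with the host's release line. The embedded feed, its ids and the release strings are constructed, and the product-name-plus-major-version match is a simplifying assumption, not the scanner's own evaluation logic.

```python
import re
import xml.etree.ElementTree as ET

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample: a minimal OVAL definitions fragment.
# The definition id and title are placeholders, not real advisories.
SAMPLE_FEED = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="patch" id="oval:example.placeholder:def:1" version="1">
      <metadata>
        <title>Placeholder advisory</title>
        <affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""

def feed_platforms(oval_xml):
    """Return the set of platform names declared in the feed's metadata."""
    root = ET.fromstring(oval_xml)
    return {p.text.strip()
            for p in root.iterfind(".//oval:affected/oval:platform", OVAL_NS)
            if p.text}

def parse_release(release_line):
    """Split an /etc/redhat-release style line into (product, major version)."""
    m = re.match(r"^(.*?)\s+release\s+(\d+)", release_line.strip())
    if not m:
        raise ValueError("unrecognised release line: %r" % release_line)
    return m.group(1), m.group(2)

def feed_covers_host(oval_xml, release_line):
    """True if any platform in the feed names this product and major version."""
    product, major = parse_release(release_line)
    for platform in feed_platforms(oval_xml):
        # Assumption: platform strings end in the major version number.
        name, _, version = platform.rpartition(" ")
        if name and product.startswith(name) and version == major:
            return True
    return False

if __name__ == "__main__":
    # Constructed release lines for the two systems discussed in the thread.
    for line in ("Red Hat Enterprise Linux Server release 6.0 (Santiago)",
                 "CentOS Linux release 6.0 (Final)"):
        verdict = "covered" if feed_covers_host(SAMPLE_FEED, line) else "NOT covered"
        print("%-55s %s by feed %s" % (line, verdict, sorted(feed_platforms(SAMPLE_FEED))))
```

A "NOT covered" verdict means an all-false scan result says nothing about whether the host is patched.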