service version disclosure

Kevin Kofler kevin.kofler at chello.at
Sat Jan 7 14:40:33 UTC 2012


Reindl Harald wrote:
> if you have a big customer which hires a 3rd party auditor
> you are NOT in the position to give such arguments or
> you can give them but you can not change ANYTHING in
> the fact that finally "fix it or shutdown the service"
> is what you have to do

They need to fire the auditor who doesn't understand security at all.

> if i need to know my version of sshd or any other service
> i make a "rpm -qa | grep package", if somebody else likes
> to know he has to tell the question as i have for foreign
> servers

What's going to stop the auditor from running rpm -qa? (I assume a competent 
auditor will request at least an unprivileged shell account to test for 
local privilege escalation vulnerabilities.)

        Kevin Kofler


