service version disclosure
Reindl Harald
h.reindl at thelounge.net
Sat Jan 7 14:49:06 UTC 2012
On 07.01.2012 15:40, Kevin Kofler wrote:
> Reindl Harald wrote:
>> if you have a big customer which hires a 3rd party auditor
>> you are NOT in the position to give such arguments or
>> you can give them but you can not change ANYTHING in
>> the fact that finally "fix it or shutdown the service"
>> is what you have to do
>
> They need to fire the auditor who doesn't understand security at all.
You know this, I know this,
but things are not so easy :-)
>> if I need to know my version of sshd or any other service
>> I run "rpm -qa | grep package"; if somebody else wants
>> to know, he has to ask, as I have to for foreign
>> servers
>
> What's going to stop the auditor from running rpm -qa? (I assume a competent
> auditor will request at least an unprivileged shell account to test for
> local privilege escalation vulnerabilities.)
I AM going to stop it.
As long as I live nobody out there will get shell access to
a machine that also serves other customers, and it has to be enough
to exclude mod_security for the scanner IP, while they initially
wanted two class-C nets excluded, which will never happen.
I know that they are incompetent because they also classify a
default "robots.txt" with any Disallow as "medium" that has to
be fixed - so yes, they should be fired, but I can not make this
decision for a customer :-(
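Added example, not from this thread or from any of the people in it: the ModSecurity exclusion described above, written once the way the auditor asked for it (two whole /24 networks bypass the engine) and once scoped to the single scanner host. The addresses are constructed RFC 5737 documentation ranges and the rule ids are placeholders; both must be adjusted to the real scanner and to an id range the local rule set does not already use.

```apache
# Constructed example: narrow WAF bypass for an external scanner.
# 198.51.100.0/24, 203.0.113.0/24 and 203.0.113.10 are documentation
# addresses standing in for the auditor's networks and scanner host.
# Rule ids 1000001 and 1000002 are placeholders.

# As initially requested: every host in two class-C networks reaches the
# vhost with the rule engine switched off. Kept commented out on purpose.
#SecRule REMOTE_ADDR "@ipMatch 198.51.100.0/24,203.0.113.0/24" \
#    "id:1000001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# As deployed: only the one scanner address, only for the duration of the
# audit. Logging stays on so the audit log still shows which requests
# bypassed inspection; 'ctl:ruleEngine=DetectionOnly' instead of 'Off'
# would additionally record what the scanner would have triggered.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1000002,phase:1,pass,log,ctl:ruleEngine=Off"
```

The rule has to be loaded before the Core Rule Set include so that it is evaluated first within phase 1, and it belongs in the vhost the scanner is allowed to test rather than in the global configuration, so the bypass does not silently apply to every other customer's site on the same machine.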