Educause Security Discussion mailing list archives

Re: False positives scanning Red Hat servers running Apache


From: Aaron Lafferty <lafferty () OAR NET>
Date: Thu, 26 Apr 2007 11:20:55 -0400

It's a pretty common practice for Red Hat to do that.  It's annoying if you are vulnerability scanning, because short 
of logging into the box and figuring out what package is currently installed, or pen testing it... you just can't be 
sure what the case is.  If you get any other suggestions on how to figure this out, I would be interested in knowing 
what they are.

Oh... and Hi Clifford!

Thanks,
Aaron

 
Clifford Collins <Collinsc () FRANKLIN EDU> 04/26/07 10:41 AM >>> 
I've recently been scanning some servers on our campus that have returned known vulnerabilities for Apache. I forwarded 
the results to our Linux systems administrator. He investigated the claims and declared them as false positives. His 
explanation was that Red Hat "backports" patches to stable versions rather than deploying the newer version because 
newer versions can introduce new features or changes that render an existing server non-functional.  He was also 
critical of the scanner for failing to detect the patches and relying on the reported version number from a web query.
 
Has anybody encountered this problem? Is there a solution or a product that can detect undeclared patches on a Red Hat 
server without actually doing a penetration test? Is there a query that will yield the patch level? Your suggestions 
and comments are welcome!
 
Clifford A. Collins
Network Security Administrator
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
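
Added example, not part of the original thread: one way to do the "log into the box and check the installed package" step discussed above is to compare the CVE ids a scanner reported against the ids named in the package changelog. The function names, the sample changelog and the placeholder CVE ids are constructed for illustration; `httpd` is assumed to be the Apache package name on the host.

```shell
#!/bin/sh
# Added example: triage scanner-reported CVEs against a package changelog.
# On a Red Hat host, capture the input with:
#   rpm -q --changelog httpd > changelog.txt

# Constructed sample in the layout rpm prints; all CVE ids are placeholders.
sample_changelog() {
cat <<'EOF'
* Tue Jan 02 2007 Example Packager <packager@example.com> 2.0.0-1.ex2
- add security fix for CVE-0000-0002

* Mon Jan 01 2007 Example Packager <packager@example.com> 2.0.0-1.ex1
- add security fixes for CVE-0000-0001, CAN-0000-0003
- unrelated bug fix
EOF
}

# fixed_cves: changelog on stdin -> unique CVE ids, one per line.
# Older entries use the CAN- candidate prefix; normalise it to CVE-.
fixed_cves() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]{4,}' | sed 's/^CAN-/CVE-/' | sort -u
}

# triage FILE CVE...: "backported" if the changelog names the id,
# otherwise "verify" (absence from the changelog proves nothing by itself).
triage() {
    changelog=$1; shift
    fixed=$(fixed_cves < "$changelog")
    for cve in "$@"; do
        if printf '%s\n' "$fixed" | grep -qxF "$cve"; then
            echo "$cve backported"
        else
            echo "$cve verify"
        fi
    done
}

# Demo on the constructed sample.
demo=$(mktemp)
sample_changelog > "$demo"
triage "$demo" CVE-0000-0001 CVE-0000-0003 CVE-0000-0009
rm -f "$demo"
```

Ids marked "verify" still need checking against the vendor's advisories for the installed package release, since a changelog entry may not name every issue it addresses.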
