Educause Security Discussion mailing list archives
Re: False positives scanning Red Hat servers running Apache
From: Bill Ogle <info () COMPLYGUARDNETWORKS COM>
Date: Thu, 26 Apr 2007 15:11:49 -0400
Your Linux admin is 100% correct regarding back porting as common practice. It is done for more reasons than he indicates. At the same time is he partially correct regarding the scanner and his declaration of false positive. Firstly, the scanner did accurately identify the environment. Further, it recognized a version of Red Hat that is the correct information communicated by the software. The scanners from most vendors function the same in this regard because they all draw on the common knowledge body like NIST, OVAL, Mitre.org, CERT and others. Please note there is a lag time between when a patch becomes public record and the knowledge bodies are updated. Sometimes, depending on the quality of the scanner, further down in the report will be a "low" or "info" discovery that may well articulate the correct version of the software. Certainly the scanner report indicated that that port or IP needed some attention. It accomplished its task. If you are running a configurable scanner, add a script to cover the discovery. If not, recognize this will happen each time to scan. One final suggestion: if you need a good commercial scanner that is approved by the financial services industry, check our the scan vendors at http://www.pcisecuritystandards.org. or do a Google for " PCI testing". -----Original Message----- From: Clifford Collins [mailto:Collinsc () FRANKLIN EDU] Sent: Thursday, April 26, 2007 10:41 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] False positives scanning Red Hat servers running Apache I've recently been scanning some servers on our campus that have returned known vulnerabilities for Apache. I forwarded the results to our Linux systems administrator. He investigated the claims and declared them as false positives. His explanation was that Red Hat "backports" patches to stable versions rather than deploying the newer version because newer versions can introduce new features or changes that render an existing server non-functional. He was also critical of the scanner for failing to detect the patches and relying on the reported version number from a web query. Has anybody encountered this problem? Is there a solution or a product that can detect undeclared patches on a Red Hat server without actually doing a penetration test? Is there a query that will yield the patch level? Your suggestions and comments are welcome! Clifford A. Collins Network Security Administrator Franklin University 201 South Grant Avenue Columbus, Ohio 43215 "Security is a process, not a product"
Current thread:
- False positives scanning Red Hat servers running Apache Clifford Collins (Apr 26)
- <Possible follow-ups>
- Re: False positives scanning Red Hat servers running Apache Julian Y. Koh (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Wyman Miles (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Aaron Lafferty (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Allison Henry (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Wyman Miles (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Steve Brukbacher (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Russell Fulton (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Clifford Collins (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Bill Ogle (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Mark Rogowski (Apr 26)
- Re: False positives scanning Red Hat servers running Apache Chris Green (Apr 30)
- Re: False positives scanning Red Hat servers running Apache Wyman Miles (Apr 30)