Hi,

I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.

Can you help me on how to get security upgrades on top of my existing CentOS?

# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Thanks for the help.

--
Thanks & Regards,
Venkateswara Rao Dokku.
2015-04-24 12:21 GMT+03:00 Venkateswara Rao Dokku <dvrao.584 at gmail.com>:
> Hi,
>
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
>
> Can you help me on how to get security upgrades on top of my existing
> CentOS?
>
> # cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
>
> Thanks for the help.
>

... and most of them are misconfiguration(s) of your OS and some possibly false positives. Use yum to apply the latest security patches, then fix the misconfiguration of OS services, reboot the machine & rescan.

--
Eero
On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
>
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
>
> Can you help me on how to get security upgrades on top of my existing
> CentOS?

The short answer: 'yum update'

The long answer: nearly all commercial scanners test via version number, not actual vulnerabilities. You can take the list of 'vulnerable' packages and the related CVEs and 'rpm -q <package> --changelog | grep -i cve' to see that it's been addressed. Alternatively, upstream maintains a CVE database at https://access.redhat.com/security/cve/ where you can search the CVE and match related (or newer) versions.

I have a very long profanity-laden rant about commercial scanning software and practices that I'll spare folks from. TL;DR it's all terrible, and the vendors have little to no incentive for fixing it.

Note: we (CentOS) do not validate CVE closure separately. We rebuild source provided by RH, assuming that they have done the due diligence.

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
2015-04-24 15:31 GMT+03:00 Jim Perrin <jperrin at centos.org>:
>
>
> On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> > Hi,
> >
> > I was using CentOS 7 and when I ran some custom commercial security scan
> on
> > my machine, I found about 122 vulnerabilities.
> >
> > Can you help me on how to get security upgrades on top of my existing
> > CentOS?
>
> The short answer: 'yum update'
>
> The long answer: nearly all commercial scanners test via version number,
> not actual vulnerabilities. You can take the list of 'vulnerable'
> packages and the related CVEs and 'rpm -q <package> --changelog | grep
> -i cve' to see that it's been addressed.
>

Usually security scanners like Nessus, OpenVAS .. detect OS misconfigurations like weak ciphers and some basic OS misconfigurations. The "easy" way to get a PASS result is usually just to turn off version numbers from services and disable weak ciphers like SSLv3, SSLv2 and so on...

--
Eero
On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
>
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
>
> Can you help me on how to get security upgrades on top of my existing
> CentOS?
>
> # cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
>
> Thanks for the help.
>

You will need to address each individual issue as one event and track it.

Most security software for Ubuntu does not understand the concept of Red Hat backporting:

https://access.redhat.com/security/updates/backporting/

Therefore, to check CentOS or RHEL properly for security issues, the software needs to be designed to understand what version of a package Red Hat fixed an issue in via their backport .. not how it was fixed in the main upstream project code.

As an example, here is CVE-2014-0226:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

Red Hat fixes that in these updates:

EL5 and EL6: https://rhn.redhat.com/errata/RHSA-2014-0920.html
EL7: https://rhn.redhat.com/errata/RHSA-2014-0921.html

That means, because of backporting, this issue is fixed in:

EL5: httpd-2.2.3-87.el5_10.src.rpm
EL6: httpd-2.2.15-31.el6_5.src.rpm
EL7: httpd-2.4.6-18.el7_0.src.rpm

If you look at the Apache web page for vulnerabilities for httpd 2.2 (http://httpd.apache.org/security/vulnerabilities_22.html) and if you search for CVE-2014-0226 you will find it is fixed in version 2.2.28 upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version 2.2.15.

If your software thinks that in order to be protected for CVE-2014-0226 you need version 2.2.28 or higher Apache, then your software kicks out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a fail.

So, bottom line, your software has to know how Red Hat did backports for EL via backporting or it will give false positives.

The same is true for EL7 too .. Apache fixes CVE-2014-0226 in 2.4.10 .. Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know 2.4.10 is not needed because of a backport.
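The changelog check Jim Perrin suggests, applied to the EL7 backport case described in the message above, as an added POSIX shell example that was not posted in the thread. The function names and the sample changelog text are constructed for the illustration; only the pairing of release 2.4.6-18 with CVE-2014-0226 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a backported CVE fix from an RPM changelog.
# On an EL host the real input comes from:  rpm -q <package> --changelog
# Each changelog entry starts with a header whose last field is the version-release, e.g.
#   * Tue Jul 22 2014 Maintainer Name <maint@example.com> - 2.4.6-18
# followed by "- ..." lines, which is where the vendor notes the CVEs it backported.

# Constructed sample changelog in that format. The date, maintainer and the
# CVE-2014-0000 placeholder are made up; 2.4.6-18 fixing CVE-2014-0226 is the
# EL7 case discussed in the thread.
SAMPLE_CHANGELOG='* Tue Jul 22 2014 Maintainer Name <maint@example.com> - 2.4.6-18
- Resolves: CVE-2014-0226 - race condition in mod_status
- Resolves: CVE-2014-0000 - placeholder entry
* Mon Jun 02 2014 Maintainer Name <maint@example.com> - 2.4.6-17
- rebuild against updated openssl'

# cve_fixed_in_changelog CVE-ID   (changelog text on stdin)
# Prints the version-release of the newest entry that mentions the CVE and returns 0;
# returns 1 and prints nothing if the CVE does not appear. Case-insensitive, like the
# "grep -i cve" in the thread, but anchored on non-digits so that CVE-2014-022 does not
# match CVE-2014-0226.
cve_fixed_in_changelog() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        /^\* / { ver = $NF }                                   # header: remember version-release
        tolower($0) ~ ("(^|[^0-9])" want "([^0-9]|$)") {        # body line naming the CVE
            print ver; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# check_installed_package PACKAGE CVE-ID: the same check against a package on the host.
# If rpm is absent or the package is not installed, nothing matches and it returns 1.
check_installed_package() {
    rpm -q "$1" --changelog 2>/dev/null | cve_fixed_in_changelog "$2"
}

# Demonstration on the constructed sample: the CVE is listed under 2.4.6-18 even though
# upstream's fix release is 2.4.10, which is exactly the backport a version-only scanner misses.
if ver=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog CVE-2014-0226); then
    echo "CVE-2014-0226 addressed in release $ver"
else
    echo "CVE-2014-0226 not mentioned in changelog"
fi
```

On a real EL7 host the equivalent call is `check_installed_package httpd CVE-2014-0226`, which pairs the changelog hit with the RHSA listed above.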
On 24.04.2015 at 11:21, Venkateswara Rao Dokku wrote:
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.

That's why those scans are wasted money. From a security management point of view they neither help you nor your manager.

Regards

Alexander
On 4/24/2015 12:14 PM, Alexander Dalloz wrote:
> On 24.04.2015 at 11:21, Venkateswara Rao Dokku wrote:
>> I was using CentOS 7 and when I ran some custom commercial security
>> scan on
>> my machine, I found about 122 vulnerabilities.
>
> That's why those scans are wasted money. From a security management
> point of view they neither help you nor your manager.

I call it 'security by bullet list'

--
john r pierce, recycling bits in santa cruz