We are currently working our way through a PCI compliance assessment on our server running CentOS.
We are getting a lot of 'severe' issues with suggested fixes. The suggestions to rectify the issues are mostly to update the packages to the latest version. Sound advice, I thought, until I ran 'sudo yum update', then ran the scan again and, frustratingly, the issues hadn't gone.
I spoke to our hosting provider (it's a dedicated server) and they said that although the version is up to date, it will have various patches that fix known security issues.
They suggested running a changelog command for the packages and then appealing each of the severe issues flagged on the scan. So I went to create an appeal for the first issue and it asked for the version of the package, the patch level and the reason I feel we're exempt.
So, in CentOS what's the simplest way of showing the version number and patch level for each individual installed package?
rpm -q <package name>

will give you the software version number as well as the package release number, but you will need to investigate the contents of

rpm -q --changelog <package name>

in order to determine which patches have been applied.

To list all packages:

rpm -qa

To list all packages matching a simple pattern:

rpm -qa '<pattern>'
Your PCI auditor is an idiot (quelle surprise). They just run an automated tool like Nessus, which does nothing but compare the service's reported version against a list of vulnerabilities against the upstream version -- they don't say "hey, this is patchlevel N of this package, Red Hat already patched that for all known vulnerabilities".
Ultimately, you'll have to get the list of CVEs that the report says you're vulnerable to (if the auditor can't even give you that... well, they are idiots, so you're already screwed) and then dig through the CentOS changelogs to see that they've been fixed (there might also be a security reports system you can look through). RHN has some sort of CVE lookup service, but since you're not paying for RHEL, you presumably won't have access to it.
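Both answers come down to the same manual procedure: print the installed version and release of a package, then search its RPM changelog for the CVE IDs the scan report lists. The script below is an added example that is not part of either answer; it automates that check. The changelog text in it is constructed sample data in the style of `rpm -q --changelog` output, and the CVE-2099-* / CVE-2098-* IDs in it are placeholders, not real advisories for any package. Only `package_cves` needs a real `rpm` binary (and so only runs on the CentOS host); `check_cves` and `all_fixed` work on any changelog text you pass them, which is also how they can be exercised offline.

```shell
#!/bin/sh
# Added example, not from either answer above: given the CVE IDs a scan report
# lists, check which of them a package's RPM changelog says were fixed, and
# print the package's version and release (the "patch level") for the appeal.
# The changelog text below is constructed for this example in the style of
# `rpm -q --changelog` output; the CVE-2099-*/CVE-2098-* IDs are placeholders,
# not real advisories for any package.

SAMPLE_CHANGELOG='* Mon Jan 07 2013 Example Packager <packager@example.com> - 2.2.15-29
- Resolves: CVE-2099-0001 (constructed sample entry)
- Resolves: CVE-2099-0002
* Mon Jun 04 2012 Example Packager <packager@example.com> - 2.2.15-15
- fix for cve-2098-0001 (constructed sample entry, lowercase on purpose)'

# check_cves "<changelog text>" CVE-... [CVE-...]
# Prints "<CVE> fixed" when the ID appears in the changelog as a whole word
# (case-insensitively, so CVE-2099-0001 does not match CVE-2099-00011),
# otherwise "<CVE> NOT-FOUND".
check_cves() {
    changelog=$1
    shift
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiw -e "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve NOT-FOUND"
        fi
    done
}

# all_fixed "<changelog text>" CVE-... [CVE-...]
# Exit status 0 only when every listed CVE is mentioned in the changelog.
all_fixed() {
    if check_cves "$@" | grep -q 'NOT-FOUND'; then
        return 1
    fi
    return 0
}

# package_cves <package> CVE-... [CVE-...]
# Real use on a CentOS host: print name, version and release of the installed
# package (version and release are what the appeal form asks for), then run
# the check against the package's actual rpm changelog.
package_cves() {
    pkg=$1
    shift
    rpm -q "$pkg" >/dev/null 2>&1 || { echo "$pkg: not installed" >&2; return 2; }
    rpm -q --qf '%{NAME} version=%{VERSION} release=%{RELEASE}\n' "$pkg"
    check_cves "$(rpm -q --changelog "$pkg")" "$@"
}

# Demo against the constructed changelog. On a real server the call would be
# something like: package_cves httpd CVE-xxxx-yyyy ...
if [ "${DEMO_CVE_CHECK:-0}" = 1 ]; then
    check_cves "$SAMPLE_CHANGELOG" CVE-2099-0001 CVE-2098-0001 CVE-2099-9999
fi
```

A "NOT-FOUND" result does not by itself mean the package is vulnerable: the fix may predate the changelog entries that mention CVE IDs, or the packager may have referenced a bug number instead, so those cases still need a manual read of the changelog or the distribution's advisory. The whole-word match is deliberate so that a short or mistyped ID from the report cannot be satisfied by a longer, unrelated one.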