Redhat has this policy of backporting security fixes.
But then when RHEL and CentOS sites get audited, the auditors invariably just list the package versions or ask ssh
what it's version number is, and then they fail you because you appear to be running a vulnerable version of, say, OpenSSH.
The only ways I can see to respond to this is are:
- Compile a list of RHEL security advisories, which would presumably show that the apparently-old rpm is in fact patched. I bet the auditor wouldn't actually read it though.
- Just install a newer package, even though it's pointless. This is a lot more difficult than it sounds, because the developer's package won't have
init.d
scripts and other integrations. And OpenSSH is hard to install on top of itself in a lights-out datacenter when it's your remote access method.
Is there a better idea?
There is something called OVAL. Redhat at least used to provide advisories in that format. Does it actually work on auditors?
0 Answers