DigitalRoss's questions -server

DigitalRoss

Asked: 2016-04-21 14:24:40 +0800 CST

security audit flags redhat/centos package version numbers despite patches

3

Redhat has this policy of backporting security fixes.

But then when RHEL and CentOS sites get audited, the auditors invariably just list the package versions or ask ssh what it's version number is, and then they fail you because you appear to be running a vulnerable version of, say, OpenSSH.

The only ways I can see to respond to this is are:

Compile a list of RHEL security advisories, which would presumably show that the apparently-old rpm is in fact patched. I bet the auditor wouldn't actually read it though.
Just install a newer package, even though it's pointless. This is a lot more difficult than it sounds, because the developer's package won't have init.d scripts and other integrations. And OpenSSH is hard to install on top of itself in a lights-out datacenter when it's your remote access method.

Is there a better idea?

There is something called OVAL. Redhat at least used to provide advisories in that format. Does it actually work on auditors?

DigitalRoss

Asked: 2012-02-08 14:57:02 +0800 CST

Find MAC addresses in /proc or somewhere despite bonding device?

10

Is there a way to get the original MAC addresses for eth0 and eth1?

A large array of servers have bonding interfaces managing backup switch connections and one is misbehaving. With bond0 active both MAC addresses are replaced and reported identically by ifconfig.

I want to search the server array for a MAC address I found in a Cisco device.

I would use dmesg(1) or /var/log/messages, but they have been rolled over for hundreds of days for most of the array.

DigitalRoss

Asked: 2010-03-19 10:28:03 +0800 CST

Network vulnerability and port scanning services

7

I'm setting up a periodic port scan and vulnerability scan for a medium-sized network implementing a customer-facing web application. The hosts run CentOS 5.4.

I've used tools like Nmap and OpenVAS, but our firewall rules have special cases for connections originating from our own facilities and servers, so really the scan should be done from the outside.

Rather than set up a VPS or EC2 server and configuring it with various tools, it seems like this could just be contracted out to a port and vulnerability scanning service. If they do it professionally they may be more up to date than something I set up and let run for a year...

Any recommendations or experience doing this?

security audit flags redhat/centos package version numbers despite patches

Find MAC addresses in /proc or somewhere despite bonding device?

Network vulnerability and port scanning services

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?