https://access.redhat.com/security/updates/backporting/?sc_cid=3093
Yes, an unintelligent scan will throw lots of vulnerability errors. Yes, most of those will be false positives.

Rob Marti

> -----Original Message-----
> From: rhelv5-list-boun...@redhat.com [mailto:rhelv5-list-boun...@redhat.com] On Behalf Of James Harrison
> Sent: Thursday, July 28, 2011 9:44 AM
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> Subject: Re: [rhelv5-list] Is RHEL 5.7 PCI compliant?
>
> Thanks for the quick reply everyone.
>
> I understand it's not the whole OS and all machines and it's all in the
> implementation and we do have an auditor, however, scans show httpd
> 2.2.14 as having vulnerabilities. Will the httpd 2.2.3 supplied by RH throw up
> all kinds of vulnerabilities, because of its lower patch level?
>
> ________________________________
>
> From: "Kinzel, David" <david.kin...@encana.com>
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list <rhelv5-l...@redhat.com>
> Sent: Thursday, 28 July 2011, 14:46
> Subject: Re: [rhelv5-list] Is RHEL 5.7 PCI compliant?
>
> >Hi,
> >
> >It's practically impossible for us to really answer that. The OS
> >itself does not have to be PCI-compliant, but it is the implementation
> >that needs to be.
>
> Agreed. You need to go hire yourself an auditor if you are dealing with PCI
> compliance. There is much more to PCI compliance than just operating
> system and service settings. From purely an operating system perspective
> you are probably half way there by going by the common SOX
> recommendations (file permissions, user account locking, password strength,
> etc), but that is only half the battle. PCI covers vastly greater ground than
> that.
>
> >For example, HTTPD, if using SSL, must be configured for SSLv3 or
> >TLSv1, and that is available, but you must have configured it that way.
> >
> >RHEL5 supports databases, but you must implement database encryption if
> >it holds sensitive customer information, that is part of your
> >implementation, not the OS compliancy.
> >
> >Marco
> >
> >On Thu, Jul 28, 2011 at 10:15 AM, James Harrison
> ><jamesaharriso...@yahoo.co.uk> wrote:
> >> Hi,
> >>
> >> Really important problem. We do have license mail/phone support, but don't
> >> want any record of the problem on the RHN account!!
> >>
> >> We are going through PCI compliance process.
> >>
> >> We are using RHEL 5. Is RHEL 5 PCI compliant?
> >>
> >> I am looking at httpd in particular. httpd is at 2.2.3.
> >>
> >> Tha
> >>
> >> _______________________________________________
> >> rhelv5-list mailing list
> >> rhelv5-list@redhat.com
> >> https://www.redhat.com/mailman/listinfo/rhelv5-list
> >
> >--
> >*Microsoft MVP - Windows PowerShell
> >https://mvp.support.microsoft.com/profile/Marco.Shaw
> >*Co-Author - Sams Windows PowerShell Unleashed 2nd Edition
> >*Blog - http://marcoshaw.blogspot.com
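
The false positives discussed in this thread come from scanners that judge httpd by its upstream version number, while the backporting page linked at the top describes fixes being applied to the older packaged version. The sketch below is an added example, not part of the thread or any Red Hat tooling: it triages a scanner's CVE list against package changelog text, assuming a backported fix is named by CVE id in the changelog. The function names, the changelog sample and the CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Triage version-banner scanner findings against a package changelog.
# All changelog text and CVE ids below are constructed placeholders.

sample_changelog() {
cat <<'EOF'
* Sat Jan 01 2011 Constructed Packager <packager@example.invalid> - 2.2.3-0.example2
- add security fix for CVE-0000-0001
- add security fixes for CVE-0000-0002, CVE-0000-0003
* Wed Dec 01 2010 Constructed Packager <packager@example.invalid> - 2.2.3-0.example1
- add security fix for CVE-0000-00041
EOF
}

# cve_status CVE_ID: changelog on stdin; prints backported, unconfirmed or invalid.
cve_status() {
    if ! printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
        echo invalid
        return 2
    fi
    # Whole-token match: CVE-0000-0004 must not match CVE-0000-00041.
    if grep -Eq "(^|[^0-9A-Za-z-])$1([^0-9]|\$)"; then
        echo backported
    else
        echo unconfirmed   # not named in the changelog: review by hand
    fi
}

# triage CHANGELOG_TEXT: CVE ids (one per line) on stdin, one verdict per line out.
triage() {
    while read -r cve; do
        [ -n "$cve" ] || continue
        printf '%s %s\n' "$cve" "$(printf '%s\n' "$1" | cve_status "$cve")"
    done
}

# On a real RHEL host (not run here):
#   triage "$(rpm -q --changelog httpd)" < scanner_cves.txt
```

An `unconfirmed` verdict only means the changelog does not name that CVE; the finding still needs checking against the vendor's advisory for that package before it is dismissed or accepted.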