I had a problem like that in 2005.  Fancy, high-falutin' Beltway Bandits (from Wash DC) came to scan our servers.  I got called in (taken from my normal busy routine) to address their concerns . . .

Bandit: "Yes, we see you have over 1200 Apache servers in the environment."

All eyes look at me.

Me: "We don't run Apache here."

You could hear a pin drop, which in a carpeted room, means it got real quiet.  The three bandits huddle together questioning their data.

Bandit: "Could you explain?"

Me: "We use IBM HTTP Server."

More bandit discussions.  "OK, thank you.  We'll let you know if there is anything else."

===================

Then there's the every two year audit question: "Please explain how LDAP enforces password change policy . . ."  What?  Do you think this is Active Directory?  Sigh . . .

Lolz.

Regards,

George Toft

On 6/12/2015 10:14 AM, Keith Smith wrote:

I do some work on a couple CentOS 6.6 servers. Payment Card Industry (PCI) scans seem to always see the server as vulnerable. I've have to submit for a review since the server is not really vulnerable.

I don't think a lot of people understand how RHEL maintains it's packages. I know I did not for a long time.  RedHat backports vulnerability fixes while maintaining the original version number.

Here is a great explanation : https://access.redhat.com/security/updates/backporting/?sc_cid=3093

Keith

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss