So, I’m dealing with a security audit of our web server right now, since we have a new customer who jumped over that needs it for regulatory reasons. While there’s nothing dreadfully serious about the results, I’m mad as hell at the fact that Red Hat Enterprise Server’s wonderful, magical up2date utility has apparently *not* been functioning correctly. It won’t even run from the CLI. Grrr.
Therein lies my biggest frigging frustration with (a) Linux, and (b) computers in general. If I had the level of reliability that these machines tend to have, I’d be fired. I know I’m committing some anthropomorphism here, but, come on. I’m in a “time to live on an island” mode at the moment.

UPDATE: Apparently, it was running correctly. The security audit performed by Qualys isn’t quite as comprehensive as it appears. Many of the vulnerabilities found by the scan are determined by testing version numbers, which Qualys finds simply by making a connection to the socket a program is listening on. This is not the same as testing for a vulnerability (and thank the lord they don’t do that — I’d be really pissed if they started poking into vulnerabilities, for testing purposes or not). Since RedHat back-ports patches, rather than upgrading versions, this means that what looks bad to Qualys is actually just a version of the software that is stable, but patched.
This is what happens when automatic tools are used to perform security checks. Silly testing.
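As an added example (not from the post), here is one way to triage a version-based scanner finding against the installed RPM’s changelog, which is where Red Hat records backported fixes. The package name, changelog text and CVE id below are constructed placeholders, not real data.

```python
import re
import subprocess

# Constructed sample of `rpm -q --changelog httpd` output (shape only; the dates,
# maintainer, release strings and CVE id are placeholders, not real Red Hat data).
SAMPLE_CHANGELOG = """\
* Tue Mar 02 2004 Example Maintainer <maint@example.invalid> 2.0.46-25.ent
- backport fix for CVE-0000-0001 from upstream 2.0.49

* Mon Jan 12 2004 Example Maintainer <maint@example.invalid> 2.0.46-24.ent
- initial build
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_tuple(v):
    """Turn a dotted upstream version like '2.0.46' into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def fixed_cves(changelog_text):
    """Collect every CVE id mentioned in an rpm changelog.

    `rpm -q --changelog` only lists entries up to the installed release, so a
    CVE named here was fixed in (or before) the build that is actually running.
    """
    return set(CVE_RE.findall(changelog_text))


def triage(cve, banner_version, fixed_upstream, changelog_text):
    """Decide whether a banner-based finding is worth chasing.

    The scanner's logic is "banner version < first fixed upstream version"; we
    override it when the package changelog shows the fix was backported.
    """
    if cve in fixed_cves(changelog_text):
        return "likely false positive: fix backported into installed package"
    if version_tuple(banner_version) < version_tuple(fixed_upstream):
        return "needs review: banner older than upstream fix, no backport found"
    return "not applicable: banner at or above fixed version"


def installed_changelog(package):
    """Fetch the real changelog on a Red Hat host (not used by the offline sample)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(triage("CVE-0000-0001", "2.0.46", "2.0.49", SAMPLE_CHANGELOG))
```

On a live host, replace `SAMPLE_CHANGELOG` with `installed_changelog("httpd")` and feed in the CVE id and versions from the scanner report.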