Security Audit Failures

This guide will help you address problems commonly associated with third-party security audits and their failures. There are two main types of failure you can have with security audits. The first is that security audits attack ClearOS, and a well-configured ClearOS server won't stand for that sort of thing. The second is that the security auditing company reports any number of vulnerabilities which you will need to answer. Both of these issues are discussed in this guide.

The security audit fails to run

“It's like they can't even see my server”

Security audits usually fail against ClearOS because they use the same regimen of 'attacks' against your server that hackers use to probe for weaknesses (essentially, that is what they are doing). In all likelihood, you are running ClearOS' Intrusion Detection and Intrusion Prevention System. As with any other attacker, the IDS/IPS will block these attacks by proactively firewalling the source of the attempt.

This is part of the reason why a well-configured ClearOS server is not vulnerable to the threats that hackers pose; when compromises do occur, it is usually because of poor implementation.

That being said, you will likely not pass the audit until you 'allow' the attack. You will need to either whitelist the scanning computer's IP address in the Intrusion Prevention module or disable the Intrusion Prevention module of ClearOS.

Before doing this, please firewall all ports except those that are absolutely necessary for business. (This should be your configuration anyway, as it is the recommended one.) ClearCenter recommends restricting management ports such as Webconfig and SSH to trusted locations using the 'Custom Firewall' module.

It is also recommended that you update ClearOS to a version that is NOT end of life, to ensure that you are still receiving updates. You can also update your system manually before such a scan by running the following from the command line:

yum update

They say I'm vulnerable

Your audit will likely present you with a number of 'failures' resulting from a successful scan. The reason this report can be overwhelming is that the scanning company is not looking at actual vulnerabilities but rather at known vulnerabilities associated with particular versions of software. The scans that are typically done do NOT include an assessment of the actual source code, only of the reported version number.

ClearOS updates software regularly to ensure that known vulnerabilities are addressed. For compatibility reasons, all security patches are 'back-ported' into existing version numbers. We do this to ensure that software compatibility and reliability are maintained and that version conflicts do NOT occur. For this reason you may have a list of items that you need to answer rather than fix. In all likelihood, the vulnerability is already fixed, or is NOT critical to ClearOS because the affected component is NOT implemented.

Your auditing company will give you a list of CVE (Common Vulnerabilities and Exposures) numbers which coincide with issues already resolved by ClearCenter. ClearCenter is in the process of creating its own database of issues, but since we use the same source code as another Linux vendor, these issues can be addressed from that vendor's database for nearly every vulnerability listed (see the link section below).
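To answer an auditor's CVE list against back-ported fixes, the following is an added shell example (not from this page and not ClearCenter's own tooling) that looks each reported CVE id up in the installed RPM's changelog, which is where a back-ported fix is recorded even though the version string stays the same. It assumes an RPM-based host with rpm(8) on the PATH; the package name and CVE ids shown are placeholders, and the CHANGELOG variable is an assumed hook so a saved changelog can be checked offline.

```shell
#!/bin/sh
# Added example (not ClearOS/ClearCenter code). A back-ported fix leaves the
# package version unchanged, so a version-only scan still flags it; the rpm
# changelog is where the vendor records which CVE ids a build addresses.
# Assumptions: rpm(8) on PATH; CVE ids and package names are placeholders.

# cve_in_changelog CHANGELOG_TEXT CVE_ID -> exit 0 if the id is mentioned
cve_in_changelog() {
    printf '%s\n' "$1" | grep -q -i -- "$2"
}

# audit_cves PACKAGE CVE_ID... -> prints one status line per id and returns
# the number of ids NOT found (0 means every reported CVE is accounted for).
# If CHANGELOG is set in the environment it is used instead of rpm output,
# which allows checking a saved changelog offline (assumed hook, for testing).
audit_cves() {
    pkg="$1"; shift
    log="${CHANGELOG:-$(rpm -q --changelog "$pkg" 2>/dev/null)}"
    missing=0
    for cve in "$@"; do
        if cve_in_changelog "$log" "$cve"; then
            echo "FIXED   $pkg $cve (named in rpm changelog: back-ported fix)"
        else
            echo "REVIEW  $pkg $cve (not in changelog: check vendor errata)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage (placeholder file name and CVE ids):
#   ./check_cves.sh openssl CVE-0000-00001 CVE-0000-00002
if [ "$#" -ge 2 ]; then
    audit_cves "$@"
fi
```

A REVIEW line does not mean the host is vulnerable; it means the changelog did not name that id, so the vendor's errata for the package must be consulted before answering the auditor.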

If you have questions about a particular CVE, please contact ClearCenter's support staff.


content/en_us/kb_troubleshooting_security_audit_failures.txt · Last modified: 2015/02/28 20:15 (external edit)