
List:       scap-security-guide
Subject:    Re: are there any vulnerable images available that can be detected by the scanner?
From:       Martin Preisler <mpreisle () redhat ! com>
Date:       2015-11-19 12:52:26
Message-ID: 1995547342.11730866.1447937546666.JavaMail.zimbra () redhat ! com

----- Original Message -----
> From: "Su Zhang" <westlifezs@gmail.com>
> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> Sent: Tuesday, November 17, 2015 2:08:52 AM
> Subject: are there any vulnerable images available that can be detected by the scanner?
> 
> Hello all,
> 
> I am looking for an image with an old version and also with lots of
> vulnerabilities. However, even though I could find old images, they are not
> considered as vulnerable images by the scanner. All the tests are false
> based on my experiences so far. For example, I followed the instructions at
> http://www.open-scap.org/resources/documentation/perform-vulnerability-scan-of-rhel-6-machine/
> 
> With those instructions, I scanned a CentOS6 published in 2011 (image url:
> http://archive.kernel.org/centos-vault/6.0/isos/i386/CentOS-6.0-i386-LiveCD.iso).
> Surprisingly, no vulnerability is detected (all the vulnerability
> validations are false).....

The tutorial is for RHEL6; the CVE feed listed there only applies to RHEL6.
The vulnerabilities it can find are RHEL6 vulnerabilities; you won't
find those in any CentOS6 image. It cannot find CentOS6 vulnerabilities.

Try it with an old RHEL6 version.

> Am I doing something wrong, or are those old images super safe?

No, the images are not super safe.

-- 
Martin Preisler
Security Technologies | Red Hat, Inc.
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorahosted.org
https://github.com/OpenSCAP/scap-security-guide/