It has come to our attention that people are paying for PCI compliance checks and, often, not getting value for money. A simple automated tool is run that produces a long report, much of which is erroneous or misleading when applied to Red Hat Enterprise Linux or CentOS systems that are kept up to date.
We use CentOS Linux, which is rebuilt from the Red Hat Enterprise Linux sources, and security patches are applied nightly with yum ('yum -y update' run from root's crontab). One caveat worth knowing: yum replaces the files on disk but does not restart services or reboot into a new kernel, so a daemon that was already running keeps executing the old code until it is restarted. The 'needs-restarting' tool from yum-utils lists the processes affected.
PCI compliance scanners that judge a package only by its upstream version number, and ignore the fact that Red Hat backports security fixes into the existing version, will inevitably report many false positives.
Red Hat have this to say about backporting and security (and exactly the same applies to CentOS Linux, which ships the same packages):
"...some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes."
See the entire article about backporting here:
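As an added example (not part of the original post or of Red Hat's article), the following shell script performs the check that a version-only scanner skips: it searches a package's rpm changelog for the CVE identifier, because Red Hat records each backported fix there while the version string stays at the older upstream number. The changelog text embedded in the script is constructed for the demonstration; 'rpm -q --changelog PACKAGE' is the real command on a CentOS host.

```shell
#!/bin/sh
# Added example (not code from the original post): decide whether a CVE fix
# has been backported by searching the package changelog rather than comparing
# version numbers. On a real Red Hat/CentOS host, rpm -q --changelog PACKAGE
# lists backported fixes as "CVE-YYYY-NNNN" lines while the version string
# stays at the older upstream number.

# cve_in_changelog CVE-ID   (changelog text on stdin)
# Returns 0 if the identifier appears in the changelog, 1 otherwise.
# Fixed-string, case-insensitive match so the ID is not treated as a regex.
cve_in_changelog() {
    grep -qiF -- "$1"
}

# cve_status CVE-ID   (changelog text on stdin)
# Prints "backported" or "not-found" for the given identifier.
cve_status() {
    if cve_in_changelog "$1"; then
        echo backported
    else
        echo not-found
    fi
}

# rpm_cve_status PACKAGE CVE-ID
# The real check on a Red Hat or CentOS host: feed the installed package's
# changelog to cve_status.
rpm_cve_status() {
    rpm -q --changelog "$1" | cve_status "$2"
}

# Constructed sample changelog in rpm's format (not a real package changelog).
# A scanner comparing "1.0.1e" against the upstream fixed version would flag
# this package as vulnerable; the changelog shows the fix is present.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 Example Maintainer <maint@example.invalid> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Mon Jan 06 2014 Example Maintainer <maint@example.invalid> 1.0.1e-16.el6_5.4
- fix CVE-2013-4353 - client NULL dereference'

# Demonstration on the constructed sample, then on the live openssl package
# when this runs on a system that has rpm.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status CVE-2014-0160
if command -v rpm >/dev/null 2>&1; then
    rpm_cve_status openssl CVE-2014-0160
fi
```

When disputing a scanner finding, the changelog line naming the CVE is the evidence to send back; a scan report that cites only "version 1.0.1e is vulnerable" has not looked at it.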
Open Port Issues
A simple "vulnerability scan" can also throw false positives when it reports open ports. Some services on our servers are picked up by PCI compliance scanning but are not open to the public: ports such as 21 (FTP) and 3306 (MySQL) are only reachable from the IP addresses we have specified (our office addresses). Provided that restriction is enforced in the packet filter (iptables) rather than inside the service, an outside attacker cannot even complete a TCP connection to those ports, so they present no exposure despite showing up in a simple scan. Two checks are worth making before disputing such a finding. First, confirm that the scanner's own source addresses are not in the allowed list; otherwise it is scanning from a privileged position and the result says nothing about the public Internet. Second, scan the server from an address that is not in the list and confirm the ports are reported as filtered. If they are reported as open, the restriction is being applied above the TCP layer (for example by tcp_wrappers or MySQL's grant tables), which still leaves the daemon reachable and any pre-authentication flaw in it exploitable; in that case moving the restriction into iptables is the right fix, and it also makes the finding go away.
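As an added example (not code from the original post), this script expresses the restriction described above in iptables: ports 21 and 3306 accept connections only from a list of office addresses and drop everything else. The office addresses and the port list are placeholders (the addresses come from the RFC 5737 documentation ranges); substitute your own.

```shell
#!/bin/sh
# Added example (not code from the original post): generate iptables rules
# that open ports 21 (FTP) and 3306 (MySQL) only to listed office addresses
# and drop all other sources, so a scan from any other address sees the ports
# as filtered rather than open.
# The addresses below are constructed placeholders (RFC 5737 TEST-NET ranges).

OFFICE_IPS="192.0.2.10 198.51.100.25"
RESTRICTED_PORTS="21 3306"

# restricted_port_rules OFFICE_IPS PORTS
# Prints one iptables command per line: an ACCEPT per office address for each
# port, followed by a DROP for that port from any other source. Order matters:
# iptables evaluates a chain top to bottom and stops at the first match, so
# the ACCEPT rules must come before the DROP rule for the same port.
restricted_port_rules() {
    ips=$1
    ports=$2
    for port in $ports; do
        for ip in $ips; do
            echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# rule_count OFFICE_IPS PORTS
# Number of rules that would be installed (one ACCEPT per address per port,
# plus one DROP per port).
rule_count() {
    restricted_port_rules "$1" "$2" | wc -l | tr -d ' '
}

# Dry run by default: print the commands for review. Pass "apply" as the
# first argument to execute them as root.
if [ "${1:-}" = "apply" ]; then
    restricted_port_rules "$OFFICE_IPS" "$RESTRICTED_PORTS" | sh -e
else
    restricted_port_rules "$OFFICE_IPS" "$RESTRICTED_PORTS"
fi
```

Two practical notes. A stock CentOS 6 firewall ends its INPUT chain with a catch-all 'REJECT --reject-with icmp-host-prohibited' rule, so rules appended with '-A' land after it and are never reached; insert them at an earlier position with 'iptables -I INPUT <n> ...' or put them in /etc/sysconfig/iptables above the catch-all, and run 'service iptables save' so they survive a reboot. Then verify from an address that is not in the list, for example 'nmap -Pn -p 21,3306 <server>': the ports should be reported as filtered. If they still show as open, the connection is reaching the daemon and the restriction is not happening at the packet filter.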