ClearOS is powered by a powerful updates engine designed to keep your system up to date. Sometimes you may get a report that can cast some doubt on the security of your system. Never fear, this support section will help you understand 3rd party analysis and reports and properly answer them. It will also help you navigate support channels to have custom answers so that you can pass certifications for PCI, HIPAA or others.
If you have an assessment, your first reaction may be to panic. Don't panic. Assessments are easy to navigate and you are in the right place to do that. To deal with an assessment, you need to understand the process. Assessments are usually run with a generic view on things and usually NEVER take into account the actual operating system running into account. These automated processes are rudimentary in their analysis. They will express themselves typically with a rating of severity and a list of the associated CVE (Common Vulnerability and Exposure). For this reason, this section exists. Your course of action will look like this:
- Issuance of report
- Analysis of reported CVEs
- Formulation of answers
- Acceptance of answers
Frequently, people get stuck are step one. You have in your possession a report that may be confusing, cryptic, and describe technologies and systems that you may not understand. You may have been told that you need to 'fix' these issues before you can receive certification. What you may not have been told is that you can analyze the report and simply answer line items that do not really affect you.
Looking at the document, you should see references to CVE numbers along with the statement of the problem and the risk that it poses. The CVE database will help you formulate answers. In this case, an answer is a formal rebuttal to a particular line item on the assessment.
Make a list of these CVEs. We usually suggest a spreadsheet for this purpose and then you can form your responses along side the listed CVE. Reference the ClearOS CVE database for more information. If you do NOT see your CVE listed please reference the Support Options section below and submit a support ticket according to the level of support that you have. If you do not have support you can upgrade your support agreement by contacting ClearCenter sales or you can purchase a one time support request for ClearOS Professional. Alternately, you can perform additional research using the following sites as references:
Types of Reports
There are several types of CVEs listed and answered. They may include:
- Impossible defects (Not applicable to ClearOS)
- Backported fixes
- Fix in progress
- Not an security defect
- Fixable through configuration
As you start to analyze the CVE database you will notice some CVEs reported by your audit as being ridiculously unconnected or impossibly assigned to your system. This happens because the report given to you may NOT include the fact that you are running ClearOS (a linux distribution) and not some other type of Operating System. Simply put, some services running on your system may indicate a version or port that isn't correctly correlated in the reported system.
For example, you may look into the CVE database on Redhat and not even see the CVE listed. Then you go to Mitre and you discover that the issue resides with a version of the software that you are using but instead of affecting the Linux version, it ONLY affects the Windows version. Your audit report doesn't take into account that you aren't running Windows at all and because it ONLY looks at version numbers, can falsely report that you have an issue.
Some issues will be reported by your audit because the audit only looks version number. This will look like a vulnerability even though the issue has already been dealt with if you are running the latest updates. The reason for this is that ClearOS uses backported fixes. This means that when we find an issue with a particular piece of software, we will put those fixes into the code WITHOUT incrementing the major version number (we increment the minor numbers which your audit software may NOT know). The reason why we do this is because we strive very hard to make sure that ClearOS is stable. Stability means that we keep the version numbers stable throughout the complete release cycle. This makes it so that program dependencies resolve properly. Under Linux distributions that DON'T use this method are quite subject to 'missing dependency' issues. If you have installed custom software from source code NOT in ClearOS repositories, you will understand this issue all too well.
Fix in progress
On rare occasions, we are aware of an issue and are working on a solution. If your CVE is positively listed in the ClearOS CVE database with this issue, you may need to take specific actions to reduce your risk. This can include shutting down the service which is exposed, or using customized code to provide a general fix to the issue. The CVE listed may contain directions on how to proceed. Check back to the entry for updates on the issue. Contact support for how best to proceed. See the below section for support options.
Not a security defect
In many cases, your report may include a CVE which we do NOT consider a defect. In the CVE we explain why we don't consider it a threat. In some cases, your audit report can contain ridiculous claims such as 'Your system is pingable' or 'Your system responds to traceroute requests'. Such claims fly in the face of RFC specifications which are REQUIRED for interoperability. Does running without these services provide 'better' security? Perhaps. But the implementation violates Internet standards (see RFC 1122).
ClearCenter will (where possible) refute or supply an answer if requested under terms of support.
In many instances, you merely need to answer the vulnerability claim in order to properly resolve the issue. Answers provided in the ClearOS CVE database can be used to form such answers. This means that you can copy and paste the answers in your reply. If a CVE or answer is not present, contact Support under the terms listed below for help on getting and updated response.
Getting answers accepted
In some cases, your auditor may push back on your answers supplied. ClearOS support stands ready to interface and defend ClearOS against claims that it is not secure in situations where it is. Contact Support under the terms listed below for help on getting ClearOS Engineers to go to bat for you with your auditors. We are here to serve you!
If you have been issued or required to have a report through a third party analysis company (like Security Metrics, Rapid 7, or others), you can use this guide and ClearCenter Support to form an appropriate response.
Additionally, you can use ClearCenter Professional services to resolve issues. For example, if you have a CVE that is being reported that is NOT on the list, please submit your request according to the support level of your ClearOS subscription below.
|Version/Subscription||ClearCenter Documentation||ClearCenter Exclusive Documentation||Chat and Email Support||Phone, Chat, and Email Support|
|ClearOS 6.x Community||Open||Not Available||Not Available||Not Available|
|ClearOS 6.x Pro Lite||Open||$325 per incident||$325 per incident||$250 per incident|
|ClearOS 6.x Pro Basic||Open||$325 per incident||$325 per incident||$250 per incident|
|ClearOS 6.x Pro Standard||Open||Included||Included||$250 per incident|
|ClearOS 6.x Pro Premium||Open||Included||Included||Included|
|ClearOS 7.x Community and Home||Open||Not Available||Not Available||Not Available|
|ClearOS 7.x Business||Open||See Support Matrix||See Support Matrix||See Support Matrix|
Notice of Copyright for CVE Descriptions
The following notice exists for all Descriptions in the CVE Database:
LICENSE The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Common Vulnerabilities and Exposures (CVE®) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy.
DISCLAIMERS ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN “AS IS” BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.