[CentOS] security compliance vs. old software versions

Wed Jun 30 23:03:44 UTC 2010
Ross Walker <rswwalker at gmail.com>

On Jun 30, 2010, at 6:03 PM, Les Mikesell <lesmikesell at gmail.com> wrote:

> On 6/30/2010 4:39 PM, m.roth at 5-cent.us wrote:
>>> companies/business units/administrators police themselves so you need
>>> metrics for someone else to test with.  And even internally you need to
>>> document why the failure of any standard check should be overlooked.
>> 
>> No, the security people should have defined requirements specifically for
>> our environment, rather than using something that's designed, say, for a
>> std. corporate IT dept.
> 
> I like the sentiment, but the people making the situation-specific rules 
> would need to know more than the people actually doing the work which 
> doesn't seem likely to happen.  And there's some value in making 
> everyone follow the same rules.

Plus, one can also write up a detailed report for any given exception explaining why it is either not applicable for a given platform (including exploit test results), or that there is a definitive business reason why the exception must exist and that there are mitigating controls around it.

-Ross