[CentOS] security compliance vs. old software versions
John Jasen
jjasen at realityfailure.org
Tue Jul 6 20:49:09 UTC 2010
John Hinton wrote:
> On 6/30/2010 8:54 PM, John Jasen wrote:
>> Well, I'm a security admin, so of course protection is more important
>> than utility! :)
>>
>> But seriously, the assessment tools provide information on your
>> environment, based on certain standard metrics. It's (HOPEFULLY! PCI
>> compliance notwithstanding ....) up to the people who end up reading
>> them to fix the environment, determine that it's not a problem, or accept
>> the risk that was discovered.
>>
>>
> Sorry to drag this back out to the front... I've been beyond busy and
> just now catching up.
>
> One of the things that is blaring to me in these 'security' scans is
> that there is no check of passwords. We can jump through every hoop in
> the world to provide a 'secure' environment, yet without 'verifying'
> with the client a quality password and password policy, this is simply a
> moot point. Yes, one would hope... but if they don't check this how do
> they know? I have had requests for password changes to the most ignorant
> and guessable things. We don't allow any of our users to set their
> passwords, but I do wonder about these supposedly 'secure' sites.
Well, security assessment tools should just be a part of your holistic
security posture. Hopefully, if passwords are a concern, you've set
requirements for complex passwords in your authentication system, and are
routinely running password scans against them.
FWIW, Nessus does have a check for stupid default passwords for default
accounts.
--
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
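The reply above recommends two things: a complexity requirement enforced in the authentication system, and routine scans that catch default or guessable passwords. The following script is an added example (it is not from this thread, from Nessus, or from any CentOS tool) of what such a scan checks: length, character classes, repeated-character runs, and a match against a small list of default passwords after normalising common substitutions such as "@" for "a" and "0" for "o". Every account, password and default-list entry in it is constructed for illustration; `Policy`, `check_password` and `audit` are names chosen here.

```python
"""Password-policy audit (added example, not code from the thread).

Checks candidate passwords against a complexity policy and against a
constructed list of default/guessable passwords, reporting which fail
and why.  All sample data below is made up for illustration.
"""
from __future__ import annotations

import re
import string
from dataclasses import dataclass

# Constructed, illustrative list of default/guessable passwords.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme",
                     "welcome", "root", "letmein"}


@dataclass(frozen=True)
class Policy:
    """Hypothetical complexity rules of the kind set in the auth system."""
    min_length: int = 12
    min_classes: int = 3        # out of: lower, upper, digit, symbol
    max_repeat: int = 3         # longest allowed run of one character
    forbid_defaults: bool = True


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def longest_run(pw: str) -> int:
    """Length of the longest run of a single repeated character."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", pw)),
               default=0)


def normalise(pw: str) -> str:
    """Undo trivial tricks so 'P@ssw0rd1' is compared as 'password'.

    Lower-cases, strips trailing digits/punctuation, then maps the
    common substitutions @->a, 0->o, $->s, 1->i, 3->e.
    """
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(str.maketrans("@0$13", "aosie"))


def check_password(pw: str, policy: Policy = Policy()) -> list[str]:
    """Return the list of policy violations (empty list means it passes)."""
    failures: list[str] = []
    if len(pw) < policy.min_length:
        failures.append(f"too short ({len(pw)} < {policy.min_length})")
    if char_classes(pw) < policy.min_classes:
        failures.append(f"only {char_classes(pw)} character classes "
                        f"(need {policy.min_classes})")
    if longest_run(pw) > policy.max_repeat:
        failures.append(f"repeated character run of {longest_run(pw)}")
    if policy.forbid_defaults and normalise(pw) in DEFAULT_PASSWORDS:
        failures.append("matches a default/common password after normalisation")
    return failures


def audit(accounts: dict[str, str],
          policy: Policy = Policy()) -> dict[str, list[str]]:
    """Return only the accounts whose password fails, with the reasons."""
    return {user: reasons for user, pw in accounts.items()
            if (reasons := check_password(pw, policy))}


# Constructed sample accounts; in a real scan these would come from a
# controlled test of the authentication system, never a plaintext file.
SAMPLE_ACCOUNTS = {
    "admin": "P@ssw0rd1",                    # default password in disguise
    "svc_backup": "aaaa1111BBBB!!!!",        # long, but repeated runs
    "jdoe": "correct-horse-battery-staple",  # long, too few classes
    "ops": "Tr0ub4dor&3-Nov",                # passes this policy
}

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: " + "; ".join(reasons))
```

Running it lists `admin`, `svc_backup` and `jdoe` with their violations and says nothing about `ops`. The normalisation step is the part worth copying: a plain blocklist comparison would miss "P@ssw0rd1", which is exactly the kind of "guessable thing" the earlier message complains about. On CentOS the system-side equivalent of the first three checks is the PAM password-quality module (pam_cracklib, later pam_pwquality) applied at password-change time; a scan like this one covers the accounts that were set before the rule existed.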