[CentOS] security compliance vs. old software versions

Tue Jul 6 20:49:09 UTC 2010
John Jasen <jjasen at realityfailure.org>

John Hinton wrote:
> On 6/30/2010 8:54 PM, John Jasen wrote:
>> Well, I'm a security admin, so of course protection is more important
>> than utility! :)
>> But seriously, the assessment tools provide information on your
>> environment, based on certain standard metrics. Its (HOPEFULLY! PCI
>> compliance notwithstanding ....) up to the people who end up reading
>> them to fix the environment, determine that its not a problem, or accept
>> the risk that was discovered.
> Sorry to drag this back out to the front... I've been beyond busy and 
> just now catching up.
> One of the things that is blaring to me in these 'security' scans is 
> that there is no check of passwords. We can jump through every hoop in 
> the world to provide a 'secure' environment, yet without 'verifying' 
> with the client a quality password and password policy, this is simply a 
> moot point. Yes, one would hope... but if they don't check this how do 
> they know? I have had requests for password changes to the most ignorant 
> and guessable things. We don't allow any of our users to set their 
> passwords, but I do wonder about these supposedly 'secure' sites.

Well, security assessment tools should just be a part of your holistic
security posture. Hopefully, if passwords are a concern, you've set
requirements for complex password in your authentication system, and are
routinely running password scans against them.

FWIW, nessus does have a check for stupid default passwords for default

-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire