[CentOS] security compliance vs. old software versions

[m.roth at 5-cent.us]

Frank Cox wrote:
>
> On Wed, 2010-06-30 at 15:14 -0400, m.roth at 5-cent.us wrote:
>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>> the
>> printers, and left it off. This, of course, slows things down a lot,
>> but
>> it's "Secure".
>
> The point is that the security scan is supposed to be verifying that
> your setup is, in fact, secure.  If you change your setup before running
> the scan, and then change it back immediately afterward, how is that
> verifying that your setup is, in fact, secure?  What you scanned != what
> you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just
> write the Sooper Dooper Security Scanner yourself?
<snip>
> You would gain just as much from that as what you're gaining right now,
> and it would take less effort on your part.

Frank, I'm not sure of the object of your part of the conversation, me, or
the security team that I have to deal with. I'm also feeling as though
we're talking past each other. They ran the scan. My manager handed the
response handling of it to me. As part of what I did, I had to turn off
the laser printers access to their own h/d/ramdisk, thus afflicting the
printers. I did not turn the access back on, so some of the capabilities
and speed of these printerSSS is utterly wasted, and for what? Someone
might get through the gov't firewall, and fill up the h/d on the printer?
Someone might run the trays out of paper?

To me, this indicates that they have *no* concept of what they're
requiring, that they've included treating printers as though they were
servers or workstations.

But then, they also had problems with several servers that another admin
takes care of, complaining that they could allow certain kinds of access,
which would be true of any *Nix variant... but don't exactly work in VMS.
One size of security does *not* fit all.

       mark