[CentOS] security compliance vs. old software versions
Les Mikesell
lesmikesell at gmail.com
Wed Jun 30 21:28:35 UTC 2010
On 6/30/2010 4:02 PM, m.roth at 5-cent.us wrote:
>
> Frank, I'm not sure of the object of your part of the conversation, me, or
> the security team that I have to deal with. I'm also feeling as though
> we're talking past each other. They ran the scan. My manager handed the
> response handling of it to me. As part of what I did, I had to turn off
> the laser printers access to their own h/d/ramdisk, thus afflicting the
> printers. I did not turn the access back on, so some of the capabilities
> and speed of these printerSSS is utterly wasted, and for what? Someone
> might get through the gov't firewall, and fill up the h/d on the printer?
> Someone might run the trays out of paper?
Actually the problem with hd's on printer/scanner/fax machines is that
when you scrap the device, someone can pull the drives and easily
recover all the confidential info that has been through them that no one
thought about securing. You probably do have a policy about not
scrapping computers without removing or securely wiping the hard disks -
but all the same stuff ends up on the printers too.
> But then, they also had problems with several servers that another admin
> takes care of, complaining that they could allow certain kinds of access,
> which would be true of any *Nix variant... but don't exactly work in VMS.
> One size of security does *not* fit all.
True, but how would you do it better from a very high level - where you
want to end up with an unbiased audit that shows best practices are
being followed? We should probably know better by now than to let
companies/business units/administrators police themselves so you need
metrics for someone else to test with. And even internally you need to
document why the failure of any standard check should be overlooked.
--
Les Mikesell
lesmikesell at gmail.com