[CentOS] security compliance vs. old software versions
Ross Walker
rswwalker at gmail.com
Wed Jun 30 23:03:44 UTC 2010
On Jun 30, 2010, at 6:03 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On 6/30/2010 4:39 PM, m.roth at 5-cent.us wrote:
>>> companies/business units/administrators police themselves so you need
>>> metrics for someone else to test with. And even internally you need to
>>> document why the failure of any standard check should be overlooked.
>>
>> No, the security people should have defined requirements specifically for
>> our environment, rather than using something that's designed, say, for a
>> std. corporate IT dept.
>
> I like the sentiment, but the people making the situation-specific rules
> would need to know more than the people actually doing the work which
> doesn't seem likely to happen. And there's some value in making
> everyone follow the same rules.
Plus, one can also write up a detailed report for any given exception explaining why it is either not applicable for a given platform (including exploit test results) or that there is a definitive business reason why the exception must exist and that there are mitigating controls around it.
-Ross