[CentOS] security compliance vs. old software versions

Wed Jun 30 22:03:41 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 6/30/2010 4:39 PM, m.roth at 5-cent.us wrote:
>> companies/business units/administrators police themselves so you need
>> metrics for someone else to test with.  And even internally you need to
>> document why the failure of any standard check should be overlooked.
>
> No, the security people should have defined requirements specifically for
> our environment, rather than using something that's designed, say, for a
> std. corporate IT dept.

I like the sentiment, but the people making the situation-specific rules
would need to know more than the people actually doing the work, which
doesn't seem likely to happen.  And there's some value in making
everyone follow the same rules.

-- 
   Les Mikesell
    lesmikesell at gmail.com