[CentOS] security compliance vs. old software versions

Wed Jun 30 23:30:56 UTC 2010
Kwan Lowe <kwan.lowe at gmail.com>

On Wed, Jun 30, 2010 at 5:02 PM,  <m.roth at 5-cent.us> wrote:

> Frank, I'm not sure of the object of your part of the conversation, me, or
> the security team that I have to deal with. I'm also feeling as though
> we're talking past each other. They ran the scan. My manager handed the
> response handling of it to me. As part of what I did, I had to turn off
> the laser printers' access to their own h/d/ramdisk, thus afflicting the
> printers. I did not turn the access back on, so some of the capabilities
> and speed of these printers are utterly wasted, and for what? Someone
> might get through the gov't firewall, and fill up the h/d on the printer?
> Someone might run the trays out of paper?

The copy machine requirements are relatively recent, though the
problem has been around for years. Apparently the hard drives inside
the copiers store faxes and images going back for months (depends on
capacity and configuration).  Though I usually scoff at the latest
"massive problems" that make the news, this one did have me worried.
There was a TV exposé that showed how easily one could purchase a
used copy machine, disassemble the hard drive, then have access to
months of confidential information that got stored on the hard drive.
I *never* considered that making a copy at a Kinko's could leave my
private information in someone's hands.

>
> To me, this indicates that they have *no* concept of what they're
> requiring, that they've included treating printers as though they were
> servers or workstations.

Right, the scanners rarely have any idea of what it is that they're
requesting. They've often asked me for screenshots of a PuTTY session
to "verify" that a setting is correct. In essence, they are trusting
the person providing the information to comply with the requirement.

And of course the other problem is that the requirements are rather vague.

> But then, they also had problems with several servers that another admin
> takes care of, complaining that they could allow certain kinds of access,
> which would be true of any *Nix variant... but don't exactly work in VMS.
> One size of security does *not* fit all.

For many compliance efforts, showing that a problem is mitigated by
other controls is sometimes enough for compliance.