| 1 |
On Thu, Jul 11, 2019 at 9:30 AM Laurence Perkins <lperkins@×××××××.net> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> When the security auditors come through and ask what standard I use for |
| 5 |
> securing my systems I'd like to have something to tell them. |
| 6 |
> |
| 7 |
> I've had a few suggestions like USGCB, etc. But looking at them they |
| 8 |
> all seem to start from the direction of "take a bloated, wide-open |
| 9 |
> Microsoft/Redhat default OS and do these things to make it 'secure' so |
| 10 |
> you can let several dozen users play around on it without fear." |
| 11 |
> |
| 12 |
> A lot of the stuff on the list doesn't apply to or would slightly |
| 13 |
> reduce the overall security of the device (I think I'll keep my default |
| 14 |
> umask at 077 thanks...) |
| 15 |
> |
| 16 |
> |
| 17 |
You could still use USGCB (or which ever standard the auditors regard |
| 18 |
highly) but then document the differences with a note explaining why. For |
| 19 |
USGCB I'd add another column to the spreadsheet with options of |
| 20 |
compliant/non compliant with mitigations/non compliant/not applicable and |
| 21 |
another column for notes. eg umask 077 would be compliant, and in the notes |
| 22 |
column "stricter than required". |
| 23 |
|
| 24 |
From their point of view they need to justify passing you, and USGCB states |
| 25 |
"these recommendations do not address site-specific configuration issues. |
| 26 |
Care must be taken when implementing these settings to address local |
| 27 |
operational and policy concerns" so deltas are expected. Don't worry if it |
| 28 |
seems like its all deltas... |
Archives