On Thu, Jul 11, 2019 at 9:30 AM Laurence Perkins <lperkins@×××××××.net>
wrote:

> When the security auditors come through and ask what standard I use for
> securing my systems I'd like to have something to tell them.
>
> I've had a few suggestions like USGCB, etc. But looking at them they
> all seem to start from the direction of "take a bloated, wide-open
> Microsoft/Redhat default OS and do these things to make it 'secure' so
> you can let several dozen users play around on it without fear."
>
> A lot of the stuff on the list doesn't apply to or would slightly
> reduce the overall security of the device (I think I'll keep my default
> umask at 077 thanks...)
>
>
You could still use USGCB (or whichever standard the auditors regard
highly) but then document the differences with a note explaining why. For
USGCB I'd add another column to the spreadsheet with options of
compliant/non-compliant with mitigations/non-compliant/not applicable and
another column for notes. E.g. umask 077 would be compliant, and in the notes
column "stricter than required".

From their point of view they need to justify passing you, and USGCB states
"these recommendations do not address site-specific configuration issues.
Care must be taken when implementing these settings to address local
operational and policy concerns" so deltas are expected. Don't worry if it
seems like it's all deltas...
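The delta-tracking spreadsheet described in the reply, as an added example that is not part of the original thread: a small Python script that scores a host's observed settings against a benchmark checklist using the four statuses proposed above (compliant / non-compliant with mitigations / non-compliant / not applicable) and fills a notes column, marking "stricter than required" where a setting exceeds the baseline. The benchmark item ids (EX-01 ...), the setting names and the observed values are constructed placeholders, not real USGCB identifiers or values; the only technique-specific logic is the umask comparison, which treats a mask containing every bit of the required mask as at least as restrictive.

```python
"""Added example (not part of the original thread): a benchmark delta
tracker producing the extra spreadsheet columns the reply suggests.
Item ids, setting names and values are constructed placeholders."""
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

STATUS_COMPLIANT = "compliant"
STATUS_MITIGATED = "non-compliant with mitigations"
STATUS_NONCOMPLIANT = "non-compliant"
STATUS_NA = "not applicable"


def umask_at_least_as_strict(observed: str, required: str) -> bool:
    """umask bits *remove* permissions, so an observed mask that contains every
    bit of the required mask is at least as restrictive (077 satisfies 022)."""
    obs, req = int(observed, 8), int(required, 8)
    return obs & req == req


def at_most(observed: str, required: str) -> bool:
    """Numeric ceiling: a smaller value (e.g. password max age) is stricter."""
    return int(observed) <= int(required)


def exact(observed: str, required: str) -> bool:
    """Setting must match the benchmark value exactly."""
    return observed == required


@dataclass
class Check:
    item_id: str          # benchmark row id (placeholder, not a real USGCB id)
    setting: str          # key in the observed-config dict
    required: str         # value the benchmark asks for
    satisfied_by: Callable[[str, str], bool]
    applicable: bool = True
    na_reason: str = ""


@dataclass
class Row:
    item_id: str
    setting: str
    required: str
    observed: Optional[str]
    status: str
    notes: str


def evaluate(checks: List[Check], observed: Dict[str, str],
             mitigations: Dict[str, str]) -> List[Row]:
    """One spreadsheet row per benchmark item. `mitigations` maps an item id
    to the documented compensating control for a non-compliant item."""
    rows = []
    for c in checks:
        value = observed.get(c.setting)
        if not c.applicable:
            status, notes = STATUS_NA, c.na_reason
        elif value is None:
            status, notes = STATUS_NONCOMPLIANT, "setting not present on host"
        elif c.satisfied_by(value, c.required):
            status = STATUS_COMPLIANT
            notes = "stricter than required" if value != c.required else ""
        elif c.item_id in mitigations:
            status, notes = STATUS_MITIGATED, mitigations[c.item_id]
        else:
            status, notes = STATUS_NONCOMPLIANT, ""
        rows.append(Row(c.item_id, c.setting, c.required, value, status, notes))
    return rows


def to_csv(rows: List[Row]) -> str:
    """Render the rows as the status and notes columns for the spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["item", "setting", "required", "observed", "status", "notes"])
    for r in rows:
        w.writerow([r.item_id, r.setting, r.required, r.observed or "",
                    r.status, r.notes])
    return buf.getvalue()


# Constructed sample benchmark (placeholder ids) and observed host config.
SAMPLE_CHECKS = [
    Check("EX-01", "umask", "022", umask_at_least_as_strict),
    Check("EX-02", "pass_max_days", "90", at_most),
    Check("EX-03", "sshd_permit_root_login", "no", exact),
    Check("EX-04", "gui_screensaver_lock", "yes", exact,
          applicable=False, na_reason="headless server, no GUI installed"),
    Check("EX-05", "core_dumps_disabled", "yes", exact),
]
SAMPLE_OBSERVED = {
    "umask": "077",
    "pass_max_days": "365",
    "sshd_permit_root_login": "no",
}
SAMPLE_MITIGATIONS = {
    "EX-02": "password auth disabled; keys rotated via CM every 90 days",
}


def sample_report() -> List[Row]:
    """Evaluate the constructed sample host against the sample checklist."""
    return evaluate(SAMPLE_CHECKS, SAMPLE_OBSERVED, SAMPLE_MITIGATIONS)


if __name__ == "__main__":
    print(to_csv(sample_report()))
```

The comparator per item is what keeps the tracker honest: an "exact" match would flag umask 077 as a deviation from 022, whereas the bitwise check records it as compliant with the note the reply suggests. A setting that is simply absent from the host's observed config is reported as non-compliant rather than silently skipped, so the delta list the auditor sees is complete.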