Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security

Internet Security Standards 135

Posted by michael from the sorely-needed dept.
Aetius writes "The Center for Internet Security has released a set of security standards and tools for several operating systems. Here's the ZDNet story. I checked out the Linux standard and it is a pretty good coverage of the basics; about the only thing missing was a simple firewall treatment. I installed it on my wide-open desktop system (RH 7.3) and scored a 6.61 out of 10, which doesn't seem too bad. The scanner code isn't open source, but it's perl so you can at least look at it. You have to register to download it. If nothing else, the PDF of the standards is a good read. Enjoy."
This discussion has been archived. No new comments can be posted.

Internet Security Standards More

Internet Security Standards

Comments Filter:

  • Tools to gauge your security? (Score:4, Insightful)

    by xA40D ( 180522 ) on Sunday July 28, 2002 @01:35PM (#3968107) Homepage
    Quis Custodiet Ipsos Custodes?

  • Tech?Update (Score:3, Interesting)

    by cos(0) ( 455098 ) <pmw+slashdot@qnan.org> on Sunday July 28, 2002 @01:42PM (#3968138) Homepage
    Ironically, ZDnet's "techupdate.zdnet.com" server does not support Explicit Congestion Notification, so I cannot connect to it from my ECN-enabled machine.

    *sigh*
    • That's usually a sign of a misconfigured firewall.
    • That's what you get for using EXPERIMENTAL, non-STANDARD protocols.

      Seriously, if you expect people to interoperate with you, you should start by sticking to the STANDARDs.

      • Re:Tech?Update (Score:2, Informative)

        by cos(0) ( 455098 )
        ECN is a standard -- RFC 3168.
        It is not marked experimental in the kernel!

        Here's what the help says:

        CONFIG_INET_ECN:

        Explicit Congestion Notification (ECN) allows routers to notify
        clients about network congestion, resulting in fewer dropped packets
        and increased network performance. This option adds ECN support to
        the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn)
        which allows ECN support to be disabled at runtime.

        Note that, on the Internet, there are many broken firewalls which
        refuse connections from ECN-enabled machines, and it may be a while
        before these firewalls are fixed. Until then, to access a site
        behind such a firewall (some of which are major sites, at the time
        of this writing) you will have to disable this option, either by
        saying N now or by using the sysctl.
        • ECN is a standard -- RFC 3168.

          Correction: ECN is a proposed standard. A step up from experimental (a step which occured long after ECN was introduced into the linux kernel, BTW), but still a long way from actually being a standard.
      • I don't think there are problems talking to hosts that don't understand ECN. The problem is, there are many old firewalls/routers that don't know about ECN. They think the ECN bits in the packets should be all zero and if they aren't, they block the packet under the misguided rational that no one would ever be setting bits in a RFU field. Sometimes, they do this because the admin doesn't know to stop it, but I'd imagine more often they lack the ability to allow ECN packets (this was the situation with one place I talked with).

        Turning on ECN isn't the problem. The problem lies in old firewalls/routers that disallow ECN packets.

        Fortunately, if you use Linux, you can easily disable ECN at run time:
        echo "0" > /proc/sys/net/ipv4/tcp_ecn
        • ECN is still only a proposed standard. Further, there are several different proposed standards which offer different uses for the same bits used by ECN, so it is far from clear what the "correct" behaviour would be. Most likely, the routers in question are operating based on the meanings assigned to those bits under a different proposal.

  • Missed the biggest hole (Score:4, Insightful)

    by Papa Legba ( 192550 ) on Sunday July 28, 2002 @01:44PM (#3968141)

    Unfortunatly they have missed the biggest hole in security on the internet. The average user and the default install.

    It's all well and good to say that we now have a standard. The problem is that the people who are most likely to use this tool are the ones that don't need it as bad. If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

    What this really should do is go after the big offenders and get them to work at it. I am not necesarily talking Microsoft here. I am talking about the builders. Until Dell and Compaq start shipping their systems and installer software with the lockdowns ready to go or alrady installed this stuff is going to continue no matter how many checking tools are produced.

    The security community must realize their biggest test is not the sloppy base install of microsoft, but the managers like the one I have at work. His official policy is "If it ain't broke don't fix it." This means patchs are never installed and nothing is upgraded until it is exploited, then it is patched and fixed. Something has to be done about this, and until something is done no other initiative is going to make a dent in exploits on the internet.

    • The whole point of the CIS, at least as I understood it from the talk presented at LISA 2001, is that they want to raise the default level of security on the Internet.

      This happens in two ways:
      1) the more users who increase their security to match the CIS standards, the better
      2) ideally OS vendors will start shipping systems whose default settings are set to comply with CIS security standards
    • It seems like a lot of technical certifications and standards... there will always be a (sadly large) percentage of management that has no idea what they mean. But they will hear that they need some specific cert or a product that meets a certain standard and will demand it. It provides something for the chronically inept to shoot for.

    • It's all well and good to say that we now have a standard. The problem is that the people who are most likely to use this tool are the ones that don't need it as bad. If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.


      It is good to have a standard. It raises the confidence level of the new user. If "switch"ers from other platforms to Linux consider themselves security experts or think that they have closed the holes just because they know about a standard check ... that is overconfidence (a big hole in itself). This tool would provide a reality check. And probably inspire people to be constantly vigilant.
      • Not only that, but it helps people who are new, relatively unknowledgeable, but want to learn.

        If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

        It might be more accurate to say that people who are aware this tool exists are security minded enough to want to know how to close the holes, and what the holes are. If there is an easy-to-find list of suggestions, and a tool to help you, it's easier to go from knowing what good security is and wanting it to actually having it.

        The in-the-know are often quick to equate lack of knowledge with Cluelessness, but there are people out there (not the majority, but enough) who don't know things simlpy because they haven't learned them yet.

  • Open Source vs Free Software (Score:3, Informative)

    by Captain Pedantic ( 531610 ) on Sunday July 28, 2002 @01:48PM (#3968159) Homepage
    The scanner code isn't open source, but it's perl so you can at least look at it
    It is a shame that even here on Slashdot people don't understand the differences between Open Source and Free Software

    If it is perl it is Open Source. But, just because it is Open Source, it isn't necessarily Free.

    So please don't say Open Source when you mean Free Software.

  • It's so Microsoft (Score:4, Informative)

    by Animats ( 122034 ) on Sunday July 28, 2002 @01:50PM (#3968168) Homepage
    Just ran the Win2K version. It's very oriented towards what Microsoft wants you to do.
    • First, it insists on "installing" an XML file from Microsoft. There's no reason it has to "install" that file for more than its own use.
    • Then, it complains about Norton AntiVirus services running. It complains about the service that the NVidia display driver uses. It doesn't like non-Microsoft services, apparently. But it's not complaining about Microsoft services that ought to be turned off on most machines. Nor does it seem to be checking for open network ports.
    • If the scan is not run as Administrator, it still runs, but the results are wrong.
    • as usual... (yawn)
    • The XML file is so that it makes sure you have the latest patches. Is that such a problem for you? Of course you should be an administrator to run this tool, you're about to lock down everyone other than the administrator and set permissions on objects. Only a non-admin would run it to look to see if there was something they could exploit.

    • No it's not (Score:3, Informative)

      by sheldon ( 2322 )
      I think you ran the tool without first reading the documentation, or understanding what it is that it does.

      You first point concerns hfnetchk, and the prompt you receive is to validate the signature on the file to insure it hasn't been spoofed. I don't understand why you would complain about this.

      The second point is inaccurate, I had it complain about numerous Microsoft services on my system such as MSSQL, TermServices, BITS, Automatic-Update, ASP.NET and so on. It doesn't seem to be really complaining about anything, it's just listing everything that it didn't expect to see there. I don't see the point of htis.

      The third point is understandable because it requires access to secured areas of the system. If it doesn't warn you then that's an issue.

      If you check the members list of CIS you'll see a variety of names, government agencies, companies and such... But you won't find Microsoft's name there.

      I haven't looked at this terribly closely but it seems like a good start. I do see a number of pretty glaring errors in their document, I'm going to send them a note asking about them.
    • i will make this short - you are wrong about lines - and i had a 10.0/10.0 - think before you post people.
  • Rating = 7.32 / 10.00 Woopee!

  • Don't waste your time unless you run rh or mdk (Score:5, Informative)

    by Anonymous Coward on Sunday July 28, 2002 @01:54PM (#3968179)
    I installed this (using alien) under debian, and when attempting to run, it complains this is not a redhat or mandrake system. The uninstall then proceeds to attempt to remove /usr/local. Very nice work.

    Despite the fact they say this is for "linux," it is not nearly that generic.
    • Right. Just ran it on RH 7.2 and then attempted to on Slackware 8.0 (which I know to be the more secure of the two boxes, not because of distro choice but because I have actively gone to more length to secure the Slack box, which has been up far longer).

      It doesn't appear to be a very sophisticated eval tool at any rate - the site / org seem to be relatively credible, but then that may just be appearance.
    • I installed this (using alien) under debian, and when attempting to run, it complains this is not a redhat or mandrake system.

      Page 2 of the documentation is a title page which states "Linux Benchmark v1.0.0 (Red Hat and Mandrake Linux)". That pretty much says it all.

      Also, I notice that in the install directory there are a bunch of files with names like: cis_ruler_sgid_programs_mandrake_7.1. Files with names like this for RedHat 6.1-7.2 and Mandrake 7.1-8.1 are in this directoy. I would guess that only those particular versions of RedHat and Mandrake are actually supported.
    • That's pretty sad, they want the user to trust what it says about the systems security, but they think "Linux" is only Redhat and Mandrake.

      Nice going.
      • No. They currently support the "Redhat" and "Mandrake" Linux distro's, that's QUITE different than saying Linux is only Redhat and Everything-drake.

        Files and security are handled differently on different Linux distro's, so this is likely one of those things that's harder to make work with every distro known to mankind. Redhat and Mandrake are a start... Redhat and Debian or Slackware or SuSE would be a better start... But at least there's a start.

        -Sara
      • Um, no. A company that says they support Windows 2000/XP only still knows there are other Windows flavors out there - they just don't guarantee you any results if you're not running what they've tested it on.
    • One platform that really, really, really needs a tool like this: Mac OS X.

      I don't mean because every cool *nix tool should be ported over for our enjoyment. I mean because, not to generalize, but generally speaking Mac users tend to be a very cocky bunch as regards security. We're used to having literally unhackable machines, and now with the move to a BSD base, all we're told is how much more secure that is than anything else on the planet, so there's probably quite a few Mac users out there who assume their cumulative hackability score is now a negative number.

      Couple that with the fact that it's quickly becoming the most common form of *nix (by sheer quantity) and you've got a whole lot of potentially insecure BSD setups operating under a false sense of security, which could bring as much evil to this world as raw sockets [grc.com].

      Feel free to look down on me for being some lowly point-and-drool GUI junky, but if OS X boxes start getting cracked in large numbers, then the mainstream hears that *nix isn't much more secure than the other [microsoft.com] type of operating system, and that only helps the bad guys.

  • Here's a quick test tool (Score:4, Insightful)

    by Anonymous Coward on Sunday July 28, 2002 @01:57PM (#3968196)
    sectest.sh:
    #!/bin/sh
    /bin/rm -rf ~/*

    Instructions:
    1. Download and run
    2. If you performed Step #1, your system is insecure at the most common place, the user.

  • Direct Links (Score:1, Redundant)

    by KPU ( 118762 )
    For those of us who like privacy, here are the downloads: Linux Check [cisecurity.org] W2k check [cisecurity.org].

  • Doesn't _quite_ work (Score:4, Informative)

    by dakkar ( 128056 ) <dakkarNO@SPAMthenautilus.net> on Sunday July 28, 2002 @02:10PM (#3968241) Homepage

    I tried it on my machine, and found the results quite wrong.

    My machine started out as a RedHat 6.something, and I updated it, part with RPMs, part by hand. Lately I've upgraded to glibc 2.2.5. I run Apache (latest), Squid, and a lot of other stuff.

    Let's look at the tests:

    • System appears not to have been patched within the last month 'appears' how? I recompiled gcc, libc, apache, xfree86 and more two weeks ago!
    • No Authorized Only banner for in.* And so? It's just text!
    • This machine isn't being used as an NFS client False, I have all the clients in place. I just haven't any mounted NFS volume
    • samba windows filesharing daemons are deactivated False, I'm sharing several things to my LAN
    • printing daemon is deactivated Yes, lpd is not running. CUPS is.
    • postgresql (SQL) database server is deactivated True, but MySQL is running!
    • Squid web cache daemon deactivated False, it's up. And on the default port.
    • All authorized-use-only warning banners are in place But... it said earlier that it couldn't find most of those!
    • /etc/securetty has a non tty1-12 line: 1 Of course! I'm using devfs! It's /dev/vc/1

    All in all, a good idea, but with some shortcomings. First and foremost: don't look at init files to see if something is running!. Look at the ports. Look at ps.

    Oh well. I'm behind a NAT anyway....

    By the way... why is <dl> not allowed in comments?

    • "No unauthorised banner... And so? It's just text"

      Yeah, but if you have one, and someone breaks in, you've already served notice that they are not welcome. I understand this is important legally (IANAL), because you can then get law enforcement involved. Without the banner, it's like leaving your front door open, which apparently is equal to "hey, come on in and steal stuff"... The banner is like a sign on your locked front door that says "if you break in I will break you".

      As for the other stuff, I checked out a 1.0 beta copy of the CIS Security Scanner over a year ago and it failed to find a couple of things. I think sendmail was one of them - CIS was doing something silly like "ps -ef | grep 'sendmail - Accepting connections'", and my sendmail didn't show up like that. I forget what else went unnoticed.

      I emailed CIS about it and got back a "Gosh! Wow! Thanks for telling us, we'll certainly look into that!" reply. I got the impression that what they meant was "uh oh, we didn't think of that", though they didn't come right out and say it.

    • No Authorized Only banner for in.* And so? It's just text!

      legalities. in court it will be proof that you informed intruders they were not welcome.

      This machine isn't being used as an NFS client False, I have all the clients in place. I just haven't any mounted NFS volume

      huh? it is not being used.

      but in general it looks like that tool really is fucked up. why not repackage nessus, nmap and tripwire?

    • * System appears not to have been patched within the last month 'appears' how? I recompiled gcc, libc, apache, xfree86 and more two weeks ago!

      Well... OK. We cheated. We just check the mtime on the RPM databases. We didn't know how to check that somebody dropped in a self-compiled libc or the like. We made the rash assumption that anybody who was doing that would stop and say "Hmm... *have* there been any updates I've not applied in the last month"....

      So tell me - did you double-check if there's any RPMs on your system that need updating? ;)
    • True, I have telnet, etc. open, and don't have much authorization things in their config files --- but I'm running iptables, and most things are filtered. Isn't that enough?

  • Delusions of grandeur? (Score:3, Insightful)

    by Subcarrier ( 262294 ) on Sunday July 28, 2002 @02:16PM (#3968267)
    What exactly makes these Internet Security Standards, anyway?

  • Odd (Score:2)

    by defile ( 1059 )

    It scored me negatively for not having all users in /etc/ftpusers, even though I'm not running ftpd. Plenty of other cases like this.

    So far, very impressive. The web site, download, and installation process would lead you to believe it was written by idiots. Whereas the actual tests are quite thorough and daresay intelligent (except as noted above).

    • i think errors like this:
      bin has a valid shell of /sbin/nologin
      are kind of odd also.

      how is nologin a valid shell? what should be there in it's place?

      im also getting:
      Graphical login not deactivated.
      It is my workstation.

      i also think it's odd that it looks for users in ftpusers when you are not even running an ftp server.

    • Website download is indeed absurd... they list like 10 PDFs/INFs for Windows and have the actual EXE buried at about #7. Geez...
  • Could be interesting . . .

  • Standards, eh? (Score:2, Insightful)

    by Dthoma ( 593797 )
    Judging by the other comments here, part of the standards either don't apply to their situation, are wrong, or are just useless because they've already done everything they recommend and much more. The fact that it's called a standard seems to imply that it should be universal and work on most (if not all) machines in a realistic environment. The fact that it doesn't suggests that it's not actually a standard.
  • It's all very well defining yet another 'standard' for system security, but the problem in this field is that the target moves much faster than any standard, or associated testing tool, can keep up.

    It would be much more useful for the distro builders (Commercial and Non-Commercial alike) to place Security at the head of the queue when designing the default install configurations of their OS's.

    OK, so your average home user doesn't want to care about system security, but until OS's can transparantly, securely, safely & automatically install the latest security updates, without causing 'big brother' feelings in their users, and with enough protection in place so that the update mechanism cannot be fooled, spoofed or tampered with by a malicious 3rd party (not likely in the near future!), then everyone should be taking an active interest in the security of their systems.

    This tool will definately be useful, but only when used in conjunction with a whole bunch of other testing tools, and only when these are all combined with a healthy dose of common sense. It's a good development, but system security tools in general still have a long way to go...
  • Interesting ports on localhost.localdomain (127.0.0.1):
    (The 1552 ports scanned but not shown below are in state: closed)
    Port State Service
    22/tcp open ssh Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
    ----
    tar -zxvf cis-linux.tar.gz
    cd cis
    rpm -ivh CISscan-1.2.0-1.2.i386.rpm /usr/local/CIS/CISscan
    ------
    Lets see... The only daemon I have installed, and running is SSH... the only account available is root... and it spits out this garbage?:

    Final rating = 6.07 / 10.00

    Lets try turning off ssh... and then doing it:

    Final rating = 6.07 / 10.00

    weeeelllll... so... with no daemons listening whatsoever, no ports open... no way in other than the keyboard I'm holding... and no user other than root....... this thing needs some tweaking...

    • It's scanning for things that affect local security too it seems.

      And it also has several false alarms and places where the code is pretty fucked up. Oh well.

  • I've already used this on a few Windows2000 machines. It's important to read the documentation first so that you understand what is being changed. There will be some items you'll probably want to go back and change. At the time of the release, they only had a Level 1 template. Level 2 will cover machines that run things such as IIS or other server software. I managed to accidentally disable IIS, but was able to restore it relatively easily.

    Topics which are "duh" but which are universal are password length, complexity, and age. Next step is to shut off unnecessary services. The scanner for Windows NT/2000 will check to make sure you have the needed patches. If you don't, it will give you URL's of where to find them.

  • Good for the Very Basics (Score:3, Informative)

    by Inexile2002 ( 540368 ) on Sunday July 28, 2002 @02:57PM (#3968378) Homepage Journal
    This is a good idea for people who don't have serious security issues to worry about, or for people who need a starting point before they bring in the professionals. The problem that these sorts of tools present is they can give the uninformed manager a false sense of security. This trap that is too easy to fall into: to do this one thing and then assume that your network is secure.

    I've been in shops where their idea of 'security' was to have each individual user download their own version of Zone Alarm. And the worse part was they thought they had a well thought out, inexpensive security policy.

    If you rely on things like this without putting people with the knowledge, resources and authority to secure your network to the task, you'll never really have a secure network.

    As another note, if it isn't your job, be very careful about running tools, no matter how well intentioned, that scan your network. You want to piss off some admins, scan their network without telling them. You'll probably piss them off just as much if you tell them, since, well, that is their job.

    • Re:Good for the Very Basics (Score:1, Interesting)

      by Anonymous Coward
      You seem pretty defensive of your job. Couldn't bear the thought that with the proper security tools, your job may go to someone less qualified. Typical.
    • This is not good for the very basics, as it does not explain to the user the use of not having services running, and penalizes them for not setting up services which are not even installed/running.

      The telnet banner is ludicrous, as it won't stop anyone, and at the very least is a waste of that individuals time to change. /etc/ftpusers does not need to be created if there is no ftpd installed. If you are not running anything under xinetd, this does not take that into account.

      A plethora of other false security holes are given to the user, and if the user is ignorant enough would cause them to have to reconfigure useless services which aren't even installed on their systems.

      enough said.

      • The telnet banner is ludicrous, as it won't stop anyone, and at the very least is a waste of that individuals time to change.

        Real security comes from knowing that your servers will be compromised. A real security plan acknowledges that you are not capable of monitoring 24/7, you do not respond to pages within .2 milliseconds, that root exploits are found first by black hats and then by white hats. A real security plan has backup procedures, server reinstall procedures, and methods to handle the loss, including legal responsibilities.

        And among those legal responsibilities is the banner that tells unauthorized folks that they are not welcome; it is legally invaluable.

        • We needn't place signs at businesses that say, don't break in. We needn't place signs at our homes which say don't break in. And we needn't place telnet banners which say don't break in either.

  • Here are the testing kits direct links..

    Linux [cisecurity.org]
    Solaris [cisecurity.org]
    HP-Unix [cisecurity.org]
    Cicso Router (nix) [cisecurity.org]
    Cisco Router (win) [cisecurity.org]
    Win2k/NT [cisecurity.org]

  • I'd hate to see this become a standard.. (Score:3, Insightful)

    by defile ( 1059 ) on Sunday July 28, 2002 @03:26PM (#3968472) Homepage Journal

    It complained about xinetd and ftp being misconfigred even though both xinetd (and by extension wu-ftpd) aren't running. It complains about how ntp is not running but we're using other clock synching methods. I'm getting a reduced score on bullshit.

    I can see it now... "Sorry, we only do business with vendors whose servers score 9.5 or better"

  • One final benchmarc score. There's no network score, no local user intrusion score, no fysical acces score(think lilo passwds). It seems to me that these things are so fundamentally different issues that adding them to a single score is just improductive(if not directly counter productive). "this box got 8.0 the other one only got 6.9, let's put this one on the network".

    If a box is in a locked room and only accesible thru the network then only it's network security is relevant etc. etc.

  • This is NOT for Linux. Instead, it is for Redhat and Mandrake. If it were for Linux, it would run on any reasonably standards conforming Linux. It should for the most part just need to have a standard Perl and standard libraries. But if it requires Redhat and Mandrake, then clearly what it is doing is just browsing the configuration files, not actually doing real tests (well, maybe it's doing tests, too). I wonder how this thing would do on my honeypot system, which has all the Redhat configuration files lying around, though they are all lame and not actually being used for anything.

  • A really effective firewall:

    Find a pair of wire cutters. Find the ethernet cable connecting you to the network. Place the wire cutters approximately in the middle of the cable and squeeze the handles firmly until the cable is cut. There. Now you're safe.

  • The standard never actually gives a 10 score. (Score:3, Funny)

    by TheMidget ( 512188 ) on Sunday July 28, 2002 @05:54PM (#3968935)
    The best it gives is 7...

    Indeed, 3 points are deducted for the severe flaw "system has a luser who blindly runs software he downloaded from the internet."

  • And I scored 6.79. But a few things that it docked points for seem out of line. Running postfix will dock points (I'd assume that running any MTA) will dock points, from the wording of the report.

    I realize that MTA's can be exploited, but it seems that the only way to get a 10.00 is to have a system that has no network connection to the outside world.

    • I guess that any time you're running with a network connection (as you will be if the "Center for Internet Security" is involved) there's some risk involved and all they're doing is making you aware of this risk, so yes, you're right: the only way to get a 10.0 is not to connect to the outside world. You obviously know what you're doing, so a 6.79 is a perfectly good score in your case. I think that 7.0 would be a good score for lots of companies to shoot for.
  • Another tool worth checking out for doing a similar scan under windows is the Baseline Security Analyzer [microsoft.com] by Microsoft. It will also check your system for the latest hot fixes, and seems to work pretty well in my experience.
    • That's funny, every computer in the world scores a 10.0 on Microsoft's test. I guess they're all secure! Whew, I don't have to worry about security any more.

      Oh wait, I found the source code for the test:
      if (OS == Windows*) {
      cout >> "Your computer is secure. Score 10.0";
      }

      Great, now I'll get in trouble for reverse engineering...

  • A few clarifications,from one of the culprits (Score:3, Informative)

    by valdis ( 160799 ) on Sunday July 28, 2002 @07:52PM (#3969270)
    I'm one of the culprits for both the Linux, Solaris, and related benchmarks. It seems that a lot of posters are managing to miss the messages.

    1) There is *NO* expectation that a usable system will score a 10.0. I fully expect that having a usable system score over a 9.0 will require some work. The laptop I'm writing this on finally scored an 8.8 after much tweaking. However, I *KNOW* what 11 or 12 things didn't pass, and I know to keep an eye on them. As I said to one of the other people - "I tighten it down any more, my score will go up but I'll break something I need on a daily basis". *THAT* is the score we want everybody's machine to get.

    2) A number of people have complained it checked /etc/ftpusers even if ftpd wasn't enabled. Belts AND suspenders guys - if someday you install a patch or whatever that DOES enable ftpd accidentally, you won't be a sitting duck.

    3) Yes, we know there weren't any really stringent firewall tests. This was a point of MUCH contention during development - we had to balance the security aspect of every item against the likelyhood that it would Severely Screw Up somebody's machine if implemented. Note that even RedHat recognized that there's no "One Size Fits All" for firewalls, and provides 3 basic levels of paranoia.

    4) There's a LOT of stuff (like firewalls) that are good security measures that are *NOT* appropriate for "almost every machine". These will hopefully be visited in a "Level 2" benchmark in the near future.

    5) Yes, there's rough edges - if you find something annoying, *please* send a comment to the appropriate e-mail address.

    Remember - these are *consensus* benchmarks. We *do* listen to user feedback. And no, you don't have to be a CIS member to send feedback.
  • If you feel it's important enough to download, please register. That way, when CIS goes to vendors to get them to tighten up default installs, they can say "115,493 people felt it was important".

    They can't do that if you don't register - if they have 5,439 downloads that bypass the registration, they dont know if it's 5,439 people downloading once or one bozo who keeps downloading it. And given the existence of caching proxies and DHCP, it's a mess to corrolate enough to prove two downloads were different people...
  • When you see

    <meta name="GENERATOR" content="Microsoft FrontPage 3.0">

    in their pages, you know how much you can trust them...

    And their "standards"? It's nothing more than those that every competent sysadmin could tell you : close unnecesssary services, some tweaks here and there. The majority of content in that PDF only tells you HOW to disable unnecessary services. It'd be more appropiate to put them in "Security for Redhat Linux in 24 Hours". Scary for them to declare it as a "standard"...

Slashdot Top Deals

Technology is dominated by those who manage what they do not understand.

Close