Lev Serebryakov <l...@freebsd.org> writes:
> In my experience, "Security audit" people, who could, for example, do
> PCI/DSS audit, are like this. So, yet, it is their level of
> competence, but you could not pass around them, if you want official
> PCI/DSS certification, for example. Did you see this epic thread on
> stackoverflow (or its devops/sysops counterpart) about "log file with
> every login of each user with password in clear text," for example?
That was the first thing that sprang to my mind as well. scryptkiddy, you should tell them to read this:

http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

I've been in a similar situation myself. The JITC audited a customer's product for IPv6 compliance and failed it because it did not put an ICMP destination unreachable on the wire when neighbor discovery failed. Note that the RFC *explicitly states* (but not in a normative section) that this is not required when the error occurs on the originating node. (The product in question did not run FreeBSD, but used an old version of the FreeBSD IPv6 stack.)

They had other idiotic requirements that we were able to work around, and found one genuine but benign bug that had already been fixed in FreeBSD.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security