On Thu, Jul 11, 2019 at 9:30 AM Laurence Perkins <lperk...@openeye.net>
wrote:

> When the security auditors come through and ask what standard I use for
> securing my systems I'd like to have something to tell them.
>
> I've had a few suggestions like USGCB, etc.  But looking at them they
> all seem to start from the direction of "take a bloated, wide-open
> Microsoft/Redhat default OS and do these things to make it 'secure' so
> you can let several dozen users play around on it without fear."
>
> A lot of the stuff on the list doesn't apply to or would slightly
> reduce the overall security of the device (I think I'll keep my default
> umask at 077 thanks...)
>
>
You could still use USGCB (or whichever standard the auditors regard
highly) but then document the differences with a note explaining why. For
USGCB I'd add another column to the spreadsheet with options of
compliant / non-compliant with mitigations / non-compliant / not applicable, and
another column for notes. E.g. umask 077 would be compliant, and in the notes
column "stricter than required".

From their point of view they need to justify passing you, and USGCB states
"these recommendations do not address site-specific configuration issues.
Care must be taken when implementing these settings to address local
operational and policy concerns", so deltas are expected. Don't worry if it
seems like it's all deltas...
