Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Security Standards

Posted by michael on from the sorely-needed dept.

Aetius writes "The Center for Internet Security has released a set of security standards and tools for several operating systems. Here's the ZDNet story. I checked out the Linux standard and it is a pretty good coverage of the basics; about the only thing missing was a simple firewall treatment. I installed it on my wide-open desktop system (RH 7.3) and scored a 6.61 out of 10, which doesn't seem too bad. The scanner code isn't open source, but it's perl so you can at least look at it. You have to register to download it. If nothing else, the PDF of the standards is a good read. Enjoy."

8 of 135 comments (clear)

  1. Open Source vs Free Software by Captain+Pedantic · · Score: 3, Informative
    The scanner code isn't open source, but it's perl so you can at least look at it
    It is a shame that even here on Slashdot people don't understand the differences between Open Source and Free Software

    If it is perl it is Open Source. But, just because it is Open Source, it isn't necessarily Free.

    So please don't say Open Source when you mean Free Software.

    --

    None are more hopelessly enslaved than those who falsely believe they are free. Johann Wolfgang von Goethe.
  2. It's so Microsoft by Animats · · Score: 4, Informative
    Just ran the Win2K version. It's very oriented towards what Microsoft wants you to do.
    • First, it insists on "installing" an XML file from Microsoft. There's no reason it has to "install" that file for more than its own use.
    • Then, it complains about Norton AntiVirus services running. It complains about the service that the NVidia display driver uses. It doesn't like non-Microsoft services, apparently. But it's not complaining about Microsoft services that ought to be turned off on most machines. Nor does it seem to be checking for open network ports.
    • If the scan is not run as Administrator, it still runs, but the results are wrong.
  3. Don't waste your time unless you run rh or mdk by Anonymous Coward · · Score: 5, Informative

    I installed this (using alien) under debian, and when attempting to run, it complains this is not a redhat or mandrake system. The uninstall then proceeds to attempt to remove /usr/local. Very nice work.

    Despite the fact they say this is for "linux," it is not nearly that generic.

  4. Doesn't _quite_ work by dakkar · · Score: 4, Informative

    I tried it on my machine, and found the results quite wrong.

    My machine started out as a RedHat 6.something, and I updated it, part with RPMs, part by hand. Lately I've upgraded to glibc 2.2.5. I run Apache (latest), Squid, and a lot of other stuff.

    Let's look at the tests:

    • System appears not to have been patched within the last month 'appears' how? I recompiled gcc, libc, apache, xfree86 and more two weeks ago!
    • No Authorized Only banner for in.* And so? It's just text!
    • This machine isn't being used as an NFS client False, I have all the clients in place. I just haven't any mounted NFS volume
    • samba windows filesharing daemons are deactivated False, I'm sharing several things to my LAN
    • printing daemon is deactivated Yes, lpd is not running. CUPS is.
    • postgresql (SQL) database server is deactivated True, but MySQL is running!
    • Squid web cache daemon deactivated False, it's up. And on the default port.
    • All authorized-use-only warning banners are in place But... it said earlier that it couldn't find most of those!
    • /etc/securetty has a non tty1-12 line: 1 Of course! I'm using devfs! It's /dev/vc/1

    All in all, a good idea, but with some shortcomings. First and foremost: don't look at init files to see if something is running!. Look at the ports. Look at ps.

    Oh well. I'm behind a NAT anyway....

    By the way... why is <dl> not allowed in comments?

    --
    dakkar - mobilis in mobile
  5. Good for the Very Basics by Inexile2002 · · Score: 3, Informative

    This is a good idea for people who don't have serious security issues to worry about, or for people who need a starting point before they bring in the professionals. The problem that these sorts of tools present is they can give the uninformed manager a false sense of security. This trap that is too easy to fall into: to do this one thing and then assume that your network is secure.

    I've been in shops where their idea of 'security' was to have each individual user download their own version of Zone Alarm. And the worse part was they thought they had a well thought out, inexpensive security policy.

    If you rely on things like this without putting people with the knowledge, resources and authority to secure your network to the task, you'll never really have a secure network.

    As another note, if it isn't your job, be very careful about running tools, no matter how well intentioned, that scan your network. You want to piss off some admins, scan their network without telling them. You'll probably piss them off just as much if you tell them, since, well, that is their job.

  6. Re:Tech?Update by cos(0) · · Score: 2, Informative

    ECN is a standard -- RFC 3168.
    It is not marked experimental in the kernel!

    Here's what the help says:

    CONFIG_INET_ECN:

    Explicit Congestion Notification (ECN) allows routers to notify
    clients about network congestion, resulting in fewer dropped packets
    and increased network performance. This option adds ECN support to
    the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn)
    which allows ECN support to be disabled at runtime.

    Note that, on the Internet, there are many broken firewalls which
    refuse connections from ECN-enabled machines, and it may be a while
    before these firewalls are fixed. Until then, to access a site
    behind such a firewall (some of which are major sites, at the time
    of this writing) you will have to disable this option, either by
    saying N now or by using the sysctl.

  7. No it's not by sheldon · · Score: 3, Informative

    I think you ran the tool without first reading the documentation, or understanding what it is that it does.

    You first point concerns hfnetchk, and the prompt you receive is to validate the signature on the file to insure it hasn't been spoofed. I don't understand why you would complain about this.

    The second point is inaccurate, I had it complain about numerous Microsoft services on my system such as MSSQL, TermServices, BITS, Automatic-Update, ASP.NET and so on. It doesn't seem to be really complaining about anything, it's just listing everything that it didn't expect to see there. I don't see the point of htis.

    The third point is understandable because it requires access to secured areas of the system. If it doesn't warn you then that's an issue.

    If you check the members list of CIS you'll see a variety of names, government agencies, companies and such... But you won't find Microsoft's name there.

    I haven't looked at this terribly closely but it seems like a good start. I do see a number of pretty glaring errors in their document, I'm going to send them a note asking about them.

  8. A few clarifications,from one of the culprits by valdis · · Score: 3, Informative

    I'm one of the culprits for both the Linux, Solaris, and related benchmarks. It seems that a lot of posters are managing to miss the messages.

    1) There is *NO* expectation that a usable system will score a 10.0. I fully expect that having a usable system score over a 9.0 will require some work. The laptop I'm writing this on finally scored an 8.8 after much tweaking. However, I *KNOW* what 11 or 12 things didn't pass, and I know to keep an eye on them. As I said to one of the other people - "I tighten it down any more, my score will go up but I'll break something I need on a daily basis". *THAT* is the score we want everybody's machine to get.

    2) A number of people have complained it checked /etc/ftpusers even if ftpd wasn't enabled. Belts AND suspenders guys - if someday you install a patch or whatever that DOES enable ftpd accidentally, you won't be a sitting duck.

    3) Yes, we know there weren't any really stringent firewall tests. This was a point of MUCH contention during development - we had to balance the security aspect of every item against the likelyhood that it would Severely Screw Up somebody's machine if implemented. Note that even RedHat recognized that there's no "One Size Fits All" for firewalls, and provides 3 basic levels of paranoia.

    4) There's a LOT of stuff (like firewalls) that are good security measures that are *NOT* appropriate for "almost every machine". These will hopefully be visited in a "Level 2" benchmark in the near future.

    5) Yes, there's rough edges - if you find something annoying, *please* send a comment to the appropriate e-mail address.

    Remember - these are *consensus* benchmarks. We *do* listen to user feedback. And no, you don't have to be a CIS member to send feedback.