Slashdot Mirror


Internet Security Standards

Aetius writes "The Center for Internet Security has released a set of security standards and tools for several operating systems. Here's the ZDNet story. I checked out the Linux standard and it is a pretty good coverage of the basics; about the only thing missing was a simple firewall treatment. I installed it on my wide-open desktop system (RH 7.3) and scored a 6.61 out of 10, which doesn't seem too bad. The scanner code isn't open source, but it's Perl so you can at least look at it. You have to register to download it. If nothing else, the PDF of the standards is a good read. Enjoy."

3 of 135 comments

  1. It's so Microsoft by Animats · Score: 4, Informative
    Just ran the Win2K version. It's very oriented towards what Microsoft wants you to do.
    • First, it insists on "installing" an XML file from Microsoft. There's no reason it has to "install" that file for more than its own use.
    • Then, it complains about Norton AntiVirus services running. It complains about the service that the NVidia display driver uses. It doesn't like non-Microsoft services, apparently. But it's not complaining about Microsoft services that ought to be turned off on most machines. Nor does it seem to be checking for open network ports.
    • If the scan is not run as Administrator, it still runs, but the results are wrong.
  2. Don't waste your time unless you run rh or mdk by Anonymous Coward · Score: 5, Informative

    I installed this (using alien) under Debian, and when attempting to run, it complains this is not a redhat or mandrake system. The uninstall then proceeds to attempt to remove /usr/local. Very nice work.

    Despite the fact they say this is for "linux," it is not nearly that generic.

  3. Doesn't _quite_ work by dakkar · Score: 4, Informative

    I tried it on my machine, and found the results quite wrong.

    My machine started out as a RedHat 6.something, and I updated it, part with RPMs, part by hand. Lately I've upgraded to glibc 2.2.5. I run Apache (latest), Squid, and a lot of other stuff.

    Let's look at the tests:

    • "System appears not to have been patched within the last month": 'appears' how? I recompiled gcc, libc, apache, xfree86 and more two weeks ago!
    • "No Authorized Only banner for in.*": And so? It's just text!
    • "This machine isn't being used as an NFS client": False, I have all the clients in place. I just haven't any mounted NFS volume.
    • "samba windows filesharing daemons are deactivated": False, I'm sharing several things to my LAN.
    • "printing daemon is deactivated": Yes, lpd is not running. CUPS is.
    • "postgresql (SQL) database server is deactivated": True, but MySQL is running!
    • "Squid web cache daemon deactivated": False, it's up. And on the default port.
    • "All authorized-use-only warning banners are in place": But... it said earlier that it couldn't find most of those!
    • "/etc/securetty has a non tty1-12 line: 1": Of course! I'm using devfs! It's /dev/vc/1

    All in all, a good idea, but with some shortcomings. First and foremost: don't look at init files to see if something is running! Look at the ports. Look at ps.

    Oh well. I'm behind a NAT anyway....

    By the way... why is <dl> not allowed in comments?

    --
    dakkar - mobilis in mobile
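
Added example, not part of the comment above and not the CIS scanner's code: a sketch of auditing by observed listening sockets instead of init files, using the services named in that comment. The sample `/proc/net/tcp` rows, the `CLAIMED_OFF` mapping and the function names are constructed for illustration; the port numbers are the services' usual defaults.

```python
"""Added example: judge services by listening sockets, not init scripts."""

# Constructed sample in the Linux /proc/net/tcp layout (x86 byte order).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000    23        0 1201
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1203
   3: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1204
   4: 0100007F:0CEA 0100007F:8004 01 00000000:00000000 00:00000000 00000000    27        0 1205
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Hypothetical mapping from a scanner's "X is deactivated" claim to default ports.
CLAIMED_OFF = {"samba": {139, 445}, "squid": {3128}, "lpd": {515}, "postgresql": {5432}}


def listeners(proc_net_tcp):
    """Return {port: bind_address} for every socket in LISTEN state."""
    found = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # malformed row, or an established/closing connection
        addr_hex, port_hex = fields[1].split(":")
        # IPv4 address is a little-endian hex word: 0100007F -> 127.0.0.1
        addr = ".".join(str(b) for b in reversed(bytes.fromhex(addr_hex)))
        found[int(port_hex, 16)] = addr
    return found


def audit(proc_net_tcp, claimed_off=CLAIMED_OFF):
    """Return (claims contradicted by a live listener, listeners no claim covers)."""
    live = listeners(proc_net_tcp)
    contradicted = sorted(n for n, ports in claimed_off.items() if ports & set(live))
    covered = set().union(*claimed_off.values())
    unchecked = {p: a for p, a in live.items() if p not in covered}
    return contradicted, unchecked


if __name__ == "__main__":
    wrong, blind = audit(SAMPLE_PROC_NET_TCP)
    print("claimed off but listening:", wrong)
    print("listening, never checked:", blind)
```

On a live Linux host, pass in the contents of `/proc/net/tcp`; `/proc/net/tcp6` uses 128-bit addresses and needs its own decoding.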