Penetration Testing mailing list archives

Auditing and requirements
From: xelerated <xelerated () gmail com>
Date: Thu, 10 Jan 2008 12:36:46 -0500

I wanted to ask here, since in my experience many pen testers have at least some audit

My question has to do with DISA STIGs. Now, it is my understanding, and that of everyone that I have asked so far, that the DISA STIGs are only requirements for DoD IA systems.

So, who out there would give a company a finding for not having A/V on a Unix system based on DISA STIGs when the STIGs do not apply to the company nor the systems in question? And the actual policies and requirements that DO apply to said company and systems (NIST included) do not have any hard requirements for doing this.

Also, as a side note, does it make any sense to go through a company and try to apply ALL STIGs possible, and the ones that don't leave a system unusable, then write a justification for those?

I thank you all for your input. It's an important issue to me right now and I greatly appreciate your feedback.
