Security Basics mailing list archives

Re: Compliance Tool


From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 08 Apr 2011 08:54:56 -0500

kartik.netsec () gmail com writes:

Hi,

We're looking for a security compliance tool (with low total cost of ownership) to deploy in our network. We 
shortlisted QualysGuard, but due to some Govt regulations, it could not fit the requirement.

The requirement is to check for OS, database and security patches. In addition to that the tool should allow us to 
create the baseline according to our security policies such as
- Default accounts & passwords
- User/Group rights & permissions
- Password integrity
- System security configuration settings
- Registry settings
- Antivirus Updates
- File Attributes

Please help.

Thanks,
Kartik

If bang for the buck is paramount, you'll have a heck of a time
beating Tenable Nessus for $1200/scanner a year.  It can check for all
these things in credentialed scanning--the rub is that it may not
report on that data the way you like or need.  If you're willing to do
some massaging of output or some API work, you may get where you want
to go very inexpensively and accurately.

Who do you use for AV or System Management today?  If it's one of the
fuller suite players, I'd probably at least entertain a demo of their
compliance/configuration/vuln management centric products.  They won't
be as cheap by any stretch of the imagination, but they may be an ease
of management win for you leveraging existing agents that are deployed
with other existing products in your company.  For instance, a McAfee
shop might at least look at
http://www.mcafee.com/us/products/risk-and-compliance/index.aspx   

A BigFix shop would be interested in their vuln management offering,
Symantec has theirs, LANDesk has their own offering, etc.


These roundups might at least let you know who the players are, though
I'd never take an SC Magazine review (or any magic quadrant writeups)
without a very large grain of salt.

http://www.scmagazineus.com/policy-management/grouptest/215/
http://www.scmagazineus.com/risk-management/grouptest/216/
http://www.scmagazineus.com/vulnerability-assessment/grouptest/240/

Good luck! 

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
