RE: Pen Test of a ESX Server

[jfvanmeter () comcast net]

 -------------- Original message ----------------------
From: "Paul Melson" <pmelson () gmail com>
> > I have a assignment to complete a pen test of a ESX server and was hoping
> to get some thoughts from everyone 
> > on how and what to test.  I need to check to see if the server is
> configured in accordance with the "Virtual 
> > Computing Security Technical Implementation Guide" Version 1, release0.1
>
> You realize the pen test and evaluating the ESX server against the VM STIG
> are 2 different things, yes?  
> > Yes I was trying to find some guide lines and that was what I found.

> Is your client able to provide you with a copy
> of that version of the STIG?  The most recent version I can find is v2R2*,
> which is more than 2 years old.  Beyond that, the STIG is pretty
> straightforward.  However, I would approach this work more as an audit than
> a pen test, otherwise you will be very much handicapped in your ability to
> verify compliance with the STIG.
>
> Anyway, if you do pen-test the server, I would suggest that you check out
> the work** the IntelGuardians guys announced at SANSFire last month.  For
> the time being, this pretty much makes it impossible for 
>
> PaulM

> > thank you Paul for the information and idea's --John
 
> * http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf
> **
> http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------