Penetration Testing mailing list archives
Auditing and requirements
From: xelerated <xelerated () gmail com>
Date: Thu, 10 Jan 2008 12:36:46 -0500
I wanted to ask here, since in my experience many pen testers have at least some audit experience. My question has to do with DISA STIGs.

Now, it is my understanding, and that of everyone that I have asked so far, that the DISA STIGs are only requirements for DoD IA systems. So, who out there would give a company a finding for not having A/V on a Unix system based on DISA STIGs when the STIGs do not apply to the company nor the systems in question? And the actual policies and requirements that DO apply to said company and systems (NIST included) do not have any hard requirements for doing this.

Also, as a side note, does it make any sense to go through a company and try to apply ALL STIGs possible, and for the ones that don't leave a system unusable, write a justification for those?

I thank you all for your input. It's an important issue to me right now and I greatly appreciate your feedback.

Thanks,
Chris