Hi Ray,

Thanks for the pointer!

One of my goals for the Assimilation Project is to analyze the systems
in your data center against best practices.  The NIST document likely
contains a large collection of best practices.  Some are likely human in
nature (train your staff) and some can likely be mechanically evaluated
(expire your passwords, etc).

In the Assimilation project we collect lots of configuration data, and
can collect lots more quite easily.

The trick is to turn as many recommendations like this NIST document
(and/or the NSA ones for Linux) into audits against our CMDB data (and
to expand the CMDB data to include everything needed for those audits).

An obvious case is to ask the question "Are all the relevant vendor
security patches applied?"

When I worked for IBM, I wrote a tool that did that for AIX - and I
didn't have remotely as good an infrastructure for collecting data as we
have in the Assimilation Project.

If anyone is interested in exploring these ideas - you should join our
mailing list - and come help look for those recommendations that can be
mechanically evaluated, and we'll all go from there.
    assimproj.org - open source project web site
    assimilationsystems.com - my company - dedicated to this project
    bit.ly/AssimML - main mailing list

Guess I need to read it too ;-)



On 05/14/2014 09:49 PM, Ray Frush wrote:
> Diverging from the current thread of conversation, I saw this linked
> in my news stream, and thought it a worthy topic to share with this
> group.  To be honest, I'm still trying to read this, but a quick scan
> gave me the impression of its general applicability to System
> Administrators and the systems we manage.
>
> A quote from the paper:
>
>     Such activities are performed consistently at every stage of the
>     system life cycle, including the concept stage, development stage,
>     production stage, utilization/support stages, and
>     retirement---thus enabling delivery of trustworthy, resilient
>     systems that satisfy stakeholder requirements and enforce the
>     organizational security policies within the constraints and risk
>     tolerance defined by the stakeholders. 
>
>
> How many of you have $WORK that has the luxury of considering all the
> aspects of security that this document suggests?  My guess is that
> many publicly traded companies have widely differing concepts of "risk
> tolerance"...
>
>
> http://csrc.nist.gov/publications/PubsDrafts.html#800-160
>
>
>     "NIST requests comments on the initial public draft of Special
>     Publication (SP) 800-160, Systems Security Engineering: An
>     Integrated Approach to Building Trustworthy Resilient Systems. The
>     new security guidelines recommend steps to help develop a more
>     defensible and survivable information technology (IT)
>     infrastructure---including the component products, systems, and
>     services that compose the infrastructure. A formal announcement of
>     the publication is planned on May 13, 2014 at the College of
>     Science and Engineering, Technology Leadership Institute,
>     University of Minnesota. The public comment period runs from May
>     13 through July 11, 2014. "
>
> -- 
> Ray Frush
> Time files like an arrow...
>                                   ...but fruit flies like a banana
>
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/


-- 
    Alan Robertson <[email protected]> - @OSSAlanR

"Openness is the foundation and preservative of friendship...  Let me claim 
from you at all times your undisguised opinions." - William Wilberforce
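As an added illustration of the idea above (turning mechanically checkable recommendations such as "expire your passwords" and "are vendor patches applied?" into audits over collected configuration data), here is a small Python example. It is not Assimilation Project code; the inventory records, the required package versions and the 90-day password threshold are all constructed placeholders.

```python
"""Toy audit: evaluate CMDB-style host records against checkable rules."""
import re

# Constructed sample inventory (placeholder hosts and versions, not real CMDB data).
CMDB = {
    "web01": {"password_max_days": 365,
              "packages": {"openssl": "1.0.1e", "bash": "4.2.45"}},
    "db01": {"password_max_days": 60,
             "packages": {"openssl": "1.0.1g", "bash": "4.2.45"}},
}

# Constructed "minimum patched version" table; in practice this would come
# from vendor advisories rather than being hard-coded.
REQUIRED_VERSIONS = {"openssl": "1.0.1g", "bash": "4.2.46"}


def version_tuple(version):
    """Split '1.0.1g' into comparable parts: numeric runs as ints, letters as str."""
    return tuple(int(p) if p.isdigit() else p
                 for p in re.findall(r"\d+|[a-z]+", version))


def check_password_expiry(host, record, max_days=90):
    """Rule: password maximum age must not exceed max_days (assumed threshold)."""
    age = record["password_max_days"]
    if age > max_days:
        return [f"{host}: password max age {age}d exceeds {max_days}d"]
    return []


def check_patch_levels(host, record):
    """Rule: every tracked package that is installed must meet the required version."""
    findings = []
    for pkg, required in REQUIRED_VERSIONS.items():
        installed = record["packages"].get(pkg)
        if installed is None:
            continue  # package not present on this host; nothing to patch
        if version_tuple(installed) < version_tuple(required):
            findings.append(f"{host}: {pkg} {installed} < required {required}")
    return findings


RULES = [check_password_expiry, check_patch_levels]


def audit(cmdb, rules=RULES):
    """Return {host: [findings]} for every host that fails at least one rule."""
    report = {}
    for host, record in cmdb.items():
        findings = [f for rule in rules for f in rule(host, record)]
        if findings:
            report[host] = findings
    return report
```

Each rule is an independent function over one host record, so new recommendations from a document like SP 800-160 can be added to `RULES` without touching the collector or the report format.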
