When the security auditors come through and ask what standard I use for securing my systems, I'd like to have something to tell them.
I've had a few suggestions like USGCB, etc. But looking at them they all seem to start from the direction of "take a bloated, wide-open Microsoft/Redhat default OS and do these things to make it 'secure' so you can let several dozen users play around on it without fear." A lot of the stuff on the list doesn't apply to or would slightly reduce the overall security of the device (I think I'll keep my default umask at 077 thanks...)

I'm hoping somebody here knows of a commonly used security specification for bottom-up minimal systems so I can minimize the time I have to waste explaining that it simply doesn't have a print server, email server, cifs server, etc., (or even any way for any user to obtain shell access without first being in possession of administrator-level credentials) and that half to two-thirds of the checklist doesn't even apply.

LMP