I have found it very difficult to understand how some scanning vendors
might claim to provide these types of compliances. While scanning and
remediation are VERY important in achieving the pieces of compliance
that pertain to vulnerability management, it is impossible to rely on a
scanning tool completely and feel that one is in compliance. In my
opinion there are a lot of scanning vendors out there that may
bring that false sense of compliance to people.

A few examples of things that would be part of compliance but may not
necessarily be the responsibility of a vulnerability assessment tool:

- Log retention (how long are you keeping your log files; prove that you have 6 months' worth somewhere)
- Minimal log file sizes (different audits may have different requirements)
- Password complexity settings (different compliance organizations may have different requirements for those settings)
- Password temporary or permanent lockout conditions (different compliance organizations may have different requirements here as well, 15 min, 30 min)

I am really not sure how much a person should rely on a vulnerability
assessment tool for such things, although Nessus is quite capable of
adding "best practices". These lists usually go on and on, and to date
the best tool I have seen to validate them would be the CIS benchmark
tests (www.cisecurity.org). In the opposite argument, I wouldn't expect
their tools to provide vulnerability management.

Danny

Jason Ledford wrote:
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
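The controls Danny lists above (log retention, password settings, lockout duration) are configuration-audit checks rather than vulnerability findings, which is the point of the message. The following is an added example, not code from the original post, Nessus or the CIS benchmarks: a small CIS-style checker that reads constructed sample snippets in the format of /etc/login.defs, pam_faillock.conf and a logrotate stanza, and scores them against one hypothetical policy. The sample snippets, the policy thresholds and all function names are assumptions made for the illustration; the point it shows is that one host can satisfy some controls and fail others under a given audit's thresholds.

```python
"""
Constructed mini benchmark checker for the kinds of controls a vulnerability
scanner does not prove: log retention, password policy and account lockout.
All config snippets and policy values below are constructed sample input,
not taken from any real host or any real benchmark.
"""
import re

# Constructed sample in /etc/login.defs style (password ageing and length).
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
"""

# Constructed sample in pam_faillock.conf style (lockout threshold/duration).
SAMPLE_FAILLOCK = """\
# fail 5 times, locked for 10 minutes
deny = 5
unlock_time = 600
"""

# Constructed sample logrotate stanza: weekly rotation, 12 copies kept.
SAMPLE_LOGROTATE = """\
/var/log/auth.log {
    weekly
    rotate 12
    compress
}
"""

# Hypothetical audit policy: 90-day max password age, 8-char minimum,
# lockout after at most 6 failures for at least 15 minutes, 6 months of logs.
POLICY = {
    "max_pass_days": 90,
    "min_pass_len": 8,
    "max_failed_attempts": 6,
    "min_unlock_seconds": 900,
    "min_log_days": 180,
}

ROTATION_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}


def parse_kv(text):
    """Parse 'KEY value' or 'key = value' lines into a dict, skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def retention_days(logrotate_text):
    """Estimate days of logs kept by a logrotate stanza: period * rotate count."""
    period = rotate = None
    for line in logrotate_text.splitlines():
        tok = line.strip().split()
        if not tok:
            continue
        if tok[0] in ROTATION_DAYS:
            period = ROTATION_DAYS[tok[0]]
        elif tok[0] == "rotate" and len(tok) == 2 and tok[1].isdigit():
            rotate = int(tok[1])
    if period is None or rotate is None:
        return None  # cannot prove retention from this stanza alone
    return period * rotate


def check_controls(login_defs, faillock, logrotate, policy):
    """Return {control: (passed, observed_value)} for each audited control."""
    ld = parse_kv(login_defs)
    fl = parse_kv(faillock)
    results = {}
    max_days = int(ld.get("PASS_MAX_DAYS", 99999))   # absent means never expires
    results["password_max_age"] = (max_days <= policy["max_pass_days"], max_days)
    min_len = int(ld.get("PASS_MIN_LEN", 0))
    results["password_min_length"] = (min_len >= policy["min_pass_len"], min_len)
    deny = int(fl.get("deny", 0))                    # 0 means no lockout configured
    results["lockout_threshold"] = (0 < deny <= policy["max_failed_attempts"], deny)
    unlock = int(fl.get("unlock_time", 0))
    results["lockout_duration"] = (unlock >= policy["min_unlock_seconds"], unlock)
    kept = retention_days(logrotate)
    results["log_retention"] = (kept is not None and kept >= policy["min_log_days"], kept)
    return results


def failing(results):
    """Sorted names of the controls that did not pass."""
    return sorted(name for name, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    res = check_controls(SAMPLE_LOGIN_DEFS, SAMPLE_FAILLOCK, SAMPLE_LOGROTATE, POLICY)
    for name, (ok, seen) in res.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name:22} observed={seen}")
```

Against this policy the sample host passes the password and lockout-threshold checks but fails lockout duration (10 minutes, not 15) and log retention (12 weekly rotations is 84 days, not 180). Change the policy thresholds and the same host passes or fails differently, which is why the audit's own numbers, not the scanner's, decide compliance.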
