Re: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)
Note that most of the candidates in this cluster are present in one form or another in most network security scanners I've examined, although I generally moved these candidates up a level of abstraction due to concerns about high cardinality. This cluster alone probably accounts for 100+ "checks" that most tool marketing literature advertises.

Steve Northcutt identified an additional challenge with these candidates. What does "inappropriate" mean, and how do we define "security-critical"? *Who* defines these terms?

The way I use them, a security-critical resource is one whose modification by a non-administrator has a strong chance of resulting in Leveraged access; thus the resource has inappropriate settings (permissions/etc.) associated with it.

I believe that at this time, there hasn't been much discussion as to what really constitutes a "security-critical" resource in the context of these candidates, and it's somewhat outside of the scope of the CVE to identify those particular resources. I believe that these candidates - despite the ambiguity of the terms they use - will start to allow us to compare what each database considers to be "security-critical," and continue the dialog from there.

With respect to audit policies, to me it makes sense to distinguish between Windows NT auditing versus Unix auditing, since I think they are functionally different enough. The lack of distinction between success and failure is due to the "Different Risk" content decision, although Steve does make a good point about excessive logging becoming a denial of service in itself.

- Steve