On Fri, Apr 16, 2004 at 06:19:02PM -0500, Bob Nestor wrote:
> On Apr 16, 2004, at 2:03 PM, Thor Lancelot Simon wrote:
> 
> >FWIW, I just quickly read over the chapter, in particular section 6.
> >It seems to me that nothing is required that can't be easily done with
> >standard Unix facilities and some simple written policy for 
> >administrators.
> 
> I really appreciate all the suggestions, tips and pointers people have 
> been sending and posting.  The problem isn't so much of finding ways of 
> complying with the requirements but of finding or defining a way that's 
> acceptable to Security.  Most Security people who are responsible for 
> enforcing and auditing systems for compliance aren't really computer 
> knowledgeable and they're basically unwilling to push back on 
> requirements they've been told to work with.  As a result they tend to 
> shy away from breaking any new ground on how to do something and will 
> only accept or approve Procedures for local use that have been approved 
> elsewhere.

Okay, so, I think there's some fundamental disconnect here.

The requirements are essentially *operational*.  They don't say *anything*
about what operating system to run; just how you're required to configure
it, and what sort of procedures you must follow when making certain changes.

I fail completely to understand how, exactly, whether you use NetBSD,
Solaris, Windows, or VMS has much bearing on how you must plan to meet
these requirements; they have a lot to do with how a particular system
is configured (which has a lot to do with who's using and administering
it, and for what purpose) and almost *nothing* to do with what operating
system it runs, because essentially *all* modern operating systems
provide the tools needed to do things the way the chapter requires.

At least that's how I see it.  If a security officer is interpreting
the chapter I just read as something that can be satisfied by using a
particular operating system, that security officer is wildly perverting
both the letter and the spirit of the rules.  I guess I would not be
all too surprised to see that happen; I'd be a little surprised if it
were the norm.

However, for what it's worth, many of the things you need to do to meet
the requirements in that document will be the same on almost *any* Unix
system.  Why don't you get feedback from others in your organization who
are using Unix or Linux, and simply point out that NetBSD is just another
color of the same breed of cat?  If you get too much pushback on that,
you can just point out that blue cats, red cats, grey cats, and white
cats clearly _are_ all cats, because their plans are essentially the
same; so it's reasonable to let you keep your yellow cat too.

Thor