Re: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)
Note that most of the candidates in this cluster are present in one
form or another in most network security scanners I've examined,
although I generally moved these candidates up a level of abstraction
due to concerns about high cardinality. This cluster alone probably
accounts for 100+ "checks" that most tool marketing literature
advertises.
Steve Northcutt identified an additional challenge with these
candidates. What does "inappropriate" mean, and how do we define
"security-critical"? *Who* defines these terms? The way I use them,
a security-critical resource is one whose modification by a
non-administrator has a strong chance of resulting in Leveraged
access; thus the resource has inappropriate settings
(permissions/etc.) associated with it.
I believe that at this time, there hasn't been much discussion as to
what really constitutes a "security-critical" resource in the context
of these candidates, and it's somewhat outside of the scope of the CVE
to identify those particular resources. I believe that these
candidates - despite the ambiguity of the terms they use - will start
to allow us to compare what each database considers to be
"security-critical," and continue the dialog from there.
With respect to audit policies, to me it makes sense to distinguish
between Windows NT auditing and Unix auditing, since I think they
are functionally different enough. The lack of distinction between
success and failure is due to the "Different Risk" content decision,
although Steve does make a good point about excessive logging becoming
a denial of service in itself.
- Steve