Re: Center for Internet Security benchmark for OpenLDAP
Buchan Milne wrote, on 28-09-2007 08:33:
As usual, if you want to know "best practices", the best way to get that is
just to ask us or read the docs we've already written...
Indeed, but unfortunately our esteemed security group bases their security
standards on the CIS benchmarks (usually their changes reduce the technical
quality at the expense of formatting etc.), so I suspect at some stage I'll
be getting questions about an OpenLDAP standard (and I'll probably have to
fix it up more than I have the Linux one ...).
I've downloaded and read it too (it's *very* short). It's pernickety and
redundant to the extreme. Following it to the letter, if you already
have a host open to all sorts of nastiness, will do you no harm, but
will at the same time reduce a whole bunch of OpenLDAP functionality which my
sites enjoy. Exactly as following the widely-adopted LDAP practice of a
commonly used service of which I can't mention the name on this list will.
ICT security should never dictate *how* to implement security, rather
*what* to achieve (examples are permitted). Your "esteemed security
group" should rather be looking at a broader security spec such as ISO
17799 (BS 7799), than combing through a never-ending list of patent
HOWTOs. ISO 17799 isn't an ISO for nothing.
Email: tonni at hetnet dot nl