
Re: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)



Note that most of the candidates in this cluster are present in one
form or another in most network security scanners I've examined,
although I generally moved these candidates up a level of abstraction
due to concerns about high cardinality.  This cluster alone probably
accounts for 100+ "checks" that most tool marketing literature
advertises.

Steve Northcutt identified an additional challenge with these
candidates.  What does "inappropriate" mean, and how do we define
"security-critical"?  *Who* defines these terms?  The way I use them,
a security-critical resource is one whose modification by a
non-administrator has a strong chance of resulting in Leveraged
access; thus the resource has inappropriate settings
(permissions/etc.) associated with it.

I believe that at this time, there hasn't been much discussion as to
what really constitutes a "security-critical" resource in the context
of these candidates, and it's somewhat outside of the scope of the CVE
to identify those particular resources.  I believe that these
candidates - despite the ambiguity of the terms they use - will start
to allow us to compare what each database considers to be
"security-critical," and continue the dialog from there.

With respect to audit policies, to me it makes sense to distinguish
between Windows NT auditing and Unix auditing, since I think they
are functionally different enough.  The lack of distinction between
success and failure is due to the "Different Risk" content decision,
although Steve does make a good point about excessive logging becoming
a denial of service in itself.

- Steve
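The message above defines a "security-critical" resource as one whose modification by a non-administrator is likely to yield leveraged access, and calls the resource's settings "inappropriate" when such modification is permitted. The following is an added example, not part of the original post or of any CVE tooling, that turns that definition into a check a scanner could run: it takes a constructed set of NT-style resources with their ACL entries and flags every resource on which a principal outside an assumed administrator set holds a write-class right. The administrator set, the right names and the sample paths are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumption: principals treated as administrative; modification by these
# is not considered a finding under the definition in the message.
ADMIN_PRINCIPALS = frozenset({"Administrators", "SYSTEM", "CREATOR OWNER"})

# Assumption: rights that allow a principal to change the resource or its
# security descriptor (the "modification" the definition cares about).
WRITE_RIGHTS = frozenset({
    "Write", "Modify", "FullControl", "Delete",
    "ChangePermissions", "TakeOwnership",
})


@dataclass(frozen=True)
class Ace:
    """One access-control entry: a principal and the rights it is granted."""
    principal: str
    rights: frozenset


def inappropriate_aces(acl):
    """Return the ACEs that let a non-administrator modify the resource."""
    return [
        ace for ace in acl
        if ace.principal not in ADMIN_PRINCIPALS and ace.rights & WRITE_RIGHTS
    ]


def find_inappropriate_settings(resources):
    """Map each security-critical resource name to its offending ACEs.

    Resources whose ACL only grants write-class rights to administrators
    are omitted from the result.
    """
    findings = {}
    for name, acl in resources.items():
        offending = inappropriate_aces(acl)
        if offending:
            findings[name] = offending
    return findings


# Constructed sample input: a short list of resources a scanner might treat
# as security-critical on an NT host, with illustrative ACLs. The paths and
# principals are examples only.
SAMPLE_RESOURCES = {
    # Service configuration key writable by Everyone: flagged.
    r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc": [
        Ace("Administrators", frozenset({"FullControl"})),
        Ace("Everyone", frozenset({"FullControl"})),
    ],
    # Driver directory readable by Users but writable only by admins: clean.
    r"C:\WINNT\system32\drivers": [
        Ace("Administrators", frozenset({"FullControl"})),
        Ace("SYSTEM", frozenset({"FullControl"})),
        Ace("Users", frozenset({"Read", "ReadAndExecute"})),
    ],
    # Startup script directory where Authenticated Users can modify: flagged.
    r"C:\WINNT\system32\Repl\Import\Scripts": [
        Ace("Administrators", frozenset({"FullControl"})),
        Ace("Authenticated Users", frozenset({"Modify"})),
    ],
    # Run key where Users may only change permissions (still a write right).
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": [
        Ace("Administrators", frozenset({"FullControl"})),
        Ace("Users", frozenset({"Read", "ChangePermissions"})),
    ],
}


if __name__ == "__main__":
    for resource, aces in find_inappropriate_settings(SAMPLE_RESOURCES).items():
        granted = ", ".join(f"{a.principal}:{sorted(a.rights)}" for a in aces)
        print(f"inappropriate settings on {resource}: {granted}")
```

The check is deliberately coarse: it treats any write-class right held by a non-administrator as a finding, which matches the single abstraction level the message argues for rather than one CVE candidate per resource. A real scanner would populate the resource list from its own notion of "security-critical", which is exactly the definition the post leaves open for discussion.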

Page Last Updated or Reviewed: May 22, 2007