On Thu, Jun 09, 2005 at 08:57:51AM +0100, [EMAIL PROTECTED] wrote:
|
| From: "Perry E. Metzger" <[EMAIL PROTECTED]>
|
| > It is worse than that. At least one large accounting company sends new
| > recruits to a "boot camp" where they learn how to conduct "security
| > audits" by rote. They then send these brand new 23 year old "security
| > auditors" out to conduct security "audits", with minimal supervision
| > from a partner or two. The audits are inevitably of the lowest
| > possible quality -- they run automated security scanners no better
|
| The worst security audit point I have ever seen came from KPMG and
| said that logging on as a particular non-root unix account got root
| access, based on the "WARNING! YOU ARE SUPERUSER" message seen at login.
| What they'd never done was check something like "sum /etc/shadow" to
| see whether it was permitted or denied, nor run "id" or similar checks.
| So when this user's home directory is absent and he ends up using
| / and /.profile (where the warning was in an echo statement) he gets
| this message on the screen. So where they should be writing
| "misleading warning in some circumstances" they write "root access
| immediately available for common users".
|
| I'm planning to teach a class of 5 existing internal auditors
| next month on some security s/w and I am going to include:
| - focussing on the more important stuff
|   (a long-running problem where I work)
| - you must prove it before you can report it
| - you must be able to state what is wrong with the observed state;
|   usually expressed as the policy point(s) violated
|   (just appearing in scanner output is not enough)
| - you should have some idea of one reasonable way to fix it
"oh, no, that's a reasonable treatment of those revenues. You have to prove it's not before you can report on it."

So, while I am sympathetic to what you are saying, the job of audit is to audit. If the system says "You're root," fine, note it and move on. If as an auditor, I need to "prove" each problem I find, then I'm going depth-first, not breadth-first, and will miss important stuff.

I suggest a better fix is to have an interim audit report, which, with the participation of senior technical people on both sides, becomes a final audit report. In that process, you could probably win the /.profile argument. However, auditors MUST be allowed to point out whatever the hell they want.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
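The "prove it before you report it" checks from the quoted message (run `id`, test access to `/etc/shadow`, and look for the missing-home-directory fallback to `/.profile`) as an added shell example; this is not code from either poster, and the function names and the finding wording are assumptions chosen to mirror the thread:

```shell
#!/bin/sh
# Added example: confirm a privilege claim with evidence instead of
# trusting a login banner. Function names here are assumptions.

# Returns "root" only if the effective uid really is 0 (the "id" check).
effective_privilege() {
    if [ "$(id -u)" -eq 0 ]; then echo root; else echo unprivileged; fi
}

# Can this account read the shadow file? (the "sum /etc/shadow" check)
shadow_readable() {
    if [ -r /etc/shadow ]; then echo yes; else echo no; fi
}

# Why an ordinary user might see a "SUPERUSER" banner at all: when $HOME
# is missing the login shell falls back to / and sources /.profile.
home_fallback_risk() {
    if [ ! -d "$HOME" ] && [ -f /.profile ]; then echo yes; else echo no; fi
}

# Turn a banner sighting into the finding the thread says should be
# written: only real, demonstrated privilege justifies the strong claim.
classify_finding() {
    banner="$1"   # text observed at login, supplied by the caller
    case "$banner" in
        *SUPERUSER*)
            if [ "$(effective_privilege)" = root ] && [ "$(shadow_readable)" = yes ]; then
                echo "root access immediately available for common users"
            else
                echo "misleading warning in some circumstances"
            fi ;;
        *)
            echo "no privilege claim in banner" ;;
    esac
}

# Usage: run as the audited account after logging in.
classify_finding "WARNING! YOU ARE SUPERUSER"
echo "home fallback risk: $(home_fallback_risk)"
```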