While slightly off topic, it may not be his need in and of itself that is increasing risk.
The problem could very well be, if you open this thing for this user, while legitimate, now you have other users saying "Well you opened this up for him! Why not open this up for me?". It is easier for the security team to simply deny anything that doesn't adhere to a given policy. Not saying that is the correct way to manage security risk, but it is certainly the easiest. On Thu, Feb 19, 2015 at 12:33 PM, Kevin <ktne...@astroturfgarden.com> wrote: > Is there not a specific destination server for the rsync services? What is > the stated risk of opening rsync to a specific, known destination? How is > this risk lessened by using http? > > Seems like a knee-jerk security reaction, where that team doesn't > understand how to do risk assessments. > > /end soapbox > > K > ------------------------------ > From: Alter Ego <alterego...@gmail.com> > Sent: 2/19/2015 7:11 AM > To: openvas-discuss@wald.intevation.org > Subject: [Openvas-discuss] RSYNC Alternative for scapdata-sync > > I am wondering if there is any option or solution to being able to do a > SYNC of scapdata without the use of RSYNC. I have requested of our network > team and CISO for unblocking of the RSYNC port 873 through our firewall, > even if for my OpenVAS system only and the answer has been "NO". > I thought about setting up an external machine to tunnel through in order > to retrieve the RSYNC from by sending it to my port 80 or 443 and was > quickly advised that doing so is a violation of our Network Policy > "purposeful workaround of established security procedures". > I have viewed the script for the Scapdata sync and it seems that there may > have been an option for utilization of "WGET" and/or "CURL" at one point, > bu the line is now commented with " [w] Download of SCAP data via HTTP is > currently not supported!". > > Is there no other way to "update" scapdata outside of RSYNC and if so, may > I inquire as to why no other option has been or is considered viable? > > Many thanks, > > alterego...@gmail.com > > _______________________________________________ > Openvas-discuss mailing list > Openvas-discuss@wald.intevation.org > https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website
_______________________________________________ Openvas-discuss mailing list Openvas-discuss@wald.intevation.org https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
