
October 09, 2012


How to FAIL a Security Audit


Why does no one ever mention actually having your security tested? Setting up policies and running syslog and audit are great, but without a penetration test it is like an untested backup; how do you know that you've closed the right holes and are gathering enough of the right information about breaches?

Hi Ian,

Thanks for your comment. No one mentions it, I expect - because they are concerned about the results - regardless of the results. Saying we are ready or not ready are both inviting to potential attackers.

Currently most assessments I do are concerned with preparing for an audit that will show compliance. These customers are looking to documents such as PCI DSS v2 (see to identify the right holes.

Regarding auditors and compliance - too many "pass" audit and syslog if they are both enabled. The additional fact that neither of their configurations could be used effectively for forensics (after the fact) or real-time detection goes unnoticed.

In short, you pose a very valid question. My approach is to start with ensuring there are audit records of key components. Additionally, I start with a wide collection of auditable events. As time passes I filter out events that appear to have neither predictive nor forensic value. There is no "one size fits all" approach. If it were that easy I might not have a job :)
