
October 09, 2012


Why does no one ever mention actually having your security tested? Setting up policies and running syslog and audit are great, but without a penetration test it is like an untested backup: how do you know that you've closed the right holes and are gathering enough of the right information about breaches?

Hi Ian,

Thanks for your comment. No one mentions it, I expect - because they are concerned about the results - regardless of the results. Saying we are ready or not ready are both inviting to potential attackers.

Currently most assessments I do are concerned with preparing for an audit that will show compliance. These customers are looking to documents such as PCI DSS v2 (see to identify the right holes.

Regarding auditors and compliance - too many "pass" audit and syslog if they are both enabled. The additional fact that neither of their configurations could be used effectively for forensics (after the fact) or real-time detection goes unnoticed.

In short, you pose a very valid question. My approach is to start with ensuring there are audit records of key components. Additionally, I start with a wide collection of auditable events. As time passes I filter out events that appear to have neither predictive nor forensic value. There is no "one size fits all" approach. If it were that easy I might not have a job :)
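The approach in the reply (confirm that the key events are actually being recorded, collect broadly, then prune events that show neither predictive nor forensic value) can be supported by a small triage pass over auditpr output. The script below is an added example, not code from the original post or its author. It assumes auditpr's default table layout (event, login, status, a five-token timestamp, then the command); the KEY_EVENTS set and the sample records are constructed for illustration, so adjust the set to the classes you actually enable in /etc/security/audit/config.

```python
"""Triage AIX audit records: (a) check that key events appear at all and
(b) list high-volume, never-failing events that are candidates for removal
from the classes: stanza of /etc/security/audit/config.

Added example, not from the original post.  Assumes auditpr's default
table layout: event, login, status, timestamp, command.
"""

# Assumed set of "key component" events: authentication and privilege
# changes.  Not from the original post; pick your own.
KEY_EVENTS = {"USER_Login", "USER_SU", "PASSWORD_Change"}

# Constructed sample records in auditpr's default column layout.
SAMPLE = """\
event           login    status      time                     command
--------------- -------- ----------- ------------------------ --------
FILE_Open       ian      OK          Tue Oct 09 10:00:01 2012 cat
FILE_Open       ian      OK          Tue Oct 09 10:00:01 2012 cat
FILE_Open       ian      OK          Tue Oct 09 10:00:02 2012 ls
FILE_Open       root     OK          Tue Oct 09 10:00:05 2012 vi
PROC_Execute    ian      OK          Tue Oct 09 10:00:01 2012 cat
PROC_Execute    ian      OK          Tue Oct 09 10:00:02 2012 ls
PROC_Execute    root     OK          Tue Oct 09 10:00:05 2012 vi
USER_Login      ian      OK          Tue Oct 09 09:59:50 2012 login
USER_SU         ian      FAIL        Tue Oct 09 10:00:03 2012 su
USER_SU         ian      OK          Tue Oct 09 10:00:04 2012 su
FILE_Unlink     root     OK          Tue Oct 09 10:00:06 2012 rm
FILE_Write      ian      OK          Tue Oct 09 10:00:02 2012 vi
FILE_Write      ian      FAIL        Tue Oct 09 10:00:07 2012 vi
"""


def parse_auditpr(text):
    """Yield (event, login, status, time, command) tuples from auditpr table output.

    The header and the dashed separator line are skipped; the timestamp is
    rebuilt from its five whitespace-separated tokens.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("event ") or line.startswith("---"):
            continue
        event, login, status, rest = line.split(None, 3)
        parts = rest.split(None, 5)
        when = " ".join(parts[:5])
        command = parts[5] if len(parts) > 5 else ""
        yield event, login, status, when, command


def summarize(records):
    """Per-event totals, failure counts and the set of logins that triggered it."""
    summary = {}
    for event, login, status, _when, _command in records:
        s = summary.setdefault(event, {"total": 0, "fail": 0, "logins": set()})
        s["total"] += 1
        if status != "OK":
            s["fail"] += 1
        s["logins"].add(login)
    return summary


def missing_key_events(summary, key_events=KEY_EVENTS):
    """Key events with no records at all: the class is probably not enabled."""
    return sorted(e for e in key_events if e not in summary)


def prune_candidates(summary, min_total=3, key_events=KEY_EVENTS):
    """Events that are noisy (>= min_total), never fail and are not key events.

    These are the ones to review for removal from the classes: stanza; a key
    event is never proposed no matter how noisy it is.
    """
    return sorted(
        e for e, s in summary.items()
        if e not in key_events and s["total"] >= min_total and s["fail"] == 0
    )


if __name__ == "__main__":
    summary = summarize(parse_auditpr(SAMPLE))
    for event, s in sorted(summary.items()):
        print(f"{event:16} total={s['total']:3} fail={s['fail']:3} "
              f"logins={','.join(sorted(s['logins']))}")
    print("missing key events:", missing_key_events(summary))
    print("prune candidates  :", prune_candidates(summary))
```

In practice the input comes from `auditpr < /audit/trail` (or the stream-mode file you feed to syslog), and the threshold should be set from a day's volume rather than the handful of records above; the point is that pruning decisions are made from counts and failure ratios per event, while the key events are guarded against being pruned and are checked for presence.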
