Are You Using Deprecated Security Guidelines?

Wednesday, September 29, 2010

Jamie Adams


Some organizations are reluctant to deploy newer operating systems such as SUSE Linux Enterprise 11 or Ubuntu 10 and later because they cannot produce evidence that those systems meet their security policies.

Whether you adhere strictly to a particular set of industry standards or define your own security policies based on industry standards, you must be able to assess your server OSs on a regular basis and provide proof that they meet security requirements.

Government Security Standards

Every production server within the U.S. Department of Defense (DoD) and the Intelligence Community that is running any type of information assurance system must be locked down to meet the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).

If the STIGs do not cover SUSE Linux Enterprise 11, thousands of government servers are precluded from running it. As of December 2009, DISA's UNIX Security Technical Implementation Guide supports only SUSE Linux Enterprise 9.0, the final version of which was released in April 2005.

Extensive evaluation of SUSE Linux Enterprise 11 shows that every technical control needed to meet or exceed the guidelines above is present in the core distribution of SUSE Linux Enterprise 11 and openSUSE 11. The issue remains, however: how do you gain and maintain compliance, and how do you provide evidence to auditors and information technology (IT) security analysts?

Commercial Security Standards

The Center for Internet Security (CIS) is an independent organization that provides guidelines on how organizations can ensure the security of their business/mission critical systems. The CIS issued the last version of the SUSE Linux Enterprise Server (SLES) Benchmark assessment tool (version 2.0) in May of 2008.

The Benchmark was developed and tested for SUSE Linux Enterprise Server 10 SP1, which was released in May of 2006. Again, an organization that adheres to the CIS guidelines, or some subset of them, is effectively held to an older SLES release rather than the current one.

Running DISA's System Readiness Review (SRR) scripts, or the CIS Benchmark assessment tool, against a current SLES release produces numerous false positives (findings for controls that are in fact satisfied by a different mechanism than the script expects) as well as a long list of manual checks that must be verified by hand.

In many cases these guidelines call for deprecated or inferior security technologies simply because they are out of date: they check for TCP wrappers where iptables is the stronger control, or for the classic syslog daemon where syslog-ng is already in use.
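The false positives above come from scripts that test for a particular technology rather than for the control's intent. The following Python, added here as an example and not taken from the article, DISA's SRR scripts, the CIS tool or SUSE, scores one control (remote sshd access is restricted to an approved management network) by simulating a new SSH connection against both TCP wrappers and an iptables INPUT chain and accepting either as evidence. The network `APPROVED_NET`, the two probe addresses, the interface name `eth0`, and the sample hosts.allow, hosts.deny and iptables-save contents are all constructed assumptions for the example.

```python
"""Intent-level check that remote sshd access is limited to an approved network.
Added example, not DISA, CIS or SUSE code; every address, name and sample file is constructed."""
import ipaddress
import shlex

APPROVED_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed management LAN
INSIDE_PROBE = next(APPROVED_NET.hosts())            # first host in it: must be admitted
OUTSIDE_PROBE = ipaddress.ip_address("192.0.2.10")   # outside it: must be refused
PROBE_IFACE = "eth0"                                 # assumed ingress interface

def _wrapper_clients(text, daemon):
    """Client patterns listed for daemon (or ALL) in hosts.allow / hosts.deny."""
    clients = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        names = [d.strip() for d in daemons.split(",")]
        if daemon in names or "ALL" in names:
            clients += rest.split(":")[0].split()    # ignore any shell-command field
    return clients

def _wrapper_matches(pattern, ip):
    """ALL, CIDR, addr/netmask and '10.1.' prefix forms; other syntax matches nothing (fail closed)."""
    try:
        return pattern == "ALL" or ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.endswith(".") and str(ip).startswith(pattern)

def tcpwrappers_verdict(hosts_allow, hosts_deny, ip):
    """libwrap order: hosts.allow match grants, then hosts.deny match refuses, else grant."""
    if any(_wrapper_matches(p, ip) for p in _wrapper_clients(hosts_allow, "sshd")):
        return "ACCEPT"
    if any(_wrapper_matches(p, ip) for p in _wrapper_clients(hosts_deny, "sshd")):
        return "DROP"
    return "ACCEPT"

def _parse_rule(tokens):
    """Modelled matches from one '-A INPUT ...' line; anything else (negation, -d,
    --sport, LOG, user chains) raises so the rule goes to manual review."""
    if "!" in tokens:
        raise ValueError("negated match not modelled: " + " ".join(tokens))
    rule = dict(src=None, proto=None, dport=None, states=None, iface=None, target=None)
    for opt, arg in zip(tokens[2::2], tokens[3::2]):   # every modelled option takes one arg
        if opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt in ("--state", "--ctstate"):
            rule["states"] = arg.split(",")
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "-j":
            rule["target"] = arg
        elif opt != "-m":                               # -m only names a match extension
            raise ValueError("option %s not modelled in: %s" % (opt, " ".join(tokens)))
    if rule["target"] not in ("ACCEPT", "DROP", "REJECT"):
        raise ValueError("non-terminal or user-chain target in: " + " ".join(tokens))
    return rule

def iptables_verdict(rules, ip, proto="tcp", dport=22):
    """First-match walk of the INPUT chain (iptables-save format) for a NEW connection from ip."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        tokens = shlex.split(line.split("#", 1)[0])
        if tokens[:1] == [":INPUT"]:
            policy = tokens[1]                          # chain policy applies when nothing matches
        elif tokens[:2] == ["-A", "INPUT"]:
            r = _parse_rule(tokens)
            if ((r["src"] is None or ip in r["src"]) and r["proto"] in (None, proto)
                    and r["dport"] in (None, dport) and r["iface"] in (None, PROBE_IFACE)
                    and (r["states"] is None or "NEW" in r["states"])):
                return r["target"]
    return policy

def check_sshd_restricted(hosts_allow, hosts_deny, iptables_save):
    """A mechanism passes only if it admits the inside probe AND refuses the outside one."""
    result = {"tcp_wrappers": (
        tcpwrappers_verdict(hosts_allow, hosts_deny, INSIDE_PROBE) == "ACCEPT"
        and tcpwrappers_verdict(hosts_allow, hosts_deny, OUTSIDE_PROBE) == "DROP")}
    try:
        result["iptables"] = (
            iptables_verdict(iptables_save, INSIDE_PROBE) == "ACCEPT"
            and iptables_verdict(iptables_save, OUTSIDE_PROBE) in ("DROP", "REJECT"))
    except ValueError as exc:
        result["iptables"], result["manual_review"] = False, str(exc)
    result["compliant"] = result["tcp_wrappers"] or result["iptables"]
    return result

# Constructed sample: a SLES 11 host secured with iptables and empty wrapper
# files, the case a hosts.allow-only script reports as a failure.
SAMPLE_IPTABLES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.1.0.0/16 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""
# Constructed sample: the same control met with TCP wrappers alone.
SAMPLE_HOSTS_ALLOW = "sshd: 10.1.0.0/255.255.0.0\n"
SAMPLE_HOSTS_DENY = "ALL: ALL\n"
```

`check_sshd_restricted("", "", SAMPLE_IPTABLES)` reports the control as met through iptables even though both wrapper files are empty, and `check_sshd_restricted(SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY, "")` reports it met through TCP wrappers alone. Two caveats a reviewer should keep in mind: the wrapper verdict only counts on a host where sshd is actually linked against libwrap, and the rule parser deliberately refuses any iptables match it does not model (negation, `-d`, `--sport`, LOG, user-defined chains) and reports it for manual review rather than guessing, which is the conservative failure mode an auditor wants.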

The Consensus Audit Guidelines

Even though the DISA UNIX STIGs and the CIS SLES Benchmark do not address SUSE 11, organizations can follow the "spirit" of these guidelines and validate the effectiveness of their configuration against the Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG).

Promoted by the SysAdmin, Audit, Network, Security (SANS) Institute, these Top 20 Controls were agreed upon by the National Security Agency (NSA), US-CERT, DoD Joint Task Force-Global Network Operations (JTF-GNO), the Department of Energy Nuclear Laboratories, the Department of State, the DoD Cyber Crime Center, and the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities. The full whitepaper is available for download.

Jamie Adams: I wanted to add that this article, to some degree, echoes the sentiments of Rob Reck's great "Compliance Leads to Security Breaches" post (

I get so frustrated trying to demonstrate compliance with useless or outdated guidelines. In the referenced whitepaper, I discuss superior technology in most operating systems which these old guidelines don't even recognize.