Re: Center for Internet Security benchmark for OpenLDAP

[Tony Earnshaw <tonni@hetnet.nl>]

Buchan Milne skrev, on 28-09-2007 08:33:

[...]

> > As usual, if you want to know "best practices", the best way to get that is
> > just to ask us or read the docs we've already written...
>
> Indeed, but unfortunately our esteemed security group bases their security 
> standards on the CIS benchmarks (usually their changes reduce the technical 
> quality at the expense of formatting etc.), so I suspect at some stage I'll 
> be getting questions about an OpenLDAP standard (and I'll probably have to 
> fix it up more than I have the Linux one ...).

I've downloaded and read it too (it's *very* short). It's pernickety and 
redundant to the extreme. Following it to the letter, if you already 
have an host open to all sorts of nastiness, will do you no harm, but 
will at the same reduce a whole bunch of OpenLDAP functionality which my 
sites enjoy. Exactly as following the widely-adopted LDAP practice of a 
commonly used service of which I can't mention the name on this list will.

ICT security should never dictate *how* to implement security, rather 
*what* to achieve (examples are permitted). Your "esteemed security 
group" should rather be looking at a broader security spec such as ISO 
17799 (BS 7799), than combing through a never-ending list of patent 
HOWTOs. ISO 17799 isn't an ISO for nothing.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl