Re: Protocol benchmarking / auditing inquiry

From Ken Hornstein <kenh@cmf.nrl.navy.mil>
Newsgroups comp.protocols.kerberos
Subject Re: Protocol benchmarking / auditing inquiry
Date 2024-02-14 17:10 -0500
Organization TNet Consulting
Message-ID <mailman.22.1707948635.2322.kerberos@mit.edu>
References <YT1PR01MB4187CA8C93DE6AC8560FB1BCFA4E2@YT1PR01MB4187.CANPRD01.PROD.OUTLOOK.COM> <YT1PR01MB418752C508C40187D7D88BC8FA4E2@YT1PR01MB4187.CANPRD01.PROD.OUTLOOK.COM> <ba168ba8-161d-47c1-82e2-edf4cba957c7@acm.org> <YT1PR01MB418788B7045DF1E5B375143FFA4E2@YT1PR01MB4187.CANPRD01.PROD.OUTLOOK.COM> <202402142210.41EMAOpv030765@hedwig.cmf.nrl.navy.mil>


>Minor comment the CIS Benchmark appears to have been written from the
>system administrator's frame of reference - not the network frame of
>reference (FoR).  Typically, each frame of reference (FoR) needs to be
>audited.  Hence the need for automation.

I can only say this:

- I've been doing Kerberos for a few decades (but I'm certainly not the
  person with the most Kerberos experience on this list).
- I've done a ton of security accreditation work at my $DAYJOB, which
  also involves Kerberos.  As part of the accreditation work we (and
  others) do automated scanning that includes the Kerberos servers
  and this seems to satisfy the powers that be.  Some of the scanning
  seems to detect Kerberos but I am unclear how much it actually checks
  for other than "Kerberos is found".
- I've used the aforementioned CIS Benchmark.
- I really have no clue what you mean by "frame of reference" in this
  context, and this corresponds to no security accreditation or auditing
  requirements I have ever encountered so I cannot provide any
  suggestions; I'm really unclear what you are asking for.

--Ken
