[39349] in Kerberos
Re: Protocol benchmarking / auditing inquiry
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Wed Feb 14 17:11:07 2024
Message-Id: <202402142210.41EMAOpv030765@hedwig.cmf.nrl.navy.mil>
To: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <YT1PR01MB418788B7045DF1E5B375143FFA4E2@YT1PR01MB4187.CANPRD01.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Date: Wed, 14 Feb 2024 17:10:24 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>Minor comment: the CIS Benchmark appears to have been written from the
>system administrator's frame of reference - not the network frame of
>reference (FoR). Typically, each frame of reference (FoR) needs to be
>audited. Hence the need for automation.
I can only say this:
- I've been doing Kerberos for a few decades (but I'm certainly not the
person with the most Kerberos experience on this list).
- I've done a ton of security accreditation work at my $DAYJOB, which
also involves Kerberos. As part of the accreditation work we (and
others) do automated scanning that includes the Kerberos servers
and this seems to satisfy the powers that be. Some of the scanning
seems to detect Kerberos but I am unclear how much it actually checks
for other than "Kerberos is found".
- I've used the aforementioned CIS Benchmark.
- I really have no clue what you mean by "frame of reference" in this
context, and this corresponds to no security accreditation or auditing
requirements I have ever encountered so I cannot provide any
suggestions; I'm really unclear what you are asking for.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos