Buchan Milne wrote, on 28-09-2007 08:33:
[...]
As usual, if you want to know "best practices", the best way to get that is just to ask us or read the docs we've already written...
Indeed, but unfortunately our esteemed security group bases their security standards on the CIS benchmarks (usually their changes reduce the technical quality at the expense of formatting etc.), so I suspect at some stage I'll be getting questions about an OpenLDAP standard (and I'll probably have to fix it up more than I have the Linux one ...).
I've downloaded and read it too (it's *very* short). It's pernickety and redundant to the extreme. Following it to the letter, if you already have a host open to all sorts of nastiness, will do you no harm, but will at the same time reduce a whole bunch of OpenLDAP functionality which my sites enjoy. Exactly as following the widely-adopted LDAP practice of a commonly used service of which I can't mention the name on this list will.
ICT security should never dictate *how* to implement security, rather *what* to achieve (examples are permitted). Your "esteemed security group" should rather be looking at a broader security spec such as ISO 17799 (BS 7799), than combing through a never-ending list of patent HOWTOs. ISO 17799 isn't an ISO for nothing.
Best,
--Tonni