Dave Shackleford wrote:
We are about to begin the consensus process for a FreeRADIUS security benchmark. Time commitments are minimal, all you need to do is go and sign up on the mailing list and provide some input to the group on the benchmark draft when it's released.
Looking at the "bind" analysis, 25% is legal text, saying "use this at your own risk". About 25% of the rest is definitions of DNS. The remainder is a short collection of how-to's, that describe how to turn a default insecure configuration of bind into a more secure one. The default installation of FreeRADIUS is secure. There's very little else anyone needs to do to make it secure. We are interested in reviewing the document once it's ready for release. But I do not have time to participate in the process. In addition, FreeRADIUS already contains documentation about how to configure the server. Perhaps the most telling portion of your web site is: ... The annual license fee is $3,000 per consultant, except in the case of Category 2 CIS Members (Consultants, Auditors, and MSP's) whose annual membership investment entitles them to obtain the Commercial Use License for any number of employees a no additional cost. ... If we participate in creating a FreeRADIUS document for CIS, will we share in any revenue generated from it? If so, great. If not, then there's really no reason for us to participate in a process that makes you money, and costs us money. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog