Center for Internet Security - Call for Participation for FreeRADIUS Benchmark
***Thanks to moderators for allowing this post - it's for a good cause!*** Hi folks, I'd like to introduce myself. My name is Dave Shackleford, and I represent the Center for Internet Security. Some of you may know of us, and some of you may not. CIS is a non-profit that coordinates teams of volunteers who collaborate to create benchmark guides for securing systems. Many of you may have used some of the CIS tools to score your systems against the benchmarks at one time or another, and thousands of people download the benchmarks and scoring tools every month. We are actively seeking IT and security professionals to participate in the benchmark development process. We are also looking for anyone experienced in Java and/or XML programming to assist with our newest scoring tool development (contact me off-list). We are about to begin the consensus process for a FreeRADIUS security benchmark. Time commitments are minimal, all you need to do is go and sign up on the mailing list and provide some input to the group on the benchmark draft when it's released. We always have a team leader who puts together the initial draft, pulling from a variety of sources; this is then sent to the mailing list for review and comment. After a consensus is reached, we publish it. We also list participants' names on our "Honor Roll" page at http://www.cisecurity.org/honor_roll.html. Our benchmarks are gaining a lot of attention right now. We are mentioned specifically in the PCI DSS (section 2.2), we are working with NIST to develop tools and content, and a lot more. If you would like to participate, please visit the site and sign up. We won't send you any unsolicited email, just the list postings for benchmark development. Also, please feel free to sign up for anything not mentioned below, we will be working on all of the benchmarks over the course of the next year or so. There are also lots of opportunities to earn CPE credits for participation. If you have any questions, please reply to me off-list (dshackleford at cisecurity dot org). Thanks for your help! -Dave 1. FreeRADIUS Benchmark (OpenLDAP will also be discussed here) MAILING LIST: http://lists.cisecurity.org/mailman/listinfo/access-controls Also the Virtualization Benchmark (may interest some) MAILING LIST: http://lists.cisecurity.org/mailman/listinfo/vm-security-benchmark Note: This list will benefit from varied backgrounds and skill sets.
Dave Shackleford wrote:
We are about to begin the consensus process for a FreeRADIUS security benchmark. Time commitments are minimal, all you need to do is go and sign up on the mailing list and provide some input to the group on the benchmark draft when it's released.
Looking at the "bind" analysis, 25% is legal text, saying "use this at your own risk". About 25% of the rest is definitions of DNS. The remainder is a short collection of how-to's, that describe how to turn a default insecure configuration of bind into a more secure one. The default installation of FreeRADIUS is secure. There's very little else anyone needs to do to make it secure. We are interested in reviewing the document once it's ready for release. But I do not have time to participate in the process. In addition, FreeRADIUS already contains documentation about how to configure the server. Perhaps the most telling portion of your web site is: ... The annual license fee is $3,000 per consultant, except in the case of Category 2 CIS Members (Consultants, Auditors, and MSP's) whose annual membership investment entitles them to obtain the Commercial Use License for any number of employees a no additional cost. ... If we participate in creating a FreeRADIUS document for CIS, will we share in any revenue generated from it? If so, great. If not, then there's really no reason for us to participate in a process that makes you money, and costs us money. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Dave Shackleford