• Onno (VK6FLAB)@lemmy.radio
    link
    fedilink
    arrow-up
    17
    ·
    15 hours ago

    Compliant with what?

    “Security compliant” is a completely meaningless phrase, right up there with “locked door” or “secret code”.

    • fartsparkles@lemmy.world
      link
      fedilink
      arrow-up
      14
      ·
      15 hours ago

      Whoever downvoted you probably doesn’t understand what you’re saying. This package doesn’t stipulate as to what regulations, frameworks, standards etc it is checking compliance against.

      If it doesn’t say what it’s checking it’s compliant against, how can it determine if you’re compliant to it or not?

      ISO 27001? SOC2? CIS Benchmarks? HIPAA? GDPR? NIST CSF? 800-53? PCI DSS? Cyber Essentials? Vendor guidance?

      This seems, at best, some general security checks but not mapped to any framework in particular.

      The Linux Security Audit Project is far more mature in this regard and maps checks to specific frameworks.

      • Onno (VK6FLAB)@lemmy.radio
        link
        fedilink
        arrow-up
        4
        ·
        14 hours ago

        Yeah … voting around here is interesting from time to time.

        On a positive note, I hadn’t heard of the Linux Security Audit Project, looks interesting, thank you.

        I only briefly skimmed through the readme so I might have missed it, but I wonder how they’re able to claim compliance with specific standards.

        It was my understanding that it’s typically a drawn out expensive process with a certificate to hang on the wall after the fact.

        • fartsparkles@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          14 hours ago

          They make it clear it’s an assessment aid rather than a replacement for professional audits.

          Ultimately, you need to be accredited by a third party to whatever standard you’re targeting. Linux Security Audit Project just gives you some checks to help review your current posture and start tackling things ahead of the audit.

      • melezhik@programming.devOP
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        14 hours ago

        This seems, at best, some general security checks but not mapped to any framework in particular.

        So. Yes. Ssh access should be passwords only, etc. Some common sense. We don’t need standard to that

        UPDATE: sorry for the typo, meant passwordless