> I understand what you say and I appreciate you taking the time to write. Hiding files or pretending others can't see them doesn't make us more secure.
>
> I guess the real issue is that sometimes people use check lists. Items such as this are on those lists. Technical people are asked to make changes to systems that satisfy the check lists. It's unfortunate, but the actuality of day to day IT sometimes comes down to this. I realize that security outcomes are what is important, not check lists... but we still have to deal with these things as politely and professionally as possible and for me, that is a simple config change. I appreciate all the feedback.
And this is where you are making the mistake. When you are presented with bullshit on an audit YOU NEED TO CALL IT BULLSHIT - seriously. The fact that these sorts of things are audit points is only because some idiot with shitty linux machines got called on it and found out changing that setting was the easiest way to shut up the auditors. Now it's in the little book of BS - when things from automated scanners do not make sense it is YOUR duty as a professional to tell the auditors that it is not relevant and does not apply in your environment. The problem is IT people are LAZY and do not do that. Don't be LAZY.

I call bullshit on auditors all the time. I normally get away with it. Why? I know something about the field; they actually do not, they are working from a cookbook. Once you explain coherently why the cookbook is wrong for your environment, you know what? *THEY HAVE TO BELIEVE YOU* in absence of proof otherwise. That's how an audit works. If enough people do it, the cookbook gets changed.

You are an expert. Stop pretending some fucking accountant knows more about your systems than you do. Stop being a pussy and making it harder for the next person with real systems that faces the same auditors. Grow some balls and do your job professionally.