pci scans

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sun Apr 17 00:20:50 UTC 2011


On Sat, Apr 16, 2011 at 2:24 PM, teddymills1-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
<teddymills1-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>
> CFEngine might be fine on boxes you control, but getting CFengine enabled and
> working on hundreds of different client servers of various flavours, with new
> servers all the time, CFEngine would not be practical.
>
> CFEngine+Puppet is on my todo list :)

How can you claim to comply with something if you have systems that
aren't under your control?  That seems likely to be a fatal compliance
problem from the get-go.

In any case, cfengine has, as one of its strengths, the ability to
behave differently on each kind of server, so that it can (for
instance) know that log files are in different places depending on
platform.

But back to the point, if the environment is so out of control that it
would be impractical to run something like CFengine, I can't imagine
that it is sufficiently under control to even imagine claiming
compliance with something like PCI DSS.

Although I guess it's no surprise that big consulting firms would be
keen on writing up reports to make up a story supporting compliance;
they could easily keep consultants billing $2K/day for months writing
up policies.
-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




