<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Another reply to the OP in response to a reply from this list.<br>
</p>
<div class="moz-cite-prefix">On 20/02/2019 10:13, dockrin wrote:<br>
</div>
<blockquote type="cite" cite="mid:q4j97n$inr$1@bar-test.baen.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<cite>AndrewR wrote on Tue, 19 February 2019 13:55</cite>
<blockquote>
<pre style="white-space:pre-wrap; word-wrap: break-word; font-family: Verdana,Geneva,Lucida,'Lucida Grande',Arial,Helvetica,Sans-serif;">Another reply
-------- Forwarded Message --------
Subject: Re: [EdLUG] Fwd: [Baen Baen's Bar] Cybersecurity
Date: Tue, 19 Feb 2019 19:51:41 +0000
From: Edinburgh Linux Users Group <edlug@lists.edlug.org.uk>
Reply-To: <a href="mailto:edlug@lists.edlug.org.uk" moz-do-not-send="true">edlug@lists.edlug.org.uk</a>
To: Edinburgh Linux Users Group <edlug@lists.edlug.org.uk>
Hi Andrew
(Obligatory disclaimer: I am neither a lawyer, nor a security
professional. The following stems from my experience in general and
cannot constitute advice.)
On the face of it, yes, if it is an independent professional auditor,
they will need full access to the system, or for him to provide proof
that everything he is doing meets their requirements. Generally, only
full access can provide such proof.
Log files only provide minimal insight into what a system has done in
the past ; it does not show how the system is configured, and what
practices are in place, and whilst your friend's contact may in good
faith believe he has a secure system and only his own processes are
running on his computers, it is the auditor's responsibility to
investigate it for themselves, first hand, and to possibly ferret out
anything that was missed by the friend.
That is what an audit precisely is.
Conversely:
If he himself is concerned about their activities, he can seek out a
lawyer to provide him with a proper Non Disclosure Agreement contract to
have the auditor sign - I wouldn't know it is standard practice, but I
think he would be within his rights to require this in turn.
If the computers in question are not being used directly to service the
organisation or hold the organisation's data who is requiring the audit,
there is a question mark over to what extent they can require the audit
to be carried out. That's an entirely different question.
Tai
===
Tai Kedzierski
Linux Operations and Deployments Engineer
RHCSA # 170-060-834
<https: www.redhat.com="" rhtapps="" services="" verify?certid="170-060-834">
I use LibreOffice <https: www.libreoffice.org=""> , a free,
Freedom-respecting replacement for MS Office
/Open Source Free Software is a matter of liberty, not price./
<a class="moz-txt-link-freetext" href="https://www.fsf.org/about/what-is-free-software">https://www.fsf.org/about/what-is-free-software</a>
On Tue, 19 Feb 2019 at 19:12, Edinburgh Linux Users Group
<edlug@lists.edlug.org.uk <mailto:edlug@lists.edlug.org.uk="">> wrote:
I just received this email. Can anyone advise the OP on this question ?
Andrew Ramage
-------- Forwarded Message --------
Subject: [Baen Baen's Bar] Cybersecurity
Date: Tue, 19 Feb 2019 11:32:46 -0600vise
From: piobair <piobair@mindspring.com> <mailto:piobair@mindspring.com>
Reply-To: <a href="mailto:baens_bar@bar.baen.com" moz-do-not-send="true">baens_bar@bar.baen.com</a> <mailto:baens_bar@bar.baen.com>
Organization: Baen's Bar
To: <a href="mailto:baens_bar@bar.baen.com" moz-do-not-send="true">baens_bar@bar.baen.com</a> <mailto:baens_bar@bar.baen.com>
Newsgroups: Baen_Baens_Bar
The Board of Directors overseeing a friend of mine has decided that they need a security audit by an independent auditor. My friend's entire system is running on Linux with Linux servers and (mostly) thin clients.
He put out an RFP and, in his words, they want the keys to the front door in order to see if the china cabinet is locked.
Can an adequate audit be made from the /var/log files?
--
EdLUG mailing list
<a href="mailto:EdLUG@lists.edlug.org.uk" moz-do-not-send="true">EdLUG@lists.edlug.org.uk</a> <mailto:edlug@lists.edlug.org.uk>
<a class="moz-txt-link-freetext" href="https://lists.edlug.org.uk/mailman/listinfo/edlug">https://lists.edlug.org.uk/mailman/listinfo/edlug</a>
</mailto:edlug@lists.edlug.org.uk></mailto:baens_bar@bar.baen.com></mailto:baens_bar@bar.baen.com></mailto:piobair@mindspring.com></piobair@mindspring.com></edlug@lists.edlug.org.uk></https:></https:></edlug@lists.edlug.org.uk></edlug@lists.edlug.org.uk></pre>
<pre style="white-space:pre-wrap; word-wrap: break-word; font-family: Verdana,Geneva,Lucida,'Lucida Grande',Arial,Helvetica,Sans-serif;">--
EdLUG mailing list
<a href="mailto:EdLUG@lists.edlug.org.uk" moz-do-not-send="true">EdLUG@lists.edlug.org.uk</a>
<a class="moz-txt-link-freetext" href="https://lists.edlug.org.uk/mailman/listinfo/edlug">https://lists.edlug.org.uk/mailman/listinfo/edlug</a></pre>
</blockquote>
--
<p>Doc Krin, deep in the Ozarks!</p>
<br>
<p>A man’s greatest glory is to love his wife and raise his
children well // Mankind’s greatest shame is an uncherished
child. James Richard Shaver</p>
<p>"You can not leave behind what is always by your side" Richard
Castle </p>
<p>The saddest words ever said: "If only...." </p>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Baens_bar mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Baens_bar@bar.baen.com">Baens_bar@bar.baen.com</a>
<a class="moz-txt-link-freetext" href="http://bar.baen.com/cgi-bin/mailman/listinfo/baens_bar">http://bar.baen.com/cgi-bin/mailman/listinfo/baens_bar</a>
</pre>
</blockquote>
</body>
</html>