hi2all

take a look at these two pages:

http://www.ideahamster.org/osstmm.htm
ftp://sailor.gutenberg.org/pub/gutenberg/etext94/sunzu10.txt

what you don't find in one, it's on the other =;o)

[ ]'s
bacano

----- Original Message -----
From: "Dustin Puryear" <dpuryearat_private>
To: <pen-testat_private>
Sent: Friday, September 07, 2001 10:23 PM
Subject: Performing a Security Audit

> A client I work for has requested that I perform a security review of a
> cluster that I am helping them on. I have experience in hardening
> systems, but I do NOT have experience in performing a formal top-down
> review.
>
> I scanned the pen-test archives, including the recent "Security Audit"
> thread, but didn't find anything that had a subject line that caught my
> eye. Also, I tried using the security-focus.com search tool, but it
> reports it is not available "at this time." Oh well on that front.
>
> Can anyone provide links to sites or books or just be helpful by
> providing information on how a security review is approached? I am not
> really looking for information on analyzing a particular system or
> trying to exploit a given service--that information is more than readily
> available on the net and at the bookstore. Rather, I would like an
> overview of how a security audit is performed. Something on the lines
> of:
>
> o Create Security Audit Outline
>   1. List items to be evaluated
>      o web service
>      o smtp
>      ...
>   ...
> o Review AU, InfoSec, and XYZ Policies
> o Perform System Analysis
>   1. Determine running services
>      o http
>      o smtp
> o Attempt Exploits
>   ...
>
> Also, how should results be organized? How are reports organized?
>
> And what about checklists?
>
> Etc, etc.
>
> Any help would be appreciated!
>
> Regards, Dustin
>
> --
> Dustin Puryear <dpuryearat_private>
> http://members.telocity.com/~dpuryear
> In the beginning the Universe was created.
> This has been widely regarded as a bad move.
>   - Douglas Adams
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:06:11 PDT