RE: Pen Test of an ESX Server

From: jfvanmeter@comcast.net
Date: Thu Aug 16 2007 - 09:17:22 EDT


 -------------- Original message ----------------------
From: "Paul Melson" <pmelson@gmail.com>
> > I have an assignment to complete a pen test of an ESX server and was hoping
> to get some thoughts from everyone
> > on how and what to test. I need to check to see if the server is
> configured in accordance with the "Virtual
> > Computing Security Technical Implementation Guide" Version 1, release 0.1
>
> You realize the pen test and evaluating the ESX server against the VM STIG
> are 2 different things, yes?
>> Yes, I was trying to find some guidelines and that was what I found.

>Is your client able to provide you with a copy
> of that version of the STIG? The most recent version I can find is v2R2*,
> which is more than 2 years old. Beyond that, the STIG is pretty
> straightforward. However, I would approach this work more as an audit than
> a pen test, otherwise you will be very much handicapped in your ability to
> verify compliance with the STIG.
>
> Anyway, if you do pen-test the server, I would suggest that you check out
> the work** the IntelGuardians guys announced at SANSFire last month. For
> the time being, this pretty much makes it impossible for
>
> PaulM

>> Thank you, Paul, for the information and ideas --John
 
> * http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf
> **
> http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:02 EDT