From: Paul Melson (pmelson@gmail.com)
Date: Thu Aug 16 2007 - 08:58:01 EDT
> I have a assignment to complete a pen test of a ESX server and was hoping
> to get some thoughts from everyone
> on how and what to test. I need to check to see if the server is
> configured in accordance with the "Virtual
> Computing Security Technical Implementation Guide" Version 1, release0.1
You realize the pen test and evaluating the ESX server against the VM STIG
are 2 different things, yes? Is your client able to provide you with a copy
of that version of the STIG? The most recent version I can find is v2R2*,
which is more than 2 years old. Beyond that, the STIG is pretty
straightforward. However, I would approach this work more as an audit than
a pen test, otherwise you will be very much handicapped in your ability to
verify compliance with the STIG.
Anyway, if you do pen-test the server, I would suggest that you check out
the work** the IntelGuardians guys announced at SANSFire last month. For
the time being, this pretty much makes it impossible for
PaulM
* http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf
** http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255