Why don the benchmark documents include any information on DNS/BIND security, Web server/CGI security, Sendmail security, etc?
The benchmark documents are designed to address platform-specific security configuration issues which apply broadly to all systems running a given OS. BIND security configuration information, for example, would really only be relevant to you if the machine in question were intended to be used as a name server. However, it wouldn’t really matter if the machine were a Solaris machine, a Linux machine, etc.– the BIND-specific security configuration steps are largely the same regardless of platform. The Center plans to issue separate documents which address application-specific security issues– NFS, DNS, Web, FTP, and database security concerns plus many others. These application-specific benchmarks are intended to be used in conjunction with the platform-specific benchmark documents (such as the existing Solaris benchmark). In order to target our limited resources most effectively, we would love to receive feedback from the community on which applications the Center should target first.
