[cabf_netsec] SC20 and OS Patch Management

Neil Dunbar ndunbar at trustcorsystems.com
Mon Feb 24 03:56:50 MST 2020


On 24/02/2020 10:49, Neil Dunbar via Netsec wrote:

> 7. The monitoring systems of step 4 will record a set of file 
> alterations to a log. These change entries are reconciled with the 
> list produced in step 4 for the stage systems. Note: it's possible 
> that because of scheduling differences and minor discrepancies between 
> stage and production, the change logs won't be *identical*, but they 
> should be substantively similar.

In fact, it would be permissible for a HIDS system to know in advance 
that the systems in the ticket for the maintenance period were going to 
produce these change logs. If so, it could legitimately squelch such 
alerts (since it's not an exceptional condition). That said, I've only 
actually seen a single system which could do that level of proactive 
squelching, and the maintenance of the threshold conditions was so 
onerous that reconciliation by saying "no action - false positive" was 
actually easier!

Neil
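As an added illustration of the reconciliation step Neil describes above (this is example code, not from the post and not any CA's tooling), the script below parses a constructed HIDS change log from the stage run and one from the production maintenance window, drops the timestamps so scheduling differences do not matter, ignores paths that legitimately differ between hosts (here an assumed noise list such as `/var/log/`), and then sorts every change into one of three buckets: expected and observed (safe to squelch), observed but not expected (a real alert), and expected but not observed (a patch that apparently did not land). The log line format, file paths, hash values and the `NOISE_PREFIXES` list are all constructed assumptions.

```python
"""Reconcile a production HIDS change log against the expected change set
recorded on the stage systems. All sample data here is constructed."""
from dataclasses import dataclass

# Constructed stage-system change log: "<timestamp> <action> <path> <old> -> <new>"
CONSTRUCTED_STAGE_LOG = """\
2020-02-23T21:00:04Z modified /usr/lib/libssl.so.1.1 sha256:0a1 -> sha256:9f3
2020-02-23T21:00:05Z modified /usr/bin/openssl sha256:1b2 -> sha256:2c3
2020-02-23T21:00:06Z created /usr/share/doc/libssl/changelog.gz - -> sha256:3d4
2020-02-23T21:00:07Z modified /var/log/dpkg.log sha256:4e5 -> sha256:5f6
"""

# Constructed production HIDS log from the maintenance window: same patch run,
# different timestamps, a log file whose hash naturally differs per host, and
# one change (sshd_config) that the ticket never called for.
CONSTRUCTED_PROD_LOG = """\
2020-02-24T02:10:41Z modified /usr/lib/libssl.so.1.1 sha256:0a1 -> sha256:9f3
2020-02-24T02:10:42Z modified /usr/bin/openssl sha256:1b2 -> sha256:2c3
2020-02-24T02:10:43Z modified /var/log/dpkg.log sha256:7a8 -> sha256:8b9
2020-02-24T02:11:02Z modified /etc/ssh/sshd_config sha256:c0d -> sha256:d1e
"""

# Assumed: paths under these prefixes are expected to differ between stage and
# production and are excluded from the comparison rather than raising alerts.
NOISE_PREFIXES = ("/var/log/", "/var/cache/")


@dataclass(frozen=True)
class FileChange:
    """A file alteration with its timestamp deliberately dropped, so that the
    stage and production runs compare equal despite different schedules."""
    path: str
    action: str      # "modified", "created" or "deleted"
    new_hash: str    # hash after the change; "-" for deletions


def parse_hids_log(text):
    """Parse the constructed log format into FileChange records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, action, path, _old_hash, arrow, new_hash = line.split()
        if arrow != "->":
            raise ValueError(f"malformed HIDS line: {line!r}")
        changes.append(FileChange(path, action, new_hash))
    return changes


def reconcile(expected, observed, noise_prefixes=NOISE_PREFIXES):
    """Classify observed production changes against the expected stage set.

    Returns a dict of sorted path lists:
      squelched - expected and observed (known maintenance change, no action)
      alert     - observed but not expected (investigate)
      missing   - expected but not observed (patch may not have applied)
    """
    def is_noise(change):
        return change.path.startswith(noise_prefixes)

    exp = {c for c in expected if not is_noise(c)}
    obs = {c for c in observed if not is_noise(c)}
    return {
        "squelched": sorted(c.path for c in exp & obs),
        "alert": sorted(c.path for c in obs - exp),
        "missing": sorted(c.path for c in exp - obs),
    }


if __name__ == "__main__":
    report = reconcile(parse_hids_log(CONSTRUCTED_STAGE_LOG),
                       parse_hids_log(CONSTRUCTED_PROD_LOG))
    for bucket, paths in report.items():
        print(f"{bucket:9s} {len(paths):2d}  {' '.join(paths)}")
```

Matching on (path, action, resulting hash) rather than on the raw log line is what lets the two runs be "substantively similar" without being identical; a stricter deployment could additionally require the pre-change hash to match, at the cost of more false positives when stage and production started from slightly different package versions.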
