Reply to post: Re: Not impressive. But then again if you're a sysadmin how would *your* company fare?

Audit finds Department of Homeland Security's security is insecure

handleoclast

Re: Not impressive. But then again if you're a sysadmin how would *your* company fare?

My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.

SCAP.

Official pronunciation "Ess-CAP" or "Ess See Ay Pee." I think those pronunciations are C-RAP and use the forbidden (and obvious) pronunciation.

That quibble aside, if you're not using SCAP, why not? OpenSCAP on Linux, a Microsoft embraced and extended abomination of it on Windows. A checklist of all known problems you should disable/neuter (e.g., sendmail, NFS) and automation to check they stay disabled/neutered. And you can customize the ruleset where circumstances demand it, such as not complaining about a web server and an email server on the same host (having one host for each minimizes the size of the attack surface, but small hosting providers may choose to live with that risk).

Why rely on your experience and memory to tell you what to disable/neuter/check when SCAP can do it for you? And keep checking that nobody has slyly installed/enabled something they shouldn't. It's not even pets vs cows territory, it makes sense for pets too.
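The ruleset customisation the comment describes (a base profile, minus the rule that would shout about a web server and a mail server sharing a host) is done in SCAP with an XCCDF 1.2 tailoring file. The script below is an added example, not handleoclast's or the OpenSCAP project's code: it writes such a tailoring file and shows the `oscap` invocation that evaluates a host against it. The datastream path, base profile id and rule id are assumptions for illustration; `oscap info <datastream>` lists the profiles your installed content actually provides, and the rule ids appear in the HTML report.

```shell
#!/bin/sh
# Added example (not from the original comment). Builds an XCCDF 1.2
# tailoring file that extends a base profile but unselects rules this
# particular host legitimately needs to violate, then shows how to run
# the scan with it. Every id below is an assumption: check them against
# the output of `oscap info "$DATASTREAM"` on your own system.

DATASTREAM="${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml}"   # assumed SSG datastream path
BASE_PROFILE="${BASE_PROFILE:-xccdf_org.ssgproject.content_profile_cis}"     # assumed base profile id
TAILORED_PROFILE="xccdf_com.example_profile_webmail"   # our own id; XCCDF 1.2 wants xccdf_<reverse-dns>_profile_<name>

# write_tailoring OUTFILE RULE_ID...
# Writes a tailoring whose profile extends $BASE_PROFILE and sets
# selected="false" on each RULE_ID given. Everything else in the base
# profile stays selected, so the rest of the checklist keeps being enforced.
write_tailoring() {
  out="$1"; shift
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_tailoring_webmail">\n'
    printf '  <xccdf:benchmark href="%s"/>\n' "$DATASTREAM"
    printf '  <xccdf:version time="%s">1</xccdf:version>\n' "$(date -u +%Y-%m-%dT%H:%M:%S)"
    printf '  <xccdf:Profile id="%s" extends="%s">\n' "$TAILORED_PROFILE" "$BASE_PROFILE"
    printf '    <xccdf:title>Base profile, minus rules this host must violate</xccdf:title>\n'
    for rule in "$@"; do
      printf '    <xccdf:select idref="%s" selected="false"/>\n' "$rule"
    done
    printf '  </xccdf:Profile>\n'
    printf '</xccdf:Tailoring>\n'
  } > "$out"
}

# count_unselected FILE: number of rules the tailoring switches off,
# a quick sanity check that the exception list is as small as you think.
count_unselected() {
  grep -c 'selected="false"' "$1"
}

# Usage: a combined web+mail host keeps its MTA, so unselect the rule that
# would flag it. The rule id is an assumption for illustration.
write_tailoring tailoring.xml xccdf_org.ssgproject.content_rule_package_sendmail_removed
echo "tailoring.xml unselects $(count_unselected tailoring.xml) rule(s)"

# Scan with the tailored profile (these oscap flags are real; run on the target host):
#   oscap xccdf eval --profile "$TAILORED_PROFILE" --tailoring-file tailoring.xml \
#        --results results.xml --report report.html "$DATASTREAM"
# Put that in cron or a systemd timer so the check keeps running after build
# time, which is the "keep checking nobody slyly enabled something" part.
```

Keep the tailoring file in version control next to the host's build config: the list of unselected rules is the documented, reviewable record of accepted risk, which is much easier to audit than an admin's memory of what was switched off and why.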
