RFC 3871           Operational Security Requirements      September 2004

   Justification.

      Understanding risk requires understanding exposure.  Each service

      that is enabled presents a certain level of exposure.  Having a

      list of the services that is enabled by default makes it possible

      to perform meaningful risk analysis.

   Examples.

      The list may be no more than the output of a command that

      implements Section 2.5.1.

   Warnings.

      None.

3.3.  Document Service Activation Process

   Requirement.

      The vendor MUST concisely document which features enable and

      disable services.

   Justification.

      Once risk has been assessed, this list provides the operator a

      quick means of understanding how to disable (or enable) undesired

      (or desired) services.

   Examples.

      This may be a list of commands to enable/disable services one by

      one or a single command which enables/disables "standard" groups

      of commands.

   Warnings.

      None.

3.4.  Document Command Line Interface

   Requirement.

      The vendor MUST provide complete documentation of the command line

      interface with each software release.  The documentation SHOULD

      include highlights of changes from previous versions.  The

      documentation SHOULD list potential output for each command.

Jones                        Informational                     [Page 68]