Friday, 29 April 2011

PCI DSS tips

2.2.3.a  Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
Sysadmins may or must hold relevant certifications. They may also take part in creating the security policy, or at least know and understand these policies.

2.2.3.c For a sample of system components, verify that common security parameters are set appropriately.
We need to check that the most important security settings are in place on a system, usually based on the security standard for this system and on the system passport.

6.2.b  Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
Check whether admins are regularly notified by the vendor about security updates and react to these alerts with due diligence. They also have to be subscribed to best-practice sources (a magazine, a vendor blog or something similar) so that they are always aware of current secure configuration practices and news.

10.2.6 Verify initialization of audit logs is logged.
Try to change the audit options; the change must be logged.

10.2.7 Verify creation and deletion of system level objects are logged.
For Windows, try to create a registry key. For Linux, try to create a process.
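As an added example (not part of the original post), here is a small Python checker for the Linux side of the 10.2.6 and 10.2.7 tests: it parses auditd-style records and reports whether an audit configuration change and a process creation (execve) were actually logged. The log lines are constructed for the example; the syscall number 59 assumes an x86_64 system (arch=c000003e).

```python
import re

# Constructed sample of auditd records (not from a real system). The format
# follows auditd: type=... msg=audit(epoch:serial): key=value pairs.
SAMPLE_AUDIT_LOG = """\
type=CONFIG_CHANGE msg=audit(1304066400.101:201): auid=1000 ses=3 op=add_rule key="pci-10.2.6" list=4 res=1
type=SYSCALL msg=audit(1304066400.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2011 pid=2012 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="pci-10.2.7"
type=EXECVE msg=audit(1304066400.250:202): argc=1 a0="id"
type=USER_LOGIN msg=audit(1304066400.300:203): pid=2000 uid=0 auid=1000 ses=3 msg='op=login acct="alice" res=success'
type=SYSCALL msg=audit(1304066400.400:204): arch=c000003e syscall=257 success=yes exit=3 ppid=2011 pid=2013 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="pci-10.2.7"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# A value is double-quoted, single-quoted (may contain nested key=value text) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

EXECVE_SYSCALL_X86_64 = "59"  # assumption: x86_64 syscall table


def parse_record(line):
    """Parse one audit record into a dict; return None for lines that are not records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, value in KV_RE.findall(m.group("body")):
        rec[key] = value.strip('"\'')
    return rec


def parse_audit_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def check_pci_10_2(records):
    """Report evidence for 10.2.6 (audit config change logged) and 10.2.7 (process creation logged)."""
    config_changes = [r for r in records if r["type"] == "CONFIG_CHANGE"]
    process_creations = [
        r for r in records
        if r["type"] == "SYSCALL" and r.get("syscall") == EXECVE_SYSCALL_X86_64 and r.get("success") == "yes"
    ]
    return {
        "10.2.6_audit_config_change_logged": bool(config_changes),
        "10.2.7_process_creation_logged": bool(process_creations),
        "config_change_serials": [r["serial"] for r in config_changes],
        "process_creation_serials": [r["serial"] for r in process_creations],
    }


if __name__ == "__main__":
    print(check_pci_10_2(parse_audit_log(SAMPLE_AUDIT_LOG)))
```

On a real host the input would be the raw records for the test window (for example from `ausearch --raw`) captured right after changing an audit rule and running a command; a missing CONFIG_CHANGE or execve record means the control is not evidenced.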
