[Fed-Talk] Re: Fed-talk Digest, Vol 2, Issue 123
- Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 2, Issue 123
- From: Ran Atkinson <email@hidden>
- Date: Sat, 18 Jun 2005 10:27:28 -0400
On 17 Jun 2005, at 15:06, email@hidden wrote:
Message: 4
Date: Fri, 17 Jun 2005 11:00:55 -0400
From: Shawn Geddis <email@hidden>
Subject: [Fed-Talk] Re: How to use pwpolicy for setting local password
policies?
To: Fed Talk <email@hidden>
Cc: Mark Moorcroft <email@hidden>
Message-ID: <email@hidden>
Content-Type: text/plain; charset="us-ascii"
On Jun 16, 2005, at 3:26 PM, Mark Moorcroft wrote:
I don't mean to be the voice of doom here but has Apple actually
said they even support pwpolicy on client? The last I heard they
were claiming that it's only "officially" supported when server is
involved. Of course this is a totally unacceptable answer but
that's what they were saying. This was in the Panther time frame if
I recall of course.
To try and quickly address Mark's comments here....
pwpolicy was added to the client side in support of the requirements
for Common Criteria Certification. Apple provides the required
functionality and documentation in the CC Admin Guide to perform
those modifications necessary for the CAPP/EAL3 Certification.
Apple submitted and received CAPP/EAL3 certification for
MacOS X 10.3.6 client and 10.3.6 server. One imagines this
was undertaken under NIAP primarily to meet US DoD requests
pursuant to NSTISSP 11.
Limited pwpolicy IS available and IS _Officially_ supported to that
degree. Any additional functionality or options would be beyond
those requirements and work done to date. The man pages were brought
over from the Server implementation and hence the 'man page'
reference to server mentioned earlier.
So by the terms of Apple's EAL3/CAPP certificate, it is officially
supported on 10.3.x, where "x" is the minor version mentioned in the
Apple documentation for "Common Criteria".
One probably also needs to download the "Common Criteria" patch/kit
if one wants to have a deployment that complies with EAL3/CAPP
requirements. Said patch kit and documentation is available at:
http://www.apple.com/support/downloads/commoncriteriatools.html
Personally, I find the improved audit support to be very helpful.
I do wish Apple would look into EAL4 certification, simply because
other competitors have EAL4 already (or in some cases are actively
being evaluated under EAL4). Lack of EAL4 is going to be a risk
for Apple that EAL4 would be used to prevent Apple systems from
being procured under some RFP or deployed in some environments.
(That said, I'm very happy that they have EAL3 already. :-)
There are far better and readily available mechanisms than Complex
Password Policies on locally managed accounts. Smart Card Services
and the use of a Smart Card for Cryptographic login is one to
consider.
I am personally severely backlogged on my responses to Fed-Talk
messages related to security, so if you have not gotten a response,
please be patient and/or resend your question/request for info again
to the list and/or directly to me.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
------------------------------
Message: 5
Date: Fri, 17 Jun 2005 10:04:23 -0700
From: Mark Moorcroft <email@hidden>
Subject: [Fed-Talk] Re: How to use pwpolicy for setting local password
policies?
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Thanks Shawn, can you elaborate on what OS versions this applies to,
or how it varies by version? I'm guessing that last sentence should
say "to that degree in Tiger". Especially since your lead in the
server group has already said the opposite about Panther. I won't see
Tiger on the desktop until next year. Even if the agency pushes us to
it there is no budget unless they site license it (pipe dream).
He is saying that the Common Criteria features, including pwpolicy (as
documented in the Common Criteria Admin Guide document from Apple),
ARE supported under 10.3.6 (and later) versions of Panther,
so does NOT require Tiger.
What *might not* be "officially supported" would be anything about
pwpolicy that is not documented in the Apple supplied "Common Criteria
Administration Guide" (if anything). URL above can be used to get that
document from Apple, along with some useful tools.
If Apple refused to support documented EAL3/CAPP items in 10.3.6, then
they would be in legal trouble for violating the terms of their Common
Criteria evaluation, so there really isn't any room for interpretation
on that.
As virtually no one outside the US Government knows what "Common
Criteria" even means, it would not surprise me in a large organisation
(e.g. Apple) if not everyone in the whole company had heard about a
"Common Criteria" evaluation. So it would be easy for someone to
mis-speak because they were not fully informed. It happens by accident
all the time. (Even NASA spokespeople make those mistakes
occasionally. :-)
-------- Original Message --------
pwpolicy was added to the client side in support of the requirements
for Common Criteria Certification. Apple provides the required
functionality and documentation in the CC Admin Guide to perform
those modifications necessary for the CAPP/EAL3 Certification.
Limited pwpolicy IS available and IS _Officially_ supported to that
degree.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
--
Mark Moorcroft
ELORET Corp.
650-604-4784
mailto:email@hidden
------------------------------
Cheers,
Ran