Re: [Fed-Talk] Proposed Interim Leopard Benchmark
- Subject: Re: [Fed-Talk] Proposed Interim Leopard Benchmark
- From: Peter Link <email@hidden>
- Date: Mon, 29 Oct 2007 09:56:56 -0700
For all of you who aren't yet aware of the SCAP program at NIST,
http://nvd.nist.gov/scap.cfm, please take the time to review it. When
NIST talks about vulnerabilities, it isn't just the common CVE stuff,
it also includes vulnerabilities created by misconfiguration of
systems, something the Apple/NSA guide addresses. NIST is working on
an OSX schema/checklist (I've talked to one of the NIST programmers
about this) so any input all of you can forward to Apple to provide
resources to help the Apple security people work on this project will
provide results a lot faster.
Why is the SCAP project important? A recent OMB memo stated that all
Federal systems (Windows only at the moment) will have to comply with
the Federal Desktop Core Configuration (FDCC,
http://csrc.nist.gov/fdcc/) mandate and SCAP is the protocol being
used to configure and validate the configuration of the desktops.
I've begun testing and I like the approach. For all of us that have
to constantly deal with auditors, having this standard method of
validation will help tremendously. Having one cross-platform,
consistent validation protocol can only help.
Without sounding like a vendor, look at the SCAP-compatible product
from ThreatGuard, Secutor Prime,
http://www.threatguard.com/products.htm. They have a free, single
computer version for testing. I've run it under VMware and Boot Camp
to test our XP images. This application is actually a Java app
wrapped in a Windows executable. The ThreatGuard people have said it
won't be a big deal to have a version for OSX. To be fair, Secure
Elements, http://www.secure-elements.com/, also has a fine product
and these two companies have worked the most with NIST to develop
this new protocol/program.
At 9:03 AM -0700 10/29/07, Todd Heberlein wrote:
Attached is a draft of a very basic Leopard security benchmark. I'm
very interested in comments.
First comment, please send as a PDF file instead of Word. Apple's
Pages is still not 100% compatible with Word.
Sections 1.6.28 and 1.7.1 - 1.7.3 on auditing and IDS will not be
applicable until Apple releases the Common Criteria tools along with
BSM auditing for Leopard.
This is a pretty extensive list. Any idea how long it takes to carry
out all these steps?
Given that there is very little evidence of security problems with
OS X in the wild, it might be hard to justify to the average system
administrator the Return On Investment for all these steps and the
removal of many capabilities. For example, using FileVault for
laptops is easier to justify (since they are frequently lost or
stolen) than using FileVault on a desktop in a relatively secure
environment, especially when I have heard too many stories of people
having problems with FileVault.
A tool to automate this and/or validate its status would be nice.
Todd
--
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden