Re: [Fed-Talk] Proposed Interim Leopard Benchmark
- Subject: Re: [Fed-Talk] Proposed Interim Leopard Benchmark
- From: Allan Marcus <email@hidden>
- Date: Mon, 29 Oct 2007 12:59:51 -0600
Addendum.
Sorry, the CIS list is also generally approved for government
agencies. However, IMHO it is woefully inadequate.
---
I think you misunderstand the reason for my posting. The list for
Tiger is the only government approved checklist for Mac, therefore
it's the list government Mac users have to go with. We at LANL have
made some modifications to the list for our purposes, and we document
our variances to satisfy the auditors.
The list I posted is the generic list from Apple with annotations for
Leopard. I'm seeking comments on the annotations, not the list in
general.
By the way, we have an application that applies most of the list in
about 10 seconds. The checking for world readable files in
/Applications and /Library adds about 2 minutes. The program is a
combination of Perl and AppleScript Studio. We are still testing it
in-house. I have no idea how I could send it out though.
---
Thank you,
Allan Marcus
Central Software and Development Team (CSD)
Departmental Computing Group (CTN-1)
Computing, Telecommunications, and Networking (CTN) Division
Los Alamos National Laboratory
505-667-5666
email@hidden
On Oct 29, 2007, at 10:03 AM, Todd Heberlein wrote:
Attached is a draft of a very basic Leopard security benchmark.
I'm very interested in comments.
First comment, please send as a PDF file instead of Word. Apple's
Pages is still not 100% compatible with Word.
Sections 1.6.28 and 1.7.1 – 1.7.3 on auditing and IDS will not be
applicable until Apple releases the Common Criteria tools along
with BSM auditing for Leopard.
This is a pretty extensive list. Any idea how long it takes to
carry out all these steps?
Given that there is very little evidence of security problems with
OS X in the wild, it might be hard to justify to the average system
administrator the Return On Investment for all these steps and the
removal of many capabilities. For example, using FileVault for
laptops is easier to justify (since they are frequently lost or
stolen) than using FileVault on a desktop in a relatively secure
environment, especially when I have heard too many stories of
people having problems with FileVault.
A tool to automate this and/or validate its status would be nice.
Todd