Based on the guidelines, is it possible to build out a custom OS X
install, or at least one with settings pre-setup for new OS X
setups? Something similar to Windows slipstreaming would be nice. I
find that setting up 10-20 MacBook Pros based on the guidelines
requires quite a bit of time per machine. It would be great if I
could build a disc or package that disabled/enabled everything I
wanted by default on each machine.
-c kizer
On Tue, Mar 4, 2008 at 9:32 AM, <email@hidden>
wrote:
Send Fed-talk mailing list submissions to
email@hidden
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.apple.com/mailman/listinfo/fed-talk
or, via email, send a message with subject or body 'help' to
email@hidden
You can reach the person managing the list at
email@hidden
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Fed-talk digest..."
Today's Topics:
1. Standard Security configurations for Mac OS X (Kim Cummings)
2. FYI: SAV 10.2 phone home "feature" (Allan Marcus)
3. Re: FYI: SAV 10.2 phone home "feature" (William G. Cerniuk)
4. Re: FYI: SAV 10.2 phone home "feature" (Joel Esler)
5. Re: CAC for MAC (Michael)
6. Re: SUCCESS: CAC & OS 10.5 (Walls, Bryan K. (MSFC-IS30))
----------------------------------------------------------------------
Message: 1
Date: Mon, 3 Mar 2008 16:33:38 -0500
From: "Kim Cummings" <email@hidden>
Subject: [Fed-Talk] Standard Security configurations for Mac OS X
To: <email@hidden>
I wanted to try and clear something up a little. I'm pretty sure
everyone on here knows that the NSA-approved security configuration
guides for Panther and Tiger are posted on the nsa.gov site.
I keep seeing a lot of people up in arms about there not being a
standard configuration for OS X like there is for Windows. Folks - the
guides posted on the nsa.gov site are essentially what the Windows
guides were in their earlier forms. Producing them is an iterative
process. The OS X guides are maturing far more rapidly than the Windows
guides did.
My understanding is that NIST has not been doing STIGs for a while now
because they have been simply referring customers to the current guides
on the nsa.gov site.
Finally, I believe Shawn has already stated this, but in case anyone
missed it, let me bring it up again - the Tiger guides are currently
being developed at Apple. But they are a joint effort by Apple, NSA,
NIST and DISA at this point. We are doing this to make sure that the
guides retain the level of security we feel they should have, but so
that we can pull in the STIG-like elements to make it easier for those
having to do certifications.
Because of this collaboration, and some unforeseen delays, the guides
didn't come out as soon as we would have liked. Yes, we would have
preferred that they came out when Leopard did. That wasn't possible.
But they will be coming out soon - I believe in April (I keep forgetting
what the schedule says, but I'm sure Shawn will correct me if I have
that wrong.)
Kimberly Cummings Hersh
Apple Team Lead
NSA Systems and Network Analysis Center (SNAC)
410-854-5192
email@hidden
------------------------------
Message: 2
Date: Mon, 3 Mar 2008 14:46:15 -0700
From: Allan Marcus <email@hidden>
Subject: [Fed-Talk] FYI: SAV 10.2 phone home "feature"
To: DOE Mac <email@hidden>, FedTalk Apple
<email@hidden>
[sent with permission from Symantec]
Hello,
If you use Symantec Anti Virus on your Macs you are probably aware
that a Leopard compatible version (10.2) was recently released by
Symantec. SAV 10.2 has some new internal features that contact
Symantec servers in the background with no user notification. I've
contacted Symantec and they are aware of this being an issue for some
companies (like those of us in the government). They are looking into
the issue. Hopefully they will have a solution (to either remove the
phone-home feature or allow us to turn it off) by the end of March.
---
Thanks,
Allan Marcus
505-667-5666
------------------------------
Message: 3
Date: Mon, 3 Mar 2008 16:59:53 -0500
From: "William G. Cerniuk" <email@hidden>
Subject: Re: [Fed-Talk] FYI: SAV 10.2 phone home "feature"
To: Allan Marcus <email@hidden>
Cc: FedTalk Apple <email@hidden>, DOE Mac
<email@hidden>
Good info. We use NetBarrier's Application Barrier (antivandal)
feature to block all applications which have no business talking on the
network or in some cases just no business calling home.
V/R,
Wm. Cerniuk
Sent from my iPhone
On Mar 3, 2008, at 16:46, Allan Marcus <email@hidden> wrote:
> [sent with permission from Symantec]
>
>
> Hello,
>
> If you use Symantec Anti Virus on your Macs you are probably aware
> that a Leopard compatible version (10.2) was recently released by
> Symantec. SAV 10.2 has some new internal features that contact
> Symantec servers in the background with no user notification. I've
> contacted Symantec and they are aware of this being an issue for some
> companies (like those of us in the government). They are looking into
> the issue. Hopefully they will have a solution (to either remove the
> phone-home feature or allow us to turn it off) by the end of March.
>
>
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
------------------------------
Message: 4
Date: Mon, 3 Mar 2008 21:58:13 -0500
From: Joel Esler <email@hidden>
Subject: Re: [Fed-Talk] FYI: SAV 10.2 phone home "feature"
To: Allan Marcus <email@hidden>
Cc: FedTalk Apple <email@hidden>
Do you have any more info on what it does?
Joel
On Mar 3, 2008, at 4:46 PM, Allan Marcus wrote:
> [sent with permission from Symantec]
>
>
> Hello,
>
> If you use Symantec Anti Virus on your Macs you are probably aware
> that a Leopard compatible version (10.2) was recently released by
> Symantec. SAV 10.2 has some new internal features that contact
> Symantec servers in the background with no user notification. I've
> contacted Symantec and they are aware of this being an issue for some
> companies (like those of us in the government). They are looking into
> the issue. Hopefully they will have a solution (to either remove the
> phone-home feature or allow us to turn it off) by the end of March.
>
>
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
------------------------------
Message: 5
Date: Tue, 4 Mar 2008 11:38:56 -0500
From: Michael <email@hidden>
Subject: Re: [Fed-Talk] CAC for MAC
To: email@hidden
This is the one combination that is known to not work under Leopard,
Shawn's email below gives a more complete discussion of the class of
cards, a search of the archives would show what specific cards do and
don't work, it seems almost every other combination of cards and
readers works.
Michael
On Mar 3, 2008, at 1:23 PM, Franc wrote:
> Need help on getting my CAC card to work with my newly purchased Mac that
> came with Leopard pre-installed.
>
> Info as ff:
>
> 1) SCR3310 USB Smart Card Reader:
>
> Version: 5.18
> Bus Power (mA): 500
> Speed: Up to 12 Mb/sec
> Manufacturer: SCM Microsystems Inc.
> Product ID: 0x5116
> Serial Number: 21120715203956
> Vendor ID: 0x04e6
>
> 2) Oberthur ID One V5.2
>
> Be careful not to misrepresent the issue....
>
> There is currently (10.5.0-10.5.2) a very specific issue between
> some of the newer Smart Cards (T=1 / Block Transfer) with very
> specific Smart Card Readers (SCM SCR 331, 531, 3310, 3311).
>
> Combinations with a different reader or a different card work as
> expected.
>
> * There are many *different* CACs issued
> * There are many *different* Smart Card Readers available.
>
> It is best not to make sweeping statements about things that don't
> work to avoid misrepresenting the facts to the readers of this list.
>
> - Shawn
------------------------------
Message: 6
Date: Tue, 4 Mar 2008 11:31:25 -0600
From: "Walls, Bryan K. (MSFC-IS30)" <email@hidden>
Subject: Re: [Fed-Talk] SUCCESS: CAC & OS 10.5
To: "Ridley J.DiSiena" <email@hidden>, "McCreery, Lee CTR DISA"
<email@hidden>
Cc: Apple Fed Talk <email@hidden>
SCM has now posted scmccid_5.0.4_installer_Mac.zip which is, in fact,
an installer for the SCM driver that seems to work on Leopard for
both Intel and PPC machines.
http://www.scmmicro.com/support/pcs_downloads.php?lang=en
I also downloaded and installed libusb 0.1.13 beta from
http://www.ellert.se/twain-sane/. I'm guessing it will work okay with
the sourceforge release version libusb 0.1.12, too. The SCM driver
requires libusb to work.
http://sourceforge.net/project/showfiles.php?group_id=1674
http://libusb.wiki.sourceforge.net/
My Oberthur PIV card now shows up in the keychain. I can't get login
to work, though. I followed the directions at
http://docs.info.apple.com/article.html?artnum=304035, everything
looks right, but when I log out and insert the card, I just see the
login window blink. The "Type PIN number" prompt never shows up.
At 4:11 PM -0600 11/7/07, Ridley J.DiSiena wrote:
>Since my last posting I noticed that the SCM website now issues the
>file scmccid_5.0.3_mac.tar.gz when you request an OS X driver for
>the SCR331 CCID reader. It does not have an installer package, just
>an install script that seems to need help. My initial attempts with it
>have not worked. They appear to be in process of making a single
>scmccid.bundle rather than individual bundles for each model.
>
>I just tried an older driver that I had from SCM: the scr3xxx_v2.4.1
>installer package. After that is installed, 10.5 GM reads my
>Oberthur PIV card with the SCR331, and makes it available to the
>keychain.
>
>To sum it up, Before I install anything on 10.5 GM, I just get the
>blinking light on the SCM331 as you mentioned and keychain never
>sees my Oberthur card in the SCR331 reader. Attempts at manually
>configuring the newest driver from SCM have not worked yet for me,
>still trying. The older driver for the SCM appears to be
>functional, although I have just begun testing on the 10.5 GM.
>
>It very well may be a different issue with the CAC, just thought I'd add
>my experience with the SCR331 drivers in case it could help. You
>may want to try an older driver from scm just to see if the problem
>is with the newest driver.
>
>-Ridley
>
>email@hidden
>
>On Nov 7, 2007, at 12:40 PM, McCreery, Lee CTR DISA wrote:
>
>>Hello All,
>>
>>I just wanted to give an update to the issue that we all have been
>>seeing since the release of 10.5 and CACs.
>>
>>Following the upgrade from 10.4 to 10.5 I also noticed that CAC/PKI
>>stopped working (SCR331 & OmniKey 3121 readers). As I mentioned in
>>another thread a co-worker's system seems to work at least for
>>webmail and the PKI required websites we frequent with the OmniKey
>>3121 reader.
>>
>>I upgraded my system at the end of last week. I also lost my
>>ability to access PKI/CAC enabled sites. I reverted back to
>>slicking my system and doing an installation from scratch. The
>>installation was of OSX 10.5 and add-ons like X11. After
>>connecting back to the network there was an update for "Login & Key
>>Chains" (downloaded and installed). After the system was back up I
>>connected my faithful SCR331, but it would only blink the LED
>>repeatedly and the Key Chain viewer & "sc_auth hash" did not
>>indicate any connection. I downloaded the MAC drivers for the card
>>reader and also tried "pcsctool" but it still didn't work. I even
>>attempted to upgrade the firmware for the reader from
>>5.18-->5.25...Nothing new...Failure.
>>
>>I then connected a different card reader "OmniKey CardMan 3121".
>>Opened "Key Chain viewer" and you can guess what I saw. In the top
>>of the list was an entry for CAC. In the past I was not ever
>>successful in getting the Omnikey to work with MAC and I followed
>>the mailing list lead in using the SCR331.
>>
>>So far my co-worker and I are successfully able to connect to
>>PKI/CAC enabled webmail and websites with Safari. We have only
>>attempted to connect with Firefox which did not work, but we
>>haven't spent much time troubleshooting.
>>
>>So if I can supply any more information please let me know.
>>
>>I would like to thank co-worker April and her husband David for the
>>leads in making it this far.
>>
>>Lee
>>-----------------------------------------
>>
>>Lee G. McCreery
>>
>>SPAWAR System Center - Pensacola FL
>>
>>email@hidden
--
Bryan Walls My words are not NASA policy.
email@hidden (256)544-3311 voice,544-1070 fax
End of Fed-talk Digest, Vol 5, Issue 57
***************************************